LOUDAUTO: NSA Exploit of the Day

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog:


(TS//SI//REL TO USA,FVEY) Audio-based RF retro-reflector. Provides room audio from targeted space using radar and basic post-processing.

(U) Capabilities
(TS//SI//REL TO USA,FVEY) LOUDAUTO's current design maximizes the gain of the microphone. This makes it extremely useful for picking up room audio. It can pick up speech at a standard, ofice volume from over 20' away. (NOTE: Concealments may reduce this distance.) It uses very little power (~15 uA at 3.0 VDC), so little, in fact, that battery self-discharge is more of an issue for serviceable lifetime than the power draw from this unit. The simplicity of the design allows the form factor to be tailored for specific operation requirements. All components at COTS and so are non-attributable to NSA.

(U) Concept of Operation
(TS//SI//REL TO USA,FVEY) Room audio is picked up by the microphone and converted into an analog electrical signal. This signal is used to pulse position modulate (PPM) a square wave signal running at a pre-set frequency. This square wave is used to turn a FET (field effect transistor) on and off. When the unit is illuminated with a CW signal from a nearby radar unit, the illuminating signal is amplitude-modulated with the PPM square wave. This signal is re-radiated, where it is picked up by the radar, then processed to recover the room audio. Processing is currently performed by COTS equipment with FM demodulation capability (Rohde & Schwarz FSH-series portable spectrum analyzers, etc.) LOUDAUTO is part of the ANGRYNEIGHBOR family of radar retro-reflectors.

Unit Cost: $30

Status: End processing still in development

Page, with graphics, is here. General information about TAO and the catalog is here.

This one is kind of cool, I think.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on January 21, 2014 at 2:11 PM • 47 Comments


BertJanuary 21, 2014 3:37 PM

Hiya, I was wondering if it perhaps would be an idea to write some generic bios scanner software that could check it for these nsa implants. I imagine that if the signatures are known and one can read the bios as superuser, a generic C style program could be written, and perhaps adapted for these wildly different devices like routers and normal pc's.

As far as I know, there are no scanners that check the bios. They can all check the boot sector but that's not gonna cut it.


camurgoJanuary 21, 2014 3:52 PM

To think that all these exploits are almost six years old. Whatever they have in use today is probably better than these antiques. That rootkit from 2012, Rakshasa, made by an academic, was already comparably more sophisticated at persisting in the machine's firmware.

camurgoJanuary 21, 2014 3:54 PM

To think that all these exploits are almost six years old. Whatever they have in use today is probably better than these antiques. For example that rootkit from 2012, Rakshasa, made by an academic, was already comparably more sophisticated at persisting in the machine's firmware.

Carl 'SAI' MitchellJanuary 21, 2014 3:57 PM

Several of the last few devices have been radar activated. Multi-band radar detectors seem like a good detection method, though there could be confusion with aircraft radars and such.

If I were planning on discussing something I wanted to keep secret from the NSA I'd purchase aluminium foil and line a closet/small room with it, being sure to ground the foil. Obviously make all purchases with cash and at various stores, etc. Jamming might also be possible, but more easily detectable by the listening party. They can also get the FCC to arrest you for running a jammer, so it's probably not a good route.

Milo M.January 21, 2014 4:03 PM

Ref 9 in the Wikipedia article links to an article in EE Times which says in part:

"In US Patent Application 2005/0220310 William R. McGrath details how microwaves can be reflected to intercept sounds. The important part of this patent is the detailing of how microwaves can be reflected by an object and signal processed to recover audio information."

The patent application ("Technique and device for through-the-wall audio surveillance") can be downloaded here:


A more recent patent application by the same inventor:



The inventor is with JPL.

Carl 'SAI' MitchellJanuary 21, 2014 4:06 PM

I should revise my previous statement of "anything I wanted to keep secret from the NSA" to "anything I needed to keep secret from the NSA." I don't need to keep many things secret, but I do want to keep them secret. The effort involved in hiding such matters from a targeted attack is (currently) likely quite a bit greater than the risk of such an attack against me. Unless the NSA is worried about me conquering America with an army of parrots, then I'm screwed.

Clive RobinsonJanuary 21, 2014 5:03 PM

@ Nick P,

The designer of the Great Seal bug also designed the THERAMIN musical instrument that gives those wierd sounds on the Beach Boys "Good Vibrations".

As for the "thing" (the actual bug from inside the great seal) it was fairly well described in Peter Wright's book Spy Catcher" as desicribed it's very clearly "prior art", and as the "thing" was from the 50's any patent would have expired long long ago.

Thus the patent @Milo M, mentions should never have been granted, and it's just another example of the USPO failing to do "due diligance" on discovery (nothing new there when it comes to grabing "A fist full of Fees" (que a Moricone Spagatii Western sound track ;-)

Clive RobinsonJanuary 21, 2014 6:04 PM

For those wondering how this device works, it's reasonably well described accept for the important bit ;-)

If you look at a TV antenna you will see either a dipole or folded loop which is connected to the feedline/coax which goes to the receiver. Behind this are one or more "elements" that act as "reflectors" and in front more elements that act as "directors". The length of these elements is in effect a half wave length, which means they are in resonance.

When in resonance the elements convert the free space E & H fields back to current in the ellement with a coresponding voltage. As the element is at resonance it acts as a tuned circuit which can be visulised as a swinging pendulum or child on a swing. The energy builds up and unless quenched in some way would keep rising as long as it was being energised. However due to the rise in current in the element it "re-radiates" --nearly-- all the energy back into free space and in the process distorts the RF field it was energised by. If two or more elements are spaced at the correct distance their re radiated signals can be addative which is why the antenna has gain in one major direction (as well as a few side lobes, as a very rough rule of thumb approximation each active director gives a gain of three so count the elements multiply by three take the log and apply isotropic radiator correction factor).

Now the easiest way to quench a tuned circuit is to put a short across part or all of it and dump the energy into the "short" which acts as a load. With an element on an antenna you only need change the impedence on one end of it from an open circuit to a short circuit. As the element changes it's re-radiation charecteristic this will have an effect on the RF field around it. This can be detected by another antenna some considerable distance away as shallow depth AM modulation (and if moving it causes a coresponding doppler signal)

This has been well known to RF engineers for some considerable period when antennas rotating at speed for automatic direction finding modulated the signal on nearby "search antennas" and after reception produced an audio tone directly related to the rotation speed.

The same problem exists today with electronicaly synthasised rotating antennas of the sort mounted on police cars to find stolen vehicals. The "FETs" that act as antenuators at the bottom of the four or eight antennas cause a rotating vector in the RF field. This can be picked up to provide information on the movment of the police vehical when it's direction finding (a usefull thing to know about and exploit if you are a sophisticated auto thief/chop shop).

So in the description of this device the FET is simply acting as an electronic switch opening and closing the end of the antenna...

Back in the 80's when I was designing and manufacturing surveillance equipment I designed a similar device but slightly more sophisticated (and yes reading Peter Wright's book started me thinking). I used a triangle wave signal generator running at the top end of the audio band, this went into one input of an op-amp comparitor, the other was driven by the output of an electret mic --with built in amp-- the output from the op-amp went into one input of an XOR gate the other was driven by a LFSR running at a chip rate of around 455KHz the resulting output drove the gate of the FET switch.

I later changed the design such that I ditched the triangle wave generator and comparitor using instead the audio signal to NBFM the chip clock. Thus using less components and getting better operational stability etc.

The advantage of this "poorman's" DSSS system was that even when iluminated and operating the bug hunters of the time could not find it and a spectrum analyser display would just show the CW carrier from the illuminator with a rather high noise floor...

Clive RobinsonJanuary 21, 2014 8:14 PM

@ Carl 'SAI' Mitchell,

    ... I'd purchase aluminium foil and line a closet/small rooxm widddth it being sure to ground the foil. Obviously make all purchases with cash and at various stores, etc. Jamming might also be possible, but more easily detectable by the listening party

A single or double layer of aluminium foil is not going to be very reliable for varios reasons.

If you are going to do this at home then you need to do it "flat pack" style.

You need to make up some light weight wooden frames just like those artists do to stretch canvas for oil painting. However instead of stretching canvas you stretch chicken wire such that it goes around the frame. You take two of these and screw them together such that you have both wooden frames inside an outer skin of chicken wire. It's best to put thermal insulation of the fiber type inbetween as this helps deaden sound. Don't rely on the compression contact between the two sides of chicken wire lace the together with copper wire and solder it to the chicken wire (it's usually galvanised so will take solder if you clean it, flux it and use a hot enough iron). You can make these flat pack frames upto 8x4 using standard DIY timber packs.

Eight of them (1 floor, 1 ceiling, 2 end walls 4 for side walls) will make a small box/room you can build in a shelf for a computer and an office chair to sit on. However you need to make the floor frame much stronger (unless you've over done the fasting diet craze ;-)

Obviously one of the frames needs to have a door built in and this is a little more complicated. Make a smaller frame of about 6x3 this is the door, the frame holding it is made such that the Inner frame has a smaller hole than the door to make a half to one inch jamb all around the outer frame has a hole just large enough to take the door. You then need to make a conductive door seal. The easiest way to do this is with 75ohm TV coax, if you strip the outer plastic insulation you have a soft foam plastic core with a woven braid outside it. Staple this two the door and jamb such that you have two concentric circles one on the jamb one on the door such that they dont touch each other. You will need to come up with a door handle and bolt system such that the braid makes good contact with the chickenwire covering the door and covering the jamb.

Having bolted it together you then line the inside with aluminium foil such that you have four layers. You put in the first layer horizontaly with the edges overlaping by an inch or so the second layer verticaly, the third horizontaly the fourth verticaly. Hold each layer in place with small lengths of sticky tape. Using copper staples hang a layer of thick hessian (sack) cloth over this then with copper plated marine screws carefully put a layer of thin protective ply wood over this.

There is a minor problem you next need to solve and that's ventilation the easiest way to do this is when making the end wall frame that goes over the computer deskmake an internal frame the size of a small bathroom/kitchen surface mount extractor fan unit, don't put the fiber insulatioon in here but do ensure the chicken wire covers both sides of the frame. Mount the extractor on the outside after carefully making holes in the aluminium foil. Make a similar arangment in the bottom of the door only don't add an extractor, put one of those aluminium ventilation louvers with the sliding plate on either side, make sure one has the louver slots verticaly the other horizontly.

Your next problem is getting power into the unit. To do this you need two dicast aluminium boxes with screw on lids and two IEC (kettle plug) EMI/EMC chassis mount filter connectors. Drill holes and mount the IEC connectors one in each box, screw one box on the inside and one on the outside with the holes to take the cable aligned wire the two IEC's together. Connect a power strip board to a kettle lead and plug it into the inside IEC connector, then for obvious safety reasons screw a wooden block in behind it to stop it being pulled out and alowing fingers to touch the pins in the IEC connector. On the outside you need one of those "garden lawn mower" earth leakage / residual current trip devices in the wall socket and a suitable length kettle lead to plug into the IEC connector on the external box. Remember it's only good for about 5amps.

You then need to get an EMC test receiver or appropriate spectrum analyser to do inside spectrum to outside spectrum comparison to see how good a job you have done.

If you know what you are doing you can fit a "tracking generator feed through bypass" basicaly it's a length of 50ohm coax mounted between two glanded chassis mount N-type connectors one on the inside the other on the outside. It enables you to have a broadband amp and antenna on the inside of your box and the spectrum analyser on the outside with it's tracking generator output fed through the bypass to the amp and antenna. When not in use you screw plugs onto the connectors with hard shorts in them to prevent leakage.

A less dangerous way to do it is to make up a tempory lead you have fed through either the door louvres or extractor unit.

If you cann't see any leakes from the outside put the spectrum analyser inside and the amp and antenna outside and run the tests again, remember to move the antenna from place to place outside. It can be a quite time consuming effort and in some cases take longer than it did to build the box...

Usually if you are certifing a comercial RF cage, you are looking at alowing four working days for a couple of engineers/technicians.

With appropriate antennas you can check how well your box screens. It should be good for 60db or more of antenuation depending on how well you fit the door and gaskets. With care you can get it to the point where average test equipment is not sufficient to give readings above it's noise floor.

The real question is do you value your privacy to the point of a capital outlay of around 1000USD and a week or two of time?

Coyne TibbetsJanuary 21, 2014 9:16 PM

I read this before.

(Disclaimer: Not an expert.)

The problem with it acting as an antenna being partially shorted, is that it becomes a non-linear circuit. According to what I've read, that would make it detectable to standard debugging equipment, which looks for non-linear circuit responses.

As I read the document, I am guessing that, rather than using the field-effect transistor to short, amplify, or do anything that would would be detectable as a non-linear response, it is used to load the input signal, to transiently reduce the strength of the reflected radar signal.

They then read the content by reading the strength of the reflected signal from outside the bugged zone.

Detection should be almost impossible. All active detection and amplification occurs outside the bugged zone, where it is non-detectable. Observers might easily free-ride on the local weather radar; if that were done, the shifted signal would be buried in the other reflections from the same radar; with no identifiable "unusual" reflection.The "transmission" would be so weak that, if you don't know exactly where the bug is, you wouldn't be able to detect the strength variation; a micro-tremor in the hand holding a bug detector would produce more signal strength change than likely from the bug. You'd have to find it by manual search.

(This makes the code name LOUDAUTO a "private joke", since it seems likely the bug is very quiet indeed.)

Thoughts? (An electronics/antenna expert would be welcome.)

FigureitoutJanuary 21, 2014 10:56 PM

They can also get the FCC to arrest you for running a jammer, so it's probably not a good route.
Carl 'SAI' Mitchell
--Sure they can frame you and implant a device on you, but I would bet (the last & first time I gambled was on penny slots) FCC won't find you for randomized small time periods to do some probing. Also, NSA jammed garage doors (an extremely prominent attack target on your home because it legitimizes the attacker to observant neighbors and the doors behind it are typically unlocked...) and they didn't get charged for a blatant offense. Jamming is a common occurrence on ham bands, and that's just people who have a "legal right to certain bands".

WaelJanuary 21, 2014 11:43 PM

@ Clive Robinson,

I Guess Electromagnetics is the subject du jour...

A single or double layer of aluminium foil is not going to be very reliable for varios reasons.
I think not! What are the reasons? Besides, you mean the tin hat foil I was wearing is ineffective?
If you look at a TV antenna you will see either a dipole or folded loop which is connected to the feedline/coax which goes to the receiver.
Quick! Why does VHF use a dipole and UHF uses a loop?
You need to make up some light weight wooden frames just like those artists do to stretch canvas for oil painting. However instead of stretching
Two things: 1) Don't you think different spacing on the chicken wire (different specifications) will exhibit different frequency responses? 2) Thanks for the verbose instructions, but I'd rather get caught red handed than build this thing :)
@Nick P,
I haven't forgotten about the paper... Not in the mood to read it. I already have a ton of other papers to read, summarize, and analyze or I'll be ...

Clive RobinsonJanuary 22, 2014 5:05 AM

@ Wael,

    I think not! What are the reasons? Besides, you mean the tin hat foil I was wearing is ineffective?

I guess you've never put wallpaper up ;-)

OK you are dealing with two dimensional strips of foil that you are trying to attach to a surface that is unlikely to be 2D but 3D in that it has raises and dips. As the foil is in effect not streachable bows and bellies in the wall will narrow the effective width of the strip.

Which is why you need an overlap, otherwise you have a slot radiator. BUT... aluminium is a very reactive metal the only reason it does not turn to a pile of dust infront of you is the thin layer of aluminium oxide, which just happens to be an insulator. Thus maintaining a good electrical connection over time along the entire overlap is going to be problematical. If you have doubts on this climb on your roof and have a good look at the aluminium elements on your TV antenna, they usually have lost their shine within a year and are usually deeply pitted after a couple of years especialy if other metals are in contact. Also the way aluminium foil is made can lead to pin holes that will grow with time due to movment and thermal expansion / contraction

So you put on the second layer at 90 degrees to the first this means your slot radiators are now mainly --but not entirely-- covered or shorted out. However time and corrosion with movment will have it's way. Thus you put on the next two layers of foil, again crosswise but also with a 50% width offset from the coresponding layer underneath. Doing this also has another effect, in that for RF to get out it has to make a journy of atleast the width of the foil with an unfortunate bend or two. If the foil layers are not shorted then you are looking at an oddly shaped waveguide with a very very narrow apature (I'll let you look up and work out the cutoff frequency).

Yes it's a bit "belt and braces" but the failure modes are silent, so unless you want to re-certify every month or so and then have to do a compleate rebuild when it fails considerably earlier than it would have done...

As for dipole-v-loop it's mainly a matter of choice as you can use either for VHF or UHF, the difference it has on the electrical charecteristics for a receive only antenna is marginal (receiver front ends generaly don't worry about VSWR where as transmitter output stages do).

As for the holes in chicken wire making a difference to the frequency response, yes they do, but it's not realy there for stoping microwave RF it's there for UHF and below and making a reasonable "ground" to conduct current away.

If you look at comercial RF cages for doing RF R&D they often use thin metal sheet which has been put through a press tool to make lots of slits that are then twisted and streached this both increases it's physical size making it lighter but adds rigidity in one direction, as well as alowing plenty of ventalation (which you need it you are working on a 10KW TX and the dummy load is inside the cage). The slits are usually not a problem untill you get up to 10GHz or so.

As for "building it-v-getting caught" as I said it rather depends on "how you view your privacy" and "why". For businesses they don't view "getting caught" as an issue (unless it's a criminal enterprise) no they are more concerned with the leaking of trade secrets, marketing plans, high value negotiations etc, which can seriously effect their profitability and thus existance.

As I've indicated in the past on this blog I use my RF cage not just for R&D work but producing KeyMat as well, and in it I have computers locked up in their own safes.

SteveJanuary 22, 2014 5:41 AM

This probably used to require physical intrusion. Drones would change that dynamic significantly.

I suppose that more generally you need audio countermeasures like a white noise generator. There's nothing preventing this being used as a simple relay for a parabolic microphone, and I think you could use interferometry to distinguish between the generator and an interlocutor easily enough. I would also worry about the quality of the randomness the generator was creating.

Peter A.January 22, 2014 8:08 AM

I had mused once with an idea of lining a section of my poured concrete cellar with sheet copper just for fun... but than I thought what kind of door it would need for proper shielding and how to get power and air inside... too expensive for a "for fun" project.

Aaaarghhh, after the NSA revelations I feel SOOOO exposed now ;-P

@Clive: nice, quite cheap, and practical design of a DIY SCIF :-) One thing that may be missing still - what about power analysis attacks? It could be better to bring a large battery inside and run your computers off it, directly or through an inverter. The battery could be charged when the cage is not in use and all sensitive equipment is off - even by running a cable through open door.

Clive RobinsonJanuary 22, 2014 10:15 AM

@ Peter A.,

    :-) One thing that may be missing still - what about power analysis attacks?

Yes it is a concern, but not one I tend to think about as I use my own design of programable UPS to give me a very clean AC output at various frequencies from 25Hz to 700Hz and 50 to 350 Vrms to test equipment I design.

For those looking to make there own similar UPS have a look at Walsh functions you then take the digital signals and use them to drive various Class D drivers into appropriate windings on a suitable torid transformer (using audio amp grade cores). If you pick the right walsh waveforms the first harmonic you will see is 32 times the fundemental frequency at a very low level. A more relaxed three sequence input will give 16 times which should be clean enough after you put it through an EMC filter. I use modified switch mode PSU's to generate the required voltages for the Class D drivers, however with three sequences and a little lateral thinking you need only one voltage and different driver configurations.

For those who don't want to go that far then get yourself something like an APC 650 and connect a nice thick wiring harness out from the PCB where the battery leads go to a much larger capacity battery. You will however need to make a couple of changes so you don't blow the charging circuit, unless you are going to charge that battery externaly. More expensivly but probably getting cheaper by the day look at a 12/24/48VDC to 220VAC inverter system that is designed to be charged by solar cells for a "green house" of grid system.

JasonJanuary 22, 2014 12:06 PM

There's been some discussion about whether having this information about NSA methods "out in the open" is a good or a bad thing. My general opinion is that it's irresponsible to leak methods which are narrowly-targeted at specific foreign actors, but absolutely ethical to leak methods that target the American public en masse. (The other two cases in the truth table are where it gets interesting...)

So revealing this one bothers me. It's clearly intended to target a specific person or group. It'd be unconstitutional to use it domestically without a surveillance order (and violates NSA's nominal mandate in any case) but using stuff like this on foreign soil is what the NSA *should* be doing.

JasonJanuary 22, 2014 12:13 PM

For those of you who want to counter this device with a Faraday cage: that's great so long as it's in the cage with you. But suppose I plant this in the exterior caulking surrounding your window, or in the weatherstripping under your front door. Is your Faraday cage soundproof?

EKJanuary 22, 2014 12:32 PM

These exploits are all very interesting, but Bruce, maybe you could think about starting a side discussion:

Given: The NSA are a bunch of really smart guys and likely are very experienced social engineers.

So: What if this data dump was planned?

Why: Here's a fruitful playground for conspiracy theorists...could you think of any "national security" objectives (in quotes because IMHO the NSA is a governmental security entity, not a national security entity) might be furthered by releasing all this information. Or, instead of a national security objective, maybe look at it as: what kind of *NSA* objective might be furthered (e.g., budget increase, taking the heat off of another project, etc.).

Thoughts anyone???

BenniJanuary 22, 2014 12:52 PM

By the way, given that

a) we know they have such a radar station in Berlin embassy
b) here on this blog are some people who have expertise with radar tech:

Could you name us some devices that could be useful to investigate possible electromagnetic radar emissions from the berlin embassy? E.g. devices that are able to locate the direction from which such an emission comes etc..?
Since then, perhaps some journalist or some interested tech-nerd can use these devices to look at the embassy.

Iain MoffatJanuary 22, 2014 2:18 PM

@Benni: A spectrum analyser displays a graph of frequency (X axis) versus amplitude - it should detect any fixed frequency signal pointed at its antenna fairly easily. Rohde and Schwarz in Germany have made very fine ones for over 40 years, several are always on ebay.de. Model FSBC ( http://www.helmut-singer.de/pdf/rsfsbc.pdf ) would probably find a CTX4000 or other microwave illuminator pointed its way fairly easily, given that the CTX4000 operates on a fixed frequency with a relatively narrow bandwidth. Within geir limited frequency coverage some units made for the TV industry can also be used e.g http://www.helmut-singer.de/pdf/unaohmep507a.pdf .

One of the major 'problems' with radar in its traditional uses is that the target always sees a much stronger signal (over a one way path) than the radar receiver sees from radar to target and back, so the target can always detect the radar before the radar is close enough to detect it. The same is true for any bug illuminator - to get enough back it must create a very strong signal at the bug site.

Depending on the antenna used with the analyser it can detect signals from all directions (called an omnidirectional antenna and used to determine if the antenna location is illuminated) or only from where the antenna is pointed (used to locate the source). The amateur radio press is full of designs and advertisements for suppliers of commercial antennas. DUBUS Verlag in Germany specialises in the VHF, UHF and microwave ranges in its publications. In general you need dipole or ground plane antennas for omnidirectional use, and "log periodics" or horns for directional use - a dish has too narrow a beam to find things easily.

The spectrum analyser is basically a reciever that is rapidly tuned across the frequency band of interest (over several tenths of a second, or even several seconds) so may not find anything that rapidly switches frequency and doesnt appear where & when the analyser is looking, however. You need to use other approaches to detect frequency hopping and spread spectrum signals, so I am not sure that the absence of strong fixed frequency signals is proof that nothing is happening.

Hope this helps


BenniJanuary 22, 2014 3:09 PM

I've looked at some spectrum analysers on ebay. the good ones cost too much for me around 1000-3000 euros, but perhaps someone other may give them a try to spy back on the us-embassy.
Also, a device for finding the bug signals would be interesting. Then, one could either fake the nsa signal, or after confirmation of it being there, just listening for the bug modulations and go on a bug hunt in Berlin.
Would be very interesting, in which buildings they have planted their bugs. Definitely something, an investigative magazine like "Der Spiegel" should do.

Matt HurdJanuary 22, 2014 3:33 PM

@Benni: These cost less than $300 new and cover part of the range (they miss 3GHz to 4GHz). http://rfexplorer.com/models/

Stops the obvious.

Remember LOUDAUTO is an unsophisticated one using COTS so they are non-attributable. A harder to find thing might use spread spectrum and be beneath the noise floor. They will always be able to find a way.

bottomFeederJanuary 22, 2014 3:42 PM

guys, wake up.

no purpose whatsoever is served by grounding a faraday cage.

google green's theorem sometime if you never had second year calculus much less intro to electromagnetic radiation

google slit antenna sometime

the catalog dates from july 2008. one more time, july 2008. not the CSSM manual issue date, that's on many thousands of documents.

some of the devices are -- notably CottonMouth III -- are not available until may 2009. so the devices are not as dated as they seem. and TAO is very cautious about introducing new devices so a long lag time.

however on the hardware side, i would say you can purchase much better corporate devices on the open market.

on the software side, compare the mickeymouse in this catalog with the 20+ modules in Flame and Gauss and the 80 C&C servers for them.

Matt HurdJanuary 22, 2014 3:49 PM

You could use a Signal Hound tracking generator (up to 4.4GHz) combined with their spectrum analyser perhaps? The CW from the tracking generator may stimulate but what does the return look like? The CTX4000 page notes that they can extract a signal from an off the shelf spectrum analyser, so ideas?

RADCOM Signal Hound review PDF from 2011

The sweep speed is slow though.

name.withheld.for.obvious.reasonsJanuary 22, 2014 4:17 PM

@ Iain Moffat
One of the major 'problems' with radar in its traditional uses is that the target always sees a much stronger signal (over a one way path) than the radar receiver sees from radar to target and back, so the target can always detect the radar before the radar is close enough to detect it.

Not necessarily. Sensitivity, resolution/precision (D/A), and noise immunity along with antenna efficiencies all affect the ability of the target to discern source emmenations. Not trying to be picky here, just saying that budgets play a part (as the fore mentioned typically incur greater costs). I'd much rather have a flash versus SAR A/D, 10GSps with more than 12bits of resolution and a tuned attenna than say an old 10MHz analog scope. Just sayin...

Iain MoffatJanuary 22, 2014 4:22 PM

@ Matt: It should just be an amplitude modulated signal on the CTX4000 (or other illuminator) frequency - the modulation will be the ambient sound in the room. I doubt the LOUDAUTO device has very precise tuning because it is too small to have much in the way of tuned circuits so I would expect a source anywhere in the frequency range of CTX4000 would get a response. The issues with doing it are partly legal -you need to transmit between 1 and 2 GHz to find it - and partly technical - the modulated return is much weaker than the transmitted unmodulated carrier so the receiver or spectrum analyser needs to have very good dynamic range (the ratio between strongest and weakest signals it can resolve at the same time).

The easiest detector would actually be to clone the CTX4000 and make a 1000-2000MHz band transmitter and a direct conversion receiver using the transmitter as its local oscillator (as would be the case with CTX4000 used as a fixed frequency source) automatically removes the transmitter signal and converts the modulation to baseband audio or video. Of course for use to hunt the LOUDAUTO bug at close quarters the source need not be so powerful. In the special case of amplitude modulated audio the signal should be directly listenable with a speaker or headphones - see http://en.wikipedia.org/wiki/Direct-conversion_receiver for a more detailed explanation of a direct conversion receiver. So "all" that is needed is a loud acoustic source to modulate the bug and a combined single frequency RF source and receiver to hunt it.

For comparison, if I read the CTX4000 article correctly the I (in phase with transmitter) and Q (90 degree out of phase) outputs are the modulation converted to baseband which can be fed to commercial test gear to be analysed or decoded. This becomes more necessary if the bug does anything to the audio before modulating the return signal to make it less easy to find in the way I described above.

Iain MoffatJanuary 22, 2014 4:34 PM

Correction to what I wrote above - reading again I see that the Loudauto is claimed to use pulse position modulation (so the microphone signal level changes the timing of a pulse) - so they will need a more sophisticated demodulator than a speaker - my fault for not reading carefully. You would need an oscilloscope to look at the demodulated signal from a direct conversion receiver and find a pulse output possibly at ultrasonic frequency that would vary when the bug is exposed to a loud noise. See: http://en.wikipedia.org/wiki/Pulse-position_modulation and http://www.pcbheaven.com/wikipages/Pulse_Position_Modulation/ - I would actually expect it to be differential PPM as that is easier to synchronise - in that case the gap between pulses encodes the microphone level at that point in time.

RobertTJanuary 22, 2014 5:16 PM

LOUDAUTO sound to me like a simple RFID tag coupled to a suitable microphone. Usually these tags operate at 900Mhz, but the exact peak operating frequency is a function of the RFID's Rx antenna tuning and its fairly broadband anyway, so it would be easy to take generic RFID tags and make your own antenna which would shift the operating frequency for 900Mhz to say 700Mhz.

The problem with these tags is that the return "back-scattered" signal is very weak so detection is normally limited to a distance of about 30m from the tag. The Transmit signal could be mile away and coupled to a good directional antenna but they probably still would use a local receiver say in the same building, next room or something like that.

As for sweeping for these tags with standard bug finding equipment ah good-luck, one of the essential features of RFID systems is the ability to communicate with just one tag in a very "crowded (lots of other tags) space. so the tags have an ID sequence that enables the system to address just one tag and have it respond. So even if you pick the right frequency and illuminate the tag you wont get a response unless you know the device ID.

In terms of bugging this means that an agency could deploy hundreds of these devices in a building and address just the tag they wanted. Think of a typical hotel, I could bug every room and put a local RX unit somewhere in the hotel maybe attached to the hotels WiFi (for a free return over the internet)

To activate I park outside the hotel and illuminate the hotel with a suitable frequency TX beam and address just the tag that I want. The Perp can bug sweep the room all they want they'll never find the bug.

If you have never seen an RFID tag than make a point to get hold of one, they are typically a sticky label about 2inch by 4inch and have a
printed antenna (vacuum deposited Aluminum on the plastic tape, the RFID chip is bonded directly to the tape so there is no noticeable pump) This product LOUDAUTO would require a separate microphone and mic amp and probably a sigma-delta ADC that directly generated the necessary PPM modulate audio. The whole thing could be thin enough to stick to a wall and maybe even wallpaper over it. the tricky bit would be the microphone but there are plenty of cell phone mics/amps that are very thin and very low power where even a pin hole in the wall paper is all thats needed for the mic to work (look at your cell phone mic)

Someone mentioned detecting these bugs because of their non-linear response. This might work but the return energy would be very low level. The problem is that the tags need to protect themselves from self destructing when the TX is too close, so they include a circuit to de-Q the antenna and load it, this is typically a FET across the antenna that has its RDS-ON (effective series resistance) controlled by the voltage regulator on the TAG, google shunt-regulation if you want a more detailed explanation)

OK so this means the device load looks linear so there will be limited frequency splatter due to non-linear mixing. however it does suggest that a specially built system could specifically look for the load signature of the RFID tags voltage regulation circuit, it needs to react quick to clamp the Rx power but relax fairly slowly. Sounds like a suitable sequence of Tx pulses could identify the load change.

Maybe I need to try this....Anyone interested if I find a way to detect these?

Matt HurdJanuary 22, 2014 5:54 PM


Interesting, thanks. It sounds like a sweep and detect on an inexpensive SDR platform could work for it. The LOUDAUTO page notes it can be listened to via a COTS portable spectrum analyser with FM demodulation capabilities, so that doesn't seem too hard. It depends if @RobertT's hypothesis is right and it needs a wake-up ID or some such.


What you say makes sense and the CTX4000 could generate a wake-up ID that a simple shift register could agree to like some garage door openers. Perhaps they keep it simpler/smaller and it is not that clever as they only deploy handfuls yearly if the 280 or so TAO op count in the docs disclosed is correct?? Hmmm, maybe one op covers a hotel or country or continent though. At a $30 cost there is little disincentive to not leave them everywhere that suits.

RobertTJanuary 22, 2014 5:54 PM

BTW I'm not talking about the device in the picture rather what it has probably evolved into, I'm thinking the picture is some prototype. The pictured device looks really clunky and does not include the antenna.

BenniJanuary 22, 2014 7:39 PM

One could detect them probabily after one has carefully studied the radar emitter. Since we know where one is located (us embassy berlin) this should be studied by someone in a first step. after one has replicated the signal, one can then go on bug searching.

BuckJanuary 22, 2014 9:34 PM


I'd be especially interested if you find a way to detect these in the common anti-theft RFID tags you find everywhere these days... Apparently even in my $4 can of coffee!

Perhaps a proprietary publicprivate key database could be utilized to track the progress of goods from P.O.S. to anywhere with suitable RFID infrastructure... Where it could then be called on with the proper secret knock ;-)

WaelJanuary 23, 2014 2:02 AM

@ Clive Robinson,

I guess you've never put wallpaper up ;-)
Thats actually true! I don't remember ever doing that. Your explanation makes sense, though.
As for dipole-v-loop it's mainly a matter of choice
Loop antennas react mostly to the magnetic field component of the Electromagnetic wave. In modeling, they represent an ideal current source (zero resistance, constant current) — Impedance is typically 300 Ohms (Ohm, where the heart is :) ). The output Current of the antenna is proportional to the H field.

Dipole (or monopole, if you compare it to a single loop antenna) antennas react mostly to the Electric field component of the Electromagnetic wave. In modeling, they represent an ideal voltage source (infinite resistance, constant voltage) — Impedance is typically 75 Ohms. The output Voltage of the antenna is proportional to the E field.

In a way, the loop antenna is the dual of the monopole antenna, just like the current source is the dual of the voltage source, and the E (Electric) field is the dual of the H (Magnetic) field.

That still doesn't answer why UHF indoor antennas are Loop antennas, and VHF indoor antennas are bipolar ones. Some of the links below may answer that question. In other words, I haven't the slightest clue ;)


Clive RobinsonJanuary 23, 2014 5:11 AM

@ Buck,

    I'd be especially interested if you find a way to detect these in the common anti-theft RFID tags you find everywhere these days...

They are actualy fairly simple to find, the problem is recognising that you've found one.

As @RobertT has pointed out RFID and these NSA bugs work on the frequency the antenna resonates at.

Now as I've pointed out several times before on this blog it's been known for well over three quaters of a century how to find a resonating circuit it's known by the quirky sounding name of a "Grid Dip Meter". The principle it works by is simple, you have an oscilator where the inductor is exposed to free space, if there is another (powered or unpowered) resonator at that frequency close by then it couples into the field surounding the oscillator inductor and changes the behaviour of the oscilator in a measurable way.

Now this will respond to any tuned circuit it is close to which is a touch problematical because any and every conductor and some non conductors (dielectric resonators) have a basic pair of resonant frequencies (series and parellel) and will also resonate at harmonic multiples of these frequencies (which is why the "illuminator" covers an octive frequency range).

So you will get one heck of a load of "false positives" without going into long winded explanations there are various ways to reduce the problem and multiple usage of such methods quickly eliminates many of the false positives.

You can extend the idea and range of a grid dip meter by making a so called "Homodyne receiver" with something like a dual gate FET and you will see these in the likes of those DIY devices that find nails and pipes and wiring in walls and can also distinquish between powered and unpowered wiring.

Essentialy what the Homodyne receiver does is use an "on frequency oscillator" to drive a mixer, when on frequency this down converts the RF signal to a DC signal (giving signal strength) and thus will show any "envelope modulation" on top of this. However any difference in phase of the two signals will also cause the signal level to change so phase modulation will also be recovered. Further any frequency difference between the RF carrier and oscillator will produce a "beat frequency" which means that Frequency Modulation will also be recovered.

Another frequently seen Homodyne system is on traffic lights this is often called a "Doppler Radar" (though it should not because all it detects is velocity information not distance or range). Basically you have a length of X-Band wave guide that is shorted at one end and open at the other. Mounted an appropriat distance from the "back wall" short is a Gunn or IMPAT diode, due to "negative resistance" effects the diode oscillates with an output of between 1mW and 250mW in the microwave band which travels down the wave guide to the open end. Usually a horn or similar antenna radiates this for some reasonable distance. Also mounted in the wave guide is one or more "detector" diodes, part of the oscillator energy biases these on and off at the oscilator frequency. However as the old saying goes "what goes up, must come down" the oscillator signal that is radiated out the front will bounce off objects and some of it comes back into the antenna and down the waveguide to the detector diode, where it mixes and gets demodulated as a DC signal, unless the object it reflects off is moving... In which case you get an audio tone proportional to the velocity of the object to --or from-- the antenna (with a single detector it's not realy possible to know which way just from the tone, but a change of amplitude over time will give an indication). These simple devices with care will work upto around 50meters with small horn antennas and over 200meters with higher gain antennas (I built one using a long helical antenna back in the 1980's which could detect aircraft over London without problems)

Getting information out of a homnydine receiver can be difficult with a single mixer/detector, however using two detectors with a 90degree phase offset will turn it into a simple I/Q receiver and DSP processing of the outputs will give all the missing information.

So building such a system is actually not that difficult and will work comftably in even large rooms. You can by and slightly modify a Software Defined Radio to do the RF front end and use a PC with decent quality sound cards to do a chunk of it (though many modern SDR's have much wider bandwidth AD converters and dump out the data by ethernet or USB2/3). So all you have to do is write the software...

But what is the software going to look for?

Thankfully it's not a 64,000 dollar question. Firstly it needs to differentiate ordinary mains wiring from other wiring. Like the little DIY detectors you look for "mains frequency" signals in a stable phase relationship to that coming out the wall socket (or ceiling light etc) Usually getting a refrence just requires a neon light and a photodetector, or photo detector pointed at strip lights etc. You should check to see if data is hidden at the "zero crossing" as there are bugs that do this and they are going to get more prevelant with time.

You then need to check for PC and the like wiring, this is where the fun starts because some of the bugs are designed to "amplify" the data signals you will see from keyboards and displays... That is a real bug to do this is going to look very similar to just the ordinary wiring response, and unfortunatly if the evesdropper can get sufficiently close with their receiver they don't need to have a buging device at all... (and their transmitter could be miles away with sufficient ERP)

A physical bug that is not keyed will reveal it's prescence by it's unknown modulation mainly as AM.

However even a keyed bug whilst it will not send data will reveal it's prescence due to a number of factors, I've detailed these in the past when talking about the dangers of RFID passports so I'll give just an overview.

The bugs like RFIDs have sensitive electronics connected to the antenna which means they need protection circuits of some kind, even if it is just nonlinear behaviour of a semiconductor.

By moving the frequency of your oscilator and by changing it's power you can enumerate the chip/device in use. The device can not hide from this without the use of antenuators and the like which would stop it functioning as required...

The "Smart Card" and "RFID" manufactures have known this and "kept quiet" about it for atleast 30years and have published deliberatly misleading "research papers" to keep it hidden. It has nothing to do with NSA preasure, just ordinary commercial preasure we saw with the tabbaco, automotive and drugs industries "not wanting to kill the goose that lays the golden eggs".

I once made myself very very unpopular at a major European Confrence when I "called out" one of the major companies "security research specialists" at the Q&A session of the presentation of her "white wash" paper. She did not like me calling her "either negligent or a lier by ommision" infront of three hundred or so deligates... Needless to say "my card was marked" and I could not get tickets for other related industry confrances...

I am wondering if similar is going to happen at the EMC/RSA conferance ;-)

Clive RobinsonJanuary 23, 2014 5:48 AM

@ Wael,

    That still doesn't answer why UHF indoor antennas are Loop antennas, and VHF indoor antennas are bipolar ones. Some of the links below may answer that question. In other words, I haven't the slightest clue ;)

As I said it's a matter of choice for RX antennas where VSWR due to mismatch on the feedline makes little or no difference to the average FM Radio or TV (it does make a difference when working long distance in a power constrained system such as Amature Radio EME or troposcatter working).

Thus things like element lengths and material costs are more relevant. Look at it this way which is easier to work with two 72cm lengths of ali tube or 3meters of ali tube that has to be bent in the right places and needs extra, stronger and more complex fixings to the boom due to extra windage, electrical balance etc etc?

There is also the question of polarisation to consider as well as when it comes to the antenna gravity comes into play on the mechanics. FM Radio used to be predominantly vertical polarisation for car and portable radios (as did early VHF televison). UHF TV learned from VHF issues and tended to be horizontal, partly because it means the antenna can sit closer to the roof of a building and thus look less obtrusive and in part it helps to reject man made interferance as well as some multipath due to structures (which is one reason relays into hard to reach places are often verticaly polarised where multipath is more to do with surface/ground refections etc).

As for transmitters... as I said VSWR is important as is ERP which means stacked antennas forming collinear arrays thus the antennas tend to have very thick elements (decrease radiation resistance and broaden bandwidth) or slot radiators in both cases with either broad band balluns or narrow band tuning stubs. Perhaps oddly the need for high ERP for a modest feedline power can cause signals to be quite weak in the mast shadow, which is usefull with consumer front ends that don't have great dynamic range.

As for ERP as a rough rule of thumb each time you double the number of stacked radiators you halve the power for the same receive signal strength which means that a lot of that wasted power that heats the sky and wanders off into space gets redirected to those listeners the advertisers wish to reach for a lot lower electricity bill thus more profit ;-)

turingturkeyJanuary 23, 2014 1:08 PM

If I understand this correctly we illuminate the target device which amplitude modulates the backscatter with a position modulated pulse train which we can pass through an FM demodulator to recover the audio.

If we need to deploy multiple listening devices we assign each one a different non-overlapping PPM frequency.

Sweeping for such devices would be as simple as illuminating the target area and viewing the return on a spectrum analyzer for any peaks corresponding to the PPM trains.

I'm sure someone has already though of applying spread spectrum techniques although this might come at the cost of increased complexity and power consumption.

For the hobbyist gnuradio implementation I think we'll stick with plain old PPM.

Matt HurdJanuary 23, 2014 3:49 PM

I think TAWDRYYARD answers the question about ID. It is the NSA "tag." Its sheet talks about a future version adding a "unique target identifier" for automated scans of an area.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..