Building Retro Reflectors

A group of researchers have reverse-engineered the NSA's retro reflectors, and has recreated them using software-defined radio (SDR):

An SDR Ossmann designed and built, called HackRF, was a key part of his work in reconstructing the NSA's retro-reflector systems. Such systems come in two parts – a plantable "reflector" bug and a remote SDR-based receiver.

One reflector, which the NSA called Ragemaster, can be fixed to a computer's monitor cable to pick up on-screen images. Another, Surlyspawn, sits on the keyboard cable and harvests keystrokes. After a lot of trial and error, Ossmann found these bugs can be remarkably simple devices – little more than a tiny transistor and a 2-centimetre-long wire acting as an antenna.

Getting the information from the bugs is where SDRs come in. Ossmann found that using the radio to emit a high-power radar signal causes a reflector to wirelessly transmit the data from keystrokes, say, to an attacker. The set-up is akin to a large-scale RFID- chip system. Since the signals returned from the reflectors are noisy and often scattered across different bands, SDR's versatility is handy, says Robin Heydon at Cambridge Silicon Radio in the UK. "Software-defined radio is flexibly programmable and can tune in to anything," he says.

The NSA devices are LOUDAUTO, SURLYSPAWN, TAWDRYYARD, and RAGEMASTER. Here are videos that talk about how TAWDRYYARD and LOUDAUTO work.

This is important research. While the information we have about these sorts of tools is largely from the NSA, it is fanciful to assume that they are the only intelligence agency using this technology. And it's equally fanciful to assume that criminals won't be using this technology soon, even without Snowden's documents. Understanding and building these tools is the first step to protecting ourselves from them.

Posted on June 23, 2014 at 6:51 AM • 28 Comments


noonneeJune 23, 2014 7:53 AM

To prevent such attacks and bugs we'll have to go back to physical protection of every computer in some office being the key. Maiden attacks will be more and more common.

wiredogJune 23, 2014 8:18 AM

it is fanciful to assume that they are the only intelligence agency using this technology.
Which is why Snowden should be trying to get out of Russia. He's blown at least one intel gathering operation that the Russians were probably duplicating, because they would be targeting the same groups. If any Russians get killed as a result he's going to have a very bad time.

renkeJune 23, 2014 8:26 AM

@wiredog But where else should Snowden go? On (probably) behalf of the US even Morales' air plane was searched in Vienna on the tour from Russia to Venezuela.

noonneeJune 23, 2014 9:08 AM

@renke: change hair, clothes, beard, take a false id, go to Ukraine, take a false passport, go to Argentina and live long there...

JacobJune 23, 2014 10:02 AM

If is fairly expensive and not overly convenient to shield a system from such an attack.

It would be much better to carry a small RF/Radar detector in the room to sense the probing beam - a beam that must be of fairly high power in
order to get meaningful reflection off the implant.

Such a "radar detector" should be a fairly low cost gadget, even when covering a wide frequency band of say 1-5GHz range. When the alarm goes off, you know you are being probed and it's time to look outside the window for the black van.

BenniJune 23, 2014 10:10 AM

One problem: if these are on the free market, they get cheaper. That way, the NSA has it more easy todistribute them en masse...

@wiredog "He's blown at least one intel gathering operation that the Russians were probably duplicating, because they would be targeting the same groups."

If you mean these bugs, then you are totally wrong. For the reason that it was not NSA who invented these, but they are merely a advanced copies of the russian things that americans found in their russian embassies.
I think that theremin's original listening device still has some advantages to these NSA bugs, since it works completely passive and does not need any current supply at all. With theremin's thing, you can even bug some old hut without any current. Certainly, the russians will also have their upgraded versions of this.

ChrisJune 23, 2014 10:17 AM

Hi in one of the Spiegel files there was an intresting document that was a history from 1947-1968 and what and what not can be declassified, it was for me a very intresting file to read!

However this TEMPEST techonology as far as that file was concerned using RADAR reflections if you will is VERY old stuff.

I too was thinking about a RADAR detector, but which band/bands :-)

SimonJune 23, 2014 11:29 AM

Fiber optic cable to visor. Can't intercept signals on cable, can't scrape sceen, can't put CCTV to watch. Have to get video RAM but that's even easier to lock down.

Clive RobinsonJune 23, 2014 12:10 PM

Like one or two other people on this blog I've known how to build and detect these devices for quite a few years well preceding the Ed Snowden Revelations [1]. And I have mentioned on the appropriate TAO pages that Bruce has put up in the past not just how they work but how to detect them as well, and improvments I have designed to make them less detectable.

In essence the way to understand these devices is as a high Q tuned circuit connected inbetween the two elements of a dipole antenna.

When an RF signal is directed at such a device the antenna couples some of the energy in the EM field of the RF signal into the tuned circuit where it is stored. The tuned circuit uses this energy to maintain it's resonant frequency oscilations, which need not be on the same frequency as the RF signal. Because of the bidirectional nature of transducers the energy in the tuned circuit gets re-radiated back out of the antenna into what is often called "free space".

Such effects are used by the passive devices used in shop / store anti-theft tags and which are detected by those frames by the store doors.

Now as indicated the device re-radiates at the frequency of the tuned circuit, not the RF signal that energises it thus the addition of a variable capacitance or inductance that varied in sympathy with another signal such as room audio would cause a FM signal to be radiated carrying the audio as the FM component.

Another method is to use the antenna as the tuned circuit and just put a variable impedence device between the two elements that form the dipole. This has the effect of changing the antenna impedence which in turn varies the amount of energy taken out of the EM field and likewise put back. The result is like a form of AM modulation. A simple way to do this is to use a FET drain source across the antenna and the gate be driven by a voltage signal. As the power required to drive the gate can be in the nanowatt range it is easy to see how a very small battery could last almost indefinately, and as with a digital watch also include some interesting additions good for a year or three.

Two important things to note, firstly all these devices take energy from the EM field of the RF signal and are thus detectable. Secondly whilst the RF signal may be highly directional the re-radiated signal is not which provides another method by which the devices can be detected. However all wires act like antennas and have their own resonant frequencies so the detection methods need to be augmented by other device charecteristics to reduce the false positives and this is where the fun of using modern broadband IQ receivers backed up by DSP comes in.

This "extra charecteristics" dimension is problematic which is why I was looking into the design of systems that only become active when two RF signals are present one of which is modulated by the equivalent of a SelCall signal which activates the device.

Perhaps I should put forward a presentation for DefCon or equivalent, but then that would involve traveling to the USA which I would rather avoid thses days for fairly obvious reasons.

If people want to know more then in a few days when this page has quietend down I'll be happy to answer them or give pointers to further information.

In the mean time read up on "Grid Dip Oscillators" as to how they work and what you can use them for, then have a read about "Parametric amplifiers" and how they work and you should then have a good insight i to the basics of Theramin's Thing, and the subsiquent TAO devices that are to be honest, were well behind the technical curve back at the turn of the century.

[1] Back in the 1980s an argument between a retiring technical specialist and MI5 over reconable service for pension rights caused a problem. The specialist decided to write a book to try and cover the significant shortfall in income. The then UK Prime Minister Margret Thatcher went balistic and as a result made herself a laughing stock by trying to get the book banned. In the end all she managed to achieve was to give Peter Wright's "Spy Catcher" international publicity that could not be bought by the best advertising agency or publicitist. The book gives a lot of information on the "Great Seal Bug" that ended up being called "The Thing" which is now on display in the NSA museaum with little informmation on the fact it was the UK scientists that not just reverse engineered it but designed and built new improved versions. One person involved with this was Peter Wrights assistant Tony Sale, who latter went on to rescue Bleatchly Park from developers who had aquired the site from BT, and thus saved a lot of history not just about cryptography but computers and clandestine uses of radio.

Wyatt StorchJune 23, 2014 1:08 PM

Possible countermeasure for low-tech retro-reflector bugs; use your own SDR and sweep its transmitter frequency, looking for something that responds. Then continuously sweep the receiver, looking for anything transmitting your way.

While not up to the specifications of the excellent-looking HackRF board, a $20 usb SDR might serve the purpose. For hobbyists, the frequency range can be extended with plans shown here;

While the idea is old and might seem low-tech or brute-force, the utility of a bug that stays quiet until it is queried seems pretty powerful.

The weakness of an unpowered bug is that it needs to be illuminated for long periods of time with a fairly powerful and therefore readily detectable RF transmission. A battery or system-powered bug might be a lot more advanced, it could be built to collect data and only transmit in burst mode when it is addressed, minimizing the detectable emissions. Constant monitoring might catch that ...

Anyway the $20 dongle could be handy for testing shielding if that's your defense, particularly because shielding across a wide frequency range is likely to be pretty difficult.

Wyatt StorchJune 23, 2014 1:31 PM

P.S. -- I found this tantalizing tidbit at the article linked to;

"Joshua Datko of Cryptotronix in Fort Collins, Colorado, will reveal a version of an NSA device he has developed that allows malware to be reinstalled even after being dealt with by antivirus software. It works by attaching its bug to an exposed portion of a computer's wiring system – called the I2C bus – on the back of the machine. "This means you can attack somebody's PC without even opening it up," says Ossmann."

A cursory search shows that on some video cards there is an I2C interface implemented on the video output connector terminals, and another source asserted that SMBus is implemented in laptops as part of the charging circuit, and that it is almost identical to I2C. Hmmmm. Another hangar door left wide open, if the blurb isn't exaggerating. (It depends which devices are attached to the bus and what their capabilities are.)

RRJune 23, 2014 8:52 PM

Wyatt: The I2C on video cards is usually implemented as part of the video chipset and would only be polled at boot time by the video driver. The system's main I2C bus (called SMBUS or System Managemenet Bus) however goes to the PC's chipset and is constantly used. Temperature and fan monitoring, fan speed control, frequently LEDs on the front panel. Also each memory DIMM/SIMM has a small I2C eeprom on it that contains configuration data, the SPD, or serial presence data, which is used to configure the systems memory.

I could see how someone might have analyzed the code that polls I2C devices and found a way to inject an exploit in the data... that code probably has only been tested to the level of "it works, so ship it" due to pain of testing odd data coming in off the wires.

RhialtoJune 24, 2014 5:23 AM

@Clive Robinson: no need to go to the USA for DefCon. You can present something at the CCC congress (between christmas and new year), or the CCC camp (hopefully next summer again).

Mike the goatJune 24, 2014 4:13 PM

Clive: are you suggesting that you suspect you may be detained upon visiting the United States? Just curious. Not that they'd be able to break an old hand such as yourself ;-)

ConstructorJune 24, 2014 5:11 PM

Retroreflectors are easy. And for a few meters of coverage, no fancy powerful transmitters are needed. Few months back I built a retroreflector "repeater" on a whim. It allowed the communication between 433Mhz amateur radios and 446MHz PMR radios. If the local osc in it ware to be FM modulated with, say the data line from a keyboard, one would get nice 2FSK data transmission from it.

I built one on a whim, but I got the idea from VU2NAN's blog.

The VU2NAN design can be made to FSK by just connecting a cap and a diode in series and connecting the bundle in parallel with the crystal.
Applying the data between the cap and didoe would FSK it, and a retro reflector bug would be born. All it takes is the idea.

Here's a picture of my retroreflector repeater toy
It really is that simple.

FigureitoutJune 25, 2014 11:00 PM

If people want to know more then in a few days when this page has quietend down I'll be happy to answer them or give pointers to further information.
Clive Robinson
--I'll bite since no one else is asking questions, reminds me of class when I feel pressured to ask a question out of respect to the teacher...(thanks to those that link to other sites and the "constructors" giving practical advice). How did you make the devices less detectable (I'm pissed b/c I can't recall what I just heard about some modern advances avoiding RFI issues, which wasn't mind-blowing but interesting, and of which there are quite a few at work lol...)? Had some issues where a product was transmitting, signals were blocked from faulty install, and it would continue seeking an acknowledgement. Should've quit, but on top of that there's some "mystery noise" on scope readings that I really want to solve (killing me); probably meaningless to you but I hope some of my thoughts are extremely wrong... Milliseconds of transmitting (which it's doing way too much) kills batteries (unless they're high quality and big) so presumably your devices are transmitting small distances and "hitching a ride" somewhere on a device or band w/ AC power...The biggest question in my view is "where to look", and like you pointed out a "dipper" looking at resonant frequencies would help, but there's so much bandwidth for bugs so the advantage is still in the attacker planting a bug...

RE: offering a Defcon presentation
--Do it, or just put up a youtube video. Are you saying you can't anonymously post a video..? I'd like to hear your voice and see if I'm right... :p

RE: Tony Sale saving some history
--Going to get a little awkward so apologies...have you made any arrangements to preserve your history? Or is it going to the family hopefully not to rot in an attic somewhere..?

Clive RobinsonJune 26, 2014 12:23 AM

@ Mike the Goat,

The last time I went to the US on business I had a "gold" backup CD of software that was being developed for use by one of the then major cell phone providers that enabled movment tracking of mobile phones. I was asked by customs what was on the CD and I told them it was a backup of software. They had a good look at the letters and other paperwork about it and spoke to a supervisor befor taking the docs and CD away for a little while to check it in a back room...

Thankfully they did not take away the laptop which also had another more uptodate copy of the software backup on it.

On getting to the hotel I checked the laptop copy was OK and then trashed the CD before throwing it away.

As readers will know I've moved on since then, and also amongst other things I generate KeyMat of the OTP variety and other security solutions etc. Readers will also know long prior to the Ed Snowden revelations I had good reason to state I didn't have faith in anybodies abilities to be able to secure a laptop against a level three / state level player.

Thus I'm of the view that I'm to old to be playing stupid games with US or other nations border thugs, and thus have little wish to have any contact with them. Especialy if I've drawn a target on my back by putting my name down as a speaker about anti-servailance to a Black Hat or other conferance as has happened to other people in the past.

Further like Nick P, I don't regard any EU countries as safe these days for that sort of thing either, the US has shown it's ability over many years to get people arrested in the likes of Italy on quite minor charges and then apply for extradition etc keeping the person effectivly imprisoned abroad away from legal support etc (just another variation on "Rights Stripping).

I'm also personaly aware of US DOJ supplying falsified electronic evidence to other nations police forces which has been used in court to try gain false convictions. And I've seen personaly what it can do to destroy the life of somebody, even though they are innocent, and were always able to show they were.

So whilst I may not be currently "actually at risk" (though I have had some of my comments censored by Google for DMCA reasons which means I'm a "person of interest" to some one prepared to fill out the required paperwork) I don't see the advantage in upping my risk without good reason.

Clive RobinsonJune 26, 2014 8:46 AM

@ Figureitout,

With regards finding bugs, basic physics tells you a lot...

Specificaly power is energy used by time and most things that do "work" are transducers --that convert one type of energy to another-- and are usually highly inefficient and thus radiate waste energy often as heat or in some other radiant form that is usually --but not always-- omnidirectional.

Further aside from potential energy of a mass in a gravitational field, most energy storage devices are also transducers and as a result are leaky and degrade with time. Thus their stored energy has to go somewhere, often as radiant heat. Electronic devices are known to be inefficient in the real world and thus when connected to a power source will emitt heat above ambient, the smaller the device the more the thermal difference will be for the same energy loss, thus hiding the heat signiture requires carefull planing by an attacker, and aside from myself I've not seen obvious signs that other attackers even try...

The question then is, this usually omnidirectional, radiant heat --which conducted or convected heat eventually becomes-- is a signal in a noisy environment, what does it take to detect it sufficiently well that false positives and false negatives are managable?

Even cheap commercial pyrometers are good to fractions of a degree these days, the problem is having them sufficiently close and narrowly focused such that the warmer than the environment active electronics etc stands out (which with care by the attacker will be as near minimal as possible, which is one advantage of these semiactive radar reflector bugs[1]).

There is also a secondary thermal consideration which helps finding all types of bug, which is how fast objects move from one temprature to another, that is how long do they take to cool down or heat up when the environment they are in is changed fairly rapidly and significantly. Silicon or other semiconductor medium changes more slowly than metals and faster than most insulating materials. Further the ability of an object to move heat to obtain thermal equilibrium is dependent on it's density, that is a copper tube will not be as efficient as a solid copper rod of the same external dimensions.

This knowledge can be used to find even passive bugs such as the Theramin Thing, simply by temprature cycling and integrating the image over time from a thermal camera and subjecting it to software transforms to lift the signal from the noise. It will also find voids and other hiding places such as holes drilled for hidden mics and cameras etc.

Another thing to remember that can be exploited in bug finding is the equivalent of "red eye" in photos. It is caused by internal reflection caused by focused optics sending back an illuminating signal back along the same axial path. The same applies to all radiant energy transducers, so even microphones can be pinged out as can antennas matched to transmission lines and receiver front ends, the problem is building the required sensors with sufficient directionality to be usefull at reasonable ranges.

Finaly electronics has another issue, which is that of magnetic and electrostatic fields and permiability differences. You would be surprised at just how many bugs can be found with a $5 nail/pipe finder you can buy down at your local hardware store, and even a cheap "boy scout" compas will show up hidden objects just below the surface of a wall or ceiling etc.

As I've said before all wires are antennas at some frequency and believe it or not so are lengths of dieletric materials etc including wet organics like a six foot plank lest out in the rain or human being ;-) This gives rise to a problem with using just a GDO as it will give lots and lots of false poitives. The traditional way around this problem is a "non linear junction detector" which relies on the fact that the square law behavior of most electronics causes harmonic signals to be generated. Thus if your GDO has a very clean spectral output and you have a detector tuned to the second harmonic, the GDO will register a piece of wire etc at resonance by the dip, but the lack of a harmonic signal will indicate it has no electronics connected to it, so it is most probably a false positive not a bug, if there is a second harmonic then unless it's got an oxide join between two conductors [2] then it's worth investigating. Another technique I've not seen used much is Time Domain Reflectometery or TDR, it is in effect an Ultra Wide Band technique. Simply you generate very high energy very narow pulse width signals from a wide band directional antenna. If it's pointed at another antenna connected to a transmission line then you will get atleast two time seperated reflections from it. The initial reflection is from the antenna and a delayed version from the signal bouncing off the load at the other end of the transmission line (sort of RF Red Eye detection). A broadband IQ reciever will with appropriate DSP algorithms ellicit quite a large amount of information about the antenna, transmission line and receiver/transmitter that is the distant load. It will for instance show up bends or compression of the transmission line.

There are all sorts of other tricks however many are still classified in the likes of the US even though knowledge of them is in the open community else where (if you can read Russian as a friend of mine can then you will find there is quite a bit of info available up on the web).

The anoying thing for those TEMPEST trained in the US is not being able to talk about things untill some independant researcher has put a paper into the public domain (if from a classifed source that's been leaked like the Ed Snowden revelations it still can not be talked about or even looked at...).

For instance TEMPEST design rules are all based on knowledge of physics etc that has been around for over a century. However having done the courses quite a few bright engineers discovered they were nolonger alowed to talk about "the bleeding obvious" because it was "classified"... One such is the issue to do with the difference between the bandwidth of a signal and the bandwidth of the channel it is traveling in. Take a simple serial signal, its baud (not bit) rate is general defined by the narrowest pulse width of the transmitted signal. However to get a realistic squarewave down the wire the transmission bandwidth has to be many times greater. The consiquence of this is that even though you cannot change the baud rate very much, you can change the waveform symetery over a short duration, thus you can phase modulated the signal edges to carry a hidden signal. You can also in non continuous transmission systems move packets of data backwards and forwards in time creating a time based signaling channel. All of which is fairly obvious when you think about it. However most engineers don't go on to think about the systems on the end of the channel. Thus the covert time channel if low frequency enough will pass though that system and out onto the next communications link...

Untill Matt Blaze and some of his students built a keyboard bug that clearly demonstrated this going through a PC and traveling across several network hops it was supposadly "classified" and engineers that had done TEMPEST course were not supposed to talk about "Clocking the inputs, and clocking the outputs" which partialy cures the problem (fail hard on error being another).

In fact on reading the paper at the time I was left with the feeling that some one close to the group had, had such training and was using the paper to give a "mono digit hail to the chief" salute. As it was not just the transparancy bit of TEMPEST that had been outed, but also the use of Spread Spectrum / Stream Encryption on the covert channel to make it very much more difficult to impossible to detect...

But you also have to watch out for some TEMPEST Gurus who have set up shop on the Internet. Some make claims that are there to no purpose other than to fool those who have no knowledge. At least one in the past has made claims of confidential clasified briefing of congress and letting out such secrets as a -174dBm limit (look up thermal noise in a 1Hz bandwidth[3]) that a second year engineering graduate would raise an eyebrow to realising that it was just "snowing the gulible".

With regards the circuits given by constructor I've mentioned similar before to you with "anti-parellel half wave diode mixers". Although the circuit given will work "sort of" it can be improved by providing a return path from the other side of the diode back to the oscilator. If you look at the "fox hunt antenuator" circuit the author provides you will see an example. Also if you look at the other link for a passive repeater for using a hand held walkie talky without removable antenna you will see it's the same as the ones I've mentioned before for passive television repeaters and those used by AQ/Taliban when avoiding ground based troops trying to DF locations etc.

[1] As I've said before I object to the use of "radar" in the title as it is incorrect, it's effectivly a "re-radiator" repeater.

[2] Early non vacuum rectifiers were made by forming black copper oxide on one side of copper disks and then stacking several up under mechanical preasure. Early VHF televison antennas suffered from similar problems that would cause mixing problems with strong local signals causing in band spurious signals.

[3] For instance,

Mike the goatJune 27, 2014 5:00 PM

I knew this thread was going to get interesting. ;-)

Clive re US visit: I understand. re TEMPEST: I don't understand why emsec is such a dirty word. Given it has been known about since the 50s and probably earlier and entered the public lexicon probably in the 80s after Van Eck demonstrated how insanely trivial it was to exploit the emanations of a CRT, I just don't see why the government persists with trying to maintain the confidentiality over something which is pretty much already public knowledge. The horse has well and truly bolted!

Nick PJune 27, 2014 7:20 PM

@ Mike

Indeed. Most accounts, like this, put it around 1914. It's long past due for majority of engineers to understand this threat. Attackers moved on to active attacks with radar and ultrasound while defenders haven't gotten passive attacks down yet.

FigureitoutJune 28, 2014 12:07 AM

Clive Robinson
--Wow..damn...damn good post Clive; one of your better ones for as long as I've been around (I haven't gone thru all the archives). Unfortunately I can't reciprocate w/ a pleasurable response as I'm focusing on other things and I realize my limits (which are obviously smaller than yours). It's good though, I'm letting go of the OPSEC and getting into better my computer which I hope to very elegantly guide the reader for a nice ride along a pretty computing system. Didn't answer my questions but it's ok. So, apart from some other things, I notice you are quite fond of spread spectrum; it's a quite interesting concept, quite useful.

Next, let me see people? Look how Clive wants to help people learn, it's incredible. Why he didn't become a life-long professor is beyond me, he would've been legendary...Most of his life he was legally prevented from speaking, literally could be he's giving them the 1-finger salute and spilling all kinds of secrets and there's nothing they can do.

And next, some little nitpicks. It's quite sad so many people are censored, they can't even speak about what they do. But worse, and here's where I get a little deep, they are hiding physics, which is physical knowledge of our universe...tell me that won't ultimately bite our species in the ass. We are deliberately letting so many people live in ignorance of physical knowledge of our universe; for "security"! Thankfully there's so much info that it really doesn't even matter and those of us on the outside can speak freely and have fun while they have to live w/ the threat of some bureaucrat cracking down on them lol...keep your work "secret", no one cares haha it's probably not even interesting as academics and commercial is starting to beat gov't projects.

Next thing, the heat and detecting a bug. I can't really get into the topic like I want here, but false positives really pissed me off. Didn't want to waste my time when I get so many false positives, felt like trolling. It's an absolute mess out there anyway, total chaos; when I get my own place it's going to be different but still subject to killing all power, spewing harmful radiation killing my sensors. But real-time surveillance, which is the ultimate nightmare, can change up bugs and switch up the bug for the detection method.

Lastly, and here's where you're really getting me worried. In my Unix class, I had a bunch of little projects, all of which were small and didn't involve a lot of code or complexity. Yet one time I got an error message I never saw before and never had it explained...clock skew...Hopefully it was my crappy coding but I don't recall what I was doing w/ any clocks. I always logged in to the supercomputer over the internet so it makes me really nervous to think it got infected w/ a side channel...And yeah I remembered another of your ominous lines from a long time ago, "clock the inputs and outputs", ok...but w/ what?! Why would I clock them w/ infected PC's?

Clive RobinsonJune 28, 2014 3:20 PM

@ Figureitout,

You say I did not answer your question, to which I say, you asked a number so which one is the important one... So I'll start from the top where you ask,

How did you make the devices less detectable…

If it's not the right one well I'm sure you will sing out :-)

Well reducing power consumption and increasing thermal disipation whilst also trying to hide in a complex environment of varying thermal inertia rates helps. That much should be evident from what I said however specifics in this area are difficult for various reasons. It's why I suspect that some of the TAO devices were designed to work inside of larger components which are complex when considered thermaly. To go in more detail on this aspect requires access to equipment that whilst available is expensive to buy or rent and also requires a large investment in time.

However there is also the consideration of signal false negatives. That is from the point of view of nonlinear junction detectors and the like making the "tell tale" they are looking for to distinquish between a bug and false positives, not visable to the detector so the detectors ignore the bug as a false positive and thus turn an otherwise positive detection into a false negative.

Whilst this is easyish for the less complex bug detectors the dificulty goes up as a power law of the number of "tell tales" the detector looks for.

To see why you have to remember there is always a difference between somthing that is real and a facsimilly of it made with other components. A simple example being a copper pipe that has been end plugged and bright turned to the same diameter as a copper bar will pass visuall inspection but not being picked up or tapped or subject to ultrasound or X-Ray or put in a condensing environment etc etc, though it will pass surface chemical tests. Whilst academic for copper currently it is a "hot button" subject for gold bullion traders, where it can be shown more gold has been sold by weight than has been mined... so there are fake bars of it in repositories which is a problem if you are unfortunate enough to have purchased such a "gold brick".

But of more relevance to the subject at hand a length of wire for instance resonates at not just one frequency but at quite a few because in reality it is more like a transmission line in behaviour than a lumped circuit of an inductor and capacitor (it's why switch boxes that act as various transmission line lengths are quite complex internaly using many lumped circuit components and still don't get it right outside of fairly limited parameters).

So to take a simple example, your bug is resonant at one frequency but actually works at a different frequency. It will not have frequency multiples where you would expect them to be if it was just a single piece of wire. You can partialy solve this problem with a diplexer made from all pass filters. Although this helps correct the frequency multiple problems it does not solve a secondary problem. A pasive transmission line shows a pattern of both phase and absorbtion of energy from an EM field that has a recognisable pattern against frequency, an active device such as a bug does not show the same pattern against frequency. If the bug detector is sufficiently complex then it will pick up on this as a "tell tale".

The nonlinear nature of semiconductor junctions is another "tell tale" you hit the junction with a nice clean sinewave, and the square law effect of the junction produces harmonics that can be fairly easily detected with an appropriate receiver (it's how many of those larger shop anti theft tags on cloths have worked in the past). One solution to this is to again use some form of diplexer that issolates the bug electronics from the antenna wire in a frequency selective way, thus the harmonics the junction makes are filtered out and don't get radiated to the bug detector.

The problem is that you can use two or more clean non harmonical related sinewaves which the junction then mixes together to make intermodulation products. Carefull selection of sinewave frequencies can result in the intermodulation products actually being "in band" for dyplexers built of lumped components. The better class bug hunters use two such carriers but actually modulates them, which as a result of the intermodulation appears on the product generated by the junction and can be checked for and thus helps eliminate false positives caused by other sources in the area.

In fact sophisticated detection systsms I've designed using cross polarised antennas and a phase modulated signal on one carrier and an amplitude modulated signal on the other the intermodulation product from the bug will be modulated with a signal that gives directional information to the bug detector (look up how VOR receivers for aircraft navigation work for the messy details).

Dealing with the above problems is something you could fill a book with, and might go mad trying ;-)

However most mid ranged bug detectors are not that sophisticated, and they use much simpler --and now antiquated-- techniques that assume some kind of analogue modulation. Put simply they emit bursts of energy and check if the received signal of interest responds in sympathy, If not then it is assumed to be generated by interferance not a bug and is ignored as a false positive. Obviously modern digital modulation systems with encryption etc will not show a sympathetic response to the bug hunters energy bursts and will be considered false positives. Unfortunatly these rebrodcasting or reflector bugs will still respond in sympathy unless you take steps to prevent it.

One way is to not use one illuminating energy source but two. That is your bug does not rebroadcast a modulated signal unless both illuminating frequencies are pressent.

This is difficult to do with two EM signals with purely passive reflectors such as Theramin's Thing. However it can be done with one EM signal and one ultra sound signal. The trick is to employ hysterisis in the membrane that responds to room audio. If you make it in the right way it has high hysterisis and is very unresponsive to room audio except at extream levels. This was a problem with early magnetic media used for recording, the solution is now as then to provide an out of band bias signal at high level. Thus a high energy ultrasonic signal will cause the membrane to vibrate and the room audio will phase modulate this bias signal, which will be what goes out as the rebroadcast. The problem with such a system is actually an advantage... the membrane will require a lot of ultrasonic energy to vibrate unless it is specificaly tuned to resonate at that frequency.

There are a large number of other interesting tricks that can be done like this but you will I hope pardon me if I don't mention them as it is a case where security by obscurity can be made to work quite well and profitably ;-)

FigureitoutJune 29, 2014 12:57 PM

Clive Robinson
If it's not the right one well I'm sure you will sing out :-)
--Well, I'm 100% certain you do not want me to sing as I can barely stand the sound of my voice from a recording. You won't be able to answer my other questions anyway, and just shrug your shoulders.

So again, thanks for all the pointers over the years and what I really value is rephrasing of things until you get the satisfying "click" in the head. Pre-occupied w/ other topics like assembly language, multiplexing, power supplies, re-organizing my "lab" and more heavy-duty "work shop", and a large all inclusive "recovering computers"...Still go to sleep w/ my radio books though every night...

stimoceiverJune 30, 2014 8:01 PM

fascinating comments.

I've been thinking about various topics tangent to this for a couple years now.

There are a couple contemporary antenna designs that in addition to being beautiful and elegant, have unique electrical characteristics, and are fully capable of being implemented in a copper circuit board.

One is the sinuous antenna, a type of log periodic antenna. I get that this means it has several octaves of coverage.

The other is the study of fractal antennas in general.

I'm sure much of the readership here has seen these but if you havent each is worth a quick image search.

It makes me wonder if there arent already a way to surreptitiously design a RF retroreflector into the layers of a PCB.

In addition to modulating the reflection of a microwave signal with the current passing a given point in a circuit, it doesnt seem impossible that a more complex retroreflector might allow an external impinging RF signal with the right geometry to inject current into that circuit too.

Clive RobinsonJune 30, 2014 10:07 PM

@ stimoceiver,

With regards a couple of your points,


It makes me wonder if there arent already a way to surreptitiously design a RF retroreflector into the layers of a PCB

One easy way to do this is to make a "patch antenna" out of a fake ground or power "copper flood". Basicaly you arrange for it to be low frequency/DC connected to the rest of the plain but UHF/microwave issolated and resonant at an appropriate frequency. A similar trick which is even harder to spot is a slot antenna that uses a gama match trick to connect to a stripline.


... it doesnt seem impossible that a more complex retroreflector might allow an external impinging RF signal with the right geometry to inject current into that circuit too.

It's far from impossible it's actually expected when you think of the reflector as a transducer like a speaker/microphone or motor/generator. Many transducers display this two way property the most obvious and most efficient being the transformer used to step AC voltages up and down by converting to a magnetic flux and back again.

I guess you are not a long term reader, I have discussed active fault injection attacks using an EM carrier on a number of previous occasions on this blog. I independently came up with it back in the 1980s and demonstrated it to representatives of the UK intelligence services with whom I had associations at the time.

Little or no consideration has been given to it in the academic fields of enquiry, about the only paper on the subject was a couple of years ago when two UK Cambridge Labs researchers critically effected a hardware TRNG taking it's entropy down from 2^32 down to around 2^7 with an unmodulated EM carrier.

It's a field that is long overdue academic investigation and I would encourage anybody who has the resources to play with it.

One trick is to use a lower level EM signal to get cross modulated with the circuit under attacks state (similar to DPA) and use this information as a trigger to an active EM injection attack by modulating another EM carrier with the attack waveform.

Back in the eighties I successfully attacked an electronic pocket gambling device, and electronic purse/wallet and started on smart cards but changed employment befor finishing the latter.

Nick PJune 30, 2014 11:28 PM

@ stimoceiver

A fan of Delgado, I see? His work was so much more interesting than retro-reflectors. And with even more interesting implications. It's off topic so that's all I'll say. ;)

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.