Building Retro Reflectors

A group of researchers has reverse-engineered the NSA’s retro reflectors, and has recreated them using software-defined radio (SDR):

An SDR Ossmann designed and built, called HackRF, was a key part of his work in reconstructing the NSA’s retro-reflector systems. Such systems come in two parts – a plantable “reflector” bug and a remote SDR-based receiver.

One reflector, which the NSA called Ragemaster, can be fixed to a computer’s monitor cable to pick up on-screen images. Another, Surlyspawn, sits on the keyboard cable and harvests keystrokes. After a lot of trial and error, Ossmann found these bugs can be remarkably simple devices – little more than a tiny transistor and a 2-centimetre-long wire acting as an antenna.

Getting the information from the bugs is where SDRs come in. Ossmann found that using the radio to emit a high-power radar signal causes a reflector to wirelessly transmit the data from keystrokes, say, to an attacker. The set-up is akin to a large-scale RFID-chip system. Since the signals returned from the reflectors are noisy and often scattered across different bands, SDR’s versatility is handy, says Robin Heydon at Cambridge Silicon Radio in the UK. “Software-defined radio is flexibly programmable and can tune in to anything,” he says.

The NSA devices are LOUDAUTO, SURLYSPAWN, TAWDRYYARD, and RAGEMASTER. Here are videos that talk about how TAWDRYYARD and LOUDAUTO work.

This is important research. While the information we have about these sorts of tools is largely from the NSA, it is fanciful to assume that they are the only intelligence agency using this technology. And it’s equally fanciful to assume that criminals won’t be using this technology soon, even without Snowden’s documents. Understanding and building these tools is the first step to protecting ourselves from them.

Posted on June 23, 2014 at 6:51 AM | 28 Comments

Comments

noonnee June 23, 2014 7:53 AM

To prevent such attacks and bugs we’ll have to go back to physical protection of every computer in some office being the key. Maiden attacks will be more and more common.

wiredog June 23, 2014 8:18 AM

it is fanciful to assume that they are the only intelligence agency using this technology.
Which is why Snowden should be trying to get out of Russia. He’s blown at least one intel gathering operation that the Russians were probably duplicating, because they would be targeting the same groups. If any Russians get killed as a result he’s going to have a very bad time.

renke June 23, 2014 8:26 AM

@wiredog But where else should Snowden go? On (probably) behalf of the US even Morales’ air plane was searched in Vienna on the tour from Russia to Venezuela.

noonnee June 23, 2014 9:08 AM

@renke: change hair, clothes, beard, take a false id, go to Ukraine, take a false passport, go to Argentina and live long there…

Jacob June 23, 2014 10:02 AM

It is fairly expensive and not overly convenient to shield a system from such an attack.

It would be much better to carry a small RF/Radar detector in the room to sense the probing beam – a beam that must be of fairly high power in order to get meaningful reflection off the implant.

Such a “radar detector” should be a fairly low cost gadget, even when covering a wide frequency band of say 1-5GHz range. When the alarm goes off, you know you are being probed and it’s time to look outside the window for the black van.

Benni June 23, 2014 10:10 AM

One problem: if these are on the free market, they get cheaper. That way, the NSA has an easier time distributing them en masse…

@wiredog “He’s blown at least one intel gathering operation that the Russians were probably duplicating, because they would be targeting the same groups.”

If you mean these bugs, then you are totally wrong, for the reason that it was not the NSA who invented these; they are merely advanced copies of the Russian things that the Americans found in their Russian embassies.

http://en.wikipedia.org/wiki/Thing_(listening_device)
I think that Theremin’s original listening device still has some advantages over these NSA bugs, since it works completely passively and does not need any current supply at all. With Theremin’s Thing, you can even bug some old hut without any current. Certainly, the Russians will also have their upgraded versions of this.

Chris June 23, 2014 10:17 AM

Hi, in one of the Spiegel files there was an interesting document that was a history from 1947-1968 and what can and cannot be declassified; it was for me a very interesting file to read!

However this TEMPEST technology, as far as that file was concerned, using RADAR reflections if you will, is VERY old stuff.

I too was thinking about a RADAR detector, but which band/bands 🙂

Simon June 23, 2014 11:29 AM

Fiber optic cable to visor. Can’t intercept signals on the cable, can’t scrape the screen, can’t put CCTV to watch. Have to get video RAM but that’s even easier to lock down.

Clive Robinson June 23, 2014 12:10 PM

Like one or two other people on this blog I’ve known how to build and detect these devices for quite a few years, well preceding the Ed Snowden revelations [1]. And I have mentioned on the appropriate TAO pages that Bruce has put up in the past not just how they work but how to detect them as well, and improvements I have designed to make them less detectable.

In essence the way to understand these devices is as a high Q tuned circuit connected in between the two elements of a dipole antenna.

When an RF signal is directed at such a device the antenna couples some of the energy in the EM field of the RF signal into the tuned circuit where it is stored. The tuned circuit uses this energy to maintain its resonant frequency oscillations, which need not be on the same frequency as the RF signal. Because of the bidirectional nature of transducers the energy in the tuned circuit gets re-radiated back out of the antenna into what is often called “free space”.

Such effects are used by the passive devices used in shop / store anti-theft tags and which are detected by those frames by the store doors.

Now as indicated the device re-radiates at the frequency of the tuned circuit, not the RF signal that energises it; thus the addition of a variable capacitance or inductance that varies in sympathy with another signal, such as room audio, would cause an FM signal to be radiated carrying the audio as the FM component.

Another method is to use the antenna as the tuned circuit and just put a variable impedance device between the two elements that form the dipole. This has the effect of changing the antenna impedance, which in turn varies the amount of energy taken out of the EM field and likewise put back. The result is like a form of AM modulation. A simple way to do this is to use a FET drain-source across the antenna, with the gate driven by a voltage signal. As the power required to drive the gate can be in the nanowatt range it is easy to see how a very small battery could last almost indefinitely, and as with a digital watch also include some interesting additions good for a year or three.

Two important things to note: firstly, all these devices take energy from the EM field of the RF signal and are thus detectable. Secondly, whilst the RF signal may be highly directional the re-radiated signal is not, which provides another method by which the devices can be detected. However all wires act like antennas and have their own resonant frequencies, so the detection methods need to be augmented by other device characteristics to reduce the false positives, and this is where the fun of using modern broadband IQ receivers backed up by DSP comes in.

This “extra characteristics” dimension is problematic, which is why I was looking into the design of systems that only become active when two RF signals are present, one of which is modulated by the equivalent of a SelCall signal which activates the device.

Perhaps I should put forward a presentation for DefCon or equivalent, but then that would involve travelling to the USA, which I would rather avoid these days for fairly obvious reasons.

If people want to know more then in a few days, when this page has quietened down, I’ll be happy to answer them or give pointers to further information.

In the meantime read up on “Grid Dip Oscillators” as to how they work and what you can use them for, then have a read about “Parametric amplifiers” and how they work, and you should then have a good insight into the basics of Theremin’s Thing, and the subsequent TAO devices that, to be honest, were well behind the technical curve back at the turn of the century.

[1] Back in the 1980s an argument between a retiring technical specialist and MI5 over reckonable service for pension rights caused a problem. The specialist decided to write a book to try and cover the significant shortfall in income. The then UK Prime Minister Margaret Thatcher went ballistic and as a result made herself a laughing stock by trying to get the book banned. In the end all she managed to achieve was to give Peter Wright’s “Spy Catcher” international publicity that could not be bought by the best advertising agency or publicist. The book gives a lot of information on the “Great Seal Bug” that ended up being called “The Thing”, which is now on display in the NSA museum with little information on the fact that it was the UK scientists who not just reverse engineered it but designed and built new improved versions. One person involved with this was Peter Wright’s assistant Tony Sale, who later went on to rescue Bletchley Park from developers who had acquired the site from BT, and thus saved a lot of history not just about cryptography but computers and clandestine uses of radio.
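The impedance-switching reflector described in the comment above (a FET across the dipole, gate driven by the data, so the re-radiated carrier is amplitude-modulated), as an added Python simulation. This is not code from the post, from the NSA catalogue or from Ossmann’s HackRF work; the carrier and sample rates, the two reflection magnitudes, the illuminator leakage level and the noise level are all assumed round numbers, scaled down from the GHz illumination the article describes so that the pure-Python loops stay small.

```python
import math
import random

# Constructed simulation of an impedance-switching retro-reflector; not code
# from the post. All constants below are assumptions, scaled down from the GHz
# illumination the article describes so the pure-Python loops stay small.
FS = 200_000       # simulation sample rate, Hz
FC = 20_000        # illuminating carrier, Hz (20 whole cycles per bit period)
BIT_RATE = 1_000   # rate of the data driving the FET gate, bit/s
R_OFF = 0.20       # reflection magnitude with the FET off (antenna near matched)
R_ON = 0.80        # reflection magnitude with the FET on (dipole shorted, mismatched)
LEAK = 1.00        # unmodulated illuminator seen directly at the receiver


def backscatter(bits, noise_rms=0.3, seed=1):
    """Receiver input: illuminator leakage plus the re-radiated carrier, whose
    amplitude follows the gate bit (AM), plus Gaussian noise. The backscatter
    is assumed to arrive in phase with the leakage (an assumption)."""
    rng = random.Random(seed)
    spb = FS // BIT_RATE                      # samples per bit
    out = []
    for n in range(spb * len(bits)):
        r = R_ON if bits[n // spb] else R_OFF  # FET state sets the reflection
        carrier = math.cos(2.0 * math.pi * FC * n / FS)
        out.append((LEAK + r) * carrier + rng.gauss(0.0, noise_rms))
    return out


def demodulate(samples, n_bits):
    """Coherent AM detector: mix with a local copy of the carrier, integrate
    over each bit period, then slice at the midpoint of the observed levels
    (a real receiver would calibrate the slicer on a known preamble)."""
    spb = FS // BIT_RATE
    levels = []
    for k in range(n_bits):
        acc = 0.0
        for n in range(k * spb, (k + 1) * spb):
            acc += samples[n] * math.cos(2.0 * math.pi * FC * n / FS)
        levels.append(2.0 * acc / spb)        # estimates LEAK + r for this bit
    threshold = (max(levels) + min(levels)) / 2.0
    return [1 if v > threshold else 0 for v in levels]


if __name__ == "__main__":
    keystroke_bits = [0, 1, 1, 0, 0, 0, 0, 1]  # ASCII 'a', constructed input
    print(demodulate(backscatter(keystroke_bits), len(keystroke_bits)))
```

With 200 samples integrated per bit the noise on each level estimate is about a tenth of the spacing between the two reflection states, which is why the midpoint slicer recovers the byte cleanly; the same integration is what makes the returned signal visible to a defender who looks for sidebands around the illuminating carrier.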

Wyatt Storch June 23, 2014 1:08 PM

Possible countermeasure for low-tech retro-reflector bugs; use your own SDR and sweep its transmitter frequency, looking for something that responds. Then continuously sweep the receiver, looking for anything transmitting your way.

While not up to the specifications of the excellent-looking HackRF board, a $20 USB SDR might serve the purpose. For hobbyists, the frequency range can be extended with plans shown here: http://www.vk6fh.com/vk6fh/SDRdongle.htm.

While the idea is old and might seem low-tech or brute-force, the utility of a bug that stays quiet until it is queried seems pretty powerful.

The weakness of an unpowered bug is that it needs to be illuminated for long periods of time with a fairly powerful and therefore readily detectable RF transmission. A battery or system-powered bug might be a lot more advanced, it could be built to collect data and only transmit in burst mode when it is addressed, minimizing the detectable emissions. Constant monitoring might catch that …

Anyway the $20 dongle could be handy for testing shielding if that’s your defense, particularly because shielding across a wide frequency range is likely to be pretty difficult.

Wyatt Storch June 23, 2014 1:31 PM

P.S. — I found this tantalizing tidbit at the article linked to:

“Joshua Datko of Cryptotronix in Fort Collins, Colorado, will reveal a version of an NSA device he has developed that allows malware to be reinstalled even after being dealt with by antivirus software. It works by attaching its bug to an exposed portion of a computer’s wiring system – called the I2C bus – on the back of the machine. “This means you can attack somebody’s PC without even opening it up,” says Ossmann.”

A cursory search shows that on some video cards there is an I2C interface implemented on the video output connector terminals, and another source asserted that SMBus is implemented in laptops as part of the charging circuit, and that it is almost identical to I2C. Hmmmm. Another hangar door left wide open, if the blurb isn’t exaggerating. (It depends which devices are attached to the bus and what their capabilities are.)

RR June 23, 2014 8:52 PM

Wyatt: The I2C on video cards is usually implemented as part of the video chipset and would only be polled at boot time by the video driver. The system’s main I2C bus (called SMBUS or System Management Bus) however goes to the PC’s chipset and is constantly used. Temperature and fan monitoring, fan speed control, frequently LEDs on the front panel. Also each memory DIMM/SIMM has a small I2C eeprom on it that contains configuration data, the SPD, or serial presence data, which is used to configure the system’s memory.

I could see how someone might have analyzed the code that polls I2C devices and found a way to inject an exploit in the data… that code probably has only been tested to the level of “it works, so ship it” due to pain of testing odd data coming in off the wires.

Rhialto June 24, 2014 5:23 AM

@Clive Robinson: no need to go to the USA for DefCon. You can present something at the CCC congress (between christmas and new year), or the CCC camp (hopefully next summer again).

Mike the goat June 24, 2014 4:13 PM

Clive: are you suggesting that you suspect you may be detained upon visiting the United States? Just curious. Not that they’d be able to break an old hand such as yourself 😉

Constructor June 24, 2014 5:11 PM

Retroreflectors are easy. And for a few meters of coverage, no fancy powerful transmitters are needed. A few months back I built a retroreflector “repeater” on a whim. It allowed communication between 433 MHz amateur radios and 446 MHz PMR radios. If the local osc in it were to be FM modulated with, say, the data line from a keyboard, one would get nice 2FSK data transmission from it.

I built one on a whim, but I got the idea from VU2NAN’s blog. http://nandustips.blogspot.fi/2013/07/simple-low-cost-demo-repeater.html

The VU2NAN design can be made to FSK by just connecting a cap and a diode in series and connecting the bundle in parallel with the crystal.
Applying the data between the cap and diode would FSK it, and a retro reflector bug would be born. All it takes is the idea.

Here’s a picture of my retroreflector repeater toy https://i.imgur.com/sCYsYpN.jpg
It really is that simple.

Figureitout June 25, 2014 11:00 PM

If people want to know more then in a few days when this page has quietened down I’ll be happy to answer them or give pointers to further information.
Clive Robinson
–I’ll bite since no one else is asking questions, reminds me of class when I feel pressured to ask a question out of respect to the teacher…(thanks to those that link to other sites and the “constructors” giving practical advice). How did you make the devices less detectable (I’m pissed b/c I can’t recall what I just heard about some modern advances avoiding RFI issues, which wasn’t mind-blowing but interesting, and of which there are quite a few at work lol…)? Had some issues where a product was transmitting, signals were blocked from faulty install, and it would continue seeking an acknowledgement. Should’ve quit, but on top of that there’s some “mystery noise” on scope readings that I really want to solve (killing me); probably meaningless to you but I hope some of my thoughts are extremely wrong… Milliseconds of transmitting (which it’s doing way too much) kills batteries (unless they’re high quality and big) so presumably your devices are transmitting small distances and “hitching a ride” somewhere on a device or band w/ AC power…The biggest question in my view is “where to look”, and like you pointed out a “dipper” looking at resonant frequencies would help, but there’s so much bandwidth for bugs so the advantage is still in the attacker planting a bug…

RE: offering a Defcon presentation
–Do it, or just put up a youtube video. Are you saying you can’t anonymously post a video..? I’d like to hear your voice and see if I’m right… :p

RE: Tony Sale saving some history
–Going to get a little awkward so apologies…have you made any arrangements to preserve your history? Or is it going to the family hopefully not to rot in an attic somewhere..?

Clive Robinson June 26, 2014 12:23 AM

@ Mike the Goat,

The last time I went to the US on business I had a “gold” backup CD of software that was being developed for use by one of the then major cell phone providers that enabled movement tracking of mobile phones. I was asked by customs what was on the CD and I told them it was a backup of software. They had a good look at the letters and other paperwork about it and spoke to a supervisor before taking the docs and CD away for a little while to check it in a back room…

Thankfully they did not take away the laptop, which also had another more up-to-date copy of the software backup on it.

On getting to the hotel I checked the laptop copy was OK and then trashed the CD before throwing it away.

As readers will know I’ve moved on since then, and also amongst other things I generate KeyMat of the OTP variety and other security solutions etc. Readers will also know that long prior to the Ed Snowden revelations I had good reason to state I didn’t have faith in anybody’s ability to secure a laptop against a level three / state level player.

Thus I’m of the view that I’m too old to be playing stupid games with US or other nations’ border thugs, and thus have little wish to have any contact with them. Especially if I’ve drawn a target on my back by putting my name down as a speaker about anti-surveillance at a Black Hat or other conference, as has happened to other people in the past.

Further, like Nick P, I don’t regard any EU countries as safe these days for that sort of thing either; the US has shown its ability over many years to get people arrested in the likes of Italy on quite minor charges and then apply for extradition etc., keeping the person effectively imprisoned abroad away from legal support etc. (just another variation on “Rights Stripping”).

I’m also personally aware of the US DOJ supplying falsified electronic evidence to other nations’ police forces which has been used in court to try to gain false convictions. And I’ve seen personally what it can do to destroy the life of somebody, even though they are innocent, and were always able to show they were.

So whilst I may not be currently “actually at risk” (though I have had some of my comments censored by Google for DMCA reasons, which means I’m a “person of interest” to someone prepared to fill out the required paperwork) I don’t see the advantage in upping my risk without good reason.

Clive Robinson June 26, 2014 8:46 AM

@ Figureitout,

With regards finding bugs, basic physics tells you a lot…

Specifically, power is energy used by time, and most things that do “work” are transducers –that convert one type of energy to another– and are usually highly inefficient and thus radiate waste energy, often as heat or in some other radiant form that is usually –but not always– omnidirectional.

Further, aside from the potential energy of a mass in a gravitational field, most energy storage devices are also transducers and as a result are leaky and degrade with time. Thus their stored energy has to go somewhere, often as radiant heat. Electronic devices are known to be inefficient in the real world and thus when connected to a power source will emit heat above ambient; the smaller the device the greater the thermal difference will be for the same energy loss, thus hiding the heat signature requires careful planning by an attacker, and aside from myself I’ve not seen obvious signs that other attackers even try…

The question then is: this usually omnidirectional radiant heat –which conducted or convected heat eventually becomes– is a signal in a noisy environment; what does it take to detect it sufficiently well that false positives and false negatives are manageable?

Even cheap commercial pyrometers are good to fractions of a degree these days; the problem is having them sufficiently close and narrowly focused such that the warmer-than-environment active electronics etc. stands out (which with care by the attacker will be as near minimal as possible, which is one advantage of these semi-active radar reflector bugs[1]).

There is also a secondary thermal consideration which helps finding all types of bug, which is how fast objects move from one temperature to another, that is how long they take to cool down or heat up when the environment they are in is changed fairly rapidly and significantly. Silicon or other semiconductor medium changes more slowly than metals and faster than most insulating materials. Further the ability of an object to move heat to obtain thermal equilibrium is dependent on its density, that is a copper tube will not be as efficient as a solid copper rod of the same external dimensions.

This knowledge can be used to find even passive bugs such as the Theremin Thing, simply by temperature cycling and integrating the image over time from a thermal camera and subjecting it to software transforms to lift the signal from the noise. It will also find voids and other hiding places such as holes drilled for hidden mics and cameras etc.

Another thing to remember that can be exploited in bug finding is the equivalent of “red eye” in photos. It is caused by internal reflection from focused optics sending an illuminating signal back along the same axial path. The same applies to all radiant energy transducers, so even microphones can be pinged out, as can antennas matched to transmission lines and receiver front ends; the problem is building the required sensors with sufficient directionality to be useful at reasonable ranges.

Finally, electronics has another issue, which is that of magnetic and electrostatic fields and permeability differences. You would be surprised at just how many bugs can be found with a $5 nail/pipe finder you can buy down at your local hardware store, and even a cheap “boy scout” compass will show up hidden objects just below the surface of a wall or ceiling etc.

As I’ve said before, all wires are antennas at some frequency and, believe it or not, so are lengths of dielectric materials etc., including wet organics like a six foot plank left out in the rain or a human being 😉 This gives rise to a problem with using just a GDO, as it will give lots and lots of false positives. The traditional way around this problem is a “non linear junction detector”, which relies on the fact that the square law behaviour of most electronics causes harmonic signals to be generated. Thus if your GDO has a very clean spectral output and you have a detector tuned to the second harmonic, the GDO will register a piece of wire etc. at resonance by the dip, but the lack of a harmonic signal will indicate it has no electronics connected to it, so it is most probably a false positive, not a bug; if there is a second harmonic then, unless it’s got an oxide join between two conductors [2], it’s worth investigating. Another technique I’ve not seen used much is Time Domain Reflectometry or TDR; it is in effect an Ultra Wide Band technique. Simply, you generate very high energy, very narrow pulse width signals from a wide band directional antenna. If it’s pointed at another antenna connected to a transmission line then you will get at least two time-separated reflections from it. The initial reflection is from the antenna and a delayed version from the signal bouncing off the load at the other end of the transmission line (sort of RF Red Eye detection). A broadband IQ receiver will, with appropriate DSP algorithms, elicit quite a large amount of information about the antenna, transmission line and receiver/transmitter that is the distant load. It will for instance show up bends or compression of the transmission line.

There are all sorts of other tricks; however many are still classified in the likes of the US even though knowledge of them is in the open community elsewhere (if you can read Russian, as a friend of mine can, then you will find there is quite a bit of info available up on the web).

The annoying thing for those TEMPEST trained in the US is not being able to talk about things until some independent researcher has put a paper into the public domain (if from a classified source that’s been leaked, like the Ed Snowden revelations, it still cannot be talked about or even looked at…).

For instance TEMPEST design rules are all based on knowledge of physics etc. that has been around for over a century. However having done the courses quite a few bright engineers discovered they were no longer allowed to talk about “the bleeding obvious” because it was “classified”… One such is the issue to do with the difference between the bandwidth of a signal and the bandwidth of the channel it is travelling in. Take a simple serial signal: its baud (not bit) rate is generally defined by the narrowest pulse width of the transmitted signal. However to get a realistic squarewave down the wire the transmission bandwidth has to be many times greater. The consequence of this is that even though you cannot change the baud rate very much, you can change the waveform symmetry over a short duration; thus you can phase modulate the signal edges to carry a hidden signal. You can also, in non-continuous transmission systems, move packets of data backwards and forwards in time, creating a time based signalling channel. All of which is fairly obvious when you think about it. However most engineers don’t go on to think about the systems on the end of the channel. Thus the covert time channel, if low frequency enough, will pass through that system and out onto the next communications link…

Until Matt Blaze and some of his students built a keyboard bug that clearly demonstrated this going through a PC and travelling across several network hops it was supposedly “classified”, and engineers that had done TEMPEST courses were not supposed to talk about “Clocking the inputs, and clocking the outputs”, which partially cures the problem (fail hard on error being another).

In fact on reading the paper at the time I was left with the feeling that someone close to the group had had such training and was using the paper to give a “mono digit hail to the chief” salute. As it was not just the transparency bit of TEMPEST that had been outed, but also the use of Spread Spectrum / Stream Encryption on the covert channel to make it very much more difficult to impossible to detect…

But you also have to watch out for some TEMPEST Gurus who have set up shop on the Internet. Some make claims that are there for no purpose other than to fool those who have no knowledge. At least one in the past has made claims of confidential classified briefings of Congress and letting out such secrets as a -174dBm limit (look up thermal noise in a 1Hz bandwidth[3]) that a second year engineering graduate would raise an eyebrow at, realising that it was just “snowing the gullible”.

With regards the circuits given by Constructor, I’ve mentioned similar before to you with “anti-parallel half wave diode mixers”. Although the circuit given will work “sort of”, it can be improved by providing a return path from the other side of the diode back to the oscillator. If you look at the “fox hunt attenuator” circuit the author provides you will see an example. Also if you look at the other link for a passive repeater for using a hand held walkie-talkie without a removable antenna you will see it’s the same as the ones I’ve mentioned before for passive television repeaters and those used by AQ/Taliban when avoiding ground based troops trying to DF locations etc.

[1] As I’ve said before I object to the use of “radar” in the title as it is incorrect; it’s effectively a “re-radiator” repeater.

[2] Early non-vacuum rectifiers were made by forming black copper oxide on one side of copper disks and then stacking several up under mechanical pressure. Early VHF television antennas suffered from similar problems that would cause mixing problems with strong local signals, causing in-band spurious signals.

[3] For instance, http://en.m.wikipedia.org/wiki/Minimum_detectable_signal
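Wyatt Storch’s suggestion further up (sweep your own transmitter across a band and watch for something that answers) and the second-harmonic discrimination described in the comment above for telling a bug from a plain resonant wire, as one added Python simulation. This is code from neither commenter and models no real instrument: the wire’s resonant frequency and Q, the square-law coefficient standing in for the bug’s semiconductor junction, the receiver noise level and the harmonic threshold are all assumed values chosen so the pure-Python loops stay small.

```python
import cmath
import math
import random

# Constructed simulation of a swept "non-linear junction" probe; not code from
# the post. Every constant is an assumption for illustration only.
FS = 1_000_000          # sample rate, Hz
N = 1_000               # samples per dwell, so DFT bins are exactly 1 kHz wide
F0 = 100_000            # resonance of the length of wire being probed, Hz
Q = 10.0                # sharpness of that resonance
K_JUNCTION = 0.5        # square-law coefficient of a semiconductor junction
HARMONIC_THRESHOLD = 0.05   # 2f/f ratio above which "electronics present"


def resonance(f):
    """Magnitude response of the wire near its resonance (Lorentzian shape)."""
    return 1.0 / math.sqrt(1.0 + (2.0 * Q * (f - F0) / F0) ** 2)


def reflected(f, k, noise_rms=0.01, seed=7):
    """Return from the target when illuminated at f. A plain wire (k = 0) is
    linear; a wire with a junction across it adds a k*x**2 term, which is what
    puts energy at 2f. Receiver noise is Gaussian."""
    rng = random.Random(seed)
    h = resonance(f)
    out = []
    for i in range(N):
        x = h * math.cos(2.0 * math.pi * f * i / FS)
        out.append(x + k * x * x + rng.gauss(0.0, noise_rms))
    return out


def tone_magnitude(samples, f):
    """Single-bin DFT magnitude at f (f must sit on a 1 kHz bin)."""
    acc = 0j
    for i, s in enumerate(samples):
        acc += s * cmath.exp(-2j * math.pi * f * i / FS)
    return abs(acc) / len(samples)


def sweep(k, f_lo=50_000, f_hi=150_000, step=5_000):
    """Dwell at each illuminating frequency and record the return at f and the
    ratio of the return at 2f to it: rows of (f, fundamental, harmonic_ratio)."""
    rows = []
    for f in range(f_lo, f_hi + 1, step):
        y = reflected(f, k)
        fund = tone_magnitude(y, f)
        second = tone_magnitude(y, 2 * f)
        rows.append((f, fund, second / fund if fund else 0.0))
    return rows


def classify(rows):
    """Find the frequency that answered most strongly (the wire's resonance,
    which any GDO-style sweep will show) and decide from the second harmonic
    there whether electronics are attached."""
    f_peak, _fund, ratio = max(rows, key=lambda r: r[1])
    return f_peak, ratio > HARMONIC_THRESHOLD


if __name__ == "__main__":
    for label, k in (("plain wire", 0.0), ("wire with junction", K_JUNCTION)):
        f_peak, electronics = classify(sweep(k))
        print(f"{label}: answers at {f_peak} Hz, second harmonic "
              f"{'present' if electronics else 'absent'}")
```

Both targets produce the same resonance dip/peak in the fundamental sweep, which is the false-positive problem the comment describes; only the square-law term leaves a signature at 2f. The threshold is applied at the resonance because that is where the junction is driven hardest; an oxide joint between two conductors would also pass this test, as the comment’s footnote notes.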

Mike the goat June 27, 2014 5:00 PM

I knew this thread was going to get interesting. 😉

Clive re US visit: I understand. re TEMPEST: I don’t understand why emsec is such a dirty word. Given it has been known about since the 50s and probably earlier and entered the public lexicon probably in the 80s after Van Eck demonstrated how insanely trivial it was to exploit the emanations of a CRT, I just don’t see why the government persists with trying to maintain the confidentiality over something which is pretty much already public knowledge. The horse has well and truly bolted!

Nick P June 27, 2014 7:20 PM

@ Mike

Indeed. Most accounts, like this, put it around 1914. It’s long past due for majority of engineers to understand this threat. Attackers moved on to active attacks with radar and ultrasound while defenders haven’t gotten passive attacks down yet.

Figureitout June 28, 2014 12:07 AM

Clive Robinson
–Wow..damn…damn good post Clive; one of your better ones for as long as I’ve been around (I haven’t gone thru all the archives). Unfortunately I can’t reciprocate w/ a pleasurable response as I’m focusing on other things and I realize my limits (which are obviously smaller than yours). It’s good though, I’m letting go of the OPSEC and getting into better topics…like my computer which I hope to very elegantly guide the reader for a nice ride along a pretty computing system. Didn’t answer my questions but it’s ok. So, apart from some other things, I notice you are quite fond of spread spectrum; it’s a quite interesting concept, quite useful.

Next, let me say…you see people? Look how Clive wants to help people learn, it’s incredible. Why he didn’t become a life-long professor is beyond me, he would’ve been legendary…Most of his life he was legally prevented from speaking, literally could be killed..now he’s giving them the 1-finger salute and spilling all kinds of secrets and there’s nothing they can do.

And next, some little nitpicks. It’s quite sad so many people are censored, they can’t even speak about what they do. But worse, and here’s where I get a little deep, they are hiding physics, which is physical knowledge of our universe…tell me that won’t ultimately bite our species in the ass. We are deliberately letting so many people live in ignorance of physical knowledge of our universe; for “security”! Thankfully there’s so much info that it really doesn’t even matter and those of us on the outside can speak freely and have fun while they have to live w/ the threat of some bureaucrat cracking down on them lol…keep your work “secret”, no one cares haha it’s probably not even interesting as academics and commercial is starting to beat gov’t projects.

Next thing, the heat and detecting a bug. I can’t really get into the topic like I want here, but false positives really pissed me off. Didn’t want to waste my time when I get so many false positives, felt like trolling. It’s an absolute mess out there anyway, total chaos; when I get my own place it’s going to be different but still subject to killing all power, spewing harmful radiation killing my sensors. But real-time surveillance, which is the ultimate nightmare, can change up bugs and switch up the bug for the detection method.

Lastly, and here’s where you’re really getting me worried. In my Unix class, I had a bunch of little projects, all of which were small and didn’t involve a lot of code or complexity. Yet one time I got an error message I never saw before and never had it explained…clock skew…Hopefully it was my crappy coding but I don’t recall what I was doing w/ any clocks. I always logged in to the supercomputer over the internet so it makes me really nervous to think it got infected w/ a side channel…And yeah I remembered another of your ominous lines from a long time ago, “clock the inputs and outputs”, ok…but w/ what?! Why would I clock them w/ infected PC’s?
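The covert timing channel from Clive Robinson’s reply above (packets nudged backwards and forwards in time across a channel with more bandwidth than the data needs) and the “clock the outputs” countermeasure Figureitout asks about, as an added Python example that is code from neither commenter. The nominal packet spacing, the extra delay used to signal a 1, the per-hop jitter and the output clock period are all assumed values.

```python
import math
import random

# Constructed example, not from either commenter; timings are assumed.
BASE_GAP = 0.010   # s, nominal spacing of the legitimate packet stream
DELTA = 0.002      # s, extra delay the covert sender adds to signal a 1
TICK = 0.015       # s, period of the clocked output stage
SECRET = [0, 1, 1, 0, 1, 0, 0, 1]   # constructed bits the sender wants out


def encode(bits, base=BASE_GAP, delta=DELTA):
    """Send times of len(bits)+1 packets; each inter-packet gap carries one
    hidden bit by being either nominal or stretched by delta."""
    times, t = [0.0], 0.0
    for b in bits:
        t += base + (delta if b else 0.0)
        times.append(t)
    return times


def hop(times, jitter=0.0003, seed=3):
    """A network hop that adds small independent jitter (far less than delta)
    but does not reorder packets, so the timing channel survives it."""
    rng = random.Random(seed)
    return [t + rng.uniform(-jitter, jitter) for t in times]


def decode(times, delta=DELTA):
    """The far-end listener: take the smallest gap as the nominal spacing and
    call any gap stretched by more than delta/2 a 1."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    base = min(gaps)
    return [1 if g - base > delta / 2.0 else 0 for g in gaps]


def clocked_gateway(times, tick=TICK):
    """'Clock the outputs': a store-and-forward stage that releases at most
    one packet per tick, exactly on the tick, whatever the arrival timing."""
    out, next_slot = [], 0.0
    for t in times:
        slot = max(math.ceil(t / tick) * tick, next_slot)
        out.append(slot)
        next_slot = slot + tick
    return out


if __name__ == "__main__":
    arrivals = hop(encode(SECRET))
    print("without clocking:", decode(arrivals))
    print("with clocked output:", decode(clocked_gateway(arrivals)))
```

After the clocked stage every output gap is exactly one tick, so the listener reads nothing but zeros; the leak is cut even though every packet still gets through, at the cost of added latency and a queue. It is only a partial cure in the sense the comment gives: a sender who can also drop or withhold packets can still signal by which ticks carry a packet, which is why the comment pairs it with “fail hard on error”.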

Clive Robinson June 28, 2014 3:20 PM

@ Figureitout,

You say I did not answer your question, to which I say, you asked a number so which one is the important one… So I’ll start from the top where you ask,

How did you make the devices less detectable…

If it’s not the right one well I’m sure you will sing out 🙂

Well, reducing power consumption and increasing thermal dissipation whilst also trying to hide in a complex environment of varying thermal inertia rates helps. That much should be evident from what I said; however, specifics in this area are difficult for various reasons. It’s why I suspect that some of the TAO devices were designed to work inside of larger components which are complex when considered thermally. To go into more detail on this aspect requires access to equipment that, whilst available, is expensive to buy or rent and also requires a large investment in time.

However, there is also the consideration of signal false negatives. That is, from the point of view of nonlinear junction detectors and the like, making the “tell tale” they are looking for to distinguish between a bug and false positives not visible to the detector, so the detector ignores the bug as a false positive and thus turns an otherwise positive detection into a false negative.

Whilst this is easyish for the less complex bug detectors, the difficulty goes up as a power law of the number of “tell tales” the detector looks for.

To see why, you have to remember there is always a difference between something that is real and a facsimile of it made with other components. A simple example being a copper pipe that has been end plugged and bright turned to the same diameter as a copper bar: it will pass visual inspection, but not being picked up, or tapped, or subject to ultrasound or X-ray, or put in a condensing environment etc etc, though it will pass surface chemical tests. Whilst academic for copper currently, it is a “hot button” subject for gold bullion traders, where it can be shown more gold has been sold by weight than has been mined… so there are fake bars of it in repositories, which is a problem if you are unfortunate enough to have purchased such a “gold brick”.

But of more relevance to the subject at hand, a length of wire for instance resonates at not just one frequency but at quite a few, because in reality it is more like a transmission line in behaviour than a lumped circuit of an inductor and capacitor (it’s why switch boxes that act as various transmission line lengths are quite complex internally, using many lumped circuit components, and still don’t get it right outside of fairly limited parameters).

So to take a simple example, your bug is resonant at one frequency but actually works at a different frequency. It will not have frequency multiples where you would expect them to be if it was just a single piece of wire. You can partially solve this problem with a diplexer made from all pass filters. Although this helps correct the frequency multiple problems, it does not solve a secondary problem. A passive transmission line shows a pattern of both phase and absorption of energy from an EM field that has a recognisable pattern against frequency; an active device such as a bug does not show the same pattern against frequency. If the bug detector is sufficiently complex then it will pick up on this as a “tell tale”.

The nonlinear nature of semiconductor junctions is another “tell tale”: you hit the junction with a nice clean sinewave, and the square law effect of the junction produces harmonics that can be fairly easily detected with an appropriate receiver (it’s how many of those larger shop anti-theft tags on clothes have worked in the past). One solution to this is to again use some form of diplexer that isolates the bug electronics from the antenna wire in a frequency selective way; thus the harmonics the junction makes are filtered out and don’t get radiated to the bug detector.

The problem is that you can use two or more clean, non-harmonically related sinewaves which the junction then mixes together to make intermodulation products. Careful selection of sinewave frequencies can result in the intermodulation products actually being “in band” for diplexers built of lumped components. The better class of bug hunters use two such carriers but actually modulate them, which as a result of the intermodulation appears on the product generated by the junction and can be checked for, and thus helps eliminate false positives caused by other sources in the area.

In fact, in sophisticated detection systems I’ve designed, using cross polarised antennas with a phase modulated signal on one carrier and an amplitude modulated signal on the other, the intermodulation product from the bug will be modulated with a signal that gives directional information to the bug detector (look up how VOR receivers for aircraft navigation work for the messy details).

Dealing with the above problems is something you could fill a book with, and might go mad trying 😉

However, most mid-range bug detectors are not that sophisticated, and they use much simpler –and now antiquated– techniques that assume some kind of analogue modulation. Put simply, they emit bursts of energy and check if the received signal of interest responds in sympathy. If not, then it is assumed to be generated by interference, not a bug, and is ignored as a false positive. Obviously modern digital modulation systems with encryption etc. will not show a sympathetic response to the bug hunter’s energy bursts and will be considered false positives. Unfortunately these rebroadcasting or reflector bugs will still respond in sympathy unless you take steps to prevent it.

One way is to not use one illuminating energy source but two. That is, your bug does not rebroadcast a modulated signal unless both illuminating frequencies are present.

This is difficult to do with two EM signals with purely passive reflectors such as Theremin’s Thing. However, it can be done with one EM signal and one ultrasound signal. The trick is to employ hysteresis in the membrane that responds to room audio. If you make it in the right way it has high hysteresis and is very unresponsive to room audio except at extreme levels. This was a problem with early magnetic media used for recording; the solution is now as then to provide an out-of-band bias signal at high level. Thus a high energy ultrasonic signal will cause the membrane to vibrate, and the room audio will phase modulate this bias signal, which will be what goes out as the rebroadcast. The problem with such a system is actually an advantage… the membrane will require a lot of ultrasonic energy to vibrate unless it is specifically tuned to resonate at that frequency.

There are a large number of other interesting tricks that can be done like this but you will I hope pardon me if I don’t mention them as it is a case where security by obscurity can be made to work quite well and profitably 😉
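
The harmonic, intermodulation and modulation-transfer “tell tales” described in the comment above can be seen in a small simulation. This is an added illustration, not code from the blog post or from any commenter: the junction is modelled as an assumed truncated polynomial I = A1·V + A2·V² + A3·V³, the carriers are scaled down to audio-range frequencies (100 Hz and 110 Hz rather than microwave) purely so that each sits on an exact DFT bin, and the 80–130 Hz “diplexer” passband is likewise an assumption chosen to sit around the two carriers.

```python
"""Nonlinear-junction tell-tales under one- and two-tone illumination, simulated.

Added illustration, not code from the blog post or any commenter.  A
semiconductor junction is modelled as an assumed truncated polynomial I(V),
illuminated with clean sinewaves, and the current spectrum is read out bin by
bin with a DFT.  The window is N samples at N samples/s, so bin k is exactly
k Hz and integer-frequency tones produce no spectral leakage.
"""
import cmath
import math

N = 1024                      # samples per window; FS == N, so bin k == k Hz
FS = N
A1, A2, A3 = 1.0, 0.4, 0.1    # assumed junction polynomial I = A1*V + A2*V^2 + A3*V^3
THRESH = 1e-3                 # a spectral "line" is any bin above this amplitude
_TWIDDLE = [cmath.exp(-2j * math.pi * i / N) for i in range(N)]


def junction(v):
    """Current samples for the voltage samples v (the nonlinearity under test)."""
    return [A1 * x + A2 * x * x + A3 * x ** 3 for x in v]


def am_tone(fc, fm=0, m=0.0, amp=1.0):
    """Carrier at fc Hz, optionally amplitude-modulated by fm Hz with index m."""
    return [amp * (1 + m * math.cos(2 * math.pi * fm * n / FS))
            * math.cos(2 * math.pi * fc * n / FS) for n in range(N)]


def mix(*signals):
    """Superpose waveforms (linear addition, as on a shared illuminating field)."""
    return [sum(samples) for samples in zip(*signals)]


def bin_amplitude(x, k):
    """Cosine amplitude at k Hz: |DFT bin k| scaled by 2/N."""
    acc = sum(x[n] * _TWIDDLE[(k * n) % N] for n in range(N))
    return abs(acc) * 2 / N


def spectral_lines(x, lo=1, hi=N // 2):
    """{frequency_hz: amplitude} for every bin in [lo, hi) above THRESH (DC excluded)."""
    lines = {}
    for k in range(lo, hi):
        a = bin_amplitude(x, k)
        if a > THRESH:
            lines[k] = a
    return lines


def harmonics_of_single_tone(f=100):
    """What a classic NLJD looks for: harmonics of its own clean carrier."""
    return sorted(spectral_lines(junction(am_tone(f))))


def two_tone_lines(f1=100, f2=110):
    """Every harmonic and intermodulation line produced from two clean carriers."""
    return sorted(spectral_lines(junction(mix(am_tone(f1), am_tone(f2)))))


def lines_passing_diplexer(f1=100, f2=110, passband=(80, 130)):
    """Lines left after an assumed band-pass stage between junction and antenna.

    2f, 3f and the sum products sit far outside the band and are stripped, but
    the third-order products 2f1-f2 and 2f2-f1 land inside it and still radiate:
    the tell-tale a two-tone detector relies on.
    """
    lo, hi = passband
    return sorted(k for k in two_tone_lines(f1, f2) if lo <= k <= hi)


def product_sidebands(f1=100, f2=110, fm=3, m=0.5):
    """Sidebands on the 2f1-f2 product when the f1 carrier is amplitude-modulated.

    The modulation rides through the mixing, so a detector can demodulate the
    product and check that it matches what was transmitted; a product without
    that modulation came from some other source in the area.
    """
    product = 2 * f1 - f2
    lines = spectral_lines(junction(mix(am_tone(f1, fm, m), am_tone(f2))))
    return sorted(k for k in lines if abs(k - product) in (fm, 2 * fm))


if __name__ == "__main__":
    print("single 100 Hz tone, lines:", harmonics_of_single_tone())
    print("100 + 110 Hz tones, lines:", two_tone_lines())
    print("after 80-130 Hz diplexer:", lines_passing_diplexer())
    print("sidebands on 2f1-f2, AM on f1:", product_sidebands())
    print("sidebands on 2f1-f2, AM off:", product_sidebands(m=0.0))
```

Run as a script it prints the line sets for each case; a second-harmonic detector would see nothing through the band-pass stage, but the 90 Hz and 120 Hz third-order products survive it, and putting AM on one carrier stamps that modulation onto the 90 Hz product.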

Figureitout June 29, 2014 12:57 PM

Clive Robinson
If it’s not the right one well I’m sure you will sing out 🙂
–Well, I’m 100% certain you do not want me to sing as I can barely stand the sound of my voice from a recording. You won’t be able to answer my other questions anyway, and just shrug your shoulders.

So again, thanks for all the pointers over the years and what I really value is rephrasing of things until you get the satisfying “click” in the head. Pre-occupied w/ other topics like assembly language, multiplexing, power supplies, re-organizing my “lab” and more heavy-duty “work shop”, and a large all inclusive “recovering computers”…Still go to sleep w/ my radio books though every night…

stimoceiver June 30, 2014 8:01 PM

fascinating comments.

I’ve been thinking about various topics tangent to this for a couple years now.

There are a couple contemporary antenna designs that in addition to being beautiful and elegant, have unique electrical characteristics, and are fully capable of being implemented in a copper circuit board.

One is the sinuous antenna, a type of log periodic antenna. I get that this means it has several octaves of coverage.

The other is the study of fractal antennas in general.

I’m sure much of the readership here has seen these but if you havent each is worth a quick image search.

It makes me wonder if there isn’t already a way to surreptitiously design an RF retroreflector into the layers of a PCB.

In addition to modulating the reflection of a microwave signal with the current passing a given point in a circuit, it doesn’t seem impossible that a more complex retroreflector might allow an external impinging RF signal with the right geometry to inject current into that circuit too.

Clive Robinson June 30, 2014 10:07 PM

@ stimoceiver,

With regards a couple of your points,

Firstly,

It makes me wonder if there isn’t already a way to surreptitiously design an RF retroreflector into the layers of a PCB

One easy way to do this is to make a “patch antenna” out of a fake ground or power “copper flood”. Basically you arrange for it to be low frequency/DC connected to the rest of the plane but UHF/microwave isolated and resonant at an appropriate frequency. A similar trick which is even harder to spot is a slot antenna that uses a gamma match trick to connect to a stripline.

Secondly

… it doesn’t seem impossible that a more complex retroreflector might allow an external impinging RF signal with the right geometry to inject current into that circuit too.

It’s far from impossible; it’s actually expected when you think of the reflector as a transducer like a speaker/microphone or motor/generator. Many transducers display this two-way property, the most obvious and most efficient being the transformer used to step AC voltages up and down by converting to a magnetic flux and back again.

I guess you are not a long term reader, I have discussed active fault injection attacks using an EM carrier on a number of previous occasions on this blog. I independently came up with it back in the 1980s and demonstrated it to representatives of the UK intelligence services with whom I had associations at the time.

Little or no consideration has been given to it in the academic fields of enquiry; about the only paper on the subject was a couple of years ago when two UK Cambridge Labs researchers critically affected a hardware TRNG, taking its entropy down from 2^32 to around 2^7 with an unmodulated EM carrier.

It’s a field that is long overdue academic investigation and I would encourage anybody who has the resources to play with it.

One trick is to use a lower level EM signal to get cross modulated with the circuit under attack’s state (similar to DPA) and use this information as a trigger to an active EM injection attack by modulating another EM carrier with the attack waveform.

Back in the eighties I successfully attacked an electronic pocket gambling device and an electronic purse/wallet, and started on smart cards but changed employment before finishing the latter.
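
The entropy collapse the comment above attributes to an unmodulated carrier can be reproduced in miniature with a phase model of injection locking. This is an added illustration, not code from the blog post, from any commenter, or from the Cambridge experiment itself: the oscillators follow an assumed Adler-style phase equation (natural rate plus white phase noise plus a pull of strength K toward the injected carrier), the carrier is scaled down to 10 Hz, the spread, jitter and K values are assumptions, and the “TRNG” is simply the XOR of the oscillators’ square-wave outputs sampled once per carrier period.

```python
"""Injection-locking a ring-oscillator TRNG with an unmodulated carrier, simulated.

Added illustration, not code from the blog post or any commenter.  Each ring
oscillator is an assumed Adler-style phase model: its phase advances at its
own natural rate, picks up white phase noise (the jitter the TRNG harvests),
and is pulled toward an injected carrier with strength K.  The TRNG output
is the XOR of the oscillators' square waves, sampled once per carrier period.
"""
import math
import random

DT = 1e-3                                     # integration step, s (assumed)
F_INJ = 10.0                                  # injected carrier, Hz (assumed, scaled down from RF)
W_INJ = 2 * math.pi * F_INJ
SPREAD = 0.03                                 # natural frequencies within +-3 % of F_INJ (assumed)
JITTER = 2.0                                  # phase-noise strength, rad/sqrt(s) (assumed)
STEPS_PER_SAMPLE = int(round(1 / F_INJ / DT)) # one TRNG sample per carrier period


def simulate_trng(n_osc=3, n_samples=1000, inject=0.0, seed=1):
    """Return the sampled output bits; `inject` is the pull strength K in rad/s (0 = no attack)."""
    rng = random.Random(seed)
    w = [W_INJ * (1 + rng.uniform(-SPREAD, SPREAD)) for _ in range(n_osc)]
    phi = [rng.uniform(0, 2 * math.pi) for _ in range(n_osc)]
    noise_step = JITTER * math.sqrt(DT)       # Wiener increment per step
    bits = []
    step = 0
    for _ in range(n_samples):
        for _ in range(STEPS_PER_SAMPLE):
            t = step * DT
            for i in range(n_osc):
                pull = inject * math.sin(W_INJ * t - phi[i])   # Adler pull toward the carrier
                phi[i] += (w[i] + pull) * DT + noise_step * rng.gauss(0.0, 1.0)
            step += 1
        bit = 0
        for p in phi:                          # square-wave outputs, XORed together
            bit ^= 1 if math.cos(p) >= 0 else 0
        bits.append(bit)
    return bits


def bit_entropy(bits):
    """Shannon entropy of the bit stream in bits/symbol (1.0 = unbiased)."""
    p = sum(bits) / len(bits)
    if p in (0.0, 1.0):
        return 0.0
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))


def longest_run(bits):
    """Longest run of identical bits; a locked TRNG degenerates into one giant run."""
    best = cur = 1
    for a, b in zip(bits, bits[1:]):
        cur = cur + 1 if a == b else 1
        best = max(best, cur)
    return best


if __name__ == "__main__":
    free = simulate_trng(inject=0.0)
    locked = simulate_trng(inject=20.0)
    print("free-running: entropy %.3f, longest run %d" % (bit_entropy(free), longest_run(free)))
    print("carrier injected: entropy %.3f, longest run %d" % (bit_entropy(locked), longest_run(locked)))
```

With the carrier off the sampled bits look fair; with K comfortably above the oscillators’ frequency offsets (here 20 rad/s against offsets of at most about 1.9 rad/s) every oscillator settles a fixed phase from the carrier within a few periods, the sampled outputs stop moving, and the stream becomes a constant. The model ignores the amplitude-dependent detail of real ring oscillators, but the mechanism, not the numbers, is the point.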

Nick P June 30, 2014 11:28 PM

@ stimoceiver

A fan of Delgado, I see? His work was so much more interesting than retro-reflectors. And with even more interesting implications. It’s off topic so that’s all I’ll say. 😉
