Schneier on Security

Clive Robinson • December 14, 2023 3:45 PM

@ Bruce, ALL,

Re : The horse is long gone.

This kind of raised a “where have you been hiding for a decade” thought,

“Ms Martin argues: “Retailers do need to be doing more. They need to be stamping out hidden cameras because there are very few instances in which hiding the fact that you’re filming someone is applicable or acceptable.”

You’ve been able to buy very small cameras openly for over a decade and a half. Swann in Australia used to manufacture, and Maplin UK used to sell a colour camera and 2.5GHz transmitter combined in a cube about 1cm by 1cm by 1cm for less than the equivalent of 100USD.

I put several in my son’s Hornby model railway engines and guards vans to give a driver / guard eye view at the control station. You could turn them on/off using a spare output from the DCC chip more usualky used by modlers to turn carrage lights or similar on and off. Somewhere I’ve a silly video clip that we made with a christmas cake decoration of a rabbit or hare was jokingly called “Psycho-bunny” because the eyes had been painted in red and it looked kind of like that famous “red eyes” political poster of a certain well known UK politician. The movie clip was like those early silent black and white movies of a moustache twirling vilain with a maiden –played by another christmas cake decoration of a fairy– tied to the tracks… It was silly but quite funny.

The point is you could put those cameras in anything. Another made by Swann sold by Maplin UK item was a compleate camera, and DVR to in a 1cm by 1cm by 2cm metal case including a microphone. A later version had a flatter camera with a screwthread on the lens unit you could push through a button hole on a jacket or other item of clothing, and a selection of screw on buttons in black you could paint to match clothing. It’s DVR unit was on the end of a meter and a half cable and had a built in LCD screen with backwards/forwards fast/slow buttons and it recorded to a Miniture Menory Card (MMC) of the physical size commonly used in mobile phones.

You can now by DJI Drones with 4K HD colour cameras for well under 100GBP and stripping the camera, and 2.5 or 5Ghz transmitter with a line of sight range of 0.5km or more is something a home hobbyist can do with very little dificulty.

If you want to spend “silly money” then you can by a “baby monitor” at lots of stores that have such cameras and microphones built into a cuddly toy you can put in the cot or bedside or other place in the room. One is ironically in a “cuddly-bunny” mouth with Infra-Red LEDs in the eyes to give 10m of night vision. On chatting to some one I know who’s “other half” works as a buyer in a major London Retail outlet they put the price up to over 600GBP and they were still selling out… Mostly to thirtyish WMC “helicopter parent” type couples.

The point is “the genie was well and truely out of the bottle” a decade and a half ago on the availability and use of tiny CCTV cameras, quite a few with built in ISM band transmitters with quite a long distance range.

For those with evil intent using a razor blade to lift wall paper and a small chisel to dig a hole in the plaster and put in a CCTV camera with a very thin four wire interface then make a pin hole in the wall paper before using a “prit-stick” or similar glue is not difficult.

But also remember for atleast two decades you have been able to buy those combined microwave and passive IR burglar detector alarms with built in CCTV camera and microphone. Also overhead “smoke alarms” with camera and microphone, it takes about five minutes to take a cheap wall clock with large black numbers drill in a small hole in the 6 and put a miniture CCTV camera behind it with the microphone facing downwards which has an inbuilt 2.5Ghz transmitter. And hang it on a conferance room wall.

Likewise take one of those shelf box files for A4/ fullscap paper put in a drone or similar camera and a motorbike battery sized 128Wh LiPo-4 battery in it as well, it will sit there transmitting away for well over a week and in some cases more than two weeks.

Over the years on this blog I’ve indicated how you can find hidden cameras by the “red-eye” or “lamping” effect which is the principle those “cats-eyes” in the road use (ie 180degree intetnal reflection).

People need to learn how to do it and as I also point out learn how to use low cost “Software Defined Radios”(SDRs) as “spectrum displays” and receivers as “bug-sweepers”.

I’ve personal been involved with highly confidential business meetings where signals in the room have suddenly started transmitting and they have come from individuals in the meeting… putting devices “under the table” etc. Likewise using mobile phones on the table using the built in WiFi to send audio…

We are in times where the ability to “black bag job” in video/audio and other spying/surveillance equipment has never been smaller, less expensive, and oh so childishly simple to put in place.

Unless you want to live in a SCIF with armed guards on the door –shout out to Jeff Bezos– or randomly couch surf –Hi to Elon Musk– then you had better “get with the tech” of surveillance sweeps, window noise makers and drawn curtains in any area you want a little privacy…

As for “perverts and stalkers” anyone remember all the noise over Apple’s oh so easy to use tracking devices so you would not loose your lugage etc?

Well whilst Apple came up with a few after market ideas, their competitors such as Tile, Amazon and others still are a “stalkers friend”. So we know what little chance there is that this surveillance will be stopped by retail controls or punitive legislation.

Clive Robinson • December 15, 2023 9:53 AM

@ Winter, ResearcherZero, ALL,

Re: CCTV and other bug hunting.

“For finding cheap&simple spy IoT’s, help is on its way”

It will only find those devices that are,

1, Radiating WiFi at the time of the bug -sweep scan.
2, Radiating at a consistant level.
3, Where the antenna or other radiating part can be got close to by the user.
4, That do not use MAC randomization or similar meta-data changing.
5, Do not use “burst mode” or similar techniques to break up relationship between input and transmission.
6, Off Freguency / out of ISM / WiFi bands signal radiation.
7, Any form of “Low Probability of Intercept”(LPI) technique such as Spread Spectrum frequency/channel hopping etc.

As I’ve indicated at various times in the past.

For instance obviously a simple mains power timer switch system you can by on the high street for a few USD be setup so that the CCTV/Bug is not powered up for say two hours after the “guest” arives or only at certain times of the day (as used with security night-lights etc).

Also some WiFi devices can be put into a passive non TX mode by the receiving end of the link. So if the evesdropper/pervert sees a user moving around in a way that is indicative of “bug sweeping” they can turn the devices off for five or ten minutes then turn them on briefly to check etc.

It’s why I like Red-Eye detection systems because it detects the bug / CCTV devices input transducer by it’s physical characteristics not if it is operating / powered up. Thus if it’s there it will show up to an effective “bug sweep”. Oh and audio microphones of the “electret capsual” size and smaller often use “audio waveguide” which as it is a “feedline/transmission-line” will suffer from the “mismatched load reflection” issue not that disimilar to the “Red-Eye” effect. Like all transmission lines they are highly susceptable to being detected by a variation on “Time and Phase Domain Reflectomatry”(TDR)[1].

What I’ve pointed out in the past is that you can use a mobile phone camera and flashing IR-LED to do Red-Eye detection of focused optics very easily. Likewise writting an app to do acoustic TDR and FFT analyse the reflections is well within the capabilities of many App developers. Both will be more effective than in WiFi band RSSI and basic packet analysis techniques, because they “instrument the transducers” and other “Physical input” that has to be present for the bugs / surveillance devices to work even if they are not powered up.

Also as taught to all high school kids in Basic Science all work,

1, Requires Energy.
2, Is inefficient.
3, Waste energy becomes heat.
4, Heat energy not only radiates, it is also transported by conduction and convection.

So all active electronic devices even when in standby mode and not transmitting data are doing work and thus producing waste energy heat signitures different to the local environment they are in. Thus can if you know how to do it[2] be found using the likes of Thermal Imagers that are getting quite inexpensive these days.

Also if digital as most things are these days, they will have a “clock signal”. As has oft been noted “Even a rusty nail will radiate.” as will any wire carrying changing charge. Loops especially radiate more effectively with increasing area compared to a fraction of a wavelength due to the additive effect of the fields. A good book on “ElectroMagnetic Compatability”(EMC) will tell you most of what you need to know as will a number of very less expensive books from the US ARRL and UK RSGB and other nations Amateur Radio Societies, as it’s “reguired knowledge” under the licencing conditions of an individual[3] participating in the hobby.

[1] Simply you send out a very fast rising edge signal repetedly and look at the returned energy in time and phase domains using DSP techniques. Any waveguide will act as a “quater-wave resonator” or multiples there of at near harmonically related frequencies. So like blowing across the top of a bottle, or flute, it will unavoidably due to it’s intended purpose produce a reflection that betrays it’s pressence. I’ve talked about this in the past when discussing “Active TEMPEST/EmSec” techniques. Duncan Campbell the journalist that M15 and MET Special Branch tried to evesdrop on via a device they had put on his POTS landline that “jumped the hook switch”, discovered to their suprise that Duncan had developed a detection system that showed it’s and other wire tap devices presence on the “last mile” line by TDR. Typical to form MI5 stole the device and then having had Tony Sale and colleagues examin it then got a couple of UK telco manufactures to make them for the security services and other government Depts, without paying Duncan any of the royalties he was legaly due… When I chatted to Tony Sale about it “over a beer or two” at Bletchly, he guessed it would have been a fair sum of money, as other Five-Eye partners Australia and US in particular apparently purchased quite a lot of them.

[2] You can do it by “hot / cold transition” timing. Put simply all materials have different thermal characteristics especially in conduction and radiation. Thus if you have say a screw in a plaster wall and you cycle the rooms temprature the time delay difference will cause the screw to show up as a local difference to the plaster. Likewise holes etc. However whilst passive objects will show a consistant time lag from hot to cold as cold to hot as you switch back and forth, active devices have an asymmetric time response, as you would expect after a little thought about those high school basic science lessons.

[3] Technically the licencing conditions for RT&TTE systems come down from the United Nations via the “International Telecommunications Union”(ITU) agency into national legislation.

There are three basic types of licencing,

1, The system on a site.
2, The technical personnel on a site.
3, The specific equipment and it’s manufacturing process.

It’s unlawful to opperate radio equipment unless one or more of these licences are in place, unless you can play the “National Security Exemption” card (kind of like waterboarding it ain’t tourture if it’s a government sponsored person doing it).

Clive Robinson • December 16, 2023 2:58 AM

@ William,

“[W]hat is your take on detection sweeps which identify the lens of spy cameras?”

Firstly sweeps only work in or very close to the optics “field of view” which in some respects makes the search quite a bit easier…

Because CCTV is not used randomly and high quality optics are expensive, it is either used broad-view from a distance to get general coverage, or close-view from close-in to a point of interest. Thus your sweep is minimised to picking one or two spots and not even doing a 3D-360 sweep as mounting/concealment points are usually easily spotted by an experienced eye.

Further the “Find one you know it’s not alone” principle usually applies. Because CCTV is so very inexpensive these days the use of cameras in any area tends to be over the top thus multiple. Which means your probability of finding any one of them goes up significantly.

But with regards,

” Are they too small these days to be detected?”

Ask yourself the question,

“How small is a single piece of glitter that can be seen glinting from across the room?”

The answer supprisingly is one heck of a lot smaller than the normal resolving power of your eye which is about 1:2000 or 0.5mm^2 at 1m distance. It’s like the visability of celestial objects lit by stars, or the eyes of preditors/game “down to the objects albedo”. Like stelth-tech it’s made worse due to the curved surface of the objects. Think if you want a comparison to a 1970’s Disco Mirror Ball, it realy does not matter where you stand, as long as it’s in “line of sight” it will reflect your sweep beam back on that 180 return path that Red-Eye / lamping works so well on. Think how small a fox or rabbit iris opening is 50m or more across a field at night, likewise the “cats-eyes” road markers your car headlight makes visable 200m or more away.

With regards,

“I think it makes a good case for a dog trained to sniff out triphenylphosphine oxide.”

I don’t for a couple of reasons.

Firstly as for the heat disipating “Printed Circuit Board”(PCB) coating “triphenylphosphine oxide”(TPPO). Detecting it by sniffer dog is actually of less and less use these days. Because of not just the rise in IoT device usage but the significant rise of general “Fast Moving Consumer Electronics”(FMCE). For instance LED lights, and clothes irons use it, as do effectively all “white and brown” goods even those you would have thought unlikely such as nose hair trimmers, hair curlers and other grooming products and similar even the battery based tools in our tool box and gizzmo electronic wine bottle openers and electric carving knives we apparently steadily fill our homes with courtesy of Amazon and Co. They are all based around the same electronic components that “memmory cards” are, and for the same reason TPPO is used thus appearing in all “Fast Moving Consumer Electronics”(FMCE) pretty much as standard these days.

But secondly I actually hate the use of sniffer dogs/animals… Few know that they are effectively tortured not just in training but their entire working life by being on what is euphemistically called “The Reward Diet”. Basically you continuously stave the dog, and then only feed it morsels when it finds what you want it to find tgus it’s hunger enslaves… Worse the animals are undernourished with life expectancy and general well being of the animals verifiably diminished. Certainly not my idea of a “Working relationship” or “Symbiotic partnership” between “Man and beast” that many claim. It’s also why training other sniffer animals is not very successful with the exception of perhaps drug sniffing where the reward just as it is with junkies is a chemically altered state. So remember that starved or turned into an addict sniffer animals are in an “abuse-dependancy” relationship with the handler. What punishment do we hand out to those who do similar to children and other vulnerable people?