Print Issue: February 2006
The next time you are sitting in a corporate boardroom, look around for the sound system speakers. They may not look like the front line in the war on industrial espionage, but they are one of the most common places for eavesdropping devices in a corporate environment. During meetings, the music tends to be turned off, but the speaker is still very much alive.
Unobtrusive and harmless in appearance, the speaker is a natural microphone with its own energy source. It is often centrally located and, as a dynamic microphone, can suck up every word or whisper uttered in the boardroom.
I learned this lesson many years ago when I was at a large platinum refiner doing a technical surveillance countermeasures (TSCM) sweep—the process by which one looks for electronic eavesdropping devices. Only after I had conducted an exhaustive physical sweep of all of the phones and executive offices did I notice a small speaker disk in the ceiling of the boardroom. I asked the company’s security director what it was, and he said, “The Muzak system. It’s harmless.”
How wrong he was. In the telephone wire closet, or “frame room,” serving the boardroom, I found a switch from the loudspeaker linked to a connector which had been plugged into a tape recorder. All I found was the wire and connector, and the place where the recorder had once sat—but no tape recorder. From that point on, I always started with the corporate boardroom on every electronic sweep, conducting a physical inspection of each room, before I switched on any of my TSCM equipment.
Tools of the Trade
Would-be information thieves have many tools at their disposal that can help them listen in on conversations that are supposed to be private; they need not spend a lot of money to achieve their objectives.
In fact, cheap devices are often more effective than the expensive ones. For example, a $35 miniature voice-activated tape recorder in a briefcase left in the CEO’s office or a cell phone placed on a table in the boardroom will often be more effective in siphoning proprietary information than an expensive $5,000 transmitter with a hearing-aid microphone.
Miniature recorders. Miniature tape recorders are prime suspects in any information leak. Some of the newer, fully digital Russian models can operate for over 1,200 hours.
These units are now very small and can be easily concealed. There was even a company that openly sold a transmitter mounted in a cigar tube. The only defense against these devices is a walk-through metal detector, or one that is hand-held, though companies typically do not choose to subject executives to this level of screening before meetings where proprietary information will be discussed.
The Teamsters Union once had me build a tape-recorder detector that was installed under a meeting table. Nowadays, however, technology has made that type of detector obsolete.
Telephones. The music system speaker in the ceiling is not the only threat of this type. Another speaker is the one you listen to while on the telephone. There are numerous ways to modify the telephone to monitor room conversations while the handset is hung up.
I once detected this type of modification in the civil defense telephone of the Governor of Maryland. I trained his State Police technician how to find it, and that trooper later discovered the same modifications on telephones in governors’ offices across the United States.
One of the most novel spying tactics I detected was in the telephone system of the state attorney’s office for the city of Baltimore. By using extra wires, the eavesdropper had built a transformer inside the cable that connected the telephone terminal to the switching equipment. The device picked up all conversations to and from the state attorney’s office.
I hunted down the bug by measuring the voltage of the telephone terminal block on the wall of the office itself. The first two sets of terminals showed normal voltage; the third had no voltage, but was still carrying conversation. That precipitated a trip to the basement of the building, where we found a listening post—complete with an ashtray full of cigarette butts where the wiretapper had sat, soaked up the conversation, and smoked.
Radio waves. Another way that information may be pirated is via a miniature transmitter, or bug, that emits radio waves. Information is transmitted by modulated radio waves, much the same way as television or radio.
A sweep will typically look for signs of such waves. However, the sweep has to go beyond the obvious.
A TSCM expert offering a sweep only with an auto-tune scanner is doing you a great disservice. Auto-tune scanners scour the room for AM and FM frequencies and beep if they run across a bug using that type of modulation, but they are unable to pick up any other modulations.
There are no upper or lower limits for radio wave frequencies that can be used to transmit information. In addition to the standard modulations, there are exotic ones, like spread spectrum, frequency hopping, single sideband, and pulse, which reduce interference. However, once the frequency of the transmitted signal approaches the AM broadcast band and below, it is usually best to transmit the information along a wire. This can be an AC power line, a telephone line, or cable TV lines. Once put on a line, these signals are referred to as carrier current; the threat they pose has long been overlooked by TSCM services.
Only a spectrum analyzer—essentially an ordinary radio receiver with a visual display—can identify all of the standard modulations, as well as exotic ones. In addition to detecting airborne signals, the spectrum analyzer can also identify signals transmitted back through cable TV and telephone systems. Spectrum analyzers are not that expensive, and any good TSCM firm should have one in its kit and be adept at using it.
In the exotic realm of radio frequency bugging techniques—which are predominantly used by national intelligence services—there is a pair of old standbys. The first is the water vapor detector, or microwave detector, which can sense the water molecules as they leave your mouth and translate them into audio. The second is the series of devices invented in the early 1900s by a Russian engineer, Lev Sergeivitch Theremin.
The most famous listening tool of the type Theremin concocted was found in the U.S. embassy in Moscow in the mid-1950s, hidden inside a wooden carving of the Great Seal of the United States. The device worked by beaming ultrahigh-frequency radio signals at the Seal. The signal struck a metallic membrane inside the seal that vibrated at a rate determined by the voices striking it.
The signal carrying the room conversation then returned to the receiver located in a building across the street at two to three times the frequency of the original input signal. This was then translated into room audio, monitored, and recorded.
The amount of signal power required to accomplish this was almost enough to cook a hot dog, and there is no doubt the people using the room must have been perpetually warm. Soviet intelligence was able to record conversations for nearly six years until the device was discovered during a routine physical—not electronic—security check.
This kind of system was made obsolete by the advent of television because its powerful signal obliterated all TV pictures. But because television sets today have an improved design that blocks such interference and because the technology has now improved, it is again in use.
Raw audio. It is also possible to put raw audio directly on the AC power line. The eavesdropper will install a microphone and hook it to the AC power line via an amplifier.
To counter this type of threat, an audio sweep should be followed by a carrier current detector and a spectrum analyzer to ensure that all wires are “clean.”
Lasers. Another exotic eavesdropping technique is the use of lasers to monitor room conversation. Laser beams can detect vibrations in the room and convert them into audio.
Newer laser microphones are created by feeding two hair-thin strands of fiber-optic cable into the room being monitored. The microphone operates when a laser beam is sent down one of the fibers, where it bumps into a thin aluminum diaphragm and returns on the other fiber with the room conversation.
Finding these devices requires a careful physical search employing ladders, flashlights, and mirrors.
Conducting the Sweep
Electronic sweeps are not easy, and they are time consuming. Upon entering an office to be swept, I make a mental picture of the room. Plates covering light switches and wall outlets and covers on air conditioning and heating systems must be removed in preparation for the main sweep.
I usually head for the telephone to remove the cover and inspect the insides for foreign devices. Various instruments are then used to detect a bug within the telephone system.
A spectrum analyzer, as mentioned earlier, is employed to test for radio frequency devices. A time domain reflectometer (TDR) is used to detect any devices that may be connected to the telephone lines or telephone switching equipment.
Voltage measurements are made. The lines are then followed to telephone closets, each of which may be on different floors. These are visually inspected for uniformity and foreign devices.
On average, I spend roughly four hours on this stage, then another four hours conducting a radio frequency and audio sweep.
The final phase is an exhaustive physical search. In all, a thorough sweep takes up to 10 hours per room. The cost is on average $150-$250 per hour. Big companies should plan on sweeps up to four times per year, scheduling them at irregular intervals to throw off potential eavesdroppers.
Limitations of Sweeps
Most TSCM sweeps will find nothing suspicious. That is not because the TSCM expert is incompetent, but because information thieves don’t need to resort to electronic eavesdropping in most cases; it is far easier to get an employee to steal information by other means. Consider the following case, for example.
The security director for a Chicago-based oil exploration company was worried. It was clear that highly sensitive proprietary information about the company’s drilling operations was somehow getting into the wrong hands despite a bimonthly TSCM sweep of the premises, including the boardroom, the executive offices, and all phones.
After a reference to the firm’s confidential drilling sites appeared in a local trade publication, the senior vice president for operations told the security director to stop the leak or find a new job. The first thing the security chief did was fire the old TSCM consultant; he then called fellow security directors to get recommendations for a new one, whom he hired. But the newcomer was no more effective than his predecessor was, and the information hemorrhage continued. The security director was indeed fired.
Months later, the leak was finally traced to a member of the management team who was passed over for promotion. He had decided to steal confidential data from his employer and feed it to one of the company’s competitors in exchange for a job.
The security director’s mistake was that instead of conducting a well-rounded investigation of the case, including the potential that it was a human resources problem, he had relied almost exclusively on an electronic sweep.
As a TSCM consultant with nearly forty years of experience, I can assure you that an electronic sweep cannot plug every information leak, nor necessarily find the source of the leak, even if it is of an electronic nature. For that, you need a comprehensive information protection program that recognizes that most information theft from corporations today is conducted by human, not technological, means.
The best eavesdropping countermeasure efforts start with a well-designed security plan that includes preventive measures such as awareness training, good password policies, and proper information classification and handling protocols. The company should also regularly conduct after-hours office inspections.
When the worst-case scenario occurs and information theft appears to have occurred, security directors should make a list of all the means by which the data may have been stolen.
Security professionals must be creative and put themselves in the spy’s shoes, and think in terms of the cheap, the easy, and the obvious. They must canvass spots on the premises where an eavesdropping device could pick up the most valuable type of information, yet be hard to find during a TSCM sweep because the bug may be long gone. In so doing, they may detect clues that an eavesdropper was there. They can then consider other means of determining who might have had access to those locations or to the information that has been leaked.
TSCM sweeps provide peace of mind for protecting a company’s proprietary data, but they are just one measure. They can only be effective as part of a larger information protection program.
Martin L. Kaiser III is president of Martin L. Kaiser Inc., an electronic manufacturing firm in Cockeysville, Maryland.
Robert S. Stokes is a freelance writer, novelist, playwright, and a former journalist.
Kaiser is the author, with Stokes, of “Odyssey of an Eavesdropper: My Life in Electronic Countermeasures and My Battle against the FBI” (Carroll & Graf Publishers, January 2006), an autobiographical account of his experiences in the counterintelligence community dating back to the mid-1960s.