New Bugging Threats
Print Issue: February 2010
DURING THESE difficult economic times, there has been an uptick in incidents of corporate espionage, according to some experts. One way this has occurred is by tapping conversations with bugging devices. According to some professionals, the risk of bugging is rising as small, inexpensive devices become more available.
Finding such bugs has been the purview of a relatively small field of experts who practice Technical Surveillance Countermeasures (TSCM). TSCM experts often use expensive equipment on bug sweeps. But their success comes down to experience combined with a dogged, rollup-the-sleeves search, say experts.
Newer bugs use the global system for mobile communications (GSM), which is the communications standard that most cell phones use. In some Asian countries, “they’re turning out GSM bugs like penny candy,” says Michael Tomamichel, director of TSCM vendor SoCaltscm. A search of shopping sites such as eBay shows multiple devices for sale, with prices ranging from a few dollars to about $50. Appearing like small keypadless phones, they can be silently called from anywhere in the world and used for eavesdropping.
Bugs in general have grown smaller and easier to deploy over the years, says James Atkinson, president of the Granite Island Group. Some bugging advances have included more use of wireless LAN technology; more bugs can also be switched on or off remotely. But Atkinson says that detection equipment has outpaced the technology used by spies. Spectrum analyzers, for example, which detect signals put out by GSM and wireless LAN, have gotten more sensitive and are also better designed than in the past.
What hasn’t changed, he says, is the critical importance in a bug sweep of combining experience with an in-depth physical search. For example, experienced professionals know that the search should be stealthy, because if the person who planted the bug knows there will be a sweep, he or she can simply turn off a bug’s signal during the search. If they have advance warning, some spies might even try to retrieve a device. During a search for an existing bug, spies will realize at some point that a search is underway, Atkinson says. The aim is to delay this point for as long as possible.
While it’s good to be discreet, it’s preferable to avoid searching at night or when few people are present, because if the spies are also conducting video surveillance, they will immediately notice the activity. Many spies using bugs will also monitor a situation through other methods, he says. Some might deploy computer key loggers; others might use cheap wireless Internet Protocol cameras to view the exterior of a bugged area. To avoid suspicion when entering a location, bug sweepers will sometimes wear nondescript clothing, carrying equipment in generic bags.
Companies that want to have a sweep conducted should also use caution in researching TSCM-related information or contacting professionals. It’s best to use a phone or computer outside the suspect area, for example.
It’s worth noting that all bugs require a power source. Though some devices are battery powered, others will be deployed and configured to use existing electrical power. This is one reason bugs are frequently planted in or behind electrical outlets, fixtures, or switches. Other common locales include inside ceilings, in floors under rugs, and in smoke detectors, plants, and desks. A good sweep usually requires access to rooms above, below, and surrounding a potentially targeted location, Atkinson says. A thorough search of a 20-foot by 20-foot room can sometimes take three days, he says.
Hard numbers on bugging incidents are scant. Skilled spies often leave no evidence, Tomamichel says. The financial services industry and firms with high-value intellectual property tend to be targeted more than others, he says.
On his Web site, Atkinson posts risk factors, such as a relationship separation, as well as red flags, such as having one’s office or home broken into but not seeing anything missing.
While the risk is real, people who think they have a bug are usually wrong. Because sweeps can cost as much as several hundred dollars an hour, they aren’t for everyone. However, for companies with important trade secrets or other intellectual property to protect, it may pay to err on the side of caution and have the occasional sweep.
The key is to find a reputable expert with the right tools and experience. A little shopping around for TSCM services makes sense as well, Tomamichel says. But not too much time, as the real presence of bugs can be “deadly” to a company’s intellectual property protection program.