Classification of threat levels of technical intelligence equipment.

Classification of threat levels of technical reconnaissance equipment.

James M. Atkinson, Granite Island Group

Threat levels of technical control

Threats caused by the use of technical control equipment can be divided into five main levels. When moving to the next level, the difficulty of detecting such means increases by an order of magnitude.

Each of the levels is correlated with a specific type of eavesdropper and the equipment used.

Each of the levels is also correlated with a specific type of TSCM inspection.

Level 1 — amateur electronics.

This threat level involves amateur electronics and amateur circuits. Such equipment is commonly available at radio shops, department stores, and toy stores.

This equipment is not intended to be used as a monitoring device and operates in certain amateur frequency bands.

The bands used to a significant extent are 49 MHz, 88 — 108, 143, 171, 900 — 925 MHz.

The range is mostly limited to frequencies up to 1 GHz. Limited use of the 2.4 GHz range, mainly Wavecom video transmitters, are very easy to detect.

Equipment used to connect to telephone lines is easily detected due to high parasitic consumption.

Since the equipment and training required to perform TSCM inspections at this level are minimal, the cost of this type of service is minimal. Companies offering services at this level typically charge between $150 and $750 for a full cleaning (but remember, you get what you pay for). This type of TSCM service typically takes no more than 4 hours to complete.

Technical Devices.

• Wireless microphones
• Intercom systems
• Child monitoring devices
• Voice recorders
• Voice recorder trigger relays
• Inexpensive microphones
• Video cameras
• Video cameras with tape recorders
• Similar electronic devices that are nothing more than hobbyist toys and trinkets.
• Usually used by spouses when they spy on each other.

Technical Profile

• Frequencies are typically between 150 kHz and 2.5 GHz
• Power is typically below 50 mW
• ISM bands with narrowband spread spectrum may be used.
• Wideband spread spectrum and frequency hopping are rarely used
• IR devices are concentrated around 900nm
• Modulation types: AM, narrowband FM, wideband FM
• Little or no cryptographic cover is used
• Large harmonic components
• Inefficient circuit design, but very low cost

Countermeasures

• Digital multimeter
• Handheld/pocket RF field detector
• Near field detector
• Feedback detector
• Detection requires TSCM equipment worth no more than $300

Characteristics of TSCM performers

• Requires 5 days of TSCM training
• More than 50,000 people worldwide work at this level
• More than 4,500 firms in the US offer services at this level
• Half of the firms offering services at this level are private detective firms
• Another quarter are security consulting firms.
• The remaining quarter are crooks, criminals, spy shop salesmen and scammers who will say and do anything to get you out of your money (usually thousands of dollars).
• There are at least 50 firms operating at this level in every major city in the US

Level 2 — «spy shop toys».

This threat level consists of equipment and products specifically modified for use in covert surveillance.

Typically nothing more than cheap consumer electronics, such as Wave — Com video transmitters or wireless microphones in the amateur band.

Often, level two devices are level one devices that have been modified, rebuilt, and/or camouflaged (e.g., in the back of a box, in an eyeglass case, a lamp, or a clock radio).

The main feature of a second-level device is its smaller size and camouflage method (usually inside another electronic device).

The equipment usually operates in the well-known “spy shop” or amateur radio frequency range and often at consumer frequencies.

Equipment used to connect to telephone lines usually has a large parasitic consumption and is very easy to detect.

The equipment and training required to perform TSCM inspections at this level are minimal, and the cost of this level of service is moderate. Firms offering TSCM services at this level charge between $1,000 and $1,500 for a limited cleaning. This type of TSCM service typically requires no more than six hours.

• Phone Bugs
• Body-Worn Devices
• Wireless Microphones
• Intercom Systems
• Child Monitoring Devices
• Voice Recorders
• Voice Recorder Trigger Relays
• Low Cost Microphones
• Video cameras
• Video cameras with video recorders
• Similar electronic devices that are little more than toys and trinkets

• Frequencies typically between 50 kHz and 3 GHz
• Enhanced use of 399 MHz and 2.4 GHz
• Power typically between 2.5 mW and 500 mW
• May use ISM band with narrowband spread spectrum
• Wideband spread spectrum, burst operation, and frequency hopping are rarely used
• IR products are clustered around 900nm
• AM modulation, narrowband FM, wideband FM, with FM subcarrier
• Cryptosecurity is rarely or not used
• Harmonic components are detected
• Relatively low cost
• Designed as toys for hobbyists

• Digital multimeter
• Handheld/pocket RF field detector
• Near field detector
• Feedback detector
• Ultrasonic stethoscope
• Cheap spectrum analyzer (e.g. Avcom PSA -65C)
• All-spectrum correlator (e.g. OSC -5000)
• TSCM equipment for about $15,000 is required for detection work

Characteristics of TSCM performers

• Requires 10 — 20 days of TSCM training (2 -4 weeks)
• Over 10,000 people worldwide work at this level
• Over 2,500 private firms work in the US at this level
• Every major US city has at least 50 firms working at this level

Typical Suppliers

• Micro Electronics
• PK Electronics
• Lorraine
• Xandi
• DECO
• Ramsey
• Supersurcuits

This threat level typically represents equipment and devices used by law enforcement, industry, science, and broadcasting. This equipment is generally not available to the public. These items are usually too expensive for spy shops, private investigators, and amateur spies.

An estimated 60% of this production is equipment used in the broadcast industry (video transmitters, body-worn products, and wireless audio products). Typically, this equipment is relabeled and sold to law enforcement at highly inflated prices. This equipment is quasi-legal for the public to own, buy, sell, or attempt to sell (but it's a big gray area).

Only 40% of the equipment is specifically designed for law enforcement (AID, HDS, etc.) and is in reality nothing more than a copy of a broadcast product in a covert product. Such equipment is absolutely prohibited for the public to own, sell, buy or attempt to buy.

The equipment usually operates on auxiliary broadcast or law enforcement frequencies that have nothing to do with “consumer bands”

The person conducting the wiretap usually assumes that the target is «easy» and does not expect to be wiretapped. The target usually does not conduct any TSCM inspection, or uses spy shop bug detectors, which provides a false sense of security.

The equipment used to tap into the phone lines usually contains sophisticated decoupling circuits and is difficult to detect electronically. Such equipment can usually only be detected by careful physical inspection.

The main characteristic of a Level 3 device is that it was originally developed, advertised, and sold to a consumer outside the general public (such as TV studios, medical institutions, industrial companies, or law enforcement agencies).

The equipment and training required to perform TSCM inspections at this level begin to become complex. The cost of this type of service begins to increase. Firms offering TSCM services at this level typically charge between $1,500 and $3,000 for a limited inspection. This type of inspection usually takes no more than 1 day.

Typical Equipment

• Body Worn Equipment
• Bumper Alarms
• Motion Trackers and Beacons
• Wireless Microphones
• Voice Recorders
• Hidden Video Cameras
• Night Vision Devices

• Frequencies typically between 3kHz and 40GHz
• Power typically between 2.5mW and 10+W
• Generally uses ISM bands with spread spectrum
• Uses narrowband/wideband spread spectrum or frequency hopping
• IR devices in the range from 850nm to 1050nm
• AM, narrowband FM, wideband FM, FM — subcarrier, SSB, quadrature AM and over 32 other types of modulation
• Limited use of cryptographic cover using simple algorithms
• Limited use of digital modulation
• The products are expensive but very effective
• Designed for short-term, low-risk technical inspections

Countermeasures

• Digital multimeter
• Handheld/pocket RF field detector
• Near-field field detector
• Feedback detector
• Ultrasound stethoscope
• All-spectrum correlator (e.g. OSC — 5000)
• Spectrum Monitoring Systems (e.g. MSS, ACES, Omnisean)
• Spectrum Analyzer 9kHz to 40GHz
• Vector Signal Analyzer Narrowband
• Oscilloscope
• Non-Linear Locator
• Search/Intercept Receivers
• Telephone Analyzer
• Time Domain Reflectometer
• Portable X-ray Equipment
• Requires at least $350,000 worth of TSCM equipment to detect

TSCM Performer Profiles

• Requires 30 — 49 days of TSCM training
• Over 2,000 people worldwide are officially certified at this level
• About 500 private firms in the US offer TSCM services at this level (mostly private investigator firms)

Typical Equipment Suppliers

• Audio Intelligence Devices
• Telex
• Sony
• Household Data Systems — HDS

Level 4 — Professional Eavesdropping Equipment

The main characteristic of equipment at this level is that it is designed, advertised, and sold as a product for covert eavesdropping.

This type of device is designed to be undetectable during a normal TSCM sweep. It takes a very long time to detect and identify. This type of threat assumes that TSCM work will be conducted at the facility.

This type of device is usually operated by a permanent staff located at a fixed control post. The listening team usually keeps the facility under close surveillance and monitors the security communication ranges to detect the TSCM teams.

This type of threat is usually used when businessmen are placing eavesdropping devices on each other and when “big money” is involved.

The equipment and training required to perform TSCM inspections at this level are significant. Firms offering TSCM services at this level typically charge between $3,000 and $7,500 for a limited cleaning. This type of TSCM service typically requires a full day of work (often 2 — 3 days).

• Wireless Microphones
• VLF Digital Instruments
• Hidden Video Cameras
• LAN/WAN Eavesdropping Devices
• Copying machines equipped with bookmarks
• Fax machines equipped with bookmarks
• Computers and monitors equipped with bookmarks
• Modified telephones, PBXs and voice mail systems
• Cell phone interception systems (usually undetectable)
• Pager alarms/interception systems (usually undetectable)

Technical Profile

• Frequencies typically between 3 kHz and 110 GHz
• Power typically between 250 nW and 100 mW
• Spread spectrum with wide and narrow bands, burst transmission and frequency hopping
• IR devices in the range from 300 to 1710 nm
• Used over 156 types of modulation
• Can use burst transmission
• Typically uses full duplex communication for remote control of the device
• Enhanced use of cryptographic cover using complex algorithms
• Enhanced use of digital modulation
• Extremely difficult to detect
• Roads and very high quality
• Designed for long-term operation in high-risk technical inspections

Countermeasures

• Spectrum analyzer from DC to 325 GHz
• Vector signal analyzer — very wide bandwidth
• Non-linear locator
• Search/intercept receivers
• Measuring receivers
• Telephone Analyzer
• Time Domain Reflectometer
• Portable X-ray Equipment
• LAN/WAN Analysis Equipment
• At least $750,000 worth of TSCM equipment is required for detection

Characteristics of TSCM Performers

• Requires 40 to 60 days of highly specialized TSCM training
• Only about 500 people worldwide are officially certified at this level.
• Usually Interagency Training Center/Counterintelligence Technical Specialist
• About 43 private firms in the U.S. offer TSCM at this level.

Level 5 — Intelligence Agency Equipment

This level of equipment is typically made to order by an intelligence agency by leading defense contractors.

Includes ultra-low lower spread spectrum digital devices and extremely sophisticated camouflage techniques.

A typical installation of the equipment costs hundreds of thousands of dollars (often millions) and requires significant assets prior to installation.

Used by nations to spy on each other.

The equipment and training required to perform TSCM inspections at this level are significant. Firms offering TSCM services at this level typically charge between $7,500 and $25,000 for a limited cleaning. This type of TSCM service requires at least 2-3 days (often a full week).

• The most advanced wireless microphones
• Digital VLF devices
• Specialized covert video cameras
• LAN/WAN listening devices
• Buried copy machines
• Buried fax machines
• Buried computers and monitors
• Modified telephones, PBXs and voice mail systems
• Cellular interception systems (usually undetectable)
• Alarm/pager interception systems

• Frequencies typically between DC and 1.5 THz
• Signal levels as low as possible
• Power typically between 250 nW and 100 mW
• Intensive use of “signal paths”
• Enhanced use of fiber optics
• Narrowband/wideband spread spectrum, burst operation, frequency hopping
• Optical devices in the range of 300 — 3500nm
• More than 300 commonly used modulations
• Can use burst transmission
• Typically uses full-duplex communication for remote control of the device
• Enhanced use of cryptographic cover using complex algorithms
• Heavy use of digital modulation
• Very difficult to detect
• Expensive and very high quality
• Designed for long-term operation in high-risk technical monitoring operations
• Typical use of planting decoy devices
• High probability of using repeaters and/or satellites
• Large-scale use of bugs in all switching systems
• High labor intensity of application with the involvement of dozens of people to carry out wiretapping

Countermeasures

• Spectrum analyzer from direct current to 1.5 THz
• Vector signal analyzer — very wide band
• Non-linear locator
• Search/intercept receivers
• Telephone analyzer
• Time domain reflectometer
• Thermal imaging equipment
• Portable X-ray equipment
• LAN/WAN analysis tools
• Requires well over a million dollars in TSCM equipment to detect

• Requires 150+ days of highly specialized TSCM training
• No more than 50 people worldwide are officially certified at this level
• Only six private firms in the US offer TSCM at this level