STATEMENT OF PURPOSE
DEFINITIONS OF AUDIO
SECURITY AND AUDIO
AUDIO SURVEILLANCE TECHNIQUES
MICROPHONE AND WIRE
GENERAL CONSIDERATIONS FOR AUDIO SECURITY
ISOLATION AND NULLIFICATION
THE AUDIO COUNTERMEASURE SURVEY
The purpose of presenting the following material is threefold. First, it equips the lay-person with a general understanding of the real threats from electronic eavesdropping. Second, it provides enough information to allow the security representative responsible for general security to set up an effective electronic countermeasure program that should sharply limit the likelihood of a successful electronic attack. Thirdly, it addresses and hopefully dispels many myths that have attached themselves to this industry.
This material is written in as nontechnical a fashion as possible consistent with clarity and understanding. Persons with an electronics background should note that this simplistic approach of holding technical language to a minimum may strain certain traditional textbook definitions. Nonetheless, any technical distortion that occurs is only the product of the omission of detail from some definitions that were not considered necessary in a general discussion. All definitions and terminology used herein are accurate and valid for a discussion on this nontechnical level.
Not all eavesdropping is electronic and the term "electronic countermeasures" is not sufficiently comprehensive to describe this branch of the security field. The general term used is audio security, and audio countermeasures the specific steps taken to either detect or nullify listening devices. Audio Countermeasure Technician describes one skilled in these techniques. In some circles the act of eavesdropping is technical surveillance and the actions taken to combat such an attack as technical surveillance countermeasures, commonly abbreviated TSCM.
The most difficult to detect methods of technical attack may or may not be the most expensive and many of them represent years of experimentation by those so inclined. Often the full resources of foreign governments support their agents. Intensifying the threat is the value to the information sought, much of which is vital to a nation's or company's security and thus of great interest to opposing intelligence services. With stakes high, both sides have found it worthwhile to expend great sums on the development of new surveillance techniques that in turn require additional sophistication in countermeasures. The presumption that most technical attacks encountered by those at a nonfederated level will be relatively unsophisticated and therefore more susceptible to detection or nullification is inaccurate.
Understanding the ways a technical audio attack may be mounted must be considered first when planning for an effective audio countermeasure program. In view of that, technical audio surveillance techniques or audio attack methods is the primary consideration.
AUDIO SURVEILLANCE TECHNIQUES
For ease of presentation, the types of technical attacks are placed in six general categories. These categories are arbitrarily established for ease of discussion. Some devices or procedures covered can fit into more than one category.
MICROPHONE AND WIRE
In spite of the technological advances of the electronic age, one of the most important "devices" used to compromise audio security is still the unaided human ear. The security officer who fails to consider this may find that the large sums of money just spent for sophisticated audio countermeasures equipment negated by the secretary who sat immediately outside the conference room or private office or they failed to note that the public address system used in the meeting room amplified sound so much that anyone walking down a nearby hallway could hear it clearly.
Do not discount the effectiveness of the human ear further enhanced by a plain old-fashioned water glass or the doctor's stethoscope placed against an adjoining wall. Heating/air conditioning ducts and pipes/conduits exiting the room also carry a considerable amount of room audio.
The section on countermeasures discusses acoustic attenuation of walls. It also addresses variables such as thickness, nature of materials, types of construction and acoustic impedance (the rate at which a material allows voices to pass through it). If the perimeter of a space to be protected lack's sufficient acoustic attenuation (in particular, the ability to block the transmission of voices) then, without a doubt, the first threat to be considered and dealt with is that of the human ear.
Tape recorders represent another type of "mechanical" attack. They can either be placed in the target area and retrieved later or carried by a person intent on intercepting details of a conference or conversation. Concealment is now quite easy thanks to the large number of miniature, inexpensive and very good tape recorders currently available. Some are a little larger than a pack of matches. Today, it is possible to place 2,000,000,000 (that's two billion) transistors on a single substrate less than 1/8 of an inch square! Taking advantage of this incredible density are recent developments in "fully solid-state" electronic "tape-less" recorders that now further complicate the picture.
A recorder with a voice operated switch (VOX), that turns on only when voices are present, put in place before a meeting or conference, can be very damaging. There are many commercially available recorders using this technique that tape for tens of hours and "standby" for over 1,000 hours when no voices are present. This approach is especially useful in attacking onetime events, such as conferences, where an opportunity to retrieve the device would be much greater than if the target were a corporate office or board room.
The recorder attack relies least upon gadgetry. Its greatest danger lies in the fact that it is so obvious. A security officer oriented along more technical lines may completely overlook it.
Cell phones have recently been added to the growing list of "mechanical" attacks. It is now possible to program a cell phone to automatically answer an incoming call while NOT ringing. The implications of this approach are enormous. Also, two inexpensive cell phones can be purchased at a chain or discount store and one used to call the other. One of the phones is then left in the target area while the other is used to monitor conversations from it. That phone may be carried to virtually anywhere in the country.
VISUAL OR OPTICAL ATTACK
In some ways, this is the most interesting category because the techniques range from the most mundane to exotic "James Bond" type devices. Attacks under this category fit into the following areas:
Optical attacks include real time observation via telescope or binoculars or photography via telephoto lenses. The latter includes both motion/still pictures and video techniques. Although there is a possibility that a camera with telephoto lens could photograph sensitive documents lying on desk tops the main hazard comes from a seemingly nontechnical, but in fact highly effective technique; lipreading. Accomplished lip-readers, especially those with a language capability, could be of great value when armed a good pair of binoculars and line-of-sight view of those in conversation. The conversation, of course, could be video taped for analysis later. As obvious as this may seem, it is a technique all too often overlooked.
Television is a threat in those areas where the opposition has had a chance to gain unimpeded access to the target space or occupies an adjoining room. A hole no larger than the head of an ordinary pin can produce a television picture of quite acceptable quality. With the current state of the art, light levels are no longer critical. Miniature television cameras complete with transmitter smaller than a pack of cigarettes are readily available for under $200.00!
Coupling the lens of a television camera to a high resolution fiber optic bundle such as those used in internal medicine is a distinct possibility. Fiber optic systems allow mounting the television camera some distance from the area under observation. This alone can cause considerable problems for the countermeasure technician. When the target makes extensive use of briefing charts or other visual displays, it calls for a television camera attack. There are three ways to gather information intercepted by the television camera:
VIDEO TAPE retrievable at one's leisure.
HARD WIRE where it goes from the camera to the monitor via shielded cable (fast scan) or telephone line (slow scan).
VIDEO TRANSMITTER that transmits the signal over the airways to a distant location.
LIGHT ATTACK where the video is sent over a laser beam.
Now readily available and inexpensive, light-emitting-diodes (LEDs) and laser diodes, primarily infrared (IR) emitters, are finding their way into surveillance equipment. These diodes have reached peak efficiencies only dreamed of a few years ago. As with any light, they need an optical path from the area under surveillance to the listening post. Bear in mind, though, that some materials impervious to visible light may pass IR light with little attenuation.
Both the LED and laser are used in a similar manner. A microphone attached to electrical components convert room audio into the energy needed to modulate the light beam. The type of modulation can vary but generally centers around several types of pulse modulation schemes to conserve power and thus give battery powered units a longer life span.
It is necessary for the optical transmitter to be placed in a position so it can transmit its beam of light uninterrupted to the listening post (LP) where a suitable detector reverses the process, i.e., changes the light back into audible sound. Although somewhat constrained by the need of an optical path to the listening post, these devices are hard to detect.
The laser diode is perhaps the ultimate optical weapon. In some ways, the laser diode resembles the LED except that it produces a much, much narrower or coherent beam of light at higher operating efficiency.
As previously mentioned, a laser diode modulated with room conversation is an effective transmitter. There is, however, another application of the laser that is much more devious.
When a conversation takes place in a room, all objects in that room vibrate from the acoustic energy generated by that conversation. Rigid objects tend to vibrate more so than soft ones. This, of course, is how a microphone works. The diaphragm moves back and forth vibrated by room audio and this vibration is, in turn, converted into electrical energy. Focusing a laser on an object with a suitable beam return path returns room audio.
These systems, besides being difficult to deploy, suffer from major audio retrieval problems. Room conversation is not the only thing that vibrates the target surface. A variety of mechanical equipment noises, such as motors and fans coupled with the normal "street" noise of people walking and moving things makes advanced filtering equipment mandatory. To make the job somewhat easier, state-of-the-art voice recognition filters called digital-signal-processors (DSP) are now available.
A recently developed device sends light from an I.R. laser diode down a single strand of fiber optic cable where it strikes a small reflective diaphragm that is modulated by room conversation and returned on another strand to the detector where it is demodulated. This device defies all electronic detection and must be found by physical search.
MICROPHONE AND WIRE
This is probably the oldest of the technical attacks dating from the early days of carbon microphones and tube-type amplifiers. Today, microphone technology has advanced to the point where there are now highly sensitive units, less than 1/4 inch square and 1/16 inch thick, with built in amplifiers that can transmit conversations over super thin copper wires hundreds of feet in length. There are multitudes of small, inexpensive (under US$5.00) microphones commercially available that are very suitable for audio surveillance.
While microphones differ in design or specific operating principle, they all do essentially the same thing. As a group, microphones fit into that class of electrical components generally known as "transducers." A transducer is simply a device that changes mechanical energy to electrical energy, or vice versa. Thus, a radio loudspeaker is as much a transducer as the window pane that modulates a laser beam. This interrelationship is of interest because of the fact that a loudspeaker, especially an efficient one with a stiff speaker cone, makes a highly effective microphone.
It is perhaps a sign of the times that so many supposedly secure areas have speakers mounted in the walls or ceilings for the omnipresent background music or public address system. An unused speaker, i.e., one not actually propagating music or announcements, makes an extremely effective microphone. All that is necessary is to intercept the pair of speaker wires at any point and attach a suitable matching transformer and amplifier, recorder or transmitter. Audio in the room causes the speaker cone to resonate in the same manner as would the diaphragm of a microphone.
Types of microphones include the dynamic (moving coil or moving magnet), ceramic, electret, carbon, crystal, condenser, etc. Each has its particular advantages and disadvantages. The potential attacker would carefully consider which one to use in view of the need for certain characteristics such as sensitivity, current drain, frequency response, impedance, signal output level and detectability. It is not necessary to go into the differences between the varieties of microphones suffice it to say that the technological spy would choose the proper microphone with the same care as would a surgeon in choosing his instruments (that is probably not the best analogy, but it's close). Microphones may be placed into three groups; the carbon microphone, other microphones, and contact microphones.
Once the most common, carbon microphones are fading into oblivion. There are still a large number of telephones around which use this microphone so it deserves some discussion. Carbon microphones are characterized by their very high output signal as compared to most other types. They need an external voltage source to work. This requirement, and a progressive loss of sensitivity over time as the carbon granules settle, limit its use. Carbon microphones vary their resistance in proportion to the sound reaching them and thus are not voltage generating microphones. It is important to remember this when searching for them.
Dynamic, ceramic, crystal or condenser microphones are usually connected to an amplifier or transmitter by a length of wire. They are self generating transducers, similar to loudspeakers, i.e., audio in equals voltage out. Among this group is the electret microphone. This unit contains a built in amplifier that requires an external supply voltage. The current levels needed though are much, much lower than the carbon microphone and can be obtained by detecting a local radio or TV station and using the resulting voltage to power the microphone.
A modern microphone connected to a good amplifier can pick up conversations in an average room no matter where it is placed, especially if the room is acoustically dead. These microphones are difficult to detect or locate due to their very small size. When acoustically fed through a slender plastic tube they are known as "tube microphones." The advantage of this approach is that the microphone element itself does not have to be close to the target area. This approach really works. Do not discount its effectiveness.
Although very thin wire is sometimes used, existing electrical conductors such as power lines, telephone lines, or wire pairs that have been abandoned but remain in place inside the walls are much more effective.
The contact microphone is usually a form of dynamic, electret, ceramic, crystal or piezo microphone designed specifically to pick up mechanical vibrations moving along a surface vs. airborne sounds. Placing it firmly against a common wall, pipe, conduit, duct, etc., produces room audio. When mounted through a wall via a suitable fixture it becomes a "spike mike." Placed into or against the wall, it uses the entire wall as a diaphragm.
Under ideal circumstances, a contact microphone is very effective. Inherent disadvantages can be overcome by use of a digital-signal-processor (DSP)/filter.
"SHOTGUN" OR PARABOLIC MICROPHONES
Although "shotgun" or parabolic microphones differ in design from one another, both have the same purpose; the detection of voices at relatively great distances. Both are directional in that they focus sound waves upon the diaphragm of the microphone element somewhat like a parabolic reflector focuses light. These microphones can be seen at most sporting events. In that particular application do not assume the sound heard over the TV or radio is actually coming from a particular microphone. It is the product of the skillfully mixed output of several microphones. Parabolic microphones are also used in wildlife photography to record bird calls or similar sounds.
Both the shotgun and the parabolic microphone have another characteristic in common; their effectiveness is grossly exaggerated. They generally work at distances of less than 100 feet providing the ambient noise level does not block out the targeted sound. As the distance increases, so does the "signal-to-noise level." In other words, it is harder to distinguish target audio from background or unwanted audio. Under ideal circumstances, the best directional microphones might have a range of 300 feet, but as mentioned before, 100 feet or less is much more realistic for voice interception. These devices actually work quite well for bird calls, for two reasons.
Bird sounds are quite loud, certainly much louder than a normal conversation.
The sounds are higher in frequency. High frequency sound is generally more directional. Additionally, the human ear tends to perceive higher-than-human-voice frequencies more easily under marginal conditions.
Since they are difficult to conceal it is unlikely that one would select this type of microphone to further their technical efforts.
In summary, the microphone and wire attack is still very much with us and quite a few of the "finds" made by technical surveillance countermeasure technicians are of this type. They are attractive because of their commercial availability and low cost. Generally the lack of technical expertise of the installer assures that most are discovered during a good physical search.
For purposes of clarity and convenience, free-space transmitters will be broken into two broad categories; the radio frequency (RF) transmitter and the carrier-current transmitter. This distinction is necessary as they differ markedly in the way information is transmitted from the target area to the listening post. The countermeasure employed against each category also differs and each discussed separately.
This section deals only with the free-space transmitters. In order to understand more fully the whole subject of transmitters, it will be necessary to use a little more technical language. Again held to the minimum needed to understand how transmitters can be used for technical attacks and, later, to more easily comprehend what some countermeasures are.
As pointed out earlier, a transducer is a device that changes mechanical energy, such as human speech, into electrical energy. The proper term for this electrical energy is electromagnetic energy (EME). EME travels in waves that vibrate a given number of times per second. Various forms of electromagnetic energy vibrate at different rates and this rate of vibration is called its "frequency." Frequency is expressed in the number of variations or cycles per second. The phrase "cycles per second" (cps) changed in recent times to "Hertz" (Hz) to honor the scientist who first described this phenomena. One hertz equals one cycle per second or vice versa.
Scientists often refer to the electromagnetic spectrum as a group of electromagnetic energy expressed in order of frequency. At one end of the spectrum is energy that does not vibrate at all. This is direct current (DC) such as that produced by a battery. At the upper end is visible light, x-rays and cosmic rays. The energy of concern is radio frequency (RF) energy, and it is generally considered to be the electromagnetic energy in the spectrum from 10,000 Hz to infrared light. These can be very large numbers so now is a good time to look at some abbreviations. Another way to say 10,000 Hz is 10 Kilohertz, or 10 KHz. The letter "K" (for kilo) is the common abbreviation for 1,000. One million Hertz or Hz is one megahertz, or 1 MHz. 1,000 MHz is one gigahertz, or 1 GHz. "M" and "G" are frequently used in science for "million" and "billion" respectively.
Back to the transducer. Energy produced in the audio range i.e., from 20 Hz to 10 KHz is the same range as sounds in a room. All the transducer has done is convert the mechanical energy (sound) into relatively low frequency electromagnetic energy. Because it is low frequency, the energy will flow along the wires attached to it and into an amplifier. Consequently, low frequency information is retrieved from the target area along a hard wire path.
Shifting the intercepted information to a much higher frequency, however, creates a new picture. A certain amount of the energy would still flow down the wire, but some of it radiates outward into the airways. If the frequency were to be increased further, greater amounts radiate into the airways and are intercepted by a radio receiver tuned to the same frequency.
Of course there is a device that can convert audio range electromagnetic energy into radio frequency energy; a radio frequency (RF) transmitter. The transmitter takes the audio range information fed to it and converts it to a specific frequency in the radio frequency range. The transmitter usually includes an amplifier to magnify the converted signal. The amount of electric power used in amplifying the radio frequency signal is expressed in watts. As noted earlier, the radio frequency energy radiates from the wire leading to the listening post. Cut the wire and the radio frequency energy continues to radiate from the section still attached to the transmitter, especially if it is of a certain length in relation to the transmitted frequency. This piece of wire becomes an "antenna" and the ideal size, its "resonant length."
Add to the above a power supply and the result is a simple broadcast station. However, similar though the operating principles may be, there is a great deal of difference between a full fledged commercial broadcast transmitter and a clandestine transmitter or "bug". The first difference is its gross size; the "bug" must generally be very small for ease of concealment.
The requirement for electrical power needed to operate the transmitter and broadcast the signal varies widely. The need to use either small batteries or to "parasite" power from the target area's telephone line sharply limits the output power of the clandestine transmitter. This limitation does not, of course, apply when using the AC power lines. Output power is usually kept low to avoid detection. Normally, there is no need to broadcast great distances as most listening posts are located within a few hundred yards or less of their target. While commercial broadcast stations use thousands of watts of radiated power during transmission and typical hand-held walkie-talkies use 1 to 5 watts, the modern clandestine transmitter can effectively employ less than 1 milliwatt (a milliwatt is 1/1,000 of a watt).
Another factor affecting detection of "bug" transmitter is the type of modulation used. A look back at the simple transmitter may be in order at this point. If the transmitter operates at a frequency of 100 MHz (as an arbitrary example), it emits a radio signal at that frequency. Somehow the electrical information from the transducer must be impressed onto this signal to transmit the information. The way in which this intelligence superimposes itself upon the 100 MHz signal (called the "carrier wave" or "signal", or quite often, just "carrier")is modulation. The carrier wave is changed or modulated by the audio information impressed upon it during transmission.
There are several ways to modulate this carrier wave. The most common are amplitude modulation (AM) and frequency modulation (FM). These, of course, are the two types used in commercial broadcasting. It is not necessary to understand the technical differences between them. What is important is that the countermeasure search device detects the transmission that carries them.
Clandestine transmitters come in a variety of shapes and degrees of sophistication. One of the basic considerations in transmitter construction is operating time that is determined by battery life. Generally, the larger the battery, the longer the transmitter will last. Size is not normally critical if the transmitter is to be secreted in a wall or in a location next to the target area, or if a microphone and wire run are employed.
Turning the transmitter on and off by remote control extends battery life. The advantages of this are obvious. Not only does it greatly conserves battery life during periods of inactivity, but switching the transmitter off at the first sign of an audio countermeasure survey reduces chances of its detection by means of a search receiver.
There are many small, inexpensive "throw away" or "quick drop" transmitters commercially available. These may have a battery life of only a few hours but sometimes that is all that is necessary.
One type of free-space transmitter, a type that has no battery, is the so-called "resonant cavity" transmitter. The Great Seal of the United States in the Moscow Embassy concealed such a device. As has been reported extensively in the media, a wooden wall plaque was presented as a gift along with the suggestion of mounting it on the wall behind the Ambassador's desk. Many may recall the photograph of Ambassador Lodge pointing to a "bug" concealed in the back of the plaque. The embarrassment caused by the detection of this transmitter motivated the intelligence community to spring into action and devices similar to it soon evolved.
The resonant cavity transmitter is an amazingly simple device technically known as a passive radiator;, i.e., one that lacks an internal source of energy. In constructing this device, a layer of thin metalized material was stretched across a closed metal tube. The specific size of the tube determined its resonant frequency. A wire "tail", which functions as an antenna, is attached to the base of the cavity. The cavity was then flooded with a beam of radio frequency energy from an external source (usually in the microwave region, 1 GHz and up). The size of the cavity and the length of its antenna are carefully calculated so that a harmonic (multiple) of the inbound radio frequency energy that bathes the cavity is rebroadcast. The metalized diaphragm acts as a transducer, and the audio range energy modulates the returned radio frequency signal that, in turn, is picked up by a receiver in the nearby listening post. Do not assume these devices are the sole providence of Federal level agencies.
The free-space transmitter, though, remains one of the most prevalent forms of technical attacks. The most likely threat comes from one of the plentiful miniature transmitters available assembled or in kit form that use the FM broadcast band (88 to 108 MHz) or tuned to operate just above or below it. In many instances, commercially available "baby sitters" make very effective listening devices. Nonetheless, regardless of sophistication, all free-space transmitters pose a threat that should receive serious consideration during an audio countermeasure survey.
Technically, carrier-current transmitters are similar to free-space transmitters except that they use transmitting frequencies somewhere between those in the audio frequency range and those in the radio frequency range that radiate outward from a conductor (antenna). The transmitted energy from a carrier-current device remains ON the conductor. Their energy is impressed upon either a power line, telephone line, cable TV line or other paired conductors and is retrieved by a receiver connected to that same line somewhere outside the target area. A common example of this is the "wireless intercom." There are some obvious advantages to such a system. One is that the electrical energy needed for the transmitter comes from the power or telephone line thus eliminating the need for a battery. Consequently, a carrier-current device can be left in place for years without the need of replacing exhausted batteries. Like the free-space transmitter, remote control signals sent over the very line powering the unit may turn it on or off.
Such carrier-current devices are easily concealed and usually not found by a "sweep" of the radio frequency spectrum with a search receiver because of their very low frequency. They are, however, easy to locate with either an oscilloscope or very-low-frequency (VLF) receiver or converter connected to the line powering them.
Carrier-current devices are commonly built into innocuous looking objects such as clocks, radios, lamps, telephones, etc. and sent as an expensive looking gift to the unsuspecting target person who plugs it into the wall outlet and promptly bugs themselves. [Sad to say, bombers sometime use this exact scenario!] This approach, of course, overcomes the disadvantages of having to enter the target area.
One great advantage the carrier-current transmitter has over the free-space transmitter that radiates in all directions (not only to the listening post) is that it radiates only down the wire. This can turn into a major disadvantage though if one cannot get to the wire. Although transmitting range (distance) can be a problem, there are many ways to overcome it. Earlier difficulties these units had with power line noise (primarily AM) have been overcome by the introduction of FM carrier- current devices.
In summation, the carrier-current transmitter is a serious threat confronting the audio countermeasures technician, particularly if installed by an adversary skilled in the concealment and use of one of these devices.
Numerous "embarrassing" cases have served to focus public attention upon the vulnerability of the telephone system to technical attack. Holding sensitive discussions in any area that contains a telephone presents a very, very serious hazard to the audio security of the entire room, no matter whether the telephone is off or ON hook.
There are two different types of technical attacks made upon the telephone; the "tap" and the "compromise." The telephone "tap" is an interception of telephone communications. The interception may be of conversation or normal telephone communication, such as teletype, facsimile, or computer data. The "tap" results in the collection of information only when the phone is in use. A tap does not require physical access to the target area. Telephone lines are vulnerable anywhere between the target phone and central telephone office miles away.
There are a multitude of ways to tap a telephone, ranging from direct connection with the line to inductive coupling that does not require a physical connection to the line. The latter uses a so- called induction coil/transformer to couple the energy from the line to the listening post. An induction coil works on the following principle. Electromagnetic energy flowing down a telephone wire creates a magnetic field around that wire. The information flowing down the telephone wire is, of course, electromagnetic energy modulated by the information impressed upon it. This modulation causes the magnetic field to vary at the same rate as the audio on the line itself. Placing an induction coil on or near the line so that it is within this electromagnetic field induces a similar electromagnetic energy flow in the coil. The induced signal is then fed into an amplifier and the information recovered.
A recent development in this area replaces the induction coil with hall-effect magnetic field sensors that detect the minute magnetic fluctuations caused by signals flowing down the wire. The induction coil, hall-effect and similar devices are virtually impossible to detect by technical means so a thorough visual inspection of the telephone line is mandatory!
A compromise is an attack upon a telephone that transforms it into a listening device capable of intercepting audio in the targeted area at all times, no matter whether the telephone is on hook (hung up) or off hook. A telephone can be compromised in many different ways, all of which require physical access to the telephone.
A transmitter, either carrier-current or free- space, concealed inside a telephone can be very difficult to find even when the phone is opened for inspection, especially if it resembles a legitimate telephone part. One of the most common of these transmitters resembles either the telephone ear piece or mouthpiece transducer. (Technically, the mouthpiece transducer is called the transmitter; the ear piece, the receiver.) This "drop-in" transmitter draws its power from the telephone. Transmitters can also be hidden within internal parts of the telephone thus masking them from visual inspection.
Every telephone contains at least three transducers. One of these is the telephone mouthpiece(transmitter), usually either a carbon or electret microphone. As mentioned earlier, these are not "self generating" microphones and require external power.
The second transducer is the ear piece (receiver) which, besides being a miniature loud speaker, is a highly sensitive "self generating" dynamic microphone that requires no external power. A spare pair of wires within the telephone connected to this device can do wonders! This is a "natural" point of attack.
The third, and usually most unreliable transducer, is the telephone ringer itself. The ringer assembly of many telephones is resonant at voice frequencies and thus modulated by the room audio impinjing upon it. If a telephone ringer is sufficiently resonant, a high- gain amplifier with a good DSP filter can retrieve conversations emanating from nearby. Though its range is quite limited, generally 3 to 5 feet from the instrument.
An explanation of what a telephone hook-switch does will enhance understanding how easily phones can be compromised. The hook-switch is the mechanical device that ostensibly disconnects the telephone from the central office (the telephone exchange) when the handset is placed upon the cradle. A telephone in this position usually has about 48 to 50 volts of DC line voltage. Lifting the handset off of the cradle ("off-hook" position) connects the receiver and transmitter to central office and the voltage drops to 7 to 9 volts DC.
In the standard, single line instrument, all that separates the telephone handset transducers from the outside world is the hook- switch. From time to time one of these hook-switches will become accidentally bent (wink, wink), or some conductive deposit will build up on one of the electrical contact points (some more winking). Under these circumstances the handset is never completely "hung up" and a high-gain amplifier placed across the of telephone wires will retrieve room audio with astonishing fidelity!
By the same token, there are many ways to deliberately bypass a hook-switch thus allowing room information retrieval at the listening post. A simple rearrangement of wires takes only minutes and is very effective. It has the added advantage of being a deniable compromise: i.e., it may never be possible for the audio countermeasures expert to learn whether the rewiring was an actual attack or merely human error. Additionally, it is possible to insert into a telephone any number of devices such as diodes, transistors, capacitors or resistors that compromise the hook- switch. Some of these devices have the added advantage of automatically shutting off when the handset is picked up due to the resultant voltage drop (from 48 volts DC to 7 to 9 volts DC).
The original "infinity transmitter" or "harmonica bug" is now replaced by newer devices better able to deal with current telephone technology. Some of these devices require complex DTMF (Dial Tone-Multi Frequency) tones to actuate them. These are a variation of the remotely controlled radio frequency transmitters described earlier. As with those devices, the attacker must gain access to the target area or at least arrange for a compromised telephone to be placed in the target area. The device can also be placed anywhere along the telephone line or worse yet, along some other persons telephone line to monitor the target area. Once on, the infinity transmitter usually stays on until the handset of the target telephone is lifted from the cradle. Most of these devices are parasitic i.e., they draw their power from the telephone line, thus drawing the telephone line voltage down a few volts.
The telephone is susceptible to a variety of technical attacks that vary in sophistication and are extremely effective and quite difficult to detect.
The telephone provides a hard wire path out of the target area.
The telephone is particularly appealing to one planning a technical attack as it provides a ready source of power.
The telephone is large enough to simplify concealment of a variety of devices.
The telephone does not require additional microphones because of existing transducers within the telephone instrument.
Because of its attractiveness for, and susceptibility to, technical attack the telephone remains one of the most dangerous of surveillance devices.
An effective audio security program should encompass two basic considerations:
Measures taken that will complicate or prevent a technical attack.
Measures to be taken that will detect the presence of a technical attack.
The term generally used to describe the former is isolation and nullification. The latter would encompass the actual conduct of an audio countermeasure survey. However, before undertaking either plan, a first step is the assessment of the threat. First of all, determine:
Who is the target?
What is the potential value of the information?
Who would be the most likely person (or persons) to mount a technical attack?
ISOLATION AND NULLIFICATION
Generally the areas to be protected fall into one of three basic categories:
Permanent facilities such as offices used by key figures on a daily basis, houses, conference rooms, etc.
Facilities used temporarily or infrequently such as hotel rooms, conferences in facilities such as meeting halls, or public buildings.
Each category of facility presents a different challenge, primarily as the result of variations in the amount of control security has over the audio environment of the facility.
As previously noted, isolation and nullification relate to actions taken before the fact that will sharply limit the opportunity for a successful audio surveillance attack. The actions taken along this line become more apparent if one considers the possible techniques used against the area. Despite the variety of techniques described in the 6 categories of technical attacks, there are only 4 ways to take audio from a target area:
Carry it out. All of the techniques discussed under the heading of "Mechanical" attacks apply.
Transmit it out - "Free-Space" techniques apply.
Retrieve it optically - "Visual/Optical" techniques apply.
Retrieve it via hard wire - "Carrier-Current", "Microphone and Wire" and "Telephone" techniques apply.
There is no technique that does not use one of the above methods. Therefore, these four methods must always be considered during the development of an effective isolation and nullification program. For purposes of this discussion, isolation pertains to those actions that tend to prevent the mounting of a technical attack whereas nullification relates to those techniques that would tend to hinder or even prevent the attack from producing useful information.
The basic component of isolation is physical security. A highly effective physical security system would deny an attacker access to the target space, which would in turn sharply limit his selection of techniques. However, the security must be round-the-clock and cannot consist solely of physical protective devices such as locks or vaults. Support all such physical security systems with either an effective alarm and television system and/or a 24 hours a day guard service. Obviously, the amount of protection given a facility depends into which of the 3 categories it falls and limitations on time and resources available to security.
The easiest facility to protect is, of course, the permanent facility. A security officer attempting to create an ideal audio security environment in this instance should first identify those areas in which sensitive discussions may take place. These areas normally are private offices and/or conference rooms and attempts made to confine sensitive discussions to these specific areas, which then allows concentration of security resources on just one or two rooms rather than an entire building.
Consideration should be given to the type of construction of the room with a view towards the acoustic attenuation characteristics of its perimeter, which is the ability of the walls, ceiling, and floor to act as a barrier to sound. Acoustic attenuation is greatest when there is a barrier consisting of two different types of insulating materials. This creates what engineers call an acoustic impedance mismatch. Use of dissimilar materials, particularly when there is air space between them, is much more effective than mere thickness. For instance, a double wall consisting of 1/4 inch plywood nailed to 2 by 4 inch studs attenuate more sound than 4 inches of cinder block, and double pane, 1/4 inch glass with a 1/4 inch airspace is even more of a barrier.
One common insulating material that should not be used is acoustical tile. This tile was not developed to function as an sound insulator. Rather, it was designed to reduce reverberation or reflected sounds within radio broadcast studios. Its use in a room facilitates a technical attack by making the target area as acoustically "dead" as a recording studio, an ideal situation for a clandestine microphone. Additionally, the presence of thousands of dampening holes in the tile gives an opponent just that many more places to conceal a microphone, as the diameter of any one of these holes is ample for such a purpose.
It is far better to use a dense, sound reflective material such as plywood, plaster board, or masonite. If the reverberations in the room become annoying to its occupants, heavy draperies can soften the sound considerably without having an adverse effect upon audio security.
ROOM DOORS... One
security aspect often overlooked is the door. Although a heavy,
solid core door is often quite adequate, there is considerable
sound transmission around the edges and underneath the door. This
can be eliminated or reduced by the installation of an inexpensive
rubber gasket around the edges of the door.
ROOM DUCT WORK... Air conditioning or heating vents provide audio paths that can be exploited. There are various acoustic baffles that can be installed, but the most inexpensive approach is usually the application of nullification techniques. One example of nullification applicable in this situation is audible noise masking.
AUDIO MASKING... Masking is the generation of sufficient noise at the perimeter of the secure area to cover or mask any conversations within the room.
There are many commercially available systems designed for this exact purpose. Special transducers that create random vibrations or mechanical noises are fastened to the walls, ceiling and floor. Transducers are also mounted in the air vents, on pipes/conduits and in any possible avenue where sound might exit the target area. When the transducers are in operation they virtually eliminate the chances of a successful attack using a contact microphone. The wiring of these systems should be done in such a manner that it can be visually inspected.
Failing the availability of an acoustical noise system a radio tuned to a rock station and placed with its speaker against the unsecured wall will sometimes do. The conversations should be held as close as possible to this noise source and the tendency to talk louder than the radio should be overcome. Complete, portable, personal, secure wire communication systems are also available for use when noise sources are not available.
ROOM WINDOWS... Ideally, there should be no windows in the secure room. If there
are windows, they should be equipped with acoustical noise generators
or, again, the radio. Cover the windows with blinds or drapes.
If there are no windows, the visual/optical attack possibility
is reduced to almost zero.
ROOM WIRING... All wiring leaving the secure area should be accounted for and any that are not being used either removed or have the ends permanently shorted together to prevent technical exploitation.
ROOM TELEPHONES... telephones should not be allowed in areas where discussions are held under any circumstances - they are an EXTREME hazard. A persuasive security officer can usually present a good argument for their removal from conference rooms, but there is no way a public figure can be talked out of having a telephone in his office. Thus, although the ideal situation is to have no phone, it will be necessary to take steps to minimize the hazard it presents.
The telephone instrument should be equipped with an easy means of disconnecting it from the telephone line. It should be unplugged when sensitive conversations take place. The cheapest and simplest of these means are the plug and jack arrangement similar to that used in home telephones. With this arrangement, it is necessary to install a separate ringer to annunciate incoming calls, as the ringer in the telephone is, of course, also disconnected when the phone is not plugged in. Ideally, the ringer should be a special, nonresonant ringer such as the Stromberg-Carlson Model 687-96A Ringer or the Kaiser RA-10 Non-Transducing Ringer. This would preclude an attacker from using the ringer as a transducer. A Kaiser RA-15 annunciator installed in the telephone insures that it will not be left connected to the line and unattended.
Not withstanding apocryphal stories to the contrary, there is no way that an unplugged telephone can be technically attacked. At best, it could be used to conceal a transmitter needing its own power supply. This would be detected by a basic visual search. Thus, a relatively inexpensive precaution as described above, nets a tremendous increase in audio security.
AND SWITCHES... There were several of these devices commercially
available years ago but they are not recommended. Since they contained
extensive circuitry the lay person was and is unable to tell if
it had been compromised.
SECURITY OF THE TELEPHONE INSTRUMENT... Again, physical security is paramount. The simplest of countermeasures will work only if the potential adversary is denied an opportunity to gain access to the telephone instrument. As one attack technique consists of replacing the entire telephone with one that has been rewired, it is a good idea to discreetly mark the telephones so they can be quickly visually inspected. A control number can be engraved on the bottom of the instrument, for instance. A better method is to mark the phone in some manner with a material that fluoresces under ultraviolet light. Locking the telephone instrument itself in a safe is a good idea.
TELEPHONE TAPS... The adaption of all, or at least a substantial portion, of the above procedures will prevent any but the most highly sophisticated attacks. However, a word of explanation is in order. The attacks prevented are compromises designed to hear room conversation when the telephone is not in use, not taps. Short of the use of encrypted or "scrambled" telephone systems, there is no way to guarantee that a telephone is either not now or soon will be tapped.
A great deal of time and considerable effort has been spent by many a technician to produce a system that can detect wiretaps. To date, NO system has been developed that can reliably find even the most basic of taps all of the time.
The problem is created by the fact that the line pair can be intercepted at any point between the telephone instrument and central office. That can mean miles of unprotected wiring. Telephones are not the only devices that use the telephone lines. They are, or can, be shared with other devices such as computers/modems, Fax machines and a variety of signaling and control equipment.
A direct tap made with careful attention to impedance matching, would be very, very difficult to detect. Certainly the telephone subscriber would be unaware of it as there would be no telltale clicks or noises on the line. Detection of a carefully installed induction coil or hall-effect tap is simply impossible.
On the other hand, chances of a successful tap are complicated by good physical security practices. The simplest tap is made at the nearest terminal or connecting block where the target line pair is tied to either a large "house" cable or to an "outside" cable. The line pair at this point is spread out on the connecting block and is easy to both identify and attack. The terminal board or connecting block is usually found within the same building as the telephone, although it may be on an adjacent telephone pole, especially if the telephone is located in a residence. Consequently, if there is good physical security, it would possibly deny an adversary this easier point of attack.
An attacker with an understanding of how the telephone line matrix is set up can reap a bonanza by simply determining where the target company conducted its business in the past and searching for the wires outside that location. Sometimes the old wires are even left on the terminal blocks inside the old location!
Target lines can be located by means of a telephone company cable chart and normally it would be necessary to obtain that chart from the telephone company. It is amazing how often this information "falls off" telephone company trucks and into eager hands. Often these charts are left in the telephone frame room of the company under attack and thus easy targets. Assume always that the attacker has access to information on the telephone lines.
Although the isolation and nullification procedures described so far are primarily applicable to permanent facilities, it should be obvious that many of them can be effectively applied to occasional use facilities and, occasionally, to automobiles. Audio security, like any other form of security, is a percentage proposition in that every positive preventive action taken will yield a certain percentage increase in security. Therefore, it is incumbent upon the security officer to carry out as many countermeasures as possible consistent with resources and common sense.
A careful analysis of the isolation and nullification techniques discussed above reveal two basic points common to all the recommended countermeasures:
The security planner merely decides the most likely means of attack and plans his defenses accordingly. The material thus far presented should clearly show the overwhelming importance of good physical security, security that would have to be present in any event to safeguard the personal safety of the public figure.
If all applicable isolation and nullification techniques have been applied, then a potential technical perpetrator has been denied several means of attack. His most viable option would be the planting of a remotely-controlled transmitter, either free-space or carrier-current, and even then it would require him to breach physical security, either before or after the security perimeter was established. In short, if the security perimeter is perfect and all isolation and nullification recommendations implemented, a successful technical attack would be very difficult to carry out. However, security is never perfect or foolproof. Therefore, the security planner cannot consider his audio security program complete until he has arranged for and conducted the second major program component, the audio countermeasures survey.
THE AUDIO COUNTERMEASURE SURVEY
The audio countermeasures survey is a vital component of an effective audio security program, despite the application of the isolation and nullification techniques in the section. It becomes necessary for two reasons.
A technical attack may have been perpetrated before the
initiation of the audio countermeasures program.
An attack may have been successfully launched because of overlooked weakness or human error in the maintenance of adequate physical security.
As with the approach used with isolation and nullification, the survey may be conducted on a sliding scale of sophistication ranging from a simple physical examination of the area to the application of the most complex and detailed audio countermeasures equipment. As might be expected, the effectiveness of audio security tends to increase proportionately. However, the application of audio countermeasure techniques described in this section will certainly add to the general audio security already present because of previously applied isolation and nullification techniques.
TIMING OF THE AUDIO COUNTERMEASURE SURVEY
Perhaps the first question to be considered is when an audio countermeasure survey should be conducted. The answer, of course, depends upon the type of facility; permanent or occasional.
With the permanent facility, the most important criterion is the overall effectiveness of the isolation and nullification program. If they are all implemented, one audio countermeasure survey every year is usually sufficient. Any time there is extensive modification of the area, new construction, new electrical wiring, or any other activity that gives outsiders relatively unsupervised access to the sensitive area, a survey should be conducted upon the completion of the disrupting activity.
The survey should always be conducted during normal working hours to facilitate the discovery of remotely switchable devices. With occasional-use facilities, the survey may be conducted any time prior to its scheduled use. Upon completion of the survey, physical security procedures must be implemented. Additionally, if the activity to be protected is a conference or discussion, the security officer should arrange for some additional monitoring of the radio frequency spectrum during the initial stage of the conference. This detects any radio frequency devices missed during the survey but remotely turned on to intercept the sensitive discussion. A survey will be required for the occasional facility each time there is a break in the physical security provided it. As described later in this section, the same criterion applies to automobiles.
The equipment needed during the survey will be discussed as the steps of the audio countermeasure survey are outlined. The chances of an audio countermeasure survey detecting a clandestine device are greatly enhanced if the survey can be conducted in as non-alerting a manner as possible. There are two basic reasons for this.
If the attacker learns in advance of an audio countermeasure survey, he may have an opportunity to remove or destroy (a charged high voltage capacitor placed across a microphones wires can literally vaporize the microphone element) any clandestine equipment before the survey can be conducted.
If the adversary has advance notice, hears the audio countermeasure specialists in the conduct of the survey, or overhears someone in the target area mention that such a survey is in progress, he may switch off his remotely activated transmitter, preventing its detection. At the very least, he would have an opportunity to abandon his listening post, negating chances of an apprehension. It also precludes any chances of exploiting any devices found by using them to transmit false or spurious information.
This idea of strict secrecy in the conduct of audio countermeasure surveys cannot be overstressed. Secrecy is, in fact, regarded as one of the technical surveillance countermeasure specialist's most important tools. The following is a very good rule to remember when talking about secrecy. If 1 person knows a secret then that's it. But if he or she tells another person (1) then putting those two 1's side by side looks like 11 or eleven. Adding another person (1) means it looks like 111 or one hundred and eleven, and so on. As you can see, secrets can be even harder to keep as each person is added!
SEARCHING FOR RADIO FREQUENCY TRANSMITTERS
Generally, the most important and sensitive part of the audio countermeasures survey is the search for radio frequency transmitters, both free-space and carrier-current. This is done in two ways:
The use of electronic
The most effective electronic equipment available to assist the security officer in the detection of clandestine transmitters is specially designed detectors, a search receiver or spectrum analyzer (preferably capable of tuning from 10 KHz to 3 GHz). Quality detectors are available priced from a few hundred to a few thousand dollars. It is recognized that this cost factor may seem expensive to many agencies having a requirement to conduct audio countermeasure surveys, but it should be noted that relatively inexpensive "feedback" detectors can also be very effective.
The first step, then, in the conduct of an audio countermeasure survey is the search of the radio frequency spectrum. Upon the completion of the "sweep" of the spectrum, check the power lines for the presence of a carrier-current device with equipment designed for that purpose. A similar check is made of the telephone lines at the same time that the telephone system is checked for any compromises.
INSPECTION OF THE TELEPHONE SYSTEM
The next step in the audio countermeasure survey is inspection of the telephone system. The easiest and most efficient way to accomplish this is to check the outgoing telephone lines at their first appearance after they leave the secure area. Generally, buildings have a telephone closet where the various line pairs appear on terminal boards. This is where they are patched into the cable witch eventually goes to central office. There are usually two wires on the terminal board for each outside line. The telephone company calls the two lines "tip and ring"; a holdover from the days of operator assisted calls. Some specialized and foreign telephones use a 4-wire system. In this case, there will be a "tip and ring" for the "talk" pair (the pair connected to the transmitter/mouthpiece), and a "tip and ring" for the pair connected to the receiver/ear piece.
In telephone systems using key telephones, many wires on the board are not tip and ring. They are auxiliary conductors for such functions as the "hold" and "lamp flash" circuits. It is possible to tell a line pair by the use of a voltmeter (tip and ring will show approximately 48 volts DC between them if the line is not being used).
It is not really necessary to know which is which for the purpose of a survey since an adversary may have decided to use one of the auxiliary wires in the technical attack.
One of the audio countermeasure experts most useful tool is a high gain (amplification) audio amplifier. There are any number commercially available priced in the two to four hundred dollar range that offer the user a choice of input and output impedances. The amplifier should include a high/low-pass filter, a tone generator for tracing wires and activating certain microphones, and a means of producing voltage to turn on external accessories such as electret and carbon microphones. Along with the amplifier there should be a set of earphones (the stethoscope type that covers both ears is best), and a two conductor cable terminated in alligator clips.
To check a telephone line, one wire from the amplifier is clipped to "tip", and the other to "ring". If the amplifier allows a selection of input impedances, anywhere from 10 K to 500 K Ohms is a good choice. All that is necessary is to turn up the volume control and listen. If the telephone is in use, the conversation will be heard. If the telephone is not in use and room audio is heard, the telephone hook-switch has been bypassed in some fashion, either by accident or on purpose. The sound of room audio is unmistakable.
The above procedure should be followed with all line pairs leading toward the central office. If a technical attack has been initiated on a telephone in the secure area that does not utilize a radio frequency transmitter, this procedure detects it in many, but not all, instances.
Upon completion of this audio check, the procedure should be repeated using the carrier-current detector, receiver or spectrum analyzer. If both the radio frequency check and the audio check are negative, there is some assurance that the telephone system has not been attacked. A disassembly of the individual telephone instruments will be covered later in the survey.
There is a device available for telephone countermeasures called a "Telephone Analyzer" or telephone test set. This equipment tends to vary a great deal in cost and the most expensive are not necessarily the best. Carefully check the capabilities of each unit to see if it matches both expectations and the existing system. Although these units are generally effective, there are drawbacks to them. First, there are devices that they cannot detect for a variety of technical reasons. Secondly, they require lot of understanding which translates into time. Typically, a unit can take 30 minutes to an hour to test a multi-line telephone. If the space to be surveyed includes several telephones, the time can be excessive!
One of the major determinations the security officer must make is the value per audio security dollar. Sometimes money is better spent on the isolation and nullification program. In short, using the overall criterion of cost effectiveness, the telephone analyzer is not recommended for general surveys.
TOTAL AREA INSPECTION
Prior to initiating the audio countermeasure survey, a cursory non-alerting inspection should have been made in order to decide the possible location of listening posts and to decide the best location from which to conduct the radio frequency sweep. When the most critical portions of the survey have been completed it is not as important to remain completely non-altering, although it would be best to remain so consistent with effectively completing the survey. Consequently, a more detailed inspection is in order starting from outside the facility.
Stand back a distance from the building. Where do the wires go from and to? Are there any buildings in the area not under control of the security department? Check the roof for wires and extraneous devices or antennas. Use common sense.
The inspection should continue inside the building. Are there any places in the building that might function as listening posts (a microphone and wire run could terminate in a closet where all interceptions are recorded on tape and the tape retrieved on a daily basis)? Are the telephone closets securely locked to hinder access by unauthorized personnel? Are all the keys accounted for? What conductors leave the secure perimeter? Is the closet alarmed? Every wire must be accounted for.
Following generalized exterior and interior building examination, the potential target area itself should be considered. By this point in the audio countermeasure survey, the security officer will have a good idea of what, if any, technical attack is involved. At this juncture obviously the greatest threat would come from a transmitter or microphone/wire feeding a nearby transmitter. The security director should have a fairly good idea of what to look for as the physical search is started.
The procedures used to search the facility are quite similar to those used to search for explosive devices, and the equipment used basically the same. Thus, a good tool kit containing a set of screwdrivers, various pliers, wrenches, inspection mirrors, and flashlights is the basic minimum needed to do the job correctly.
Priority should be given to those areas closest to where discussions normally take place such as desks, sofas, telephones, etc. Items such as pictures and wall plaques should be removed from the wall and closely inspected for devices. The wall behind the picture or plaque should also be carefully inspected. Remember that the acoustic passage can be little bigger than a pin hole.
There have been instances where transmitters have been secreted in the picture frame itself.
An examination should be made of the underside of all furniture. Wooden furniture should be thoroughly inspected inside and out. A metal detector is useful here. Furniture should be picked up and moved to ensure that it does not conceal wires.
Any and all grates or grills for air conditioning or heating ducts should be removed and the interiors inspected with a mirror. Be alert for any signs of recent entry such as tool marks or disturbed dust patterns. Use of an ultraviolet light is helpful in detecting recent alterations.
Examine baseboards carefully for signs of recent modification. These are popular places to hide microphones and/or wire runs. Roll back any carpeting to make sure that it does not hide wiring. Again, an ultraviolet light is useful.
If the room has a false ceiling, the space between it and the true ceiling must be thoroughly inspected. Be particularly alert to the wires that often abound in these spaces. Remember that all conductors must be accounted for.
Pay particular attention to the backs of file cabinets or bookcases as these too are good hiding places. It would be worthwhile to examine all hardbound books as these have been successfully used in the past to hide transmitters.
The walls should be carefully inspected for any signs of microphone. Ultraviolet light can be of assistance as it tends to highlight paint or plaster differences better than standard light.
Light switches and electrical outlets are among the favorite places to plant carrier-current devices. These must be carefully examined. BE CAREFUL WITH HOT AC LINES! The protective covers must be removed and the inside the box as well as the switch and socket must be carefully inspected. There are quite a few "off the shelf" carrier-current devices commercially available which are or can be packaged within wall plugs, electrical outlets and light switches. AGAIN, BE CAREFUL WITH HOT LINES! Use well-insulated tools. Even experienced countermeasure experts can ruefully attest to the shocking power of 117 volts AC (in some cases, 220 volts AC!) and most seasoned countermeasure tool kits contain at least one partially welded and badly scarred screwdriver.
PHYSICAL INSPECTION OF TELEPHONES
A physical inspection of the telephone system takes some preparation. If one is to gain anything useful from disassembling a telephone instrument, they must first know what a normal telephone looks like. Therefore, the security officer should examine a sampling of the telephones in the system prior to conducting an audio countermeasure survey in order to have a general understanding of what to expect. This will greatly assist in recognizing an attack on the instrument. More sophisticated attacks will not be detected in this manner as the devices may be hidden in telephone components or modifications made to any printed circuit boards.
The handset is examined by either unscrewing the holders for the mouthpiece and ear piece or removing the screws holding the handset together. The ear piece usually has only two wires attached to it which run through the center of the handset. seesaw these wires back and forth to make sure nothing is in the middle. There is a small device, called a varistor, attached between the two terminals on the ear piece. There should be nothing else. The presence of any other components may represent a surveillance device. Examine the mouthpiece and the area surrounding it carefully for any abnormal signs. A common attack is the replacement of the microphone element with a drop-in surveillance device.
The wire leading from the telephone should be followed to the junction box. The cover of this box or wall jack should be removed and examined for foreign devices. Be careful to look at the inside the covers themselves. There should be nothing there too. Some telephone systems use a plug called an Amphenol plug. The metal or plastic covers should be taken off and the inside inspected. Inspect the wires from the telephone to the wall jack.
AUDIO COUNTERMEASURES - AUTOMOBILES
Automobiles present an interesting and different set of problems. The basic difficulty with automobiles is that they are not afforded sufficient physical security to warrant the investment of concerted audio countermeasure efforts upon them. Consequently, a physical search is probably the most cost-effective countermeasure, and much of it could be done at the same time as any search for explosive devices. There are three viable attacks against an automobile; a voice transmitter, a tracking transmitter or a tape recorder. A well-conducted physical search should uncover the later provided, however, it is kept in mind that excellent quality voice activated recorders not much larger than a couple of packs of matches are commercially available.
Transmitters can also be easily hidden and will either be powered by their own battery or the vehicle battery. It is important, therefore, to measure the amount of current being drawn from the vehicle battery. All current paths should be accounted for. Remember that an attacker's choice of microphone placement must always be influenced by an inherent characteristic of the automobile noise. For this reason it follows that the microphones must be placed as close to the potential discussion area as possible. Thus, one would presume that in a chauffeur-driven car, the target area would be the back seat area rather than the front. Consequently, physical search efforts should be concentrated in that area. In short, experience and common sense will eventually formulate the audio countermeasure search procedures most effective for any given situation.
The importance of the physical search cannot be overemphasized, particularly if the audio countermeasures survey was conducted without the benefit of a radio frequency survey. By the same token, its effectiveness should not be underrated. It is a fact that more electronic eavesdropping devices have been found by physical search/examination than by any other means. Even if a good search receiver is utilized during the audio countermeasures survey, at least 80 percent of the total man-hours expended should be devoted to the physical search.
In summation, the audio countermeasures survey is only part of an effective audio security program. True audio security can be gained by the adoption of isolation and nullification techniques as well. Although ideally, all of the recommendations should be incorporated into an overall audio security program, implementation of even a few will significantly decrease vulnerability to a technical attack.