=========================================== TSCM-L Technical Security Mailing List Monday, July 14 1997 Postings: TSCM-L@tscm.com Unsubscribe: unsubTSCM-L@tscm.com Subscribe: subTSCM-L@tscm.com Admin: jmatk@tscm.com =========================================== Several weeks ago I had a chance to examine a number of spread spectrum microwave bugging devices. Since that time I've conducted some analysis and gathered further intelligence on the circuit. Here are a few of my observations. ======= C O N F I D E N T I A L ======== 1) Most of the products use a high bandwidth QPSK/BPSK modulator, multi channel audio CODEC, and a RISC micro-controller chip (all components are either surface mounted ICs or multiple dice potted in epoxy). 2) RF Circuit seems to be a simple homodyne audio transmitter (6 Ghz Gilbert Cell Mixer) which is driven by a single CPU/microcontroller (with a clock speed of 180 Mhz). 3) Frequencies used for the ultra low power device are clean from 130 Mhz to 4 Ghz, circuit starts to fail above 5.5 Ghz (but is still operable to about 8 Ghz). 4) Emitter is driven directly from vector modulator chip, with no power amp circuits. PIN diode found on output appears to provide gain control or disconnect of circuit, but provides no amplification of signal. 5) Noise floor of circuit is -135 dBm (below 2 ghz), -142 dBm (2-4 ghz), and -150 dBm above 4 Ghz. 6) Signal has a variable bandwidth which varies between 350 Mhz and 900 Mhz. Appears to be designed for a 900 Mhz bandwidth signal. Device operates "deep" inside the noise floor. 7) Virtually impossible to detect at close range with a conventional RF spectrum analyzer (492/494/8566/etc). 8) Detectable with most wideband systems (with IF BW above 300 - 900 Mhz, 700 Mhz ideal). 8) VCC = +3.0 VDC, all circuits functional 2.3 to 6.8 VDC 9) Output applied to PIN diode ranges between -28 and -42 dBm (depending on frequency and span) 10) Device enters some type of sleep mode when power is present but audio level is low (seems to auto squelch). Total current draw when in sleep mode is 12 µA. Device does not emit RF energy when in sleep mode. ------------- 11) One of the devices has no type of connection for external power, but instead uses a uses a network of Schottky diodes and capacitors which constitute an effective RF to DC converter. 12) The RF to DC circuit requires an un-modulated 10-15 Ghz RF signal, and seems to respond well to X-Band microwave motion detectors used for many corporate alarm systems. 13) Device also has a small microphone built onto the circuit, microphone measures 4.5mm * 1.6mm * 4.1mm. 14) Entire device measured 3.2 cm * 5.2 cm and about 3 mm thick (or about the thickness of a standard business envelope). 15) Device contains some type of adhesive on both sides of a foil backing. Suspect it's applied as some type of "sticky label". Once the device is installed any attempt to remove results in its total destruction (unless you freeze it off). 16) The French government has been know to use a similar device in some of its "Diplomatic" activities. -jma ======================================================================== "For those who risk, life has a flavor the protected shall never enjoy." ======================================================================== James M. Atkinson Phone: (508) 546-3803 Granite Island Group - TSCM.COM 127 Eastern Avenue #291 http://www.tscm.com/ Gloucester, MA 01931-8008 jmatk@tscm.com ======================================================================== The First, The Largest, The Most Popular, and The Most Complete TSCM Counterintelligence Site on the Internet ========================================================================