| From: | "encryptionwarehouse.com" <sales@encryptionwarehouse.com> |
| Newsgroups: | sci.crypt |
| Subject: | Audio surveillance and countermeasures FAQ |
| Date: | Sat, 8 Dec 2007 19:59:02 -0800 (PST) |
| Message-ID: | <3bae1b18-9edd-4880-bac6-a411e8b03f12@p69g2000hsa.googlegroups.com> |
http://www.encryptionwarehouse.com
AUDIO SURVEILLANCE AND COUNTERMEASURES
INTRODUCTION
STATEMENT OF PURPOSE
DEFINITIONS OF AUDIO
SECURITY AND AUDIO
COUNTERMEASURES
AUDIO SURVEILLANCE TECHNIQUES
MECHANICAL
VISUAL/OPTICAL
MICROPHONE AND WIRE
FREE-SPACE TRANSMITTERS
CARRIER-CURRENT TRANSMITTERS
TELEPHONES
AUDIO COUNTERMEASURES
GENERAL CONSIDERATIONS FOR AUDIO SECURITY
ISOLATION AND NULLIFICATION
THE AUDIO COUNTERMEASURE SURVEY
INTRODUCTION
The purpose of presenting the following material is threefold. First,
it equips the lay-person with a general understanding of the real
threats from electronic eavesdropping. Second, it provides enough
information to allow the security representative responsible for
general security to set up an effective electronic countermeasure
program that should sharply limit the likelihood of a successful
electronic attack. Thirdly, it addresses and hopefully dispels many
myths that have attached themselves to this industry.
This material is written in as nontechnical a fashion as possible
consistent with clarity and understanding. Persons with an electronics
background should note that this simplistic approach of holding
technical language to a minimum may strain certain traditional
textbook definitions. Nonetheless, any technical distortion that
occurs is only the product of the omission of detail from some
definitions that were not considered necessary in a general
discussion. All definitions and terminology used herein are accurate
and valid for a discussion on this nontechnical level.
Not all eavesdropping is electronic, and the term "electronic
countermeasures" is not sufficiently comprehensive to describe this
branch of the security field. The general term used is audio security,
and audio countermeasures are the specific steps taken to either detect
or nullify listening devices. Audio Countermeasure Technician describes
one skilled in these techniques. In some circles the act of
eavesdropping is called technical surveillance and the actions taken to
combat such an attack are called technical surveillance countermeasures,
commonly abbreviated TSCM.
The most difficult to detect methods of technical attack may or may
not be the most expensive and many of them represent years of
experimentation by those so inclined. Often the full resources of
foreign governments support their agents. Intensifying the threat is
the value of the information sought, much of which is vital to a
nation's or company's security and thus of great interest to opposing
intelligence services. With stakes high, both sides have found it
worthwhile to expend great sums on the development of new surveillance
techniques that in turn require additional sophistication in
countermeasures. The presumption that most technical attacks
encountered by those at a nonfederal level will be relatively
unsophisticated and therefore more susceptible to detection or
nullification is inaccurate.
Understanding the ways a technical audio attack may be mounted must
come first when planning an effective audio countermeasure
program. In view of that, technical audio surveillance techniques, or
audio attack methods, are the primary consideration.
AUDIO SURVEILLANCE TECHNIQUES
For ease of presentation, the types of technical attacks are placed in
six general categories. These categories are arbitrarily established
for ease of discussion. Some devices or procedures covered can fit
into more than one category.
MECHANICAL
VISUAL/OPTICAL
MICROPHONE AND WIRE
FREE-SPACE TRANSMITTERS
CARRIER-CURRENT TRANSMITTERS
TELEPHONES
MECHANICAL ATTACK
In spite of the technological advances of the electronic age, one of
the most important "devices" used to compromise audio security is
still the unaided human ear. The security officer who fails to
consider this may find the large sums of money just spent on
sophisticated audio countermeasures equipment negated by the secretary
who sat immediately outside the conference room or private office, or
by a failure to note that the public address system used in the meeting
room amplified sound so much that anyone walking down a nearby hallway
could hear it clearly.
Do not discount the effectiveness of the human ear further enhanced by
a plain old-fashioned water glass or the doctor's stethoscope placed
against an adjoining wall. Heating/air conditioning ducts and pipes/
conduits exiting the room also carry a considerable amount of room
audio.
The section on countermeasures discusses acoustic attenuation of
walls. It also addresses variables such as thickness, nature of
materials, types of construction and acoustic impedance (the rate at
which a material allows voices to pass through it). If the perimeter
of a space to be protected lacks sufficient acoustic attenuation (in
particular, the ability to block the transmission of voices) then,
without a doubt, the first threat to be considered and dealt with is
that of the human ear.
Tape recorders represent another type of "mechanical" attack. They can
either be placed in the target area and retrieved later or carried by
a person intent on intercepting details of a conference or
conversation. Concealment is now quite easy thanks to the large number
of miniature, inexpensive and very good tape recorders currently
available. Some are a little larger than a pack of matches. Today, it
is possible to place 2,000,000,000 (that's two billion) transistors on
a single substrate less than 1/8 of an inch square! Taking advantage
of this incredible density are recent developments in "fully solid-
state" electronic "tape-less" recorders that now further complicate
the picture.
A recorder with a voice operated switch (VOX), that turns on only when
voices are present, put in place before a meeting or conference, can
be very damaging. There are many commercially available recorders
using this technique that tape for tens of hours and "standby" for
over 1,000 hours when no voices are present. This approach is
especially useful in attacking onetime events, such as conferences,
where an opportunity to retrieve the device would be much greater than
if the target were a corporate office or board room.
The recorder attack relies least upon gadgetry. Its greatest danger
lies in the fact that it is so obvious. A security officer oriented
along more technical lines may completely overlook it.
Cell phones have recently been added to the growing list of
"mechanical" attacks. It is now possible to program a cell phone to
automatically answer an incoming call while NOT ringing. The
implications of this approach are enormous. Also, two inexpensive cell
phones can be purchased at a chain or discount store and one used to
call the other. One of the phones is then left in the target area
while the other is used to monitor conversations from it. That phone
may be carried to virtually anywhere in the country.
VISUAL OR OPTICAL ATTACK
In some ways, this is the most interesting category because the
techniques range from the most mundane to exotic "James Bond" type
devices. Attacks under this category fit into the following areas:
OPTICAL
TV
LIGHT
OPTICAL ATTACKS
Optical attacks include real time observation via telescope or
binoculars or photography via telephoto lenses. The latter includes
both motion/still pictures and video techniques. Although there is a
possibility that a camera with telephoto lens could photograph
sensitive documents lying on desk tops, the main hazard comes from a
seemingly nontechnical, but in fact highly effective technique:
lipreading. Accomplished lip-readers, especially those with a language
capability, could be of great value when armed with a good pair of
binoculars and a line-of-sight view of those in conversation. The
conversation, of course, could be video taped for analysis later. As
obvious as this may seem, it is a technique all too often overlooked.
TELEVISION ATTACKS
Television is a threat in those areas where the opposition has had a
chance to gain unimpeded access to the target space or occupies an
adjoining room. A hole no larger than the head of an ordinary pin can
produce a television picture of quite acceptable quality. With the
current state of the art, light levels are no longer critical.
Miniature television cameras complete with transmitter smaller than a
pack of cigarettes are readily available for under $200.00!
Coupling the lens of a television camera to a high resolution fiber
optic bundle such as those used in internal medicine is a distinct
possibility. Fiber optic systems allow mounting the television camera
some distance from the area under observation. This alone can cause
considerable problems for the countermeasure technician. When the
target makes extensive use of briefing charts or other visual
displays, it calls for a television camera attack. There are three
ways to gather information intercepted by the television camera:
VIDEO TAPE retrievable at one's leisure.
HARD WIRE where it goes from the camera to the monitor via shielded
cable (fast scan) or telephone line (slow scan).
VIDEO TRANSMITTER that transmits the signal over the airways to a
distant location.
LIGHT ATTACK where the video is sent over a laser beam.
Now readily available and inexpensive, light-emitting-diodes (LEDs)
and laser diodes, primarily infrared (IR) emitters, are finding their
way into surveillance equipment. These diodes have reached peak
efficiencies only dreamed of a few years ago. As with any light, they
need an optical path from the area under surveillance to the listening
post. Bear in mind, though, that some materials impervious to visible
light may pass IR light with little attenuation.
Both the LED and laser are used in a similar manner. A microphone
attached to electrical components converts room audio into the energy
needed to modulate the light beam. The type of modulation can vary but
generally centers around several types of pulse modulation schemes to
conserve power and thus give battery powered units a longer life span.
It is necessary for the optical transmitter to be placed in a position
so it can transmit its beam of light uninterrupted to the listening
post (LP) where a suitable detector reverses the process, i.e.,
changes the light back into audible sound. Although somewhat
constrained by the need of an optical path to the listening post,
these devices are hard to detect.
The laser diode is perhaps the ultimate optical weapon. In some ways,
the laser diode resembles the LED except that it produces a much, much
narrower or coherent beam of light at higher operating efficiency.
As previously mentioned, a laser diode modulated with room
conversation is an effective transmitter. There is, however, another
application of the laser that is much more devious.
When a conversation takes place in a room, all objects in that room
vibrate from the acoustic energy generated by that conversation.
Rigid objects tend to vibrate more so than soft ones. This, of course,
is how a microphone works. The diaphragm moves back and forth vibrated
by room audio and this vibration is, in turn, converted into
electrical energy. Focusing a laser on an object with a suitable beam
return path returns room audio.
These systems, besides being difficult to deploy, suffer from major
audio retrieval problems. Room conversation is not the only thing that
vibrates the target surface. A variety of mechanical equipment noises,
such as motors and fans coupled with the normal "street" noise of
people walking and moving things makes advanced filtering equipment
mandatory. To make the job somewhat easier, state-of-the-art voice
recognition filters called digital-signal-processors (DSP) are now
available.
A recently developed device sends light from an I.R. laser diode down
a single strand of fiber optic cable where it strikes a small
reflective diaphragm that is modulated by room conversation and
returned on another strand to the detector where it is demodulated.
This device defies all electronic detection and must be found by
physical search.
MICROPHONE AND WIRE
This is probably the oldest of the technical attacks dating from the
early days of carbon microphones and tube-type amplifiers. Today,
microphone technology has advanced to the point where there are now
highly sensitive units, less than 1/4 inch square and 1/16 inch thick,
with built in amplifiers that can transmit conversations over super
thin copper wires hundreds of feet in length. There are multitudes of
small, inexpensive (under US$5.00) microphones commercially available
that are very suitable for audio surveillance.
While microphones differ in design or specific operating principle,
they all do essentially the same thing. As a group, microphones fit
into that class of electrical components generally known as
"transducers." A transducer is simply a device that changes mechanical
energy to electrical energy, or vice versa. Thus, a radio loudspeaker
is as much a transducer as the window pane that modulates a laser
beam. This interrelationship is of interest because of the fact that a
loudspeaker, especially an efficient one with a stiff speaker cone,
makes a highly effective microphone.
It is perhaps a sign of the times that so many supposedly secure areas
have speakers mounted in the walls or ceilings for the omnipresent
background music or public address system. An unused speaker, i.e.,
one not actually propagating music or announcements, makes an
extremely effective microphone. All that is necessary is to intercept
the pair of speaker wires at any point and attach a suitable matching
transformer and amplifier, recorder or transmitter. Audio in the room
causes the speaker cone to resonate in the same manner as would the
diaphragm of a microphone.
Types of microphones include the dynamic (moving coil or moving
magnet), ceramic, electret, carbon, crystal, condenser, etc. Each has
its particular advantages and disadvantages. The potential attacker
would carefully consider which one to use in view of the need for
certain characteristics such as sensitivity, current drain, frequency
response, impedance, signal output level and detectability. It is not
necessary to go into the differences between the varieties of
microphones; suffice it to say that the technological spy would choose
the proper microphone with the same care as would a surgeon in
choosing his instruments (that is probably not the best analogy, but
it's close). Microphones may be placed into three groups: the carbon
microphone, other microphones, and contact microphones.
CARBON MICROPHONES
Once the most common, carbon microphones are fading into oblivion.
There are still a large number of telephones around which use this
microphone so it deserves some discussion. Carbon microphones are
characterized by their very high output signal as compared to most
other types. They need an external voltage source to work. This
requirement, and a progressive loss of sensitivity over time as the
carbon granules settle, limit its use. Carbon microphones vary their
resistance in proportion to the sound reaching them and thus are not
voltage generating microphones. It is important to remember this when
searching for them.
OTHER MICROPHONES
Dynamic, ceramic, crystal or condenser microphones are usually
connected to an amplifier or transmitter by a length of wire. They are
self generating transducers, similar to loudspeakers, i.e., audio in
equals voltage out. Among this group is the electret microphone. This
unit contains a built in amplifier that requires an external supply
voltage. The current levels needed though are much, much lower than
the carbon microphone and can be obtained by detecting a local radio
or TV station and using the resulting voltage to power the microphone.
A modern microphone connected to a good amplifier can pick up
conversations in an average room no matter where it is placed,
especially if the room is acoustically dead. These microphones are
difficult to detect or locate due to their very small size. When
acoustically fed through a slender plastic tube they are known as
"tube microphones." The advantage of this approach is that the
microphone element itself does not have to be close to the target
area. This approach really works. Do not discount its effectiveness.
Although very thin wire is sometimes used, existing electrical
conductors such as power lines, telephone lines, or wire pairs that
have been abandoned but remain in place inside the walls are much more
effective.
CONTACT MICROPHONES
The contact microphone is usually a form of dynamic, electret,
ceramic, crystal or piezo microphone designed specifically to pick up
mechanical vibrations moving along a surface vs. airborne sounds.
Placing it firmly against a common wall, pipe, conduit, duct, etc.,
produces room audio. When mounted through a wall via a suitable
fixture it becomes a "spike mike." Placed into or against the wall, it
uses the entire wall as a diaphragm.
Under ideal circumstances, a contact microphone is very effective.
Inherent disadvantages can be overcome by use of a digital-signal-
processor (DSP)/filter.
"SHOTGUN" OR PARABOLIC MICROPHONES
Although "shotgun" or parabolic microphones differ in design from one
another, both have the same purpose; the detection of voices at
relatively great distances. Both are directional in that they focus
sound waves upon the diaphragm of the microphone element somewhat
like a parabolic reflector focuses light. These microphones can be
seen at most sporting events. In that particular application do not
assume the sound heard over the TV or radio is actually coming from a
particular microphone. It is the product of the skillfully mixed
output of several microphones. Parabolic microphones are also used in
wildlife photography to record bird calls or similar sounds.
Both the shotgun and the parabolic microphone have another
characteristic in common: their effectiveness is grossly exaggerated.
They generally work at distances of less than 100 feet, provided the
ambient noise level does not block out the targeted sound. As the
distance increases, the signal-to-noise ratio worsens. In other
words, it is harder to distinguish target audio from background or
unwanted audio. Under ideal circumstances, the best directional
microphones might have a range of 300 feet, but as mentioned before,
100 feet or less is much more realistic for voice interception. These
devices actually work quite well for bird calls, for two reasons.
Bird sounds are quite loud, certainly much louder than a normal
conversation.
The sounds are higher in frequency. High frequency sound is generally
more directional. Additionally, the human ear tends to perceive higher-
than-human-voice frequencies more easily under marginal conditions.
Since they are difficult to conceal it is unlikely that one would
select this type of microphone to further their technical efforts.
In summary, the microphone and wire attack is still very much with us
and quite a few of the "finds" made by technical surveillance
countermeasure technicians are of this type. They are attractive
because of their commercial availability and low cost. Generally the
lack of technical expertise of the installer assures that most are
discovered during a good physical search.
FREE-SPACE TRANSMITTERS
For purposes of clarity and convenience, free-space transmitters will
be broken into two broad categories: the radio frequency (RF)
transmitter and the carrier-current transmitter. This distinction is
necessary as they differ markedly in the way information is
transmitted from the target area to the listening post. The
countermeasure employed against each category also differs and each is
discussed separately.
This section deals only with the free-space transmitters. In order to
understand more fully the whole subject of transmitters, it will be
necessary to use a little more technical language. Again, this is held
to the minimum needed to understand how transmitters can be used for
technical attacks and, later, to more easily comprehend what some
countermeasures are.
As pointed out earlier, a transducer is a device that changes
mechanical energy, such as human speech, into electrical energy. The
proper term for this electrical energy is electromagnetic energy
(EME). EME travels in waves that vibrate a given number of times per
second. Various forms of electromagnetic energy vibrate at different
rates and this rate of vibration is called its "frequency." Frequency
is expressed in the number of variations or cycles per second. The
phrase "cycles per second" (cps) was changed in recent times to
"Hertz" (Hz) to honor the scientist who first described this
phenomenon. One hertz equals one cycle per second or vice versa.
Scientists often refer to the electromagnetic spectrum as a group of
electromagnetic energy expressed in order of frequency. At one end of
the spectrum is energy that does not vibrate at all. This is direct
current (DC) such as that produced by a battery. At the upper end is
visible light, x-rays and cosmic rays. The energy of concern is radio
frequency (RF) energy, and it is generally considered to be the
electromagnetic energy in the spectrum from 10,000 Hz to infrared
light. These can be very large numbers so now is a good time to look
at some abbreviations. Another way to say 10,000 Hz is 10 Kilohertz,
or 10 KHz. The letter "K" (for kilo) is the common abbreviation for
1,000. One million Hertz or Hz is one megahertz, or 1 MHz. 1,000 MHz
is one gigahertz, or 1 GHz. "M" and "G" are frequently used in science
for "million" and "billion" respectively.
Back to the transducer. Energy produced in the audio range, i.e., from
20 Hz to 10 KHz, is in the same range as sounds in a room. All the
transducer has done is convert the mechanical energy (sound) into
relatively low frequency electromagnetic energy. Because it is low
frequency, the energy will flow along the wires attached to it and
into an amplifier. Consequently, low frequency information is
retrieved from the target area along a hard wire path.
Shifting the intercepted information to a much higher frequency,
however, creates a new picture. A certain amount of the energy would
still flow down the wire, but some of it radiates outward into the
airways. If the frequency were to be increased further, greater
amounts radiate into the airways and are intercepted by a radio
receiver tuned to the same frequency.
Of course there is a device that can convert audio range
electromagnetic energy into radio frequency energy; a radio frequency
(RF) transmitter. The transmitter takes the audio range information
fed to it and converts it to a specific frequency in the radio
frequency range. The transmitter usually includes an amplifier to
magnify the converted signal. The amount of electric power used in
amplifying the radio frequency signal is expressed in watts. As noted
earlier, the radio frequency energy radiates from the wire leading to
the listening post. Cut the wire and the radio frequency energy
continues to radiate from the section still attached to the
transmitter, especially if it is of a certain length in relation to
the transmitted frequency. This piece of wire becomes an "antenna" and
the ideal size, its "resonant length."
Add to the above a power supply and the result is a simple broadcast
station. However, similar though the operating principles may be,
there is a great deal of difference between a full fledged commercial
broadcast transmitter and a clandestine transmitter or "bug". The
first difference is its gross size; the "bug" must generally be very
small for ease of concealment.
The requirement for electrical power needed to operate the transmitter
and broadcast the signal varies widely. The need to use either small
batteries or to "parasite" power from the target area's telephone line
sharply limits the output power of the clandestine transmitter. This
limitation does not, of course, apply when using the AC power lines.
Output power is usually kept low to avoid detection. Normally, there
is no need to broadcast great distances as most listening posts are
located within a few hundred yards or less of their target. While
commercial broadcast stations use thousands of watts of radiated power
during transmission and typical hand-held walkie-talkies use 1 to 5
watts, the modern clandestine transmitter can effectively employ less
than 1 milliwatt (a milliwatt is 1/1,000 of a watt).
Another factor affecting detection of a "bug" transmitter is the type of
modulation used. A look back at the simple transmitter may be in order
at this point. If the transmitter operates at a frequency of 100 MHz
(as an arbitrary example), it emits a radio signal at that frequency.
Somehow the electrical information from the transducer must be
impressed onto this signal to transmit the information. The way in
which this intelligence superimposes itself upon the 100 MHz signal
(called the "carrier wave" or "signal", or quite often, just
"carrier") is modulation. The carrier wave is changed or modulated by
the audio information impressed upon it during transmission.
There are several ways to modulate this carrier wave. The most common
are amplitude modulation (AM) and frequency modulation (FM). These,
of course, are the two types used in commercial broadcasting. It is
not necessary to understand the technical differences between them.
What is important is that the countermeasure search device detects the
transmission that carries them.
Clandestine transmitters come in a variety of shapes and degrees of
sophistication. One of the basic considerations in transmitter
construction is operating time that is determined by battery life.
Generally, the larger the battery, the longer the transmitter will
last. Size is not normally critical if the transmitter is to be
secreted in a wall or in a location next to the target area, or if a
microphone and wire run are employed.
Turning the transmitter on and off by remote control extends battery
life. The advantages of this are obvious. Not only does it greatly
conserve battery life during periods of inactivity, but switching the
transmitter off at the first sign of an audio countermeasure survey
reduces chances of its detection by means of a search receiver.
There are many small, inexpensive "throw away" or "quick drop"
transmitters commercially available. These may have a battery life of
only a few hours but sometimes that is all that is necessary.
One type of free-space transmitter, a type that has no battery, is the
so-called "resonant cavity" transmitter. The Great Seal of the United
States in the Moscow Embassy concealed such a device. As has been
reported extensively in the media, a wooden wall plaque was presented
as a gift along with the suggestion of mounting it on the wall behind
the Ambassador's desk. Many may recall the photograph of Ambassador
Lodge pointing to a "bug" concealed in the back of the plaque. The
embarrassment caused by the detection of this transmitter motivated
the intelligence community to spring into action and devices similar
to it soon evolved.
The resonant cavity transmitter is an amazingly simple device
technically known as a passive radiator, i.e., one that lacks an
internal source of energy. In constructing this device, a layer of
thin metalized material was stretched across a closed metal tube. The
specific size of the tube determined its resonant frequency. A wire
"tail", which functions as an antenna, is attached to the base of the
cavity. The cavity was then flooded with a beam of radio frequency
energy from an external source (usually in the microwave region, 1 GHz
and up). The size of the cavity and the length of its antenna are
carefully calculated so that a harmonic (multiple) of the inbound
radio frequency energy that bathes the cavity is rebroadcast. The
metalized diaphragm acts as a transducer, and the audio range energy
modulates the returned radio frequency signal that, in turn, is picked
up by a receiver in the nearby listening post. Do not assume these
devices are the sole province of Federal level agencies.
The free-space transmitter, though, remains one of the most prevalent
forms of technical attacks. The most likely threat comes from one of
the plentiful miniature transmitters available assembled or in kit
form that use the FM broadcast band (88 to 108 MHz) or are tuned to
operate just above or below it. In many instances, commercially
available "baby sitters" make very effective listening devices.
Nonetheless, regardless of sophistication, all free-space transmitters
pose a threat that should receive serious consideration during an
audio countermeasure survey.
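
A search-receiver sweep of the band singled out above, as an added example that is not part of the original FAQ: it compares sweep readings against a list of known broadcast stations and flags unexplained carriers in or just outside 88 to 108 MHz. The sweep readings, station list, guard width and thresholds are constructed assumptions.

```python
from statistics import median

FM_BAND_MHZ = (88.0, 108.0)  # FM broadcast band named in the text
GUARD_MHZ = 2.0              # assumption: width of "just above or below" the band
MARGIN_DB = 10.0             # assumption: a carrier must clear the noise floor by this
MATCH_MHZ = 0.15             # assumption: tolerance when matching a known station
KNOWN_STATIONS_MHZ = [91.5, 98.7, 104.3]  # constructed list of local stations


def find_carriers(sweep, margin_db=MARGIN_DB):
    """Return (freq_mhz, power_dbm) local maxima standing margin_db above the floor.

    sweep is a list of (freq_mhz, power_dbm) readings in ascending frequency.
    The floor is the median reading, which stays put while most bins are empty.
    """
    floor = median(power for _, power in sweep)
    carriers = []
    for i, (freq, power) in enumerate(sweep):
        left = sweep[i - 1][1] if i > 0 else float("-inf")
        right = sweep[i + 1][1] if i + 1 < len(sweep) else float("-inf")
        if power >= floor + margin_db and power > left and power >= right:
            carriers.append((freq, power))
    return carriers


def classify(freq_mhz):
    """Place a frequency relative to the FM broadcast band and its guard zones."""
    low, high = FM_BAND_MHZ
    if low <= freq_mhz <= high:
        return "in FM band"
    if low - GUARD_MHZ <= freq_mhz < low:
        return "just below FM band"
    if high < freq_mhz <= high + GUARD_MHZ:
        return "just above FM band"
    return "outside scope"


def unexplained_carriers(sweep, known_stations_mhz):
    """Carriers in or near the FM band that match no known station, strongest first."""
    findings = []
    for freq, power in find_carriers(sweep):
        where = classify(freq)
        if where == "outside scope":
            continue
        if any(abs(freq - station) <= MATCH_MHZ for station in known_stations_mhz):
            continue
        findings.append({"freq_mhz": freq, "power_dbm": power, "where": where})
    return sorted(findings, key=lambda f: f["power_dbm"], reverse=True)


def constructed_sweep():
    """Constructed sample sweep: 86 to 110 MHz in 0.1 MHz steps."""
    signals = {91.5: -48.0, 98.7: -52.0, 104.3: -55.0,  # the known stations
               95.1: -71.0, 109.2: -66.0}               # match nothing on the list
    sweep = []
    for i in range(241):
        freq = round(86.0 + 0.1 * i, 1)
        # Empty bins sit at a slightly uneven noise level around -95 dBm.
        sweep.append((freq, signals.get(freq, -96.0 + (i % 3))))
    return sweep


if __name__ == "__main__":
    for finding in unexplained_carriers(constructed_sweep(), KNOWN_STATIONS_MHZ):
        print(finding)
```

A transmitter switched off by remote control during the sweep, as described earlier, produces no reading, so an empty result does not clear the room.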
CARRIER-CURRENT TRANSMITTERS
Technically, carrier-current transmitters are similar to free-space
transmitters except that they use transmitting frequencies somewhere
between those in the audio frequency range and those in the radio
frequency range that radiate outward from a conductor (antenna). The
transmitted energy from a carrier-current device remains ON the
conductor. Their energy is impressed upon either a power line,
telephone line, cable TV line or other paired conductors and is
retrieved by a receiver connected to that same line somewhere outside
the target area. A common example of this is the "wireless intercom."
There are some obvious advantages to such a system. One is that the
electrical energy needed for the transmitter comes from the power or
telephone line thus eliminating the need for a battery. Consequently,
a carrier-current device can be left in place for years without the
need of replacing exhausted batteries. Like the free-space
transmitter, remote control signals sent over the very line powering
the unit may turn it on or off.
Such carrier-current devices are easily concealed and usually not
found by a "sweep" of the radio frequency spectrum with a search
receiver because of their very low frequency. They are, however, easy
to locate with either an oscilloscope or very-low-frequency (VLF)
receiver or converter connected to the line powering them.
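
A software stand-in for the oscilloscope or VLF receiver check described above, as an added example that is not part of the original FAQ: it scans a digitized capture of line voltage for a narrowband carrier riding on the mains. The 60 Hz mains, sample rate, 20 to 400 kHz scan range, threshold and the sample capture are constructed assumptions.

```python
import math
import random

FS_HZ = 1_000_000        # assumption: sample rate of the digitized line voltage
N_SAMPLES = 2000         # 2 ms capture, giving 500 Hz frequency resolution
SCAN_LOW_HZ = 20_000     # assumption: scan starts above the audio range
SCAN_HIGH_HZ = 400_000   # assumption: upper end of the scan
THRESHOLD_V = 0.02       # assumption: report components above 20 mV


def goertzel_amplitude(windowed, gain, freq_hz, fs_hz=FS_HZ):
    """Amplitude in volts of the component at freq_hz (Goertzel recurrence)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq_hz / fs_hz)
    s1 = s2 = 0.0
    for x in windowed:
        s1, s2 = x + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return 2.0 * math.sqrt(max(power, 0.0)) / gain


def scan_line(samples, low_hz=SCAN_LOW_HZ, high_hz=SCAN_HIGH_HZ,
              threshold_v=THRESHOLD_V, fs_hz=FS_HZ):
    """Return [(freq_hz, amplitude_v)] for carriers found on the line."""
    n = len(samples)
    # A Hann window keeps the large mains component from leaking into the scan band.
    window = [0.5 - 0.5 * math.cos(2.0 * math.pi * i / (n - 1)) for i in range(n)]
    windowed = [x * w for x, w in zip(samples, window)]
    gain = sum(window)
    step = fs_hz // n  # step by one resolution bin so no carrier falls between points
    freqs = list(range(low_hz, high_hz + 1, step))
    amps = [goertzel_amplitude(windowed, gain, f, fs_hz) for f in freqs]
    hits = []
    for i, amp in enumerate(amps):
        left = amps[i - 1] if i > 0 else 0.0
        right = amps[i + 1] if i + 1 < len(amps) else 0.0
        # Keep only the local maximum so one carrier yields one report.
        if amp >= threshold_v and amp > left and amp >= right:
            hits.append((freqs[i], round(amp, 3)))
    return hits


def constructed_line(carrier_hz=None, carrier_v=0.1, seed=1):
    """Constructed capture: 60 Hz mains, small noise, optional injected carrier."""
    rng = random.Random(seed)
    samples = []
    for i in range(N_SAMPLES):
        t = i / FS_HZ
        v = 170.0 * math.sin(2.0 * math.pi * 60.0 * t + 0.3)  # about 120 V RMS
        v += rng.gauss(0.0, 0.01)                              # line noise
        if carrier_hz is not None:
            v += carrier_v * math.sin(2.0 * math.pi * carrier_hz * t)
        samples.append(v)
    return samples


if __name__ == "__main__":
    print("clean line:  ", scan_line(constructed_line()))
    print("with carrier:", scan_line(constructed_line(carrier_hz=185_300)))
```
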
Carrier-current devices are commonly built into innocuous looking
objects such as clocks, radios, lamps, telephones, etc. and sent as an
expensive looking gift to the unsuspecting target person who plugs it
into the wall outlet and promptly bugs themselves. [Sad to say,
bombers sometimes use this exact scenario!] This approach, of course,
overcomes the disadvantages of having to enter the target area.
One great advantage the carrier-current transmitter has over the free-
space transmitter that radiates in all directions (not only to the
listening post) is that it radiates only down the wire. This can turn
into a major disadvantage though if one cannot get to the wire.
Although transmitting range (distance) can be a problem, there are
many ways to overcome it. Earlier difficulties these units had with
power line noise (primarily AM) have been overcome by the introduction
of FM carrier-current devices.
In summation, the carrier-current transmitter is a serious threat
confronting the audio countermeasures technician, particularly if
installed by an adversary skilled in the concealment and use of one of
these devices.
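The line check described above (an oscilloscope or VLF receiver on the line powering the device), done in software as an added example that is not part of the original FAQ: it sweeps a digitized capture from the line for narrowband energy standing above the noise floor between 10 kHz and 400 kHz. The sample rate, the isolating coupler, the thresholds and the constructed test capture are all assumptions of this example.

```python
import math
import random
import statistics

SAMPLE_RATE_HZ = 1_000_000   # assumed digitizer rate behind an isolating line coupler
N_SAMPLES = 2000             # 2 ms capture, so the frequency resolution is 500 Hz


def make_capture(carrier_hz=None, seed=1):
    """Constructed sample data: coupler output with 60 Hz residue, noise and,
    optionally, a 50 mV FM carrier modulated by a 1 kHz tone (5 kHz deviation)."""
    rng = random.Random(seed)
    samples = []
    for n in range(N_SAMPLES):
        t = n / SAMPLE_RATE_HZ
        v = 0.5 * math.sin(2 * math.pi * 60 * t) + rng.gauss(0.0, 0.005)
        if carrier_hz is not None:
            phase = 2 * math.pi * carrier_hz * t + 5.0 * math.sin(2 * math.pi * 1000 * t)
            v += 0.05 * math.cos(phase)
        samples.append(v)
    return samples


def goertzel_power(windowed, freq_hz):
    """Squared amplitude (V^2) of one frequency in a Hann-windowed capture."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq_hz / SAMPLE_RATE_HZ)
    s1 = s2 = 0.0
    for x in windowed:
        s1, s2 = x + coeff * s1 - s2, s1
    magnitude_sq = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return magnitude_sq / (len(windowed) / 4.0) ** 2   # Hann window sums to N/2


def sweep(samples, start_hz=10_000, stop_hz=400_000):
    """Return [(freq_hz, power)] from above the audio band up to stop_hz."""
    n = len(samples)
    step_hz = SAMPLE_RATE_HZ // n          # step by the capture's own resolution
    # The Hann window keeps the large 60 Hz residue from leaking into every bin.
    windowed = [x * (0.5 - 0.5 * math.cos(2 * math.pi * i / n))
                for i, x in enumerate(samples)]
    return [(f, goertzel_power(windowed, f))
            for f in range(start_hz, stop_hz + 1, step_hz)]


def find_carriers(samples, threshold_db=20.0, merge_hz=5_000):
    """Flag bins more than threshold_db above the median noise floor and merge
    neighbouring hits, since an FM carrier spreads over several sidebands."""
    spectrum = sweep(samples)
    floor = statistics.median(p for _, p in spectrum)
    limit = floor * 10 ** (threshold_db / 10.0)
    detections = []
    for freq, power in spectrum:
        if power <= limit:
            continue
        if detections and freq - detections[-1]["high_hz"] <= merge_hz:
            hit = detections[-1]
            hit["high_hz"] = freq
            if power > hit["peak_power"]:
                hit["peak_hz"], hit["peak_power"] = freq, power
        else:
            detections.append({"low_hz": freq, "high_hz": freq,
                               "peak_hz": freq, "peak_power": power})
    for hit in detections:
        hit["peak_db_over_floor"] = 10 * math.log10(hit["peak_power"] / floor)
    return detections


if __name__ == "__main__":
    for label, capture in (("clean line", make_capture()),
                           ("suspect line", make_capture(carrier_hz=200_000))):
        hits = find_carriers(capture)
        print(label, "->", "nothing above floor" if not hits else hits)
```

A legitimate carrier-current product on the same line, such as the wireless intercom mentioned above, is reported the same way and has to be identified and ruled out by the operator.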
TELEPHONES
Numerous "embarrassing" cases have served to focus public attention
upon the vulnerability of the telephone system to technical attack.
Holding sensitive discussions in any area that contains a telephone
presents a very, very serious hazard to the audio security of the
entire room, no matter whether the telephone is off or ON hook.
There are two different types of technical attacks made upon the
telephone: the "tap" and the "compromise." The telephone "tap" is an
interception of telephone communications. The interception may be of
conversation or normal telephone communication, such as teletype,
facsimile, or computer data. The "tap" results in the collection of
information only when the phone is in use. A tap does not require
physical access to the target area. Telephone lines are vulnerable
anywhere between the target phone and central telephone office miles
away.
There are a multitude of ways to tap a telephone, ranging from direct
connection with the line to inductive coupling that does not require a
physical connection to the line. The latter uses a so-called
induction coil/transformer to couple the energy from the line to the
listening post. An induction coil works on the following principle.
Electromagnetic energy flowing down a telephone wire creates a
magnetic field around that wire. The information flowing down the
telephone wire is, of course, electromagnetic energy modulated by the
information impressed upon it. This modulation causes the magnetic
field to vary at the same rate as the audio on the line itself.
Placing an induction coil on or near the line so that it is within
this electromagnetic field induces a similar electromagnetic energy
flow in the coil. The induced signal is then fed into an amplifier and
the information recovered.
A recent development in this area replaces the induction coil with
Hall-effect magnetic field sensors that detect the minute magnetic
fluctuations caused by signals flowing down the wire. The induction
coil, Hall-effect and similar devices are virtually impossible to
detect by technical means, so a thorough visual inspection of the
telephone line is mandatory!
A compromise is an attack upon a telephone that transforms it into a
listening device capable of intercepting audio in the targeted area at
all times, no matter whether the telephone is on hook (hung up) or off
hook. A telephone can be compromised in many different ways, all of
which require physical access to the telephone.
A transmitter, either carrier-current or free-space, concealed inside
a telephone can be very difficult to find even when the phone is
opened for inspection, especially if it resembles a legitimate
telephone part. One of the most common of these transmitters resembles
either the telephone ear piece or mouthpiece transducer.
(Technically, the mouthpiece transducer is called the transmitter; the
ear piece, the receiver.) This "drop-in" transmitter draws its power
from the telephone. Transmitters can also be hidden within internal
parts of the telephone thus masking them from visual inspection.
Every telephone contains at least three transducers. One of these is
the telephone mouthpiece (transmitter), usually either a carbon or
electret microphone. As mentioned earlier, these are not "self
generating" microphones and require external power.
The second transducer is the ear piece (receiver) which, besides being
a miniature loud speaker, is a highly sensitive "self generating"
dynamic microphone that requires no external power. A spare pair of
wires within the telephone connected to this device can do wonders!
This is a "natural" point of attack.
The third, and usually most unreliable transducer, is the telephone
ringer itself. The ringer assembly of many telephones is resonant at
voice frequencies and thus modulated by the room audio impinging upon
it. If a telephone ringer is sufficiently resonant, a high-gain
amplifier with a good DSP filter can retrieve conversations emanating
from nearby. Its range is quite limited, though, generally 3 to 5 feet
from the instrument.
An explanation of what a telephone hook-switch does will enhance
understanding of how easily phones can be compromised. The hook-switch is
the mechanical device that ostensibly disconnects the telephone from
the central office (the telephone exchange) when the handset is placed
upon the cradle. A telephone in this position usually has about 48 to
50 volts of DC line voltage. Lifting the handset off of the cradle
("off-hook" position) connects the receiver and transmitter to central
office and the voltage drops to 7 to 9 volts DC.
In the standard, single line instrument, all that separates the
telephone handset transducers from the outside world is the hook-
switch. From time to time one of these hook-switches will become
accidentally bent (wink, wink), or some conductive deposit will build
up on one of the electrical contact points (some more winking). Under
these circumstances the handset is never completely "hung up" and a
high-gain amplifier placed across the telephone wires will retrieve
room audio with astonishing fidelity!
By the same token, there are many ways to deliberately bypass a hook-
switch thus allowing room information retrieval at the listening post.
A simple rearrangement of wires takes only minutes and is very
effective. It has the added advantage of being a deniable compromise:
i.e., it may never be possible for the audio countermeasures expert to
learn whether the rewiring was an actual attack or merely human error.
Additionally, it is possible to insert into a telephone any number of
devices such as diodes, transistors, capacitors or resistors that
compromise the hook-switch. Some of these devices have the added
advantage of automatically shutting off when the handset is picked up
due to the resultant voltage drop (from 48 volts DC to 7 to 9 volts
DC).
The original "infinity transmitter" or "harmonica bug" is now replaced
by newer devices better able to deal with current telephone
technology. Some of these devices require complex DTMF (Dual-Tone
Multi-Frequency) tones to actuate them. These are a variation of the
remotely controlled radio frequency transmitters described earlier. As
with those devices, the attacker must gain access to the target area
or at least arrange for a compromised telephone to be placed in the
target area. The device can also be placed anywhere along the
telephone line or, worse yet, along some other person's telephone line
to monitor the target area. Once on, the infinity transmitter usually
stays on until the handset of the target telephone is lifted from the
cradle. Most of these devices are parasitic, i.e., they draw their
power from the telephone line, thus drawing the telephone line voltage
down a few volts.
In summation:
The telephone is susceptible to a variety of technical attacks that
vary in sophistication and are extremely effective and quite difficult
to detect.
The telephone provides a hard wire path out of the target area.
The telephone is particularly appealing to one planning a technical
attack as it provides a ready source of power.
The telephone is large enough to simplify concealment of a variety of
devices.
The telephone does not require additional microphones because of
existing transducers within the telephone instrument.
Because of its attractiveness for, and susceptibility to, technical
attack the telephone remains one of the most dangerous of surveillance
devices.
AUDIO COUNTERMEASURES
An effective audio security program should encompass two basic
considerations:
Measures taken that will complicate or prevent a technical attack.
Measures to be taken that will detect the presence of a technical
attack.
The term generally used to describe the former is isolation and
nullification. The latter would encompass the actual conduct of an
audio countermeasure survey. However, before undertaking either plan,
a first step is the assessment of the threat. First of all, determine:
Who is the target?
What is the potential value of the information?
Who would be the most likely person (or persons) to mount a technical
attack?
ISOLATION AND NULLIFICATION
Generally the areas to be protected fall into one of three basic
categories:
Permanent facilities such as offices used by key figures on a daily
basis, houses, conference rooms, etc.
Facilities used temporarily or infrequently such as hotel rooms,
conferences in facilities such as meeting halls, or public buildings.
Automobiles.
Each category of facility presents a different challenge, primarily as
the result of variations in the amount of control security has over
the audio environment of the facility.
As previously noted, isolation and nullification relate to actions
taken before the fact that will sharply limit the opportunity for a
successful audio surveillance attack. The actions taken along this
line become more apparent if one considers the possible techniques
used against the area. Despite the variety of techniques described in
the 6 categories of technical attacks, there are only 4 ways to take
audio from a target area:
Carry it out. All of the techniques discussed under the heading of
"Mechanical" attacks apply.
Transmit it out - "Free-Space" techniques apply.
Retrieve it optically - "Visual/Optical" techniques apply.
Retrieve it via hard wire - "Carrier-Current", "Microphone and Wire"
and "Telephone" techniques apply.
There is no technique that does not use one of the above methods.
Therefore, these four methods must always be considered during the
development of an effective isolation and nullification program. For
purposes of this discussion, isolation pertains to those actions that
tend to prevent the mounting of a technical attack whereas
nullification relates to those techniques that would tend to hinder or
even prevent the attack from producing useful information.
The basic component of isolation is physical security. A highly
effective physical security system would deny an attacker access to
the target space, which would in turn sharply limit his selection of
techniques. However, the security must be round-the-clock and cannot
consist solely of physical protective devices such as locks or vaults.
Support all such physical security systems with either an effective
alarm and television system and/or a 24 hours a day guard service.
Obviously, the amount of protection given a facility depends on
which of the 3 categories it falls into and the limitations on time
and resources available to security.
The easiest facility to protect is, of course, the permanent facility.
A security officer attempting to create an ideal audio security
environment in this instance should first identify those areas in
which sensitive discussions may take place. These areas normally are
private offices and/or conference rooms. Attempts should be made to
confine sensitive discussions to these specific areas, which then
allows concentration of security resources on just one or two rooms
rather than an entire building.
ACOUSTIC BARRIERS
Consideration should be given to the type of construction of the room
with a view towards the acoustic attenuation characteristics of its
perimeter, which is the ability of the walls, ceiling, and floor to
act as a barrier to sound. Acoustic attenuation is greatest when there
is a barrier consisting of two different types of insulating
materials. This creates what engineers call an acoustic impedance
mismatch. Use of dissimilar materials, particularly when there is air
space between them, is much more effective than mere thickness. For
instance, a double wall consisting of 1/4 inch plywood nailed to 2 by
4 inch studs attenuates more sound than 4 inches of cinder block, and
double pane, 1/4 inch glass with a 1/4 inch airspace is even more of a
barrier.
One common insulating material that should not be used is acoustical
tile. This tile was not developed to function as a sound insulator.
Rather, it was designed to reduce reverberation or reflected sounds
within radio broadcast studios. Its use in a room facilitates a
technical attack by making the target area as acoustically "dead" as a
recording studio, an ideal situation for a clandestine microphone.
Additionally, the presence of thousands of dampening holes in the tile
gives an opponent just that many more places to conceal a microphone,
as the diameter of any one of these holes is ample for such a purpose.
It is far better to use a dense, sound reflective material such as
plywood, plaster board, or masonite. If the reverberations in the room
become annoying to its occupants, heavy draperies can soften the sound
considerably without having an adverse effect upon audio security.
ROOM DOORS... One security aspect often overlooked is the door.
Although a heavy, solid core door is often quite adequate, there is
considerable sound transmission around the edges and underneath the
door. This can be eliminated or reduced by the installation of an
inexpensive rubber gasket around the edges of the door.
ROOM DUCT WORK... Air conditioning or heating vents provide audio
paths that can be exploited. There are various acoustic baffles that
can be installed, but the most inexpensive approach is usually the
application of nullification techniques. One example of nullification
applicable in this situation is audible noise masking.
AUDIO MASKING... Masking is the generation of sufficient noise at the
perimeter of the secure area to cover or mask any conversations within
the room.
There are many commercially available systems designed for this exact
purpose. Special transducers that create random vibrations or
mechanical noises are fastened to the walls, ceiling and floor.
Transducers are also mounted in the air vents, on pipes/conduits and
in any possible avenue where sound might exit the target area. When
the transducers are in operation they virtually eliminate the chances
of a successful attack using a contact microphone. The wiring of these
systems should be done in such a manner that it can be visually
inspected.
Failing the availability of an acoustical noise system, a radio tuned
to a rock station and placed with its speaker against the unsecured
wall will sometimes do. The conversations should be held as close as
possible to this noise source and the tendency to talk louder than the
radio should be overcome. Complete, portable, personal, secure wire
communication systems are also available for use when noise sources
are not available.
ROOM WINDOWS... Ideally, there should be no windows in the secure
room. If there are windows, they should be equipped with acoustical
noise generators or, again, the radio. Cover the windows with blinds
or drapes. If there are no windows, the visual/optical attack
possibility is reduced to almost zero.
ROOM WIRING... All wiring leaving the secure area should be accounted
for and any that are not being used either removed or have the ends
permanently shorted together to prevent technical exploitation.
ROOM TELEPHONES... Telephones should not be allowed in areas where
discussions are held under any circumstances - they are an EXTREME
hazard. A persuasive security officer can usually present a good
argument for their removal from conference rooms, but there is no way
a public figure can be talked out of having a telephone in his office.
Thus, although the ideal situation is to have no phone, it will be
necessary to take steps to minimize the hazard it presents.
The telephone instrument should be equipped with an easy means of
disconnecting it from the telephone line. It should be unplugged when
sensitive conversations take place. The cheapest and simplest of these
means is the plug and jack arrangement similar to that used in home
telephones. With this arrangement, it is necessary to install a
separate ringer to annunciate incoming calls, as the ringer in the
telephone is, of course, also disconnected when the phone is not
plugged in. Ideally, the ringer should be a special, nonresonant
ringer such as the Stromberg-Carlson Model 687-96A Ringer or the
Kaiser RA-10 Non-Transducing Ringer. This would preclude an attacker
from using the ringer as a transducer. A Kaiser RA-15 annunciator
installed in the telephone ensures that it will not be left connected
to the line and unattended.
Notwithstanding apocryphal stories to the contrary, there is no way
that an unplugged telephone can be technically attacked. At best, it
could be used to conceal a transmitter needing its own power supply.
This would be detected by a basic visual search. Thus, a relatively
inexpensive precaution, as described above, nets a tremendous increase
in audio security.
TELEPHONE DISCONNECTS AND SWITCHES... There were several of these
devices commercially available years ago but they are not recommended.
Since they contained extensive circuitry, the lay person was and is
unable to tell if one had been compromised.
SECURITY OF THE TELEPHONE INSTRUMENT... Again, physical security is
paramount. The simplest of countermeasures will work only if the
potential adversary is denied an opportunity to gain access to the
telephone instrument. As one attack technique consists of replacing
the entire telephone with one that has been rewired, it is a good idea
to discreetly mark the telephones so they can be quickly visually
inspected. A control number can be engraved on the bottom of the
instrument, for instance. A better method is to mark the phone in some
manner with a material that fluoresces under ultraviolet light.
Locking the telephone instrument itself in a safe is a good idea.
TELEPHONE TAPS... The adoption of all, or at least a substantial
portion, of the above procedures will prevent any but the most highly
sophisticated attacks. However, a word of explanation is in order. The
attacks prevented are compromises designed to hear room conversation
when the telephone is not in use, not taps. Short of the use of
encrypted or "scrambled" telephone systems, there is no way to
guarantee that a telephone is not tapped now or will not soon be tapped.
A great deal of time and considerable effort has been spent by many a
technician to produce a system that can detect wiretaps. To date, NO
system has been developed that can reliably find even the most basic
of taps all of the time.
The problem is created by the fact that the line pair can be
intercepted at any point between the telephone instrument and central
office. That can mean miles of unprotected wiring. Telephones are not
the only devices that use the telephone lines. They are, or can be,
shared with other devices such as computers/modems, Fax machines and a
variety of signaling and control equipment.
A direct tap made with careful attention to impedance matching would
be very, very difficult to detect. Certainly the telephone subscriber
would be unaware of it as there would be no telltale clicks or noises
on the line. Detection of a carefully installed induction coil or
Hall-effect tap is simply impossible.
On the other hand, chances of a successful tap are complicated by good
physical security practices. The simplest tap is made at the nearest
terminal or connecting block where the target line pair is tied to
either a large "house" cable or to an "outside" cable. The line pair
at this point is spread out on the connecting block and is easy to
both identify and attack. The terminal board or connecting block is
usually found within the same building as the telephone, although it
may be on an adjacent telephone pole, especially if the telephone is
located in a residence. Consequently, if there is good physical
security, it would possibly deny an adversary this easier point of
attack.
An attacker with an understanding of how the telephone line matrix is
set up can reap a bonanza by simply determining where the target
company conducted its business in the past and searching for the wires
outside that location. Sometimes the old wires are even left on the
terminal blocks inside the old location!
Target lines can be located by means of a telephone company cable
chart and normally it would be necessary to obtain that chart from the
telephone company. It is amazing how often this information "falls
off" telephone company trucks and into eager hands. Often these charts
are left in the telephone frame room of the company under attack and
thus easy targets. Assume always that the attacker has access to
information on the telephone lines.
Although the isolation and nullification procedures described so far
are primarily applicable to permanent facilities, it should be obvious
that many of them can be effectively applied to occasional use
facilities and, occasionally, to automobiles. Audio security, like any
other form of security, is a percentage proposition in that every
positive preventive action taken will yield a certain percentage
increase in security. Therefore, it is incumbent upon the security
officer to carry out as many countermeasures as possible consistent
with resources and common sense.
A careful analysis of the isolation and nullification techniques
discussed above reveals two basic points common to all the recommended
countermeasures:
Threat analysis
Physical security
The security planner merely decides the most likely means of attack
and plans his defenses accordingly. The material thus far presented
should clearly show the overwhelming importance of good physical
security, security that would have to be present in any event to
safeguard the personal safety of the public figure.
If all applicable isolation and nullification techniques have been
applied, then a potential technical perpetrator has been denied
several means of attack. His most viable option would be the planting
of a remotely-controlled transmitter, either free-space or carrier-
current, and even then it would require him to breach physical
security, either before or after the security perimeter was
established. In short, if the security perimeter is perfect and all
isolation and nullification recommendations implemented, a successful
technical attack would be very difficult to carry out. However,
security is never perfect or foolproof. Therefore, the security
planner cannot consider his audio security program complete until he
has arranged for and conducted the second major program component, the
audio countermeasures survey.
THE AUDIO COUNTERMEASURE SURVEY
The audio countermeasures survey is a vital component of an effective
audio security program, despite the application of the isolation and
nullification techniques in the preceding section. It becomes
necessary for two reasons.
A technical attack may have been perpetrated before the initiation of
the audio countermeasures program.
An attack may have been successfully launched because of overlooked
weakness or human error in the maintenance of adequate physical
security.
As with the approach used with isolation and nullification, the survey
may be conducted on a sliding scale of sophistication ranging from a
simple physical examination of the area to the application of the most
complex and detailed audio countermeasures equipment. As might be
expected, the effectiveness of audio security tends to increase
proportionately. However, the application of audio countermeasure
techniques described in this section will certainly add to the general
audio security already present because of previously applied isolation
and nullification techniques.
TIMING OF THE AUDIO COUNTERMEASURE SURVEY
Perhaps the first question to be considered is when an audio
countermeasure survey should be conducted. The answer, of course,
depends upon the type of facility: permanent or occasional.
With the permanent facility, the most important criterion is the
overall effectiveness of the isolation and nullification program. If
its measures are all implemented, one audio countermeasure survey every year
is usually sufficient. Any time there is extensive modification of the
area, new construction, new electrical wiring, or any other activity
that gives outsiders relatively unsupervised access to the sensitive
area, a survey should be conducted upon the completion of the
disrupting activity.
The survey should always be conducted during normal working hours to
facilitate the discovery of remotely switchable devices. With
occasional-use facilities, the survey may be conducted any time prior
to its scheduled use. Upon completion of the survey, physical security
procedures must be implemented. Additionally, if the activity to be
protected is a conference or discussion, the security officer should
arrange for some additional monitoring of the radio frequency spectrum
during the initial stage of the conference. This detects any radio
frequency devices missed during the survey but remotely turned on to
intercept the sensitive discussion. A survey will be required for the
occasional facility each time there is a break in the physical
security provided it. As described later in this section, the same
criterion applies to automobiles.
The equipment needed during the survey will be discussed as the steps
of the audio countermeasure survey are outlined. The chances of an
audio countermeasure survey detecting a clandestine device are greatly
enhanced if the survey can be conducted in as non-alerting a manner as
possible. There are two basic reasons for this.
If the attacker learns in advance of an audio countermeasure survey,
he may have an opportunity to remove or destroy (a charged high
voltage capacitor placed across a microphone's wires can literally
vaporize the microphone element) any clandestine equipment before the
survey can be conducted.
If the adversary has advance notice, hears the audio countermeasure
specialists in the conduct of the survey, or overhears someone in the
target area mention that such a survey is in progress, he may switch
off his remotely activated transmitter, preventing its detection. At
the very least, he would have an opportunity to abandon his listening
post, negating chances of an apprehension. It also precludes any
chances of exploiting any devices found by using them to transmit
false or spurious information.
This idea of strict secrecy in the conduct of audio countermeasure
surveys cannot be overstressed. Secrecy is, in fact, regarded as one
of the technical surveillance countermeasure specialist's most
important tools. The following is a very good rule to remember when
talking about secrecy. If 1 person knows a secret then that's it. But
if he or she tells another person (1) then putting those two 1's side
by side looks like 11 or eleven. Adding another person (1) means it
looks like 111 or one hundred and eleven, and so on. As you can see,
secrets can be even harder to keep as each person is added!
SEARCHING FOR RADIO FREQUENCY TRANSMITTERS
Generally, the most important and sensitive part of the audio
countermeasures survey is the search for radio frequency transmitters,
both free-space and carrier-current. This is done in two ways:
The use of electronic devices
Physical search
The most effective electronic equipment available to assist the
security officer in the detection of clandestine transmitters is
specially designed detectors, a search receiver or spectrum analyzer
(preferably capable of tuning from 10 kHz to 3 GHz). Quality
detectors are available priced from a few hundred to a few thousand
dollars. It is recognized that this cost factor may seem expensive to
many agencies having a requirement to conduct audio countermeasure
surveys, but it should be noted that relatively inexpensive "feedback"
detectors can also be very effective.
The first step, then, in the conduct of an audio countermeasure survey
is the search of the radio frequency spectrum. Upon the completion of
the "sweep" of the spectrum, check the power lines for the presence of
a carrier-current device with equipment designed for that purpose. A
similar check is made of the telephone lines at the same time that the
telephone system is checked for any compromises.
INSPECTION OF THE TELEPHONE SYSTEM
The next step in the audio countermeasure survey is inspection of the
telephone system. The easiest and most efficient way to accomplish
this is to check the outgoing telephone lines at their first
appearance after they leave the secure area. Generally, buildings have
a telephone closet where the various line pairs appear on terminal
boards. This is where they are patched into the cable which eventually
goes to central office. There are usually two wires on the terminal
board for each outside line. The telephone company calls the two
lines "tip and ring"; a holdover from the days of operator assisted
calls. Some specialized and foreign telephones use a 4-wire system.
In this case, there will be a "tip and ring" for the "talk" pair (the
pair connected to the transmitter/mouthpiece), and a "tip and ring"
for the pair connected to the receiver/ear piece.
In telephone systems using key telephones, many wires on the board are
not tip and ring. They are auxiliary conductors for such functions as
the "hold" and "lamp flash" circuits. It is possible to tell a line
pair by the use of a voltmeter (tip and ring will show approximately
48 volts DC between them if the line is not being used).
It is not really necessary to know which is which for the purpose of a
survey since an adversary may have decided to use one of the auxiliary
wires in the technical attack.
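The voltmeter step above, combined with the figures given earlier (about 48 to 50 volts on hook, 7 to 9 volts off hook, a parasitic device pulling the line down "a few volts"), as an added example that is not part of the original FAQ: it compares terminal-board readings against the record kept from the previous survey. The log format, pair labels, meter tolerance, alert threshold and all readings are constructed assumptions.

```python
import re

# Voltages stated in the text; the two tolerances are assumptions of this example.
ON_HOOK_V = (48.0, 50.0)     # idle line, tip to ring
OFF_HOOK_V = (7.0, 9.0)      # handset lifted
METER_TOLERANCE_V = 1.0      # assumed measurement tolerance
DROP_ALERT_V = 2.0           # assumed reading of "a few volts"

READING_RE = re.compile(r"^(\S+)\s+(idle|in-use)\s+(-?\d+(?:\.\d+)?)$")

# Constructed survey log: pair label, state of the instrument, DC volts.
SURVEY_LOG = """
TB1-01 idle   49.6
TB1-02 idle   46.9
TB1-03 idle   8.1
TB1-04 in-use 7.8
TB1-05 idle   0.0    # conductor on the board that carries no line voltage
"""
# Constructed idle readings recorded for the same pairs at the previous survey.
BASELINE_V = {"TB1-01": 49.5, "TB1-02": 49.4, "TB1-03": 49.8, "TB1-04": 49.7}


def parse_readings(text):
    """Parse 'pair state volts' lines into {pair: (state, volts)}."""
    readings = {}
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = READING_RE.match(line)
        if match is None:
            raise ValueError(f"line {number}: cannot parse {raw!r}")
        pair, state, volts = match.groups()
        readings[pair] = (state, abs(float(volts)))   # sign depends on probe order
    return readings


def in_range(volts, bounds):
    return bounds[0] - METER_TOLERANCE_V <= volts <= bounds[1] + METER_TOLERANCE_V


def assess(state, volts, baseline_volts=None):
    """Return (finding, follow_up) for one pair of conductors."""
    if state == "in-use":
        if in_range(volts, OFF_HOOK_V):
            return ("line pair, in use", "repeat the checks when idle")
        return ("in use, unexpected voltage", "inspect line and instrument")
    if in_range(volts, OFF_HOOK_V):
        return ("reads off-hook while idle", "inspect hook-switch and instrument")
    if baseline_volts is not None and baseline_volts - volts >= DROP_ALERT_V:
        return ("idle voltage down since last survey", "inspect line for a parasitic device")
    if in_range(volts, ON_HOOK_V):
        return ("line pair, idle", "audio check")
    # Not tip and ring, but the text notes an auxiliary wire may still be used.
    return ("not tip and ring", "audio check anyway")


def survey(log_text, baseline):
    """Assess every reading in the log against the previous survey's record."""
    return {pair: assess(state, volts, baseline.get(pair))
            for pair, (state, volts) in parse_readings(log_text).items()}


if __name__ == "__main__":
    for pair, (finding, follow_up) in survey(SURVEY_LOG, BASELINE_V).items():
        print(f"{pair}: {finding} -> {follow_up}")
```

A clean voltage record does not clear a line: as the text says, induction-coil and Hall-effect taps cannot be found by technical means, so the visual inspection and the audio check still apply.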
One of the audio countermeasure expert's most useful tools is a high
gain (amplification) audio amplifier. There are any number
commercially available, priced in the two to four hundred dollar range
that offer the user a choice of input and output impedances. The
amplifier should include a high/low-pass filter, a tone generator for
tracing wires and activating certain microphones, and a means of
producing voltage to turn on external accessories such as electret and
carbon microphones. Along with the amplifier there should be a set of
earphones (the stethoscope type that covers both ears is best), and a
two conductor cable terminated in alligator clips.
To check a telephone line, one wire from the amplifier is clipped to
"tip", and the other to "ring". If the amplifier allows a selection of
input impedances, anywhere from 10 K to 500 K Ohms is a good choice.
All that is necessary is to turn up the volume control and listen. If
the telephone is in use, the conversation will be heard. If the
telephone is not in use and room audio is heard, the telephone hook-
switch has been bypassed in some fashion, either by accident or on
purpose. The sound of room audio is unmistakable.
The above procedure should be followed with all line pairs leading
toward the central office. If a technical attack has been initiated on
a telephone in the secure area that does not utilize a radio frequency
transmitter, this procedure detects it in many, but not all,
instances.
Upon completion of this audio check, the procedure should be repeated
using the carrier-current detector, receiver or spectrum analyzer. If
both the radio frequency check and the audio check are negative, there
is some assurance that the telephone system has not been attacked. A
disassembly of the individual telephone instruments will be covered
later in the survey.
There is a device available for telephone countermeasures called a
"Telephone Analyzer" or telephone test set. This equipment tends to
vary a great deal in cost and the most expensive are not necessarily
the best. Carefully check the capabilities of each unit to see if it
matches both expectations and the existing system. Although these
units are generally effective, there are drawbacks to them. First,
there are devices that they cannot detect for a variety of technical
reasons. Secondly, they require a lot of understanding which translates
into time. Typically, a unit can take 30 minutes to an hour to test a
multi-line telephone. If the space to be surveyed includes several
telephones, the time can be excessive!
One of the major determinations the security officer must make is the
value per audio security dollar. Sometimes money is better spent on
the isolation and nullification program. In short, using the overall
criterion of cost effectiveness, the telephone analyzer is not
recommended for general surveys.
TOTAL AREA INSPECTION
Prior to initiating the audio countermeasure survey, a cursory non-
alerting inspection should have been made in order to decide the
possible location of listening posts and to decide the best location
from which to conduct the radio frequency sweep. When the most
critical portions of the survey have been completed, it is not as
important to remain completely non-alerting, although it would be best
to remain so, consistent with effectively completing the survey.
Consequently, a more detailed inspection is in order starting from
outside the facility.
Stand back a distance from the building. Where do the wires go from
and to? Are there any buildings in the area not under control of the
security department? Check the roof for wires and extraneous devices
or antennas. Use common sense.
The inspection should continue inside the building. Are there any
places in the building that might function as listening posts (a
microphone and wire run could terminate in a closet where all
interceptions are recorded on tape and the tape retrieved on a daily
basis)? Are the telephone closets securely locked to hinder access by
unauthorized personnel? Are all the keys accounted for? What
conductors leave the secure perimeter? Is the closet alarmed? Every
wire must be accounted for.
ROOM SEARCHING
Following generalized exterior and interior building examination, the
potential target area itself should be considered. By this point in
the audio countermeasure survey, the security officer will have a good
idea of what, if any, technical attack is involved. At this juncture
obviously the greatest threat would come from a transmitter or
microphone/wire feeding a nearby transmitter. The security director
should have a fairly good idea of what to look for as the physical
search is started.
The procedures used to search the facility are quite similar to those
used to search for explosive devices, and the equipment used is basically
the same. Thus, a good tool kit containing a set of screwdrivers,
various pliers, wrenches, inspection mirrors, and flashlights is the
basic minimum needed to do the job correctly.
Priority should be given to those areas closest to where discussions
normally take place such as desks, sofas, telephones, etc. Items such
as pictures and wall plaques should be removed from the wall and
closely inspected for devices. The wall behind the picture or plaque
should also be carefully inspected. Remember that the acoustic passage
can be little bigger than a pin hole.
There have been instances where transmitters have been secreted in the
picture frame itself.
An examination should be made of the underside of all furniture.
Wooden furniture should be thoroughly inspected inside and out. A
metal detector is useful here. Furniture should be picked up and moved
to ensure that it does not conceal wires.
Any and all grates or grills for air conditioning or heating ducts
should be removed and the interiors inspected with a mirror. Be alert
for any signs of recent entry such as tool marks or disturbed dust
patterns. Use of an ultraviolet light is helpful in detecting recent
alterations.
Examine baseboards carefully for signs of recent modification. These
are popular places to hide microphones and/or wire runs. Roll back
any carpeting to make sure that it does not hide wiring. Again, an
ultraviolet light is useful.
If the room has a false ceiling, the space between it and the true
ceiling must be thoroughly inspected. Be particularly alert to the
wires that often abound in these spaces. Remember that all conductors
must be accounted for.
Pay particular attention to the backs of file cabinets or bookcases as
these too are good hiding places. It would be worthwhile to examine
all hardbound books as these have been successfully used in the past
to hide transmitters.
The walls should be carefully inspected for any signs of a microphone.
Ultraviolet light can be of assistance as it tends to highlight paint
or plaster differences better than standard light.
Light switches and electrical outlets are among the favorite places to
plant carrier-current devices. These must be carefully examined. BE
CAREFUL WITH HOT AC LINES! The protective covers must be removed and
the inside of the box as well as the switch and socket must be carefully
inspected. There are quite a few "off the shelf" carrier-current
devices commercially available which are or can be packaged within
wall plugs, electrical outlets and light switches. AGAIN, BE CAREFUL
WITH HOT LINES! Use well-insulated tools. Even experienced
countermeasure experts can ruefully attest to the shocking power of
117 volts AC (in some cases, 220 volts AC!) and most seasoned
countermeasure tool kits contain at least one partially welded and
badly scarred screwdriver.
PHYSICAL INSPECTION OF TELEPHONES
A physical inspection of the telephone system takes some preparation.
If one is to gain anything useful from disassembling a telephone
instrument, they must first know what a normal telephone looks like.
Therefore, the security officer should examine a sampling of the
telephones in the system prior to conducting an audio countermeasure
survey in order to have a general understanding of what to expect.
This will greatly assist in recognizing an attack on the instrument.
More sophisticated attacks will not be detected in this manner as the
devices may be hidden in telephone components or modifications made to
any printed circuit boards.
The handset is examined by either unscrewing the holders for the
mouthpiece and ear piece or removing the screws holding the handset
together. The ear piece usually has only two wires attached to it
which run through the center of the handset. Seesaw these wires back
and forth to make sure nothing is in the middle. There is a small
device, called a varistor, attached between the two terminals on the
ear piece. There should be nothing else. The presence of any other
components may represent a surveillance device. Examine the mouthpiece
and the area surrounding it carefully for any abnormal signs. A common
attack is the replacement of the microphone element with a drop-in
surveillance device.
The wire leading from the telephone should be followed to the junction
box. The cover of this box or wall jack should be removed and examined
for foreign devices. Be careful to look at the inside of the covers
themselves. There should be nothing there either. Some telephone systems
use a plug called an Amphenol plug. The metal or plastic covers should
be taken off and the inside inspected. Inspect the wires from the
telephone to the wall jack.
AUDIO COUNTERMEASURES - AUTOMOBILES
Automobiles present an interesting and different set of problems. The
basic difficulty with automobiles is that they are not afforded
sufficient physical security to warrant the investment of concerted
audio countermeasure efforts upon them. Consequently, a physical
search is probably the most cost-effective countermeasure, and much of
it could be done at the same time as any search for explosive devices.
There are three viable attacks against an automobile: a voice
transmitter, a tracking transmitter or a tape recorder. A well-
conducted physical search should uncover the latter, provided, however,
that it is kept in mind that excellent quality voice activated recorders
not much larger than a couple of packs of matches are commercially
available.
Transmitters can also be easily hidden and will either be powered by
their own battery or the vehicle battery. It is important, therefore,
to measure the amount of current being drawn from the vehicle battery.
All current paths should be accounted for. Remember that an
attacker's choice of microphone placement must always be influenced by
an inherent characteristic of the automobile: noise. For this reason it
follows that the microphones must be placed as close to the potential
discussion area as possible. Thus, one would presume that in a
chauffeur-driven car, the target area would be the back seat area
rather than the front. Consequently, physical search efforts should
be concentrated in that area. In short, experience and common sense
will eventually formulate the audio countermeasure search procedures
most effective for any given situation.
The importance of the physical search cannot be overemphasized,
particularly if the audio countermeasures survey was conducted without
the benefit of a radio frequency survey. By the same token, its
effectiveness should not be underrated. It is a fact that more
electronic eavesdropping devices have been found by physical search/
examination than by any other means. Even if a good search receiver
is utilized during the audio countermeasures survey, at least 80
percent of the total man-hours expended should be devoted to the
physical search.
In summation, the audio countermeasures survey is only part of an
effective audio security program. True audio security can be gained by
the adoption of isolation and nullification techniques as well.
Although, ideally, all of the recommendations should be incorporated
into an overall audio security program, implementation of even a few
will significantly decrease vulnerability to a technical attack.