[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Spread Spectrum Update



===========================================
TSCM-L Technical Security Mailing List
Monday, July 14 1997

Postings: [email protected]
Unsubscribe: [email protected]
Subscribe: [email protected]
Admin: [email protected]
===========================================


Several weeks ago I had a chance to examine a number
of spread spectrum microwave bugging devices.

Since that time I've conducted some analysis and
gathered further intelligence on the circuit.

Here are a few of my observations.


======= C O N F I D E N T I A L ========


1) Most of the products use a high bandwidth QPSK/BPSK
modulator, multi channel audio CODEC, and a RISC
micro-controller chip (all components are either
surface mounted ICs or multiple dice potted in epoxy).

2) RF Circuit seems to be a simple homodyne audio
transmitter (6 Ghz Gilbert Cell Mixer) which is driven
by a single CPU/microcontroller (with a clock speed of 180 Mhz).

3) Frequencies used for the ultra low power device are
clean from 130 Mhz to 4 Ghz, circuit starts to fail
above 5.5 Ghz (but is still operable to about 8 Ghz).

4) Emitter is driven directly from vector modulator chip,
with no power amp circuits. PIN diode found on output
appears to provide gain control or disconnect of
circuit, but provides no amplification of signal.

5) Noise floor of circuit is -135 dBm (below 2 ghz),
-142 dBm (2-4 ghz), and -150 dBm above 4 Ghz.

6) Signal has a variable bandwidth which varies between
350 Mhz and 900 Mhz. Appears to be designed for a
900 Mhz bandwidth signal. Device operates "deep" inside
the noise floor.

7) Virtually impossible to detect at close range with a
conventional RF spectrum analyzer (492/494/8566/etc).

8) Detectable with most wideband systems (with IF BW
above 300 - 900 Mhz, 700 Mhz ideal).

8) VCC = +3.0 VDC, all circuits functional 2.3 to 6.8 VDC

9) Output applied to PIN diode ranges between -28 and
-42 dBm (depending on frequency and span)

10) Device enters some type of sleep mode when power
is present but audio level is low (seems to auto
squelch). Total current draw when in sleep mode is 12
�A. Device does not emit RF energy when in sleep mode.

-------------

11) One of the devices has no type of connection for
external power, but instead uses a uses a network of
Schottky diodes and capacitors which constitute an
effective RF to DC converter.

12) The RF to DC circuit requires an un-modulated 10-15
Ghz RF signal, and seems to respond well to X-Band
microwave motion detectors used for many corporate
alarm systems.

13) Device also has a small microphone built onto the
circuit, microphone measures 4.5mm * 1.6mm * 4.1mm.

14) Entire device measured 3.2 cm * 5.2 cm and about 3
mm thick (or about the thickness of a standard
business envelope).

15) Device contains some type of adhesive on both
sides of a foil backing. Suspect it's applied as some type
of "sticky label". Once the device is installed any
attempt to remove results in its total destruction
(unless you freeze it off).

16) The French government has been know to use a
similar device in some of its "Diplomatic" activities.


-jma

========================================================================
"For those who risk, life has a flavor the protected shall never enjoy."
========================================================================
James M. Atkinson Phone: (508) 546-3803
Granite Island Group - TSCM.COM
127 Eastern Avenue #291 http://www.tscm.com/
Gloucester, MA 01931-8008 [email protected]
========================================================================
The First, The Largest, The Most Popular, and The Most
Complete TSCM Counterintelligence Site on the Internet
========================================================================