Radio Frequency Attacks

Size and Range

As in other categories of electronic eavesdropping, recent technology has been utilized to build miniaturized RF transmitters the size of a pencil eraser. These devices will transmit radio signals anywhere from 100 feet to five miles, and with the use of repeaters the reception range is even greater. The availability of these small devices is rather astonishing, with several manufacturers offering pre-concealed transmitters already packaged into such objects as smoke detectors, picture frames, clocks and ashtrays.

One of the smaller commercially manufactured transmitters is the size of an aspirin tablet, including microphone and battery, with a transmitting range of 1,000 feet. Several radio transmitters are available in prepackaged electrical lamps, power receptacles and clocks. These types have the advantage of a continuous power source, supplied directly to the transmitter, which permits a permanent installation.


All radio transmitters must modulate their basic operating frequency (carrier) to convey information to the eavesdropper's radio receiver. The eavesdropper has at his disposal a host of different modulation techniques to choose from. In addition to amplitude modulation (AM) and frequency modulation (FM), an eavesdropper could employ various other sophisticated modulation techniques including sub-carrier, pulse amplitude modulation (PAM), pulse width modulation (PWM) and pulse position modulation (PPM). Sophisticated transmission techniques such as snuggling, frequency hopping, spread spectrum and burst transmissions could also be employed to make the signal virtually undetectable.


Sub-carrier modulation is one of the most popular and attractive techniques for the eavesdropper. These devices operate by combining intercepted audio with one low frequency signal and then recombining this resulting signal with a higher frequency (carrier) signal. The resulting radio signal is very complex, and is not detectable by conventional radio receivers.


A popular procedure among eavesdroppers is the practice of snuggling. This is a relatively simple method of hiding a transmitter's signal. Regardless of the radio device's power, frequency or modulation, an additional guard against detection can be provided by carefully setting the frequency adjacent to that of a large, high-powered radio or T.V. station. By setting the transmitter frequency in this manner, the signal cannot be detected by a field strength meter or broadband radio receiver.
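The masking effect described above can be shown numerically. The following is an added example, not part of the original article: it compares the total-power reading a broadband detector responds to with a bin-by-bin narrowband pass over the same band. The sweep data, station level, noise floor, bin width and all thresholds are constructed, assumed values.

```python
import math
from statistics import median

def broadband_dbm(sweep):
    """Total power across the band: what a field strength meter responds to."""
    return 10 * math.log10(sum(10 ** (p / 10) for _, p in sweep))

def make_sweep(bug_khz=None, bug_dbm=-75.0):
    """Constructed sweep, 98.0-99.0 MHz in 10 kHz bins, as (kHz, dBm) pairs."""
    sweep = []
    for khz in range(98000, 99001, 10):
        level = -100.0                      # flat noise floor (constructed)
        offset = abs(khz - 98500)           # broadcast station centred on 98.5 MHz
        if offset <= 100:
            level = -30.0 - 0.3 * offset    # -30 dBm peak with sloping skirts
        if khz == bug_khz:
            level = max(level, bug_dbm)     # weak narrowband carrier beside it
        sweep.append((khz, level))
    return sweep

def snuggled_candidates(sweep, strong_dbm=-50.0, guard_khz=300, margin_db=10.0):
    """Narrowband pass: weak local peaks sitting within guard_khz of a strong carrier."""
    floor = median(p for _, p in sweep)
    strong = [f for f, p in sweep if p >= strong_dbm]
    hits = []
    for i in range(1, len(sweep) - 1):
        f, p = sweep[i]
        is_peak = p > sweep[i - 1][1] and p > sweep[i + 1][1]
        if not is_peak or p < floor + margin_db or p >= strong_dbm:
            continue
        if any(abs(f - s) <= guard_khz for s in strong):
            hits.append((f, p))
    return hits

if __name__ == "__main__":
    clean, bugged = make_sweep(), make_sweep(bug_khz=98650)
    delta = broadband_dbm(bugged) - broadband_dbm(clean)
    print(f"broadband reading changes by {delta:.5f} dB")
    print("narrowband candidates:", snuggled_candidates(bugged))
```

A flagged bin is only a candidate; it still has to be compared against the known legitimate signals in that part of the band.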

Carrier Current

Another popular radio transmitting method is by carrier current. Below the A.M. commercial portion of the radio frequency spectrum is a region identified as very low frequency (VLF). A different type of audio surveillance transmitter is manufactured which operates in this region but uses the electric power lines for transmission of the signals. These frequency-modulated (F.M.) devices operate between 50 kHz and 300 kHz. At these frequencies, very little radio energy is radiated into free air space. What these signals will do, however, is move along almost any wire path, including regular electric power lines and telephone lines. These transmissions are known as carrier current transmissions because of this characteristic. This is the same method of communication used by many of the wireless intercoms sold commercially.

Eavesdropping devices which use carrier currents offer two principal advantages over those which transmit through space. The signal can't typically be received anywhere along the wire between the eavesdropping device and the power source. Also, these devices are not detectable by radio receivers, R.F. sensing or other debugging equipment, since they radiate little energy into free air space.

Remote Controlled

A switch receiver or remote radio controlled device can be used advantageously with any eavesdropping radio transmitter. Sophisticated remote radio units are sold through many electronic suppliers for a multitude of purposes. This device provides the eavesdropper with the ability to control the operating time of room monitoring equipment and achieve two distinct advantages. The eavesdropper can conserve battery power and reduce chances of detection by turning the transmitter on only during the time of interest.

Spectrum analyzers are sometimes used to detect the IF signal emissions radiated from the remote control receiver, as the clandestine transmitter could possibly be switched off and not transmitting. This detection method is unreliable, as the IF signal radiated from the receiver is very weak. The spectrum analyzer's antenna must be in close proximity to the clandestine receiver to detect these emissions, and with hundreds of RF signals to resolve, it would be very easy to overlook a weak signal hidden within the noise. The only reliable method to detect these types of devices is with a Non-Linear Junction Detector (NLJD).