detect and isolate Spread Spectrum Signals and I felt it would be wise
to post this to the list as there seem to be some misunderstandings
about spread spectrum, and the level of security it provides the
very easy to detect, but tricky to demodulate. Also, Spread Spectrum
modulation methods only protect against CASUAL detection, and allow
"Multiple Access" to the frequency being used. In all reality it
provided minimal protection against detection (just the illusion or
identification of unknown signals it's a serious liability to rely too
heavily on demodulation analysis. Of course it is typically not a TSCM'ers
job to demodulate the signal, but to isolate and locate what is
generating the signals.
threat associated with spread spectrum eavesdropping signals.
preamplifier, and low loss cables to collect and concentrate as much of
the signal as possible. This is important as SS eavesdropping devices
commonly place the signal "on top of" an already occupied band (such as
the FM band)
sweep the frequency range being monitored as quickly as possible (at
least 100 times per second).
characterized. This is done by allowing the equipment to warm up and
performing self alignment. Next disconnect the antenna and terminate
the cable with a lab grade terminator. Generate a noise floor
correction table, but ensure that each table covers no more than
200-250 MHz of spectrum (typically 4096 correction points per 250 MHz
the antenna sensitivity patterns.
polarization) of the antenna has utilized.
series of traces (one for each antenna position). The traces which show
a noticeable increase in the noise floor will require further
investigation. Remember that we are looking for "virtually invisible"
signals, so analysis of the noise floor is critical.
of the signal (or noise floor hump) is centered on the display, with
the center of the first side lobes placed on the far edges of the
frequency domain display. See the attached image to see what this
should look like (it's the trace on top)
oscilloscope or digitizer. Apply a bandwidth filter that is roughly the
width of the primary lobe, and optimize the amplitude and X-axis to
stabilize the display (using a threshold trigger will be helpful).
pulse width or duration. Also, record the width of the main lobe. In
the attached file the trace located at the bottom of the display is in
the time domain, with pulse rate indicated by markers.
frequency to a list of known spread spectrum signals to determine what
is creating the signal (in the attached example a Spread Spectrum
telephone chip was used).
domain. Next obtain a signature of the signals by bandwidth (of the
main lobe) and pulse repetition frequency. Then simply look up the
signature to determine components (or product) being used, and if
desired set up to demodulate.
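
Added example (not part of the original post): the noise floor comparison
and signature lookup described above, sketched in Python. It treats the
width of the region raised above a terminated-input baseline as a stand-in
for main lobe bandwidth; all traces, thresholds, tolerances and signature
entries are constructed or hypothetical.

```python
def find_hump(freqs_mhz, trace_dbm, baseline_dbm, rise_db=3.0):
    """Return (start_mhz, stop_mhz, width_mhz) of the widest contiguous run
    where the trace exceeds the terminated-input baseline by rise_db, or None."""
    best, start = None, None
    excess = [t - b for t, b in zip(trace_dbm, baseline_dbm)]
    for i, e in enumerate(excess + [float("-inf")]):  # sentinel closes last run
        if e >= rise_db and start is None:
            start = i
        elif e < rise_db and start is not None:
            lo, hi = freqs_mhz[start], freqs_mhz[i - 1]
            if best is None or hi - lo > best[2]:
                best = (lo, hi, hi - lo)
            start = None
    return best

def match_signature(width_mhz, prf_khz, signatures, tol=0.10):
    """Return names of entries whose width and pulse repetition frequency
    are both within a fractional tolerance of the measurement."""
    return [s["name"] for s in signatures
            if abs(width_mhz - s["width_mhz"]) <= tol * s["width_mhz"]
            and abs(prf_khz - s["prf_khz"]) <= tol * s["prf_khz"]]

# Constructed sweep: 1 MHz steps, 88-108 MHz, flat -100 dBm baseline
# standing in for the noise floor correction table.
FREQS = [88 + i for i in range(21)]
BASELINE = [-100.0] * 21
# Constructed traces, one per antenna position; position "B" shows a hump.
TRACES = {
    "A": [-99.5] * 21,
    "B": [-99.5] * 6 + [-96.0, -94.0, -93.0, -92.5, -93.0, -94.0, -96.0] + [-99.5] * 8,
}
# Constructed signature list (hypothetical entries, not real products).
SIGNATURES = [
    {"name": "example-chip-1", "width_mhz": 6.0, "prf_khz": 32.0},
    {"name": "example-chip-2", "width_mhz": 20.0, "prf_khz": 100.0},
]

def survey(prf_khz_by_position):
    """Flag antenna positions with a raised noise floor and look up matches."""
    report = {}
    for pos, trace in TRACES.items():
        hump = find_hump(FREQS, trace, BASELINE)
        prf = prf_khz_by_position.get(pos)  # PRF measured in the time domain
        found = hump is not None and prf is not None
        names = match_signature(hump[2], prf, SIGNATURES) if found else []
        report[pos] = (hump, names)
    return report

if __name__ == "__main__":
    print(survey({"B": 31.0}))
```
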
long, and high threat entries should be marked in bold.
isolate, and locate virtually any spread spectrum device on earth.
Direct Spread Spectrum, Frequency Hopping, Chirp, and so on may all be
detected and located in the same way.
searching for a variety of signals.
just enough space for a 9 volt battery, electret microphone, and small
controlled), and a 70 MHz maximum signal spread.
for cordless consumer telephones.
-72.4 dBm signal reading was taken at a distance of under 3 feet using
a tuned antenna. Once a 25 dBm preamplifier was used and the antenna
polarization matched to the device a detection range of several hundred
feet was obtained.
copper-to-copper connection to be just under 3.5 mW.
very poor and almost looked "homebrew".
are being openly sold (in Spy Shops) for over 10 times that amount.
highly directional antenna such as a log periodic with a preamplifier.
TO CONTACT THE AUTHOR
Web Site: Http:www.tscm.com