1998-01-20 - Re: Locating radio receivers

Header Data

From: Dave Emery <die@die.com>
To: Eric Blossom <eb@comsec.com>
Message Hash: c1a533ac89582a901d7aada743c7d4452704e67b78dd62143eade3ea9f4f77f4
Message ID: <19980120015007.64178@die.com>
Reply To: <E0xtbs7-0004Rk-00@heaton.cl.cam.ac.uk>
UTC Datetime: 1998-01-20 06:58:51 UTC
Raw Date: Tue, 20 Jan 1998 14:58:51 +0800

Raw message

From: Dave Emery <die@die.com>
Date: Tue, 20 Jan 1998 14:58:51 +0800
To: Eric Blossom <eb@comsec.com>
Subject: Re: Locating radio receivers
In-Reply-To: <E0xtbs7-0004Rk-00@heaton.cl.cam.ac.uk>
Message-ID: <19980120015007.64178@die.com>
MIME-Version: 1.0
Content-Type: text/plain

On Mon, Jan 19, 1998 at 01:55:55PM -0800, Eric Blossom wrote:
> > Kay Ping wrote on 1998-01-16 22:02 UTC:
> > > Radio links are perfect for hiding the location of receivers.
> > 
> > Actually, this is only true for extremely carefully shielded military
> > receivers and not for normal radios. Every receiver contains a local
> > oscillator to bring the signal down to intermediate frequency (IF), which
> > is emitting EM waves itself. In addition, the IF signal is emitted
> > as well.
> > 
> > As Peter Wright reported in his autobiography, British counterintelligence
> > (MI5) used vans and planes already in the 1950s to detect spys while
> > they received radio communication messages from Moscow and to protocol,
> > which frequency bands the embassies were monitoring (operation RAFTER).
> > Efficient receiver detection is an active process: You send out short
> > bursts of a wideband jamming signal and try to find the downtransformed
> > intermediate frequency equivalent of your burst in the compromising
> > emanations of the receiver. This way, you get not only the location of
> > the receiver, but also the precise frequency to which it is tuned.
> > 
> > Locating radio receivers within a radius of many hundred meters this way
> > was already state of the art in the spook community over 40 years ago,
> > so you can safely assume that with digital signal processing, the
> > performance parameters of modern systems have been increased
> > significantly. Sending out spread-spectrum style pseudo-noise signals
> > in the active probing bursts could give you in modern receiver detectors
> > a considerable signal gain.
> > 
> > Markus
> Hi,
> I talked to some RF guys about the RAFTER attack about a year ago.
> Their opinion was that since modern receivers have GaAs FET mixers,
> they don't leak the LO or IF out the antenna like the old fashioned
> inductor based mixers did.
> This should be trivial to confirm with a spectrum analyzer.
> Eric

	This varies a great deal.  Generally cheap vhf/uhf scanners and
the like radiate quite a bit of energy and can be easily seen on a
spectrum analyzer at hundreds of feet (with no special effort).   A good
bit of energy escapes many scanners through the cheap and poorly
shielded plastic case and power cords rather than leaving via the
antenna, so even if a good broadband preamp is used between the antenna
and the input of the scanner - which should effectively eliminate LO
radiation from going out the antenna because the preamp is going to have
to have a great deal of loss for energy routed through it backwards
(output to input) or it would be unstable and oscillate -  the signals
radiated from the radio itself and the power cord will give it away.

	First local oscillator energy is the most easily seen radiation
from scanners - IF radiation is much lower in level in most modern 
gear because of the very short lead lengths and comparitively low signal
levels and good decoupling from the antenna - IF frequencies (save the
first IF on many scanners) are low enough so the component leads don't
act like a very good antenna because they are such a tiny fraction of
a wavelength.

	High grade military/spook class receivers are much better
shielded, some in fact to TEMPEST level specs,  and don't have the
problems that most  cheap scanners for hobbiests have.  If used with a
good preamp ahead of them they are very hard to detect if the shielding
is intact and undamaged (which may or may not be the case for a unit
that has been kicked around for years and carelessly repaired and

	But a fair number of modern HF (2-30 mhz)  communications
receivers and transcievers use no or very little RF amplification before
the first mixer in order to maximize dynamic range and third order
intercept and their 1st LO's (usually in the low VHF range) are not as
well isolated from the antenna.

	However, most modern receivers use synthesized local oscillators
phase locked to a local crystal oscillator and the LO is not as likely
to be detectably modulated by the audio the receiver is receiving as was
the case with the vacuum tube era communications receivers in the RAFTER
era that used free running LC tuned oscillators.   Power supply regulation
and decoupling is much better in modern gear, and this combined with
the use of phase locked synthesized oscillators means that while it may
be possible to detect radiation from the receiver LO, it is not as easy
to detect fm and am sidebands coming from the receiver audio which was
the basis of a lot of RAFTER work.

	But sensitive spectrum analyzers are available and not uncommon
these days, so anyone who is trying to operate an undetected receiver
for any serious purpose now has the tools to determine just how much his
gear is radiating.   Of course the detection gear has gotten better too,
but careful shielding up to and including faraday cages, use of good
preamps and circulators and use of spectrum analyzers to check for stray
radiation makes it less likely that someone will  easily find a
carefully hidden receiver than in the past.   But a plastic cased
consumer grade scanner from Radio Shack may be detectable a half mile
away... or more...

	Dave Emery N1PRE,  die@die.com  DIE Consulting, Weston, Mass. 
PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2  5D 27 BD B0 24 88 C3 18