Your browser version is outdated. We recommend that you update your browser to the latest version.

RF Detection


Transmitter detection is a tricky process.

The bad guy has the entire radio frequency spectrum to choose from. And has a whole host of different modulation techniques to use. Modulation techniques control how the sound is transmitted. Common ones include those you use every day: Amplitude Modulation (AM), Frequency Modulation (FM), Narrow Band FM, and others. More exotic modulation types include single side band, subcarrier, spread spectrum, frequency hopping and various other digital types where the analog audio is converted into data.

Transmitters can operate on frequencies as low as 50 kHz, using the AC power lines or telephone lines to carry the signal. Transmitters can operate up into the microwave frequencies, too.

The TSCM technician does not know what background, ability and equipment the bad guy has, so the entire spectrum and all of the different modulation techniques have to be considered and examined.  Plus, there really is no way to tell how much power the eavesdropping transmitter has. It might be an 80 milliwatt transmitter that will go several hundred yards or a much weaker transmitter that only has to transmit a few dozen feet to a hidden receiver. This makes the RF sweep a detailed and time consuming task.  Quick and easy is not a concept that good RF TSCM technicians are familiar with.

Frequency Coverage
Traditionally, the frequencies covered during a TSCM sweep start just above sound and end in the microwave ranges.

Our equipment can detect transmissions as low as 50 kHz. Transmitters using frequencies this low generally do not use radiating antennas since they would have to be way to long for concealment.  Instead, low frequency eavesdropping transmitters make use of existing building wiring; their signals are carried on the AC wiring or are coupled onto the telephone or LAN wiring. The signals from these sources only radiate a few inches from whatever wiring they use.  Our RF detection equipment couples directly to building AC and telephone wiring so any signals carried by the wiring can be picked up right away. 

Most RF detection equipment tops out at 1000 Megahertz. And currently 98% of all eavesdropping transmitters will be found below this threshold.  In fact, 98% of all radio signals that the TSCM technician has to evaluate are below 1000 MHz.

This means that at least 2% of the signals are going to be above the 1000 MHz threshold. There are products that can be used for eavesdropping that operate as high as 10.5 GHz that can be bought for under $250 at consumer electronics stores or on line . We recognize this escalation of frequency range as a serious problem.

Our equipment will detect transmitters operating at 12 times higher than the traditional range. We continually ask the question "how high is high enough?" Currently, we put the ceiling at 12 GHz. When we recognize a realistic threat higher than 12 GHz, we will extend the range of our sweeps to cover.

Area of Coverage
Our arsenal of RF detection equipment includes new technology software-defined-radio (SDR) spectrum analyzers, capable of many amazing things.  We also use a laboratory standard spectrum analyzer, ISA's ECR-2. Spectrum analyzers are the tool of choice for all major TSCM providers. The ECR-2 analyzer can cover a large area --up to 32,000 square feet in one sweep. The reason we can sweep such a large area is that the ECR-2 has remarkable sensitivity. High sensitivity is the ability to detect weak signals from a distance. To be certain of detecting even low powered transmitters, we calibrate the area prior to the sweep using low power RF sources to make sure that even the lowest power signal will be detected.  The SDR analyzer is much faster in collecting RF data and is utilized for spectrum monitoring during sweeps and meetings.

All equipment selected for use by TSCM Technical Services is carefully evaluated to make sure the sweep is as accurate and efficient as current technology allows.

Computer Control
Computer control automates the RF sweep and makes it much more accurate. It also frees up a technician for other activities and tasks. Manual RF sweeps can take upwards of 1 to 2 hours. Using computer control, a sweep usually takes less than twenty minutes of actual operator time.

It also lets us compare signals outside a facility to signals inside, detecting transmitters more efficiently. All RF sweeps are archived in the computer for reporting capability and for comparison against previous sweeps at a facility speeding up the survey.

An important feature of this software is the ability to detect a wide variety of burst and intermittent signals, frequency hopping signals, and spread spectrum transmitters.  This type of transmission can be very easily missed using traditional RF testing techniques and the transmitters themselves are becoming smaller, more efficient, and more common, so the capability to detect them has become quite important.

Other Techniques
Video signals are examined to determine if they are transmitting pictures of the area being swept. This is done though actual video displays and by use of waveform analysis techniques.

All digital telephones are tested for RF emanations.

Telephone lines for distances around the site of the survey are examined with the RF spectrum analyzer to detect transmitters located at remote from the site.

AC power lines are tested for RF transmissions.

CATV cabling is tested, also.

On-site Monitoring
To protect sensitive meetings, we can monitor the RF spectrum in real-time during the meetings.   This technique will detect the activation of a cellphone or other transmitter in the area during the meeting. Although we can assure you that the area is clean when the sweep is completed, we can not prevent a device from being carried into the area after we have completed the survey.  Devices could be carried in by service personnel or could consist of a cell phone configured for auto-answer brought into the meeting by an unfriendly participant.

Real time monitoring is the best way to safeguard against persistent and highly technical attacks.