What is TSCM?

by Mark Rowe

What is TSCM? And how is it carried out? Peter Clements, pictured, Director, Templepan Security Systems Ltd, offers some practitioner answers.

The TSCM (Technical Service Counter Measures) inspection is a check to ensure that there is no possibility of conversations being overheard by others, normally in an office or meeting place. A TSCM survey is the service provided by qualified personnel to detect the presence of surveillance devices and hazards and to identify technical security weaknesses. It is also to ensure that there is nothing that could compromise the security and confidentiality of an area by the use of technical audio surveillance devices. The purpose of this article therefore is to provide a basic understanding of TSCM. A reasonably high level of technical skill is required to carry out ECM inspections, and a logical approach to this technical process, with suitable training on the equipment used, is essential.

The definition of TSCM could include other technical subjects: COMSEC (communications security), ITSEC (information technology security) and physical security, as these are all related subjects.

The subject of TSCM has often been shrouded in secrecy by those that carry out the inspection. We believe that, while the timing and location of this should be confidential, the actual work involved can be discussed within a security environment, to achieve the best working practices. In permanent facilities, scans and technical searches should take place during working hours if possible although this rarely happens due to the presence of staff which would make TSCM work more challenging.

The advent of multimedia devices and remote control technologies allows huge scope for removal of data in very secure environments by the staff employed within, with or without their knowledge. Checks covering all these new developments must be included in the inspections.

Very sensitive radio detection equipment is used to look for magnetic fields, or for the characteristic electrical noise emitted by radio circuits although where there are many computers, photocopiers, or other pieces of electrical equipment, detection of transmitting bugs can be more demanding.

Another method is using accurate thermal imaging cameras to detect residual heat given out from a listening device (a bug), or from its power supply that may be concealed in a wall or ceiling. The listening device could be found by locating a hot spot which the device generates and this can be detected by the thermal camera.

Threats to identify

1) Electronic devices which are recording or relaying audio or video by radio transmission, infra-red transmission, hard wired circuits, mains circuit transmission and window vibration systems.
2) Illicit radio transmitters, voice or data recorders.
3) Interception of land line telephones and their cabling.
4) Mobile phone and Wi-Fi bugs.
5) Other audio or video path travelling out of the area.

Order of sweep

The sweep is normally conducted in the following order:

1) The physical search
2) The “Near Field” radio frequency search
3) Mobile phone detection sweep
4) Telephone line and cable analyser
5) Radio Spectral analysis inspection
6) The Non-Linear Junction sweep
7) Video camera with audio detection
8) Wi-Fi bugging devices
9) Other searches can be made which are not covered by this report and will be discussed later.

The physical search

The most important part of any ECM sweep is the physical search. This is carried out to ensure there is nothing physical to see that is suspicious. We recommend that the sweep starts at a fixed point in the room, say the door, and the search is completed in a logical order around the room including the door itself. This search applies to the walls, ceilings and floors. Many eavesdropping devices will require a constant power supply, so electrical points, telephone sockets and data points with their cables should be carefully examined.

With great care visual checks should be made behind pictures, mirrors, clocks, objets d’art, and furniture. If the ceilings are false, these should be checked with cameras for microphones and unidentified cables. If there is a lighting well in the ceiling, physical checks using suitable mirrors and pole cameras should be made. During this process great care should be taken not to disturb fire sprinklers or fire detectors.

An inspection should be made to look for concealed hardware, equipment modifications and for evidence of previous entry or disturbance (marks in dust or chipped ceiling tiles for example). This is not an exhaustive list of searches and these will vary according to local conditions. A common sense approach is required to complete the physical search. The use of an ultra violet marker pen is useful to mark fixing screws on electrical boxes. During subsequent inspections, these can be inspected with a UV torch. Tamper evident labels can also be used.

“Near Field” radio search

This is probably the most straightforward part of the TSCM inspection. Using suitable hand held equipment, the strongest radio signal in the room can be immediately heard. The strongest signal is normally a transmission which is very close to the receiver and will normally be stronger than a broadcast station or a distant but more powerful transmission. One needs to walk through the room and move the antenna through 180 degrees whilst doing so to receive devices operating with different aerial polarity. Once a strong analogue signal is received the detector can demodulate it automatically so the signal can be listened in to. With digital transmissions a different approach is required which will be described in a later update.

Mobile phone detection

Since mobile phone bugs use the same technology as mobile phones themselves they are very efficient and work extremely well. To detect mobile phone signals is straightforward with a suitable hand held mobile phone detector, but what takes more time is to identify the device itself.

In the unlikely event that the office telephone network is analogue, as may be found in a private house, tapping the line would be straightforward. Most telephones used in commercial telephone equipment will be digital. The best way for an eavesdropper to intercept the digital line telephone is to use the phone’s internal analogue signal i.e. direct connection to the telephone’s microphone or the earphone wiring. Telephone analysing equipment can also be used for detecting digital telephone taps, and is an essential tool for checking phone lines and cables.

Radio Spectral Analysis inspection

We recommend the use of sophisticated radio frequency spectral analysis software coupled with a software defined receiver. This set up will enable the user to “see” all radio transmissions in the vicinity up to 16 MHz wide per screen shot. Different aerial lengths will determine the sensitivity achievable with this equipment although there is no point in trying to receive the radio stations from miles away so normally the sensitivity is kept quite low. However it can be set so that transmissions from an average sized office floor can be detected 10-35 metres or more away thus enabling a suite of offices to be checked for RF transmitting devices as one area thus saving time. To estimate the distance over which transmissions are detected a low power test bug can be used and positioned some distance from the receiver and its detection by the receiver will show the range of the receiver.

Spectral analysis is a very efficient form of sweeping for illicit signals. It is used by the military and by governments as their first line of checks. When using other types of communications receiver for detecting transmissions one can normally only select one frequency at a time, making the work very time consuming. Each ripple or peak on the spectral analysis plot represents a radio transmission and hundreds of these can be seen on the screen at once. Each of these can be further analysed for its type of modulation, frequency (to 3 kHz), and its signal strength and, if not digital, they can be demodulated and listened to. Using the correct options many other functions can be selected, for example a continuous sweep of the frequency bands can be achieved in three seconds. A recording can be made of all RF signals received above preset signal strengths. This type of equipment can also be set to operate remotely and controlled using the internet.

Spectral analysis will visually show the operator transmissions of all types such as radio microphones, analogue or digital devices, indeed any device or radio station that is using the electromagnetic spectrum. No other system does this so well with such accuracy and detail. Training on its use is required and Templepan can provide the equipment and training.
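The threshold-based recording described above, as an added example (not Templepan's software and not code from the article): it groups contiguous bins of one sweep that exceed a preset strength into signals, then sets aside those matching a list of transmitters already accounted for. The bin width, threshold, frequencies, the known-transmitter list and all function names are assumptions constructed for illustration.

```python
# Added example: pick out signals in one spectral sweep that exceed a preset
# strength. Every value here is constructed for illustration.

BIN_HZ = 3_000          # assumed bin width, matching the 3 kHz resolution quoted above
THRESHOLD_DBM = -70.0   # assumed preset signal strength


def find_signals(sweep_dbm, start_hz, threshold_dbm=THRESHOLD_DBM, bin_hz=BIN_HZ):
    """Group contiguous bins above the threshold into one signal each."""
    signals, run = [], []
    # The -inf sentinel closes a run that reaches the last bin of the sweep.
    for i, level in enumerate(list(sweep_dbm) + [float("-inf")]):
        if level > threshold_dbm:
            run.append(i)
        elif run:
            peak = max(run, key=lambda k: sweep_dbm[k])
            signals.append({
                "freq_hz": start_hz + peak * bin_hz,   # frequency of strongest bin
                "peak_dbm": sweep_dbm[peak],
                "width_hz": len(run) * bin_hz,         # occupied bandwidth
            })
            run = []
    return signals


def unexplained(signals, known_hz, tolerance_hz=BIN_HZ):
    """Return signals not within tolerance of any already-identified frequency."""
    return [s for s in signals
            if all(abs(s["freq_hz"] - k) > tolerance_hz for k in known_hz)]


def build_sample_sweep():
    """Constructed sweep: flat noise floor with three emitters."""
    sweep = [-95.0] * 200
    sweep[40:43] = [-72.0, -55.0, -71.0]                   # narrow signal
    sweep[120:125] = [-68.0, -60.0, -48.0, -61.0, -69.0]   # wider signal
    sweep[199] = -65.0                                     # signal at the sweep edge
    return sweep


START_HZ = 433_000_000                 # constructed start of the sweep window
KNOWN_HZ = [START_HZ + 41 * BIN_HZ]    # constructed: transmitter already accounted for

if __name__ == "__main__":
    found = find_signals(build_sample_sweep(), START_HZ)
    for s in unexplained(found, KNOWN_HZ):
        print(f"{s['freq_hz'] / 1e6:.3f} MHz  {s['peak_dbm']} dBm  {s['width_hz']} Hz wide")
```
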

The use of a Non-Linear Junction detector needs to be very thorough – patience and thorough training are required. The NLJD transmits a signal, normally at about 800 MHz, and is then moved near to the suspect area. If a non-linear junction is found an alarm tone or LED lights are activated to alert the user. A non-linear junction is normally present in most electronic equipment, therefore if one is detected suspicions should be raised that it could be part of a listening device.

The NLJD is ideal for sweeping walls and other areas where an electronic device could be hidden but cannot be found by other means as it is not necessarily switched on and has no current flowing to be detected. NLJDs do have their drawbacks and one of them is that their sensitivity requires careful adjustment. Otherwise they will alarm when tiny fragments of rust or even a couple of paper clips are detected. When used conscientiously the NLJD is an excellent detection device.

Visit http://www.templepan.com.


© 2024 Professional Security Magazine. All rights reserved.
