Understanding Spread Spectrum Microwave Bugging Devices For Countermeasures Professionals

By James Atkinson, Granite Island Group
Web Site: http://www.tscm.com
Email: jmatk@tscm.com


Several weeks ago I had a chance to examine a number of spread spectrum microwave bugging devices. Since that time I've conducted some analysis and gathered further intelligence on the circuit. Here are a few of my observations.


1) Most of the products use a high bandwidth QPSK/BPSK modulator, multi-channel audio CODEC, and a RISC micro-controller chip (all components are either surface mounted ICs or multiple dice potted in epoxy).

2) RF circuit seems to be a simple homodyne audio transmitter (6 GHz Gilbert Cell Mixer) which is driven by a single CPU/microcontroller (with a clock speed of 180 MHz).

3) Frequencies used for the ultra low power device are clean from 130 MHz to 4 GHz; circuit starts to fail above 5.5 GHz (but is still operable to about 8 GHz).

4) Emitter is driven directly from vector modulator chip, with no power amp circuits. PIN diode found on output appears to provide gain control or disconnect of circuit, but provides no amplification of signal.

5) Noise floor of circuit is -135 dBm (below 2 GHz), -142 dBm (2-4 GHz), and -150 dBm above 4 GHz.

6) Signal has a variable bandwidth which varies between 350 MHz and 900 MHz. Appears to be designed for a 900 MHz bandwidth signal. Device operates "deep" inside the noise floor.

7) Virtually impossible to detect at close range with a conventional RF spectrum analyzer (492/494/8566/etc).

8) Detectable with most wideband systems (with IF BW above 300 - 900 MHz, 700 MHz ideal).

9) VCC = +3.0 VDC, all circuits functional 2.3 to 6.8 VDC.

10) Output applied to PIN diode ranges between -28 and -42 dBm (depending on frequency and span).

11) Device enters some type of sleep mode when power is present but audio level is low (seems to auto squelch). Total current draw when in sleep mode is 12 µA. Device does not emit RF energy when in sleep mode.

12) One of the devices has no type of connection for external power, but instead uses a network of Schottky diodes and capacitors which constitute an effective RF to DC converter.

13) The RF to DC circuit requires an unmodulated 10-15 GHz RF signal, and seems to respond well to X-Band microwave motion detectors used for many corporate alarm systems.

14) Device also has a small microphone built onto the circuit; microphone measures 4.5 mm * 1.6 mm * 4.1 mm.

15) Entire device measured 3.2 cm * 5.2 cm and about 3 mm thick (or about the thickness of a standard business envelope).

16) Device contains some type of adhesive on both sides of a foil backing. Suspect it's applied as some type of "sticky label". Once the device is installed any attempt to remove results in its total destruction (unless you freeze it off).

17) The French government has been known to use a similar device in some of its "Diplomatic" activities.
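
The observations above about the 900 MHz bandwidth, operation inside the noise floor, and detection with a wide IF can be put into numbers with a simplified link budget. This is an added example, not the author's measurement or tooling. It assumes a flat noise-like spectrum, free-space loss with 0 dBi antennas, and a low-SNR energy detector (deflection = SNR * sqrt(dwell * bandwidth)); the radiated level is taken as the -28 dBm upper figure from the list, and the 3 m distance, 2 GHz centre frequency, 20 dB receiver noise figure and 1 ms dwell are all constructed values.

```python
import math

C = 299_792_458.0      # speed of light, m/s
KT_DBM_HZ = -174.0     # thermal noise density near 290 K, dBm/Hz

def fspl_db(distance_m, freq_hz):
    """Free-space path loss between isotropic antennas (assumed geometry)."""
    return 20 * math.log10(4 * math.pi * distance_m * freq_hz / C)

def input_snr_db(tx_dbm, sig_bw_hz, rx_bw_hz, distance_m, freq_hz, nf_db):
    """SNR inside the receiver bandwidth for a flat, noise-like emitter."""
    rx_total = tx_dbm - fspl_db(distance_m, freq_hz)
    # Only the slice of the spread signal that falls in the filter is captured.
    captured = rx_total + 10 * math.log10(min(rx_bw_hz, sig_bw_hz) / sig_bw_hz)
    noise = KT_DBM_HZ + nf_db + 10 * math.log10(rx_bw_hz)
    return captured - noise

def floor_rise_db(snr_db):
    """How far the displayed noise floor lifts when the signal is added."""
    return 10 * math.log10(1 + 10 ** (snr_db / 10))

def radiometer_margin_db(snr_db, rx_bw_hz, dwell_s):
    """Energy-detector deflection in dB: SNR_dB + 5*log10(dwell * bandwidth)."""
    return snr_db + 5 * math.log10(dwell_s * rx_bw_hz)

def survey(tx_dbm=-28.0, sig_bw_hz=900e6, distance_m=3.0, freq_hz=2e9,
           nf_db=20.0, dwell_s=1e-3, rx_bws=(100e3, 1e6, 700e6)):
    """Compare narrow analyzer filters with a 700 MHz IF (constructed scenario)."""
    rows = []
    for bw in rx_bws:
        snr = input_snr_db(tx_dbm, sig_bw_hz, bw, distance_m, freq_hz, nf_db)
        rows.append((bw, snr, floor_rise_db(snr),
                     radiometer_margin_db(snr, bw, dwell_s)))
    return rows

if __name__ == "__main__":
    for bw, snr, rise, margin in survey():
        print(f"BW {bw / 1e6:7.1f} MHz  SNR {snr:6.2f} dB  "
              f"floor rise {rise:4.2f} dB  detector margin {margin:6.2f} dB")
```

Under these assumptions the in-band SNR is the same at every filter width, so narrowing the resolution bandwidth only shows a sub-dB lift in the floor, while the wide IF gains detection margin from its larger time-bandwidth product.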