COUNTERMEASURES OPERATIONS AND HIDDEN OPPORTUNITIES
An Advanced Manual
Compiled By Ralph D. Thomas
This is a rundown on utilizing high tech gear and methods to conduct
professional countermeasures. We are going to start with a detailed
rundown on the use of one of the most popular basic countermeasures kits,
the CPM-700. After going through an explanation of the
use and testing functions of this piece of equipment, we will cover some
other typical gear and methods needed to conduct professional countermeasures
services. You'll also find material in this article on going way above
and beyond mere eavesdropping detection and approaching it as an overall
information security and investigative service, which opens up many avenues
of additional income for you. I like to think of these as hidden opportunities
that provide valuable services for your clients and help you grow your
business with add-on services at the same time. However, before
we go into the proper approaches for hidden opportunity, let us first review
a major piece of really professional equipment. I have chosen the CPM-700
because of its superior quality and functions compared to many of the
other types of countermeasures gear in its class on the marketplace today.
By reviewing this, you'll get a basic grasp of countermeasures services
at the minimum level needed today in the business world. At the end of this
extensive article, I have also included many other articles you can read
concerning the countermeasures business and countermeasures as a professional
service.
OVERALL REVIEW OF THE CPM-700 COUNTERMEASURES UNIT
The CPM-700 is a broadband receiver designed
to detect and locate all major types of electronic surveillance devices
including room, phone, body bugs, video transmitters, and tape recorders.
It can also be used to perform countermeasures checks on telephones and
telephone lines (even multi-line telephone systems), electrical outlet
testing for carrier current eavesdropping, IR (infrared) audio carrier
tests, laser carrier and microwave detection, as well as video camera detection.
It will also help detect acoustic leakage problems in relation to walls,
pipes and air ducts, perform tests of unknown wiring, perform sweeps of
vehicles for bumper beepers and tracking devices, and perform computer Tempest
comparison tests.
The CPM-700 sweep kit includes a custom Cordura
case that contains all items necessary to conduct a professional sweep.
Broadband receivers such as the CPM-700 provide
a very important cost-effective tool for professional sweep teams, government
security personnel, and private citizens with important security needs.
The CPM-700 is very effective for rapidly detecting
and locating transmitted signals, while being very easy to learn to use.
There are several "copies" of the CPM-700
on the market because of its success as a product. While some of the copies
may be cheaper, they do not provide the frequency performance and sensitivity
nor the massive extended options available with the CPM-700.
We guarantee it!
The CPM-700 will uncover hidden devices and
all major categories of electronic surveillance quickly, easily and silently,
with five of the most desired sweep functions built into one package:
Room, phone and body bugs that are transmitting your conversations.
Video transmitters watching your every move.
Vehicle tracking beepers giving away your location.
Infinity bugs, hook switch by-pass or reversals "turned-on"
to your conversation.
Computer, Fax or Telex transmitters "reading" your information.
Wired microphones listening inside a wall.
Even at high security levels where a spectrum analyzer may be employed,
the CPM-700 is an invaluable tool for detecting
ultra-sophisticated frequency hopping and "burst" bugs. The ALARM
MONITOR MODE protects you after a sweep by continuously checking for new
devices brought in, remote control activation, near-by two-way communications
and phone line tampering. RECORD ON TAPE while you are away storing evidence
of sounds of an eavesdropper installing a bug or tap, noises of an intruder
"snooping" in your office or unauthorized usage of your equipment.
FEATURES
Rapid detection and location of electronic surveillance.
Ease of operation, highly effective with limited training.
Silent covert detection and location "gives you the advantage".
High R.F. sensitivity can locate a bug as low as 1 microwatt.
Total spectrum coverage from 200Hz to over 3GHz with no holes or gaps.
Active R.F. and V.L.F. probes "pump" signals for lower noise
and more sensitivity.
Optional probe extensions allow unit to monitor remote locations.
Balanced high gain audio input with AGC and filter.
Portable Sweep Kit - provides everything needed to perform a professional
sweep; fits inside a standard briefcase.
Multi-Functional Utility - Comes with probes to detect RF transmitters
(audio and video), carrier current transmitters, and telephone bugs. Probes
also available to detect for infrared transmitters and tape recorders.
Wideband Coverage - from 200Hz to over 3GHz with no holes or gaps.
Monitor Mode - after a sweep, the alarm monitor (silent or audible
alert) guards against new devices brought in or remote control activation
of surveillance devices.
Auxiliary Audio Input - allows user to listen to telephones or lines
for hotmikes, hookswitch by-pass and infinity bugs. Unknown wires and cables
can be tested for wired microphones.
CPM Technical Specifications
R.F. PROBE
Gain: 20dB nominal
Frequency Response: 50kHz-2GHz ±3dB, 3GHz -10dB
Sensitivity: -62dBm (1 segment) -85dBm M.D.L.
VLF PROBE
Frequency Response: 15kHz-1MHz -3dB
MAX input voltage: 300 VAC 50-60Hz
Isolation: 1500 VAC 60Hz
Sensitivity: -38dBm (1 segment) -60 M.D.L.
AUDIO AMPLIFIER
Input Impedance: 50K Ohm balanced
Input Range: 1.7uV-10V (135dB) AGC
Dynamic Range: 100dB (high and low gain)
Frequency Response: 100Hz-15kHz ±3dB; (filtered) 500Hz -24dB/octave,
2.5kHz -18dB/octave
Headphone Output: 5Vp-p 220 Ohms
Record Out: 25 mVp-p nominal with AGC
DISPLAY
18 segment LCD bargraph with pulsing single segment trip point
50dB dynamic range (1 segment High Gain to MAX Low Gain)
Alert Output: 2.8kHz tone or silent red LED at 2Hz
Remote Output: N.O. contact (300mA 25V MAX)
BATTERY
8 ea. MN1500 AA Alkaline - Life 10-16 hrs
(Optional) 8 ea. 550mAh NiCad - life 3-5 hrs per charge
Low Battery Indicator: approx. 10% remaining power
AC ADAPTOR/CHARGER
Input: 95-130VAC 50-60Hz, or 200-275VAC 50-60Hz
Output: 12VDC with 500mA
NiCad Recharge Time: 8-10 hrs
CPM-700 UNIT
Size: 9 1/8 x 6 1/8 x 1 3/4 in, 23.2 x 15.6 x 4.4 cm
Weight: 39 oz, 1.1 kg
CARRY CASE WITH ALL STANDARD ITEMS
Size: 16 3/8 x 11 1/4 x 3 in, 41.6 x 28.6 x 7.6cm
Weight: 7 lbs, 3.18 kg
FRONT PANEL DISPLAY
1. FILTER: Audio filter used to accentuate voice frequencies and remove
noise.
2. MODE: Sets the unit to Search or Monitor function. Search is for
performing a sweep with the audio Automatic Gain engaged; the Monitor Mode
sets the Alarm Record output to detect an intrusion.
3. ALERT: Selects either audible Tone Beeper or Silent flashing LED
output from monitor Mode.
4. LOW BATT: Voltage indicator, indicates approximately 10% remaining
power.
5. STATUS DISPLAY: Shows unit operating conditions made by button selections.
6. GAIN: Adjusts the internal sensitivity of the Detector and Audio
systems.
7. PROBE INPUT: Provides input and power for active probes and automatically
selects the appropriate Probe or Aux detector circuits.
8. PULSING SEGMENT: Indicates alarm trip point in the Monitor Mode,
activates Alarm & Remote output.
9. INPUT LEVEL: Bargraph indicates signal strength of Probe or Aux
inputs.
10. ALERT LED: Flashes Red when input level exceeds trip point of Monitor
Mode.
11. THRESHOLD: Sets the trip point for the Monitor Mode.
12. GAIN: Controls the audio gain (volume) to the speaker or headphone
output.
13. PHONES: Allows for silent headphone detection, disconnects the
internal speaker.
FIFTEEN MAJOR DETECTION FUNCTIONS YOU SHOULD HAVE
DETECTION FUNCTION ONE RF SWEEPING
RF sweeping is done quickly, easily and silently with the CPM-700 by
attaching the RF probe. The RF probe provides rapid and silent spectrum
coverage from 200Hz to over 3GHz with no holes or gaps. Due to superior
sensitivity, the CPM-700 can locate even a low powered bug down to 1 microwatt. The
sweep range and sensitivity in R.F. mode will also detect video transmitters.
Also, due to its high sensitivity, the CPM-700 will detect snuggled bugs
as well as burst transmission bugs while they are transmitting.
DETECTION FUNCTION TWO PHONE LINE R.F. SWEEP
The R.F. sweep mode is extremely easy to use to check phones and phone
lines; the R.F. probe functions much like an induction coil. The operator
simply shortens the RF antenna probe to about four inches and wraps the
curly cord of the handset around the antenna at least four turns. The test
is then done on hook and off hook and the readings compared to normal room
levels. While off hook, the bargraph should move no more than two segments.
Further testing can be conducted in the same manner by keeping the
probe on the sides and around the telephone itself (without contact). Again,
check the readings, levels and audio between on hook and off hook.
The same procedure can be employed around the area where the telephone wire
enters the wall.
DETECTION FUNCTION THREE TELEPHONE LINE TESTING
With the Modular Telephone Line Testing Jack and the Line Probe, all
wire pairs can be checked on a telephone system to determine if it is clear
of eavesdropping. The unit will work on both single line and multi-line
telephones. NOTE: Even a single line telephone system has four wires of
which only two are actually used. With the Modular Telephone Line Testing
Jack, you can check ALL wire pairs for possible audio bugging on BOTH single
and multi-line phones.
It's important for the operator to understand the tip and ring of the
telephone wiring (usually red and green wiring). On a single line telephone,
you'll note that the telephone wire has four wires. The other two wires
are usually just extra wiring and should be checked.
On the Telephone Modular Jack, you'll note the following numbers on
each side of the jack:
RIGHT SIDE: 5, 6, 7, 8
LEFT SIDE: 4, 3, 2, 1
A) Using the auxiliary output, plug the input patch cord with the two
alligator clips into the side of the CPM-700. The CPM-700 will automatically
toggle over to auxiliary input mode.
B) Attach the Modular Telephone Testing Adapter in between the telephone
unit and the telephone modular jack. The telephone line coming from the
telephone jack plugs into the top of the Modular Telephone Testing Banjo.
The line coming from the telephone itself plugs into the other side. In
the event of a single line telephone system, four line telephone wiring
needs to be used. If the phone line has more than four incoming lines,
use the supplied multi-line cord and the supplied telephone line cord attached
to the telephone.
C) Now you have the Modular Telephone Testing Adapter on the telephone
line between the telephone and the telephone modular jack.
Tip and ring will be the numbers 5 and 4.
Attach the alligator clips to these two points numbered on the Modular
Telephone Adapter. When you pick up the headset of the telephone, you should
hear a dial tone and room audio from your sound source. Check the line
on hook. If you obtain audio while the on hook test is being conducted,
further checking and inspection needs to be done; it could be a hook switch
bypass wiretap.
On a single line telephone, the next two numbers up from 5 and 4 are 3 and 6.
On multi-line telephone systems, more wire pairs are, of course, used.
All combinations of wire pairs need to be checked to make sure none of
the wires are being used to transmit audio.
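The pair-by-pair check described above can be kept as a worksheet so that no combination is skipped. The following Python sketch is an added example, not part of the original article or of the CPM-700 documentation; the function names, the note format and the rule that any audio on a pair other than tip/ring is flagged are assumptions drawn from the text above, and the sample notes are constructed.

```python
from itertools import combinations

# Pin numbers as printed on the modular test adapter (from the article).
PINS = (1, 2, 3, 4, 5, 6, 7, 8)
TIP_RING = frozenset({4, 5})     # talk pair per the article
SPARE_PAIR = frozenset({3, 6})   # "next two numbers up" on a single line phone


def pair_worksheet(pins=PINS):
    """Return every two-conductor combination: tip/ring first, 3/6 second."""
    pairs = [frozenset(p) for p in combinations(pins, 2)]
    rank = {TIP_RING: 0, SPARE_PAIR: 1}
    return sorted(pairs, key=lambda p: (rank.get(p, 2), sorted(p)))


def evaluate(readings, pins=PINS):
    """Classify each pair from the operator's notes (hypothetical format).

    readings maps a pair such as (4, 5) to a dict of two booleans,
    'on_hook_audio' and 'off_hook_audio': was room audio from the sound
    source heard on that pair. Returns {(low_pin, high_pin): verdict}.
    """
    noted = {frozenset(k): v for k, v in readings.items()}
    report = {}
    for pair in pair_worksheet(pins):
        key = tuple(sorted(pair))
        r = noted.get(pair)
        if r is None:
            report[key] = "UNTESTED"
        elif pair == TIP_RING:
            # Off hook, dial tone and room audio are expected on tip/ring.
            # Audio while on hook needs inspection (possible hook switch bypass).
            report[key] = "INSPECT: audio on hook" if r["on_hook_audio"] else "clear"
        elif r["on_hook_audio"] or r["off_hook_audio"]:
            # Assumption: no other pair should carry room audio at all.
            report[key] = "INSPECT: audio on non-talk pair"
        else:
            report[key] = "clear"
    return report


def summary(report):
    """Collect flagged and untested pairs; the check is complete only
    when every combination has been tested."""
    flagged = [p for p, v in report.items() if v.startswith("INSPECT")]
    untested = [p for p, v in report.items() if v == "UNTESTED"]
    return {"flagged": flagged, "untested": untested, "complete": not untested}


# Constructed sample notes from a partly finished check of an 8-conductor jack.
SAMPLE = {
    (4, 5): {"on_hook_audio": False, "off_hook_audio": True},
    (3, 6): {"on_hook_audio": True, "off_hook_audio": True},
    (1, 2): {"on_hook_audio": False, "off_hook_audio": False},
}

if __name__ == "__main__":
    result = evaluate(SAMPLE)
    for pair, verdict in result.items():
        print(pair, verdict)
    print(summary(result))
```

For a four-conductor single line cord, pass pins=(3, 4, 5, 6) to get the six combinations that apply.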
DETECTION FUNCTION FOUR HOOKSWITCH BYPASS TESTING
With the included adapters, you can conduct a hookswitch bypass test
(a modification to the telephone itself that turns the headset microphone
into a bug) and other telephone equipment testing (see above).
DETECTION FUNCTION FIVE ELECTRICAL OUTLET CARRIER CURRENT TESTING
With the VLF probe you can quickly, easily and silently test all electrical
outlets for carrier current eavesdropping. Carrier current transmitters use
the AC power lines as the transmission path. A good example of such a device
would be the FM wireless intercom systems sold through electronics dealers
such as Radio Shack. By simply plugging the VLF probe into the probe input
jack of the CPM-700 and plugging the two prongs into any electrical outlet,
you can quickly and easily check all outlets.
DETECTION FUNCTION SIX ELECTRONIC DEVICES
Using a combination of the line probe and the included plug conversion
patch cord, you can test anything that plugs into an electrical outlet
for eavesdropping devices. The included plug conversion plugs into the
auxiliary input jack on the side of the unit and the CPM-700 converts itself
over to auxiliary input. The patch cord line can be configured to plug
anything with a standard electric plug into the CPM unit for testing.
DETECTION FUNCTION SEVEN IR (INFRARED) TESTING
IR is an invisible light source and a common way in which audio can
be carried from any premises. The IR probe can be used inside the premises
to detect IR beams with audio.
Infrared methods of eavesdropping give the eavesdropper a very useful
transmission medium which cannot be detected by standard R.F. detectors.
Although there are limitations and disadvantages, such as high current consumption
and the pinpointed line of sight needed for pickup, it's a popular method of
audio eavesdropping. The IR probe can be used to sweep a room just like
the RF probe is used. Pay special attention to line of sight paths that
could go through windows.
DETECTION FUNCTION EIGHT VIDEO CAMERA DETECTION
Sweeping for the presence of video cameras is becoming increasingly
important. The magnetic leakage probe will detect and locate hidden video
cameras. It must be pointed out that the magnetic detection probe that
can be used in this manner needs to get extremely close to the video camera
to register a reading so a much slower paced sweep needs to be conducted.
DETECTION FUNCTION NINE RECORDER DETECTION
Sweeping for the presence of hidden tape recorders is also becoming
increasingly important. The magnetic leakage probe will detect and locate
hidden tape recorders. Again, it must be pointed out that the magnetic
detection probe that can be used in this manner needs to get extremely
close to a recorder to register a reading, so a much slower paced sweep
needs to be conducted.
DETECTION FUNCTION TEN UNKNOWN WIRE TESTING
The source of unknown wires found in a physical inspection is sometimes
problematic on a countermeasures sweep, but not with the CPM-700. Using
the auxiliary input plug and patch cords, you can easily, quickly and silently
check any wire you find for audio.
DETECTION FUNCTION ELEVEN OUTSIDE LASER BEAM DETECTION
Using the IR Probe, it's quite easy to go around the outside of the
building to detect any lasers that may be pointed at the windows of the
building.
DETECTION FUNCTION TWELVE ACOUSTIC LEAKAGE DETECTION
It is quite commonplace for eavesdropping to occur without the aid
of any electronic devices at all, and it is often due to the acoustic characteristics
of the building. The Acoustic Leakage Probe can be used to check walls,
vents and pipes that could create possible acoustic leakage problems. Once
detected, additional countermeasures procedures can be recommended in the
form of acoustic noise generators injected in a strategic manner.
DETECTION FUNCTION THIRTEEN VEHICLE TRACKING DEVICES
The CPM-700 will detect and locate R.F. tracking transmitters which
are used to follow vehicles. The typical "bumper beeper" will
employ a minimum output of 100 milliwatts to more than 5 watts and usually
has a pulsed output.
DETECTION FUNCTION FOURTEEN COMPUTER TEMPEST COMPARISON
The CPM-700 can be used to compare emissions from Tempest Approved
Equipment.
DETECTION FUNCTION FIFTEEN AUTOMATIC MONITOR MODE
The CPM-700 can be placed on automatic monitor mode once a sweep has
been conducted and will detect and alert you to any changes while you are away.
UNDERSTANDING THE DIFFERENT PROBES
THE RF PROBE
The RF probe searches for RF bugs and performs a room sweep. It can
also be used like an induction coil to check telephones and telephone jacks.
(Standard With Basic Unit)
THE VLF PROBE
The VLF probe plugs into electrical outlets to search for carrier current
eavesdropping devices.
(Standard With Basic Unit)
MODULAR TELEPHONE JACK AND LINE PROBE
The line probe plugs into the auxiliary output of the CPM-700. It can
be used to check any unknown wires to test for possible eavesdropping.
The Modular Telephone Jack can be used to test all wire pairs on a telephone
and telephone line (even multi-line phones) for audio. (Line Probe is standard
with basic equipment. Modular Telephone Tester is $95.00 separately or standard
with Ultra Unit)
IR PROBE
The IR probe is designed to sniff for infrared light sources, a common
way of carrying audio. (IR Probe is $295.00 separately or standard and included
with the CPM-700 Ultra)
VIDEO CAMERA AND TAPE RECORDER PROBE
The Video Camera And Tape Recorder Detector probe will detect hidden
video cameras and tape recorders. (This Probe is $295.00 separately or standard
and included with the CPM-700 Ultra)
ACOUSTIC LEAKAGE PROBE
The Acoustic Leakage Probe is designed to be used to check for acoustic
leakage (a very common form of eavesdropping) by checking other sides of
walls, pipes and air ducts for acoustic leakage of room audio. (This Probe
is $295.00 separately or standard and included with the CPM-700 Ultra)
There are a number of products on the market today that can be utilized
to mask sound and defeat eavesdropping. The Audio Jammer is an inexpensive
white noise generator for use in a meeting room, and its noise is very hard
to filter. This is somewhat problematic in that voices need to talk below
the range of the Audio Jammer. The Portable Noise Generator can be used to
inject walls and air ducts with white noise that cannot be filtered. The
Acoustic Noise Generator System is a non-portable installed system that
injects walls and acoustic ceilings with noise, defeating any covert
eavesdropping attempts.
PROPER APPROACHES AND HIDDEN OPPORTUNITY IN COUNTERMEASURES SERVICES
PHYSICAL INSPECTION
Careful physical inspection of everything in the room needs to be conducted,
and it should be pointed out that countermeasures is a whole lot more than
just knowing how to utilize a piece of equipment. Baseboards need to be
examined carefully and the carpet pulled back to search for hidden wires
(a common place to hide wires for eavesdropping). UV lights will help you
quickly determine alterations in the form of dry wall patches and carpet
pullbacks. Acoustic tile ceilings need to be taken out and inspected.
TELEPHONE/ELECTRICAL JACK COVERS
All telephone and electrical jack covers need to be removed and inspected.
A fiberscope can be used to look inside the areas. Once physical inspection
is made, the covers can be replaced and the head screws marked with a UV
pen. Detection with a UV light for tampering can then be done.
OTHER TYPICAL EQUIPMENT USED IN A COUNTERMEASURES SWEEP
UV LIGHTS AND MARKING PENS
UV lights can be used as described above
to detect any tampering. UV marking pens can
be used as you take phone jacks, electrical outlets, wall sockets, switches,
telephones and other devices apart and put them back together. You simply
mark the head screw position with the UV pen. Once done, further inspection
is not as time consuming, as all one has to do is check the screw head marks
with a UV light to see if they are in the same place.
FLASHLIGHTS
Flashlights, small and large, need to be obtained to look in dark corners
inside jack plates and electrical outlets and for inspection of the hidden
space in most office buildings above the acoustic tiled ceilings.
FIBERSCOPE OR BORESCOPE
These units let you place a flexible optic rod inside a space for viewing
and have an optical viewer on the other end. They are must-have equipment
for inspecting areas you could not inspect without them.
VOLTAGE METER AND MULTI-METER
Various tests of the telephone line and electrical devices should be conducted
with a voltage meter, including voltage and line balance testing. Ted
Swift's book Wiretap Detection Techniques reveals
a number of simple tests you can conduct with a voltage meter to check
telephone lines. A countermeasures professional without a good
OTHER TELEPHONE TESTING GEAR
There is a range of other telephone testing gear on the market, from the
inexpensive to the higher priced. The Tap Trap
is a single line telephone testing unit that can be very useful. The Advanced
Telephone Analyzer With Time Domain Reflectometer
is a very high tech piece of equipment you should review. The TE-4200
Telephone Analyzer is a unit that can be used
to test and then continually monitor a telephone line. Most really professional
countermeasures people make a recommendation to the CEO of a small company
that he or she obtain a single line telephone coming into his or her office, which
can then utilize continuous line monitors such as the TE-4200
Telephone Analyzer.
DENTAL MIRRORS
Dental mirrors are also extremely helpful for inspection of areas you
cannot get to with the naked eye.
CD-PLAYER SOUND SOURCE
A good sound source is needed that you bring into the building. A portable
CD player or tape recorder is best used. If you use a radio, you take the
chance of finding that radio station on your sweep which could cause problems.
TONE GENERATOR LINE TRACER
A tone generator and line tracer is simply a
tone generating unit that plugs into the telephone line or wall outlet.
You can then use the tone generated to find or ID that line anywhere with
the tone probe pickup simply by getting it close to the line.
COVERT POCKET BUG DETECTOR
Before the actual countermeasures sweep starts, a walk through is usually
conducted. As the countermeasures professional approaches the premises
and as he or she does the walk through, it's wise to utilize a covert pocket
bug detector that will vibrate in your pocket as you approach the area
to be swept and walk through it. There is a lot of junk on the market.
However, one of the better units for this type of thing is the Trantec
Executive. This high tech unit will function
as a conventional countermeasures sweeping unit and can be switched into
another mode for covert vibration detection, and it is small enough to fit
into your pocket.
SPECTRUM ANALYZER
In order to really analyze any RF signals in the spectrum, you'll need
a good Spectrum Analyzer to do so. Conducting countermeasures services
without a good spectrum analyzer is kind of like trying to run a computer
without a computer screen. The computer will run but you sure cannot see
anything!
CLIENT RECOMMENDATIONS
A written report needs to be given to your client concerning your sweep,
and recommendations need to be given. The assignment needs to be approached
in this manner as an information security survey. There are several important
aspects of this type of thing you should consider. Remember, you are providing
a security service to the client above and beyond the mere sweeping of
offices. Various types of equipment can be offered to the client in your
recommendations for a high level of information security. In order to
illustrate this point better, here are some recommendations from a recent
assignment.
Recommendations Example
A) EXTRA TELEPHONE WIRING: There is a massive array of dormant
telephone wires in the ceiling that went to previous businesses in the
building. These could easily be turned into a carrier for eavesdropping.
These wires need to be fried and/or disabled.
B) DORMANT SPEAKERS: There are dormant speaker systems in the
ceiling that could easily be used as an audio carrier. They should be disabled
to the point at which the speakers cannot function.
C) CEO SECURE PHONE: It is recommended that the corporation
obtain a single line isolated telephone in the CEO's office connected to
a TE-4200 and use of portable voice scrambling for telephone security for
highly sensitive telephone conversations.
D) TIME SENSITIVE SETUP WASTE MATERIAL: An extra secured trash
disposal method needs to be set up for high security mailings such as political
print jobs, which need to be stored and locked until the job is mailed.
This would prevent the opposition from obtaining setup printing trash from
these jobs before they are mailed.
E) CROSS-CUT PAPER SHREDDERS: Cross-cut paper shredders should
be obtained for the shredding of sensitive documents and notes.
F) ESTIMATOR COMPUTER: The job estimator's computer needs to
be isolated and secured. Encryption software needs to be used.
G) DIGITAL PRE-PRESS COMPUTERS: Norton utility file wipe security
software needs to be used.
H) TELEPHONE JUNCTION BOX ROOM: The telephone junction box room
needs to be locked and secured.
I) PRE-EMPLOYMENT SCREENING: A standardized method of pre-employment
screening and background check procedure needs to be employed for new employees.