Problem solve Get help with specific problems with your technologies, process and projects.

How to perform a bug sweep

Learn why many corporations have started to perform bug sweeps or Technical Security Counter Measure (TSCM) operations, and five basic technologies used by TSCM operators.

The revelation of the identity of Deep Throat, the secret source of the Watergate scandal, reminded me of an old...

threat we still face today known as "bugging" or, as those in the business call it, "technical surveillance." Receiving information about a victim through audio or video surveillance provides an attacker with a wealth of information. And, as today's electronics become more sophisticated, bugging equipment once available only to spies is now easily obtainable on the Internet. In response to this threat, many corporations have started to perform bug sweeps or Technical Security Counter Measure (TSCM) operations, with the help of outside contractors.

TSCM is a specialized area, and performing a sweep requires expensive equipment that needs regular updating. As a result, sweeps can be pricey, although not as pricey as the losses from a bugged office. Many firms charge more than $10,000 for one floor of an office building. Therefore, you may want to limit the scope of the sweep to especially sensitive areas such as corporate management offices, boardrooms, etc. If you take this approach, it is important to remember to limit sensitive discussions to the "cleared" areas.

When researching vendors, ask about the equipment and techniques they use. Legitimate TSCM firms are up front about their techniques and technology. To find out if a potential vendor is legitimate, ask for references and seek out recommendations. Your local chapter of the FBI InfraGard or Secret Service Electronics Crimes Task Force may be a good place to start. Industry associations, such as the American Society for Industrial Security (ASIS), may also be of help.

Related Information


Discover how to stop hackers in their tracks.

Learn five measures you can take to protect your organization from insider threats.


To help weed out the wannabes, let's take a closer look at five basic technologies used by genuine TSCM operators:

  • RF detection. Some surveillance devices use radio frequency (RF) transmissions to carry their signals to the listener. To find these, TSCM analysts use an RF analyzer like REI's OSCOR (Omni Spectral Correlator). The OSCOR absorbs the RF transmissions in an area and uses a built-in database to filter out those known to be legitimate, such as TV and radio stations. The remaining transmissions are presented to an operator for analysis to determine if they pose a threat. The OSCOR is also used to store a profile of the radio frequency environment of the location. During later sweeps, comparing the record of the previous environment with a new set of signals can quickly point to potential problems.
  • Detection of electronics. More sophisticated surveillance devices can be turned on and off as needed. When a bug is turned off, it does not transmit any RF signals and is therefore invisible to RF detection devices. In order to find these stealthy devices, the TSCM professional will turn to a Non Linear Junction Detector (NLJD). The NLJD looks a bit like one of those metal detectors they used to sell in the back of comic books. It works by sending out RF signals tuned to cause the semiconductors in electronic devices to resonate, even if they are powered off. During a sweep, the TSCM operator passes the NLJD over every surface in the office, looking for electronics in places where they should not be.
  • Heat can be another telltale sign that electronics are present. Because small heat variations may point to a power supply, a TSCM toolkit should include a thermal imager, which the operator uses to scan the office and objects in it. If hot spots are found in unlikely places, a manual inspection is conducted to determine if they are from suspect devices.

  • Phone and power lines are also popular places for the placement of surveillance devices. Phone lines provide power, access to conversations and other information, and a way for attackers to receive information. Power lines can provide power to devices hidden in electrical outlets and transmit information out of the area under surveillance. The TSCM operator will use equipment to detect anomalous behavior on these lines, such as voltage drops or the presence of sub carriers.

  • Some surveillance devices may use infrared light to transmit their signals back to an attacker. An infrared viewer may reveal the presence of these devices. The TSCM operator scans the area looking for questionable IR sources and then investigates them further manually.

Like other forms of security testing, TSCM sweeps provide you with a snapshot of conditions at a particular time. For continued assurance that your offices are "clean" of surveillance devices, you'll need to repeat sweeps periodically. Most vendors provide some sort of "volume discount" for annual or biannual services.

TSCM services are not for every company, but if the disclosure of conversations or phone calls in your offices would cause irreparable harm to your business, you should consider checking to see if your walls have ears.

About the Author
Al Berg, CISSP, CISM is Information Security Director of New York City based Liquidnet ( Liquidnet is the leading electronic venue for institutional block equities trading and the 4th fastest growing privately held financial services company in the US.

This was last published in August 2005

Dig Deeper on Security Awareness Training and Internal Threats-Information