The TSCM tools we use for corporate executive protection


September 23, 2016 - By David Falco & Sean Paul Schuhriemen

Technical Surveillance Countermeasures (TSCM) tools are an important part of corporate executive protection.

More casually called “bug sweeping”, TSCM refers to electronic and physical inspection of a given area (a principal’s room, a vehicle, or even an entire building) in order to find and neutralize eavesdropping devices—or really, any unwanted surveillance device used by a nefarious third party in order to spy on their target.

Think of the implications if someone is eavesdropping on your principal. Let’s say they’re traveling, and their hotel room is bugged. What they believe to be private conversations (either personal or business related) can now be listened to, recorded and exploited. In addition to opening the door to corporate espionage, such bugging may also lead to some serious security issues for the principal. What if someone knew your itinerary for the next day? Where you’ll eat, how and when you’ll get there?

Needless to say, TSCM is a pretty crucial process in our line of work – both on corporate campuses and while on the road.

TSCM bug sweep for executive protection has 2 parts: RF and non-RF

The term “bug sweeping” calls to mind scenes from spy movies: security pros walking around a room with an array of complex apparatuses, searching for state-of-the-art devices that emit detectable signals. And, yes, that is one part of a TSCM bug sweep.

The other part entails looking for things that are no more high-tech than a simple recorder—the kind anyone could buy for a few bucks. All the bad guys need to do is cleverly stash one of these then retrieve it later.

To find such non-RF devices, nothing beats a thorough physical search. This is why TSCM inspections must always consist of two parts: looking for devices that emit radio frequencies (RF), and for devices that don’t. Each part requires different gear and methods, so let’s take a look at both types of devices, then at the tools we use to detect them.

RF devices

Radio frequency (RF) devices send data, including voice and video, to a third party. They’re the most “direct” bugs as they transfer info in real time and don’t necessarily have to be retrieved. This makes it very difficult to discover who planted the bug. RF cams and recorders can tap into the local Wi-Fi network, or even have access to a GSM network. And you can buy them online for under $30.

Because they transmit data via transmitters within the RF spectrum and not cables, it can sometimes be easier (although by no means easy) for a properly trained and equipped agent to detect them.

But RF devices can also be particularly tricky to find and neutralize. Some emit radio frequencies only at specific moments so they would not necessarily be spotted by doing a single sweep at any given time. Others simply record to a hard drive, USB, SD card, or some other storage device which can be recovered at a later time.

Technology being what it is, such devices continue to get smaller and cheaper—making them more accessible to more people, and more prevalent than ever.

Non-RF devices

Audio recorders, cameras, microphones and other “hardware interception” devices don’t emit RF themselves, but instead rely on other tech such as phone lines, computers and DSL/cable lines to transmit data.

While there is some gear that can help detect non-RF devices, nothing beats a thorough physical inspection. Every single electrical plug, lighting socket, and electronic device should be looked at. A deep TSCM bug sweep would include looking for what might be hidden behind or within walls using thermal imaging.

In addition to locating devices that may be powered off, a thorough physical inspection can discover vulnerabilities in three areas/systems within a room:

  1. Audio video and video conferencing
  2. Phone/data
  3. Electrical (carrier current)

What kind of TSCM tools can be used during a sweep?

Prior to digging into the TSCM tech itself, let’s make clear one important step: assessing the vulnerability of a given area or room by taking some baseline readings.

Before determining if a signal or device is a potential threat or foreign to the target area, three baseline sweeps should be completed in the following areas of vulnerability:

  1. Electrical commonalities (carrier current)
  2. Video/microphones (VC, phone speakers, audio mics, etc.)
  3. Phone and data lines

As for phone and data lines, a few provisos are in order: All lines not in use should be sealed off. And if the space is “temporary”, such as a hotel room or a rented meeting room, use of hardline devices should be completely avoided.

The specific steps that follow these baseline sweeps depend on the location’s topography and specific layout and size. Similarly, the TSCM tools we use vary depending on our needs.

Once the baseline is established, we use the tools described below to complete TSCM bug sweeps.

Spectrum analyzers:

Probably one of the most important pieces of equipment, every reliable TSCM team needs a decent spectrum analyzer. The spectrum analyzer allows the team conducting the sweep to “map” the area’s frequencies and establish whether there might be suspicious transmissions.

Teams may use multiple spectrum analyzers with different features (e.g., different frequencies and ranges covered, built-in video display, etc.).
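The following is an added example, not the authors' procedure or any vendor's software. It shows why a baseline and repeated sweeps matter: holding the peak reading per frequency bin across several sweeps catches a transmitter that only bursts occasionally, which a single sweep misses. All frequencies, power levels and the 10 dB margin are constructed assumptions.

```python
# Added example; every reading below is constructed sample data
# (frequency bin in MHz -> received power in dBm).
BASELINE = {88.5: -45.0, 433.9: -98.0, 434.0: -97.0, 434.1: -98.0, 2437.0: -60.0}
SWEEPS = [
    {88.5: -46.0, 433.9: -97.0, 434.0: -98.0, 434.1: -97.0, 2437.0: -58.0},
    # Second pass: a short burst appears around 434 MHz.
    {88.5: -45.0, 433.9: -70.0, 434.0: -52.0, 434.1: -96.0, 2437.0: -61.0},
    {88.5: -44.0, 433.9: -98.0, 434.0: -97.0, 434.1: -98.0, 2437.0: -59.0},
]


def peak_hold(sweeps):
    """Keep the strongest reading per bin across repeated sweeps."""
    held = {}
    for sweep in sweeps:
        for freq, dbm in sweep.items():
            if freq not in held or dbm > held[freq]:
                held[freq] = dbm
    return held


def new_emitters(baseline, sweeps, margin_db=10.0, noise_floor=-100.0):
    """Return (start_mhz, end_mhz, peak_dbm) for each run of adjacent bins
    whose peak-held power exceeds the baseline by more than margin_db.
    Bins missing from the baseline are compared against noise_floor."""
    held = peak_hold(sweeps)
    findings, run = [], []
    for freq in sorted(held):
        excess = held[freq] - baseline.get(freq, noise_floor)
        if excess > margin_db:
            run.append(freq)          # extend the current suspicious run
        elif run:
            findings.append((run[0], run[-1], max(held[f] for f in run)))
            run = []
    if run:                           # close a run that reaches the last bin
        findings.append((run[0], run[-1], max(held[f] for f in run)))
    return findings


if __name__ == "__main__":
    print("single sweep :", new_emitters(BASELINE, SWEEPS[:1]))
    print("three sweeps :", new_emitters(BASELINE, SWEEPS))
```

The known broadcast and Wi-Fi bins stay within the margin of their baseline, so only the signal that was absent from the baseline is reported for follow-up.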

REI’s Oscor Green is the preferred industry standard and is, in our opinion, the best spectrum analyzer available to the public.

Nonlinear junction detectors:

Once spectrograms of the transmitting frequencies are produced, nonlinear junction detectors help check for devices that don’t necessarily use RF or are turned off. This includes hardwired devices that are tethered to computers, dictaphones, cell phones, circuitry, transmitters, etc.

We like REI’s Orion 2.4 HX Non-Linear Junction Detector for this work.

Broadband detector/receiver:

The broadband receiver is designed to detect and locate all major types of electronic surveillance devices including room, phone, body bugs, video transmitters, and tape recorders.

Broadband receivers are an essential tool for professional sweep teams and are very effective for rapidly detecting and locating transmitted signals.

Once again, we rely on REI for this tool and prefer their CPM-700 Broadband Detector.

Telephone line analyzers:

While phone lines are less and less common in households, they’re still present in many hotel rooms around the globe, especially digital ones. Devices such as REI’s TALAN allow agents to check phone systems, including VoIP.

Telephone line analyzers tend to be minimally effective for temporary spaces, since full schematics and physical hardline access are required. This is yet another good reason why hardline device use should be avoided while on the road.

Microphone detectors:

Devices such as the SDMS Bloodhound can be used to detect audio signals coming from microphones. We have not used these yet at the client site or in the field, as we rely on broadband or non-linear junction detectors, which also locate any microphone in the room.

Amplifiers:

Amplifiers can be used specifically to identify audio devices attached to wiring (computer cables, wires, AC power, etc.).

This type of device requires wiring diagrams/schematics and physical access as well.

REI’s CMA-100 Countermeasures Amplifier is a good option here.

UV lights and pens:

Ultraviolet lights and pens are used to assist in the physical search of a location. UV pens and lights are a great way to mark objects (e.g., screws and wall fixtures) in order to check for a breach at a later date.

Digital cameras, borescopes and video scopes:

Borescopes can be used individually for a specific use, or can be used as a kit to cover a wide variety of situations. The borescope is a fine optical instrument for seeing inside small areas, and is used in many applications including security and manufacturing inspections. It can be utilized in many environments where direct viewing is impossible.

A cheaper alternative is a simple snake inspection camera such as the Ryobi Phone Works, which turns your smartphone into a decent borescope.

Thermal imagers/thermal imaging cams:

Thermal imaging cameras (TICs) are used to find heat signatures of anything left powered on or “hot” from receiving a signal (remotely, electronically, etc.). These can be invaluable when conducting a physical search of an area to discover items behind a wall that are warm from heat (conduit, wires, etc.) that are otherwise invisible to the naked eye due to their location.

FLIR is the industry leader in thermal imaging for the private sector and the government, and they make some good stuff.

The Seek Compact XR is also a good alternative.

Cable testers:

Wire and cable locators are designed to trace and locate all types of inside and outside wiring and piping.

These devices (similar to the TALAN) send out a signal and use precise measurements to time the out and back of the signal to figure out where a device or additional connector (resistance) is placed on the line. The limiting factor is that most lines have many connectors, Ys, etc., and schematics are imperative for these types of sweeps.
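The out-and-back timing described above, worked through as an added example (not the authors' method or any vendor's software). It converts round-trip times to distances and reports only the reflections that the schematic does not account for; the velocity factor, tolerance, schematic distances and timings are all constructed assumptions.

```python
# Added example; the line data below is constructed, not measured.
C_M_PER_NS = 0.299792458          # speed of light, metres per nanosecond

# Distances (m) of connectors and splices documented on the schematic.
SCHEMATIC_M = [3.0, 12.0, 20.0]
# Round-trip times (ns) of reflections seen on the line under test.
ROUND_TRIPS_NS = [30.0, 76.0, 121.0, 202.0]


def reflection_distance_m(round_trip_ns, velocity_factor):
    """Distance to an impedance change. The pulse travels out and back,
    so the round-trip time is halved before converting to distance.
    velocity_factor is the cable's signal speed as a fraction of c."""
    return (round_trip_ns / 2.0) * C_M_PER_NS * velocity_factor


def unexplained_reflections(round_trips_ns, schematic_m,
                            velocity_factor=0.66, tolerance_m=0.5):
    """Return distances (m, rounded to 0.1) of reflections that lie more
    than tolerance_m from every connector listed on the schematic."""
    findings = []
    for t in round_trips_ns:
        d = reflection_distance_m(t, velocity_factor)
        if not any(abs(d - known) <= tolerance_m for known in schematic_m):
            findings.append(round(d, 1))
    return findings


if __name__ == "__main__":
    print("with schematic   :", unexplained_reflections(ROUND_TRIPS_NS, SCHEMATIC_M))
    # Without a schematic every reflection is "unexplained", which is why
    # the sweep cannot separate a tap from a legitimate connector.
    print("without schematic:", unexplained_reflections(ROUND_TRIPS_NS, []))
```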

The RFX 1500 & 2500 are two excellent options.

The RFX-1500 transmitter can be connected to live AC power (up to 220VAC) to allow tracing of live electrical circuits in the house or buried outdoors. When connected to working telephone lines, the RFX-1500 Transmitter is totally transparent. It is not audible on phone lines and does not disrupt fax, modem, or voice communications. The RFX-1500 can even transmit into the ground, so you can trace gas and water pipes buried outside.

The RFX-1500/2500 is a sophisticated radio transmitter and receiver operating at 455 kHz. As it is radio based, the RFX-1500/2500 system has a detection range of over 10 feet indoors, and can detect buried wiring and cables down to three feet or more outdoors. The system uses a “Null” mode antenna, which when pointed at the hidden wire is undetectable on the phone lines you are checking. This allows you to pinpoint the exact location of a hidden wire or cable to within the width of the antenna.

The future of TSCM for corporate executive protection

There are primarily two types of corporate espionage operators: state actors and espionage-as-a-service providers, who are freelancers that sell to whoever wants to buy.

State actors are and will be extremely difficult to neutralize as they have the money, resources and authority in their own country to gain access to any location required.

It is easier (but still not easy) to neutralize attempts by espionage-as-a-service providers: they are usually independent and are more limited on funds and resources than state actors.

We expect both state actors and espionage-as-a-service providers to increase activities in the coming years.

Corporate espionage is, unfortunately, a growing business. On its own, it accounted for an estimated $300 million in theft in the US in 2013. Pooled together with cybercrime, which includes far more methods than TSCM sweeps are designed to expose, the costs of espionage and cybercrimes are growing exponentially: a recent report by Juniper estimates that cybercrime, including corporate espionage, will cost businesses worldwide a whopping $2 trillion by 2019.

Not only is the financial impact of corporate espionage growing; the costs of carrying it out are falling. As mentioned above, surveillance devices continue to get smaller and cheaper, so they will only continue to be more and more accessible to those intent on stealing data.

For these reasons alone, we believe corporations will increase their focus on TSCM. But we also believe they will step up anti-surveillance activities for another reason: to mitigate risks to principals as part of executive protection programs.

Five years ago TSCM bug sweeps were seldom seen in corporate EP. Today, they are common practice with our larger clients. In the coming years, we predict that more and more clients will require ongoing and ad hoc TSCM services in conjunction with other corporate executive protection services, and that TSCM will be a very critical piece of the security umbrella that we provide to our clients.

David Falco

Program Specialist

Dave works as a Program Specialist at AS Solution North America, Inc.

Sean Paul Schuhriemen

Deputy Director, Intelligence Operations

Sean Schuhriemen brings 20+ years of experience from the U.S. Navy, the Central Intelligence Agency, and the private sector as a security and intelligence consultant.

Sean has worked in project management, technology, and as an emergency medical technician. Sean’s military, Agency, and security-related school/training include: recurrent medical and protection techniques, surveillance detection (planning, development, and execution), paramilitary operations, counter-intelligence, intelligence field tradecraft, asset protection, TSCM sweeps, technical exploitation, logistics planning, communications, due diligence, behavior assessment and elicitation, applied behavioral psychology, site surveys, emergency vehicle operator’s course and an evasive driving course, recurrent weapons qualifications. In addition, Sean is also certified in denial and deception (basic & advanced).

Sean is a reserve police officer with the ability to support armed in all 50 states, Guam and Puerto Rico. He has a B.A. in psychology from the University of La Verne and is currently pursuing a master’s degree in intelligence from AMU.