TO G OR NOT TO G?

By Julian Claxton

A review of mobile communication advancements and its impact on technical surveillance countermeasures.

I still fondly remember the excitement I felt when I purchased my first mobile phone in 1990. It was the size of two bricks; an analogue device with patchy reception (1G). At the time, I was a young surveillance operative and investigator still learning the ropes. The mobile phone was a novelty at first, although its convenience quickly became a necessity as I rushed across the city with a constant need to communicate with my colleagues, hot on the tail of our respective surveillance targets.

A year or so later, the analogue phone service was upgraded to digital and, not long after that, text messaging (SMS) and multimedia messaging (MMS) features were enabled. The digital network was second generation (2G) and mobile communications were becoming the norm. Communication as we knew it changed and with it went our privacy. The digital network saw a proliferation of audio surveillance devices (bugs) transmitting room audio using the 2G cellular network.

By this time, I had enhanced my tradecraft to include technical surveillance and, like the thieves and fraudsters I was pursuing, I collaborated with colleagues to see how to benefit from this enhanced method of communication, particularly with respect to developing covert electronic surveillance products to lawfully aid investigations. Whilst I have always operated within the boundaries of the law, my adversaries do not and they too were devising means by which to benefit from this enhanced communication method.

One of the pioneers of third generation (3G) technology in Australia was a company called Three, owned by Hutchison Telecommunications. In 2003, they released a handset that could make video calls over an enhanced network (although 3G was released internationally in 1998). Latency was considerable and the image was often distorted, but who cared – I could actually see my interlocutor! A considerable benefit of the 3G network was the ability to send video clips, photos and audio files relatively quickly. It also provided internet access from the palm of your hand. This revolutionised the concept of real-time surveillance, providing the ability to instantly send images and video to our employers for verification or further surveillance instructions. Access to the internet meant that directions and other relevant information could be accessed in real time to aid investigations.

Covert surveillance devices soon flooded the market and, with advancements in technology and improvements to the chipsets used, they became smaller and lasted longer. Online retailers such as eBay provided an anonymous means by which to purchase such products and, throughout the 2000s, surveillance bugs were being sold in the thousands by online retailers.

In 2008, the laws changed in New South Wales, resulting in a restriction on the way in which covert surveillance products were used. I subsequently decided to switch sides and actively steer my career toward countersurveillance, particularly technical surveillance countermeasures (TSCM). Having had a thorough understanding of how to develop and use covert surveillance products, it made sense to put that knowledge to good use, helping organisations find them. This stood me in good stead to combat the ever-increasing use of 2G and 3G surveillance bugs – not to mention the older style devices operating using standard radio frequency (RF) means – such as frequency modulation (FM) radio bugs, often sold as a toy kit!

Also in 2008, fourth generation (4G) products were commercially released, enabling large amounts of data to be transmitted in what was then considered lightning-fast speeds. Manufacturers of covert surveillance devices were becoming more creative in the way they concealed devices and transmitted via the 4G network. Burst bugs were using encrypted data to send audio via the 4G network and, depending on the product and its compression algorithms, 24 hours of audio recordings could be transmitted across the globe in a matter of minutes.

With the advent of digital (encrypted) communication, the countersurveillance community had to lift its game and become more reliant upon signal strength, rather than signal demodulation, to determine which radio frequencies were a threat. Thorough physical inspections were even more pertinent than before and any signal originating from within your designated area had to be identified, typically using direction finding or near field radio receivers focused on received signal strength indicators (RSSI). This was not significantly different to how we operated prior to digital encryption, except that we needed to be more vigilant with our physical searches and more cognisant of RF spectrum management and propagation.
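The RSSI-based triage described above can be reduced to a simple rule: an emitter inside the swept area shows a sharp peak at an interior point, a signal entering from outside peaks at the perimeter (window, doorway), and a distant high-power transmitter shows little variation anywhere in the room. The following is an added example, not the author's procedure or any vendor's software; the sweep log, the room positions and the 15 dB spread threshold are all constructed assumptions.

```python
"""RSSI triage of a near-field sweep: which emissions originate inside the
swept area?  Added example; the sweep below is constructed, not a capture."""
from collections import defaultdict

# Constructed sweep log: (position in the room, centre frequency in MHz,
# RSSI in dBm) recorded as a near-field receiver is walked through the area.
SWEEP = [
    # a cellular downlink: strongest at the window, i.e. entering from outside
    ("doorway", 1842.5, -71), ("centre", 1842.5, -68),
    ("window", 1842.5, -55), ("desk", 1842.5, -66),
    # a corridor Wi-Fi access point: strongest at the doorway
    ("doorway", 2437.0, -48), ("centre", 2437.0, -57),
    ("window", 2437.0, -66), ("desk", 2437.0, -60),
    # broadcast FM: near-uniform level everywhere (distant, high-power source)
    ("doorway", 104.1, -62), ("centre", 104.1, -60),
    ("window", 104.1, -59), ("desk", 104.1, -61),
    # an emission that is weak everywhere except right at the desk
    ("doorway", 433.92, -80), ("centre", 433.92, -70),
    ("window", 433.92, -76), ("desk", 433.92, -35),
]

# Positions on the boundary of the swept area (assumed room layout).
PERIMETER = {"doorway", "window"}


def profile(sweep):
    """Group readings by frequency: {freq: [(position, rssi), ...]}."""
    by_freq = defaultdict(list)
    for position, freq, rssi in sweep:
        by_freq[freq].append((position, rssi))
    return dict(by_freq)


def classify(sweep, spread_db=15.0, min_samples=3):
    """Label each frequency from how its RSSI varies across the sweep.

    local-candidate : large spread, peak at an interior point
    external        : large spread, peak on the perimeter
    ambient         : small spread everywhere (distant, powerful source)
    """
    labels = {}
    for freq, readings in profile(sweep).items():
        if len(readings) < min_samples:
            labels[freq] = "insufficient-samples"
            continue
        peak_pos, peak = max(readings, key=lambda r: r[1])
        floor = min(rssi for _, rssi in readings)
        spread = peak - floor
        if spread < spread_db:
            labels[freq] = "ambient"
        elif peak_pos in PERIMETER:
            labels[freq] = "external"
        else:
            labels[freq] = "local-candidate"
    return labels


def candidates(sweep, **kw):
    """Frequencies to physically search for, strongest peak first."""
    prof = profile(sweep)
    flagged = [f for f, lbl in classify(sweep, **kw).items()
               if lbl == "local-candidate"]
    return sorted(flagged, key=lambda f: -max(r for _, r in prof[f]))


if __name__ == "__main__":
    for freq, label in sorted(classify(SWEEP).items()):
        print(f"{freq:>8.2f} MHz  {label}")
    print("search first:", candidates(SWEEP))
```

The labels only prioritise the physical search; they do not replace it. Multipath reflections can shift a peak toward a wall, and an "ambient" label does not exclude a low-power emitter that the sweep simply never passed close to, which is why the threshold and the sweep density are the parameters a team should tune against a known reference emitter before relying on the output.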

The emergence of fifth generation (5G) networks from a TSCM perspective presents little change to our modus operandi. In essence, the physical search methodology needs to be reviewed and more research conducted on the emerging threats associated with wider bandwidths and faster speeds. Transmitting via the 5G network will mean that a full day of audio recordings stored within a burst bug’s memory will take just seconds, rather than minutes, to transmit and a lot more video (and audio) can be transmitted in almost real time. However, the practical realisation of 5G advantages for covert surveillance is a long way off.

The difference between 4G and 5G from a signal propagation perspective is considerable. The advantage of 5G transmissions is that a lot more bandwidth is available at much higher frequencies, known as mmWaves. These operate above 6GHz (in this instance, we refer to frequencies, not the evolution of mobile phone technology, also labelled ‘G’ for Generation) and have the capacity to operate up to around 90GHz (albeit impracticably). From a practical standpoint, anything transmitting at those mmWave frequencies will be unreliable and ineffective, unless antennas/repeaters are placed in direct line of sight. The 5G mmWave transmissions can be blocked by precipitation, foliage, walls, people and even oxygen (at the upper end of the spectrum). We all know what it is like trying to make a call from within a building when mobile signal strengths are low. At this point in time and for the foreseeable future, using mmWave technology to transmit from a mobile will be far worse, especially if you are deep indoors.

To put things in perspective, the wavelength of a signal is inversely proportional to frequency – higher frequencies have shorter wavelengths. The shorter the wavelength, the less likely it is to penetrate obstacles. Take the low frequency signal of 30Hz. It has a wavelength of 10,000km. This wavelength will easily penetrate through walls. A high frequency signal of 300GHz has a wavelength of only one millimetre! Its penetration capacity is as good as zero. Using the familiar 2.4GHz Wi-Fi frequency as another example, its wavelength is 12.5cm and, as you would know from your home or office Wi-Fi setup, it will typically penetrate through a couple of walls to provide connectivity within your environment. In summary, lower frequencies have longer wavelengths which penetrate obstacles better. Higher frequencies have shorter wavelengths and will not penetrate much beyond line of sight (depending on the frequency used).
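The wavelength figures above follow from λ = c / f. The block below is an added example, not from the article: it reproduces those figures and extends the argument with the Friis free-space path loss, which puts a number on the line-of-sight penalty of a higher frequency before any wall, foliage or rain loss is counted. The 28 GHz case is chosen as a representative mmWave frequency and is an assumption, not a value from the text; 3.6 GHz is the sub-6GHz figure the article cites.

```python
"""Wavelength and free-space path loss at the frequencies the article compares.
Added example.  Values are computed from first principles (c = 299,792,458 m/s),
so the 30 Hz wavelength comes out at 9,993 km rather than the rounded 10,000 km."""
import math

C = 299_792_458.0  # speed of light in vacuum, m/s


def wavelength_m(freq_hz):
    """Wavelength in metres: lambda = c / f."""
    return C / freq_hz


def describe_wavelength(freq_hz):
    """Human-readable wavelength with a sensible unit."""
    lam = wavelength_m(freq_hz)
    if lam >= 1000:
        return f"{lam / 1000:,.0f} km"
    if lam >= 1:
        return f"{lam:.2f} m"
    if lam >= 0.01:
        return f"{lam * 100:.1f} cm"
    return f"{lam * 1000:.2f} mm"


def fspl_db(freq_hz, distance_m):
    """Free-space path loss (Friis) between isotropic antennas, in dB.
    Only meaningful in the far field, i.e. distance >> wavelength."""
    return (20 * math.log10(distance_m)
            + 20 * math.log10(freq_hz)
            + 20 * math.log10(4 * math.pi / C))


def mmwave_penalty_db(freq_hz, reference_hz=2.4e9):
    """Extra free-space loss of freq_hz relative to a reference frequency.
    Distance cancels, leaving 20 * log10(f / f_ref)."""
    return fspl_db(freq_hz, 1.0) - fspl_db(reference_hz, 1.0)


if __name__ == "__main__":
    # the three wavelengths the article quotes
    for f in (30.0, 2.4e9, 300e9):
        print(f"{f:>12.3e} Hz  wavelength {describe_wavelength(f)}")
    # clear line-of-sight loss over 10 m for sub-6GHz and an assumed mmWave band
    for f in (2.4e9, 3.6e9, 28e9):
        print(f"{f / 1e9:5.1f} GHz  FSPL over 10 m = {fspl_db(f, 10):.1f} dB")
    print(f"28 GHz vs 2.4 GHz line-of-sight penalty: "
          f"{mmwave_penalty_db(28e9):.1f} dB")
```

The penalty of about 21 dB at 28 GHz relative to 2.4 GHz is a fixed-antenna-gain figure: free space does not absorb more at higher frequency, but an isotropic receive antenna captures less energy as the wavelength shrinks. Real deployments claw some of this back with high-gain, beam-steered antennas, which is exactly why mmWave depends on line of sight and why the material losses the article lists come on top of this baseline.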

Leading 5G telecommunication infrastructure companies, such as Ericsson, Nokia and Huawei, have all released white papers and/or academic papers discussing the issue of propagation. All of them refer to the complexity of operating mobile handsets at mmWave frequencies. In every instance, they refer to using what is known as sub-6GHz frequencies to operate 5G mobile handsets to overcome the restrictions of signal penetration. As a result, it has been widely agreed that a more effective frequency to benefit from 5G technology is sub-6GHz and, in many instances, will be 3.6GHz or below for indoor mobile phone use. This means that existing 4G LTE infrastructure will be relied upon and, in many instances, used to help with mobile uplinks (handsets/devices talking to base stations). The result of this will likely be enhanced 4G network access, providing faster connections than we currently have. This is an important factor when considering the topic of covert surveillance and related countermeasures.

A good covert surveillance operative will typically find the least resistant path to placing a listening device or electronic bug. It needs to be easily installed, reliable and unlikely to be detected if his or her surveillance operation is to be successful. It also needs to have stable power, an audio path for the microphone or visual path for cameras, and access to transmission methods (these can be wired and/or wireless depending on the product used). On the market today is a plethora of reliable and inexpensive devices operating using radio transmission methods such as VHF, UHF and SHF, which include Wi-Fi, Bluetooth, 3G and, in some cases, 4G networks. All of these transmission methods are tried and tested. If an operative has regular access to the target premises (such as that available to a trusted insider) then they may choose to install a solid-state listening device which records locally with no (or limited) need to transmit a signal at all. It makes little sense at this early stage of 5G development to design and use a bug that is reliant upon untested and clunky 5G technology. In fact, it would be counterproductive, given the risk of failure or otherwise intermittent success. That is not to say that 5G technology will not be of use for surveillance purposes. It absolutely will – just not for many years. And even then, the propagation (penetration) of mmWave-based products is unlikely to change, as the laws of physics are somewhat fixed!

So, let us argue the concept that a covert surveillance device might be built into a 5G mmWave modem/router. Assuming it is not using sub-6GHz frequencies, it will require line-of-sight access to a base station. It is proposed that 5G base stations will use massive multiple-input multiple-output (mMIMO), beamforming and full-duplex technology. In simple terms, they will have antennas steered toward each device they connect to and chipsets will communicate uplinks and downlinks simultaneously. For this to operate effectively, those antennas will need to be placed in close proximity to that device so as to not be too interrupted by obstacles (including people). A building will therefore need numerous antennas installed within; ergo, easily discovered by a basic TSCM inspection team, or the router itself will need to be placed on the external perimeter of the room in which it is expected to operate (preferably near a window, which in itself will cause attenuation), or a separate antenna will need to run from the device to outside the building, in proximity to a 5G base station. In each of these cases, a physical search team should have no trouble identifying most 5G threats or components used to covertly transmit a 5G signal. Moving forward, 5G routers and various other products may rely upon mmWave frequencies exclusively; however, for now, that comes with more components and a larger housing, decreased battery life and an increased power draw (resulting in the generation of heat – easily detected using thermal imaging).

Our equipment currently covers up to 24GHz. My firm purchased receivers with this capability in 2011, to pander to clients who were ill-informed by charlatan TSCM wannabes, marketing the unnecessary and alarmist requirement to scan mmWave frequencies. This was well before 5G technology was even on the drawing board. Given the RF propagation issues raised in this article, I see little benefit in organisations increasing the capability of their spectrum analysers to detect 5G mmWave transmissions beyond around 11GHz at most. It would be ridiculously expensive and subsequently increase the cost of services, whilst providing little to no benefit to an experienced, qualified and professional TSCM team.

The sixth generation may be a different story.

With over 25 years of active industry participation, Julian Claxton is an experienced security professional, with specific expertise in technical surveillance countermeasures, insider threat management and credibility analysis (detecting deception). Julian has presented on TSCM and security management at the Espionage Research Institute in Washington DC, as well as being a founding member of the Technical Surveillance Countermeasures Institute in London and a member of the Espionage Research Institute International in America. He is also a longstanding member of ASIS International, and a serving board member of the Australian Institute of Professional Intelligence Officers in Canberra, Australia. He is director of Jayde Consulting Pty Ltd and holds certificates in security risk management, countersurveillance and investigations, as well as a graduate diploma in Behavioural Analysis and Investigative Interviewing and a master’s degree in Communication, Behaviour and Credibility Analysis (MMU). He can be contacted at julian@jaydeconsulting.com