Recommendations for checking wirelines using ST-301"SPIDER"

Recommendations for checking wirelines.
 
 
  1. Main types of threats
Mainly the threats can be separated in to two categories: special (artificially created) and functional (of natural origin)
Special threats – are created by the perpetrator directly for information interception. Their compound and parameters are determined by the operational and technical capabilities of the perpetrator. In case of such threats present at the site, the information leakage is inevitable.
Functional threats – are not linked by any actions of the perpetrator. They can appear due to technical peculiarities of the office equipment and ways of cable line installation and so on. The information leakage due to the existence at the premise of such threats is possible, but it is necessary not to overlook the search for them.
The most common ways of technical realization of special (artificially created) threats are:
• acoustic interception devices that transmit a signal over wired lines in the speech frequency range (electret and dynamic cable microphones)
• means of intercepting acoustic information that transmit a signal over standard power and low-current lines in the RF frequency range (over 50 kHz)
• means of intercepting telephone information connected to telephone lines by contact and contactless means (telephone transmitters and voice-recorder adapters)
• interception of acoustic information using "high-frequency imposition" equipment»
• use of software and hardware capabilities of office PBX to intercept acoustic information when the handset is "on"
• using the hardware and software capabilities of IP phones to intercept acoustic information when the handset is "on".
Most common functional threats:
• information leakage due to acoustoelectric transformations
• leakage of information due to the interference of an informative signal with a parallel run of wire lines.
 
  1. Main Stages of operations when checking wirelines
As well as other search operation type, the wire line check are separated into three stages: 
• collecting technical information about the search object
• object search operations
• progress report with recommendations
Before starting work directly on the site, you need to get and analyze information about the composition and features of wire lines and connected technical means.
Such information is:
• power line laying schemes with indication of the locations of switching nodes (junction boxes, boards, etc.)
• list and type of equipment located in the room under inspection and connected to the power supply network
• routing of low-voltage lines indicating the locations of switching nodes
• list and type of equipment located in the tested room and connected to low-current lines
• type of PBX with its location
• scheme of lines of a computer network with an indication of the location of switching equipment
• information about the availability of IP telephony facilities in the room being checked


If the necessary documents are not available, you should draw up the above diagrams with the help of competent employees of the facility and get the required information.
The preliminary stage is very important and the overall effectiveness of the verification depends on the completeness of the information received. 
The main types of object works are:
-visual inspection of lines and technical means connected to them,
-search for signals of eavesdropping devices in the wired lines by using receiving equipment
-inspection of lines with the help of special equipment for the presence of illegal connections.
The General test procedure is almost identical for lines and equipment for various purposes. Verification is carried out in accordance with the existing schemes for laying and installing lines.
During the check, the previously drawn up schemes are clarified. Verification of a complex network with a large number of branches is carried out on its individual sections.
The following equipment and wiring lines are subject to inspection:
-power and lighting networks
-office and subscriber telephone network
-computer network (LAN)
-intercom
-radio transmission network
-the "unknown" destination.
After the end of the object stage, a report is issued, which indicates the list of work performed, the equipment used to perform this work, the detected threats (or lack thereof), as well as technical recommendations necessary to prevent information leakage.

  1. Object search operations
3.1.Visual search
To perform a visual inspection, you will need:
  • a set of tools for disassembling instrument housings and communication equipment
  • magnifier
  • set of inspection mirrors
  • UV and conventional lights
  • UV marking agents (markers, varnishes, etc.)
ü  For visual inspection, it is recommended to follow the sequence below.
ü   Before inspecting any device, device, or section of wire line with exposed live parts, use the voltage indicator to make sure that there is no life-threatening voltage on them. If there is a dangerous voltage, disconnect this device or a section of the line.
ü   It is necessary to check the presence and integrity of previously applied hidden marks (seals) on the covers and other removable elements of the equipment being checked. If the labels are not broken, it is not advisable to disassemble the case. If the marks (seals) are broken, disassembly of the case is mandatory! Disassembly is also required if there is no previously applied mark (seal) on the case. The attacker is likely to replace the device with a similar one equipped with an eavesdropping device. If this is the first time a site inspection is performed, disassembly of the equipment is mandatory.
ü   If unauthorized opening or substitution of equipment is suspected, this equipment is opened, disassembled and inspected. At the same time, you need to make sure that the standard arrangement of the internal device elements, the absence of foreign objects, new parts or elements of unknown purpose, connections of foreign conductors to current-carrying parts. One of the most characteristic features of installing an eavesdropping device may be the presence of a microphone (if it is not included in the standard scheme).
ü   When checking electrical panels and other distribution equipment, special attention should be paid to the inspection of incoming cables, cable channels, corrugated hoses, electrical pipes and process holes in the enclosing structures. During the inspection, cables are pulled out of cable channels, pipes and process holes to the maximum length. This is necessary to make sure that there are no abnormal connections in the hidden area.
ü   All consumers and splitters connected to the power grid (not related to complex electronic devices) must be disassembled and inspected directly in the room to be checked. These devices include: extension cords, tees, stationary and table lamps, air conditioners, fans, heating devices, etc.the purpose of the inspection is to detect abnormal elements and foreign objects connected to the current-carrying conductors of the devices being checked.
ü   All open sections of wire lines, as well as areas where the lines are laid in cable channels, are subject to inspection. To do this, all cable channels must be opened at the time of inspection. If the lines are laid in the cavity of a collapsible raised ceiling, the ceiling panels must be removed to allow access to the lines. During the inspection, foreign objects connected to the lines are detected, as well as abnormal wire connections.
ü   At the end of the inspection, it is recommended to apply hidden marks (seals) on the cases of devices and equipment. Information about the place marks must be specified in the report.

3.2.            Search for wired microphones
3.2.1      Wired   microphones  and  their  peculiarities
Cable microphones are one of the simplest, but at the same time reliable types of listening devices. They are designed to intercept speech information at the place where they are installed and transmit this information outside the premises (or object) via a wired line. The end device for a cable microphone is either a microphone switch or a low-frequency amplifier, or less often a sound recording device itself.
The guaranteed range of interception of information at the microphone is no more than 3-4 meters from its source. Although in practice, the attacker tries to bring the microphone as close as possible to the source of information.
The range of data transmission over the cable is from several tens of meters to several kilometers (depending on the microphone model). Information is transmitted in the spectrum of the source signal (i.e., the speech frequency range).
As a transmission channel for cable microphones, a specially laid wire line is often used. Less often, unused pairs of standard multi-core cables are used, which are brought to the desired room.
The need for special cable routing is probably the main drawback of such eavesdropping devices. The attacker does not always have the opportunity to lay the cable to the desired room. The most convenient time to install cable microphones is to repair or reconstruct the room.

IMPORTANT!!!
The microphone can be installed in a room adjacent to the one where the source of information is located. In this case, a hole is made in the wall where the microphone is inserted. A thin tube is placed directly on the microphone, which acts as a sound guide. With this method of installing a microphone, it is almost impossible to detect it without getting into an adjacent room.
Dynamic (electrodynamic) microphone - the most common type of microphone design. Unlike other types of microphones, dynamic microphones do not require power or use of a power preamp. Depending on the design of the dynamic microphone, the range of information transmission (over the wire) can range from hundreds to several hundred meters. Information is transmitted over a two-wire cable.
The disadvantages of a dynamic microphone include its relatively large dimensions. The advantages include simplicity of design, high reliability, and no need for power and a pre – amplifier.
Some types of dynamic microphones are presented on the picture.

Dynamic_Microphones

According to the principle of operation, an electret microphone is one of the varieties of condenser microphones, but unlike standard condenser microphones (used, as a rule, in Studio conditions), it is widely used in a variety of equipment due to its low price and suitability for operation in the "field".
The design of the electret microphone provides a pre-amplifier, so you must observe the polarity of the connection and provide the device with power. This is achieved by applying the so-called "phantom power supply" to the microphone (simultaneous transmission of DC power and information signals over the same wires). Some models of electret microphones are equipped with their own independent power source (batteries or batteries). Electret microphones use a three-wire (less often two-wire) line
The advantages of electret microphones include relatively small dimensions, low cost and a significant signal transmission distance (up to several kilometers). The disadvantages are the need to power the device.
In addition, since electret microphones use semiconductor electronic components in their assemblies, they can be easily detected by non-linear location during search operations. This circumstance can also be attributed to disadvantages.
Some types of electret microphone assemblies are shown in the figure.

electret_microphones

3.2.2      Detection and localization of dynamic microphone

Source Data

Results of visual inspection and preliminary stage

Device and accessories

Wire Line analyzer ST301 (modes «LFA» and «Switch»)

Electronic switch

Connection cable (in accordance with the type of line)

Control sound emitter

Headphones

Installation instruments

Search premises

Place of checkup

Adjacent rooms

Checkup wire lines

Regular low-current lines (if there is a free pair) and low-current wires of "unknown" purpose that are installed in the premises being checked and adjacent to it

 

3.2.2.1   Detection of dynamic microphone in manual mode
As a channel of transmission, can be used:
• two-wire dedicated transit line
• a two-wire dedicated line terminated with an outlet or connector
• multi-core dedicated transit line
• multi-core dedicated line terminated with a socket or connector
• multi-core regular (telephone, LAN, etc.), which has unused pairs.
Depending on which of the listed options occurs the following options are used for connecting the analyzer to the line being checked:

Type of wire lines

Ways of connection

two line highlighted transit line

- probe clip piercer

multi-wire highlighted transit line

two line highlighted lines, ended with a socket or jack.

- probe-clip piercer,

- to the RJ45 socket of the switch with a cable,

- to the RJ45 socket of the switch directly

multi wire highlighted line, ended with a socket or jack

Multiwire stated (telephone, LAN, etc.) having unused pairs

a) Determine the location of the most convenient connection to the line. Such a place can be a socket, the end of the cable (with or without a connector), a junction box, a cross-block, a shield, etc. If the line does not have the equipment listed above, you must carefully open the external insulation of the cable, providing access directly to the wires.
b) prepare the ST301 analyzer for operation. Connect headphones.
c) turn on ST301
d) Connect the device to the line pair being tested.
Turn On the Acoustic Emitter in the search premise. It is recommended to install the Acoustic Emitter  in a place of most possible concentration of people during negotiations.
The localization of the observed dynamic microphone
When establishing the presence of a dynamic microphone in the tested room connected to a known pair of wires of the tested cable, you should find out where it is installed. The dynamic microphone is not a non-linear element, and its connection to the line is consistent. Based on this, it is impractical to use a non-linear locator and a reflectometer for its localization.
Localization can be performed using the ICS. This operation will require two people. One will control the signal using the ST301, and the other will move the ICS around the room.
In the room being checked, you need to reduce the volume level of the icz. ST301 is connected to the pair of wires on which the microphone was detected. The signal is monitored via headphones. By moving the ICS around the room, the signal level in the headphones is controlled. The approximate location of the microphone installation will coincide with the place where the sound level and quality (in headphones) of the ICS were recorded at the maximum.
The localization of the observed electret microphone
Upon inspection of a multiwire cable if the consumer is detected on one of the pairs. It is necessary to check it out.
It is important to remember to check out all the pairs, dispite wheter there is a consumer there or not. 
Turn On the Acoustic Emitter and select the pair under question.  Supply the bias voltage until the emitted sound is heared.
After the specialized sound is heared take the Acoustic emitter and move around the room. Upon close and clear sound detection, the operator can determin the area where the electret microphone is situated. 
More information about the search recommendations using ST-301"SPIDER" You can find in our other publication, link below:

https://www.selcomsecurity.com/en/our-publications/item/733-practical-review-of-the-st-301-capabilities

The building's power grid and its elements can be used by an attacker to install and power embedded devices, as well as transmit intercepted information. Wired hidden audio monitoring systems are designed for covert removal and transmission of audio information over wired lines. Audio information signals are received by special receivers. The products are designed to control the acoustic environment of the room with the transmission of information via wired communication lines: AC-220 V 50 Hz (KPL-S) or telephone network on subcarrier frequencies (KPL-T). Reception of the transmitted information is carried out on a special receiving device that allows you to receive a signal from three information transmitters. The receiver is equipped with sockets for connecting headsets, a tape recorder, and an external power source. In addition, embedded devices can be camouflaged under a socket, tee-socket, various adapters, in lamps, electric lamps, floor lamps, etc.some embedded devices are produced without camouflage so that the consumer can install them at their discretion. Embedded devices associated with the grid, can be divided into two groups: - embedded devices providing control of acoustic information space with the transmission of intercepted information in power network; - radionuclide device that allows for room monitoring powered by mains and transmission of the intercepted information over the air. One of the essential features of such embedded devices is their unlimited operation time (as long as there is a power supply network). Camouflaged for devices that are widely used in everyday life and work, such as extension cords, tees, wall lamps and other household electrical appliances, such embedded devices can easily be "embedded" in the room of interest. In such devices, the acoustic channel of the microphone is performed as structural gaps of the device, into which the bookmark is camouflaged. The dimensions of camouflage devices ensure the location of transmitting devices and, if necessary, antenna systems. All camouflage devices retain their direct purpose. The inclusion of embedded devices is provided, as a rule, by including a camouflage device (extension cable, tee, etc.) in the network. However, there are a number of limitations for such devices. For example, it is not recommended to use the product for connecting devices with high power consumption (more than 0.5 kW), as otherwise the network background may appear in the acoustic channel. It is not recommended to install a radio microphone near sources of acoustic interference such as a refrigerator, fan, transformer, TV, etc. To ensure greater secrecy of embedded devices, remote control is used, which allows you to turn on the embedded device only for the necessary time. 

 

CONTACTS

Address:
Silutes pl. 2 (Office No 525, 5th floor),
Klaipeda 91111, Lithuania
Phone: +370 655 08288, +370 655 08286
Fax: +370 46 411353
E-mail: info@selcomsecurity.com
zemelapis