How does a Countersurveillance Monitor (a.k.a Bug Detector) works to sweep a room for bugs?
Teardown of the Research Electronics CPM-700
Also a look at the NSA "LoudAuto" radar retro-reflector spy bug, and some cold war era Soviet embassy espionage.
NSA Spy Devices Brochure:
https://www.eff.org/document/20131230-appelbaum-nsa-ant-catalog
Talking Electronics FM Bugs:
http://www.talkingelectronics.com/projects/Fly/Fly.html
Forum: http://www.eevblog.com/forum/blog/eevblog-956-countersurveillance-monitor-teardown/'>http://www.eevblog.com/forum/blog/eevblog-956-countersurveillance-monitor-teardown/
EEVblog Main Web Site: http://www.eevblog.com
The 2nd EEVblog Channel: http://www.youtube.com/EEVblog2
Support the EEVblog through Patreon!
http://www.patreon.com/eevblog
EEVblog Amazon Store (Dave gets a cut):
http://astore.amazon.com/eevblogstore-20
T-Shirts: http://teespring.com/stores/eevblog
๐Ÿ’— Likecoin โ€“ Coins for Likes: https://likecoin.pro/ @eevblog/dil9/hcq3

Hi, it's time for another random tear down from my mailbag shelf and this is a rather interesting bit of kit you don't get to see everyday. This is a Research Electronics inch Ink Counter Surveillance monitor. Yes, counter-surveillance as in a bug detector I'm You know in those spy movies when they sweep for bugs in rooms, this is exactly what they're using. This is the CPM 700 model.

that's what I believe one of the popular units on the market. It's fairly older, dates are from the 80s, but it still be a useful bit of kit today for bug detection and stuff like that. So I thought we'd do a teardown of this thing now. I Was hoping to actually show you this thing working and actually give you a bit of a demo in the lab here of actually finding some bugs because it does actually come with a little arm.

RF Test transmitter and it also comes with a mains powered bug detector receiver. This is a the Australian model. It's got the Australian plug on it and this is our design for detecting bugs that are on your powerlines powerpoints because that's a common place to install your bomb from. You know, aspires to install bugs is like on the back of a PowerPoint or something like that.

and it uses the mains power line to actually transmit and you might be able to pick it up in the next room at the switchboard. Whatever. And they're typically out lower in frequency. And it's got a transmitter, a test transmitter as well that you just plug into the mains and you cannot use this as you know to make sure all your setups working correctly and you're able to detect the bugs.

but it comes with an RF antenna which is one of these are you know telescopic rod antennas like this and it's got a frequency range from about 50 kilohertz up to about 3 gig so it detects over that entire frequency range. Now these things aren't very complex devices, you might think all they sweep over the entire frequency range and do all fancy stuff like that no inside these things as you'll see when I tear down this thing and tear this thing down I'm absolutely sure is that it's just going to have a wideband RF amplifier front end with a diode detector that's basically as complicated as these things really get. but yeah they're interesting bit of kit so it can detect any transmitter be an audio transmitter, video transmitter, whatever it is over. Basically you know anything up to three gigs or there abouts which would cover you know a good lot of us stuff.

So real interesting bit of kit but sadly I've been trying to get this with to work for some time both with the test transmitter and with this test transmitter as well. and it does not work so there's obviously something wrong with it. so sorry about that but hey we can still tear it down. And thanks to who sent this in I couldn't find the mailbag episode that was in and I normally keep them notes.

it came with the original padded bag and everything like that. And yes, we've got the original owners guide as well, which tells you all about our setting up and using this thing. And it also comes with an audio cassette training tape. I Love this.
Do Not play this cassette. In an era which may be a target for eavesdroppers to choose a low-security error. and yeah, read through the owner's manual. anyway.

they've got lots of sage advice in the manual here on how to you know, but how to establishing a game plan may consist of time of entry. You know you've got to do it during business hours so that bugs might be active because they might have timers on there. or you may have to actually set up the east chopper by sort of I Get in luck actually making a plausible fake meeting and then actually you know then maybe they're listening in and then they are. Something's going to happen and we'll switch on our bug or whatever because they might be remote switched on bugs and hence why you won't find them with a general sweep with one of these RF receivers.

it's only when they activate it will they do that. so you might have to bait them and stuff like that and controlled leakages and out of those sweep considerations. there's also it's a cool advice in Daniel it's pretty neat anyway. Yeah, from fifty kilohertz to three gig.

So the way one of these would generally work, you would switch it on like this and then you'd set your input again and then you put it in search mode here. what are we in? Where it? Note: we're in manual monitor mode like that when we set our threshold, but we're in search mode now and you know you can put filter off and on and then we can basically turn up the gain. You should be able to hear that speaker coming out there, so we've got our noise or whatever and you would just go around. You'd have headphones on of course, because you don't want it to feedback.

and for the East dropper to actually know that you've that, you're actually sweeping for bugs and you're listening and stuff like that. See, go around, you know, under tables and under other gear and you know you'd sweep over things. And it's basically it works because it can detect what it can easily detect our local transmitters. So if you've got your transmitter and there you know, tape the wire under there.

it's going to be really quite close. So it's going to get a large RF signal on the thing and they're dead easy to pick up because they have to transmit. So yeah, they're pretty simple devices and we've also got the manual for this test transmitter as well. and it got built-in microphone so you can actually you know, simulate a real audio bug.

Or you can just start set it to a tone which might be able to easy easier to detect and look. It's just one of those um FM transmitters. Nothing fancy, you know, just like one of those talking electronic ones. you know the what's is the two transistor one.

Well, this one's fancy pantsy. We've got a pin 3563 RF transistor there. They've used proper RF transistor instead of like a Bc547c stir amplifier with a tank circuit. Here's an which is formed with the coil there.
Here's a typical wall schematic from my Colin Mitchell from Talking Electronics our fame who I've done a series of interviews which which are absolutely fascinating. Uh, click here. I'll try and include one of those card things if you want to the YouTube card theme pop-up Thanos if you want to watch those Colin Mitchell interviews or it talks about his FM bugs and all sorts of things. So yeah, that's a three transistor Am.

so the first transistor would be used for the microphone again and probably another one for the oscillator and one for the for the tone oscillator and one for the RF transmitter. And that's all she wrote. Bob's your uncle and this particular one works around one hundred and seventy two megahertz. All right.

So let's lift the hood on this thing and see if I am right? Tada! Yep, that doesn't look that complicated. Oh Check out the routing on that the square auto routed type layout. Oh my goodness, nobody's taken pride in that layout whatsoever. Oh, that's a bit of a shocker, but you know it works.

Anyway, we've got a bunch of chips. Are those numbers? Hey Yep, Yep. I think they've rubbed some of the numbers on off. I'll get the macro lens up, but yet not much in this look.

here's our here's our RF input here. Oh there we go. What's down in? there could be a surface meowth Bhaji. Anyway, we'll take a look at that see a couple of art diodes.

We got some diodes here so this is our RF front end by the looks of it. and of course we've got a uh, he rubbed the numbers off the micro for this LCD he rubbed the numbers off these G's These are only going to be like LCD Drivers like give me a break I mean that's just written. That's ridiculous. Anyway, um yeah, they've any way to counter surveillance device you know, Serious professional job and got to rub the numbers off.

Jeez, it's part of the business. Alright, this is a little bit interesting. Here's our BNC input there. comes right in there.

AC coupled surface mount cap. but we've got ourselves a little up. well. ferrite bead there.

What's going on? Are we feeding in a DC signal? perhaps? Um, to the ENC Is there an amplifier in that antenna like a, you know, a masthead type amplifier and the feeding DC up there to parrot and then AC coupling again. We've got a couple of glass diodes in there. You can probably bet your bottom dollar they're Germanium, because you want the lowest job possible. very common to use our Germanium diodes in, you know, RF detector type circuits, then up buggers off down to the board down here and this switch down the bottom.

You can't see it, but there's the switch down the bottom and then that rocks in the filter down here. so it looks like that's what that ship there is doing. It's giving that filter so numbers are rubbed off. can't get it.
they've written, you know their own number on there after rubbing the thing off. but if anyone wants to have a crack at that, actually reverse engineering that front end by all means got four diodes here. Have we got ourselves a bridge there? I Don't think so. Something else is going on now.

we just have a look at the underside here. There's no secret squirrel stuff I going on there, but all the right angle traces. Oh, but yeah, that's you know. somebody's laid out.

This board is not really. you know, high end professional. PCB designer. It's pretty lazy anyway.

uh, right angle traces. All the electrons are just gonna fly off the corner anyway, so there's no funny business going on there. 1988 vintage and Oh somebody scribbled some numbers in there. What's a lot about a Anyway, I Just noticed this.

Look at this completely how you're doing regulator. You can see that they had some holes down here to bolt the regulator or got a bit hot so it just budged in a heatsink like that. Ah, that is terrible. Muriel Awful and looks like there's got almost like a budge resistor there.

We've got another budge resisted coupler bite resistors. They're what's doing there. But like you see, there is not much in this thing at all. No, there is no.

like, you know, surface-mount RF amp or anything on the back of that board. There's nothing down in there, so it's not that it's just going basically straight in. Yeah, they've rubbed the numbers off every single chip in this thing, but as you can see, there's not much. So sorry, it's probably taken some of the magic away.

You might think, oh, you know, only the NSA can develop these bug detectors. And no, it's just an area wideband RF amp with a detector diode and that's you know, pretty much it. Then it's going to detect everything over the range because it's easy for these things. I Mean you've got the antenna.

They only work when they're right next to the antenna. Hence, you have to go round and sweep the room. You don't sweep it in terms of frequency. I Mean it's just checking the entire frequency range at once so you don't sweep it.

in terms of the frequency range you sweep it. In terms of you physically go and sweep the antenna over and under and around every object in the room. and they've got to be transmitting something. Um, you know, otherwise they would have to actually record something for example, and then come back and physically get it later.

That'd be another art method. But yeah, it's got to transmit. And if it's transmitted and it's within the under three gig, this puppy is going to pick it up, no worries. And it doesn't matter whether it's encrypted or anything like that.

You're just looking for any sort of RF r transmission. or in the case of the one for the mains, here, this is fairly low frequency. The Menu: I've also got the manual for this thing. This one's actually 250 kilohertz plus minus 10.
Thank you very much. Not exactly crystal controlled, is it? Hmm. Anyway, plug it into the mains and that would simulate a transmitter that a spy would install. You know that just take out your unscrew your power point.

They might pretend to be an electrician, maintenance person coming in undetected, unscrew the power point and whack a bug behind your power point. So that's why you. That's how you'd find these. You just plug this in and it's just basically just couples that over into your RFR front end.

No worries, and sorry, but they've done a real good job rubbing these chips off. and I've tried the usual techniques: putting spit on it and getting it under the mantis, under different angles of light and stuff like that. Now we're not getting the code. back off those I'm afraid anytime soon.

So yeah, someone would have to Wow reverse-engineer the circuit. They're probably not hot, so obviously there's no, you know, high frequency RF stuff going on around here I don't think. um I wonder where that could be? Hmm. and yep, I was on the money there.

look at that active our amplifier front end. Bingo. So that was. They were feeding voltage up the clacker of that coax and got ourselves a tag tantalum on the bottom there and just a couple of little RF RF amps in there.

they're not RF they. they are our specific amplifier RF amplifier. IC So they would be wideband. you can see as though antenna input AC coupled straight in and of course we're coming feeding power into power and ground into these things and then the output here and you just couple the power off.

just got little lah ferrite beads there and a couple of little resistors and you just tap off the DC voltage. So we've got one night front end amplifier there AC coupled. So we've got two-stage amplification here. The front end of course would be a three gig.

Well, they're both going to be three gig bandwidth ass, but this one would be specifically for amplification of the front end and this one would be a cable driver for driving the coax over there. But that's about all she wrote and I am actually able to get something out of this thing. look I've got my I've got the mic here and there we go. We can get some feedback there and got a tone.

It's more of a buzz than a tone, but anyway can definitely get the feedback there. So and I can turn that off and on so that works. But yeah, it's like if it was just the RF our front end in the probe that had failed then okay I thought Yeah, fair enough, but it doesn't work with this current transmitter either, so it looks like there might be some damage in the other in the front end of this thing as well. So yeah, I was hoping the door real good.

Interesting bug test, but not sorry. The best. we're going to get some feedback. Check this out.
We do have the switching frequency of our LCD here. yeah, but the probe cannot pick up anything so dead as a dodo. I Just find this site interesting that it's a very unsophisticated device for a very sophisticated market. Like yeah, But anyway, anyone can go into the counter-surveillance business I guess.

but it's all about trust. people build up trust in this particular brand model stuff like that. Now interestingly, we can actually have a look at a real NSA bug courtesy of Edward Snowden thank you very much Edie And this is available on the EF F the Electronic Frontier Foundation our website I'll link it in down below it's readily available. Everyone's published this thing and let's there's one thing in here that we're interested in.

and if we have a look down here, it's got all various products and stuff like that and these have been analyzed by all in that sundry these days. But what I'm interested in is this loud auto product here dates from 2009 and here it is. It picks up speech and I stand at office environments. Just a regular bug except that it works differently.

it's not continuously RF transmitting. In this case, it uses very little power. 15 micro amps at 3 volts. So basically our shelf life of the battery.

So you're working the battery and it's going to last you know, five, or even 10 years or whatever depending on the battery. you know, shelf life of a lithium primary battery in there. So now they tell you you know, self discharge is more of an issue basically. So the concept of the operation though is not not just a regular RF amplifier front end.

by the way, it's just have a look at the hand soldering job on that. It looks like it's like almost like a home etched board with you know, really hacked together so that's really quite interesting. They've got a scale there, but the interesting thing is is how it works. It uses a pulse position modulation square wave running at a preset frequency.

They don't tell you what this square wave is used to turn on and when the unit. but this is the interesting part. When the unit is illuminated with the CW signal from a nearby radar unit, then it actually amplitude modulated with that particular square way. So essentially it's a reradiates like an Rfid tag and how other things like that works.

So the neat thing about this is that you're basically if you're went in and did a sweep and nobody was illuminating the room to actually you know the things still running but it's not RF transmitting so it wouldn't be picked up with the type of RF bug detector that we've got here it would date you need it would only do that if you know you were being illuminated with the radar, you know someone's sitting in the black van outside with the you know fiberglass fake side on it with their little you know their RF our radar unit in there and demodulating that so that's you know it's a retro retro reflector. Very interesting our technique but these aren't new. These have been around for decades. In fact, many many decades.
I Bring your attention to the thing as it's called which is a famous bug that was I installed. It was given by the Soviets to the US ambassador to Moscow in 1945. So it's a passive RFID type retro reflector and it wasn't discovered until many decades later or something. I'll link in the article down below.

But the interesting thing. the thing consisted of a tiny capacitive membrane connected to a quarter wavelength antenna. It had no active technology of electronics at all. no power supply.

It was the capacitive membrane was just acting as a microphone modulating that quarter wavelength antenna so that in this case it was around three thirty megahertz or so. And when you and I put a radar onto this thing, it'll modulate back. You get the tiny reflection coming back and they can listen to what was going on inside the embassy. Anyway, this is brilliant bit of a Soviet espionage technology here.

Absolutely fantastic. Dates from 1945. Brilliant. So there you go.

I Hope you enjoyed that quick look inside. One of my random mailbag items. A counter-surveillance monitor. not something you get to see every day.

It's not something you know Joe average would generally get their hands on. although you know they do sell this particular model to you. No paranoid businesspeople and stuff like that. you can actually do sweeping yourself.

This is one of the more popular or was one of the more popular models I Think it is still current, actually still buying as several thousand dollars to buy this you're paying for. You know the niche market and the paranoia and stuff like that. I Mean you know there's not much I mean not much that goes into building this at all. It's the hardware is worth bugger-all There's no software or there's no, you know, fancy pantsy research going into this.

It's just a wideband RF detector front end? That's it and you know then, But they can sell these for a couple of thousand dollars. No worries it. Yeah, sorry, it doesn't work if anyone actually has a schematic or wants to reverse engineer that front end. But this is not going to be a repair video.

Kind of a pain in the ass when you don't have a schematic. that'd be nice. But I'm sure there's no schematic released for this thing because they wouldn't want to reveal the magic of a RF detector anyway. Hope you enjoyed it If you did.

Please give it a big thumbs up. Catch you next time you.

Avatar photo

By YTB

27 thoughts on “Eevblog #956 – countersurveillance monitor teardown”
  1. Avataaar/Circle Created with python_avatars K Richner says:

    Wouldn't a SDR radio do the same thing and more for a lot less money?

  2. Avataaar/Circle Created with python_avatars Nowhereman JK says:

    They forgot to tear the strips off the resistors ;}

  3. Avataaar/Circle Created with python_avatars JJ74Q Formerly Jailbreak says:

    They seen them people coming when they made that thing.

  4. Avataaar/Circle Created with python_avatars Kevin PEAF Smith says:

    OMG. You first tell us you'd like to show it to us working but… then we have to wait for 3 minutes while you waffle on about other things before you actually tell us why you can't show us it working.
    OMG. 1 then you tell us you're going to tear it down and then spend another 4 minutes waffling on before you start tearing it down. OMFG!

  5. Avataaar/Circle Created with python_avatars Gazza Boo says:

    Bit redundant these days when your own phone, computer, TV could be compromised and when bazillions are bugging themselves with Alexa, Siri and Echo. Plus all the security cameras, doorbell surveillance, trackers and everything else people put inside their own homes. It's funny how cold-war paranoia used to be, now everyone almost expect to be bugged and tracked. ๐Ÿ˜‚

  6. Avataaar/Circle Created with python_avatars christopher bรฉkรฉsi says:

    This thing is pretty much useless today when we have so many other devices transmitting signals

  7. Avataaar/Circle Created with python_avatars Anubis jack says:

    in my country is cost 3542,38$

  8. Avataaar/Circle Created with python_avatars Ang Davies says:

    Could it detect things that were hopping around in frequency really fast like bluetooth, such that they were on average below the noise floor?

  9. Avataaar/Circle Created with python_avatars yoppindia says:

    8 pin ic might be an op amp.

  10. Avataaar/Circle Created with python_avatars ExecTech says:

    The white box version was literally from back in the 80's-90's. They improved the circuits many times over the years, moving to a black case in the 90's.
    It has now been long discontinued, but was a staple of bug sweepers for many many years.
    The unit you have is historical and could go into the Spy Museum in Washington DC!

  11. Avataaar/Circle Created with python_avatars ibycus314 says:

    Plot twist….made in China

  12. Avataaar/Circle Created with python_avatars Robin Sattahip says:

    The NSA should get Huawei to make that stuff for them, it wouldn't look like a garage project and would probably still work.

  13. Avataaar/Circle Created with python_avatars Robin Sattahip says:

    fix it

  14. Avataaar/Circle Created with python_avatars pushpendra khaira says:

    It is a diode detector in a box … crystal set technology.

  15. Avataaar/Circle Created with python_avatars VIDEOSUPERHIGHWAY says:

    they rubbed off the numbers off a bunch of 555s, Opamps and 74xx bog standard chips ๐Ÿ˜‚

  16. Avataaar/Circle Created with python_avatars VIDEOSUPERHIGHWAY says:

    Next up, Teardown of OSCOR Blue ๐Ÿ˜‚

  17. Avataaar/Circle Created with python_avatars Jay Cool says:

    That board looks far too massive for the amount of tracks on it etc. Could always fix it and sell it on LOL.

  18. Avataaar/Circle Created with python_avatars Da A says:

    Cold War stuff .gov would pay anything youโ€™d like to charge for devices like that, so they were made as cheaply as possible and sold to .gov at a huge profit.

  19. Avataaar/Circle Created with python_avatars isettech says:

    Did phantom power to the probes fail? Was interested in the common failure of the probes. The BNC seems to react to high level RF, so that seems to be operational. Current practice today is to use a spectrum analyzer with a log periodic antenna.

  20. Avataaar/Circle Created with python_avatars Felenov says:

    Right angle traces, all the electrons just gonna fly off the corner

  21. Avataaar/Circle Created with python_avatars OpenKeith says:

    I actually think square traces look pretty cool.

  22. Avataaar/Circle Created with python_avatars Alexandru Mihai Coroi says:

    Did they ripped off the writings even on the RF transistors from the small amplifier? ๐Ÿ™‚

  23. Avataaar/Circle Created with python_avatars Stone Cold7 says:

    Why are right angle traces bad?

  24. Avataaar/Circle Created with python_avatars Andrew Theodore says:

    Need this.

  25. Avataaar/Circle Created with python_avatars Ricardo Schuchmann says:

    Rubbing the lcd-driver ic numbers off? Even the regulators are sanded? Okay, what's next? sanding the resistors? cut the capacitor shrinkwraps? weld the case shut? Potting the whole unit? Super secret stuff, whohoo.

  26. Avataaar/Circle Created with python_avatars Ricardo Schuchmann says:

    In The Netherlands all police vehicles are equipped with a detector for hidden radar detectors in cars. They are called radar detector-detectors (no kidding} Okay, they only work at some more narrow frequency band, but i think they work quite similair…

  27. Avataaar/Circle Created with python_avatars The Kaiser says:

    Did it detect your mobile or wifi? If not, its rubbish.

Leave a Reply

Your email address will not be published. Required fields are marked *