Click for homepage
Audio masking
Audio masking, or just masking, is a technique that is often used with covert listening devices, or bugs, for hiding the intelligence of the intercepted audio (e.g. human speech), from a casual or professional interceptor. In some cases, obscure modulation techniques are used that defeat any non-compatible surveillance receiver. Some of these masking schemes are described below.

The following audio masking techniques are currently covered:

Subcarrier modulation   SC
One of the first and most widespread techniques is the use of subcarrier modulation. It works on the basis that the audible audio signal is modulated onto another audio signal that is well above the audible range. The combined signal is then modulated onto an RF carrier. In its basic form, an interceptor will only hear a silent carrier once the RF signal has been demodulated. The actual audio modulation can only be recovered by demodulating the demodulated signal once more.


With this scheme, Frequency Modulation (FM) is commonly used to add the audio signal to the subcarrier (SC) signal, whilst the combined signal (SC+FM) can be added to the RF with either FM or Amplitude Modulation (AM). The diagram above shows how the modulated subcarrier signal would appear as the two sidebands of an AM signal. Pretty much any frequency above the audible range can be used for the subcarrier. Common SC frequencies are 12.5 kHz, 22 kHz and 40 kHz.


When frequency modulating the carrier with a frequency-modulated subcarrier, the presence of the audio signal is even less noticable, especially when the channel's baseband is modulated with a strong noise or hum signal (see below). In such cases, the contribution of the audio signal is marginal compared to the subcarrier, which itself is marginal compared to the injected noise.

One of the first known uses of subcarrier modulation is in wired telephony, where it was used to send multiple telephone coversations over a single wire pair, thereby effectively increasing the capacity of the network. One of the first uses in covert listening devices was in 1958 with the CIA's Easy Chair Mark III, where it was used to hide the audio. In the later Easy Chair Mark V it was even used to listen to up to three Passive Elements (PEs) in the same target area simultaneously.

SC-modulation is arguably the most commonly used audio masking scheme for professional as well as semi-professional bugs. During the Cold War, it was used heavily by inteligence services like the American CIA and the East-German Stasi. Especially the latter (Stasi) is known to have produced a wide range of telephone and room bugging devices that feature SC-techniques.

Countermeasures
Despite the fact that SC-modulated bugs are often used by intelligence serices, even today, the system is easily defeated with a professional surveillance receiver, or bug tracer. One of the first bug tracers that was able to demodulate an SC signal, was the Scanlock Mark 3 in 1976.

Its successor, the ScanLock Mark VB shown in the image on the right, can even discover the SC frequency automatically and will generally find and demodulate an SC bug within seconds.

 More about the Scanlock range
  

Improved SC modulation
Silent carriers are very difficult to identify, as they are also produced as spurious by-products of domestic equipment, computers and even by the surveillance receiver itself. When scanning a frequency band, it will be difficult to distinguish an SC-modulated bug from a spurious signal.

To make identification of the signal even more difficult, some manufacturers injected noise or a strong 50/60 Hz hum into the signal's base­band, so that the carrier was no longer silent.

A good example of the latter is the bug that was found in the {?OPEC headquarters=../opec/index.htm} in Vienna in the late 1970s. By injecting a very strong 50 Hz hum into the baseband, it was hoped that a sweep team checking the room for bugs, would discard it as interference from a domestic applience or a transformer. Despite the improvement however, this scheme is defeated by a Scanlock receiver.
  

Around 1974, the CIA introduced the SRT-105, a miniature bug with SC audio masking, in which noise was injected into the baseband. When scanning the frequency band, this noise is difficult to distinguish from the background noise that is present in any empty radio channel. Nevertheless, noise-injected SC bugs are just as easily defeated by a Scanlock receiver as normal SC bugs, so they hardly provide any effective protection against discovery by a professional sweep team.

Despite that, and the availabily of other, often superior, masking schemes, the CIA kept using this scheme for many years. In 1981, they even introduced the SRT-153, which was modelled after a discovered device from an adversary.

This suggests that the CIA may have done this deliberately, so that the adversary would be blamed for planting the bugs, whilst the CIA also had other, less easy to find, bugs planted in the same room. There is an unwritten law in the surveillance business, that for every bug that has been found, there are four undiscovered ones.
  

It is also possible that the CIA used subcarrier bugs for less high profile targets, such as civilians. The image above shows the CIA's SRT-153 transmitter, together with the QRR-153 switch receiver, as they were built in 1981 as part of the SRS-153 bugging system. In order to practice with the discovery of SC bugs, Audiotel in the UK introduced the special SCX training transmitter.

Examples of subcarrier bugs
Suitable countermeasures receivers
  1. Noise injected into baseband.
  2. 50 or 60 Hz hum injected into baseband.
  3. 40 kHz subcarrier
  4. 22 kHz subcarrier
  5. 12.5 kHz subcarrier
  6. 24 kHz subcarrier


Double Sideband with Suppressed Carrier   DSBSC
Double Sideband with Suppressed Carrier (DSBSC) is a rarely used audio masking scheme that defeats most bug finding equipment. In most cases, the audio signal is amplitude modulated (AM) onto a carrier above the audible range (e.g. 20 kHz), which in turn is frequency modulated (FM) onto the RF carrier. The 20 kHz subcarrier itself is suppressed, or ideally eliminated.


On a spectrum analyser, the signal will look like any modulated FM signal. However, after demodulating the FM signal, the result is an AF signal that contains speech information well above the audible range. Furthermore, the original sub-carrier (20 kHz) as been removed, as a result of which it cannot be re-inserted automatically by a bug tracer like the Scanlock Mark VB.


The diagram above shows the audio frequency spectrum (AF) after demodulation of the FM radio frequency carrier (RF). The audible range is approx. from 30 to 10,000 Hz (in practice often 30-300 Hz). The AM modulated subcarrier has two sidebands: an upper sideband (USB) and a lower sideband (LSB), but as the subcarrier is removed, the relation between the sidebands and their carrier is lost. The signal can only be recovered in a compatible receiver, in which the 20 kHz carrier is added in again, but for this to work, the recipient has to know the exact frequency.

This masking scheme can be further improved by injecting noise or a strong 50/60 Hz hum in the baseband. This will obscure the (faint) sidebands in the 20 kHz range.

Example of DSBSC bugs
DSBSC compatible receivers
  • SRR-40 with SRT-57 20 kHz demodulator
Triple Pulse   TP
Triple Pulse (TP) is an audio masking technique based on Pulse Position Modulation (PPM), developed around 1964 by the Dutch Radar Laboratory (NRP), for the US Central Intelligence Agency (CIA), as part of a long-term research contract under the codename Easy Chair. This masking scheme was first used with the SRT-52, and is also known as Type 52 or 52 System.


The system takes sound samples at random intervals, under control of a noise generator, and transmits these in pulse position modulation (PPM). In the above diagram, the random samples are shown in red as T1, T2 and T3. Each pulse is enclosed within two reference pulses (green) that have a fixed distance (d). Each pulse has the same width and amplitude. The actual audio intelligence is carried in the position of the red pulse, relative to the two green reference pulses.


Each pulse is approx. 0.5 µs long and resembles a square wave. As a result of this, this type of modulation produces a multitude of sidebands at either side of the carrier. In practice, the band­width of the signal can be up to 100 MHz, especially when in close proximity of the transmitter.

The TP masking scheme was first used in 1969 with the SRT-52, which is why it is also known as Type 52 or System 52. The SRT-52 consists of two or three metal cylindrical enclosures that contain the RF unit, the audio masking unit (also known as the video module) and (optionally) a 110/220V AC mains power supply unit (PSU).

The image on the right shows a genuine SRT-52 set, as used by the CIA. The units can generally be recognised by their blue colour, although some units may seem to be green, due to colourisation of the varnish, caused by aging.
  

The TP masking scheme was only used in the video coder of the SRT-52 that was in production from 1969 to 1971. According to the currently available information, it was not used in any bugs after 1971. The TP scheme was superceeded by the more stable RP and DP masking schemes.

Countermeasures
There are currently no known commercially available surveillance receivers that can readily demodulate a PPM-masked signal. Furthermore, existing bug tracers like the Scanlock range, do not lock onto a PPM signal at all. This means that automatic discovery of the bug is not evident.

The only way to discover the presence of the bug is to search the entire frequency spectrum in the target area manually with a portable spectrum analyser, such as the Rohde & Schwarz FSH-3.

When using it in combination with a directional antenna, such as the HE-100, the spectrum in the building or room under investigation can be searched for the typical fingerprint of the SRT transmitter, which consists of a 6 to 10 MHz wide carrier and several sidebands at either side. The image on the right shows the portable FSH-3 spectrum analyser, with an HE-100 antenna.
  

Once a suspicious signal is found, the directional antenna can be used to find its location, simply by looking for the bearing with the strongest signal and walking towards it. Finding the strongest signal by means of a spectrum analyser is not easy though, even not when it is a portable one.

In such situations, the use of a modern portable surveillance receiver, such as the PR-100 from Rohde & Schwarz, would be more appropriate. The PR-100 is shown in the image on the right, together with the HE-300 directional antenna.

This device has a 10 MHz wide panorama viewer, a waterfall display and an accurate field strength meter with an acoustic indicator (tone). After tuning to the desired frequency, as found with help of the FSH-3, the tone will lead you straight to the transmitter. A test with the PR-100 in our collection showed that this was easily possible.
  

The PR-100 can pick up the signal from the SRT from a distance of at least 100 metres. It is capable of demodulating AM, FM, PM, CW and SSB signals. Although it can be used to locate the SRT transmitter, it can not be used to demodulate its signal, as was to be expected of course.

A quick test with the portable Audiotel Delta-V differential RF detector, shown in the image on the right, immediately revealed the presence of a bug in the room. Due to the low energy density of the PPM bugs, caused by the low signal level and the low duty cycle of the transmitted pulses, the Delta-V has to be closer to the transmitter than normal, before it produces a usable tone.

Once a tone is obtained, the transmitter can be located within seconds, which is remarkable for a simple, small and rather inexpensive tool like this. The one shown here is the Delta-V ECM.
  

It is also remarkable that the Delta-V does not suffer from the strong RF signal from the nearby broadcasting station that has caused us many headaches before. It can be concluded from the above tests, that finding a PPM bug is not evident, but with the right tools it certainly is possible.

Examples of bugs with TP masking
TP compatible receivers

Rejected Pulse   RP
Rejected Pulse (RP) is an audio masking technique based on Pulse Position Modulation (PPM), developed around 1965 by the Dutch Radar Laboratory (NRP), for the US Central Intelligence Agency (CIA), as part of a long-term research contract under the codename Easy Chair. This masking scheme was first used with the SRT-56, and is also known as Type 56 or 56 Modulation. In some internal CIA litarature it is referred to as the Dropped Pulse Audio Masking Scheme.


In this scheme, samples are taken at fixed intervals 'i' (shown in red) and transmitted in Pulse Position Modulation (PPM). Under control of a noise generator, up to five consecutive pulses are rejected (shown in grey), resulting in a noisy pulse pattern. The relative position of each surviving pulse carries the actual intelligence, which can be only recovered in an RP-compatible receiver.


Each pulse is approx. 0.5 µs long and resembles a square wave. As a result of this, this type of modulation produces a multitude of sidebands at either side of the carrier. In practice, the band­width of the signal can be up to 100 MHz, especially when in close proximity of the transmitter.

The RP-masking scheme was first used in 1968 with the SRT-56, and is therefore also known as Type 56 or System 56. An SRT-56 transmitter consists of an RF unit (which is nearly identical to that of the SRT-52), an audio masking unit (video coder) and (optionally) a mains PSU. The PSU could also be replaced by Mercury batteries.

The image on the right shows a typical SRT-56 set, as used by the CIA. It can be identified by its green colour. The RP video coder is at the left. It was later also used as part of the SRT-145 high-band transmitter that operated on 1350 MHz.
  

The RP masking scheme appeared to be reliable and was difficult to crack. As a result it was also used in 1974 in the fully integrated high-band SRT-107 transmitter. Bugs with RP masking can be decoded on nearly all NRP-built surveillance receivers, including the retrofitted SRR-52-M.

Countermeasures
Same as for TP-modulated bugs.

Examples of bugs with RP masking
RP compatible receivers

Dirty Pulse   DP
Dirty Pulse (DP) is an audio masking technique based on Pulse Position Modulation (PPM), developed around 1966 by the Dutch Radar Laboratory (NRP), for the US Central Intelligence Agency (CIA), as part of a long-term research contract under the codename Easy Chair. This masking scheme was first used with the SRT-91, and is also known as Type 91 or 91 System.

Initial version of Dirty Pulse (depricated)

In this scheme, samples are taken at fixed intervals (i) and are transmitted as Pulse Position Modulation (PPM). Under control of a noise generator, the back porch of each pulse is delayed in time by a randomly determined value (r). Only the relative position of the front porch contains intelligence. The spectrum diagram is nearly identical to the previous two schemes.

It was later discovered that when a DP-masked signal was received by an overloaded or blocking receiver, automatic demodulation could occur, as a result of which the transmitter would loose its masking capability. A similar scheme, known as Super Pulse (SP) did not have this drawback as it moved the rising edge of the pulse forward in time. In the end, the Super Pulse masking scheme was renamed Dirty Pulse, and the existing transmitters and receivers were all modified.

Final version of Dirty Pulse (taken from Super Pulse)

In this scheme, samples are taken at fixed intervals (i) and are transmitted as Pulse Position Modulation (PPM). Under control of a noise generator, the front porch of each pulse is moved forward in time by a randomly determined value (r). Only the relative position of the back porch contains intelligence. The spectrum diagram is nearly identical to the previous two schemes.


Each pulse is approx. 0.5 µs long and resembles a square wave. As a result of this, this type of modulation produces a multitude of sidebands at either side of the carrier. In practice, the band­width of the signal can be up to 100 MHz, especially when in close proximity of the transmitter.

The DP masking scheme was first used in 1974 with the SRT-91, which is why it is also known as Type 91 or System 91. Compared to earlier pulse-modulated transmitters, the SRT-91 was very compact and housed both the RF unit and the video encoder in a single rectangular case.

In addition it needed only 2.7V DC power, so that it could be powered by just two mercury battery cells. The image on the right shows a genuine SRT-91, as used by the CIA. It can generally be recognised by its typical grey colour and the colour-coded dots in one of the corners.
  

The DP masking scheme appeared to be reliable and was difficult to crack. As a result it was also used in later transmitters and in transmitters from other manufacturers, such as the SRT-99. As far as we know, there are currently no known commercially available surveillance receivers that can readily demodulate a DP-masked signal. Suitable CIA receivers are the SRR-90 and SRR-91.

Examples of bugs with DP masking
DP compatible receivers

Super Pulse   SP
Super Pulse (SP) is the name of a research project, carried out by the Dutch Radar Laboratory (NRP) on behalf of the CIA, with the aim to develop a sub-miniature transmitter. As part of this project, the Super Pulse audio masking scheme was developed, in which the position of the rising edge of the pulse is masked with noise. This scheme was later renamed to Dirty Pulse (DP).


In a later version of the SP hardware, a digitally coded switch receiver was added to design, allowing the transmitted signal to be turned OFF when surveillance was not required. This saved batteries and minimized the risk of being discovered.

 About the Super Pulse (SP) project



Further information
Any links shown in red are currently unavailable. If you like the information on this website, why not make a donation?
© Crypto Museum. Created: Monday 11 April 2016. Last changed: Sunday, 26 May 2024 - 10:54 CET.
Click for homepage