Covert listening device with SC audio masking
The OPEC bug ¹ is a small, sophisticated
covert listening device (bug)
that was discovered in the late 1970s in a meeting room at the headquarters
of the Organization of the Petroleum Exporting Countries
(OPEC) in Vienna (Austria).
The device was installed behind the wiring of the PA system. Its
discovery by the Austrian Funküberwachung (Radio Monitoring Service)
caused great upset [1].
|
Contrary to other types of bugs of the era, it does not have to be connected
to the wiring of the PA. Instead it picks up the electromagnetic field that
surrounds the wiring and amplifies it,
which makes it far more difficult to detect.
The OPEC bug emits its signal on a frequency near 600 MHz in Frequency
Modulation (FM). To make its discovery even more difficult, the audio signal
is masked by modulating it onto
a 12.5 kHz subcarrier (SC) first. This means that if the
600 MHz radio signal is intercepted at all, the eavesdropper will only hear
a silent carrier.
|
|
|
Silent carriers are often ignored as they are commonly caused by domestic
equipment or by a spurious (unwanted) by-product of the intercept receiver
itself. Bugs that are modulated twice are commonly known as
subcarrier bugs or SC bugs, and are known to
defeat standard receivers.
|
The OPEC bug is even more sophisticated, as a strong 50 Hz hum is injected
into the device's baseband signal, in order to
mask its presence.
The 50 Hz hum will likely make an eavesdropper believe that
the intercepted signal is interference caused by a domestic appliance
(which is usually powered from the 50 Hz mains). This indicates the
involvement of a very professional party.
Bugging the OPEC is not unique to the 1970s.
In 1997 bugs were found in the walls of the Marriott Hotel
in Vienna, in rooms that were frequently used by oil
ministers and OPEC delegates [6].
The Austrian police assume that they were planted by
a foreign intelligence service
to eavesdrop on Iraqi and Iranian OPEC delegates [6].
It was suggested that the CIA might have been behind it.
In 2010, NSA whistle-blower Edward Snowden revealed that the
computers at the OPEC headquarters in Vienna were infiltrated by both the
British GCHQ and the American NSA,
who had bugged the computers of nine OPEC employees and
monitored the General Secretary of OPEC [7].
|
1. As the official name and/or model of this bug and its origin are
currently unknown, we have decided to identify it with the nickname
OPEC bug, after the place where it was discovered.
|
The OPEC bug
measures just 109 x 19 x 5 mm and is housed in a silver-plated
brass enclosure that consists of two U-shaped halves. After removing two
1 mm screws from the top half, the interior is exposed. Inside the bug are two
small PCBs, each with a teflon substrate and gold-plated copper tracks.
In between the two PCBs are a few DC power-related components.
Power is applied to the green feedthrough capacitor at one of the long
sides (here visible at the top) via two resistors. In between the two PCBs
is a 5.6V zener diode and a 22µF capacitor that stabilizes the power. At the
left is the modulator PCB that consists of three parts: a pre-amplifier (left), a VCO (the white chip at the centre), and a 50 Hz hum generator (right).
At the far right is the transmitter PCB which consists of a free-running
single-transistor oscillator. The modulated signal (hum + subcarrier/audio)
is applied to the transmitter via the purple wire at the centre.
The OPEC bug is clearly constructed from more or less standard parts or
modules that can easily be adapted for a specific application.
The pre-amplifier is extremely tolerant and can be used for microphone
signals as well. It is adapted here for connection of a pickup coil, by
adding a couple of external parts. The transmitter is another standard part
that can also be used stand-alone. The PCBs are normally powered by a stable
source between 5 and 6V DC. In between the two PCBs are a few components
that allow the bug to be powered by an external 20-30V DC source.
|
It is currently unclear who developed and installed the bug at the
OPEC
headquarters and why, but by looking at the overall design, the era in
which it was developed and the (rare) components that were used, we can
make a few observations. First of all, rather high-quality PCB material
is used, consisting of a teflon substrate and gold-plated copper tracks.
A rather strange type of varicap
is used in the RF oscillator.
It looks like a ceramic capacitor that is placed on its side.
|
The ceramic capacitors are made by American Technical Ceramics (ATC).
Subminiature resistors are used, probably because small SMD resistors
were not yet available or would have occupied too much space. The use of
these components hints at a US (or US-supported) manufacturer.
The VCO is based on the 4046 [a] phase-locked loop (PLL) ¹ [4],
which was developed by RCA
in 1972 [b], but was not generally available
until the mid-70s. It is housed in a ceramic package,
which suggests a very early (probably military
or prototype) implementation, from around 1972.
|
|
|
The use of early SMD ² transistors at a time when these were not yet available
on the civil market indicates the involvement of a high-profile
intelligence agency, such as the CIA.
The RF transistor, however, is a BFR92 (marked as P1) [c],
which is a European part, just like the improvised
BZY88C zener diode in between the two boards.
Some of the other components are clearly made in Israel.
As suitable American alternatives were available for these parts,
it seems unlikely that the device was made in the US.
It is possible that the device was made for the CIA, but it is
also possible that it was produced by another party who used components
from all over the world, in order to hide its true origin.
There is currently insufficient evidence to conclusively determine
the bug's origin.
|
1. Only the VCO part of the 4046 chip is used.
2. SMD = Surface Mount Device.
|
Although it is possible to pick up the signal of an SC bug with a standard
intercept receiver, the eavesdropper will only hear a silent carrier,
or in the case of the OPEC bug a strong 50 Hz hum, which
is likely to be discarded as a spurious signal from the intercept receiver
itself or as radio frequency interference (RFI)
caused by a domestic appliance in the vicinity of the monitored room.
|
In order to pick up and demodulate an SC bug, special receivers were developed
that had two cascaded demodulators. The first (standard) demodulator yields
the silent carrier, which is in fact a high-frequency audio tone (12.5 kHz
in this case) that is modulated with the actual audio signal. The second
demodulator is then used to reveal the original audio by removing the carrier.
The image on the right shows a
Scanlock Mark VB receiver
made by Audiotel in the UK.
When it was introduced around 1978, it was one of the first receivers ¹
capable of intercepting SC bugs.
|
|
|
The Scanlock receiver scans the entire frequency spectrum between 10 MHz
and 2 GHz in just a few seconds, and automatically locks onto the strongest
signal in its vicinity. Furthermore, it can automatically establish the
frequency of the subcarrier (if present) and adjust its SC demodulator
accordingly. This automatic behaviour makes the
Scanlock one of the best
bug tracers of the era.
It is even capable of demodulating the OPEC bug,
despite the strong injected 50 Hz hum signal.
|
1. The Scanlock Mark 3, introduced in 1976, was also capable of demodulating
SC bugs, but this was a manual process. In the Scanlock Mark VB,
recovering the subcarrier frequency was an automatic process.
|
The signal from the pickup coil (fa)
is first amplified in a high-gain pre-amplifier (> 40dB)
and then fed to the input of a Voltage Controlled Oscillator (VCO)
with a base frequency of 12.5 kHz. This 12.5 kHz is the so-called
subcarrier signal (fsc). The result is a Frequency Modulated (FM) signal.
Normally this results in a seemingly silent carrier. In this case
however, the SC/FM signal is masked by adding a much stronger 50 Hz
sinewave signal to it (fb).
This is done to confuse an eavesdropper, who might think that he is listening
to interference from a domestic appliance.
In fact, the 50 Hz hum is modulated so strongly that it results in a wideband
FM signal (WFM) with a bandwidth of approx. 1 MHz. As a result, the
faint SC/FM signal is virtually invisible, even on a spectrum analyser.
It can only be seen by doing an FFT analysis on the demodulated signal.
The output of the modulator (50 Hz + SC/FM) is fed to the separate
transmitter PCB, which is actually a free-running oscillator
built around a single BFR92 transistor
[c]. The oscillator is Frequency Modulated (FM) by means of a varicap.
This results in a double-modulated FM signal.
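The spectrum analysis of the demodulated signal and the second demodulation stage described above, as an added example for sweep (TSCM) work that is not part of the original page. The sample rate, the amplitudes, the modulation index and the 1 kHz tone standing in for room audio are assumptions, and the baseband signal is constructed in the code.

```python
import cmath
import math

FS = 100_000   # sample rate of the first demodulator's output (assumed)
N = 10_000     # 0.1 s of samples, i.e. 10 Hz frequency resolution

def make_baseband(f_audio=1000.0, f_sc=12_500.0, hum=1.0, sc=0.05, beta=0.5):
    """Constructed test signal: strong 50 Hz hum plus a weak FM subcarrier."""
    two_pi = 2 * math.pi
    return [hum * math.sin(two_pi * 50 * n / FS)
            + sc * math.cos(two_pi * f_sc * n / FS
                            + beta * math.sin(two_pi * f_audio * n / FS))
            for n in range(N)]

def bin_power(x, f):
    """Power of x at frequency f (one DFT bin, evaluated directly)."""
    step, phasor, acc = cmath.exp(-2j * math.pi * f / FS), 1 + 0j, 0j
    for s in x:
        acc += s * phasor
        phasor *= step
    return abs(acc) ** 2

def strongest(x, freqs):
    """Frequency from freqs at which x carries the most power."""
    return max(freqs, key=lambda f: bin_power(x, f))

def smooth(z, length):
    """Moving average: a crude low-pass with nulls at multiples of FS/length."""
    return [sum(z[i:i + length]) / length for i in range(len(z) - length + 1)]

def second_demod(x, f_sc):
    """Mix the subcarrier down to 0 Hz, low-pass, and take the phase slope."""
    z = [s * cmath.exp(-2j * math.pi * f_sc * n / FS) for n, s in enumerate(x)]
    length = round(FS / f_sc)   # null at or near f_sc, where the hum lands
    z = smooth(smooth(z, length), length)
    return [cmath.phase(b * a.conjugate()) for a, b in zip(z, z[1:])]

def analyse(x):
    """Return (tone a plain FM receiver presents, subcarrier, recovered audio)."""
    heard = strongest(x, range(10, 501, 10))
    f_sc = strongest(x, range(5_000, 20_001, 500))   # search above the hum
    audio = second_demod(x, f_sc)
    return heard, f_sc, strongest(audio, range(100, 4_001, 100))

if __name__ == "__main__":
    print(analyse(make_baseband()))
```

A single demodulation stage presents only the 50 Hz hum; the subcarrier shows up in the spectrum of the demodulated signal, and the room audio only after the second stage.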
|
Reverse engineering the OPEC bug is difficult but not impossible.
The PCBs are single sided and the resistors are all colour coded.
The major problem is that the active components (i.e. the IC, the diodes,
and the transistors) do not have any useful markings on them,
which means that we had to measure them out and make a few educated
guesses. Below is the full circuit diagram.
At the top right is the actual 600 MHz FM transmitter. To the left of
the transmitter is a small power circuit that allows the bug to be powered
by a 20 - 30V DC source. At the bottom is the modulator, which consists of
a 40dB pre-amplifier, a subcarrier FM modulator (i.e. the VCO of the
CD4046), and a 50 Hz hum generator (in the middle)
that is based on a Wien bridge oscillator.
The signals from the hum generator and the SC modulator are added
in such a way that the 50 Hz hum signal dominates. The resulting signal
is then fed to the modulator input (M) of the transmitter,
where it is once again frequency modulated (FM) onto a 600 MHz RF carrier
(varicap).
|
A slotted coil is used to pick up the alternating magnetic field around
a speaker cable of the PA system. The wires do not have to be split.
The block diagram above shows how this works. When a current (i) flows through
the wire, this induces a magnetic field (H), which will in turn induce a
current (i') in the pickup coil. The coil is actually a high-impedance current transformer.
The coil consists of a ferrite core, with a high number of very thin
copper windings. The DC resistance of the coil is approx. 40Ω.
The coil is encapsulated in a brass cylinder. This is done to avoid
interference from electrical fields, which may cause hum.
The cylinder has a slot over its full length to avoid a magnetic short
circuit. Without this slot the pickup coil would not work.
One of the speaker wires of the PA system is guided past the coil
at a 90° angle, as indicated in the drawing above. In practice, the
coil is sensitive enough to provide a clear hum-free signal, even when
it is several centimetres away from the audio cable. This means that the
bug could be hidden inside the wall behind the cabling, or outside the
PVC tube through which the cables run.
|
Device: Covert listening device (bug)
Purpose: Room overhearing
Developer: Unknown
User: Unknown
Found at: OPEC, Vienna (Austria)
Frequency: 600 MHz
Modulation: FM
Subcarrier: 12.5 kHz, FM
Pre-amplifier: > 40dB
Output: 20 mW
Masking: 50 Hz sinewave
Power: 20V DC (internally 5V)
Dimensions: 109 x 19 x 5 mm (without pickup coil)
Pickup coil: 30 x 5 mm
Weight: 28 gram
|
OPEC: Organization of the Petroleum Exporting Countries
International intergovernmental organization of petroleum (oil) exporting
countries, founded in 1960 in Baghdad (Iraq), to coordinate and unify the
petroleum policies of its member states and ensure stabilization of the
oil market in general. By some, the organization is seen as a cartel.
PA: Public Address
General expression for the audio system used during meetings, commonly
consisting of a 100V amplifier, one or more microphones and a (large) number
of loudspeakers.
|
Important events in the history of the OPEC [2]:
1960: First OPEC Meeting in Baghdad (Iraq)
OPEC is founded with its headquarters in Geneva (Switzerland).
1965: OPEC headquarters moved from Geneva to Vienna
After the Swiss government no longer wanted to grant diplomatic immunity
to the OPEC members, the headquarters was moved to Vienna (Austria).
1967: Six-Day War ¹
In reaction to the mobilisation of Egyptian forces along the Israeli border
in the Sinai Peninsula, Israel launched a series of preemptive airstrikes
against Egyptian airfields. Six days later a ceasefire was signed.
1973: Yom Kippur War, Arab Oil Embargo
On Yom Kippur day, 6 October 1973,
an Arab coalition led by Egypt and Syria launched an attack
on the Israeli-occupied territories, marking the start of the
Yom Kippur War ² that lasted until 25 October. After the US had
supplied arms to Israel, some countries of the OPEC announced an oil
embargo against the countries that had supported Israel.
This led to the 1973 oil crisis.
1974: Oil Embargo resolved
The oil crisis had a severe impact on the oil price. By the time the crisis
was over, the price of oil had risen from US$3 per barrel to nearly US$12.
1975: Attack on OPEC Conference
Attack on the semi-annual meeting of OPEC leaders in
Vienna (Austria) by a group of six militants led by Carlos the Jackal.
Also known as the OPEC siege.
1979: Iranian Revolution
1980: Iran-Iraq War (1980-1988)
1990: Iraqi occupation of Kuwait (1990-1991)
2001: 9/11 Attacks on the WTC in New York (USA)
Attacks on the two towers of the World Trade Center (WTC) in New York
on 11 September (9/11) 2001 by (mostly) Saudi hijackers.
2004: Conflict in the Niger Delta (2004-present)
2010: Arab Spring (2010-2012)
2011: Libyan Crisis (2011-present)
2012: International embargo against Iran (2012-2016)
1. Also known as the June War, the 1967 Arab-Israeli War or the
Third Arab-Israeli War.
2. Also known as the Ramadan War, the October War or the
1973 Arab-Israeli War.
© Crypto Museum. Created: Sunday 28 August 2016. Last changed: Tuesday, 19 December 2023 - 11:52 CET.