Don’t Overlook the Threat Posed by Bugs
By TorchStone VP, Scott Stewart
As I go through my daily news feeds, it is not unusual to see items pop up reporting how someone has been arrested after a clandestine video camera was found in a locker room, a hotel room, a changing room, etc. Such stories serve to highlight how cheap and widely available miniaturized video surveillance devices have become. But such technology is not just in the hands of sexual deviants. A wide range of threat actors also have easy access to small, cheap, high-quality video surveillance cameras and audio devices, and I’d like to examine how this reality applies to corporate and personal security.
While a lot of attention and budget is currently being devoted to cybersecurity—and justly so—cyberattacks are just one of the tools in the arsenal of sophisticated criminal or espionage actors. Certainly, they are a handy tool, and in many instances prove to be not only effective but convenient. Cyberattacks can permit an entity to remotely target a company without having to enter the premises, or, in some cases, even the country. Hacks, however, do not always work, especially when the hacking target has a solid cybersecurity program in place.
There is simply some information that hackers can’t access, such as the contents of a discussion held in a physical conference room or office. In such cases, threat actors may have to employ other tools in place of, or in addition to, cyberattacks. These other tools can include recruiting an insider to serve as a human intelligence agent, using an external technical system such as a laser microphone, or planting a surveillance device or “bug” inside the room.
What is said inside a room during a board meeting or a business negotiation can be of interest to a variety of actors, including competitors, state actors, and criminals. A criminal organization that receives inside company information about an upcoming earnings statement, a bankruptcy, or a potential merger can make a great deal of money on the stock market. Internal or external business disputes, labor negotiations, or even marital problems can also generate intense interest in what is being said or done in a particular room.
A Technical Surveillance Counter Measures (TSCM) sweep is the term used to denote searching a location for bugs. To get an idea of what TSCM sweeps are turning up today, I called my friend Rob Kimmons, the president of Kimmons Investigative Services, a Houston-based company specializing in TSCM sweeps. Rob has been conducting TSCM sweeps for over 25 years and conducts approximately 100 of them a year. While Rob is very protective of his clients’ privacy, he agreed to talk to me in very general terms. He advises that in about 5-6 percent of the TSCM sweeps his company conducts, they encounter some sort of listening or video device. The numbers are even higher for vehicle trackers, which are discovered in some 12 percent of their TSCM sweeps.
Rob advises that the miniaturization of electronics that we have seen in recent decades has also allowed surveillance devices to become smaller, cheaper, and more capable. For example, a few years ago car trackers used to be about the size of a VHS tape. Today they can be about one-quarter the size of a pack of cigarettes—and at the same time are far less expensive; a decent quality tracker can be purchased for as little as $100. In fact, many of these devices have become so inexpensive that they are considered expendable, and those who plant them don’t even make an effort to retrieve them. In many cases, retrieval of a bug would also increase the hostile actor’s chances of being discovered, making retrieval even less attractive.
Today, miniature high-quality audio and video surveillance devices are readily available at spy stores and on the internet. The ease of obtaining these devices, their low cost, and their user-friendliness have combined to lower the bar of entry for those wishing to use them. (This explains why they are so commonly used by sexual deviants.)
The mass-produced and accessible nature of these bugs means that they are used by a wide variety of threat actors, making it difficult to trace them back to a specific perpetrator when discovered. This means that it is often difficult to identify, much less bring legal charges against, a suspect for planting the device. Because of these factors, there are many more bugs being discovered today than there are people being charged for placing them, and victims tend to quietly cover up cases where there is no chance of obtaining a conviction.
My friend Fred Burton recently interviewed Rob Kimmons on the Ontic Protective Intelligence podcast. During their discussion, Rob provided a detailed account of how he conducts a TSCM sweep, as well as describing some of the devices he commonly finds during sweeps.
Bugs can be hidden in many common office items—including electrical outlets, power strips, phone chargers, USB cords, and thumb drives. They can also be placed in more traditional items such as lamps, clocks, and smoke detectors. For an added cost, spy shops and bug manufacturers can even build an audio or video device into a custom item, such as a specific piece of art or furniture. These devices can be hardwired, use internal storage devices such as micro-SD cards to store audio and video files, or they can transmit via Bluetooth, cellular signals, or Wi-Fi.
Rob advises that due to the rapid technological advancements, his company has been forced to buy at least one new piece of detection equipment every year to keep pace.
Countering the Threat
The threat posed by technical devices is more dire than ever, but there are steps that can be taken to mitigate the threat. Perhaps the first thing that can be done is to raise awareness of the threat and the types of devices that can be used. That way individuals who notice new, out-of-place, or suspicious items in sensitive areas can report them.
Secondly, TSCM sweeps should be conducted periodically to check for the presence of devices. Sweeps should cover the homes, offices, and vehicles of key executives, as well as any corporate facilities where sensitive research and development takes place. A competent TSCM vendor will conduct a thorough physical search of the space being swept and will also use a number of different instruments, such as a spectrum analyzer, a non-linear junction detector, and an advanced near-field detection receiver, to search for transmitters or hardwired surveillance devices. Beware of any vendor who claims to have a single box or wand that can detect any bug. There is no such magical device.
While TSCM sweeps should be conducted unannounced and at unpredictable times to avoid alerting hostile actors who can turn off or remove devices, the knowledge that TSCM searches are being conducted can often prove a strong deterrent.
In addition to TSCM sweeps, it is also important to monitor anything brought into areas where sensitive discussions are conducted, such as furniture, electronic items, or even decorations. It is also important to limit the number of people with access to sensitive areas and to heavily vet those who are to be given access, including construction, maintenance, or cleaning crews.
Finally, the threat posed by bugs illustrates the danger of creating corporate security silos between physical and cybersecurity operations. Threat actors will use a variety of espionage tools to get information, and their efforts will often span the physical/cyber divide. Cyber and physical security operations must be conducted hand-in-glove in order to counter determined threat actors and their diverse array of espionage tools.