A Surprising Feature in the NSA’s Radar Bugs: A Neurophone!

The “I’m gonna blow your fucking mind” part of Appelbaum’s 30c3 talk, by now the stuff of Internet legend, was, as I mentioned before, about radar bugs. And it just so happens that to do this, the NSA uses an invention I reverse-engineered and posted here!

First, the NSA’s “radar bugs” are electronic versions of Theremin’s “Great Seal” cavity resonator. (If you don’t know what the “Great Seal bug” is, go look it up. Then give yourself twenty lashes for having missed the most commonly told anecdote in TSCM history.)

What the Soviets did with some carefully machined plastic and metal, the NSA does with electronics. Beam in a 1-4GHz radar signal, up to 450MHz bandwidth and around 2W power, and look at the reflection. (Those stats are from the newer PHOTOANGLO[1] system; the up-to-1kW system Appelbaum talked about has been end-of-lifed.)

Roughly: This technology was invented by the Russians, complained about bitterly by the Americans in their Moscow embassy, modified by the Americans, and variants have been rumored in TSCM circles for some time.

(Notably, I’ve mentioned several times the “passive” version of this, which requires no radar at all — where the local RF transmitter of a cell phone illuminates the onboard phone circuitry, exposing encryption keys! Transponderless “active” versions are also well known.)

In other words, the Russians invented this, and the Americans are OK with this technology falling into foreign hands. (cf. “off the shelf parts so deniable it’s NSA”) Which is probably why Snowden felt OK leaking it.

But, that’s only half of it.

What made me do a bit of a double-take was how they encode the signal. From the LOUDAUTO data sheet:

“Room audio is picked up by the microphone and converted into an analog electrical signal. This signal is used to pulse position modulate (PPM) a square wave signal running at a pre-set frequency. This square wave is used to turn a FET (field effect transistor) on and off. When the unit is illuminated with a CW signal from a nearby radar unit, the illuminating signal is amplitude-modulated with the PPM square wave. This signal is re-radiated, where it is picked up by the radar, then processed to recover the room audio. Processing is currently performed by [commercial off-the-shelf] equipment with FM demodulation capability (Rohde & Schwarz FSH-series portable spectrum analyzers, etc). LOUDAUTO is part of the ANGRYNEIGHBOR family of radar retro-reflectors.”

That’s right, kids, when the NSA beams radar into your apartment, they call it an ANGRYNEIGHBOR attack!

I digress. The key part is the encoding: using a pulse position modulated square wave to transmit audio was patented in 1972 by G. Patrick Flanagan, as part of his “Neurophone.” [2] I’ve posted my modernized schematic of the Neurophone here before, replacing the transistor stages with TL062 opamps. (It works, but I think I need faster opamps.)

The key benefit for your local ANGRYNEIGHBOR is the low bandwidth. Using Flanagan’s pulse position modulation reduces the bandwidth of an audio signal to about 300Hz (according to the patent).

This is — absolutely — critical to enhancing the range of the system. When you think about it, the reflected signal from a 2W CW radar is absurdly weak. By reducing the BW, it’s possible to pick even a very faint signal “out of the noise.”

(You can transmit around the world using a 5-10W transmitter if you use ultra-low-bandwidth Morse code, but you need much more power if you use voice.)
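The bandwidth argument above, put into numbers. This is an added example, not part of the original post. The 300Hz figure is the one quoted from the patent; the 3kHz voice bandwidth, the 50Hz Morse filter and the 290K reference temperature are assumptions chosen for comparison.

```python
import math

BOLTZMANN = 1.380649e-23  # J/K
T0 = 290.0                # K, standard reference temperature (assumption)

# Bandwidths in Hz. 300 is the figure the post quotes from the patent;
# the other two are assumed typical values, not taken from the post.
PPM_BW = 300.0
VOICE_BW = 3000.0   # assumption: telephone-grade analog voice
MORSE_BW = 50.0     # assumption: narrow receive filter for hand-keyed Morse


def noise_floor_dbm(bandwidth_hz, noise_figure_db=0.0):
    """Thermal noise power kTB in dBm, plus the receiver noise figure."""
    watts = BOLTZMANN * T0 * bandwidth_hz
    return 10 * math.log10(watts / 1e-3) + noise_figure_db


def snr_gain_db(wide_hz, narrow_hz):
    """SNR improvement from narrowing the receive bandwidth."""
    return 10 * math.log10(wide_hz / narrow_hz)


def range_multiplier(gain_db, path_exponent):
    """Range increase bought by gain_db of extra SNR.

    path_exponent is 4 for a reflected (two-way) radar path, where received
    power falls as 1/R^4, and 2 for a one-way radio link (1/R^2).
    """
    return 10 ** (gain_db / (10 * path_exponent))


def equivalent_power_w(power_w, from_hz, to_hz):
    """Power needed in to_hz to match the SNR power_w gives in from_hz."""
    return power_w * to_hz / from_hz


if __name__ == "__main__":
    gain = snr_gain_db(VOICE_BW, PPM_BW)
    print(f"noise floor @ {VOICE_BW:.0f} Hz: {noise_floor_dbm(VOICE_BW):.1f} dBm")
    print(f"noise floor @ {PPM_BW:.0f} Hz:  {noise_floor_dbm(PPM_BW):.1f} dBm")
    print(f"SNR gain from narrowing: {gain:.1f} dB")
    print(f"reflected-path range: x{range_multiplier(gain, 4):.2f}")
    print(f"one-way link range:   x{range_multiplier(gain, 2):.2f}")
    print(f"5 W Morse ~ {equivalent_power_w(5, MORSE_BW, VOICE_BW):.0f} W voice")
```

Because the reflected path loses power as 1/R^4, each 10 dB of SNR buys less than a doubling of range, which is why the narrow bandwidth matters so much to a low-power illuminator.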

The other important thing is Flanagan’s system can be implemented using relatively simple parts or DSP. In this case, that means a very low-power bug using generic off-the-shelf components that aren’t traceable to the NSA.

Still, if you find one of these things, keep it. Getting the Neurophone encoding to work right is NOT easy, and I’ll bet the NSA did a better job of it than I did…

[1] http://freesnowden.is/wp-content/uploads/2013/12/S3224_PHOTOANGLO.jpg

[2] US3647970 – Mar 7, 1972


