The Wavecom Eavesdropping Threat
Over the last 3.5 years the 2.4 GHz ISM band has become popular for covert eavesdropping, and hundreds of products are available (legally and illegally) to facilitate the usage of this band.
By far the most popular products are the Wavecom transmitter modules, a consumer product designed to relay a video signal from one room of a house to another and limited to well under a few hundred feet (in reality under 75 ft).
Nearly all of the 2.4 GHz equipment sold starts as the same modules placed in a primitive concealment (such as a clock radio, lamp, or exit sign).
Wavecom is short for "Wireless Audio Video Everywhere Communicator", and refers to a 2.4 GHz RF module made in China by the Chia-Heir Group and commonly sold in the United States under the RF-Link brand name.
The module is available in a host of consumer products, and is often found built into video products illegally available in SpyShops, via mail order, and over the Internet.
The module is available in a variety of configurations including NTSC, PAL, and SECAM, as well as audio only, and both high and low speed data.
The RF signal is FM modulated with a center frequency between 2400 and 2483.5 MHz; however, special order versions are also available in the following bands:
| Band (MHz) | Notes |
| 900-928 | Not Common |
| 2150-2162 | |
| 2300-2500 | |
| 2400-2483.5 | *** Most Common Usage *** |
| 2500-2700 | MSDS Usage |
Antennas are available as either left- or right-hand circular polarized (LHCP is the most popular).
Power amplifiers and high gain antennas are also available that enable considerable (illegal) transmission range.
A frequency expansion board (or PROM) is also available which allows the user to modify the operating parameters of the module to transmit between 2300 and 2700 MHz.
The most popular product is a four channel audio and video system, with the first channel being the most commonly used. Units will always default to channel A on power interruption.
The primary A/V frequencies are listed in the next table and are followed by the first five harmonics in the appropriate column.
| Ch. | Fund. Freq. (GHz) | 1st Harm. | 2nd Harm. | 3rd Harm. | 4th Harm. | 5th Harm. |
| A | 2.411 | 4.822 | 7.233 | 9.644 | 12.055 | 14.466 |
| B | 2.434 | 4.868 | 7.302 | 9.736 | 12.17 | 14.604 |
| C | 2.453 | 4.906 | 7.359 | 9.812 | 12.265 | 14.718 |
| D | 2.473 | 4.946 | 7.419 | 9.892 | 12.365 | 14.838 |
2.411 GHz is the most commonly found frequency.
Typical "Legal" Range
Advertised as "up to 300 feet indoors", 50-75 ft is reasonable
Stock, out of the box, .25 mW (1/4 mile maximum range outdoors)
Common Illegal Modifications
Removal of the 9 dB internal pad, 2 mW power increase (1/2 mile range)
MMIC Mod - increase output to 60 mW
DEMI RF Amp - 2.2 W with 10 mW input
Good feed and 18" dish, +30 dB, 1 W output (range is 3-5 miles)
Transmitter Module - Physical Size and Power Requirements
Physical Size 2.0" x 2.2" x 0.5" (4.7 cubic inches)
Operating Voltage 8 to 9 VDC
Current (typical) 150 mA (.25 mW output)
Additional Components and Subsystems
External "Small Patch" Antenna (8 dB Nominal)
External "Medium Gain" Antenna (10 dB Nominal)
External "Large Patch" Antenna (14 dB Nominal)
External Omnidirectional Antenna (0 gain)
Power Booster
Zero Lux Camera Module (Camera Concealed inside antenna housing)
Added Notes
Wavecom products have channel 3 or 4 RF outputs and baseband A/V (also available with S-Video Y/C component outputs).
A digital video version is rumored to be "in the works" in China, aimed at HDTV and/or Digital TV systems (with a possible bi-directional firewire/P-1394 version due out soon).
OEM Transmitter Modules are available for under $80.00, power amps for $50.00. Often the entire system may be found on sale for $80 - 100 or less.
Output power levels of 100 mW are popular for video eavesdropping; however, the module can be operated as high as 500 mW by only adding a few components (but it presents a serious health hazard, and is a violation of federal law to operate).
Audio only modules are also popular for covert eavesdropping (and are of course illegal).
If a clean feed line is used with a roof-mounted directional antenna, range in a dense urban area can easily be over 5-10 miles (line of sight).
The company also makes a number of other products, which are easily adapted for use as covert eavesdropping devices. While the products cannot be legally sold or imported into the US, they are available from various SpyShops at a premium (the audio eavesdropping modules are the most popular).
Power may be obtained from a native PBX system, alarm circuits, or telephone loop current (provided the power is kept low and a regulator is used).
Wireless RF Module for Input Device
(Keyboard, Mouse, joystick, barcode reader, etc.)
Very popular for computer keyboard, or modem eavesdropping.
| Ch. | Frequency |
| 1 | 2411 MHz |
| 2 | 2420 MHz |
| 3 | 2429 MHz |
| 4 | 2438 MHz |
| 5 | 2447 MHz |
| 6 | 2456 MHz |
| 7 | 2465 MHz |
| 8 | 2474 MHz |
Channel Bandwidth 9 MHz
Modulation FSK
Data Rate 19200 bps (Max.)
Transmit power 0.5mW (EIRP)
Size 55 x 51 x 15.5mm
Wireless RS-232
Popular for Modem eavesdropping
Operating Frequency 2400 - 2483.5 MHz
Modulation GMSK
Modem Method DSSS
Half-duplex - 192 kbps
Chipping Rate 3.127 Mcps
Audio Eavesdropping Transmitter
Channel Frequency 2.400 - 2.4835 GHz
Modulation Type Digital FM
Digital Channel 80 Hz - 8 kHz / -3dB ()
Suggested Countermeasures Protocol
1) Check for any RF energy using a hand held patch antenna (8-14 dB) that feeds into a Wavecom receiver module. Stand in the center of the room, start on channel A, and slowly "paint" the walls and ceiling. Then switch to channel B, C, and D and repeat. This step is important, as a 100-mW transmitter will burn out the front end of a spectrum analyzer if you get too close to it (check with both an LHCP and RHCP antenna).
A small monitor, receiver, and antenna may be attached with Velcro to a ping pong paddle for convenient use (batteries should be used to run the system).
The Wavecom receiver module has excellent sensitivity, but very poor selectivity making it ideal for this TSCM application. This will also detect similar FM video products made by Trango, BMS, E-Sys, HDS, and other companies making 2.4 GHz ISM transmitters.
2) Then use a microwave spectrum analyzer with a highly directional antenna to check from 900 to 2700 MHz and pay very close attention to the 2300 to 2450 MHz areas. (Use a spiral log periodic, wave-guide, or tuned patch antenna attached to a fiberglass painters pole or boom).
To avoid problems with polarization upset a linear polarized antenna may be used instead of a circular polarized antenna (but with reduced sensitivity).
3) Next inspect the frequencies (with a spectrum analyzer) from at least 50 MHz to 40 GHz for any type of harmonic components. The transmitter modules often emit spurious signals at 60-72 MHz unless modified.
4) The receiver is designed to provide a clean video signal with only a -80 dB signal, and the signals tend to bleed over into other channels when pushed to higher power levels.
5) Also keep in mind that you're looking for an FM modulated video signal, not an amplitude modulated video signal, and that the signal has a bandwidth of 20 MHz (which many older spectrum analyzers will be unable to detect).
6) Power levels may be as low as .25 mW, or as high as several watts (100 mW seems to be the more popular lower level for eavesdroppers).
7) Warning: Exposure to high power 2.4 GHz RF fields for any length of time (such as a 25 - 100 mW transmitter) presents a very serious health hazard. (That little video transmitter disguised as a pager or cellular telephone you bought at your local Spy Shop may be silently destroying your kidneys, prostate, spleen, liver, and other internal organs).
8) During the alerting segment of the sweep the above techniques may be repeated except this time the room is darkened, and a flashing light or lamp is introduced into the room (or use a bi-metal lamp flasher from your local hardware store).
A studio strobe (generating at least 1200 watt seconds) may also be used with the trigger signal connected to the time gate of your spectrum analyzer.
9) The products may also be detected by using thermal imaging as they get fairly hot when the power output levels exceed 50 mW.
10) Don't forget that it's an FM SIGNAL!!!
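As an added example (not part of the original page), one way to triage spectrum-analyzer peaks against the channel tables, the 20 MHz FM video bandwidth and the 60-72 MHz spurious range given above. The peak list is constructed, the function names and the -80 dBm floor are assumptions, and harmonic numbering follows the page's table (its "1st Harm." is twice the fundamental).

```python
"""Added example: match sweep peaks against the Wavecom channel plan on this page."""

AV_FUND_MHZ = {"A": 2411.0, "B": 2434.0, "C": 2453.0, "D": 2473.0}
AV_BW_MHZ = 20.0                 # FM video bandwidth given in step 5
DATA_FUND_MHZ = {ch: 2411.0 + 9.0 * (ch - 1) for ch in range(1, 9)}
DATA_BW_MHZ = 9.0                # input-device channel bandwidth
SPUR_MHZ = (60.0, 72.0)          # spurious emission range from step 3
EXPANDED_MHZ = (2300.0, 2700.0)  # range reachable with the expansion board


def classify_peak(freq_mhz):
    """Return every reason a peak at freq_mhz matches the page's tables."""
    reasons = []
    for ch, fund in AV_FUND_MHZ.items():
        # The page's "1st Harm." column is 2 x fundamental, "5th Harm." is 6 x.
        for mult in range(1, 7):
            # A harmonic of an FM carrier is mult times as wide as the fundamental.
            if abs(freq_mhz - fund * mult) <= AV_BW_MHZ * mult / 2:
                name = "fundamental" if mult == 1 else f"harmonic {mult - 1}"
                reasons.append(f"A/V channel {ch} {name}")
    for ch, fund in DATA_FUND_MHZ.items():
        if abs(freq_mhz - fund) <= DATA_BW_MHZ / 2:
            reasons.append(f"input-device channel {ch}")
    if SPUR_MHZ[0] <= freq_mhz <= SPUR_MHZ[1]:
        reasons.append("60-72 MHz spurious range")
    if not reasons and EXPANDED_MHZ[0] <= freq_mhz <= EXPANDED_MHZ[1]:
        reasons.append("off-channel, inside 2300-2700 MHz expanded range")
    return reasons


def triage(peaks, floor_dbm=-80.0):
    """Keep peaks at or above floor_dbm (assumed threshold) that match; strongest first."""
    flagged = [(f, lvl, classify_peak(f)) for f, lvl in peaks if lvl >= floor_dbm]
    flagged = [row for row in flagged if row[2]]
    return sorted(flagged, key=lambda row: row[1], reverse=True)


# Constructed sweep data (frequency in MHz, level in dBm); not from a real survey.
SAMPLE_PEAKS = [(66.0, -71.0), (98.1, -40.0), (2412.5, -35.0),
                (2350.0, -60.0), (4823.0, -68.0), (2465.0, -95.0)]

if __name__ == "__main__":
    for freq, level, reasons in triage(SAMPLE_PEAKS):
        print(f"{freq:9.1f} MHz {level:6.1f} dBm  {'; '.join(reasons)}")
```

A peak near 2411 MHz matches both A/V channel A and input-device channel 1, so the list of reasons is a prompt for closer inspection of the modulation, not an identification.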
Granite Island Group
127 Eastern Avenue #291
Gloucester, MA 01930
Telephone: (978) 381-9111
International Callers: 001-978-381-9111