If you ever watch a spy movie, you’ve doubtlessly seen some nameless tech character sweep a room for bugs using some kind of detector and either declare it clean or find the hidden microphone in the lamp. Of course, as a hacker, you have to start thinking about how that would work. If you had a bug that transmits all the time, that’s easy. The lamp probably shouldn’t be emitting RF energy all the time, so that’s easy to detect and a dead give away. But what if the bug were more sophisticated? Maybe it wakes up every hour and beams its data home. Or perhaps it records to memory and doesn’t transmit anything. What then?
High-end bug detectors have another technique they use that claims to be able to find active device junctions. These are called Nonlinear Junction Detectors (NLJD). Spy agencies in the United States, Russian and China have been known to use them and prisons employ them to find cell phones. Their claim to fame is the device doesn’t have to be turned on for detection to occur. You can see a video of a commercial NLJD, below
The idea behind an NLJD is to flood a volume with an RF signal at a particular frequency. Normal insulators and conductors in the area won’t alter the signal. However, anything that has a nonlinear response — like a diode junction — will emit harmonics. They might be at a low level, but if you can detect the harmonics, you can identify these junctions.
Sounds simple, but the RF has to be powerful enough to get there and produce a harmonic you can detect. It also shouldn’t be so powerful that you can’t localize the volume or — extremely — that it would damage circuits. The other problem is that any dissimilar metal junction will exhibit nonlinear behavior. So in addition to bugs and cell phones, you’ll detect rusty nails and similar items.
You can get an overview of how a pro uses an NLJD. It is a little more involved than in the movies. In broad terms, the operator gets an idea of any radio sources in the area first, to try to avoid false positives. Apparently, by looking at the ratio of the second and third harmonics, an experienced operator (or a smart computer) can differentiate between a rusty nail and a real piece of electronic equipment.
Off the Shelf
You can buy NLJDs off the shelf. They aren’t cheap though. Even on the usual Chinese import sites, the good-looking models run about $10,000. The more mainstream versions all want you to ask for the price and we decided not to get on any CIA watch lists by asking. We did see an Orion listed for over $14,000.
Of course, the commercial units have other features, but that’s still a lot of money. You’d like to think a clever hacker could do better.
There aren’t many homebrew NLJDs and we don’t know why. The only clear example we could find was on an unusual site full of underground projects. It says under development and doesn’t show any examples of it in use, so we don’t know if it performs well or not.
There are detailed photos of the construction, though and quite a bit of data, so it seems like the device exists.
Don’t forget to look at part two of the post. There’s some example software at the bottom of that page for the Basic Stamp II, so while it would not be trivial to replicate, it does look like there’s enough info there to experiment if you are interested.
Spy vs Spy
The NLJD wasn’t originally a spy device. [Charles Bovill] invented it during World War II for discovering corrosion below painted surfaces on airplanes. However, the spy use of it became evident. So much so that, since around 1968, CIA devices like the SRT-107 seen here have special filters in them to shunt the probe signal to ground.
So for serious spies, the NLJD might not be very useful anymore even though more common bugging devices might still be susceptible to detection. However, there’s a bigger reason these aren’t as useful as they once were. With computers and cell phones everywhere, you really don’t need to plant a bug anymore, do you? You just need to compromise the subject’s device and in many ways, that’s even easier to do.
Covert bugging is nothing new. The amount of tech that goes into hiding them and finding them is a largely unknown race that might even dwarf the space race.