SM-9312 Spectrum Monitor
SM-9312 Spectrum Monitor
UHF Tuner SUT-1000C-1
UHF Tuner SUT-1000C-1
VHF Tuner SVT-30C-1
VHF Tuner SVT-30C-1
LF Receiver S302-1
Control Panel Front
Control Panel Rear
To learn what Tempest is see The Complete, Unofficial TEMPEST Information Page or do a Google search on Tempest (Wiki: TEMPEST, Van Eck phreaking, RINT, Markus Kuhn). Since the 1950s it has been known that it was possible to gather information by means of the electromagnetic emanations from some electrical device. An example is that early teletype machines using 20 or 60 ma current loop circuits to feed on line encryption equipment sent signals down the wire in addition to the encrypted information that would allow someone to read the plain text message directly (i.e. without even looking at the encrypted signal). There was a major U.S. project during the cold war where we tunneled under the West German border and tapped a trunk line to get these signals. This is described in the book Wilderness of Mirrors by David C. Martim, Ballantine Books as part of their Espionage/Intelligence Library 1981, ISBN 0-345-29636-2.
Other examples of Tempest attacks are using radio equipment in a van outside someone's office to see what is being displayed on their computer monitor. A newer way to do this is to use a telescope and photo multiplier tube to look at light reflected from the wall or ceiling that's coming from a CRT or LCD and reconstructing the image. Another modern tempest attack is based on looking at the modulation on the "power on" LED and recovering information. Or processing the signals from a cell phone that's near some encryption equipment.
Optical Time-Domain Eavesdropping Risks of CRT Displays by Markus GŁnther Kuhn.
TEMPEST is an acronym for "Telecommunications Electronics Material Protected from Emanating Spurious Transmissions"
CEI and WJ RS-111 receivers - the RS-111 receiver used by Nixon's Watergate team to listen to the bugs is in the same product family as these CEI receivers.
The NSA has recently (9-27-2007) declassified a paper "TEMPEST: A Signal Problem". Bell Labs discovered a problem with the SIGTOT 131-B mixer used to encrypt teletype messages.
These receivers were typically used in conjunction with a screen room (Wiki) and were used to look for radiated and using power line couplers conducted emissions coming from the equipment under test. The signals they were looking for would be strong and so these receivers are not at all good for using with an antenna to hear weak radio signals going over the air.
When looking for weak signals that are continuous wave (Wiki CW) the sensitivity of a receiver depends on how narrow the true bandwidth is. For example the HP 4395A when used as a spectrum analyzer has a true RMS bandwidth of 1 Hz. But for receiving modulated signals the receiver is most sensitive when it's demodulator is matched to the transmitted signal. For example the signal from GPS satellites is below thermal noise on the surface of the Earth, but a GPS receiver can take the wide band signal and pull it out of the noise.
Communications Electronics Inc. (CEI) later bought by Watkins Johnson (WJ) made a test system primarily designed for testing equipment that was to be certified as not having any emanations that could be used to recover any useful data.
From W-J Application Note 1307.50 "RS-125-17 Tempest Receiving System" Introduction:
"The Watkins-Johnson RS-125-17 TEMPEST Receiving System represents a highly versatile arrangement of equipment's designed primarily to meet the TEMPEST measurements requirements of NACSEM-5100. The system is also well suited for spectrum surveillance, electromagnetic surveys range monitoring, propagation studies, electromagnetic pulse (EMP), and analysis of electromagnetic emanations. The RS-125-17 is a manual wide band receiving system providing continuous coverage from 1 kHz to 1 GHz. The system is extendable on the high end of the tuning range for ultimate coverage to 18 GHz."
The mention of "manual" indicats to me that there was work on systems that were under computer control or they already existed.
The system consisted of 3 sloping face rack panels (holding maybe two dozen rack boxes like these) that were above table height with:
I think the equipment on this page with the CEI brand is slightly older than that used in the W-J RS-125-17 TEMPEST Receiving System. Both these CEI boxes and the W-J boxes shown in the app. note have almost identical appearance and function but with minor differences. Note that these CEI boxes use MC (Mega Cycles) and the WJ App note uses MHz (Mega Hertz).
- VLF Receiver and Converter
- HF, VHF and UHF tuners
- IF Demodulators
- Switching hardware
- Display and Monitor Hardware
This 2 rack unit (3.5") high box takes in the 21.4 MHz IF outputs from the tuners and displays a frequency spectrum. If you know the frequency range the tuner is scanning you can recognize the modulation type. For example TV signals look different than FM radio is different form narrow band FM communications signals. Having a spectrum display makes finding signals much easier since you can see where there's activity.
In addition to using this Spectrum Monitor you can also feed the 21.4 MHz IF tuner outputs into a communications receiver that can then demodulate wide and/or narrow FM as is used in most VHF and UHF communications and for TV sound.
Golden age construction, i.e. transistors and mostly Nuvistors.
- Gain - When full CCW it takes a +8 dBm signal for full scale deflection, when max CW it takes a -100 dBm signal for full scale
- Sweep Width - the widest setting (CW) provides (left to right) 22.5 MHz to 20.5 MHz, at about 9 o'clock it's 21.51 to 21.64, and with fully CCW the top of the peak fills the screen.
- Center Freq - allows centering the frequency (different from horizontal position). The center of the range is a little off from 21.4 MHz, but I don't have a manual for this box that tells how to make the centering adjustment.
There are two seperate tuners in this 2 rack unit (3.5") high box, one for 225 to 500 MC and another for 490 to 1000 MC. The SUT-1000B and SUT-1000C each have Slo-Syn motors so that either the front panel multiturn knob or the motor can tune the radio. The motors are designed to scan up and down between two limits. You might call this an early scanner radio. Some say real radios have motors.
The output is a signal at 21.4 MHz that is fed to the Spectrum Display and to Demodulator boxes (which I don't have).
Construction is "Golden Age", that is to say discrete components, transistors and Nuvistors (6CW4, 7077, 7486, 7587 in the front end) on printed circuit boards.
Instruction Manual for Type SUT-1000C Tuner is about 1/2" thick and includes alignment, maintenance, schematics, parts list and the remote modification information.
The front panel band switch was removed when I got these tuners. This was done as part of the motorization option so the the band selection could be remotly controlled from pin "P" (green wire) on the rear panel. Open is low band, -24 VDC for high band.
I replaced the 19 pin MS series connector with barrier strip screw terminals.
There are two seperate tuners in this 2 rack unit (3.5") high box, one for 30 to 60 MC and another for 54 to 260 MC. The B and C versions have Slo-Syn motors like the UHF tuner.
The output is a signal at 21.4 MHz that is fed to the Spectrum Display and to Demodulator boxes.
Instruction Manual for Type VT-30C Tuner (and SVT-30C Tuner) is about 1/2" thick and includes alignment, maintenance, schematics, parts list and the remote modification information.
Construction is "Golden Age", that is to say discrete components, transistors and Nuvistors ( 6CW4s and 7587s in the front end) on printed circuit boards.
This is a 3 rack unit high (5.25") panel. Made mainly to control the CEI tuneers but also to do some other useful control functions.
The band switch also sends DC to the relays in the dual band tuners to select which band they operate on. It also routes the common output from the SP10T antenna switch to the correct Antenna input so the antenna is swithced to the band in use.
- On the left is a home brew SP10T coax switch that was used to allow multiple antennas to be routed to one of the instruments in this system.
- There is a military 600 Ohm speaker to provide a frount mount speaker
- I did not have the LF Receiver at the time I was using this system so included a Palmor Engineers low frequency converter to translate 10 kHz to 500 kHz up into the HF band. So the band switch has a the following positions:
- 10 kHz to 500 kHz
- 50 kHz to 30 MHz (feeds the DR-33C HF receiver)
- 30 to 62 MHz
- 54 to 260 MHz
- 225 to 500 MHz
- 490 to 1000 MHz
- The ON-OFF switch feeds both a wall wart to power the Palmor Engineers converter (instead of a 9 VOlt battery) and the DC supply to drive the band switching relays in the dual band tuners.
This is a 2 rack unit (3.5") high receiver that has a single tuning knob and a single large Slo-Syn motor. There are three bands: 30 to 60 kC, 60 to 140 kC and 140 to 300 kC. There is a front panel 1/4" phone jack and rear panel audio out terminals. I have no manual for this receiver.
While bugs are a different subject, they are related to TEMPEST.
YouTube: The Spying Game - "Walls Have Ears" (Complete)
5:57: The Thing (Wiki) passive cavity resonator
8:04: Using mikes that already are in the room
9:45: Berlin Cable Tap (in Wilderness of Mirrors, see Background above)
13:33: Transistor (Wiki) allow small battery powered RF bugs
18:39: Vietnam outdoor intrusion sensors: TRC-3, ADSID & PSR-1,
20:26: Sweeper (bug hunter) CryptoMuseum: Lee Tracey, "Scanlock", Audiotel,
22:09: Remote turn-on -> Broom Non Linear Junction detector, Charles Bovill,
page created 16 May 2003.