Re: [TSCM-L] {2191} Detecting Covert GPS Tracking Systems

From: kondrak <kon..._at_phreaker.net>
Date: Fri, 21 Dec 2007 15:49:20 -0500

James M. Atkinson wrote:
> TrimTrac trackers have a priority system where the unit can be set to
> transmit when certain behaviors are observed by the unit. The most
> common of these priorities is the detection of tracker motion
> averaged out based on the dilution of precision (LDOP), such as
> sensing the vehicle or packing in which it is installed being moved by a
> user defined distance, radius, or LDOP (Trimble calls this function
> "Dynamic Motion Filter"). This is perhaps the most common way that a
> tracker of this type will operate as it significantly reduces current
> draw and conserves internal batteries unless the unit is hardwired
> into an external power source. This will increase the battery life by
> two or three times the life that would be expected compared to
> transmitting a normal data burst every 12 to 15 minutes which the
> Trimble trackers use as a factory default or recommended user defined variable.
>
> Transmitting updated positions only when the vehicle is in motion
> further benefits the eavesdropper in that the device is less likely
> to be detected as it occupies less time on the spectrum, and thus
> becomes more challenging to detect. With this in mind the TSCM
> specialist should set up broadband detector systems inside the
> vehicle with both a tuned antenna and bandpass filter for the phone
> transmit bands, but not for the receive band. A good example of this
> is the REI CPM-700 with a modified RF probe, but a single detector
> should be used for each of the four major bands, and set up in alarm
> mode. To assist with detecting these units the audio can be drawn off
> of the detectors and inserted into a four channel audio recorder, or
> a single recorder can be used on each individual detector. The
> vehicle is then driven for 30 minutes or more at various speeds, but
> more importantly the vehicle is driven not only on normal highways
> with good cell phone reception, but also in rural areas in fringe
> cellular reception and virtually no other strong RF activity. This
> should be done on roads that are only minimally occupied at the time,
> and at times when traffic would not be slow so that a high rate of
> speed can be maintained. Some of these units are set to either
> provide a position fix every X number of minutes when the vehicle is
> in motion (ie: every 15 minutes), but can also be set to
> transmit a fix only when the vehicle has traveled a certain distance
> (ie: every mile) or a combination of the two. This is not unique to
> this particular product, nor unique to this particular manufacturer.
>
> This particular device can also be set to turn off the GSM cellular
> modem so that it can not hear or connect to any outside base station
> for a predefined period when the tracker is not in motion. This is
> factory defaulted to 1:60 ratio where the tracker modem only listens
> for commands for 1 minute during any single hour of being dormant.
> This frequency can be considerably adjusted so that the unit only
> communicates to the base when the device is moved and in turn the
> battery life can be extended to well over 6 months on one set of
> batteries. The frequency of how often the tracker checks in with the
> base determines approximate battery life, and may provide clues as to
> how long the unit has been in place. If the vehicle is used at normal
> highway speeds and the unit is found to be transmitting a signal once
> every 5 minutes then a battery life can be estimated to be 3 to 4
> days. If on the other hand the tracker transmits its location
> only once an hour when in motion, the battery life is significantly
> increased to weeks and even months on a set of four AA sized batteries.
>
> The Tracker alarm mode or priority level also allows the unit to be
> directly interfaced with vehicle sensors or controls that the
> eavesdropper can exploit to track the target. An example of this
> would be setting up the device to immediately transmit a position each
> time the vehicle brake pedal is pushed, or when the ignition is
> turned on or off. In this way the eavesdropper can have advanced
> knowledge that the vehicle is about to be moved as it was just
> started, or the brakes applied indicating a potential change in
> direction. This alarm mode also permits the eavesdropper to place
> traps in the vehicle so that should the device be found during a
> physical search the eavesdropper is immediately alerted. An example of
> this would be a photo-sensor which detects light being present in an
> otherwise dark cavity, or a detection switch or trip wire. While not
> endorsed by the manufacturer, but of interest to the TSCM specialist
> is that a simple RF alarm circuit can be used so that the tracker
> will detect the usage of an NLJD near the tracker and thus alert the
> eavesdropper, this can be a NLJD tuned to an ISM band, or more likely
> an "overly strong" GPS signal thus indicating that the TSCM
> specialist is hunting for a GPS device.
>
> If the unit is hardwired into the vehicle electrical system it may be
> set up to only draw power when the ignition is turned on, or wired
> into the alternator so that there is no current draw unless the
> engine has been running for X minutes/seconds. This will ensure that
> the tracker batteries used when the device is hardwired into the
> vehicle are recharged on a regular basis.
>
> A cell phone jammer or disrupter will also be of value in disabling
> these devices as they are essentially muted and unable to communicate
> with the base in this type of case; however, a jammer of any kind
> should only be used by sweep techs who can legally use such a device.
> A device which jams or disrupts GPS signals can also be utilized, but
> since the GPS system is moderately protected against jamming the
> effectiveness of this method may be minimal unless a significant
> amount of RF power and sufficient bandwidth is used which may alert
> the eavesdropper that a sweep is in process.
>
> A physical search agent by instrumentation is of course the optimal
> method of detecting these units but limitations of time and resources
> may not permit as extensive an inspection. An average automobile made
> in the United States contains roughly 19,000 cubic inches of cavity
> inside the vehicle, but only about 8,500 cubic inches of this is
> suitable for the installation of an eavesdropping device. Door
> panels, bumper strips, headrests, glove boxes, and such are all easy
> to access and desirable locations for eavesdropping devices. Engine
> cavities, lead acid batteries, and the inside of gas tanks are not
> practical locations for eavesdropping devices unless the eavesdropper
> has considerable resources. With this in mind we can take the
> typical volume present in these cavities and divide this by the
> volume occupied by this particular tracking device (24.5 cubic inches
> on internal batteries) and obtain an estimate of how many locations
> on or around the vehicle must be carefully physically inspected
> (around 342 locations). If only 7 seconds is spent actually looking
> at each of these areas it would take a minimum of 40 minutes of
> actual eye contact with these areas, but actually gaining access to
> these areas would require considerably more time involving over 4
> hours just for the physical inspection of easily accessed cavities.
> With the time consideration in mind the physical search should focus
> first on the more common or obvious concealment areas so that perhaps
> only 30 commonly used cavities which require 90 minutes of
> inspection time are checked during a 4 hour vehicle inspection. On a
> longer inspection a greater number of cavities can be inspected with
> 19 to 20 hours spent on a physical inspection during a 45 to 50 man
> hour evaluation of a vehicle which equates to a two man team spending
> about three days inspecting just a single vehicle in a garage or shop
> environment. If the TSCM is searching for devices smaller in volume
> less than a tracker with 25 cubic inches then the time for the
> inspections would increase as the device being sought decreased in
> size, or the time reduced as the size or intrusiveness of the device
> increases. If the eavesdropper made mistakes during the installation
> or programming of this or similar devices due to time constraint or
> skill level issue then the device may be easier to find, but the TSCM
> specialist should not assume that the installer has made any
> significant errors.
>
> -jma
>
>
>
> ----------------------------------------------------------------------------------------------------
> World Class, Professional, Ethical, and Competent Bug Sweeps, and
> Wiretap Detection using Sophisticated Laboratory Grade Test Equipment.
> ----------------------------------------------------------------------------------------------------
> James M. Atkinson Phone: (978) 546-3803
> Granite Island Group Fax: (978) 546-9467
> 127 Eastern Avenue #291 Web: http://www.tscm.com/
> Gloucester, MA 01931-8008 E-mail: mailto:jm..._at_tscm.com
> ----------------------------------------------------------------------------------------------------
> We perform bug sweeps like it's a full contact sport, we take no prisoners,
> and we give no quarter. Our goal is to simply, and completely stop the spy.
> ----------------------------------------------------------------------------------------------------
>
>
Received on Sat Mar 02 2024 - 00:57:27 CST
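
Added example, not part of the original message or of any vendor tool: one way to review the detector alarm recordings from the test drive described above and tell whether the observed bursts follow a fixed time interval or a fixed distance. The log formats, the 20 second grouping gap, and all sample values are constructed assumptions, and the alarms are assumed to come only from the suspect device (quiet rural RF environment).

```python
from statistics import mean, pstdev

# Constructed drive log: (seconds since start, odometer miles) at speed changes.
TRACK = [(0, 0.0), (900, 5.0), (1800, 20.0), (2700, 27.5)]
# Constructed alarm timestamps (seconds) pooled from the band detectors.
ALARMS_A = [900, 903, 907, 1200, 1204, 1500, 1502, 1800, 1805, 2400, 2403]
ALARMS_B = [300, 302, 900, 905, 1500, 1501, 2100, 2104]

def group_bursts(alarm_times, gap_s=20.0):
    """Merge alarms closer together than gap_s; return each burst's start time."""
    bursts, last = [], None
    for t in sorted(alarm_times):
        if last is None or t - last > gap_s:
            bursts.append(t)
        last = t
    return bursts

def odometer_at(t, track):
    """Linearly interpolate the odometer reading at time t."""
    for (t0, d0), (t1, d1) in zip(track, track[1:]):
        if t0 <= t <= t1:
            return d0 + (d1 - d0) * (t - t0) / (t1 - t0)
    raise ValueError("alarm timestamp outside the drive log")

def spread(values):
    """Coefficient of variation; near zero means evenly spaced."""
    m = mean(values)
    return float("inf") if m == 0 else pstdev(values) / m

def classify_reporting(alarm_times, track, gap_s=20.0):
    """Compare regularity of burst spacing in time against spacing in distance."""
    bursts = group_bursts(alarm_times, gap_s)
    if len(bursts) < 3:
        return {"bursts": len(bursts), "mode": "insufficient data"}
    dt = [b - a for a, b in zip(bursts, bursts[1:])]
    odo = [odometer_at(t, track) for t in bursts]
    dd = [b - a for a, b in zip(odo, odo[1:])]
    mode = "time-based" if spread(dt) < spread(dd) else "distance-based"
    return {"bursts": len(bursts), "mode": mode,
            "mean_interval_min": mean(dt) / 60, "mean_spacing_mi": mean(dd)}

if __name__ == "__main__":
    print(classify_reporting(ALARMS_A, TRACK))
    print(classify_reporting(ALARMS_B, TRACK))
```

The two modes can only be separated when the vehicle speed changed during the drive; at constant speed, even spacing in time and in distance look identical.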
