Homepage
Crypto
Spy radio
Burst encoders
Intercept
Covert
Index
Glossary
Cameras
Recorders
Radio
Bugs
Microphones
Concealments
Lock picking
Stories
Radio
PC
Telex
People
Agencies
Manufacturers
• • • Donate • • •
Kits
Shop
News
Events
Wanted
Contact
About
Links
   Click for homepage
OPEC bug
Covert listening device with SC audio masking - wanted item

The OPEC bug 1 is a small sophisticated covert listening device (bug) that was discovered in the late 1970s in a meeting room at the headquarters of the Organization of the Petroleum Exporting Countries (OPEC) in Vienna (Austria). The device was installed behind the wiring of the PA system. Its discovery by the Austrian Funküberwachung (Radio Monitoring Service) caused great upset [1].

Contrary to other types of bugs of the era, it does not have to be connected to the wiring of the PA. Instead it picks up the electromagnetic field that surrounds the wiring and amplifies it, which makes it far more difficult to detect.

The OPEC bug emits its signal on a frequency near 600 MHz in Frequency Modulation (FM). To make its discovery even more difficult, the audio signal is masked by modulating it onto a 12.5 kHz subcarrier (SC) first. This means that if the 600 MHz radio signal is intercepted at all, the eavesdropper will only hear a silent carrier.
  
OPEC bug

Silent carriers are often ignored as they are commonly caused by domestic equipment or by a spurious (unwanted) by-product of the intercept receiver itself. Bugs that are modulated twice, are commonly known as subcarrier bugs or SC bugs, and are known to defeat standard receivers.

The OPEC bug is even more complicated, as a strong 50 Hz hum is injected into the device's baseband signal, in order to mask its presence. The 50 Hz hum will likely make an eavesdropper believe that the intercepted signal is interference caused by a domestic device (which is usually powered from the 50 Hz mains). This indicates the involvement of a very professional party.

Bugging the OPEC is not unique to the 1970s. In 1997 bugs were found in the walls of the Mariott Hotel in Vienna, in rooms that were frequently used by oil ministers and OPEC delegates [6].
  
The OPEC bug is less than 11 cm long

The Austrian police assumes that they were planted by a foreign intelligence service to eavesdrop on Iraqi and Iranian OPEC delegates [6]. It was suggested that the CIA might have been behind it. In 2010, NSA whistle-blower Edward Snowden revealed that the computers at the OPEC head­quarters in Vienna were infiltrated by both the British GCHQ and the American NSA, who had bugged the computers of nine OPEC employees and monitored the General Secretary of OPEC [7].

  1. As the official name and/or model of this bug and its origin are currently unknown, we have decided to identify it with the nickname OPEC, after the place where it was discovered.

OPEC bug OPEC bug Pickup coil mounted to the rear side Antenna terminals and power wire Frequency adjustment and antenna tuning Opening the OPEC bug The OPEC bug is less than 11 cm long Inside the bug
A
×
A
1 / 8
OPEC bug
A
2 / 8
OPEC bug
A
3 / 8
Pickup coil mounted to the rear side
A
4 / 8
Antenna terminals and power wire
A
5 / 8
Frequency adjustment and antenna tuning
A
6 / 8
Opening the OPEC bug
A
7 / 8
The OPEC bug is less than 11 cm long
A
8 / 8
Inside the bug

Features
The OPEC bug measures just 109 x 19 x 5 mm and is housed in a silver-plated brass enclosure that consists of two U-shaped halves. After removing two 1 mm screws from the top half, the interior is exposed. Inside the bug are two small PCBs, each with a teflon substrate and gold-plated copper tracks. In between the two PCBs are a few DC power-related components.


Power is applied to the green feedthrough capacitor at one of the long sides (here visible at the top) via two resistors. In between the two PCBs is a 5.6V zener diode and a 22µF capacitor that stabilizes the power. At the left is the modulator PCB that consists of three parts: a pre-amplifier (left), a VCO (the white chip at the centre), and a 50 Hz hum generator (right). At the far right is the transmitter PCB which consists of a free-running single-transistor oscillator. The modulated signal (hum + subcarrier/audio) is applied to the transmitter via the purple wire at the centre.

The OPEC bug is clearly constructed from more or less standard parts or modules that can easily be adapted for a specific application. The pre-amplifier is extremely tolerant and can be used for microphone signals as well. It is adapted here for connection of a pickup coil, by adding a couple of external parts. The transmitter is another standard part that can also be used stand-alone. The PCBs are normally powered by a stable source between 5 and 6V DC. In between the two PCBs are a few components that allow the bug to be powered by an external 20-30V DC source.

RCA CD4046 PLL chip (of which only the VCO is used) Closeup of the transmitter Opened OPEC bug Modulator Transmitter Powre circuitry Close-up of the pickup coil Slimline case - view at the antenna connection
B
×
B
1 / 8
RCA CD4046 PLL chip (of which only the VCO is used)
B
2 / 8
Closeup of the transmitter
B
3 / 8
Opened OPEC bug
B
4 / 8
Modulator
B
5 / 8
Transmitter
B
6 / 8
Powre circuitry
B
7 / 8
Close-up of the pickup coil
B
8 / 8
Slimline case - view at the antenna connection

Origin of the OPEC bug
It is currently unclear who developed and installed the bug at the OPEC headquarters and why, but by looking at the overall design, the era in which it was developed and the (rare) components that were used, we can make a few observations. First of all, rather high-quality PCB material is used, consisting of a teflon substrate and gold-plated copper tracks. A rather strange type of varicap is used in the RF oscillator. It looks like a ceramic capacitor that is placed on its side.

The ceramic capacitors are made by American Technical Ceramics (ATC). Subminiature resistors are used, probably because small SMD resistors were not yet available or would have occupied too much space. The use of these components hints to a US (or US-supported) manufacturer.

The VCO is based on the 4046 [A] phase-locked loop (PLL) 1 [4], which was developed by RCA in 1972 [B], but was not generally available until the mid-70s. It is housed in a ceramic package, which suggests a very early (probably military or prototype) implementation, from around 1972.
  
Transmitter detail. Click to enlarge.

The use of early SMD 2 transistors at a time when these were not yet available on the civil market, indicates the involvement of a high profile intelligence agency, such as the CIA. The RF transistor however, is a BFR92 (marked as P1) [C], which is a European part, just like the improvised BZY88C zener diode in between the two boards. Some of the other components are clearly made in Israel.

As suitable American alternatives were available for these parts, it seems unlikely that the device was made in the US. It is possible that the device was made for the CIA, but it is also possible that is was produced by another party who used components from all over the world, in order to hide its true origin. There is currently insufficient evidence to conclusively determine the bug's origin.

  1. Only the VCO part of the 4046 chip is used.
  2. SMD = Surface Mount Device.

Countermeasures
Although it is possible to pick up the signal of an SC bug with a standard intercept receiver, the eavesdropper will only hear a silent carrier, or in the case of the OPEC bug a strong 50 Hz hum, which is likely to be discarded as a spurious signal from the intercept receiver itself or as radio frequency interference (RFI) caused by a domestic device in the vicinity of the monitored room.

In order to pick up and demodulate an SC bug, special receivers were developed that had two cascaded demodulators. The first (standard) demodulator yields the silent carrier, which is in fact a high-frequency audio tone (12.5 kHz in this case) that is modulated with the actual audio signal. The second demodulator is then used to reveal the original audio by removing the carrier.

The image on the right shows a Scanlock Mark VB receiver made by Audiotel in the UK. When it was introduced around 1978, it was one of the first receivers 1 capable of intercepting SC bugs.
  
Scanlock Mark VB in operation

The Scanlock receiver scans the entire frequency spectrum between 10 MHz and 2 GHz in just a few seconds, and automatically locks onto the strongest signal in the room. Furthermore, it can automatically establish the frequency of the subcarrier (if present) and adjust its SC demodulator accordingly. This automatic behaviour makes the Scanlock one of the best bug tracers of the era. It is even capable of demodulating the OPEC bug, despite the strong injected 50 Hz hum signal.

 About the Scanlock receiver

  1. The Scanlock Mark 3, introduced in 1976, was also capable of demodulating SC bugs, but this was a manual process. In the Scanlock Mark VB though, recovering the subcarrier frequency was an automatic process.

Block diagram
The signal from the pickup coil (fa) is first amplified in a high-gain pre-amplifier (> 40dB) and then fed to the input of Voltage Controlled Oscillator (VCO) with a base frequency of 12.5 kHz. This 12.5 kHz is the so-called subcarrier signal (fsc). The result is a Frequency Modulated (FM) signal. Normally this results in a seemingly silent carrier. In this case however, the SC/FM signal is masked by adding a much stronger 50 Hz sinewave signal to it. This is done to confuse an eavesdropper, who might think that he is listening to interference from a domestic applience.


In fact, the 50 Hz hum is modulated so strongly that it results in a wideband FM signal (WFM) with a bandwidth of approx. 1 MHz. As a result, the faint SC/FM signal is virtually invisible, even on a spectrum analyser. It can only be seen by doing an FFT analysis on the demodulated signal.

The output of the modulator (50 Hz + SC/FM) is fed to the separate transmitter PCB, which is actually a free-running oscillator built around a single BFR92 transistor [C]. The oscillator is Frequency Modulated (FM) by means of a varicap. This results in a double-modulated FM signal.

 More about audio masking

Circuit diagram
Reverse engineering the OPEC bug is difficult but not impossible. The PCBs are single sided and the resistors are all colour coded. The major problem is that the active components (i.e. the IC, the diodes, and the transistors) do not have any useful markings on them, which means that we had to measure them out and make a few educated guesses. Below is the full circuit diagram.


At the top right is the actual 600 MHz FM transmitter. At the left of the transmitter is a small power circuit that allows the bug to be powered by a 20 - 30V DC source. At the bottom is the modulator, which consists of a 40dB pre-amplifier, a subcarrier FM modulator (i.e. the VCO of the CD4046), and a 50 Hz hum generator (in the middle) that is based on a wien bridge oscillator.

The signals from the hum generator and the SC modulator are added in such a way that the 50 Hz hum signal dominates. The resulting signal is then fed to the modulator input (M) of the transmitter, where it is once again frequency modulated (FM) onto a 600 MHz RF carrier (varicap).

Pickup coil
A slotted coil is used to pickup the alternating magnetic field around a speaker cable of the PA system. The wires do not have to be split. The block diagram above shows how this works. When a current (i) flows through the wire, this induces a magenetic field (H), which will in turn induce a current (i') in the pickup coil. The coil is actually a high-impedant current transformer.


The coil consists of a ferrite core, with a high number of very thin copper windings. The DC resistance of the coil is approx. 40Ω. The coil is encapsulated in a brass cilinder. This is done to avoid interference from electrical fields, which may cause hum. The cylinder is open at one end in order to avoid a magnetic short circuit. Without this slot the pickup coil would not work.


One of the speaker wires of the PA system is guided past the coil at a 90° angle, as indicated in the drawing above. In practice, the coil is sensitive enough to provide a clear hum-free signal, even when it is several centimetres away from the audio cable. This means that the bug could be hidden inside the wall behind the cabling, or outside the PVC tube through which the cables run.

Technical specifications
  • Dimensions
    109 x 19 x 5 mm (without pickup coil)
  • Pickup coil
    30 x 5 mm
  • Weight
    28 gram
  • Power
    20V DC (internally 5V)
  • Output
    20 mW
  • Frequency
    600 MHz
  • Subcarrier
    12.5 kHz
  • Modulation
    FM
  • Pre-amplifier
    > 40dB
  • Masking
    50 Hz sinewave




Glossary
OPEC   Organization of the Petroleum Exporting Countries
International intergovernmental organization of petrolium (oil) exporting countries, founded in 1960 in Bagdad (Iraq), to coordinate and unify the petrolium policies of its member states and ensure stabilization of the oil market in general. By some, the organization is seen as a cartel.  Wikipedia

PA   Public Address
General expression for the audio system used during meetings, commonly consisting of a 100V amplifier, one or more microphones and a (large) number of loudspeakers.

Events
Important events in the history of the OPEC [2]:

1960   First OPEC Meeting in Bagdad (Iraq)

1965   OPEC headquarters moved from Geneva to Vienna
During the first 5 years of its existence, the OPEC headquarters was based in Geneva (Switzerland), but after the Swiss government no longer wanted to grant diplomatic immunity to its members, it was moved to Vienna (Austria).

1967   Six-Day War 1
In reaction to the mobilisation of Egyptian forces along the Israeli border in the Sinai Peninsula, Israel launched a series of preemptive airstrikes against Egyptian airfields. Six days later a ceasefire was signed.  Wikipedia

1973   Yom Kippur War, Arab Oil Embargo
On Yom Kippur day, 6 October 1973, an Arab coalition lead by Egypt and Syria launched an attack on the Israeli-occupied territories, marking the start of the Yom Kippur War 2 that lasted until 25 October. After the US had supplied arms to Israel, some countries of the OPEC announced an oil embargo against the countries that had supported Israel. This led to the 1973 oil crisis.  Wikipedia

1974   Oil Embargo resolved
The oil crisis had a severe impact on the oil price. By the time the crisis was over, the price of oil had risen from US$3 per barrel to nearly US$12.

1975   Attack on OPEC Conference
Attack on the semi-annual meeting of OPEC leaders in Vienna (Austria) by a group of six militants lead by Carlos the Jackal. Also known as the OPEC siege  Wikipedia

1979   Iranian Revolution

1980   Iran-Iraq War (1980-1988)

1990   Iraqi occupation of Kuwait (1990-1991)

2001   9/11 Attacks on the WTC in New York (USA)
Attacks on the two towers of the World Trade Center (WTC) in New York on 11 September (9/11) 2001 by (mostly) Saudi hijackers.

2004   Conflict in the Niger Delta (2004-present)

2010   Arab Spring (2010-2012)

2011   Libian Crisis (2011-present)

2012   International embargo against Iran (2012-2016)

  1. Also known as the June War, the 1967 Arab-Isreali War or the Third Arab-Isreali War.  Wikipedia
  2. Also known as the Ramadan War, the October War or the 1973 Arab-Isreali War.  Wikipedia

Documentation
  1. Texas Instruments, CD4046 Datasheet
    2003. Retrieved January 2014.

  2. Application note ICAN-6101, The RCA COS/MOS Phase-Locked-Loop,
    a versatile building block for micro-power digital and analog applications
    October 1972. pp. 614-617.

  3. BFR92 datasheet
    Retrieved August 2016.
References
  1. Anonymous contributor, OPEC bug
    Verbal account at Crypto Museum, June 2014.

  2. Mees, OPEC History
    Retreived August 2016.

  3. OPEC, Brief History
    OPEC website. Retrieved August 2016.

  4. Wikipedia, Phase-locked loop
    Retrieved August 2016.

  5. Wikipedia, 1973 oil crisis
    Retrieved August 2016.

  6. Alexander's Gas & Oil Connections, Eavesdropping on OPEC in Vienna hotel
    14 April 1997 (source unknown).

  7. Wikipedia, Global surveillance disclosures (2013-present)
    Retrieved August 2016.
Further information
Any links shown in red are currently unavailable. If you like the information on this website, why not make a donation?
Crypto Museum. Created: Sunday 28 August 2016. Last changed: Tuesday, 13 June 2017 - 07:09 CET.
Click for homepage