Tapping the Keys
Posted on March 8, 2019
I stumbled across this while searching for something else …
It makes for interesting reading (I downloaded a copy onto my Kindle for just a few dollars).
From approximately 1976 to 1984, the Soviet union used electro-mechanical and electronic implants to gather information from Selectric typewriters located in the U.S. embassy in Moscow, and the U.S. consulate in Leningrad. Project GUNMAN was a National Security Agency (NSA) plan to remove and replace all of their potentially compromised typewriters (so any bugs could be analysed and reverse engineered) without the Soviets knowing they’d been rumbled.
The first bug was discovered on the 24th of July, 1984 …
On a Monday evening, 23 July, a technician noticed an extra coil on the power switch of an IBM Selectric typewriter. He decided to x-ray the whole machine from top to bottom. The x-rays of the keyboard proved to be very interesting:
When I saw those x-rays, my response was ‘holy f***\ They really were bugging our equipment.
[…] The next morning, [engineers] argued about whether we had an anomaly or a bugged typewriter. Some typewriters had memory now which could account for additional circuits. What led us to conclude that this typewriter was probably bugged was the location of so many circuits in a metal bar that went along the length of the machine.”
Of the 44 typewriters shipped back to the NSA from the U.S. embassy, 6 were bugged. Later, 7 additional typewriters in the Moscow embassy and 3 typewriters in the Leningrad consulate, were found to have implants.
In total, 16 bugs were found in twelve IBM Selectric II typewriters and four IBM Selectric III typewriters. All had modified bails (interpose latches or arms) that controlled the pitch and rotation of the ball.
The Soviets continually upgraded and improved their implants. It was discovered that there were five varieties or generations of bugs. Three types of units operated using DC power and contained either eight, nine, or ten batteries. The other two types operated from AC power and had beacons to indicate whether the typewriter was turned on or off. Some of the units also had a modified on and off switch with a transformer, while others had a special coaxial screw with a spring and a lug. The modified switch sent power to the implant. Since the battery-powered machines had their own internal source of power, the modified switch was not necessary. The special coaxial screw with a spring and a lug connected the implant to the typewriter linkage, and this linkage was used as an antenna to transmit the information as it was being typed.
Six ferromagnetic magnetizable bails were replaced with six nonferromagnetic nonmagnetizable bails with a very strong magnet in the tip. All the typewriters contained a modified comb support bar. Housing the bug inside a metal bar, and using low power and short burst transmissions at the 30, 60, or 90 MHZ range via radio frequency, made it very difficult for the bugs to be detected.
The Soviets also used “snuggling”techniques to hide bug transmissions in the noise of the transmission of television stations.
All of the implants were quite sophisticated. Each implant had a magnetometer that converted the mechanical energy of the keystrokes into local magnetic disturbances. The electronics package in the implant responded to these disturbances, categorized the underlying data, and transmitted the results to a nearby listening post. Data were transmitted via radio frequency. The implant was enabled by remote control (the Soviets could simply turn off the implants when they knew teams of inspectors were around). The integrated circuits were very sophisticated for that time period, and contained one bit core memory, an advancement that NSA engineers had never seen.
When the story broke in June 1985, press reports attempted to describe how the bugs worked, but were inaccurate in saying that the bugs were based on sound or timing. In reality, the movement of the bails determined which character had been typed because each character had a unique binary movement corresponding to the bails. The magnetic energy picked up by the sensors in the bar was converted into a digital signal.
While there was some ambiguity in determining which characters had been typed, the laws of probability enabled the Soviets (and subsequently NSA) to figure out what had been typed.
The implants were most likely installed by the Soviet Intelligence Service when the typewriters were under the control of Soviet customs officials before they reached their destination at the embassy or the consulate.
(Incidentally, the Soviets exercised extreme caution when it came to their own typewriters, using mechanical typewriters for all classified documentation.)
The GUNMAN security breach led to improvements in procedures for shipping plain text processing equipment. In 1988, the State Department built a facility to inspect and package (using ant-tamper technologies) all such equipment that was shipped overseas. The facility is still in operation today.
Extracts (and paraphrasing) from: Learning from the Enemy: The GUNMAN Project by Sharon A Maneki, National Security Agency, Progressive Management Publications, 2012.