As snug as a bug in… your smoke alarm
A microphone is hidden inside a USB charger, a camera is inside a pen, a tracking device is in a portable charger, and a listening device is inside a plug adaptor. These all sound like gadgets from a James Bond movie. Still, they are a small sample of the surveillance equipment (bugs) that the team at speciality security investigations agency Valkyrie have discovered during numerous Technical Surveillance Countermeasure (TSCM) inspections – commonly known as ‘bug sweeps’.
There is an increasing number of reports in the press concerning the discovery of surveillance equipment and bugs in private spaces: hotels and holiday rentals, for example. These reports are just a small sample of what we at Valkyrie have noticed as a growing security trend over the last few years, and, in fact, does not take the number of private incidents in residential properties and offices into account, where we are often called for TSCM tasks. The intrusive nature of these devices, which are increasingly easy to purchase and deploy —and which offer a minimal risk and high reward for culprits, without the need for extensive technical expertise —means the problem is only likely to get worse.
The proliferation of ‘bugs’
The commercialisation of ‘bugs’ over the last few years is best demonstrated by the fact they are readily available on Amazon. A basic search will identify hidden cameras that can be deployed in any number of devices, including smoke alarms, alarm clocks or USB chargers. If you have Amazon Prime you can even get these delivered to your house via ‘next day’ delivery. Developments in technology and concerns over personal security may explain the explosion in demand for these types of products.
Many of the devices available are described as being for ‘security, anti-theft and evidence collection’ purposes; in other words, to monitor employees including cleaners or nannies. However, as with all technology, these products are often being used for malicious means. The public availability, alongside advances in technology, means that these devices are also simple to use. There is no need for a technical background, and they can be easily deployed without a targets knowledge and then monitored from a distance.
Leverage and corporate espionage
This minimal-risk, high-reward scenario means these bugs and devices are ideal for criminals or those looking to obtain a competitive advantage in the world of business. The margins in business are so fine that having access to a competitor’s intellectual property, or sensitive information relating to business deals such as mergers or acquisitions, can be worth millions of pounds. Key rooms such as boardrooms, in which sensitive information is often discussed, are so very often left unattended and unsecured when not in use, with staff and third-party contractors often allowed unrestricted access.
Devices can be easily deployed and left dormant, only being activated when they become necessary. In our experience at Valkyrie’s TSCM team, these devices are also being used to get an advantage in domestic disputes such as divorce proceedings, with partners deploying the devices in the family home as means to ‘spy’ on former partners or illicit information that will be helpful in the proceedings.
How bugs can lead to extortion
Naturally, these bugs are also being utilised for the purposes of extortion, whether as part of a targeted attack or as part of a wider campaign. In the latter scenario, the device is deployed in the hope that it will capture anything of ‘value’ during a specific period. The media recently reported an incident involving a hidden camera in an Airbnb; the reasons for its use in that particular case were unclear, but it demonstrates a widespread problem with reports of surveillance equipment being found in bathrooms, bedrooms, and communal spaces.
In contrast to our home or offices, these are transient places and so the opportunity to secure them is limited. The issue is compounded by the fact that we often visit these places at a time when we let our guard down or are in locations outside our comfort zone, meaning we are already slightly exposed. In response, Valkyrie’s clients are increasingly requesting advice around securing themselves physically and digitally while they are travelling; in these circumstances we advise the use of a travel TSCM bug-sweeping kit, which, with the proper training, can give peace of mind that a location is secure.
Actions and TSCM
So, what can be done in response to this trend? Valkyrie recommends the following:
- Awareness — knowing the threat exists, that these devices are out there and how they can be deployed against you, is the first step in protecting yourself.
- Training — for yourself and employees, to recognise how bugs and devices may be deployed and your information exploited.
- Policies and procedures — ensure these are in place to reduce the opportunity for hostile actors to access your location or deploy devices.
- Inspections — regular TSCM inspections to give peace of mind that you are operating in a secure environment. If you are travelling at short notice, then there are alternative solutions, such as a travel kit, which can help.
These threats are not the stuff of Hollywood make-believe, nor are they a thing of the future. Surveillance devices are here and are readily available at a low cost for malicious actors. It is essential to arm yourself with the right knowledge and security to mitigate the risks of you — or your data — being exploited.
