Maker Pro

Low Frequency Electro-Magnetic detection

dave94024

We've got a lash-up we're using in order to demonstrate lack of
security in a particular technology (you'll have to read between the
lines to determine the application in question).

In any event we're remotely detecting a coil being pulsed on-off at
around 1200 Hz from a few feet away. It's a small coil without a lot
of energy but the coil is being fed by a square wave so there are sharp
edges for the changes in magnetic flux in the coil.

Currently we're using a ferrite rod with some turns of magnet wire for
a reasonable directional antenna in series with an audio transformer
wired backwards (to give us a gain of ~10) followed by an OP27 for a
preamp and then followed by filters, a PLL and lots of other odds and
ends to form the detector and recover the signal from a pretty noisy
area of the spectrum (AC lines, etc).

For the purposes of our demo we'd like to show that these signals can
be intercepted from a greater distance than a couple of feet (sort of
a-la-tempest, though not that kind of application).

Any ideas on something more sensitive for the front-end? We'd like to
move away from a technology we feel has significant risk down the road
to something more secure (and management wants to see the risk before
they abandon a significant investment).

Thanks, in advance, for any thoughts or input,

Dave.
david.pariseau<no_spam>sbcglobal.net
 
artie

Move the filtering up the signal chain as far as you can -- for
example, turning your ferrite coil pickup into a parallel resonant
circuit, then using bandpass filters for gain.

As an example, you might google for Polar heart rate monitor receivers
-- the Polar system generates 5 KHz pulses. The typical receivers
follow the scheme described; a tuned-circuit pickup followed by gain
stages incorporating filtering.

namaste--
 
John Popelish

dave94024 said:
We've got a lash-up we're using in order to demonstrate lack of
security in a particular technology (you'll have to read between the
lines to determine the application in question).

In any event we're remotely detecting a coil being pulsed on-off at
around 1200 Hz from a few feet away. It's a small coil without a lot
of energy but the coil is being fed by a square wave so there are sharp
edges for the changes in magnetic flux in the coil.

Currently we're using a ferrite rod with some turns of magnet wire for
a reasonable directional antenna in series with an audio transformer
wired backwards (to give us a gain of ~10) followed by an OP27 for a
preamp and then followed by filters, a PLL and lots of other odds and
ends to form the detector and recover the signal from a pretty noisy
area of the spectrum (AC lines, etc).

For the purposes of our demo we'd like to show that these signals can
be intercepted from a greater distance than a couple of feet (sort of
a-la-tempest, though not that kind of application).

Any ideas on something more sensitive for the front-end? We'd like to
move away from a technology we feel has significant risk down the road
to something more secure (and management wants to see the risk before
they abandon a significant investment).

Thanks, in advance, for any thoughts or input,

Dave.
david.pariseau<no_spam>sbcglobal.net

Unless the transformer has been designed for this task, it may be
losing as much signal as it gains. I would wind the middle third of
the ferrite rod with several layers of fine magnet wire, and resonate
that with a capacitor at the detection frequency before connecting it
to a high input impedance amplifier (to keep the Q up). 1200 Hz takes
a lot of turns on the rod to maximize signal voltage. Adding a big
ferrite bead on each end of the rod (like you find around the cables
on monitors to block EMI) would increase its inductance and
sensitivity, also. You need only a small overlap between the rod and
the bead. Rod length is signal.
 
John Larkin

dave94024 said:
We've got a lash-up we're using in order to demonstrate lack of
security in a particular technology (you'll have to read between the
lines to determine the application in question).

In any event we're remotely detecting a coil being pulsed on-off at
around 1200 Hz from a few feet away. It's a small coil without a lot
of energy but the coil is being fed by a square wave so there are sharp
edges for the changes in magnetic flux in the coil.

Currently we're using a ferrite rod with some turns of magnet wire for
a reasonable directional antenna in series with an audio transformer
wired backwards (to give us a gain of ~10) followed by an OP27 for a
preamp and then followed by filters, a PLL and lots of other odds and
ends to form the detector and recover the signal from a pretty noisy
area of the spectrum (AC lines, etc).

For the purposes of our demo we'd like to show that these signals can
be intercepted from a greater distance than a couple of feet (sort of
a-la-tempest, though not that kind of application).

Any ideas on something more sensitive for the front-end? We'd like to
move away from a technology we feel has significant risk down the road
to something more secure (and management wants to see the risk before
they abandon a significant investment).

Thanks, in advance, for any thoughts or input,

Dave.
david.pariseau<no_spam>sbcglobal.net


Do what the guys suggest, but keep in mind that the field from your
transmitting coil is probably dropping off as the cube of distance,
and will be zero at certain orientations.

John
 
Robert Baer

John said:
Unless the transformer has been designed for this task, it may be losing
as much signal as it gains. I would wind the middle third of the
ferrite rod with several layers of fine magnet wire, and resonate that
with a capacitor at the detection frequency before connecting it to a
high input impedance amplifier (to keep the Q up). 1200 Hz takes a lot
of turns on the rod to maximize signal voltage. Adding a big ferrite
bead on each end of the rod (like you find around the cables on monitors
to block EMI) would increase its inductance and sensitivity, also. You
need only a small overlap between the rod and the bead. Rod length is
signal.

I totally agree with the resonance method, as well as keeping the
loading to a minimum.
I would use an opamp in gain follower mode as the first gain stage.
I do not think that ferrite beads on the ends would be of any
material benefit.

Another trick one could try is to arrange four ferrite rods into a
square form and to connect the windings on each one in series aiding, to
make a ferrite version of a "quad" antenna.
That would increase sensitivity and increase directional capabilities
(RDF??).
 
John Popelish

Robert Baer wrote:

(snip)
I do not think that ferrite beads on the ends would be of any material
benefit.

They are the magnetic analog of capacitive hats on under resonant
length dipoles.
 
Robert Baer

John said:
Robert Baer wrote:

(snip)



They are the magnetic analog of capacitive hats on under resonant length
dipoles.

I immediately recognized that, but most "beads" are rather small
compared to larger sized ferrite rods.
That is why I suggested the "quad" configuration.
 
Ken Smith

dave94024 said:
We've got a lash-up we're using in order to demonstrate lack of
security in a particular technology (you'll have to read between the
lines to determine the application in question).

In any event we're remotely detecting a coil being pulsed on-off at
around 1200 Hz from a few feet away. It's a small coil without a lot
of energy but the coil is being fed by a square wave so there are sharp
edges for the changes in magnetic flux in the coil.

Currently we're using a ferrite rod with some turns of magnet wire for
a reasonable directional antenna in series with an audio transformer
wired backwards (to give us a gain of ~10) followed by an OP27 for a
preamp and then followed by filters, a PLL and lots of other odds and
ends to form the detector and recover the signal from a pretty noisy
area of the spectrum (AC lines, etc).

A coil of wire can perform quite well. Take a look at:
http://www.emiinc.com/bf10.html

Although the noise graph hits its bottom below 1000Hz, it is still quite
good at 1200. The only thing that is going to do better will be a
low-temp SQUID.

10fT/sqrt(Hz) puts it below the earth's background noise.

How long do you have to do the detection and how accurately is the
frequency known? Around 1200Hz could mean within a Hz or within 100Hz.
It could also mean 1201.234567 Hz exactly or something that drifts around in
the 1200Hz area.

If the signal doesn't drift or only drifts very slowly, there are lots of
methods like "stacked PSDs" that can pull the signal out from the noise.
The biggest problem will be the mains noise right at 1200Hz.

If you know the field strength at a distance that is at least, let's say, 5
times the size of the source, you can use the simple 1/R^3 rule to figure
out where it will drop below what you can detect. You may be surprised at
just how far it is.
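
An added worked example (not part of the original thread) that applies the 1/R^3 rule from the post above to estimate the radius inside which the emission stays above a given noise floor, which is the exposure distance a defender has to plan around. The reference reading (1 uT at 0.15 m from a 2 cm coil), the 10 kHz bandwidth and 60 Hz mains are constructed assumptions; the 10 fT/sqrt(Hz) figure is from this post and the 100 nT at 180 Hz figure is from a later reply in the thread.

```python
import math

def range_for_floor(b_ref_t, r_ref_m, floor_t, snr=1.0):
    """Distance at which a field falling as 1/r^3 reaches snr * floor_t."""
    if min(b_ref_t, r_ref_m, floor_t, snr) <= 0:
        raise ValueError("all inputs must be positive")
    return r_ref_m * (b_ref_t / (snr * floor_t)) ** (1.0 / 3.0)

def sensor_floor(density_t_per_rthz, bandwidth_hz):
    """RMS noise of a white-noise-limited sensor over bandwidth_hz."""
    return density_t_per_rthz * math.sqrt(bandwidth_hz)

def mains_harmonic(b_known_t, n_known, n_target, exponent):
    """Scale a measured mains harmonic to another, assuming 1/N**exponent."""
    return b_known_t * (n_known / n_target) ** exponent

def exposure_radii(b_ref_t, r_ref_m, source_size_m, bandwidth_hz):
    """Radius (m) at which the emission meets each candidate noise floor."""
    # The 1/R^3 rule only holds once the reference point is well away
    # from the source (the thread suggests at least 5x its size).
    if r_ref_m < 5 * source_size_m:
        raise ValueError("reference reading is too close to the source")
    floors = {
        "sensor, 10 fT/rtHz": sensor_floor(10e-15, bandwidth_hz),
        # Assumption: 60 Hz mains, so 180 Hz is harmonic 3, 1200 Hz harmonic 20.
        "mains, 1/N": mains_harmonic(100e-9, 3, 20, 1),
        "mains, 1/N^2": mains_harmonic(100e-9, 3, 20, 2),
    }
    return {name: range_for_floor(b_ref_t, r_ref_m, floor)
            for name, floor in floors.items()}

if __name__ == "__main__":
    # Constructed reading: 1 uT at 0.15 m from a 2 cm coil, 10 kHz bandwidth.
    for name, radius in exposure_radii(1e-6, 0.15, 0.02, 10e3).items():
        print(f"{name:20s} {radius:6.2f} m")
```

Because the radius goes as the cube root of the field-to-floor ratio, and the sensor floor as the square root of bandwidth, narrowing the detection bandwidth extends the sensor-limited radius only as the sixth root of the reduction.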
 
John Popelish

Robert said:
I immediately recognized that, but most "beads" are rather small
compared to larger sized ferrite rods.
That is why I suggested the "quad" configuration.

The beads I am thinking of are made to fit around 1/4" to 3/8" cables
and are about an inch in diameter.
 
Mark Zenier

dave94024 said:
We've got a lash-up we're using in order to demonstrate lack of
security in a particular technology (you'll have to read between the
lines to determine the application in question).

In any event we're remotely detecting a coil being pulsed on-off at
around 1200 Hz from a few feet away. It's a small coil without a lot
of energy but the coil is being fed by a square wave so there are sharp
edges for the changes in magnetic flux in the coil.

For the purposes of our demo we'd like to show that these signals can
be intercepted from a greater distance than a couple of feet (sort of
a-la-tempest, though not that kind of application).

Any ideas on something more sensitive for the front-end? We'd like to
move away from a technology we feel has significant risk down the road
to something more secure (and management wants to see the risk before
they abandon a significant investment).

Thanks, in advance, for any thoughts or input,

Dave.
david.pariseau<no_spam>sbcglobal.net

Get some of the software that amateur radio operators use (with PC and
sound card) for weak signal operation. They have FFT based displays
for such things as detecting morse code signals bounced off the moon.

Mark Zenier, Washington State resident
 
dave94024

Ken,

Your idea was pretty intriguing and I looked at it some. However the
BF-10 antenna is over 4' long and 2.5" in diameter. For the purposes
of this demonstration the receiver has to be covert (unless of course
the reception could be done from outside a building at some distance).


It was difficult to estimate how much signal we'd have at 100 feet but
I'm guessing AC line noise would overwhelm us.

See my more general comments, in my other post, on the signals in
particular.

I agree that a low-temp SQUID device seems ideal, but cost/temperature
issues are problematic.

The security case we're trying to protect against would be a low-cost
(<$200 parts) device that is reasonably simple to breadboard (soldering
iron/basic tools / ICs) that would be able to intercept the signal at
5' or more.

Dave.
 
dave94024

The quad antenna w/ or w/o inductors sounds like exactly the kind of
case we're looking to reproduce / defend against.

The following scope plot shows an example of the signal
http://www.tekplusinc.com/

The green trace is the FET on the target device driving the coil.

The darker trace above is the signal out of the band-pass filter (using
our existing ferrite rod antenna at 6" or so).
From a frequency point of view we can't treat the signal like a ~1.1KHz
+ ~2.2KHz signal since the edges are much sharper and we're not dealing
with sine waves here. The low-pass filter is set about 10-15KHz. If
we get much below 10KHz we round out and flatten the signal and drive
it into the noise.

The modulation is non-traditional with one flux transition per bit-time
for a 0 and two transitions per bit time for a 1. In this case a bit
time is ~430us.

What would be the easiest way to get a rough idea of what this quad
antenna might look like? What kind of rod? How many turns? Inductors,
etc...

Alternatively, if someone out there feels they have a good grasp of
this issue and could deliver an antenna w/ or w/o preamp w/
significantly more range than we currently are getting we'd certainly
be paying for time and materials.

In any event, I'll eagerly await posts on this site or feel free to
contact me directly at my email below (replace the <no_spam> with an @)

Thanks,
Dave.
david.pariseau<no_spam>sbcglobal.net
 
Ken Smith

Ken,

Your idea was pretty intriguing and I looked at it some. However the
BF-10 antenna is over 4' long and 2.5" in diameter. For the purposes
of this demonstration the receiver has to be covert (unless of course
the reception could be done from outside a building at some distance).

So you think I couldn't hide a 4' long 2.5" diameter object near your
system? I'd put legs on it and a couple of hooks and hang a coat on it.
:)

It was difficult to estimate how much signal we'd have at 100 feet but
I'm guessing AC line noise would overwhelm us.

I haven't made measurements up at 1200Hz lately so I can't tell you any
real solid numbers but: At 180Hz there is usually something like 100nT
in a normal building. As the harmonic gets higher, the amplitude
decreases about proportionally or perhaps with N^2.

[...]
I agree that a low-temp SQUID device seems ideal, but cost/temperature
issues are problematic.

Also they require more management than just a coil of wire.

The security case we're trying to protect against would be a low-cost
(<$200 parts) device that is reasonably simple to breadboard (soldering
iron/basic tools / ICs) that would be able to intercept the signal at
5' or more.

Other ideas:

Drive a fluxgate magnetometer with a 1800Hz drive so that its frequency
response goes up high enough. Making a fluxgate good to about 5nT is
within the range of mere mortals.

Use many magneto-resistive devices. MR devices and GMR devices really
suck in terms of performance but they are fairly small and low cost.
Averaging the outputs of several would get the noise down.

There is a company called PNI that makes electronic compasses for cars.
They are magneto-inductive sensors that are very low cost.
 
Robert Baer

dave94024 said:
The quad antenna w/ or w/o inductors sounds like exactly the kind of
case we're looking to reproduce / defend against.

The following scope plot shows an example of the signal
http://www.tekplusinc.com/

The green trace is the FET on the target device driving the coil.

The darker trace above is the signal out of the band-pass filter (using
our existing ferrite rod antenna at 6" or so).

+ ~2.2KHz signal since the edges are much sharper and we're not dealing
with sine waves here. The low-pass filter is set about 10-15KHz. If
we get much below 10KHz we round out and flatten the signal and drive
it into the noise.

The modulation is non-traditional with one flux transition per bit-time
for a 0 and two transitions per bit time for a 1. In this case a bit
time is ~430us.

What would be the easiest way to get a rough idea of what this quad
antenna might look like? What kind of rod? How many turns? Inductors,
etc...

Alternatively, if someone out there feels they have a good grasp of
this issue and could deliver an antenna w/ or w/o preamp w/
significantly more range than we currently are getting we'd certainly
be paying for time and materials.

In any event, I'll eagerly await posts on this site or feel free to
contact me directly at my email below (replace the <no_spam> with an @)

Thanks,
Dave.
david.pariseau<no_spam>sbcglobal.net

Try resonating the rod you have to 11 times the 2.26KHz or about
24.9KHz, with a "Q" to make it almost critically damped (slight ringing;
experiment on that).
 
Mebart

Hi Dave,

I think you are trying to receive the magnetic field.

Long pieces of ferrite can be concealed in a plain old aluminum
walking cane, not sure if stealth is a requirement. I was probably
attempting to do the same thing as you are, but it was several years
ago. Had limited success. But the cane was very stealthy.

I was also interested in spoofing as well, which is transmitting
too...that's another story altogether.

Also, be sure to 100 percent shield the device from RF. Some low
frequency rf fields are very strong and you can have problems with rf
being picked up and amplified. Of course, this would be unknown unless
you looked at the spectral output of the chips, and even then it might
not be apparent.

But, you can gain a very large dynamic range boost by shielding the
receiver with a 100 percent copper shield or aluminum. The VLF users
find this tactic to be very successful and use it all the time.

You might also run the problem by the loopantennas mailing list
(yahoo) and the VLF_Group (also at yahoo). Both groups are highly
knowledgeable and require high sensitivity receivers and antennas.

Regards,

M