Friday, December 7, 2012

Silencing Chatty Selectrics: Operation GUNMAN

On March 25, 1985 Dan Rather reported that the Soviet Union had successfully penetrated the United States Embassy in Moscow. The Soviets had placed bugs inside IBM Selectric IIs located in sensitive areas. These bugs were able to easily read what was being typed on these typewriters. Until this incident occurred, US Security agencies believed that the USSR had only been bugging audio, but the typewriter bugs were the first plain-text threat they ever encountered. Moreover, the bug itself was uniquely created to take advantage of the electro-mechanical nature of the IBM Selectric II. All-told 16 bugs were found hidden inside IBM Selectrics (both IIs and IIIs) and the story of their discovery and operation is a fascinating part of typewriter lore.

The relationship between the United States and Soviet Union during the late 70s and 80s was strained and both sides were actively using covert methods to infiltrate each other’s embassies. While the extent of the United States’ eavesdropping program is still shrouded in mystery, the Soviets’ exploits are well documented.

Henry Cabot Lodge Jr. having show-and-tell in the UN.
Take, for example, the great seal given to the American Ambassador and hung in his private residence in Russia. This seal was a gift from Young Pioneer Organization and in addition to being a beautiful carving, contained an ingenious bug that was powered using radio frequency, RF. This is the same technology that makes RFID tags work. The operation of this device stymied US investigators who didn’t understand how it worked.

The history is mum, but something prompted the start of a new program called Operation GUNMAN. This program was designed by the NSA to replace equipment and technology in America’s embassy in Moscow and Leningrad in a manner that would not alert the Soviets to the discovery of the Selectric bugs.

Replacing the entire American mission's compliment of communication equipment was going to be a serious task. 250 IBM Selectrics would be required, and they needed to transport the typewriters without raising the suspicions of the Soviets. The NSA contacted IBM's Office Products division looking for the required typewriters.

No dice.

Why? 250 Selectrics that ran on 220v mains would be hard to come by in short-order. They were out of stock and getting the right motor would take a while. IBM sent the NSA all 50 of the 220v typewriters they had. A decision was made to replace the typewriters in the 50 most information-sensitive departments in the embassy. 

The timing was right because these typewriters (along with teletypes and other devices) were going to be delivered in the spring when the embassy received other major shipments. The new non-bugged typewriters would be swapped out for the old machines. 

Here the official narrative is silent, but this is what I think happened: the NSA worked with several other agencies to create several anti-surveillance systems to be imbedded in the Selectrics. This would need to be done stateside and the completed machines would then be sent to Moscow and Leningrad in diplomatic pouches. What they did to the typewriters is still classified, but on the NSAW (Naval Support Activity, Washington) campus four trailers were set up. In the first trailer new machines were removed front their cartons and tested. They were x-rayed and those x-rays and operational information were included in a dossier on each machine so if one was suspected of being compromised, there would be non-compromised photos of all parts of the typewriter. In the second trailer secret counter-espionage methods were applied. The equipment was reboxed and sealed in the third trailer. The fourth trailer was for storage.

The equipment was transferred by diplomatic pouch and the swap occurred over the course of ten days. The swapped equipment was then returned to NSAW where a detailed analysis of how these devices were bugged was conducted. X-rays of the machines were done and by luck an unnamed technician found an interesting coil on the power switch of the Selectric.

Power switch.
This coil was hidden within the switch and would have never been visible to the naked eye. Also, because of the electrical nature of the coil it probably would have been overlooked had the technician not been familiar with the Selectric switch design. Further x-rays were completed and the ingenuity that went into creating this listening device became evident.

The Selectric uses a series of interposers and bails to determine rotation and the angle of the type element. The process utilizes a device called a whiffletree (for more information on the A/D converter in a Selectric see Bill Hammack’s very good video). The Soviets replaced the interposers with non-magnetic and non-magnetizable version. At the end of each interposer was placed a very strong magnet. This magnet, when an interposer was moved, tripped a Hall Effect sensor embedded in the interposer support comb. This corresponded to a letter on the keyboard and was sent to a small memory space in the device. When this storage was full, the device would send out the signal in a radio burst that could be picked up by agents listening elsewhere.

Location of replaced equipment.
When the device was not transmitting, the radio was silent. That was the genius of the system. Power came from the typewriter itself. 

There were also reports of another bar in the typewriter and the location and purpose of this was not clear. I find it likely that the bar was part of the antenna system. Selectrics were made of steel with aluminum housing. Without a properly tuned antenna it would have been difficult to hear a low-power device through the Selectric’s bodywork; it would have acted like a Faraday Cage.

Interesting as the technology was, what really caused the breach was a systemic failure in the State Department’s security. Inventory control was never completed on these typewriters and when they were first installed Soviet customs had the typewriter in their possession. No one knew how long, but it was evidently long enough for them to apply this special bug.

Soviet Portable from PTF/Davis
As compared to Soviet systems for data protection, the US was very lax. The USSR did not allow the use of electric typewriters to be used for drafting secure and classified information in their own embassies. Typewriters used for classified work were sent from Moscow to foreign embassies in diplomatic pouches. When the typewriters were not in use, they were stored in sealed containers in sealed location. Considering how the Soviets bugged the United States’ typewriters, their actions were in keeping with their own surveillance techniques.

In the Cold War spying and espionage was a central activity designed to keep the superpowers equal. For typewriter aficionados it is an interesting footnote in the history of typing.