Friday, December 7, 2012

Silencing Chatty Selectrics: Operation GUNMAN

On March 25, 1985 Dan Rather reported that the Soviet Union had successfully penetrated the United States Embassy in Moscow. The Soviets had placed bugs inside IBM Selectric IIs located in sensitive areas. These bugs were able to easily read what was being typed on these typewriters. Until this incident occurred, US security agencies believed that the USSR had only been bugging audio, but the typewriter bugs were the first plain-text threat they ever encountered. Moreover, the bug itself was uniquely created to take advantage of the electro-mechanical nature of the IBM Selectric II. All told, 16 bugs were found hidden inside IBM Selectrics (both IIs and IIIs), and the story of their discovery and operation is a fascinating part of typewriter lore.

The relationship between the United States and Soviet Union during the late 70s and 80s was strained and both sides were actively using covert methods to infiltrate each other’s embassies. While the extent of the United States’ eavesdropping program is still shrouded in mystery, the Soviets’ exploits are well documented.

Henry Cabot Lodge Jr. having show-and-tell in the UN.
Take, for example, the great seal given to the American Ambassador and hung in his private residence in Russia. This seal was a gift from the Young Pioneer Organization and, in addition to being a beautiful carving, contained an ingenious bug that was powered using radio frequency (RF). This is the same technology that makes RFID tags work. The operation of this device stymied US investigators, who didn’t understand how it worked.

The history is mum, but something prompted the start of a new program called Operation GUNMAN. This program was designed by the NSA to replace equipment and technology in America’s embassy in Moscow and Leningrad in a manner that would not alert the Soviets to the discovery of the Selectric bugs.

Replacing the entire American mission's complement of communication equipment was going to be a serious task. 250 IBM Selectrics would be required, and they needed to transport the typewriters without raising the suspicions of the Soviets. The NSA contacted IBM's Office Products division looking for the required typewriters.

No dice.

Why? 250 Selectrics that ran on 220v mains would be hard to come by in short order. They were out of stock and getting the right motor would take a while. IBM sent the NSA all 50 of the 220v typewriters they had. A decision was made to replace the typewriters in the 50 most information-sensitive departments in the embassy.

The timing was right because these typewriters (along with teletypes and other devices) were going to be delivered in the spring when the embassy received other major shipments. The new non-bugged typewriters would be swapped out for the old machines. 

Here the official narrative is silent, but this is what I think happened: the NSA worked with several other agencies to create several anti-surveillance systems to be embedded in the Selectrics. This would need to be done stateside and the completed machines would then be sent to Moscow and Leningrad in diplomatic pouches. What they did to the typewriters is still classified, but on the NSAW (Naval Support Activity, Washington) campus four trailers were set up. In the first trailer new machines were removed from their cartons and tested. They were x-rayed and those x-rays and operational information were included in a dossier on each machine so if one was suspected of being compromised, there would be non-compromised photos of all parts of the typewriter. In the second trailer secret counter-espionage methods were applied. The equipment was reboxed and sealed in the third trailer. The fourth trailer was for storage.

The equipment was transferred by diplomatic pouch and the swap occurred over the course of ten days. The swapped equipment was then returned to NSAW where a detailed analysis of how these devices were bugged was conducted. X-rays of the machines were done and by luck an unnamed technician found an interesting coil on the power switch of the Selectric.

Power switch.
This coil was hidden within the switch and would have never been visible to the naked eye. Also, because of the electrical nature of the coil it probably would have been overlooked had the technician not been familiar with the Selectric switch design. Further x-rays were completed and the ingenuity that went into creating this listening device became evident.

The Selectric uses a series of interposers and bails to determine rotation and the angle of the type element. The process utilizes a device called a whiffletree (for more information on the A/D converter in a Selectric see Bill Hammack’s very good video). The Soviets replaced the interposers with non-magnetic and non-magnetizable versions. At the end of each interposer was placed a very strong magnet. This magnet, when an interposer was moved, tripped a Hall Effect sensor embedded in the interposer support comb. This corresponded to a letter on the keyboard and was sent to a small memory space in the device. When this storage was full, the device would send out the signal in a radio burst that could be picked up by agents listening elsewhere.

Location of replaced equipment.
When the device was not transmitting, the radio was silent. That was the genius of the system. Power came from the typewriter itself. 
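An added illustration, not part of the original post or of any NSA material: a small Python model of the store-then-burst behaviour described above, seen from the receiver's side, comparing a single short listen with a continuous recording. The buffer size, burst length and typing rate are assumed values chosen for the example.

```python
# Added illustration; every number here is an assumed value, not from the post.
BUFFER_SIZE = 8        # keystrokes stored before the implant transmits
BURST_MS = 5           # length of one radio burst
KEY_INTERVAL_MS = 200  # gap between keystrokes while someone is typing


def burst_ticks(n_keys):
    """Return the set of milliseconds during which the radio is on the air."""
    on_air, buffered = set(), 0
    for k in range(n_keys):
        buffered += 1
        if buffered == BUFFER_SIZE:            # storage full: send one burst
            t = k * KEY_INTERVAL_MS
            on_air.update(range(t, t + BURST_MS))
            buffered = 0                       # then fall silent again
    return on_air


def duty_cycle(on_air, duration_ms):
    """Fraction of the observation period with any emission at all."""
    return len(on_air) / duration_ms


def spot_check_catches(on_air, duration_ms, dwell_ms):
    """Count start times at which one dwell_ms-long listen overlaps a burst."""
    return sum(
        any(t in on_air for t in range(start, start + dwell_ms))
        for start in range(duration_ms - dwell_ms + 1)
    )


def continuous_monitor(on_air):
    """A receiver recording the whole period: return each burst's start time."""
    return sorted(t for t in on_air if t - 1 not in on_air)


if __name__ == "__main__":
    duration = 16_000                          # 80 keystrokes at 200 ms each
    on_air = burst_ticks(80)
    starts = duration - 100 + 1
    print("duty cycle:", duty_cycle(on_air, duration))
    print("100 ms spot check succeeds for",
          spot_check_catches(on_air, duration, 100), "of", starts, "start times")
    print("continuous monitor logs bursts at", continuous_monitor(on_air))
    print("idle or 7-key session emits:", burst_ticks(7))
```

In this model a machine that is idle, or that has typed fewer characters than the buffer holds, emits nothing at all, so a one-off listen usually hears an empty band while a continuous recording logs every burst.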

There were also reports of another bar in the typewriter and the location and purpose of this was not clear. I find it likely that the bar was part of the antenna system. Selectrics were made of steel with aluminum housing. Without a properly tuned antenna it would have been difficult to hear a low-power device through the Selectric’s bodywork; it would have acted like a Faraday Cage.

Interesting as the technology was, what really caused the breach was a systemic failure in the State Department’s security. Inventory control was never completed on these typewriters and when they were first installed Soviet customs had the typewriter in their possession. No one knew how long, but it was evidently long enough for them to apply this special bug.

Soviet Portable from PTF/Davis
Compared to Soviet systems for data protection, the US was very lax. The USSR did not allow electric typewriters to be used for drafting secure and classified information in their own embassies. Typewriters used for classified work were sent from Moscow to foreign embassies in diplomatic pouches. When the typewriters were not in use, they were stored in sealed containers in a sealed location. Considering how the Soviets bugged the United States’ typewriters, their actions were in keeping with their own surveillance techniques.

In the Cold War spying and espionage was a central activity designed to keep the superpowers equal. For typewriter aficionados it is an interesting footnote in the history of typing.


  1. What an amazing story! I'll have to check carefully inside my own Selectrics, just in case the Other Half is supervising what I type...

  2. Fascinating and very ingenious of the Russkies, I must say.

    A similar device plays a part in my 2010 Nano novel.

  3. Very interesting story. It's funny to imagine that some of the Selectrics may still be in circulation with bugs inside them. As obsolete as the technology would be now, in some post-apocalyptic imaginings, they may even come back into play like the way morse code comes back when more sophisticated technology fails! :D

  4. I think we have another Robert Messenger in our fraternity. (:

    Your last two articles have been truly amazing!

    1. Thank you, Ted. Robert is a worthy yardstick by which to be measured.

  5. Very interesting bug. I wonder why nobody ever thought to put the embassy machines on one large transformer circuit for 120v or a small transformer at each desk? Then it is the U.S. government.....

  6. Fascinating! On another note, I have a friend who works for Westinghouse and often ends up in Shanghai. The Chinese tell you openly that you'll be under surveillance. If you have a laptop with you and you hook up to Chinese WiFi or mobile, you instantly download a virus that copies all your email and sends it to a location in China and, of course, it works even after you've returned to the USA.

  7. Possibly a little more invention than Robert would allow for :-) I would have carried on using the typewriters in tandem with new machines, thus making it possible to provide disinformation. Who knows? Maybe that's what actually happened. Great yarn!

  8. Wow! This is the first I've heard of this. I've read the NSA report since I found this post and it seems intentionally vague. Your post is more detailed and I'd love to find out more about this. It seems the Russians had to replace all the interposers and install the hall-effect switches and circuitry. A very extensive task. I'm skeptical that it could be done in 30 minutes. It makes me wonder if the bugged machines were swapped-in at some point during service or by agents.

    If the bugs were installed as they were shipped into the country, I wonder how they were able to intercept them one at a time and have the intricate bugs installed. It was revealed that various versions of the bugs were found, so they weren't all installed at the same time, instead over a period of years.

    Surely these machines needed service over the years and an honest trained tech would notice the extra wiring. Who was trusted to service these machines? And where did they hide the batteries on the battery-powered versions?

    Very interesting.
