Using Spectrum Analyzers to Look for Unknown Signals

Integrated Spectrum Analyzers like OSCOR combine capabilities from multiple types of analyzers to locate signals, not just detect them.

In the last few decades, the volume of RF spectrum activity has exploded and shows no indication of slowing as the demand for wireless information transmission grows insatiably. The opportunity to use free airspace for good is equal to the ability for it to be used nefariously. RF safety and security efforts will face significant challenges in coming years to keep pace with increased opportunity for abuse.

One particular area of RF exploitation that is demonstrating significant expansion is illicit surveillance. Availability of cheaper and highly advanced surveillance products at the consumer level has taken technology that was once reserved for an elite field of intelligence specialists and made it accessible to the average individual. Easy-to-use video and audio recording transmitters can be disguised and hidden in the most common, ordinary off-the-shelf products. These malicious devices are being produced in volume and marketed commercially with little restriction. A quick search for “hidden camera” on your favorite online retailer site may yield surprising results.

This article will explain how integrated spectrum analyzers, like the REI OSCOR, draw characteristics from several types of analyzers, making them uniquely qualified to detect, analyze and locate illicit transmitters. Some spectrum analyzer manufacturers and software developers focus on analyzing signals for precise signal characteristics. In security applications like TSCM (Technical Surveillance Countermeasures), it is equally important to find the source of the transmission. Knowing there’s a thief in the neighborhood isn’t good enough. You’re going to want to catch him.

Spectrum Analyzer Overview

Spectrum analyzers use antennas to collect RF signal activity and display amplitude (signal strength) as it varies by signal frequency. The frequency appears on the horizontal axis, and the amplitude is displayed on the vertical axis. Every product has different levels of signal display and analysis capability, either integrated with the receiver or processed through computer-based software.

For many years, spectrum analyzers have been used for lab measurements of electromagnetic emissions, safety and compliance testing, spectrum monitoring, and many other applications:

  • Regulatory Compliance
  • Research & Development
  • Manufacturing testing and calibration
  • SIGINT (Signal Intelligence)
  • Wi-Fi testing and analysis
  • Spectrum Management
  • Security

There are many applications and technical requirements that make it impossible to build a spectrum analyzer that does everything superbly. It is necessary when choosing one to determine the application needs, not just product specifications. Relying only on speed or sensitivity may not contribute to the optimal outcome for your application.

Different types of spectrum analyzers generally have particular qualities by which they can be compared:

  • Benchtop – high precision and accuracy, speed, signal analysis
  • SDR (Software Defined Radios) – in-place continuous monitoring, less expensive, hardware is generalized and not optimized for a specific application, software based
  • Portable – in-field measurement, detecting unknown signals, mobile and agile
  • Integrated – combine characteristics from all others, detecting unknown signals, spectrum view and analysis, speed, mobile/agile, integrated antenna system

In security applications, spectrum analyzers are used to investigate for RF transmitters that may be stealing corporate, private or government information, or that are simply in violation of security or privacy policies. Hidden microphones and cameras can record and/or transmit stolen information via RF or other mediums to remote receivers. GSM devices allow users to dial into a device for real-time monitoring, view recordings or transfer recorded files. Finding transmitters like these in the RF environment can be like finding a needle in a stack of needles. Traditional spectrum analyzers are used to look at and analyze specific signals. TSCM is different because the analyzer is used to look for unknown and often disguised signals anywhere in the spectrum. This requires a certain set of skills.


When looking for hidden transmitters, portability should be a key analyzer feature, and there’s more to portability than just being able to move the product from one location to another. In this situation, portability is about effectively, quickly, and discreetly collecting data from different locations and comparing the differences to provide important information for locating transmitters.

The results achieved by walking around are based on the physics of transmitting RF energy. Because the radiation pattern expands as it travels, the energy level received from a single source falls off with the square of the distance (range) from the source of the transmission.

For example, when comparing RF energy 1 foot from a target versus 20 feet from the target, the energy level is 400 times stronger at one foot than at 20 feet. By simply walking around, you can increase the sensitivity of your search by a large factor. In order to do this, the spectrum analyzer needs to be compact and light enough to carry and operate while moving about. Many receivers and handheld analyzers may be smaller than the OSCOR, but after you include antennas, cables, laptop/tablet, and other accessories required to adequately capture comparable signal activity across a large frequency span, they aren’t very portable. The display, control center, and 24 GHz auto switching antenna system built into the OSCOR make it easy to move around and analyze data simultaneously.
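The walk-around comparison described above, as an added example (not from the original article or any REI software): it takes traces recorded at several positions and flags frequencies whose level changes sharply between positions, since a nearby transmitter follows the inverse-square law while distant broadcast signals stay nearly flat across a building. The trace values, position names and the 10 dB threshold are constructed for illustration.

```python
import math

def path_gain_db(near_ft, far_ft):
    """Level increase in dB when moving from far_ft to near_ft from a source
    (inverse-square law, free-space assumption)."""
    return 10 * math.log10((far_ft / near_ft) ** 2)

def local_emitters(traces, min_spread_db=10.0):
    """traces: {position: {freq_mhz: level_dbm}}.
    Return [(freq_mhz, spread_db, strongest_position)] for frequencies whose
    level differs by at least min_spread_db between positions, largest first."""
    hits = []
    # Only compare frequencies that were measured at every position.
    freqs = set.intersection(*(set(t) for t in traces.values()))
    for f in sorted(freqs):
        levels = {pos: t[f] for pos, t in traces.items()}
        strongest = max(levels, key=levels.get)
        spread = levels[strongest] - min(levels.values())
        if spread >= min_spread_db:
            hits.append((f, round(spread, 1), strongest))
    return sorted(hits, key=lambda h: -h[1])

# Constructed sample traces (dBm per frequency in MHz), one per position.
SAMPLE_TRACES = {
    "lobby":           {98.1: -52.0, 433.9: -88.0, 915.0: -90.0, 2437.0: -61.0},
    "conference_room": {98.1: -53.5, 433.9: -60.0, 915.0: -89.0, 2437.0: -58.0},
    "office_3":        {98.1: -51.0, 433.9: -79.0, 915.0: -91.0, 2437.0: -70.0},
}

if __name__ == "__main__":
    # 1 ft versus 20 ft: a factor of 400 in power, about 26 dB.
    print(f"1 ft vs 20 ft: {path_gain_db(1, 20):.1f} dB")
    for freq, spread, where in local_emitters(SAMPLE_TRACES):
        # A flagged frequency is a lead, not a verdict: it may be a legitimate
        # local device (e.g. a Wi-Fi access point) and still needs analysis.
        print(f"{freq} MHz varies {spread} dB, strongest in {where}")
```
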

The best way to know a system’s portability is to test it by walking around a facility for 30 minutes collecting RF measurements. Try it with different products and see which one has the portability and provides the most information to locate RF energy.

Sweep Speed

While the OSCOR can sweep 24 GHz a second, there are spectrum analyzers that claim faster sweep times. However, other spectrum analyzer sweep speed specifications typically refer to the receiver’s processing speed when tuned to a single narrow acquisition bandwidth and NOT the time it actually takes the receiver to sweep a span from 10 kHz to 24 GHz (which would require changing/switching antennas). The OSCOR can actually sweep from 10 kHz to 24 GHz, switching through multiple built-in antennas in less than 1 second, displaying a single trace for this wide span.

Probability of Intercept (POI)

POI is often referred to in spectrum analyzer specifications. Many spectrum analyzers quote a 100% probability of intercept (detection) for a specific burst duration (for example, one competitor system claims their unit has a 100% probability of detecting a 125 µsec burst event). However, this specification assumes that the receiver is tuned to a single instantaneous bandwidth block (also called the acquisition bandwidth, maybe 40 MHz wide depending on the model/manufacturer), which means the frequency of the signal being tuned to is already known.

While POI could be useful when analyzing a specific burst signal at a known frequency, in a TSCM sweep, neither the existence nor the frequency of a suspect signal is yet known. For unknown signals (TSCM applications), the POI has more to do with how quickly the receiver can actually cover a very wide band (e.g. 8 GHz or more) at a reasonable resolution step size (e.g. 12.2 kHz) to actually capture evidence of an unknown signal.
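The difference between a tuned-block POI figure and POI during a wide sweep can be worked through with a simple model. This is an added example, not from the original article or any vendor's specification: it assumes a stepped receiver with equal dwell per acquisition block, bursts arriving at random times, and any overlap with the dwell counting as an intercept. The 0.2 s sweep time is a constructed value for a hypothetical receiver; the 125 µsec burst, 40 MHz block and 8 GHz span are the figures mentioned above.

```python
import math

def intercept_probability(burst_s, span_hz, acq_bw_hz, sweep_s):
    """Probability that one burst overlaps the receiver's dwell on the block
    that contains it, during one sweep of span_hz in acq_bw_hz steps."""
    blocks = max(1, math.ceil(span_hz / acq_bw_hz))
    dwell_s = sweep_s / blocks              # time spent on each block per sweep
    # The burst is caught if it starts anywhere in a window of dwell + burst.
    return min(1.0, (dwell_s + burst_s) / sweep_s)

def bursts_for_confidence(p_single, confidence=0.95):
    """Number of independent bursts needed before the cumulative probability
    of at least one intercept reaches `confidence`."""
    if p_single >= 1.0:
        return 1
    return math.ceil(math.log(1 - confidence) / math.log(1 - p_single))

BURST_S = 125e-6      # burst duration quoted in the POI specification example
ACQ_BW_HZ = 40e6      # acquisition bandwidth of one block
SWEEP_S = 0.2         # constructed sweep time for a hypothetical receiver

# Receiver parked on the right block: the "100% POI" datasheet case.
TUNED = intercept_probability(BURST_S, ACQ_BW_HZ, ACQ_BW_HZ, SWEEP_S)
# Same receiver sweeping 8 GHz because the frequency is unknown.
SWEEPING = intercept_probability(BURST_S, 8e9, ACQ_BW_HZ, SWEEP_S)

if __name__ == "__main__":
    print(f"tuned to the block: {TUNED:.1%}")
    print(f"sweeping 8 GHz:     {SWEEPING:.3%} per burst")
    print(f"bursts needed for 95% confidence: {bursts_for_confidence(SWEEPING)}")
```
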

Known vs. Unknown Signals

If you were to compare spectrum analyzers to a telescope, the telescope focuses on a narrower field of view in order to magnify a subject. A system of lenses or mirrors allows the viewer to see distant objects more clearly by magnifying them or by increasing the effective brightness of a faint object. This is great for looking at known stars and planets or observing relatively small segments of the sky, but what if you had to find a single unknown stationary object somewhere in the entire sky looking only through the telescope? It would be impractical at best. Even worse, suppose the unknown object didn’t reflect light all the time, but was only visible some of the time, as is the case with burst transmitters. The likelihood of finding the subject would be very small and would require an immense amount of time.

In the same sense, many spectrum analyzers display relatively small segments of the spectrum at one time, often limited by the antenna input or frequency span of the equipment. Changing antennas may change the frequency span, but it would still display a limited span.

The OSCOR’s antenna array continuously sweeps and displays 24 GHz of frequency spectrum, with the ability to also zoom in on any segment of the spectrum while still sweeping. OSCOR was designed for applications where the user does not know the frequency of the signal of interest. This is a totally different perspective from that of spectrum analyzers designed for benchtop test analysis or field analysis of a known frequency or band, or of a general-purpose software defined radio where the user adds a laptop/tablet, software, antennas/cables, and any other hardware for their specific application.

The bottom line is, to identify and locate unknown signals, you need the right tool for the job, and the right specifications. Specifications that relate to your application.

This is an excerpt from REI’s TSCM Quarterly Newsletter.