The Thing [2] is also worth reading. The Soviet Union was well aware that RF/LO leakage was being constantly monitored by the NSA, so in 1945 they made a passive eavesdropping device that didn't use a power supply. Instead, when eavesdropping was needed, an agent near the field would transmit an unmodulated carrier wave at 330 MHz, which was received by The Thing with an antenna and tuned circuit, thus activating the device. The recording is then rebroadcast at a higher harmonic frequency. When the device is inactive, it's almost impossible to detect.
Basically, using side-channel RF leakage to eavesdrop on the eavesdropper who uses your side-channel RF leakage to eavesdrop on you... Reminded me of the old "radar-detector-detector detector" hoax edit from Wikipedia (https://www.reddit.com/r/wikipedia/comments/4a3tfm/in_1982_t...). But unlike other EM side-channel attacks, RF local-oscillator leakage is a historically known attack vector dating back to WW2.
> This RF leakage, however, is extremely weak and buried under noise and other transmitted signals that can be 3-5 orders of magnitude larger. Hence, it is missed by today’s radios. We design and build Ghostbuster, the first device that can reliably extract this leakage, even when it is buried under ongoing transmissions, in order to detect the hidden presence of eavesdroppers.
[1] https://en.wikipedia.org/wiki/Spycatcher