Telephone Transmitters
Hardwire Intercepts
Soft Wiretaps
RF Flooding
Hot-Micing
Wireless Attacks
Tape Recording
Fax Interception
Dialed Number Recorders
Call Accounting
Probablity of Intercept

Telephone Transmitters


  • Profile:

  • RF telephone transmitters are 'bugs' wired into the phone line or the telephone unit itself, broadcasting all traffic to a listening post. RF line transmitters are either series or parallel, depending on how they're designed to be attached to the line. RF transmitters can vary in size from absolutely tiny (think pea sized) to reasonably large depending on their intended application (devices in the wiring between your phone and the phone company can be a little bigger to incorporate larger power supplies and transmit further, while bugs in your phone have to be very discrete).

    From a wiretapper's standpoint, parallel and series transmitters have their respective good and bad points.


    Series Transmitters
    Parallel Transmitters
    Advantages :

    * Draws line voltage, so it needs no batteries and the user isn't forced to risk detection by having to change them.

    Advantages:

    * Generally harder to detect with countermeasures equipment because they run off batteries instead of line voltage.

    Disadvantages :

    * Can be detected by voltage measurements.


    * Installation more complex (must be installed on a 'hot' line due to risk of interrupting connection).


    * Must be placed as close as possible to target to prevent line hum.

    Disadvantages:

    * Batteries must be replaced eventually, unless an expensive device with a trickle charger is used.



  • Detection:

  • Series telephone transmitters on the customer's property can be picked off by making a series of measurements.

    1. Remove all phones, faxes, modems, etc. from the line to be tested.
    2. Short the pair to be tested at the demark point (the point where wiring enters the building).
    3. Measure loop resistance with the lowest resistance setting from the jack farthest from the demark point.
    4. Reconnect the pair and measure loop voltage.
    5. Measure pair voltage on another line.

    If loop resistance exceeds a few ohms or line voltage dips noticeably below the standard (usually around 48 volts), there is something (not necessarily a transmitter) on the line.

    Parallel telephone transmitters on the customer's property can also be detected with a series of resistance measurements.

    1. Remove all phones, faxes, modems, etc. from the line to be tested.
    2. Open the pair to be tested at the demark point.
    3. Measure loop resistance with the highest resistance setting available on the meter.

    If the loop resistance is less than infinite, something is wired onto the line in parallel (not necessarily a transmitter).

    Note: a multimeter with VERY high impedance scales is most helpful here in order to compensate for devices with high impedance front ends. Even more precise and greater scale measurements can be made with the use of a resistance bridge and a resistance substitution box.

    Both of the above tests can be adapted to test for surveillance devices outside the customer's property, provided a method can be found to short and open the pair at the central office. The phone company can be coerced into opening and shorting a customer's pair, if they're provided with a good enough reason.

    * Note to anyone using a DATU to open the pair: open measurements using a DATU must compensate for the "testing matrix" of a 5ESS switch, which will add 500 ohms to the series measurement. Switch type can be determined by calling the phone company and asking on the pretext of purchasing switch specific ISDN equipment.

    The series measurement will also have to compensate for resistance added by loop length. Determine loop length by measuring the loop's capacitance and dividing by .083 (1000 feet of cable has .083 microfarrads per 1000 feet microfarrads per mile.). Now consult the loop resistance chart below to determine rough loop resistance. Remember, thats per conductor.



    Gauge
    Per 1000 ft. of loaded cable
    Per 1000 ft. of unloaded cable
    26 84.33 83.33
    24 52.89 51.89
    22 33.72 32.39
    19 17.43 16.10

    Should the series test turn up positive, it can be supplemented with a voltage measurement and a balance test. Should the voltage dip noticeably from the 48 volt average, it could indicate a series load on the line. A resistive balance test can also be conducted. Short the far end of each conductor independantly to an earth ground, and measure resistance between the near end of each lead and an earth ground. The leads should 'balance', i.e. their resistances should match or nearly match. An imbalance of more than 10 ohms indicates that more investigation is needed. The series balance test will not always allow for accurate readings, as some transmitters will use a balancing network to match the resistance of both conductors.


    "Loop loading" can be ascertained by either investing in a load coil counter or by calling the phone company and having the line checked for high speed services readiness. If the line can support ISDN/XDSL immediately, its unloaded. If its loaded have the line conditioned for high speed service, it'll make your life easier and maybe get a few extra Kbps out of your modem.

    DO NOT attempt the above test on a PBX without first checking the maintenance manuals! Shorting the wrong pair can blow out the master fuse or even an entire board on certain PBXs.


  • Countermeasures:


  • Preventative: Your demark point should be locked (most demark boxes have a provision for this), the "Telco Access Only" side should have the bolt holding it closed coated with Thread Lock or transparant nail varnish (making it openable, but the tampering will be noticed).

    * Voice encryption, if the transmitter isn't built into the phone. *

    Hardwire Taps

  • Profile:


  • Hardwire taps are direct connections between the telephone being monitored and the eavesdropper. These taps can be as simple as connecting a linesman's butt-set to the line and can be very difficult to detect.


    A subclass of hardwire taps are slave devices, which are remotely controlled hardwire taps. A line slave is connected in parallel to the pair under surveillance and to the control pair, and then tucked away in a wiring cabinet or other cable access point. When the slave is activated (via MF or DTMF tones, or by voltage fed down the control pair) it creates a connection between the control pair and the pair under surveillance. Slaves are usually connected with a capacitor build-out to eliminate clicking sounds when activated.



  • Detection:


  • Hardwire taps can be a real pain to find. A TDR or metallic fault locator is most useful in this capacity, but an induction probe with a high gain amplifier will suffice. Put a trace tone on your line (or play loud music into your phone) and probe your line at every splice point. If you hear the tone on more than 2 conductors (yours) the line has been split.


    Line slaves are usually only detectable with a TDR.



  • Countermeasures:


  • * Voice encryption.

    RemObs and Soft Wiretaps

  • Profile:


  • Soft wiretapping is a form of phone tap that works be analyzing digital information as it passes through a switching computer (either the phone company's, or a PBX). RemObs (Remote Observation) is a form of soft wiretapping implemented in the telephone company's equipment, designed for telco personnel to monitor line quality of specific pairs; which also has the potential for seamless telephone surveillance. Such a system is further delineated for law enforcement applications under CALEA (Computerized Aide to Law Enforcement Agencies).


    PBXs (private branch exchanges) often have a provision for monitoring extensions. This feature can be abused by bosses, nosy co-workers, or outside surveillants with remote access to the PBX.


    Something as simple as a second analog set hooked up to a line can provide a neat method for eavesdropping on a phone line.



  • Detection:


  • Because RemObs is executed at the switch, it's all but impossible to detect its use without having inside knowledge of day to day switch operations. The only countermeasures to RemObs would be external encryption.


    Soft wiretapping of PBXs can be detected by rifling through the PBX's programming. Features to look out for in a PBX's programming manual can be found on the phone system page.

  • Countermeasures:


  • If removal of ALL occurances of observation features from the PBX's programming and routinely auditing the programming to check for changes. Features to look out for in a PBX's programming manual can be found on the phone system page. Voice encryption. Removing all multi-line analog sets would be a wise decision. Certain PBXs have a programming provision to disallow connection of parallel connected sets, check the manuals.




    RF Flooding
  • Profile:


  • RF flooding is a specialized attack used on multi-line telephone systems that acts as a soft wiretap. RF flooding works by placing a source of strong RF near one of the system's telephones, and having the RF force signals from other wire pairs onto that line. Note: RF floods are only a real threat to Amphenol cabling.



  • Detection:


  • RF flooding attacks can be detected with field strength meters. Look for strong RF signals near a telephone.



  • Countermeasures:


  • Shielded telephone cables should help prevent RF floods, if they have an earth grounded drain wire.

    Hookswitch Compromises and Hot-Micing

  • Profile:


  • Hook switch compromises (also known as hot-mics) are a method of using a telephone as a room bug. The phone's hookswitch is shorted in some way (Usually a resistor, capacitor combination of the two which keep the mic hot at all times, or a neon bulb or reverse bias diode which can be externally controlled.) and a listen-down the line amplifier is then connected to the line. This would allow an eavesdropper to monitor room audio through the phone.


    Another hot-micing technique is exploiting a resonant ringer.


    Many cordless phones and private phone systems incorporate an option to monitor a room by pressing the correct sequence of keys. While this is an admirable security measure, its obvious how it could be exploited. Check the user's manual of your phone, PBX or key system to see if this feature is available.



  • Detection:


  • Hook-switch bypasses are detected in a manner similar to splits, with a high gain induction probe. Probe the pair at the demark with the phone hung-up and a stereo playing next to it. If room audio is clearly heard, the phone has been compromised. Specific programming features are listed on the phone system resource page.



  • Countermeasures:


  • Replacement of the ringer with either a non resonant ringer (available from Marty Kaiser) or a phone flasher should compensate for resonant ringers. A cut-out switch to disconnect the handset from the rest of the phone unless its off hook should be added. Specific programming features are listed on the phone system resource page.



  • Other hot-mic resources:


  • Air Force Instruction 33-220, On Hook Telephone Security <http://www.p-and-e.com/Documents/AFI%2033-220%20(1%20Mar%2097).pdf>

    Wireless Attacks

  • Profile:


  • Wireless communications systems (cellular phones, cordless phones and beepers) are a huge threat to privacy. Even pricacy concious people often don't realize that the pubic phones in trains and airliners are just as insecure as cordless.


    Realizing that their old 25 channel cordless phones are a threat to their security, some privacy conscious people have invested in 900 MHz or 2.1 GHz phones, assuming this will be sufficient to prevent eavesdropping. This assumption is patently false. No matter how high you jack up the frequency, there is a receiver that is able to intercept it. While these phones often utilize spread spectrum technology, which will hamper the efforts of casual eavesdroppers, the technology to demodulate it is readily available.


    The cellular industry has responded to the eavesdropping threat by promoting digital cellular phones using GSM, TDMA and CDMA technologies. This hasn't worked either.


    While it has become rather common knowledge that analog cellular and cordless phones can be eavesdropped on with a scanner, many people don't realize that their POCSAG beepers can also be spied on with a scanner that has a discriminator tap and the correct decoding software.


    In addition to eavesdropping, cellular phones can be modified for use as surveillance transmitters. An older technique suggests simply secreting away a tiny transmitter in a particular phone, but there is a more graceful method. Some newer cellular phones have incorporated an option for automatically answering incoming calls as a safety feature while driving. This feature also opens up the possibility for modifying a cellular phone for use as a listening device. By making a few simple modifications to the phone (in the case of Nokias, shorting the handset adapter pins to the microphone), engaging auto answer and muting the phone's ringing the phone is now a perfectly serviceable transmitter, operable from anywhere in the world.



  • Detection:


  • Because listening in on wireless is 'passive' monitoring, detection is generally considered impossible.


    Checking a cellular phone for external bugs requires an intimate knowledge of the phone's hardware and the tools to disassemble it. Checking for programming that would make a phone into a bug requires a copy of the owners manual. Make sure ringing is set to an audible level, and that auto answer is disengaged.



  • Countermeasures:


  • Cordless phones should be avoided whenever privacy is to be assured. External encrypters are available for many cellular phones (see the voice encryption page for sources), which will reduce the threat of cellular eavesdropping.

    Tape Recording

  • Profile:


  • People tape telephone calls all the time (Isn't that right, Ms. Tripp?), and for various reasons. Surreptitious recording of telephone calls is usually done with a drop-out relay, which automatically engages the recorder when the phone its connected to is taken off hook. A less sophisticated recording interface (one that is 'always on') can be easily assembled from electronic store parts. There is a schematic available at <http://www.hut.fi/Misc/Electronics/circuits/tm_adapt.gif>. In the US, the laws governing recording telephone calls vary from state-to-state.



  • Detection:


  • A tape recorder on your end can be detected by searching for a signal from 5 to 200 kHz (emitted by the tape recorder's bias oscillator), though this method isn't foolproof. Some recording devices (the recording chip things) lack a bias oscillator. The drop-out relay itself can be detected through impedance measurements. Physical search remains the best option for tape recorder detection on your end. A tape recorder on the other person's end can't be detected through electronic means.



  • Countermeasures:


  • In Electronic Surveillance Devices, Paul Brookes suggests a technique called 'band masking' where 4 kHz noise is played into the line as a technique for protecting against tape recorders (4000 Hz is the ragged edge of the voice channel. Sounds at this high of a frequency are inaudible through telephone speakers, but are still transmitted down the pair). While this technique works admirably against casual eavesdroppers it has a failing; a low pass filter manufactured from a few dollars worth of parts could defeat it. So while certainly not fed proof, the average phone phreak or PI would be stumped. Band masking will prevent anyone on the other end from recording your conversation on tape as well.


    * Voice encryption.

    * Voltage spreaders.

    Fax Interception

  • Profile:


  • Interception of fax transmissions is simpler than many people believe. While fax interception once required complex audio recording and mixing gear (such techniques may still be employed), fax intercepts can now be done with a one piece fax logging unit such as Fax Collector or certain Title III equipment. More mundane attacks of fax systems also exist, such as acquiring the thermal transfer film from a thermal fax machine (all the information that the fax has printed out is on that sheet in negative), exploitation of fax polling (where a document held in memory for users to download is surrepitiously copied) or exploitation of a store-and-forward-to-multiple-locations feature.



  • Detection:


  • Fax interception can be detected as per hardwire taps, although physical search would be the most practical detection technique. Note: many businesses log their inbound and outbound faxes with fax collection systems. Checking a fax machine's programming for broadcast and polling features would require a copy of the owner's manual. Simply confirm that forwarding is disengaged or set-up securely.



  • Countermeasures:


  • Encrypting fax systems (sources are listed on the voice encryption page) will protect your faxes from interception. Setting a polling password will prevent unauthorized parties from downloading faxes in memory. If thermal (shiny paper) faxes are still in use make sure that the transfer rolls are destroyed. Not thrown out. Not torn slightly. Destroyed. Check your fax machines routinely to confirm that faxes aren't being forwarded covertly.



  • Further Resources:


  • CIAC 2304 < http://ciac.llnl.gov/ciac/documents/CIAC-2304_Vulnerabilities_of_Facsimilie_Machines_and_Digital_Copiers.pdf>



    Dialed Number Recorders

  • Profile:


  • Dialed number recorders (also called 'pen registers') are devices used to make a record of all digits dialed. DNRs are the 'trap' portion of the fabled 'trap and trace'. A DNR can manifest itself as an independant bit of hardware, a feature on another device (such as a line slave), or built into a phone or phone system (see the call accounting entry below).



  • Detection:


  • DNRs are most easily found through physical search. Note: many private phone systems offer an option to record all digits dialed by a particular user, so a check of the local PBX programming would be warranted.



  • Countermeasures:


  • Countering a DNR is simplicity itself; dial 0 and have the operator dial for you. If the operator refuses (many telco operators will) to dial hang up, call back and start the conversation by saying "Operator, I have handicap-dial privilege. Please connect me to...". This means that for one reason or another (for instance, lacking fingers) you can't dial a phone, and that the operator has to connect you.



    Call Accounting

  • Profile:


  • AMA tapes are a method the telephone company uses for billing and auditing purposes. AMA tapes automatically record any number you dial (including digits that don't complete a phone call), the length of all calls, and whether they were voice or data. PBXs maintain this feature in miniature, with the Station Message Detail Recording. SMDR records will usually record Date, Time, Duration and Calling Party.



  • Detection:


  • Detecting AMA would be phenomenally difficult for the average person. While AMA is present in a majority of offices in the United States, its not universal. Most if not all PBXs utilize SMDR.



  • Countermeasures:


  • There is no way to disable AMA, short of terrorist attack on phone company facilities. Keeping your phone activities reasonably private is another matter. Dialing through the operator will still leave an AMA record. Prepaid calling cards are certainly NOT foolproof (as was shown in the Ok. City Bombing Trial), but the end number will not be recorded on AMA tapes. Remember that AMA tapes can be correlated with calling card company logs to determine the originating number of a phone call.

    Kinks



    There are more than a few kinks that can be applied to telephone taps and transmitters to make them more difficult to detect.



  • Induction coils: Induction coils appear to be a waking nightmare for anyone trying to detect a surveillance device. Place a coil around a telephone cable and you're able to siphon off clear audio without making a physical connection to the line. Induction coils generate poor audio however, and are easy to find in the physical search. Hall effect sensors would be a much better choice for taping without making a connection, as the audio is clearer.


  • OSP placement: The TDR is a potent tool for locating wireline devices, but it has a weakness: it can't usually test through loading coils. A resourceful wiretapper will locate a transmitter inside or behind a loading coil in a bid to hide it from a TDR. This technique is popular with law enforcement. It IS possible to test through a loading coil be using a technique known as 'Near-End/Far-End High Frequency Cross-Talk TDR analysis'. Details can be found at TSCM.com.


  • Transformers: Linking two phone lines together with a low resistance 1:1 transformer will make a mockery of voltage/resistance measurements, especially on longer loops. Such a transformer can be detected either as per a hook switch compromise, or with resistance to ground measurements on the individual leads.



  • Telephone encryption devices must be either built into the phone itself, or attached to the line. Any device that fits over the earpiece and mouthpiece of the telephone is a scrambler, which can be defeated. If you're using a secure PC telephone system, remember that the microphone on your computer could be bugged and that if the room is monitored securing phone calls is useless.

    Index