Countermeasures Revisited
~Seuss

The most prevalent information on telephone counter-surveillance has been floating around for at least 15 years. Short the pair at the demark and measure resistance. Open the pair at the demark and measure the resistance. Abnormally high or low resistances indicate a phone tap. Forrest Ranger wrote about it in text files, M.L. Shannon and Paul Brookes included it in their books, and an untold number of phone phreaks have employed this technique. Despite its popularity, this technique has its shortcomings: it fails to detect devices installed in the outside plant, split pairs are undetected and transmitters built into the phone are not tested for.

What you'll need:

- Access to a local DATU.
- A multimeter with high impedance scales (several meters that measure into the giga-ohm range are available) and a capacitance meter.
- An induction probe.
- A frequency counter or near field detector.
- Something that makes continuous noise, like a tape player.
- Ancillary tools (screwdrivers, a can wrench, etc.)

First, call the Phone Company to ask about your line's readiness for ISDN or DSL. High-speed services demand a line with no loading coils and a minimum amount (less than 2500 ft.) of bridged taps. Either will cause inaccurate measurements.

Begin by taking the phone off hook and turning on your tape player (to turn on voice activated transmitters). Now give your phone a pass with your near field detector or frequency counter. Transmitters in the phone will hopefully be picked up at this point. (Note: some speakerphones are prone to normal RF leakage.)

Next, measure the capacitance of the line and divide the value by .83 (the average mutual capacitance for a mile of phone line). The result is roughly the length of your line in miles. Write it down; you'll need it later. Remember that .83 is an average value, which can range from .76 to .90 depending on line conditions.
To get a more accurate measurement you can fine tune your figure by comparing capacitance measurements on a section of plant cable of a known length, or use a TDR.

Disconnect all the phones from the line you want to test. Go to your demark and disconnect your pair on the customer access side. Short the pair and measure the resistance of the line from the farthest jack with the meter set to its lowest scale. Reverse the polarity of the meter and measure again. If either resistance is more than a few ohms, it would suggest a series device wired into the line somewhere on your property.

Now return to your demark, open the pair, and cover the ends in electrical tape. Measure the resistance of the pair with the meter set to its highest scale. A less than infinite resistance would suggest a device wired in parallel to your line.

Testing in the outside plant should be conducted from the telco side of the demark point in order to avoid measurement error from the station protector circuit. Call that DATU and short the pair, then measure the resistance of the line. Compare the value you got for your line's length with the figures below:

Wire Gauge   Loaded Pair   Unloaded Pair
26ga         84.33         83.33
24ga         52.89         51.89
22ga         33.72         32.39
19ga         17.43         16.10

Note: 5ESS switches incorporate a 'test bus' that will add about 500 ohms to the shorted pair.

These figures will vary with temperature, splices, wet sections, and a host of other reasons. Large deviations could (but don't necessarily) suggest something wired in series with the line. This measurement may be supplemented by either a resistance to ground measurement of both sides of the pair and a capacitance balance test, or a voltage measurement. A resistive imbalance of more than 10 ohms or a noticeable drop in off-hook voltage calls for further inspection.

To test for parallel devices in the outside plant, open the line with the DATU and repeat the parallel test as described above.
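
The length estimate and the outside-plant series check above can be worked through as follows. This is an added example, not part of the original article: the function names are hypothetical, the table is read as ohms per 1000 ft of shorted loop, the capacitance reading is taken to be in whatever unit the .83-per-mile figure uses, and the sample readings are constructed.

```python
# Added example. Figures are the article's; units marked "assumed" are not stated there.
FT_PER_MILE = 5280
# Article's table, read as ohms per 1000 ft of shorted loop (assumed unit).
OHMS_PER_KFT = {
    26: {"loaded": 84.33, "unloaded": 83.33},
    24: {"loaded": 52.89, "unloaded": 51.89},
    22: {"loaded": 33.72, "unloaded": 32.39},
    19: {"loaded": 17.43, "unloaded": 16.10},
}
CAP_AVG, CAP_LOW, CAP_HIGH = 0.83, 0.76, 0.90  # article's per-mile capacitance
TEST_BUS_OHMS = 500    # article: 5ESS test bus adds about 500 ohms
IMBALANCE_OHMS = 10    # article: imbalance above this calls for inspection

def line_length_miles(capacitance):
    """(shortest, average, longest) length; capacitance in the article's unit."""
    return capacitance / CAP_HIGH, capacitance / CAP_AVG, capacitance / CAP_LOW

def expected_loop_ohms(capacitance, gauge, loaded=False, five_ess=False):
    """(low, high) band for the shorted-pair reading taken via the DATU."""
    per_kft = OHMS_PER_KFT[gauge]["loaded" if loaded else "unloaded"]
    shortest, _, longest = line_length_miles(capacitance)
    offset = TEST_BUS_OHMS if five_ess else 0
    return tuple(m * FT_PER_MILE / 1000 * per_kft + offset
                 for m in (shortest, longest))

def assess(capacitance, gauge, measured_ohms, side_a_gnd=None, side_b_gnd=None,
           loaded=False, five_ess=False):
    """Return findings that call for the physical search the article describes."""
    low, high = expected_loop_ohms(capacitance, gauge, loaded, five_ess)
    findings = []
    if measured_ohms > high:
        findings.append(f"loop {measured_ohms:.0f} ohms above {low:.0f}-{high:.0f}: "
                        "possible series device, splice or wet section")
    elif measured_ohms < low:
        findings.append(f"loop {measured_ohms:.0f} ohms below {low:.0f}-{high:.0f}: "
                        "recheck length estimate and gauge")
    if side_a_gnd is not None and side_b_gnd is not None:
        if abs(side_a_gnd - side_b_gnd) > IMBALANCE_OHMS:
            findings.append("resistance-to-ground imbalance over 10 ohms")
    return findings

if __name__ == "__main__":
    # Constructed readings: capacitance 1.66, 24 gauge unloaded pair.
    print(line_length_miles(1.66))
    print(assess(1.66, 24, measured_ohms=900, side_a_gnd=1200, side_b_gnd=1215))
```

The expected band comes only from the .76 to .90 spread in the capacitance figure, so a reading just outside it is a reason to remeasure, not a verdict.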

Testing for telephone hook-switch compromises requires an induction probe. Reconnect your pair at the demark and plug all your phones back in. Turn your tape player back on and put it near your phone. Now probe all the lines coming through your demark point. If you hear the tape player through the probe, your phone's hook-switch has been compromised.

Checking for splits on your line requires an induction probe and access to a plant wiring cabinet. Add a tone to either lead of your pair with the DATU. Probe all the conductors in the binder pair, listening for the trace tone. If you hear the tone on more than two leads (the ones connected to the line you're checking) your line has been split. This can be either a bad splicing job, or someone intentionally hooking a pair up to your line.

If any of the above tests suggests that there is something on your line, remember that there are plenty of innocent reasons a test could turn up positive, so a detailed physical search is in order. Disassembling the phone in question and comparing the innards to a schematic would be a wise idea at this point. Take the covers off your phone jacks, dig around in your demark point, peek inside wiring cabinets if you can, and so on. There are some places that are likely out of your reach, but keep in mind that they're likely out of reach to many wiretappers as well.

2600 Magazine, Volume 16, Number 4, Winter 1999-1900