--- Legal and Technical Aspects of RF Monitoring ---
--- Major [TNo] ---

SYNOPSIS
--------

The "Cordless Fun" article (Noam Chomski, 2600 Magazine, Summer 1994)
doubtless sparked an interest in cordless phone monitoring. Wireless
telephones are a prime target for monitoring. Both cordless and cellular
telephones are nothing more than radio transceivers that, at some point,
interface with the telephone system. This article will seek to expand on
and clarify some points made in "Cordless Fun", and also to point to some
other areas of interest.

=============================================================================

CORDLESS
--------

Legal Stuff:

Monitoring cordless phones is now a federal crime! Recent legislation
prohibits listening in on cordless phones, much as with cellular phones.
Also, the Communications Act of 1934 makes it a crime to divulge anything
you monitor to another person. It is also illegal to use anything that you
hear for personal gain. Note that this applies to anything that you
monitor, not just cordless phones.

On the other hand, there are presently no restrictions on scanners that
are capable of receiving cordless phone frequencies. However, I suspect
that in the near future the feds will deny certification to such scanners,
as they did with scanners that could receive cellular frequencies.

Technical Stuff:

Cordless telephones transmit and receive with very low power. This is
primarily to minimize interference with other nearby cordless telephones,
and it makes scanning for cordless telephones a short-range endeavor. Most
cordless phones of recent manufacture operate in the 46-49MHz range.
However, the FCC has recently opened up a part of the 900MHz spectrum for
cordless telephone usage. The new 900MHz phones often offer greater range
and increased clarity. There are also models sporting "spread-spectrum"
technology, which makes monitoring with conventional scanning receivers a
virtual impossibility.
Another security measure on some cordless phones involves encoding the
DTMF tones sent from the handset to the base. This prevents the base from
accepting tones from other, unauthorized handsets. It does not hinder
monitoring the calls, but the DTMF tones will not be recognizable.

In the 46-49MHz phones, there are ten frequency pairs available. Many
older phones only utilize one pair. Newer, more expensive phones can
utilize all ten pairs. Some automatically search for an open channel,
while others can be manually switched to find a channel with less noise.
Likewise, the new 900MHz phones will scan to find a clear channel.

CELLULAR
--------

Legal Stuff:

Intercepting cellular mobile telephone (CMT) traffic is illegal. The
Electronic Communications Privacy Act of 1986 made it so. Scanners that
receive the CMT portion of the 800MHz range may no longer be manufactured,
sold, or imported into the U.S. Many scanners were designed to scan this
area, though. When the Cellular Telephone Industry Association began
complaining about this fact, most scanner manufacturers/resellers
voluntarily "blocked" the cellular freqs from their scanners. This
pacified the CTIA for a while, but the "blocks" were easily hackable.
Typically, restoring a "blocked" scanner involved removing a single diode,
a ten-minute job for even the most devout technophobe. This fact led to
the passage of the Telephone Disclosure and Dispute Resolution Act
(TDDRA), which denies F.C.C. certification to scanners that receive
cellular freqs, or those which may be easily modified to do so. New
scanners will be "blocked" at the CPU, and hacking them is unlikely.

Frequency converters offered another means of monitoring cellular and
other 800MHz traffic. Essentially, a converter receives an 800MHz signal
and converts it to a 400MHz signal that the scanner is capable of
receiving.
Converters are useful for scanners that have no 800MHz reception
capabilities, as well as those that have portions of the 800MHz band
blocked. Unfortunately, converters were also outlawed by the TDDRA. They
are still legal in kit form, however. Another option would be to build one
from scratch, which isn't an especially difficult project.

Technical Stuff:

The word "cellular" describes how the cellular phone system is laid out. A
service area is broken up into many small cells. As a user travels through
an area, his call will be handed off from one cell to the next. This
handoff is transparent to the user, but a monitor will lose the
conversation. Cellular phones use low power (a maximum of five watts) so
that a cell phone will not attempt to seize more than one site at a time.
When a call is initiated by a cell phone, the nearest site will respond
and assign an available frequency to the phone. When the user comes into
range of the next site, the process repeats itself, and the new site will
assign a new frequency. Therefore, it can be difficult to track a
particular conversation as it moves from site to site with a single
scanner.

Every area served by cellular phones will have two service providers. One
will be the local RBOC, while the other will be a cellular-only provider.
The two systems are designated as "A" and "B" systems, or "Wireline" and
"Non-Wireline". There is no difference between the two for monitoring
purposes, but since "A" and "B" carriers use different frequencies, it
should be possible to identify local cell towers as being "A" or "B"
sites.

PHONE PATCH
-----------

Legal Stuff:

The Communications Act of 1934 applies here as well, but there are no
other prohibitions on monitoring business-band phone patches.

Technical Stuff:

Many business radio systems have the ability to tie into the phone system.
Most of these systems will be found in 800MHz trunked radio systems. In a
conventional radio system, one frequency will equal one channel.
In a trunked system, however, frequencies and channels are independent of
each other. The trunking computer will assign a different frequency to a
radio each time it transmits, and it will send a signal to other radios on
the same channel, telling them the current frequency in use. Phone patches
are easy to monitor, though. Since the radio on a phone patch is
transmitting constantly, the frequency used will remain the same for the
duration of the conversation. Many people mistakenly believe these calls
to be cellular, but they are not.

Most phone patches found in 800MHz trunked systems will be full-duplex,
just like cellular and home phones. Some systems, especially UHF (around
450MHz) and 800MHz conventional radio systems, will only be half-duplex,
though. In those systems, only one person can talk at a time, just like
normal two-way radios.

Radio systems are typically designed to offer service to an entire
metropolitan area, so range is quite good. The mobile radio will transmit
its signal to a strategically located "repeater", which then re-broadcasts
the signal with much more power. So long as a scanner is within reception
range of the repeater output, monitoring will be possible regardless of
the location of the party transmitting.

EQUIPMENT
---------

Legal Stuff:

Some states prohibit mobile use of scanners. Also, it is illegal to use a
scanner in the commission of a crime.

Technical Stuff:

There is a scanner for every appetite. What sort of monitoring one wants
to do will dictate which scanner one buys. For someone interested only in
cordless phones, a ten-channel scanner with no 800MHz coverage will be
quite adequate, and much cheaper than a more capable scanner. For someone
interested in cellular, a full-coverage 800MHz scanner with a much greater
frequency storage capacity will be necessary. Base, mobile or handheld?
That depends entirely on how it will be used. Modern scanners are
programmable, while older units require crystals.
For someone wanting to monitor only a few channels (such as cordless
phones, or the local police), a crystal-controlled scanner would be
adequate, and much cheaper. But for more serious and varied scanning,
programmable units are a necessity. Models are available that store
between 10 and 1000 channels. Uniden/Bearcat and Realistic are the two
most commonly available brands in the U.S. (although Realistic isn't
actually a brand, just a label...Radio Shack scanners are all manufactured
by Uniden or GRE, depending on the model). Because of the TDDRA, many of
the best scanners from the past several years are no longer available, but
watch for hamfests (great electronic flea markets...inquire at your local
ham radio/electronics store), garage sales, etc. There is nothing in the
TDDRA or other current legislation that prevents private parties from
owning or selling pre-TDDRA equipment.

Aside from the scanner itself, the next most important piece of equipment
is the antenna. Handheld scanners will generally utilize an "all-band"
rubber-duck antenna (a flexible, rubberized antenna, between 8-14" in
length), while base units will have a telescoping metal whip antenna.
These antennas are adequate for receiving strong, local signals, but more
discriminating monitors will demand more. For base units, an all-band
discone type antenna, mounted outside as high as practical, will offer
good, omnidirectional performance. For those who only want to monitor a
particular band, it would be best to use an antenna cut specifically for
that band. Likewise, for those monitoring signals coming from one general
direction, a directional antenna will offer better performance than an
omnidirectional unit. For mobile use, an antenna mounted on the vehicle
will greatly improve reception.

MISCELLANEOUS COMMUNICATIONS
----------------------------

Voice pagers can offer interesting monitoring.
While the data transmissions that send the signal to the proper pager are
proprietary digital signals (and as such, illegal to monitor or decipher),
the actual "voice messages" are transmitted "in the clear".

Packet radio is used by ham radio operators. They have a vast network of
computer BBSs that operate independently of the phone system. Modulated
data is sent over the airwaves with a ham transceiver, where it is
received and demodulated with a Terminal Node Controller (TNC). Expect the
use of wireless data transmissions to increase over the next few years,
and not just among ham operators.

While not having anything to do with telephones, the "baby monitors"
people use are transmitters just like cordless phones. They are also
low-power devices, so range is limited. Most people who use these devices
would be shocked to learn that they are "bugging" their own home.

PRESENT AND FUTURE CHALLENGES
-----------------------------

Spread spectrum, digital transmissions, encryption...these are all factors
that are affecting monitoring today. While most cellular systems are
presently analog systems, there are operational digital systems in some
areas. Scanners that are currently available won't be able to decipher the
digital communications, and it is unlikely that digital-capable scanners
will be produced. That means it will be up to the hackers to provide the
technology to intercept these communications. Spread spectrum is quite
hackable, as it was never intended as an encryption system, per se, yet
the phone manufacturers are certainly marketing it as such. And one
oft-overlooked advantage of the Clipper chip is the fact that the backdoor
can be exploited by hackers as well as the government. In the meanwhile,
there are plenty of intercepts to be had, and there will continue to be.
=================================================================
For More Information:
=================================================================

Scanner Modification Handbook (Vols. I & II), by Bill Cheek

    The scanner modification handbooks offer a plethora of information on
    hacking scanners. Hacks include: increased channel capacity (example:
    RS PRO-2006 from 400 channels to 6,400!), adding signal-strength
    meters, cellular-freq. restoration, scanning-speed increases, and much
    more.

World Scanner Report, by Bill Cheek

    A monthly newsletter on the latest scanner hacks.

Available from:

    COMMtronics Engineering
    Box 262478
    San Diego, CA 82196-2478
    BBS: (619) 578-9247 (5:30PM to 1:30PM P.S.T. ONLY!)

    COMMtronics Engineering also offers a scanner-computer interface for
    RS PRO-43/2004/2005/2006 model scanners.

===================================================================

CRB Research Books
Box 56
Commack, NY 11725

    CRB has books on scanner modifications, frequency guides, and other
    interesting subjects.

=================================================================

POPULAR COMMUNICATIONS
CQ Publications
76 N. Broadway
Hicksville, NY 11801
(516) 681-2926

    Pop Comm is a monthly magazine on all sorts of radio monitoring,
    including scanning, shortwave, and broadcast.

==================================================================

MONITORING TIMES
Grove Enterprises, Inc.
P.O. Box 98, 300 S. Highway 64 West
Brasstown, North Carolina 28902-0098

    M.T. is a monthly magazine covering all varieties of radio
    communications.

==================================================================

NUTS & VOLTS

    Nuts & Volts is a monthly magazine that covers a wide variety of
    electronics-related subjects.

T&L Publications, Inc.
430 Princeland Court
Corona, CA 91719
(909) 371-8497
(909) 371-3052 fax
CI$ 74262,3664
1-800-783-4624 SUBSCRIPTION ORDERS ONLY

===================================================================

USENET:
    alt.radio.scanner
    rec.radio.scanner

===================================================================

Charts & Tables:

 1. Cordless Telephone Frequencies (VHF)
 2. Cordless Telephone Frequencies (900MHz)
 3. Cellular Telephone Frequencies
 4. Business Band Frequencies (VHF, UHF, 800MHz)
 5. IMTS Frequencies
 6. PAGER Frequencies
 7. PACKET Frequencies
 8. ROOM MONITOR Frequencies
 9. homebrew cordless dipole antenna
10. homebrew 1/4 wave groundplane antenna

=================================================================
TABLE 1 - CORDLESS TELEPHONE FREQS. (CONVENTIONAL)

    CH    BASE      HANDSET
    --    ----      -------
     1    46.100    49.670
     2    46.630    49.845
     3    46.670    49.860
     4    46.710    49.770
     5    46.730    49.875
     6    46.770    49.830
     7    46.830    49.890
     8    46.870    49.930
     9    46.930    49.990
    10    46.970    46.970

=================================================================
TABLE 2 - 900MHz CORDLESS FREQS.

Cordless phones have been allocated the frequencies between 902-928MHz,
with channel spacing between 30-100KHz. Following are some examples of the
frequencies used by phones currently on the market.
----------------------------------------------------------------
Panasonic KX-T9000 (60 Channels)

    base     902.100 - 903.870   Base frequencies (30KHz spacing)
    handset  926.100 - 927.870   Handset frequencies

    CH  BASE    HANDSET   CH  BASE    HANDSET   CH  BASE    HANDSET
    --  ------- -------   --  ------- -------   --  ------- -------
    01  902.100 926.100   11  902.400 926.400   21  902.700 926.700
    02  902.130 926.130   12  902.430 926.430   22  902.730 926.730
    03  902.160 926.160   13  902.460 926.460   23  902.760 926.760
    04  902.190 926.190   14  902.490 926.490   24  902.790 926.790
    05  902.220 926.220   15  902.520 926.520   25  902.820 926.820
    06  902.250 926.250   16  902.550 926.550   26  902.850 926.850
    07  902.280 926.280   17  902.580 926.580   27  902.880 926.880
    08  902.310 926.310   18  902.610 926.610   28  902.910 926.910
    09  902.340 926.340   19  902.640 926.640   29  902.940 926.940
    10  902.370 926.370   20  902.670 926.670   30  902.970 926.970
    31  903.000 927.000   41  903.300 927.300   51  903.600 927.600
    32  903.030 927.030   42  903.330 927.330   52  903.630 927.630
    33  903.060 927.060   43  903.360 927.360   53  903.660 927.660
    34  903.090 927.090   44  903.390 927.390   54  903.690 927.690
    35  903.120 927.120   45  903.420 927.420   55  903.720 927.720
    36  903.150 927.150   46  903.450 927.450   56  903.750 927.750
    37  903.180 927.180   47  903.480 927.480   57  903.780 927.780
    38  903.210 927.210   48  903.510 927.510   58  903.810 927.810
    39  903.240 927.240   49  903.540 927.540   59  903.840 927.840
    40  903.270 927.270   50  903.570 927.570   60  903.870 927.870

------------------------------------------------------------
V-TECH TROPEZ DX900 (20 CHANNELS)

    905.6 - 907.5   TRANSPONDER (BASE) FREQUENCIES (100 KHZ SPACING)
    925.5 - 927.4   HANDSET FREQUENCIES

    CH  BASE    HANDSET   CH  BASE    HANDSET   CH  BASE    HANDSET
    --  ------- -------   --  ------- -------   --  ------- -------
    01  905.600 925.500   08  906.300 926.200   15  907.000 926.900
    02  905.700 925.600   09  906.400 926.300   16  907.100 927.000
    03  905.800 925.700   10  906.500 926.400   17  907.200 927.100
    04  905.900 925.800   11  906.600 926.500   18  907.300 927.200
    05  906.000 925.900   12  906.700 926.600   19  907.400 927.300
    06  906.100 926.000   13  906.800 926.700   20  907.500 927.400
    07  906.200 926.100   14  906.900 926.800

------------------------------------------------------------
OTHER 900 MHZ CORDLESS PHONES

    AT&T #9120 - - - - - -  902.0 - 905.0 & 925.0 - 928.0 MHZ
    OTRON CORP. #CP-1000    902.1 - 903.9 & 926.1 - 927.9 MHZ
    SAMSUNG #SP-R912 - - -  903.0 & 927.0 MHZ

------------------------------------------------------------
==================================================================
TABLE 3 - CELLULAR TELEPHONE FREQUENCIES

    wireline ("b" side carrier)        824.1000-834.9000   869.0100-879.9900
    non-wireline ("a" side carrier)    835.0200-849.0000   880.0200-894.0000

==================================================================
TABLE 4 - BUSINESS BAND RADIO FREQS.

    151.5050-151.9550MHz    154.4900-154.5400
    460.6500-462.1750       462.7500-465.0000
    471.8125-471.3375       474.8125-475.3375
    896.0125-900.9875       935.0125-939.9875
    806.0125-810.9875       811.0125-815.9875
    816.0125-820.9875       851.0125-855.9875
    856.0125-860.9875       861.0125-865.9875

=================================================================
TABLE 5 - MOBILE TELEPHONE FREQS.
(see note 1 below)

    SIMPLEX     OUTPUT     INPUT      OUTPUT     INPUT
    --------    --------   --------   --------   --------
    035.2600    152.0300   158.4900   454.3750   459.3750
    035.3000    152.0600   158.5200   454.4000   459.4000
    035.3400    152.0900   158.5500   454.4250   459.4250
    035.3800    152.1200   158.5800   454.4500   459.4500
    035.5000    152.1500   158.6100   454.4750   459.4750
    035.5400    152.1800   158.6400   454.5000   459.5000
    035.6200    152.2100   158.6700   454.5250   459.5250
    035.6600*   454.0250   459.0250   454.5500   459.5500
    043.2200*   454.0500   459.0500   454.5750   459.5750
    043.2600    454.0750   459.0750   454.6000   459.6000
    043.3400    454.1000   459.1000   454.6250   459.6250
    043.3800    454.1250   459.1250   454.6500   459.6500
    043.4200    454.1500   459.1500
    043.3000    454.1750   459.1750
    043.5000    454.2000   459.2000
    043.5400    454.2250   459.2250
    043.5800*   454.2500   459.2500
    043.6400*   454.2750   459.2750
    152.2400*   454.3000   459.3000
    152.8400*   454.3250   459.3250
    158.1000*   454.3500   459.3500
    158.7000*

    * - also allocated for pager usage

(note 1: These freqs are, for the most part, dead. The FCC has reallocated
most of these for other services.)
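The 900MHz channel plans in Table 2 above are each just a start frequency, a channel spacing and a channel count, with a fixed base-to-handset duplex offset. As an added worked example (my code, not part of the original article), the following Python generates those tables from the three parameters and does the reverse lookup a monitor of his own premises actually needs: given a carrier seen on the scanner, which phone model and channel could it belong to? It uses only the two plans printed on the page; the `tolerance_khz` argument (to absorb a scanner display that reads a few kHz off) and the overlap check are my additions.

```python
"""Channel-plan arithmetic for the 900 MHz cordless phones in Table 2."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ChannelPlan:
    name: str
    first_base_khz: int      # channel 1 base-unit frequency, in kHz
    first_handset_khz: int   # channel 1 handset frequency, in kHz
    spacing_khz: int         # channel spacing, in kHz
    channels: int            # number of channels

    def pair(self, channel: int) -> Tuple[float, float]:
        """Return (base_mhz, handset_mhz) for a 1-based channel number."""
        if not 1 <= channel <= self.channels:
            raise ValueError(f"{self.name}: channel {channel} not in 1..{self.channels}")
        step = (channel - 1) * self.spacing_khz
        return ((self.first_base_khz + step) / 1000.0,
                (self.first_handset_khz + step) / 1000.0)

    def duplex_offset_mhz(self) -> float:
        """Fixed spacing between a channel's base and handset frequencies."""
        return (self.first_handset_khz - self.first_base_khz) / 1000.0

    def table(self) -> List[Tuple[int, float, float]]:
        """Regenerate the (CH, BASE, HANDSET) rows as printed in Table 2."""
        return [(ch, *self.pair(ch)) for ch in range(1, self.channels + 1)]

    def locate(self, freq_mhz: float, tolerance_khz: int = 0) -> Optional[Tuple[int, str]]:
        """Map an observed frequency to (channel, 'base'|'handset'), or None.
        Integer kHz arithmetic avoids float drift; tolerance_khz allows for a
        scanner readout that is slightly off the nominal channel centre."""
        f = round(freq_mhz * 1000)
        for side, first in (("base", self.first_base_khz), ("handset", self.first_handset_khz)):
            idx = round((f - first) / self.spacing_khz)
            if 0 <= idx < self.channels and abs(f - (first + idx * self.spacing_khz)) <= tolerance_khz:
                return idx + 1, side
        return None


# The two plans given in full in Table 2 (values taken from the page).
PLANS = [
    ChannelPlan("Panasonic KX-T9000", 902_100, 926_100, 30, 60),
    ChannelPlan("V-Tech Tropez DX900", 905_600, 925_500, 100, 20),
]


def identify(freq_mhz: float, tolerance_khz: int = 0, plans=PLANS) -> List[Tuple[str, int, str]]:
    """Every (model, channel, side) a frequency could belong to. More than one
    hit means the models' channel plans overlap on that frequency, so the
    carrier alone does not tell you which phone it is."""
    hits = []
    for plan in plans:
        loc = plan.locate(freq_mhz, tolerance_khz)
        if loc is not None:
            hits.append((plan.name, loc[0], loc[1]))
    return hits


if __name__ == "__main__":
    for plan in PLANS:
        print(f"{plan.name}: duplex offset {plan.duplex_offset_mhz():.3f} MHz, "
              f"last channel {plan.table()[-1]}")
    # 927.300 MHz is a handset frequency in both plans (Panasonic ch 41, V-Tech ch 19).
    print(identify(927.300))
```

Both phones place their handset channels on the same 30/100 kHz grid between 926 and 928 MHz, which is why `identify(927.300)` returns two candidates; the base-unit side (902-904 MHz versus 905.6-907.5 MHz) is what separates the two models.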
=================================================================
TABLE 6 - PAGER FREQUENCIES

    035.2200   035.5800   152.4800   154.6250   158.4600
    157.7400   465.0000   462.8000   462.7750   462.9250
    462.7500   462.8750   462.8250   462.9000   462.8500
    928.0000   929.0000   930.0000   931.0000

=================================================================
TABLE 7 - PACKET FREQUENCIES

    050.6200
    223.5200-223.6400
    223.7100-223.8500
    2303.500-2303.800
    2303.900
    2399.000-2399.500

=================================================================
TABLE 8 - BABY MONITOR FREQUENCIES

    49.300   49.830   49.845   49.890

=================================================================
TABLE 9 - AIR PHONE FREQUENCIES

    OUTPUT     INPUT
    454.6750   459.6750
    454.9750   459.9750
    849.0000   851.0000
    894.0000   896.0000

==================================================================
CHART 10 - IMPROVED ANTENNA FOR CORDLESS MONITORING

The best way to improve the range for monitoring cordless telephones is
to use an antenna specifically cut for the frequencies used in cordless
phones. The following is a very effective, yet easy to build, "homebrew"
antenna.

CORDLESS DIPOLE
---------------

materials needed:

    wire - virtually any type will suffice
    matching transformer (RS part number 15-1296)
    f connector (RS part number 278-225)
    ??? connector (this will connect the antenna to the scanner, so it
        will be dependent upon what type of antenna jack the scanner
        utilizes. Most use a BNC-type connector. Some older models will
        use a Motorola-type connector.)
    coax cable - while many types of coax can be used, a low-loss cable
        would be best, especially if a long cable run is required. RG-6
        satellite coax (RS part number 278-1316) is a good choice.
            wire               transformer                wire
    -------------------------<           >-------------------------
                                  +   f connector
                                  |
                                  |   coax
                                  |
                                  *   connector
                                 [ ]  scanner

=================================================================
CHART 11 - 1/4 WAVE GROUND PLANE ANTENNA

Here is a simple-to-build antenna that will improve reception for a
particular frequency area.

materials needed:

    wire - a rigid wire is needed here. Clothes hangers work well.
    panel mount SO-239 connector (RS part number 278-201)
    male PL-259 connector (RS part number 278-205)
    coax cable
    connector (to scanner)

                     |
                     |
                     |
                     |
                    [ ]
                   /   \
                  /     \
                 /       \

The length of the five rods will be dependent upon the frequency you
intend to monitor. Use the following formula:

    WL = 3X10^8 / F

    WL = wavelength (in meters)
    F  = frequency (in MHz)
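As an added worked example (my code, not part of the original article), here is the Chart 11 formula carried through in Python for both homebrew antennas. WL = 3x10^8 / F yields meters when F is in hertz, which is the same as 300 / F with F in MHz, so the code converts the MHz figure to Hz before dividing. It then derives the Chart 10 dipole (a half-wave, two quarter-wave legs) and the Chart 11 ground plane (vertical plus radials, each a quarter wave), and cuts the cordless dipole for the middle of the 46-49MHz band using the edges from Table 1. The `shortening` factor is an assumption of mine: it is there because a real wire element is normally cut a few percent shorter than the free-space length, which the article does not go into; the default leaves the page's free-space figure unchanged.

```python
"""Element lengths for the homebrew antennas in Charts 10 and 11."""
from typing import Dict, Sequence

C_M_PER_S = 3.0e8  # speed of light, rounded the way the page's formula rounds it


def wavelength_m(freq_mhz: float) -> float:
    """WL = 3x10^8 / F with F converted from MHz to Hz, so WL is in meters
    (identical to 300 / F when F is given in MHz)."""
    if freq_mhz <= 0:
        raise ValueError("frequency must be positive")
    return C_M_PER_S / (freq_mhz * 1e6)


def element_lengths_m(freq_mhz: float, shortening: float = 1.0) -> Dict[str, float]:
    """Lengths of every element for the two charts, in meters.
    `shortening` is an assumed scale factor (1.0 = free-space length as the
    page gives it); practical elements are usually cut slightly shorter."""
    wl = wavelength_m(freq_mhz) * shortening
    return {
        "wavelength": wl,
        "dipole_total": wl / 2,      # Chart 10: half-wave dipole, tip to tip
        "dipole_leg": wl / 4,        # Chart 10: each of the two wire legs
        "groundplane_rod": wl / 4,   # Chart 11: vertical rod and each radial
    }


def band_center_mhz(freqs: Sequence[float]) -> float:
    """Frequency midway between the lowest and highest channel to be covered."""
    return (min(freqs) + max(freqs)) / 2


def worst_edge_error_percent(freqs: Sequence[float]) -> float:
    """How far (in percent) the band edges sit from the frequency the antenna
    is cut for; a rough gauge of how well one single-band antenna covers the
    whole band."""
    centre = band_center_mhz(freqs)
    return max(abs(f - centre) / centre * 100 for f in freqs)


# Edges of the conventional cordless allocation from Table 1:
# lowest base channel (46.100) to highest handset channel (49.990).
CORDLESS_VHF_EDGES_MHZ = (46.100, 49.990)


def cordless_dipole_plan(shortening: float = 1.0) -> Dict[str, float]:
    """Worked example: cut the Chart 10 dipole for the middle of the 46-49 MHz
    cordless band and report how far the band edges are from that centre."""
    centre = band_center_mhz(CORDLESS_VHF_EDGES_MHZ)
    plan = element_lengths_m(centre, shortening)
    plan["center_mhz"] = centre
    plan["edge_error_percent"] = worst_edge_error_percent(CORDLESS_VHF_EDGES_MHZ)
    return plan


if __name__ == "__main__":
    for key, value in cordless_dipole_plan().items():
        print(f"{key:>20}: {value:8.3f}")
    # e.g. a Chart 11 ground plane for one specific channel:
    print("rods for 46.100 MHz: %.3f m each" % element_lengths_m(46.100)["groundplane_rod"])
```

The band-edge figure is the reason the article recommends an antenna "cut specifically for that band" rather than for one channel: the whole 46-49MHz cordless allocation lies within about four percent of its centre, so a single dipole cut for 48.045 MHz serves every channel in Table 1, whereas the 900MHz phones in Table 2 would need a separate, much shorter antenna.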