Consumer Spookware vs. Your Castle author: wideband dreamer (a.k.a. dark spectrum) (repost by clamydia) This is a repost of a 2600 article. I'm transcribing it here because I feel it deserves a wider audience, I feel that people here need to hear this information, nobody has made it available online yet, and I can't find any copyrights on it, so it's fair game. Anything writen [in bold face between brackets] is me; everything else is wideband dreamer's (a.k.a. dark spectrum). BTW I can't remember what I dreamed last night; I think the government is sucking my dreams out of my head. It's been a long day. You slaved for hours under the baleful glare of your employer's closed-circuit spycams. You ran errands on city streets, in a mall, and at an ATM - more spycams. Then you visited with some friends at a wild party. Everyone there seemed to be flashing camera phones. Who knows how many wireless cameras and microphones were planted or where. But now you're home and you can finally feel that you have some privacy and security. After all, you've got bars on your windows, high=quality door locks, and an alarm system. You're surrounded by a protective shield of drywall, structural timber, and bricks. You swept the house for wireless surprise packages just last week. Still, you can't help asking yourself: are there any chinks in your armor? You bet there are. Not just chinks, but big, gaping holes: clothes dryer exhaust vents and air exchanger vents. Stove vents, chimneys, and sump drains. Bathroom fan ducts, soil stacks, and sewer lines. Most of them are big enough to drive a truck through (a stripped-down 1:24 scale R/C truck that is). You might be asking yourself "Ducts? Vents? Has this guy been playing too much Half-Life?" but in fact each of those external interfaces constitutes a vulnerability. Some of them are already borderline exploitable with consumer spookware available at the nearest big-box store. I'll give you a few examples later on, but first a short history lesson. This article describes the next phase in the ongoing erosion of your physical privacy. Phase One started over a decade ago with "Big Brother" spycams watching out for you. They were installed in public places, places of work, and some not-so-public places. You didn't like the spycams but eventually got used to them. After all, you like to feel safe from unknown threats and you certainly don't want to pay the cost of someone else's shoplifting or any coworkers slacking off on the job. You often hear about abuses such as covert spycams in changing rooms but in today's highly charged post-911 environment there's not much point in complaining. Nobody will listen. Phase Two started just a few years ago, as continuing advances in wireless technology and miniaturization started placing tiny - but highly effective - multimedia devices in the hands of ordinary consumers. This new batch of users didn't need any large outlays of cash or any special training and some of them didn't feel that they should be constrained by privacy laws or any nothing of propriety. This led to spycams being placed in all sorts of odd, intrusive places like residential bathrooms, clock radios, fake smoke detectors, and even the tops of shoes. Just google "spycam" and you'll see that there is a thriving industry based on this concept. In case you aren't aware of how pervasive or how capable spycams are these days, a good introduction is Marc Roessler's article "How to Find Hidden Cameras" at http://www.tentacle.franken.de/papers/hiddencams.pdf. Modern technology created these possibilities but has yet to offer any inexpensive, easy to use countermeasures. Miniature radio frequency (RF) detectors are available from a few companies. For example, P3 International sells an inexpensive unit that they describe as a wireless camera detector. It certainly does work as advertised but isn't effective in all circumstances. For example, try using it in an area with wireless speakers or close to a switch-mode power converter. More capable devices have been available for some time from companies like Optoelectronics but of course they cost more and require some expertise to use properly. Camera phones are the most recent privacy threat. They're difficult to avoid due to their portability, tiny lens, and widespread use. Cell phone detectors are one solution but they're not cheap, and in any reasonably busy area they'll get nonstop false hits from ordinary cell phone usage. You could just nuke all calls with a cell phone jammer but that's kind of risky in the USA and the many other countries where such devices are outlawed. Enough history. Let's review what we have so far. Phase One was "Big Brother's" spycams in public places. Phase Two saw the introduction of other people's audio and video spookware in their shared places. The progression should be obvious. The next phase will bring common criminals' spookware into your own private places. The required wireless and multimedia products are already available and the robotics platforms aren't too far behind. A Simple Example: Burglary Let's start with clothes dryer exhaust vents. As a general rule, they feed directly through the exterior wall into living space. How convenient. They're four inches in diameter which is large enough to accommodate all kinds of gear, and they're located low down on the ground floor (nobody wants to run upstairs or downstairs to do the laundry) which means that they're easy to access from the outside. It doesn't take any space-age told to remove the outside vent cap, separate or cut off the duct feed, and then rock the dryer away from the wall. This deconstruction activity is likely to tick off Fifi big time but she doesn't know how to dial 911 and the alarm system's motion detector around the corner is clueless to the big happenings in the laundry area. If Fifi proves to be too much of a nuisance or if the clothes dryer is too difficult to muscle out of the way then a good alternate route is provided by the air exchanger. It has input and output ducts which are four inches or larger and typically lead to an unmonitored basement area. Once the duct has been cleared the next step would be to shove through a Robots 'R Us BurglarBot and while it's unfolding, retreat to a more comfortable position to prepare for some leisurely remote-controlled burglary. Just like Fifi, the BurglarBot is too small to trigger motion detectors but large enough to climb stairs and jump onto countertops. Okay, so there's no such thing as a BurglarBot. The best a burglar can do right now with off-the-shelf consumer gear is strip down a small R/C truck, strap a penlight, wireless camera, and a custom gripper onto it, and hope that the homeowners keep their jewelry and other valuables on the floor. Not much of a payoff for a criminal act. But if you consider industrial equipment, there will soon be many more options available. Google "ventilation duct robot" and pay particular attention to the so-called micro units. You'll see that there are already several small, versatile robotic platforms for sale. Once they've been shrunk by another factor or two, the addition of a telescoping arm will transform them into real security threats. As always, there's much better stuff cooking in research labs. It's usually aimed at defense or rescue applications but might some day find its way into your house. For example, the University of Minnesota;s Digital Technology Center is developing reconnaissance robots the size of a soda can (google "COTS Scout") that can easily fit sideways through a clothes dryer duct. They can jump up stairways. They can assemble and transmit complete 360 degree panoramas of each room. Cool. SUNY's robo rat (google "robo-rat abc") looks even more dangerous: a cyborg that could eventually become a well-trained burglary tool. Don't think that clothes dryer ducts are the only vulnerability. There are many other ventilation pathways into a house. Most of them are constrained by flooring, joists, and drywall, and are terminated by well-anchored equipment. But that doesn't make them much more secure. A determined burglar could easily reach into the hole in the exterior wall and cut through the ceiling drywall. Internal Interfaces A separate concern: these other pathways lead to more active areas of the house which means that they're vulnerable to privacy intrusions. To better understand the possibilities you can start by examining one of your own bathroom fans. You'll need a stepladder and a Phillips screwdriver. The fan's grille is probably held in place by spring clips. Carefully pry it away from the ceiling - you'll notice that it doesn't take much strength to do that - and then release the clips to remove it. If the interior of the housing has an outlet and an electrical cord then the blower assembly is removable. Unplug it and loosen or remove any metal screws holding it in place. You'll see that the blower assembly doesn't provide much of a sound barrier. In fact, it probably has openings below the fan blades that are wide enough to accept a thin surface-mount circuit board. Look up inside the fan housing and you'll see that it has an exhaust port which leads to ductwork. There might be a light-weight spring-loaded damper just outside the exhaust port but it's not going to stop any kind of miniature robot and it's often too poorly sealed to provide any barrier to sound waves. In a quiet house, a microphone placed just beyond a poorly sealed damper can pick up conversations in the adjoining room, assuming that the bathroom door is open most of the time. Looking down the road a few years, consider a miniature "urban reconnaissance robot" that has reached the exhaust port and wedged itself in place. From there, it could fish a small cluster of three miniature cameras between the fan blades and the grille. Each camera would have its field of vision partly obscured by the grille but all it takes is some fancy image processing to blend the three signals into an unobstructed view down from the ceiling. And you thought your bathroom was a private place. Note that a robot this size is closer to reality than you might think: take a look at Robomotes (just google it), a tiny robotics research platform. External Interfaces So how hard is it to gain access to the fan's exhaust port? To answer that question you'd have to go outside and study some external vents - preferably the ones on your own house. You'll get into less trouble that way, plus you should have an easier time figuring out which rooms the vents lead to. Bring a flashlight. If you're the self-conscious type then you might feel strange while snooping around your house's external ventilation interfaces. You shouldn't. It happens to be a perfectly natural thing to do since it can provide answers to many questions that plague a typical homeowner. Questions like: "Why isn't my bathroom fan pulling air out?", "Where is that horrible stench coming from?", or "Why is there smoke coming out of my clothes dryer vent?" Choose a suitable concern in advance so that you're ready in case one of your neighbors starts asking nosey questions. You'll soon see that vent caps are often located in unexposed, out of the way places and so covert access is possible. They aren't considered to be particularly attractive so you usually don't see them in front of the house where they might at least be protected by motion-activated lighting. Instead, they're on side walls or rear walls, possibly even further obscured by a foundation planting such as a conical cedar which of course provides cover for intruders. There are two basic types of vent cap: louvered and hooded. Louvered caps are flush to the exterior wall and typically have four plastic louvers that swing out when the vent is expelling air. To inspect their ductwork all you have to do is raise two of the louvers and shine your torch in. Almost all ducts are three to six inches in diameter. Simple arithmetic (yup - divide by four) gives you some idea what you can stuff into there without damaging the louvers. They're flexible when in horizontal position so if you raise two of them you can get extra clearance at the center. Some specific examples: a four inch louvered cap is large enough to slide in a small FRS radio, a small Pocket PC or a AA battery pack. With some care, you could even squeeze in a mini PenCam. A six inch louvered ven can accept a D-cell battery pack, a Nomad Jukebox 3, and enough portable communications equipment to set up a remote-control command post. Hooded vent caps are covered by an angled hood which protrudes from the exterior wall. They have a swing out damper to prevent back drafts and to keep pests out. They might also have a separate removable pest guard held in place by hooks or snaps. Hoods that enclose a large volume can accommodate larger objects than an equal-size louvered cap but even the big ones are extremely awkward to look into. Standard flashlights don't fit (since you need to shine them straight in) and the wimpy ones that do fit don't provide enough lighting, as well as the compact disposable units with three side-by-side batteries. Unless you have a really odd-shaped head, the next challenge is to actually look inside. It's possible to position your head under the hood and use a small mirror but I wouldn't recommend it. Interpretation of a tiny reversed image while juggling a damper, mirror, and flashlight is not a skill that you want to acquire. What you need is a small video device which can be inserted and interactively positioned, e.g., a PC camera. If you live in a town house or some other multi-family building then don't forget to check for bathroom exhaust ducts which might pass through the attic to the shared (and hence insecure) rooftop. But don't actually go up on the roof. It's dangerous, and besides you can see more by going up into the attic. Just watch out for protruding nails and don't step through the ceiling. If there is ductwork up there you'll see that it's the flexible metal type and it follows a smooth curve from the fan housing up to the vent. Rooftop vents are the easiest ones to snake equipment into since their ducts usually don't have any sharp bends and also because gravity does most of the work. That makes them soft targets but not necessarily high value ones: what goes on in the bathroom itself isn't of much interest and an upstairs bathroom typically borders on high-traffic areas rather than discussion areas. These are just generalizations - your house might be different. Two Privacy Intrusions So where in your house would you go to place a sensitive, confidential phone call? Assume it's about something really big: your strategy for the next football game, a plot to overthrow the mayor, or maybe the next release of your network snuffer (spelling intentional). That kind of deep thinking requires lots of beer or soda pop and other good stuff. So the kitchen is the perfect place. If it has a central island counter, the kind with a cook top and integrated surface downdraft vent, then you might place the call from that countertop. Well, if that's the case then there could be a microphone literally right under your nose. Open up a cabinet door near the vent and you'll probably see a honking big six-inch duct coming out of the floor. The microphone would be right there where it meets the integrated blower. Stove ducts are required - by code - to be composed of rigid metal ductwork. It's stiff so it won't have any sags or bulges that are difficult to fish through. Since it's smooth there aren't many ridges to catch incoming or outgoing gear onto, although you do have to watch out for exposed sheet metal screws. Last but not least, downdraft vents need more pull than the overhead types so the ductwork has to be at least six inches in diameter. So downdraft vents are another soft target, as long as the duct isn't blocked by a remote blower or a pop-up snorkel vent grille. Maybe you don't like to use the kitchen for sensitive calls because too many family members hang out there (your parents, your kid sister, your own kids, whatever). Then the basement might be a better location even though it's less well equipped. But if it has a bathroom bordering on the main area and that bathroom has an exhaust fan, then it might be less private than you think. You probably noticed its vent cap during your outside tour. It's located low on the ground so it's easy to access. But the ductwork consists of flexible metal tubing. It's corrugated, has lots of sags and bulges, and is thin and easy to damage: very difficult to fish equipment into. If it has any bends or if it runs for longer than ten feet then it's probably immune to the simple method that I'll describe in this article. But who knows - you might dream up more effective techniques. Microphones Now that you know where the soft spots are, the next step is to actually try planting a microphone to measure its pickup range and see how vulnerable your place is. There are all kinds of esoteric equipment out there but I'll focus on standard consumer stuff so that maybe you can choose from your existing treasure trove. Let's start with the mic. There are three important things to remember. First of all, you're trying to pick up far-field signals so don't use a noise-canceling mic. Secondly, choose an omni directional unit since its orientation will be hard to control. Thirdly, use a wired mic since they're small, can't be picked up by RF detectors, and also because the wire makes it less likely that you'll lose the @#$* thing deep inside a duct run. If you're testing with a PC then a small multimedia mic is fine, otherwise use either a tie-clip mic or a lapel mic. The classic tie-clip design's tiny mic and separate battery box make it ideal for covert recording in public (it can even be fitted into the top of a disposable pen) but the small size reduces sensitivity a bit and the separate battery box is yet another bulge that might get caught on a sheet metal screw or whatever. Lapel mics are more compact as a whole because they integrate the battery box to the microphone housing but they're also more likely to have a modern right-angle plug which is less than ideal - you'll see why soon enough. The recorder should be placed just inside the vent cap so that the cap's louvers can be fully closed to block outside noise sources. The mic's wire probably won't be long enough so use a headphone extension cable but make sure it's shielded and is a straight cable, not the coiled type. Get the minimum length you need - shorter is better. Headphone cables have three conductors so they're perfect for stereo mics or PC mics and are also usable with the mono mics used by the most portable audio gear. I hope you know not to plug a PC mic into audio gear or vice versa - they aren't compatible. Recorders Even if you succeed in positioning the mic right next to the fan's exhaust port, its location guarantees that the signal will be muffled and reverberant. So the ideal recorder would have continuously adjustable microphone sensitivity that you can crank up to an abnormally high level. It would also have digital outputs so that the audio can be uploaded for further amplification and more sophisticated enhancement, and of course it needs a jack for an external microphone. All portable datacorders and some minidisk recorders have those features. They're good test tools but don't have enough recording capacity for real-life surveillance applications. Another possibility is an MP3 recorder with a line in jack but it would need a preamp to raise the mic input to line levels. I don't know of any small off-the-shelf preamps so you might have to build your own: look for "audio preamp" at sites like discovercircuits.com. Keep away from phono preamps - they-re special-purpose devices that were used in the last century when music was recorded on vinyl. Note that the Nomad Jukebox 3 has a line in jack, or google "line music recorder" to find a smaller unit. Try to get a model that can record enough raw audio without compressing it. You might think that a pocket memo recorder would be perfect for the job. For example, the Olympus DS-330 Digital Voice Recorder is the size of a cigarette lighter, lightweight, all-digital, and has a jack for an external microphone. In standard playback mode it can record two hours and thirty-five minutes which is more than enough for acoustic testing. But it doesn't have enough dynamic ranger for most surveillance applications it only has two sensitivity levels, and its aggressive compression algorithm reduces low-level speech into low-level incomprehensible babble. So it's only useful in ideal conditions: fans that have no exhaust port dampers and are close to the target area. An extra preamp stage might help. A notebook PC makes an excellent recorder - see my article "Microphone Laptops, and Supertaps" in [2600 magazine volume]20:[issue]2. Configure it for 16 bits and either 8 kHz or 16 kHz. A Pocket PC or PDA is even better, as long as it has a jack for an external microphone. Just use whatever you have - even a boom box with a cassette recorder is good enough for exploratory tests. But remember that a real intruder will probably have better equipment than you do. Don't assume that battery life is a serious constraint. It's easy to hook up external battery packs. A homebrew microphone cable could supply endless power to replace the mic's tiny button cell and as an added bonus it could supply a higher voltage to boost the mic's sensitivity a few dB. Installing the Microphone The ideal microphone delivery device would be some sort of robotic "duct rat". You probably don't have one lying around in your toolbox so you'll have to find some way to fish the mic into position. It might be harder than you expect. Take interior measurements first so that you'll know how far the mic has to be inserted. If the vent cap is hooded don't just fish blindly assuming that the ductwork is all in a straight line. The location of the vent cap is constrained by clearances to the ground and to windows so the duct might need a downwards twisting dive to get lined up between the joists. If you want your test to be realistic then you'll have to use unobtrusive equipment to insert the mic - I doubt that an intruder would go skulking around your neighborhood armed with duct cleaning brushes. Try to find something smaller. Whatever you do, don't use an electrician's fish tape - they're much too stiff and are sure to damage unseen flexible connections, the damper, or the fan blades. A metal tape measure is safer and is a lot more convenient to carry around. A slim, lockable 16-foot unit with a removable belt clip is a good choice since you can insert it into the vent cap once the mic had been positioned. Go to a larger size if you need more stiffness or length but then you might have to leave it outside the vent cap and the louvers won't be fully closed. Attach the microphone with masking tape so that it will be easy to release once you're done. It you're using a lapel mic then tape it facing down just beyond the end of the measuring tape. If you're using a tie-clip mic then let the mic element extend an extra half-inch so it can hang downwards. Use plastic-coated 18 gauge wire to fasten a small plastic cat toy (the kind that comes with a bell inside) over the end of the measuring tape. The cat toy provides a protective cage for the mic and prevents the metal tab at the end of the tape from catching on things. [I think a ping-pong ball might work better since the "bars" of the cat-toy "cage" might catch on sheet metal screw heads, etc, (plus the jingling of the cat-toy can be heard from inside the house LOL!) but then again it might dampen the mic's sensitivity] Don't forget to turn on the mic. If it has a separate battery box then tape the box into the curve of the measuring tape. Position it to protect the on/off switch or if that can't be done then cover the switch with a piece of masking tape. [Another good idea would be to position the unit so that the switch's "on" position is pointed toward you. That way, most any rubbing while the unit is traveling away from you through the duct is going push the switch toward the "on" position, which isn't a problem, and it doesn't matter if the switch gets turned off while you are pulling the unit back out. You should still tape the switch just in case, though.] You also need to tape down the joint to the extension cable and that's when you'll realize that an old-fashioned straight microphone plug is more appropriate than the newer right-angle ones. Pay out the measuring tape from a distance of two or three feet so that you can accurately gauge perpendicularity. Measuring tapes are only flexible in a single plane. If you're fishing into a rigid duct that has a vertical bend further in (typical of downdraft vents) or flexible duct with vertical sags then orient the tape as though you were measuring a floor. If you're fishing into flexible duct which zigzags within it's 16 inches of joist space then hold the tape measure sideways. Let the tape pull in the mic wire. If the wire stops pulling in it means the tap has gotten folded over itself which isn't good. Reel it back in and try again. Once you've got the mic in place you can congratulate yourself: you planted a mic deep within the bowels of your house and set up a recorder in a weatherproof, easily accessible location. You did all this from the outside without being detected by the alarm system. But before patting yourself on the back too hard you should check if the setup is effective. Go to the target area and place a telephone call or speak as though you were in a meeting. If the pickup isn't what you expected then remove the blower assembly and check where the mic actually is. It could be in the middle of nowhere, right on top of a particularly noisy A/C duct. Epilogue So that's it for Duct Fishing 101. You might be wondering about the other vulnerabilities I mentioned earlier, like chimney and sewer lines. Well sorry but I'm not about to put my equipment in those places so you're on your own. But if you're expecting robots to come bursting out of your toilet like the creature in Alligator (1980) then forget it - that won't be happening for the next decade or so. If you're like most people then you don't leave your valuables on the floor, and you don't hold secret meetings that anyone in their right mind would be interested in. So you won't lose any sleep over this article. If you wake up late one night to the sound of someone's voice coming out of a nearby bathroom fan, don't be too alarmed - it's just some doofus who's decided to sacrifice a cheap FRS radio for a practical joke. But be more wary if you wake up to strange, inhuman noises radiating from the ceiling. Pulsed, high-pitched whirring sounds characteristic of step monitors or precision servomotors, maybe even miniature high-speed cutters. By then it will be too late. Maybe you should go look at those ducts right now...[Whew! Finished! That fucker took awhile to type up!]