[Eavesdropping - the Basics]

[the B4ckCh4tter]

[2002]

 

[INTRO]

 

This file is not intended as a how-to guide; it is a general, introductory discussion of the methods used today by amateur and professional eavesdroppers. All of it comes from sources in the public domain; all I've done is collect the most interesting and relevant information and write it up. Enjoy.

 

[TYPES OF PHONE TAPS]

 

 

RF Transmitter Wiretaps

-----------------------

 

 

The radio frequency (RF) transmitter tap attaches a small RF transmitter to the telephone line, or inside the telephone instrument. The audio from the telephone conversation modulates the transmitter's carrier, which radiates the conversation into free space. A series RF tap (a "leech") is powered by the telephone line's own current, so it needs no battery replacement and can run indefinitely.

 

A popular series RF wiretap known as a drop-in can be installed in seconds. It is built onto the back of a carbon microphone element of the kind found in most telephone handsets. The eavesdropper simply opens the handset and swaps the standard transmitter element (the mouthpiece microphone) for the modified one.

 

RF transmitter taps offer several advantages over other kinds of wiretap. Because the listening post (LP) is just a receiver, with no wires run to it, the LP can be located anywhere within the transmitter's range.

 

The Infinity Transmitter

------------------------

 

An infinity transmitter (also known as a harmonica bug) is installed in the target area and uses a telephone line to carry room audio out: the eavesdropper calls in from a remote telephone and activates the device with a tone. The variant described here operates independently of the telephone instrument and typically has its own telephone line. Because it is not connected to any telephone within the target area, nothing rings to alert the target, and the device can be hidden anywhere that the additional line can be brought. Unlike the conventional infinity transmitter, which hangs on the target's own line, this arrangement also works on electronic switching systems (ESS) without the procedures needed to work around the ESS exchange.

 

Infinity transmitters are available as common electronic devices sold as house monitors. Detecting one electronically requires equipment that can send the activation tone down the line and then detect the device's response.
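
An added illustration (my own, not from the original text and not the design of any particular product): the activation logic of a tone-controlled device such as an infinity transmitter can be as small as a Goertzel detector run over the line audio, and a TSCM "activation" test is simply the other side of the same exchange, sending that tone and listening for a response. The sample rate, tone frequency, frame length, threshold and the line audio below are all constructed for the example; only the detection principle is the point.

```python
import math

# All values below are constructed for the example; they are not taken from any real device.
FS = 8000            # telephone-band sample rate, Hz
TONE_HZ = 1209       # activation tone chosen for this example (a DTMF column frequency)
FRAME = 205          # samples per detection frame (25.6 ms at 8 kHz)
SHARE = 0.5          # the tone must carry at least this share of a frame's energy


def goertzel_power(frame, freq_hz, fs=FS):
    """Power at a single frequency via the Goertzel algorithm, the cheap
    single-bin DFT that tone-activated devices use instead of a full FFT."""
    n = len(frame)
    k = round(freq_hz * n / fs)                   # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def tone_present(frame, freq_hz=TONE_HZ):
    """Decide whether the activation tone dominates this frame. A pure tone of
    amplitude A gives Goertzel power (A*N/2)^2 and frame energy A^2*N/2, so
    dividing by N/2 turns the ratio into the tone's share of the total energy."""
    energy = sum(x * x for x in frame)
    if energy < 1e-9:
        return False                              # silent line: nothing to activate on
    share = goertzel_power(frame, freq_hz) / (energy * len(frame) / 2.0)
    return share >= SHARE


def scan(signal, frame_len=FRAME):
    """Return the indices of the frames in which the activation tone was heard."""
    hits = []
    for i in range(len(signal) // frame_len):
        if tone_present(signal[i * frame_len:(i + 1) * frame_len]):
            hits.append(i)
    return hits


def constructed_line_audio(seconds=1.0, tone_start=0.4, tone_stop=0.6):
    """One second of made-up line audio: a few voice-band tones under a slow
    envelope stand in for speech, with the activation tone injected for 200 ms."""
    out = []
    for n in range(int(FS * seconds)):
        t = n / FS
        env = 1.0 + 0.5 * math.sin(2.0 * math.pi * 3.0 * t)
        x = env * sum(0.2 * math.sin(2.0 * math.pi * f * t) for f in (300, 440, 700, 1800))
        if tone_start <= t < tone_stop:
            x += 0.8 * math.sin(2.0 * math.pi * TONE_HZ * t)
        out.append(x)
    return out


if __name__ == "__main__":
    hits = scan(constructed_line_audio())
    print("activation tone heard in frames:", hits)
```

The detector looks only at the share of energy sitting at one frequency, which is why speech, which spreads its energy across the band, does not trip it, while a clean test tone from a TSCM sweep does; frames that contain only part of the burst fall below the threshold, so a real device would add a few frames of hysteresis before switching on.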

 

Slave Parallel Wiretaps

-----------------------

 

One of the most popular wiretap devices among law enforcement and many professional eavesdroppers is the slave parallel wiretap. It works much like an infinity transmitter combined with a parallel tap. The slave is attached anywhere along the target telephone line. The eavesdropper also needs a working telephone line of his own (a leased line) that appears in the same cable, cross-connect or closet as the target line. Once both lines are connected to the slave, the eavesdropper calls his leased line and activates the slave, which then bridges his line onto the target line. From that point the target line can be monitored from any telephone in the world.

 

Inductive Wiretap

-----------------

 

An inductive tap is accomplished by bringing a coil into the electro-magnetic field created by the current fluctuations during a telephone conversation.

 

The electro-magnetic field induces current fluctuations, mirroring the target conversation, in the coil windings; these are amplified to recover the audio. Simple inductive taps are not particularly effective. However, the split/resplit inductive wiretap, a little-known and more sophisticated method, produces excellent audio.

 

Of all the known wiretapping methods, this one is probably the safest from accidental detection or location by the telephone company, and professional eavesdroppers use it for that reason. It exploits the inductive coupling between wire pairs within the same cable: the target telephone line is rewired (split and resplit across pairs) so that conversational audio is induced into the eavesdropper's telephone line.

 

An inductive split/resplit wiretap adds no device to the line, so it cannot be detected by any instrument other than a time-domain reflectometer (TDR). A TDR sends a pulse down the pair and times the reflections from impedance changes; it is the one instrument that lets a TSCM technician reliably find wire irregularities of this kind, including split/resplit pairs and bridge taps.

 

[HARDWIRED ATTACKS]

 

Microphones

-----------

 

The eavesdropper has microphones smaller than the head of a pin that will pick up a whisper at up to twenty feet. The common types are the carbon, condenser, magnetic and electret microphones. The professional also has a virtually unlimited selection of others, including tube microphones, piezo film, hydrophones and even electrical switches, which are sometimes microphonic.

 

Spike Microphone

----------------

 

Of all the microphones utilized by the eavesdropper, the contact and spike microphones are perhaps the only ones specifically designed for this purpose. These microphones contain a special crystal which, when slightly compressed, will produce a very small electrical signal. If placed against a vibrating wall or attached to a rigid probe which is touching one of the vibrating surfaces, the crystal will produce small electrical signals which correspond to the vibrations. If these vibrations are caused by room conversations, the electrical signal will correspond to those conversations.

 

Pneumatic Cavity

----------------

 

The pneumatic cavity microphone is an electronic version of a glass tumbler against the wall, historically recognized as one method of monitoring adjacent room conversations. This electronic version is substantially superior, as it is highly responsive to surface vibrations at audio frequencies found in human speech. Several manufacturers offer these microphones as electronic stethoscopes.

 

Speakers

--------

 

One of the most frequently used microphones is a simple speaker, of the kind found in a radio, TV or intercom. In addition, ceiling speakers used for background music are common throughout most office areas.

 

Most speakers are structurally similar to a magnetic microphone with a coil of wire positioned in a magnetic field. When used as a simple speaker, electrical current is passed through the coil which vibrates the speaker to provide sound. Most speakers show varying degrees of reciprocal performance and can therefore be used as a microphone. When acoustical energy impinges on an unused speaker cone and vibrates the coil of wire in the permanent magnetic field, small amounts of electrical energy are produced which can be transmitted by a radio frequency transmitter or over wires to a listening post.

 

Hardwired Audio Transmission

----------------------------

 

Whatever microphone the eavesdropper uses, the intelligence must be carried out of the target premises. Except where a radio transmitter has a built-in microphone, the eavesdropper will normally connect the microphone to an amplifier, transmitter or tape recorder with conductive paint or extremely fine wire. Wire thinner than a human hair, and as flexible, can be bought at most local electronics shops; it can be sewn into carpet or hidden in any number of ways. Once outside the target area, the conductive paint or fine wire is usually joined to unused wires in a ceiling or wall, which carry the signal to the listening post or to a radio transmitter.

 

[RADIO FREQUENCY ATTACKS]

 

Size and Range

--------------

 

As in other categories of electronic eavesdropping, recent technology has been utilized to build miniaturized RF transmitters the size of a pencil eraser. These devices will transmit radio signals anywhere from 100 feet to five miles and with the use of repeaters, reception range is even further. The availability of these small devices is rather astonishing with several manufacturers offering pre-concealed transmitters already packaged into such objects as smoke detectors, picture frames, clocks and ashtrays.

 

One of the smaller commercially manufactured transmitters is the size of an aspirin tablet, including microphone and battery, with a transmitting range of 1,000 feet. Several radio transmitters are available in prepackaged electrical lamps, power receptacles and clocks. These types have the advantage of a continuous power source, supplied directly to the transmitter, which permits a permanent installation.

 

Modulation

----------

 

Every radio transmitter must modulate its operating frequency (the carrier) to convey information to the eavesdropper's receiver, and the eavesdropper has a host of modulation techniques to choose from. Beyond amplitude modulation (AM) and frequency modulation (FM), an eavesdropper could use sub-carrier, pulse amplitude modulation (PAM), pulse width modulation (PWM) or pulse position modulation (PPM). Transmission techniques such as snuggling, frequency hopping, spread spectrum and burst transmission can also be used to make the signal very hard to detect.

 

Sub-carrier

-----------

 

Sub-carrier modulation is one of the most popular and attractive to the eavesdropper. The intercepted audio first modulates a low-frequency signal (the sub-carrier, placed above the audio band), and that combined signal then modulates the higher-frequency RF carrier. An ordinary receiver tuned to the carrier demodulates only the sub-carrier tone, which its audio stage discards, so the conversation is not intelligible on conventional receivers; recovering it requires a second demodulation stage tuned to the sub-carrier. The RF carrier itself is still present and can be seen on a spectrum analyser, even though nothing useful can be heard.
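
An added simulation (my own, not from the original text) of why a sub-carrier transmitter defeats an ordinary receiver: a tone standing in for room audio phase-modulates a 20 kHz sub-carrier, the sub-carrier amplitude-modulates an 80 kHz carrier, and the two receivers are then compared. The "conventional" receiver demodulates the carrier and filters to the audio band, recovering nothing; the eavesdropper's receiver adds a second I/Q phase-detection stage at the sub-carrier and gets the audio back. All frequencies, depths and filter values are constructed for the example, and the first-order IIR low-pass is a crude stand-in for a real receiver's filtering.

```python
import math

# Simulation parameters, all constructed for this example (not real device values).
FS = 400_000              # sample rate, Hz
AUDIO_HZ = 500            # one tone stands in for the intercepted room audio
SUB_HZ = 20_000           # sub-carrier: just above the audio passband of an ordinary receiver
CARRIER_HZ = 80_000       # main RF carrier, kept low so the simulation stays cheap
BETA = 0.5                # phase deviation (rad) the audio puts on the sub-carrier
M = 0.5                   # AM depth the sub-carrier puts on the main carrier
N = int(FS * 0.012)       # 12 ms simulated
SETTLE = int(FS * 0.002)  # filter settling time discarded before measuring


def lowpass(x, cutoff_hz, stages=2):
    """Cascaded first-order IIR low-pass, a crude model of a receiver's RC filtering."""
    alpha = 1.0 - math.exp(-2.0 * math.pi * cutoff_hz / FS)
    y = list(x)
    for _ in range(stages):
        acc = 0.0
        for i, v in enumerate(y):
            acc += alpha * (v - acc)
            y[i] = acc
    return y


def make_audio():
    return [math.sin(2.0 * math.pi * AUDIO_HZ * n / FS) for n in range(N)]


def transmit(audio):
    """Eavesdropper's transmitter: audio phase-modulates the sub-carrier,
    and the sub-carrier then amplitude-modulates the main carrier."""
    sub = [math.cos(2.0 * math.pi * SUB_HZ * n / FS + BETA * a) for n, a in enumerate(audio)]
    return [(1.0 + M * s) * math.cos(2.0 * math.pi * CARRIER_HZ * n / FS) for n, s in enumerate(sub)]


def first_stage(rf):
    """Coherent AM detection of the main carrier. What comes out is the 20 kHz
    sub-carrier, which is exactly what an ordinary receiver's audio stage throws away."""
    mixed = [2.0 * v * math.cos(2.0 * math.pi * CARRIER_HZ * n / FS) for n, v in enumerate(rf)]
    return lowpass(mixed, 30_000)


def conventional_receiver(rf):
    """Plain AM receiver: RF detector followed by an audio-band filter."""
    return lowpass(first_stage(rf), 3_000)


def subcarrier_receiver(rf):
    """Eavesdropper's receiver: a second demodulation stage that phase-detects
    the sub-carrier with an I/Q mixer, recovering the room audio."""
    base = first_stage(rf)
    mean = sum(base) / len(base)
    ac = [v - mean for v in base]          # AC coupling removes the carrier's DC term
    i = lowpass([v * math.cos(2.0 * math.pi * SUB_HZ * n / FS) for n, v in enumerate(ac)], 3_000)
    q = lowpass([-v * math.sin(2.0 * math.pi * SUB_HZ * n / FS) for n, v in enumerate(ac)], 3_000)
    return [math.atan2(qv, iv) for iv, qv in zip(i, q)]


def correlation(x, y):
    """Pearson correlation of two signals after the filters have settled:
    near 1 means the room audio was recovered, near 0 means it was not."""
    x, y = x[SETTLE:], y[SETTLE:]
    mx, my = sum(x) / len(x), sum(y) / len(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / math.sqrt(sxx * syy)


def demo():
    """Returns (conventional receiver correlation, sub-carrier receiver correlation)."""
    audio = make_audio()
    rf = transmit(audio)
    return correlation(conventional_receiver(rf), audio), correlation(subcarrier_receiver(rf), audio)


if __name__ == "__main__":
    plain, sub = demo()
    print(f"audio recovered by conventional receiver: r={plain:.3f}")
    print(f"audio recovered by sub-carrier receiver:  r={sub:.3f}")
```

The point of the comparison is that the carrier is demodulated perfectly well by the ordinary receiver; the intelligence is simply parked where its audio stage cannot hear it. A sweep receiver with a sub-carrier demodulator, or a spectrum analyser wide enough to show the sidebands around the carrier, is what catches this.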

 

Snuggling

---------

 

A popular procedure among eavesdroppers is snuggling, a relatively simple way of hiding a transmitter's signal. Whatever the device's power, frequency or modulation, an extra guard against detection is gained by setting its frequency right next to that of a large, high-powered radio or TV station. A field-strength meter or broadband receiver then sees only the strong neighbour and the bug's weak signal is masked; separating the two takes a spectrum analyser with a resolution bandwidth narrower than the spacing between them.

 

Carrier Current

---------------

 

Another popular method is carrier current. Below the AM broadcast band lies the region the surveillance trade loosely calls very low frequency (VLF; strictly, 50 to 300 kHz falls in the low-frequency band). A different type of audio surveillance transmitter operates there, but uses the building's electrical wiring rather than free space to carry the signal. These FM devices operate between 50 kHz and 300 kHz. At such frequencies very little energy is radiated into the air; instead the signal travels along almost any wire path, including ordinary power lines and telephone lines, which is why these are called carrier current transmissions. The wireless intercoms sold commercially use the same method.

 

Carrier current eavesdropping devices offer two principal advantages over those that transmit through space. The signal can typically be received anywhere along the wiring between the device and the power source (usually the distribution transformer, which it does not readily pass). And because they radiate so little energy into free space, they are not detectable with radio receivers, RF-sensing bug detectors or similar debugging equipment; finding one requires a carrier current probe coupled directly to the wiring.

 

Remote Controlled

-----------------

 

A switch receiver or remote radio controlled device can be used advantageously with any eavesdropping radio transmitter. Sophisticated remote radio units are sold through many electronic suppliers for a multitude of purposes. This device provides the eavesdropper with the ability to control the operating time of room monitoring equipment and achieve two distinct advantages. The eavesdropper can conserve battery power and reduce chances of detection by turning the transmitter on only during the time of interest.

 

Spectrum analyzers are sometimes used to detect the weak local-oscillator and IF emissions that leak from the remote-control receiver, since the clandestine transmitter itself may be switched off and silent. This method is unreliable: the leakage is very weak, the spectrum analyzer's antenna must be close to the clandestine receiver, and with hundreds of RF signals to resolve it is easy to overlook a weak signal buried in the noise. The only reliable way to find these devices is with a non-linear junction detector (NLJD), which responds to the semiconductor junctions in the device whether or not it is powered.

 

[OTHER TECHNIQUES]

 

RF Flooding

-----------

 

A resonant cavity device consists of a small cylindrical can with a flexible diaphragm at one end, forming a cavity whose volume varies slightly as the diaphragm vibrates with sound in the room. An antenna extends from inside the cavity. The cavity resonates at a frequency set by its physical dimensions; when it is flooded (illuminated) with a powerful carrier transmitted from the listening post or another nearby hiding place, the diaphragm's movement shifts the resonant frequency, so the signal re-radiated from the antenna is frequency modulated by the room audio. The device contains no power source or active electronics of its own.

 

Windows/Visual

--------------

 

Windows are particularly vulnerable to eavesdropping attack from outside the building by various methods. The loss of information, through visual acquisition, from documents and wall charts, as well as lip reading, is a hazard. Visual eavesdropping attacks are easily prevented, but frequently overlooked.

 

Laser

-----

 

A laser can be used for eavesdropping from a substantial distance. Offices with exterior windows are highly susceptible. Sound waves from conversation impinge on every object in the room and set it vibrating in step with the speech, and those vibrations can be detected remotely.

 

The most common form of this attack uses a beam of light, laser or possibly infrared, that strikes the window at an angle and reflects off its surface. The reflected beam varies with the movement of the glass; it is received and converted back into audible conversation. Window vibrators (which shake the glass with masking noise) are typically used to reduce the risk of this attack.

 

A beam of light could also be directed through the window, aimed at an object within the area and reflected back out of the window. The received beam of light is then converted back into the target's conversation. This method of attack would render window vibrators ineffective, which are intended to mask the room's conversational window vibrations. An infrared transmitter could also be planted within the target area, transmitting room audio out of the area to be received and converted back into room conversation. The clandestine beam must be detected to reveal an attack in progress, and if the beam is temporarily turned off, it will not be detected. Various countermeasures are available to reduce the risk of eavesdropping by these methods, depending on specific requirements.

 

Electro-Magnetic Radiation

--------------------------

 

Computers, CRT monitors, fax machines and other electronic equipment radiate electro-magnetic signals (EMR). These inherent emissions can be received surreptitiously to recover intelligence; in government circles this is referred to as TEMPEST. The strength of the emissions, which sets the effective reception range, varies between equipment. A CRT monitor, however, drives its electron beam with fast video pulses: as the beam sweeps across the screen it is switched on and off to paint each pixel, and every such transition radiates a strong, broadband electro-magnetic signal. A knowledgeable perpetrator who intercepts these emissions and locks onto the monitor's line and frame timing can reconstruct everything currently displayed on the screen.

 

This type of attack is real and does exist. Plans are readily available to build this equipment, and the required components are relatively inexpensive.
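
An added, deliberately simplified model of the principle (my own example, not from the original text and not a description of any real intercept equipment): a tiny raster is turned into an "emission" that carries only the pixel-edge pulses and the horizontal retrace transient, and the receiver side rebuilds the image from that signal alone, finding the line period by autocorrelation, aligning on the retrace pulse and integrating the edges back into pixels. The bitmap, blanking length and pulse strength are constructed; the lesson is that the raw emission looks nothing like a picture until it is folded at the right line timing.

```python
# Toy model of a CRT raster and the emission it leaks. Everything here is
# constructed for illustration; nothing is measured from a real monitor.

BLANK = 3       # beam-off (blanking) samples at the end of every scan line
FLYBACK = 4.0   # strength of the horizontal retrace transient, relative to a pixel edge

SCREEN = [      # constructed 7x5 bitmap spelling "H I" (1 = lit pixel)
    "1.1.111",
    "1.1..1.",
    "111..1.",
    "1.1..1.",
    "1.1.111",
]


def video_signal(screen, blank=BLANK):
    """Beam current as the raster is scanned: each line's pixels, then the
    blanking interval during which the beam is off."""
    sig = []
    for row in screen:
        sig.extend(1.0 if c == "1" else 0.0 for c in row)
        sig.extend([0.0] * blank)
    return sig


def emission(video, line_len, flyback=FLYBACK):
    """What radiates: the field follows the rate of change of beam current,
    so each pixel edge gives a pulse (+ on, - off) while a steady run of lit
    or dark pixels gives nothing. The retrace at the end of each line adds
    one large transient; it is what a receiver locks its timing to."""
    out, prev = [], 0.0
    for n, v in enumerate(video):
        e = v - prev
        if n % line_len == line_len - 1:
            e += flyback
        out.append(e)
        prev = v
    return out


def estimate_line_period(em, max_lag):
    """Receiver side: the line period is the lag at which the emission best
    correlates with itself, because the retrace transients repeat every line."""
    best_lag, best = 1, float("-inf")
    for lag in range(1, max_lag + 1):
        r = sum(a * b for a, b in zip(em, em[lag:]))
        if r > best:
            best, best_lag = r, lag
    return best_lag


def reconstruct(em):
    """Receiver side: fold the 1-D emission into lines aligned on the retrace
    pulse, then integrate the edge pulses back into pixel values."""
    period = estimate_line_period(em, len(em) // 2)
    pulse = max(range(len(em)), key=lambda i: abs(em[i]))  # any retrace pulse
    offset = (pulse + 1) % period                           # lines start right after it
    rows = []
    for start in range(offset, len(em) - period + 1, period):
        acc, pixels = 0.0, []
        for e in em[start:start + period - 1]:  # last sample is the retrace, skipped
            acc += e
            pixels.append("1" if acc > 0.5 else ".")
        rows.append("".join(pixels))
    return rows


def intercept_demo(screen=SCREEN):
    """Run the whole chain: raster -> emission -> blind reconstruction.
    Returns the estimated line period and the recovered rows (blanking included)."""
    line_len = len(screen[0]) + BLANK
    em = emission(video_signal(screen), line_len)
    return estimate_line_period(em, len(em) // 2), reconstruct(em)


if __name__ == "__main__":
    period, rows = intercept_demo()
    print(f"estimated line period: {period} samples")
    for r in rows:
        print(r)
```

A real intercept has to do the same two things with far worse material: recover line and frame timing from a noisy, band-limited signal, then integrate and threshold it; the reason text is so readable on a reconstructed screen is precisely that high-contrast edges are what radiate.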

 

[TELEPHONE INSTRUMENT ATTACKS]

 

Perhaps the most insidious and least recognized method of eavesdropping on room conversations is by telephone bugging or a hookswitch bypass.

 

The hookswitch bypass is a technique for room bugging which enables a telephone instrument to transmit room audio while the handset is in the on-hook position. This attack includes various methods by which the telephone instrument is modified or rewired to convert it to a continual listening device, even when it is hung up.

 

This simple technique usually allows the eavesdropper to intercept both telephone and room conversations without having to be concerned about hiding devices, running wires, or changing batteries within the target area.

 

There are several reasons why the telephone, as a listening device, is preferable to other bugging techniques:

 

-----> The telephone, with up to three possible microphones or transducers (the transmitter, typically a carbon or electret microphone, the magnetic earphone receiver, and the ringer circuit), is usually at an optimum location to accomplish eavesdropping in a target area. An additional microphone could also be installed within the telephone instrument by an eavesdropper.

 

-----> The telephone system provides conductors to carry the acquired audio to a listening post. Because the microphones and conductors are inherent to the telephone, there are no concealment requirements.

 

-----> No power is required in the target area, since the power used is either telephone system power or provided from the listening post. Therefore, battery replacement is not necessary.

 

Eavesdropping on telephone conversations is indeed a threat; however, far more critical information is frequently uttered after the call has ended. This is particularly true in an office with the telephone on the desk or credenza, which is typically the centre of most conversations.

 

A hookswitch bypass is the perfect eavesdropping method for gathering the maximum amount of intelligence.

 

Telephone Instrument Hookswitch Bypass

--------------------------------------

 

There are several variations of hookswitch bypass types. The three general categories of hookswitch bypass types are: Passive, Active, and Ringer. Application variations include online, whereby the connection between the telephone and the exchange is maintained, and offline, whereby the connection to the exchange is automatically or manually broken.

 

Passive

-------

 

Passive bypassing techniques are characterized as requiring no active devices in the telephone instrument. This technique provides for monitoring all on-going telephone conversations, as well as room conversations.

 

-----> Resistance/capacitance bypass

-----> Capacitance bypass

-----> Third wire bypass

-----> Ground return bypass

-----> Spare pair bypass

 

Active

------

 

Active bypassing techniques are characterized by the application of some external activation, without which the device will not function. Consequently, active devices can be turned on and off at will to monitor select room conversations.

 

-----> Reverse biased diode

-----> Neon tube

-----> Four layer device

-----> Infinity Transmitter

 

Ringer

------

 

This threat is inherent in U.S. telephones and stems from the fact that the ringer in some instruments is a dynamic transducer. The ringer coil, loosely mounted on its core, sits next to a permanent magnet. As in a dynamic microphone, vibrations move the coil in the magnet's flux field, and a voltage that follows the room audio is sent down the telephone line. Normally the audio quality is poor, but occasionally a ringer is encountered that provides excellent audio. Note that the ringer is on the line side of the hookswitch and is therefore always available to the eavesdropper, without any access to the telephone instrument.

 

Keep Alive

----------

 

Another type of active hookswitch bypass is known as a keep alive. The eavesdropper calls the target's telephone; the device activates when the target answers. After the target hangs up, the circuit holds the line as if the telephone were still off-hook, and room conversations can be monitored from the eavesdropper's telephone. When the eavesdropper hangs up, the telephone company's supervisory circuits return the target's line to the on-hook condition.

 

[TELEPHONE SYSTEM ATTACKS]

 

A newer threat, often overlooked by conventional TSCM techniques, exploits the programming features of computer-based telephone systems. All modern telephone systems are computer-based and software driven, with preprogrammed instructions that route calls to the proper lines and extensions. This makes them highly flexible, since any change to the configuration is a change to the program; it also exposes them to various eavesdropping attacks.

 

Most software eavesdropping attacks exploit the features of the telephone system. These techniques provide for monitoring all on-going telephone conversations, as well as room conversations. Reprogramming the privacy or access feature could allow passive eavesdropping of a target from another extension.

 

Even more alarming than the possibility of an eavesdropping attack, which could be perpetrated on-site, is one that could be performed remotely. The remote maintenance feature provides an eavesdropper the opportunity to remotely attack a telephone system.

 

The purpose of this feature is to allow remote off-site access, through the remote maintenance port, for system diagnosis or to reprogram the telephone system configuration. Remote access to the telephone system presents a unique threat as physical access to the telephone system wiring for surreptitious purposes is no longer necessary, therefore creating the opportunity for remote eavesdropping attacks.

 

A perpetrator could gain access into the telephone system program, through the remote maintenance feature, and camp onto a selected line or extension of the system, thereby enabling remote monitoring of any desired conversation. The system program could also be modified for clandestine purposes, possibly creating a software bridge tap, so that a target line or extension would also be automatically connected to another line or extension without a physical (hardwired) wire tap ever being performed.

 

This presents a unique threat as access to the target's telephone system wiring or instruments is not required, allowing eavesdropping attacks to be performed remotely. Software attacks are very difficult to detect, as they could occur at any time, remotely. Equally vulnerable to remote software attacks are voice mail, modems, or any convenience options which allow remote access capabilities.

 

Typical protection features securing most computer-based systems are easily compromised. These security features, such as callback and access codes, only offer a moderate level of protection.

 

The telephone system, its instruments and its lines are exposed to numerous methods of attack that are difficult to detect. Most telephone instruments sit close to sensitive room conversations. Telephone conversations travel along exposed and unprotected lines. And the system's control is easily accessed, offering complete control that is virtually undetectable. For these reasons, among others, it is understandable that eavesdropping attacks are predominantly discovered on the telephone system.

 

 

the B4ckCh4tter, 2002

 

[-EOF-]