Installing bugs in telephone equipment and making changes to the equipment.
James M. Atkinson, Granite Island Group
Installing bugs in telephone equipment and making changes to the equipment.
Installing bugs in telephones and making changes.
If you are reading this, you have a telephone, and if you have a telephone, you already have an excellent bug installed in your home or office.
In many cases, nothing at all needs to be done to the telephone (Northern Telcom, for example) to turn it into an excellent indoor bug, and in most cases, installing a simple capacitor (costing three cents) and cutting one wire will turn your telephone into a very good quality eavesdropping device.
Telephones have microphones, speakers, bells, converters and power supply… everything that someone who is eavesdropping needs to intercept your personal or work conversations.
And then the one who wants to eavesdrop can. Choose from hundreds of options on how to turn your phone into an excellent monitoring device.
Threats caused by self-emissions.
Cellular and cordless phones, by their very nature, emit high-power RF energy that can be intercepted over considerable distances. Even the newest digital spread spectrum phones are easily intercepted using a few dollars' worth of radio parts that can be purchased at any radio supply store.
Many modems, phones, and speakerphones also emit RF energy when in use, which can be easily intercepted by an eavesdropper using standard equipment and inexpensive radio receivers.
Speakerphone systems made by Lucent, Panasonic, U.S. Robotics, and others have a history of their own «self-emitting» features. One of these phones, ordered straight from the factory (without any modifications) will often emit RF energy that can easily be intercepted within a few hundred feet of the phone. For example, many of the Merlin speakerphones emit RF (narrowband FM) at frequencies around 300 MHz.
Many modems used for data communications (Practical Peripheral, Motorola, Rockwell, etc.) also emit RF energy during normal use. This allows an eavesdropper to easily intercept and record the signal over considerable distances. Often, all that is needed to monitor the signal is a slightly modified twenty-dollar FM receiver. For example, the Practical Peripheral 28.8 modem, which has not been modified in any way, emits an RF signal in the 120-130 MHz range, a signal with wideband FM modulation and several pulse-shift keyed components.
The same thing happens with fax machines. When a confidential document is sent to your client, you may be transmitting it to someone who is eavesdropping. This is a serious problem for Sharp, Canon, HP and other fax machines.
HF transmitters.
This is a classic telephone bug, a small RF transmitter attached to a telephone line somewhere — or outside the premises. Power may be supplied by the telephone line or by a small battery. Most of these types of devices only transmit when the telephone receiver is lifted.
RF Transmitter with Microphone
Similar to the above product, but has its own microphone and is usually installed inside the telephone set. This device is usually considered an indoor bug. Devices of this type transmit an RF signal over telephone lines or the power grid (frequency is usually between 9 kHz and 750 kHz, but can be 300+ MHz).
Infinite Range Transmitter
These are older devices that usually connect to a telephone and allow the caller to listen in on the room when called from another phone. Considered obsolete, they are still sold in spy shops.
Recorder Trigger/Disable Relay
This is little more than a device that detects the voltage/current change that occurs when a telephone receiver is picked up. It activates a voice recorder hidden nearby. Some triggers can also detect the presence of sound and trigger the voice recorder if sound is detected on the line.
This type of device is popular with private detectives and “wannabe spies.” These products can be purchased at radio stores or other electronics stores for under twenty dollars.
A Slave or Bypass Device.This type of product provides electrical isolation between the line — the target and the interceptor, providing low-level security from detection (popular in law enforcement).
CO/REMOBS Monitoring (Remote Monitoring by the Telephone Company)
Allows the telephone company or government to legally connect to and monitor your telephone. The computer providing telephone service in your local area is configured to broadcast a digital copy of all your conversations to a hidden listening post (which can be located anywhere in the world).
All that is needed is access to an electronic switchboard converter and a digital communications system or data line of an office communications network (usually a “closed” line is rarely used). Using a 622 Mbps fiber optic line, an eavesdropper can easily access and listen in on more than 11,100 lines of a local network simultaneously.
This feature of the telephone system is fairly loosely controlled, as the telephone company's operations department uses it for routine maintenance. Any computer hacker/phone thief can easily gain access to this system, and private investigators and insurance companies have been known to illegally use this system to gather information on targets of interest.
Methods to Bypass a Telephone Hookswitch
There is a switch inside the telephone that disconnects and shorts out the microphone of the telephone handset when the receiver is hung up (a hook switch). If the telephone circuit is slightly modified (cut one wire and insert a 3-cent part), the microphone will be “hot” all the time. And if it is hot all the time, then the eavesdropper can be located anywhere outside the monitored area, insert an audio amplifier into the telephone line, and get a high-quality room bug. This method is as effective as installing a microphone or listening device in that room or in the building.
Some telephone systems do not have a mute switch circuit (for example, in cheaper models of Northern Telcom, Toshiba, and some others). This allows the eavesdropper to carry out technical monitoring without actually entering the area (for example, a hotel room) and without making any — or changes to the telephone set.
Here are some variations of the hook switch bypass method:
- Bypass using a resistor and capacitor
- Bypass with Capacitor
- Bypass with Spare Pair
- Bypass with Spare Pair to Microphone
- Bypass with Spare Pair to Handset Telephone
- Bypass with Third Wire
- Bypass with Reverse Ground
- Bypass with Reverse Bias Diode
- Bypass with Neon Circuit
- Four-Terminal Product
- Ringer
- Change to Handset Circuit
One of the jobs that a TSCM technician will perform during an inspection is to analyze each telephone product used in the area under inspection. The TSCM technician will use electronic testing equipment to test the electronic performance of both the telephone products and their associated wiring. This will be followed by a thorough physical inspection of the telephones (and their surroundings) to further determine any potential security risks or what — or anomalies.