larry@uunet.uu.net> (04/08/90)
In article <6034@accuvax.nwu.edu> david@wraith.cs.uow.oz.au (David E A Wilson) writes:

> >The latter is obviously false since there is no electrical connection
> >between the handset mike and the line in an on-hook telephone. Just
> >shows to go ya.

> A British program broadcast in Australia stated that this is done by
> tapping the wires leading into the property and applying a high
> frequency AC signal to the line - at this frequency the switch hook
> looks like a capacitor which conducts the AC which is then modulated
> when it passes through the microphone.

The above explanation is quite close; there are, in fact, *multiple* mechanisms of coupling "around" the switchhook which combine in a complex and unpredictable manner necessitating that any apparatus used to eavesdrop based on this principle must be empirically "tuned" to the characteristics of a particular telephone set. More often than not, for a variety of reasons (most commonly inability to locate the apparatus close enough to the subject telephone set), suitable "tuning" cannot be achieved and the apparatus will not function in a usable manner.

In the particular method mentioned in the referenced article, the switchhook contacts themselves will be lucky to provide a few pF of capacitance, which is far too much reactance to be useful at any suitable frequencies. There is more mutual capacitance in the wires connecting the network to the switchhook than in the switchhook contacts themselves.

However, the primary method of achieving "coupling" across the on-hook contacts is magnetic coupling between the bridged ringer windings and the transformer windings within the network. While the inductive reactance of the ringer windings in toto is rather high at the frequencies being used, there is mutual capacitance between ringer coil layers which creates a succession of smaller LC networks and makes this approach more feasible than one might first imagine.

There is actually another methodology which can be applied to eavesdropping on room conversations using an unmodified telephone set. Most ringers will function as a variable reluctance microphone, if the line from the telephone is amplified to an extreme degree, along with application of suitable signal processing to eliminate an incredible amount of noise. As in the above methods, the necessary apparatus must be within a few hundred feet from the telephone set, and the CO pair must be broken during the operation (with circuitry to detect an incoming call or outgoing call attempt and reestablish the CO line continuity to avoid any suspicion on the part of the subject). I am not claiming that a ringer is a *good* microphone, but under some selected circumstances this technique can provide useful intelligence.

I may later regret this suggestion, but as an example to illustrate this principle, here is an experiment that an enterprising reader can perform using apparatus found in any well-equipped electronics laboratory. Take a 500-type or 2500-type set with a bridged ringer and connect its tip and ring directly to the input of a low-noise amplifier providing say, 80 dB of gain in the voice frequency range. A suggested approach is to cascade two Hewlett-Packard 465A amplifiers, with each amplifier being set for 40 dB gain. Take the 80 dB amplifier output and connect it to the input of a variable bandpass filter having at least 20 dB/octave attenuation (like a Krohn-Hite 3100, 3500 or 3700). Take the output from the bandpass filter and feed it to another amplifier providing 20 to 40 dB gain and capable of driving a pair of headphones. Tune the bandpass filter to reject powerline noise, and you have just turned the telephone set into a crude microphone.

At that point it does not take much imagination to realize that given some competent engineering resources and a commensurate budget, this technique can be refined into a practicable eavesdropping device.
The availability of digital signal processing can also do wonders to eliminate the vast amount of power line, impulse noise and other interference which develops at the gain necessary for speech pickup sensitivity.

While electromechanical ringers are becoming somewhat a thing of the past, many electronic telephone sets with tone ringers will function as an even better microphone. Such tone ringers usually rely upon a piezoelectric element as the loudspeaker, although a few low-quality "drugstore-variety" one-piece telephones utilize the receiver element as the ringer transducer. As most readers of this forum are no doubt aware, piezoelectric devices will generally function as both a microphone and loudspeaker. Even a piezoelectric element optimized for tone ringer use, i.e., with resonance in the range of 1.5 to 2.5 kHz, will still function as a usable microphone for lower frequencies.

An on-hook telephone set with electronic tone ringer, if isolated from the CO line and connected to an ultra-high gain amplifier with suitable bandpass filtering, and if also subjected to an appropriate RF bias to cause conduction across the initial full-wave bridge rectifier and subsequent semiconductor junctions, can in many instances be turned into a microphone. While this technique will not work with all electronic telephones, it will work with a significant number.

The above technique of compromising a telephone with an electronic tone ringer was first performed almost twenty years ago on the Ericophone. The Ericophone was an early one-piece telephone, some models of which contained an electronic tone ringer. While the geometry of the Ericophone defies verbal description in this forum, the overall design scheme may best be described as phallic in nature. Those readers who are familiar with the Ericophone will no doubt concur with this description :-).

I have commented much more on the above topics than I had originally intended.
However, since some of the above methodologies have not only been mentioned in the media but are now well over 20 years old, I do not see any overt harm in my disclosure of some further selected details in an effort to promote "awareness".

> [Moderator's Note: Larry Lippman has written us again! Some of you who
> have been readers for at least a few months will remember his interesting
> articles.

I have been rather busy in the past several months with the startup of a new division of my organization, and have not had time to contribute to TELECOM Digest, but I'll see if I can keep up for a while.

<> Larry Lippman @ Recognition Research Corp. - Uniquex Corp. - Viatran Corp.
<> UUCP {boulder|decvax|rutgers|watmath}!acsu.buffalo.edu!kitty!larry
<> TEL 716/688-1231 || 716/773-1700 {utzoo|uunet}!/ \uniquex!larry
<> FAX 716/741-9635 || 716/773-2488

Leichter-Jerry@CS.YALE.EDU@venus.ycc.yale.edu (04/09/90)
Larry Lippman's recent comments - for which this reader says "much thanks" - bring to mind an old story. It may be "urban legend", or there may be something behind it.

It's claimed that the reason Ma Bell was so slow to replace the little incandescent bulbs in multi-line phones with LED's was a security problem. It seems that voices on the line modulate the power available to the indicators. The reluctance of the old incandescents was high enough that no useful information could be gotten from them, but it was alleged that the LED's provided a nice clear signal which could be read, say, with a decent telescope and a little equipment, from the building across the street.

-- Jerry

John Higdon <john@bovine.ati.com> (04/10/90)
Leichter-Jerry@CS.YALE.EDU@venus.ycc.yale.edu writes:

> It's claimed that the reason Ma Bell was so slow to replace the little
> incandescent bulbs in multi-line phones with LED's was a security
> problem. It seems that voices on the line modulate the power
> available to the indicators. The reluctance of the old incandescents
> was high enough that no useful information could be gotten from
> them, but it was alleged that the LED's provided a nice clear signal
> which could be read, say, with a decent telescope and a little
> equipment, from the building across the street.

Well, I hate to be the thrower of cold water on a great sounding story, but whatever reason Ma Bell had for not modernizing their line indicators wharn't that. The incandescent bulbs were powered from 10 VAC obtained from the KSU power supply. If anything, the bulbs were modulated by other bulbs going on and off within the system. But mainly, they were modulated with 60 Hz from the AC line. Voices on the line had no effect on the bulbs.

GTE had key phones with LEDs for years that would plug into standard KSUs. If you tried to "eavesdrop" with a photodetector, all you would get would be a big buzz.

John Higdon | P. O. Box 7648 | +1 408 723 1395
john@bovine.ati.com | San Jose, CA 95150 | M o o !