TELECOM Moderator <telecom@eecs.nwu.edu> (04/08/90)
TELECOM Digest     Sat, 7 Apr 90 18:28:00 CDT    Special: Infinity Transmitters

Inside This Issue:                         Moderator: Patrick A. Townson

    The "Infinity Transmitter": Fact, Fiction and Fairy Tale [Larry Lippman]
----------------------------------------------------------------------

Subject: The "Infinity Transmitter": Fact, Fiction and Fairy Tale
Date: 4 Apr 90 14:22:47 EST (Wed)
From: Larry Lippman <kitty!larry@uunet.uu.net>

Some recent articles have made mention of an eavesdropping device commonly called the "Infinity Transmitter", a/k/a the "Harmonica Bug". I will address some specific aspects of a few recent articles in a moment, but first I'll provide some background and a more accurate description of this device.

The "infinity transmitter", in the form which has been known to the general public, was developed around 1963 by an interesting character from New York City with the name of Manny Mittelman. Mittelman, whose knowledge of electronics was largely self-taught, ran a small business called the Wireless Guitar Company. The first product of his company during the 1950's was, as readers may have already guessed, a small FM transmitter with acoustic pickup that transmitted the sound of a guitar to a companion receiver.

Mittelman quickly learned, however, that there was more money to be made selling a slightly modified version of this FM transmitter for eavesdropping purposes than for music applications. Mittelman expanded his product line to include other types of eavesdropping devices, and primarily sold his products to private investigators, some local law enforcement agencies, and anyone who walked into his store with money in hand.

I am not certain what caused his "infinity transmitter" to become a matter of public knowledge, but I suspect it was his testimony before Senator Long's investigating committee, which was a precursor to passage of the federal Omnibus Crime Control and Safe Streets Act of 1968.
One of the key provisions of this legislation were various prohibitions against use, manufacture, advertising, interstate transportation and sale of eavesdropping devices; these laws are contained in U.S.C. Title 18, Sections 2510 to 2520.

The "infinity transmitter", while a clever idea which apparently captivated the public's vivid imagination, was actually a rather crude eavesdropping device with extremely limited usefulness. Not only could the device be detected by a subject's suspicion in hearing occasional short rings of their telephone, but continued use of the device would cause a subject's line to be busy for legitimate callers. It does not take much imagination to envision a caller complaining to the subject that "your line has been busy for hours", with the subject knowing full well that their telephone was not in use.

The "infinity transmitter" as produced by Mittelman, and later cloned by other purveyors of eavesdropping apparatus, drew approximately 3 milliamperes of current from the telephone line in an on-hook state. This corresponds to a loop resistance leak of approximately 16,000 ohms, which can be readily detected by any telephone company test board. Anyone with a simple VOM could also detect the presence of such a device on a subject's telephone line.

In the on-hook state the primary source of power consumption was the tone detector circuit, which consisted of a simple LC bandpass filter with a center frequency of approximately 500 Hz, the output of which went to a pre-amplifier, limiter and relay driver. Bear in mind that at the time this device was developed and sold, there were neither CMOS IC's nor a practicable source of FET's which could withstand the transient voltages of telephone applications. The circuitry was designed and built using discrete germanium and silicon transistors of 1960's vintage; therefore, quiescent power consumption was in the milliampere and not microampere range.

The "infinity transmitter" only worked with certain central office switching apparatus, typically SxS, panel, No. 1 XBAR, and *early* No. 5 XBAR. The infinity transmitter will not work with any ESS apparatus, be it analog or digital.

The "infinity transmitter" exploited a loophole in the design of the SxS connector, and in panel and early XBAR interoffice trunks. While the actual circuit description would be difficult to convey in this type of forum, I will attempt a brief explanation.

In the above type of CO apparatus no speech path exists between the calling and called parties until the called party goes off-hook, operating a "ring trip" relay during either the silent or ringing interval, which in turn operates a called party supervisory relay which provides battery feed to the called party and then remains operated by the loop closure furnished by the called party's telephone being off-hook. Operation of the called party supervisory relay also completes the speech path to the calling party, typically through a 2 uF capacitor on the tip side, and a 2 uF capacitor on the ring side.

Early telephone CO apparatus (SxS, panel and early XBAR) utilized electromechanical ringing machines which were rich in audible harmonics. Audible ringback tone to the calling party was therefore supplied by a capacitor (typically .04 to .05 uF) which was ALWAYS connected between the ring side of the calling and called parties. Therefore, the calling party heard an attenuated version of the same ringing voltage which was actually ringing the called party's telephone line. During the silent ringing interval, a poor but nevertheless real audio path did in fact exist between calling and called party; this audio path probably resulted in an end-to-end insertion loss of between 20 and 45 dB, depending upon loop length and capacitance of calling and called parties.

In the original Mittelman version, a loudly-blown harmonica was used as a source of the 500 Hz trigger signal, hence the alternate name for this device, "Harmonica Bug".

As mentioned above, the "infinity transmitter" worked with SxS, panel, No. 1 XBAR and early No. 5 XBAR. However, a major ringing and tone plant upgrade program by the Bell System during the 1960's quickly rendered the "infinity transmitter" inoperable in most No. 5 XBAR CO's. Changing to the precise tones necessary for touch-tone service was a major factor behind the ringing and tone plant upgrade effort. The implication for No. 5 XBAR was that ringing current obtained from solid-state supplies no longer had the harmonic content necessary for capacitively-coupled ringback tone. As a result, the intraoffice trunks in existing No. 5 XBAR, and in new No. 5 XBAR, were modified to supply ringback tone from a dedicated source of ringback tone, thereby eliminating the .04 uF capacitor mentioned above. With this capacitor gone, the "infinity transmitter" could no longer function as there was no longer any audio path in advance of ring-trip.

In article <5814@accuvax.nwu.edu> tots!tep@logicon.com (Tom Perrine) writes:

> Has anyone actually seen one of these things, or is it just a myth
> that a *lot* of people believe in?

It's not a myth. I have seen one, and it was a rectangular block potted with black Scotchcast resin, measuring approximately 3 inches by 1 inch by 3/4 inch. It fit between the dial mounting brackets and the network on a 500-type telephone.

In article <5944@accuvax.nwu.edu> zweig@cs.uiuc.edu (Johnny Zweig) writes:

> ... misunderstanding of the phrase "this device allows you to call up and
> listen through the handset mike without the handset being picked up"
> leads people to believe there is a device I can use on _my_ end to
> call an untampered phoneset and listen through the handset.
> The latter is obviously false since there is no electrical connection
> between the handset mike and the line in an on-hook telephone.

Actually, there *is* a connection to the handset in an unmodified 500-type telephone set; there is inductive coupling between the bridged ringer and the transformer windings in the 425-type network. An eavesdropping device does exist to exploit this fact, although its usefulness today is rather limited since telephone sets with electronic networks are rapidly replacing the traditional 500-type set.

Effective use of this device requires that it be no more than several hundred feet from the subject's telephone set, and installation of this device requires that the subject's telephone pair be broken and routed *through* a special device, which is rather complex and not exactly small. No entry to the subject's premises or modification to their telephone set is required.

This device works through sending short, fast risetime high energy pulses into a subject's ringer at a multiple of a resonant frequency of the network formed by the handset and 425-type network in an on-hook state. These pulses have too little average energy to cause any mechanical operation of the ringer, in addition to being of a frequency inappropriate for ringer operation.

As far as I know, this device fortunately does not exist in the private sector; however, there has been some disclosure in the media over the years, although never with technical details of the nature that I have just furnished (which is also the extent to which I am prepared to disclose them).

In article <5946@accuvax.nwu.edu> pixar!bp@ucbvax.berkeley.edu (Bruce Perens) writes:

> I guess it sometimes took a few tries to get the
> connection, thus someone might get a lot of ring-and-hang-ups if they
> were bugged with this device.
> Do modern COs still work that way?

Fortunately, no.

In article <5915@accuvax.nwu.edu> rsiatl!jgd@gatech.edu (John G. De Armond) writes:

A Fairy Tale as follows...

> Yes these things do exist. I used one in the early '70s to get the
> goods on my boss who was, it turns out, planning on having some pot
> planted in my car in order to have me fired. I worked for the
> government at the time. I got my infinity transmitter from a friend
> who worked for a well known government agency whose name begins with a
> "C" :-).

Surely you are referring to the Civilian Conservation Corps, since no other agency would use a device as crude and impracticable as this one.

> The transmitter looked just like a regular phone network device. It
> was installed inside a normal (at the time) dial phone.

I have never known of this device to be built into a 425-type network. It would be *absurd* to go to the trouble of designing and building such a device in a network since it can be so easily detected by simple loop current and/or voltage measurement.

Furthermore, ever look closely at a 425-type network in a 500-type station set? The network is *riveted* to the base, and it would not be that easy to duplicate the riveting during a clandestine installation. Furthermore, early 425-type networks had some wires from the hookswitch soldered directly to them, further complicating a clandestine installation. No one in their right mind would ever go to the trouble of designing and building an "infinity transmitter" into a network; its ease of detection through other means clearly negates such effort.

> The procedure
> when you want to monitor ambient conversations is to dial the number
> of the phone containing the infinity transmitter and apply a sequence
> of tones to the line as the last digit is completed.
> A sequence is used to keep amateur sweeps (and some sophisticated
> ones) from finding the bug by sweeping the line with a variable
> frequency tone. The infinity transmitter detects these tones and
> picks up the line before the bell has a chance to ring.

Please, spare us.
No "sequence of tones" was ever used to hide the presence of this device, since it sticks out like a sore thumb to other means of detection. A simple voltmeter placed across the subject's telephone line at their premises will show at least a 3 volt drop from expected on-hook voltage, on say, a 500 ohm CO loop. A simple milliammeter placed in series with the subject's telephone line will show a 3 mA current flow where the expected value is *zero*.

Furthermore, the "infinity transmitter" had enough trouble in detecting a single tone without exceeding 3 mA on-hook loop current; the thought of 1960's technology in detecting multiple tones with appropriate combinatorial and timing logic without exceeding this current flow is absurd. Even 3 mA is enough current to cause dialing trouble and premature ring-trip problems on some longer CO loops.

> I usually would just hang up, though it was recommended that
> the tapper go ahead and act like he had reached a wrong number so as
> not to raise alarm with the target with all the single and aborted rings.

This, in Mr. De Armond's own words, is one fundamental reason why the "infinity transmitter" is a largely impracticable device.

> The big limitation with these bugs was the quality of the handset
> microphone.

Not true. The carbon handset transmitter is actually a rather decent and sensitive microphone, if properly excited and coupled to a well-designed pre-amplifier circuit. The carbon microphone has one thing going for it which balances other shortcomings - it has a large diaphragm surface area.

> Oh yeah, about my problem. I confronted my boss behind closed doors
> with those tapes and tapes from a phone tap I'd installed too and we
> reached an agreement on a truce until I could transfer to another agency.

That's really great. IF your alleged experience is true, then YOU are the one who committed multiple crimes, not your alleged boss.
Eavesdropping of the nature you describe is a felony in most, if not all states, in addition to violating U.S.C. Title 18 Section 2511, which is of a felony nature. While violation of the federal statute is not always present in the absence of involvement with interstate communication or interstate commerce, if we are to believe that your alleged "government" employer is the U.S. government, or receives any funding from the U.S. government, then we have most likely attained federal jurisdiction.

Also, I note with interest that in his article Mr. De Armond provided us with his amateur radio call sign, WD4OQC. It may assist Telecom readers in evaluating his story to know that according to the amateur radio operator database available through ftp, Mr. De Armond was a teenager until December 11, 1974.

I'm sorry if I may appear harsh to Mr. De Armond, but there are enough *real* problems in the world involving unlawful eavesdropping, without the need to invent any more myths.

<>  Larry Lippman @ Recognition Research Corp. - Uniquex Corp. - Viatran Corp.
<>  UUCP  {boulder|decvax|rutgers|watmath}!acsu.buffalo.edu!kitty!larry
<>  TEL 716/688-1231 || 716/773-1700  {utzoo|uunet}!/      \uniquex!larry
<>  FAX 716/741-9635 || 716/773-2488     "Have you hugged your cat today?"

[Moderator's Note: Bravo! Mr. Lippman, this was indeed an excellent presentation, and on behalf of all the readers -- the possible exception being Mr. De Armond -- I thank you for sharing with us. PT]

------------------------------

End of TELECOM Digest V10 #235
******************************