[comp.dcom.telecom] Myth and Reality About Eavesdropping

larry@uunet.uu.net (Larry Lippman) (07/13/89)

In article <telecom-v09i0220m10@vector.dallas.tx.us>, nvuxr!deej@bellcore.bellcore.com (David Lewis) writes:

> ] >I might add this is how the Federal Bureau of Investigation and the CIA
> ] >also listen to you (assuming authorized taps, of course). When telco is
> ] >served with a court order to apply a tap to your line, they tie another
> ] >pair on your line in the office and send it through a coil and off to the
> ] >FBI. **And they charge both YOU and the FBI for the price of the line!!**

	The above comment was made by the Telecom Digest moderator.  I'm
not certain what the point of the last sentence was, unless it was merely a
disdainful reference to authorized eavesdropping.  Surely one does not
expect the telephone company to provide the intercept circuit free of charge
(the intercept circuit may often have interexchange mileage charges since
the monitoring point is often not within the same central office), nor does
one expect the law enforcement agency to pay for the subject's telephone
line, either!

	Most CO (central office) eavesdropping intercepts in a BOC CO
are today performed using a modified MFT (Metallic Facility Termination)
circuit pack which places about a 100,000 ohm isolated bridging impedance
across the subscriber line.  Supervisory signaling is detected on the
subscriber loop using a high-impedance electronic circuit, and the
signaling is repeated in an isolated fashion using the A and B leads of
the repeating coil in the MFT to "reconstruct" a CO line for the benefit
of monitoring apparatus.

	The entire purpose of the above effort is to prevent any trouble
or noise on the intercept line or monitoring apparatus from causing any
trouble, noise or transmission impairment on the subject line.

	Some BOC's may elect to use service observing apparatus to provide
the necessary isolation and repeated loop supervisory signaling.  Less
common are locally engineered variations which merely use an isolation
amplifier from an MFT or other 4-wire repeater, and which provide no
repeated supervisory signaling (which is not all that necessary, since
voice-activated recorders and DTMF signaling detectors can be used, and
since dial pulses can be counted by playing a tape at slow speed).

	Today, the use of a "bridge lifter" retardation coil for the
purpose of connecting an eavesdropping intercept line is virtually
non-existent since they do not provide sufficient isolation and since
they provide a fair amount of insertion loss without loop current on
the "observing" side.  Bridge lifter coils are primarily intended for
answering service intercept lines, and consist of a dual-winding inductor
which passes 20 Hz ringing and whose windings easily saturate when DC
current flows.  Bridge lifter coils are used to minimize the loading effect
(and consequent transmission impairment) of two subscriber loops on one
CO line.  Bridge lifter coils provide a significant insertion loss at voice
frequencies toward the idle loop; i.e., the loop in use will have DC
current flow, saturating the inductor, and reducing its insertion loss to
1.0 dB or less.

> ] If so, does this mean that the electronically inclined and paranoid
> ] among us might be able to keep track of when we are being bugged by
> ] measuring the impedance and capacitance of our lines?

> Actually, it's already been done.

> ] Maybe Sharper Image will start selling a box to watch your line and
> ] tell you when its electrical properties change in a suspicious way?

> I don't know if Sharper Image sells them, but there are any number of
> "security consulting" firms which do.  They include boxes which sit
> beside/beneath the phone to a replacement microphone for a 2500 set
> which has a little LED that lights up if the characteristics of the line
> change...

	As the author of the second article stated, these gadgets are for
the paranoid who have nothing better to waste their money on.

	The simple truth of the matter is that there is NO WAY for any
person using ANY type of apparatus at the telephone set location to
ascertain whether there is a properly installed eavesdropping device
connected across their line in the CO.  The only way such a determination
can be made is through the cooperation of the telephone company.

	For that matter, there is virtually no way for any person using
any type of apparatus in their premises to ascertain if there is ANY type
of eavesdropping apparatus installed ANYWHERE on their telephone line
outside their premises, unless the eavesdropping apparatus was designed
or installed in an exceptionally crude manner (not likely today).  Some
types of eavesdropping apparatus may be located, but only with the full
cooperation of the telephone company.

	The sole capability of these nonsense gadgets is to ascertain if
an extension telephone is picked up during a telephone call, which is
hardly a likely scenario for serious eavesdropping!

	These screw-in-the-handset gadgets work by sensing the voltage
across the carbon transmitter circuit, and using a control to null this
voltage using a comparator circuit.  When a person makes a telephone call,
the control is adjusted until the light just goes out.  If an extension
telephone at the user's end is picked up during the call, the increased
current drain of a second telephone set will decrease the voltage across
the carbon transmitter circuit, unbalancing the voltage comparator circuit,
and thereby causing the LED to light.

	These voltage comparator "tap detectors" cannot even be left with
their setpoint control in the same position, because the effective voltage
across a subscriber loop will vary depending upon the nature of the call
(except in the case of an all digital CO), and upon other conditions in
the CO.  Electromechanical and analog ESS CO's may present different
characteristics to the telephone line, depending upon whether it is used
at the time of: an originated intraoffice call (calling side of intraoffice
trunk), an answered intraoffice call (called side of intraoffice trunk),
an originated tandem call (interoffice tandem trunk), an originated toll
call (toll trunk), or an answered tandem/toll call (incoming tandem or toll
trunk).  There is usually enough variation in battery feed resistance due
to design and component tolerance changes on these different trunks to
cause a variation of up to several volts measured at the subscriber end
for a given loop and given telephone instrument.

	Even more significant are variations in CO battery voltage, which
can vary (within "normal limits") from 48 volts to slightly over 52 volts,
depending upon CO load conditions.  50 to 51 volts in most CO's is a typical
daily variation.  If anyone is curious, connect an _isolated_ voltage
recorder or data logger to a CO loop and watch the on-hook voltage
variations; in many CO's the resultant voltage vs 24-hour time curve will
look just like the inverse of a busy-hour graph from a telephone traffic
engineering text!

	In some all-digital CO apparatus, the subscriber loop signaling is
performed by a solid-state circuit which functions as a constant-current
(or current-limiting) device.  With such a solid-state circuit controlling
loop current, there is no longer ANY meaningful reference to CO battery
voltage; i.e., one cannot even use short-circuit loop current at the
subscriber location to even estimate outside cable plant resistance.

	To explode this myth even further, let's do a little Ohm's Law:

1.	Assume a CO loop with battery fed from a dual-winding A-relay (or
line relay, ESS ferrod line scanner element, or whatever) having 200 ohms
to CO battery and 200 ohms to ground.

2.	Assume a CO loop of 500 ohms (a pretty typical loop).

3.	Assume an eavesdropping device with a DC resistance of 100,000 ohms
(this is still pretty crude, but I'm being generous with my example).

4.	Using some simple Ohm's law, the presence or absence of this
hypothetical eavesdropping device at the SUBSCRIBER PREMISES will result
in a voltage change of less than 0.5 volt when measured in the on-hook
state.  This voltage change is much less than normal variations of CO
battery voltage.

5.	Using some simple Ohm's law, the presence or absence of this
hypothetical eavesdropping device at the CENTRAL OFFICE LOCATION will
result in a voltage change of less than 0.2 volt when measured in the
on-hook state.  This voltage change is an order of magnitude less than
the expected normal variation of CO battery voltage!

	Measuring voltage variations on a subscriber loop in an effort to
detect a state-of-the-art eavesdropping device is meaningless, regardless
of resolution of a voltage measuring device, since the "signal" is in
effect buried in the "noise".

	Moving on to the subject of subscriber line impedance...

	There is simply no way for any device located on the subscriber's
premises to obtain any MEANINGFUL information concerning the impedance
characteristics of the subscriber loop and whether or not anything "unusual"
is connected at the CO (or for that matter, anywhere else on the subscriber
loop).  There are a number of reasons why this is the case, which include
but are not limited to:

1.	The impedance of a typical telephone cable pair results from
distributed impedance elements, and not lumped elements.  Non-loaded
exchange area cable (22 to 26 AWG @ 0.083 uF/mile capacitance) is generally
considered to have a characteristic impedance of 600 ohms (it actually
varies, but this is a good compromise figure).  Loaded exchange area cable,
such as H88 loading which are 88 mH coils spaced at 6 kft intervals, is
generally considered to have a characteristic impedance of 900 ohms (it
actually varies between 800 and 1,200 ohms, but 900 ohms is generally
regarded as a good compromise figure for the voice frequency range of 300
to 3,000 Hz).  What this means is that a bridged impedance of 100,000 ohms
located in the CO on a typical subscriber loop will result in an impedance
change measured at the SUBSCRIBER LOCATION of 0.1% or less.  That's IF you
could measure the impedance change at the subscriber location.

2.	As a general rule of thumb, the impedance of an exchange area
telephone cable pair changes ONE PERCENT for every TEN DEGREES Fahrenheit
temperature change.  Actual impedance changes are a function of the
frequency at which the impedance is measured, but the above rule is
pretty close for the purposes of this discussion.

3.	Moisture in the telephone cable causes dramatic changes in its
impedance characteristics.  While this may appear obvious in the case of
pulp (i.e., paper) insulated conductors, it is also characteristic of
polyethylene (PIC) insulated conductors.  Only gel-filled cable (icky-PIC),
which still represents only a small percentage of installed cable plant,
is relatively immune from the effects of moisture.

4.	From a practical standpoint, it is extremely difficult to measure
impedance in the presence of the DC potential which is ALWAYS found on
a telephone line.  The subscriber has no means to remove the telephone
pair from the switching apparatus in the CO to eliminate this potential.
Therefore, any attempt at impedance measurement will be subject to DC
current saturation error of any inductive elements found in an impedance
bridge.  The telephone company can, of course, isolate the subscriber cable
pair from the switching apparatus for the purpose of taking a measurement -
but the subscriber cannot.  In addition to the DC current problem, there
is also the problem of impulse and other types of noise pickup on a
connected loop which will impress errors in the impedance bridge detector
circuit.  Such noise primarily results from the on-hook battery feed, and
is present even in ESS offices, with ferrod scanner pulses being a good
source of such noise.  While one could possibly dial a telephone company
"balance termination" test line to get a quieter battery feed, this still
leaves something to be desired for any actual impedance measurements.

5.	Devices which connect to a telephone pair and use a 2-wire/4-wire
hybrid with either a white noise source or a swept oscillator on one
side and a frequency-selective voltmeter on the other side to make a
frequency vs return loss plot provide impressive, but meaningless data.
Such a plot may be alleged to show "changes" in telephone line impedance
characteristics.  There is actual test equipment used by telephone companies
which functions in this manner to measure 2-wire Echo Return Loss (ERL), but
the ERL measurement is meaningless for localization of eavesdropping devices.

6.	It is not uncommon for the routing of a subscriber line cable pair
to change one or more times during its lifetime due to construction and
modification of outside cable plant.  Outside cable plant bridge taps (not
of the eavesdropping variety) can come and go, along with back taps in
the CO to provide uninterrupted service during new cable plant additions.
Not only can the "active" length of an existing cable pair change by several
percent due to construction, but lumped elements of impedance can come and
go due to temporary or permanent bridge taps.

	The bottom line of the above is that one cannot accurately measure
the impedance of a telephone pair while it is connected to the CO switching
apparatus, and even if one could, the impedance changes caused by the
installation of an eavesdropping device will be dwarfed by changes in cable
pair impedance caused by temperature, moisture, and cable plant construction
unknown to the subscriber.

	In some previous discussions in Telecom Digest about a year or so
ago, there was mention of the use of a time domain reflectometer (TDR) for
localization of bridge taps and other anomalies.  While a TDR will provide
a rather detailed "signature" of a cable pair, it has serious limitations
which include, but are not limited to:

1.	A TDR, in general, cannot be operated on a cable pair upon which
there is a foreign potential; i.e., a TDR cannot be used on a subscriber
cable pair which is connected to the CO switching apparatus.

2.	A TDR contains some rather sensitive circuitry used to detect the
reflected pulse energy, and such circuitry is extremely susceptible to
noise found in twisted pair telephone cable.  A TDR works well with
coaxial cable and waveguide, which are in effect shielded transmission
lines.  The use of a TDR with a twisted cable pair is a reasonable
compromise provided it is a _single_ cable pair within one shield.
The use of a TDR with a twisted cable pair sharing a common shield with
working cable pairs is an invitation to interference by virtue of
inductive and capacitive coupling of noise from the working pairs.

3.	Noise susceptibility issues notwithstanding, most TDR's cannot
be used beyond the first loading coil on a subscriber loop since the
loading coil inductance presents far too much reactance to the short
pulses transmitted by the TDR.  There are one or two TDR's on the market
which claim to function to beyond _one_ loading coil, but their sensitivity
is poor.

	There is simply no device available to a telephone subscriber that,
without the cooperation of the telephone company, can confirm or deny
the presence of any eavesdropping device at any point beyond the immediate
premises of the subscriber.  I say "immediate premises of the subscriber"
because one presumes that the subscriber has the ability to isolate the
premises wiring from the outside cable plant, and therefore has complete
inspection control over the premises wiring.

	I have used the phrase "without the cooperation of the telephone
company" several times in this article.  No voltage, impedance or TDR
data is meaningful without knowing the actual circuit layout of the
subscriber loop in question.  Circuit layout information includes such
data as exact length and gauges of loop sections, detailed description of
loading (if present), presence and location of multiples and bridge taps,
calculated and measured resistance of the loop, loop transmission loss, etc.
Ain't no way that a telephone company is going to furnish that information
to a subscriber!  Sometimes it's even difficult for a government agency to
get this information without judicial intervention.

	Despite what I have stated in this article, readers will see claims
made by third parties as to the existence of devices which will detect the
presence of telephone line eavesdropping beyond the subscriber's immediate
premises.  With the exception of the trivial cases of serious DC current
draw by an extension telephone or the detection of RF energy emitted by
a transmitter, this just ain't so.  Companies like Communication Control
Corp. (which advertises in various "executive" business publications) get
rich by selling devices which claim to measure minute voltage and impedance
changes on a telephone line - but consider those claims in view of the
voltage changes due to CO battery variations and due to temperature changes
in outside cable plant - and one should get the true picture.

<>  Larry Lippman @ Recognition Research Corp. - Uniquex Corp. - Viatran Corp.
<>  UUCP   {allegra|boulder|decvax|rutgers|watmath}!sunybcs!kitty!larry
<>  TEL  716/688-1231 | 716/773-1700  {hplabs|utzoo|uunet}!/     \uniquex!larry
<>  FAX  716/741-9635 | 716/773-2488     "Have you hugged your cat today?"
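The Ohm's law figures in Mr. Lippman's numbered list, worked through as an added example that is not part of the original post. It assumes exactly what the post states (a 200 + 200 ohm battery feed, a 500 ohm loop, a 100,000 ohm bridging device placed either at the premises or in the CO) plus an on-hook set that draws no DC and an ideal voltmeter; the 48 to 52 volt battery range is the post's own "normal limits" figure.

```python
"""Constructed DC model of the on-hook loop voltage seen by a subscriber.

Network: battery -> feed (200 ohms to battery + 200 ohms to ground = 400 ohms)
         -> CO terminals (optional shunt tap) -> 500 ohm loop
         -> premises terminals (optional shunt tap, ideal voltmeter).
The set is on-hook, so it draws no DC; only a tap can draw loop current.
"""
import math


def _parallel(r1: float, r2: float) -> float:
    """Parallel combination that tolerates an open circuit (math.inf)."""
    if math.isinf(r1):
        return r2
    if math.isinf(r2):
        return r1
    return r1 * r2 / (r1 + r2)


def onhook_voltage(v_batt: float, feed_ohms: float, loop_ohms: float,
                   tap_co_ohms: float = math.inf,
                   tap_premises_ohms: float = math.inf) -> float:
    """DC voltage an ideal voltmeter reads at the subscriber end, on-hook."""
    r_toward_sub = loop_ohms + tap_premises_ohms      # inf if no premises tap
    r_at_co = _parallel(tap_co_ohms, r_toward_sub)    # total DC load on feed
    if math.isinf(r_at_co):
        v_co = v_batt                                  # no load: full battery
    else:
        v_co = v_batt * r_at_co / (feed_ohms + r_at_co)
    if math.isinf(tap_premises_ohms):
        return v_co                                    # no loop current, no drop
    return v_co * tap_premises_ohms / (loop_ohms + tap_premises_ohms)


def tap_deltas(v_batt: float = 48.0, feed_ohms: float = 400.0,
               loop_ohms: float = 500.0, tap_ohms: float = 100_000.0) -> dict:
    """Change in the on-hook reading caused by adding the bridging device."""
    base = onhook_voltage(v_batt, feed_ohms, loop_ohms)
    prem = onhook_voltage(v_batt, feed_ohms, loop_ohms, tap_premises_ohms=tap_ohms)
    co = onhook_voltage(v_batt, feed_ohms, loop_ohms, tap_co_ohms=tap_ohms)
    return {"premises": base - prem, "co": base - co}


def battery_swing(v_low: float = 48.0, v_high: float = 52.0,
                  feed_ohms: float = 400.0, loop_ohms: float = 500.0) -> float:
    """On-hook reading change from a normal CO battery excursion, no tap."""
    return (onhook_voltage(v_high, feed_ohms, loop_ohms)
            - onhook_voltage(v_low, feed_ohms, loop_ohms))


if __name__ == "__main__":
    d = tap_deltas()
    print(f"tap at premises: {d['premises']:.3f} V   tap in CO: {d['co']:.3f} V")
    print(f"normal battery swing alone: {battery_swing():.1f} V")
```

The premises tap moves the reading by about 0.43 V and the CO tap by about 0.19 V, while the battery alone can wander 4 V, which is the "signal buried in the noise" point of the post.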

David_Michael_McCord@apple.com (07/20/89)

Mr. Lippman's detailed article regarding detection of wiretaps was quite
interesting reading.  However, there is yet another possible method to
implement a "wiretap" (reason for quotes will become apparent) that is
totally impossible to detect, because it does not even cause the very-slight
changes Mr. Lippman discussed.

On any line served by an all-digital switch, all line signals pass through
a digital cross-connect device which is essentially a large block of random
access memory (RAM).  Connections through this device are made by
simply copying the digital image of the line audio signals from one RAM
location (address) to another.

It does not require a degree in computer science to see that the digitized
audio may be copied just as easily to a second location, thus allowing
completely undetectable monitoring of the line in question.

I do not *know* that software to perform this function exists.  But I
suspect that it would only take fifteen minutes for a #5ESS-trained
programmer to write it...  A wiretap without any wire!
