RF telephone transmitters are 'bugs' wired into the phone line or the telephone unit itself, broadcasting all traffic to a listening post. RF line transmitters are either series or parallel, depending on how they're designed to be attached to the line. RF transmitters can vary in size from absolutely tiny (think pea sized) to reasonably large depending on their intended application (devices in the wiring between your phone and the phone company can be a little bigger to incorporate larger power supplies and transmit further, while bugs in your phone have to be very discrete).

From a wiretapper's standpoint, parallel and series transmitters have their respective good and bad points.

Series telephone transmitters on the customer's property can be picked off by making a series of measurements.

1. Remove all phones, faxes, modems, etc. from the line to be tested.
2. Short the pair to be tested at the demark point (the point where wiring enters the building).
3. Measure loop resistance with the lowest resistance setting from the jack farthest from the demark point.
4. Reconnect the pair and measure loop voltage.
5. Measure pair voltage on another line.

If loop resistance exceeds a few ohms or line voltage dips noticeably below the standard (usually around 48 volts), there is something (not necessarily a transmitter) on the line.

Parallel telephone transmitters on the customer's property can also be detected with a series of resistance measurements.

1. Remove all phones, faxes, modems, etc. from the line to be tested.
2. Open the pair to be tested at the demark point.
3. Measure loop resistance with the highest resistance setting available on the meter.

If the loop resistance is less than infinite, something is wired onto the line in parallel (not necessarily a transmitter).

Note: a multimeter with VERY high impedance scales is most helpful here in order to compensate for devices with high impedance front ends. Even more precise and greater scale measurements can be made with the use of a resistance bridge and a resistance substitution box.

Both of the above tests can be adapted to test for surveillance devices outside the customer's property, provided a method can be found to short and open the pair at the central office. The phone company can be coerced into opening and shorting a customer's pair, if they're provided with a good enough reason.

* Note to anyone using a DATU to open the pair: open measurements using a DATU must compensate for the "testing matrix" of a 5ESS switch, which will add 500 ohms to the series measurement. Switch type can be determined by calling the phone company and asking on the pretext of purchasing switch specific ISDN equipment.

The series measurement will also have to compensate for resistance added by loop length. Determine loop length by measuring the loop's capacitance and dividing by .083 (1000 feet of cable has .083 microfarrads per 1000 feet microfarrads per mile.). Now consult the loop resistance chart below to determine rough loop resistance. Remember, thats per conductor.

Should the series test turn up positive, it can be supplemented with a voltage measurement and a balance test. Should the voltage dip noticeably from the 48 volt average, it could indicate a series load on the line. A resistive balance test can also be conducted. Short the far end of each conductor independantly to an earth ground, and measure resistance between the near end of each lead and an earth ground. The leads should 'balance', i.e. their resistances should match or nearly match. An imbalance of more than 10 ohms indicates that more investigation is needed. The series balance test will not always allow for accurate readings, as some transmitters will use a balancing network to match the resistance of both conductors.

"Loop loading" can be ascertained by either investing in a load coil counter or by calling the phone company and having the line checked for high speed services readiness. If the line can support ISDN/XDSL immediately, its unloaded. If its loaded have the line conditioned for high speed service, it'll make your life easier and maybe get a few extra Kbps out of your modem.

DO NOT attempt the above test on a PBX without first checking the maintenance manuals! Shorting the wrong pair can blow out the master fuse or even an entire board on certain PBXs.

Preventative: Your demark point should be locked (most demark boxes have a provision for this), the "Telco Access Only" side should have the bolt holding it closed coated with Thread Lock or transparant nail varnish (making it openable, but the tampering will be noticed).

* Voice encryption, if the transmitter isn't built into the phone. *

Hardwire taps are direct connections between the telephone being monitored and the eavesdropper. These taps can be as simple as connecting a linesman's butt-set to the line and can be very difficult to detect.

A subclass of hardwire taps are slave devices, which are remotely controlled hardwire taps. A line slave is connected in parallel to the pair under surveillance and to the control pair, and then tucked away in a wiring cabinet or other cable access point. When the slave is activated (via MF or DTMF tones, or by voltage fed down the control pair) it creates a connection between the control pair and the pair under surveillance. Slaves are usually connected with a capacitor build-out to eliminate clicking sounds when activated.

Hardwire taps can be a real pain to find. A TDR or metallic fault locator is most useful in this capacity, but an induction probe with a high gain amplifier will suffice. Put a trace tone on your line (or play loud music into your phone) and probe your line at every splice point. If you hear the tone on more than 2 conductors (yours) the line has been split.

Line slaves are usually only detectable with a TDR.

* Voice encryption.

Soft wiretapping is a form of phone tap that works be analyzing digital information as it passes through a switching computer (either the phone company's, or a PBX). RemObs (Remote Observation) is a form of soft wiretapping implemented in the telephone company's equipment, designed for telco personnel to monitor line quality of specific pairs; which also has the potential for seamless telephone surveillance. Such a system is further delineated for law enforcement applications under CALEA (Computerized Aide to Law Enforcement Agencies).

PBXs (private branch exchanges) often have a provision for monitoring extensions. This feature can be abused by bosses, nosy co-workers, or outside surveillants with remote access to the PBX.

Something as simple as a second analog set hooked up to a line can provide a neat method for eavesdropping on a phone line.

Because RemObs is executed at the switch, it's all but impossible to detect its use without having inside knowledge of day to day switch operations. The only countermeasures to RemObs would be external encryption.

Soft wiretapping of PBXs can be detected by rifling through the PBX's programming. Features to look out for in a PBX's programming manual can be found on the phone system page.

If removal of ALL occurances of observation features from the PBX's programming and routinely auditing the programming to check for changes. Features to look out for in a PBX's programming manual can be found on the phone system page. Voice encryption. Removing all multi-line analog sets would be a wise decision. Certain PBXs have a programming provision to disallow connection of parallel connected sets, check the manuals.

Shielded telephone cables should help prevent RF floods, if they have an earth grounded drain wire.

Hook-switch bypasses are detected in a manner similar to splits, with a high gain induction probe. Probe the pair at the demark with the phone hung-up and a stereo playing next to it. If room audio is clearly heard, the phone has been compromised. Specific programming features are listed on the phone system resource page.

Replacement of the ringer with either a non resonant ringer (available from Marty Kaiser) or a phone flasher should compensate for resonant ringers. A cut-out switch to disconnect the handset from the rest of the phone unless its off hook should be added. Specific programming features are listed on the phone system resource page.

Air Force Instruction 33-220, On Hook Telephone Security http://www.p-and-e.com/Documents/AFI%2033-220%20(1%20Mar%2097).pdf

While it has become rather common knowledge that analog cellular and cordless phones can be eavesdropped on with a scanner, many people don't realize that their POCSAG beepers can also be spied on with a scanner that has a discriminator tap and the correct decoding software.

In addition to eavesdropping, cellular phones can be modified for use as surveillance transmitters. An older technique suggests simply secreting away a tiny transmitter in a particular phone, but there is a more graceful method. Some newer cellular phones have incorporated an option for automatically answering incoming calls as a safety feature while driving. This feature also opens up the possibility for modifying a cellular phone for use as a listening device. By making a few simple modifications to the phone (in the case of Nokias, shorting the handset adapter pins to the microphone), engaging auto answer and muting the phone's ringing the phone is now a perfectly serviceable transmitter, operable from anywhere in the world.

Because listening in on wireless is 'passive' monitoring, detection is generally considered impossible.

Checking a cellular phone for external bugs requires an intimate knowledge of the phone's hardware and the tools to disassemble it. Checking for programming that would make a phone into a bug requires a copy of the owners manual. Make sure ringing is set to an audible level, and that auto answer is disengaged.

Cordless phones should be avoided whenever privacy is to be assured. External encrypters are available for many cellular phones (see the voice encryption page for sources), which will reduce the threat of cellular eavesdropping.

People tape telephone calls all the time (Isn't that right, Ms. Tripp?), and for various reasons. Surreptitious recording of telephone calls is usually done with a drop-out relay, which automatically engages the recorder when the phone its connected to is taken off hook. A less sophisticated recording interface (one that is 'always on') can be easily assembled from electronic store parts. There is a schematic available at http://www.hut.fi/Misc/Electronics/circuits/tm_adapt.gif. In the US, the laws governing recording telephone calls vary from state-to-state.

A tape recorder on your end can be detected by searching for a signal from 5 to 200 kHz (emitted by the tape recorder's bias oscillator), though this method isn't foolproof. Some recording devices (the recording chip things) lack a bias oscillator. The drop-out relay itself can be detected through impedance measurements. Physical search remains the best option for tape recorder detection on your end. A tape recorder on the other person's end can't be detected through electronic means.

In Electronic Surveillance Devices, Paul Brookes suggests a technique called 'band masking' where 4 kHz noise is played into the line as a technique for protecting against tape recorders (4000 Hz[Sound1.wav - MISSING] is the ragged edge of the voice channel. Sounds at this high of a frequency are inaudible through telephone speakers, but are still transmitted down the pair). While this technique works admirably against casual eavesdroppers it has a failing; a low pass filter manufactured from a few dollars worth of parts could defeat it. So while certainly not fed proof, the average phone phreak or PI would be stumped. Band masking will prevent anyone on the other end from recording your conversation on tape as well.

* Voice encryption.

* Voltage spreaders.

Interception of fax transmissions is simpler than many people believe. While fax interception once required complex audio recording and mixing gear (such techniques may still be employed), fax intercepts can now be done with a one piece fax logging unit such as Fax Collector or certain Title III equipment. More mundane attacks of fax systems also exist, such as acquiring the thermal transfer film from a thermal fax machine (all the information that the fax has printed out is on that sheet in negative), exploitation of fax polling (where a document held in memory for users to download is surrepitiously copied) or exploitation of a store-and-forward-to-multiple-locations feature.

Fax interception can be detected as per hardwire taps, although physical search would be the most practical detection technique. Note: many businesses log their inbound and outbound faxes with fax collection systems. Checking a fax machine's programming for broadcast and polling features would require a copy of the owner's manual. Simply confirm that forwarding is disengaged or set-up securely.

Encrypting fax systems (sources are listed on the voice encryption page) will protect your faxes from interception. Setting a polling password will prevent unauthorized parties from downloading faxes in memory. If thermal (shiny paper) faxes are still in use make sure that the transfer rolls are destroyed. Not thrown out. Not torn slightly. Destroyed. Check your fax machines routinely to confirm that faxes aren't being forwarded covertly.

CIAC 2304 http://ciac.llnl.gov/ciac/documents/CIAC-2304_Vulnerabilities_of_Facsimilie_Machines_and_Digital_Copiers.pdf

Index