

Phone Bugging and Modifications


If you are reading this then you probably have a telephone, and if you have a telephone you already have an excellent bugging device installed in your home or office.

In many cases nothing has to be done to the telephone to turn it into an excellent room bug due to design flaws, but in most cases a simple capacitor (at a cost of three cents) can be installed and a wire snipped to turn your telephone into a very high quality eavesdropping device.

Telephones have microphones, speakers, ringers, microphonic transducers, and power, all of which can provide everything an eavesdropper needs to listen in on your business or personal affairs.

What follows are a few of the hundreds of things an eavesdropper can do to very simply turn your normal telephone into an excellent surveillance device.


Native or Friendly Threats
Cellular and cordless telephones by their very nature emit large amounts of RF energy which may then be intercepted at fairly large distances. Even the new, so-called "secure" digital spread spectrum, TDMA, CDMA, PCS, GSM, and similar telephones may be easily intercepted with only a few dollars of parts. The rule is that "If it has an antenna, then it is not secure, period!"

Many modems, telephones, and speaker phones also emit RF energy when in use; this energy may be easily intercepted by an eavesdropper using an inexpensive radio receiver or police scanner.

The speaker phone systems made by Lucent, Panasonic, U.S. Robotics, and others have a history of "compromising emissions". One of these phones ordered right from the factory (with no modifications) will often transmit RF energy which may be easily intercepted several hundred feet away. Depending on the specific model, the speaker phone may transmit room audio while on hook or off hook, or not at all. If you have a speaker phone in your office be sure to always unplug or remove it prior to any sensitive meetings.

Many data and fax modems (Practical Peripheral, Motorola, Rockwell, etc.) also transmit RF energy when in normal use. This allows an eavesdropper to easily intercept and monitor the signal at a considerable distance. Often all that is needed to monitor the signal is a modified twenty dollar FM radio. For example, an unmodified Practical Peripheral 28.8 modem transmits a strong RF signal in the 120-130 MHz range which can be picked up remotely, hundreds of feet away.

Fax machines may also do this; when a confidential document is sent to your client, you may also be broadcasting it to an eavesdropper. This is a serious problem with Sharp, Canon, HP, and other fax machines.

When you engage a TSCM firm be sure you have them evaluate your speaker phones, modems, and fax machines for any kind of design flaw which could be transmitting your confidential information to anybody who is interested in listening.


RF Transmitter
This is the classic phone bug: a small RF transmitter is attached to the phone line. Power may be supplied by the current already on the phone line or from a small battery. Most devices of this nature only transmit when the phone is lifted off of the switch. Such a device may also be concealed inside the actual telephone, or attached to the wiring inside the targeted building.

RF Transmitter with Microphone
This is similar to the above device, but it has its own microphone, and is typically installed inside the telephone. Such a device is normally considered a room bug. This type of device transmits an RF signal over the phone or power lines (9 kHz to 500 kHz is common, but the signal may be as high as 450+ MHz).

Infinity Transmitter or Harmonica Bug
An older device, which is attached to a telephone and, when called from an outside telephone, would enable the caller to listen in on room audio. Considered obsolete, but still sold in spy shops.


Recorder Starter or Drop Out Relay
This is little more than a device that detects the voltage or current change caused when the handset is lifted off of the hook. Its purpose is to activate a tape recorder hidden nearby. Some recorder starter devices may also detect sound, and activate if sound is detected on the line.

This type of device is popular with private investigators and "Walter Mitty wanna-be spies". The product may be purchased at Radio Shack or other electronics stores for under twenty dollars.

Slave or Bypass Device
This type of device provides electrical isolation between a target line and an eavesdropper, which provides a low level of security against detection. This type of device is popular with the law enforcement community (both legally and illegally), but easy for a skilled TSCM specialist to find.


CO/REMOBS Monitoring (Central Office Remote Observance)
Allows the phone company or government agency to legally tap or monitor your phone. The computer that handles phone service to your local area is instructed to transmit a digital copy of all of your calls to a secure listening post (which can be located anywhere in the world). This also refers to various taps placed inside the central office.

All that is required to do this is access to the ESS translation, and a T-Carrier or OC-xx data line (a normal "loop" line is rarely used). With a 622 mb fiber optic line an eavesdropper can easily access, and listen in on, over 11,100 lines at a time in a local area. For a small level of eavesdropping a simple leased line and a bridge can be used, but for a full scale eavesdropping project tapping right inside the phone company's building is ideal.

This function of the phone system is very loosely controlled, as the maintenance people at the phone company use it for routine maintenance. Computer hackers and phreakers can and have easily accessed the system and listened to private calls, or manipulated the line in other ways. Private investigators and insurance companies have also been known to illegally use this system to gather information on targets.


Hookswitch Bypass Methods
Inside the telephone is a switch (the hookswitch) that disconnects and shorts out the microphone in your telephone handset when the telephone is hung up. If the telephone circuitry is slightly modified (cut one wire and then install a three cent part) the microphone will be "hot" all the time. If the microphone is hot all the time, then the eavesdropper can go anywhere outside that area, plug an audio amplifier into the phone line, and get excellent quality room audio. It is effectively the same as installing a microphone or eavesdropping device in the room or building (but no actual bug is used).

Several telephone systems lack a hookswitch mute circuit (such as the cheaper phones made by Northern Telecom, Toshiba, and several others). This allows an eavesdropper to perform a technical surveillance without actually gaining access to the area (such as a hotel room) or performing any type of modifications to the telephone.

Several types of Common Hookswitch Bypass Methods:


One of the activities that a TSCM specialist will conduct during an inspection is the careful analysis of every telephone instrument being used in the area in question. The TSCM specialist will use electronic test equipment to verify the electronic characteristics of both the telephone instrument and the associated wiring. This will then be followed by a careful physical examination of the telephone (and surrounding area) to further identify other potential security risks or anomalies.

An inspection of this nature should be performed on a quarterly basis, and only by a reputable TSCM firm, and should include all phones or other electronics used for confidential discussions. Such an inspection should include all areas where sensitive work is done, executive offices, conference rooms, and related support areas.


If you are concerned about covert eavesdropping or wiretapping, then it would be wise to contact Granite Island Group, or another TSCM firm, and schedule a "Bug Sweep" or TSCM Inspection. However, do not call from a suspect telephone, cellular telephone, or cordless phone, and understand that it is critical to get someone out to your location as quietly and as quickly as possible.


Copyright ©2002, Granite Island Group