Phone Bugging and Modifications
If you are reading this then you probably have a telephone, and if you have a telephone you already have an excellent bugging device installed in your home or office.
In many cases nothing has to be done to the telephone (e.g., Northern Telecom) to turn it into an excellent room bug, but in most cases a simple capacitor (at a cost of three cents) can be installed and a wire snipped to turn your telephone into a very high quality eavesdropping device.
Telephones have microphones, speakers, ringers, microphonic transducers, and power, which together provide everything an eavesdropper needs to listen in on your business or personal affairs.
What follows are a few of the hundreds of things an eavesdropper can do to turn a telephone into an excellent surveillance device.
Native or Friendly Threats
Cellular and cordless telephones by their very nature emit large amounts of RF energy, which may then be intercepted at fairly large distances. Even the new "secure" digital spread spectrum telephones may be easily intercepted with only a few dollars of parts available at any Radio Shack.
Many modems, telephones and speakerphones also emit RF energy when in use; this energy may then be easily intercepted by an eavesdropper using inexpensive radio receivers.
The speakerphone systems made by Lucent, Panasonic, U.S. Robotics, and others have a history of "native emissions". One of these phones ordered right from the factory (with no modifications) will often transmit RF energy which may be easily intercepted several hundred feet away. For example, many of the Merlin speakerphones emit an RF (NFM) signal around 300 MHz.
Many data modems (Practical Peripheral, Motorola, Rockwell, etc.) also transmit RF energy when in normal use. This allows an eavesdropper to easily intercept and record the signal at considerable distance. Often all that is needed to monitor the signal is a modified twenty dollar FM radio. For example, an unmodified Practical Peripheral 28.8 modem transmits an RF signal in the 120-130 MHz range; the signal is wide FM modulated, with several pulse modulated components.
Fax machines may also do this: when a confidential document is sent to your client, you may also be broadcasting it to an eavesdropper. This is a serious problem with Sharp, Canon, HP, and other fax machines.
RF Transmitter
This is the classic phone bug: a small RF transmitter is attached to the phone line somewhere outside the facility. Power may be supplied by the current already on the phone line or from a small battery. Most devices of this nature only transmit when the phone is lifted off the switch.
RF Transmitter with Microphone
This is similar to the above device, but it has its own microphone, and is typically installed inside the telephone. Such a device is normally considered a room bug. This type of device transmits an RF signal over the phone or power lines (9 kHz to 750 kHz is common, but the signal may be as high as 450+ MHz).
Infinity Transmitter or Harmonica Bug
An older device which is attached to a telephone and, when called from an outside telephone, enables the caller to listen in on room audio. Considered obsolete, but still sold in spy shops.
Recorder Starter/Drop Out Relay
This is little more than a device that detects the voltage or current change caused when the handset is lifted off the hook. Its purpose is to activate a tape recorder hidden nearby. Some recorder starter devices may also detect sound, and activate if sound is detected on the line.
This type of device is popular with private investigators and "Walter Mitty wanna-be spies". The product may be purchased at Radio Shack or other electronics stores for under twenty dollars.
Slave or Bypass Device
This type of device provides electrical isolation between a target line and an eavesdropper, which provides a low level of security against detection. (Popular with law enforcement.)
CO/REMOBS Monitoring (Central Office Remote Observance)
Allows the phone company or government to legally tap or monitor your phone. The computer that handles phone service to your local area is instructed to transmit a digital copy of all of your calls to a secure listening post (which can be located anywhere in the world).
All that is required to do this is access to the ESS translation, and a T-Carrier or OC-xx data line (a normal "loop" line is rarely used). With a 622 Mb fiber optic line an eavesdropper can easily access, and listen in on, over 11,100 lines at a time in a local area.
This function of the phone system is very loosely controlled, as the maintenance people at the phone company use it for routine maintenance. Any computer hacker or phreaker can easily access the system. Private investigators and insurance companies have also been known to illegally use this system to gather information on targets.
Hookswitch Bypass Methods
Inside the telephone is a switch (the hookswitch) that disconnects and shorts out the microphone in your telephone handset when the telephone is hung up. If the telephone circuitry is slightly modified (cut one wire and then install a three cent part) the microphone will be "hot" all the time. If the microphone is hot all the time then the eavesdropper can go anywhere outside that area, plug an audio amplifier into the phone line, and get excellent quality room audio. It is effectively the same as installing a microphone or eavesdropping device in the room or building.
Several telephone systems lack a hookswitch mute circuit (such as the cheaper phones made by Northern Telecom, Toshiba, and several others). This allows an eavesdropper to perform a technical surveillance without actually gaining access to the area (such as a hotel room) or performing any type of modifications to the telephone.
Several types of Common Hookswitch Bypass Methods:
One of the activities that a TSCM specialist will conduct during an inspection is the careful analysis of every telephone instrument being used in the area in question. The TSCM specialist will use electronic test equipment to verify the electronic characteristics of both the telephone instrument and the associated wiring. This will then be followed by a careful physical examination of the telephone (and surrounding area) to further identify other potential security risks or anomalies.