TUCoPS :: Phreaking General Information :: fonesci.txt

The science of Telephone Surveillance


======================================
=The Science of Telephone Surveilance=
=   Brought to you by Eric The Red   =
======================================

Wiretapping
-----------
The Telephone is always a favorite target for the potential spy as it provides
access to a capsule summary of many important decisions and transactions. It
also offers a number of easy tap-in points which may not even necessitate
premise trespass, and are generally harder to discover.

Numerous devices have been marketed by professional bugging suppliers to tap
the telephone, and in some cases, even utilize the telephone as a room bug when
not transmitting phone conversations.

Literally thousands of there devices which could be installed by almost anyone,
were sold prior to the great surveilance scare laws. Access to commercial
devices of this type is now pretty much limited to law enforcement bodies,
although there is an undeniable blackmarket for "radio repaiman specials".

Common "conference line broadcasters" sold for as little as $30 for the schlock
"private eye" suppliers in th late 60's, while a top law enforcement
counterpart brings a couple of hundred bills from the more viably financed
police and investigative departments.

The state of the art is such in wiretapping that it is possible to buy (or
build) such exotic taps as the microphone which drops into the handset of a
phone in as long of a time it takes to unscrew the cap, looks identical to the
regular microphone, and broadcasts both sides of the conversation (using the
phone's own electrical power) to a nearby FM radio.

Another popular exotic is the "infinity transmitter"; a small, cube-shaped
device which hooks into the phone and jst lies there, hibernating, one might
say, until the phone is dialed from an outside line (anywhere in the world - as
long as it is direct dialing) and a small whistle blown into the mouthpiece of
the dialing phone.

Upon "hearing" this sound the infinity transmitter stops the parent phone from
ringing, and turns on the phones own carbon microphone or uses its own to
broadcast the room's sounds over the phone line to the listening whistle-
blower.

This device was popular (for those of us who had $400 dollars to blow on such
things) gimmick for traveling businessmen who had an extension phone in the
bedroom where their wife slept...A quick call from any port would let the
listener know exactly what was transpiring in his absence.

In phone tapping, much as in most forms of surveilance, the key is the same:
Keep it simple and direct. The less complicated a system, the better the chance
of success.

Direct Taps
-----------
Phone tapping falls into two general categories; direct, meaning an actual
electrical contact from the phone or line, to the listening post, or wireless,
this latter being a combination of a phone tap and a mini-transmitter.

Direct taps are the easiest, and often the best. The quickest method of tapping
into a phone is simply to locate a good point along the phone line, strip away
the insulating cable to expose the four enclosed wires, strip away a small
piece of insulation on the two hot (red and green) wires WITHOUT CUTTING THE
WIRES, and attach a set of high impedence headphones. One side of the phones is
directed through a small .005 mfd capacitor to keep out the 48 volt phone
power.

With this simple set-up. the bugger has to go listen to the headphones whevever
a call is made on the instrument in question. The disadvantages tp this system
include spending most of one's time waiting for the phone to be used and then
rushing to the garage every time it happens...It is often difficult to explain
one's presence when discovered in such situations.

The next logical step up the ladder of progressive involvement is to add a
small inter-satge transformer along with the capacitor. The primary of the
transformer should be at least 10,000 ohms (but not over 20,000) to match the
phone lines' high impedence, the secondary should be of a near value to the
equipment it is going into.

This set-up provides a clear passageway for the audio (conversation) to pass
through, while not loading the phone line. This "not-loading" is a real factor
to consider, as a draw of over 20 mills or so might trip the central exchanges
relay (trips around 40 milliamps) and send a phone repairman scurrying to the
scene of the crime.

This output can be fed directly into a tape recorder, eliminating the
crouching-at-the-phone syndrome. However, one must still endeavor to turn the
recorder on and off at the proper moments, as task sometimes easier said than
done.

To eliminate this final problem, one adds a tiny bit of sophistication; the
drop-out relay. This is a small device that senses the condition of the phone
line in question, and, through the remote start feature found on most modern
tape recorders, turns the recorder on when the phone is lifted off of its
cradle. This, of course, limits the waste of tape, and needs attention only
when necessary to turn over or install more tape.

Another, more esoteric value of this set-up is the fact that it is probably the
kind of thing used to tape record all the calls made out of the White House.
Now, this in no way reflects on the quality of quality of the recordings
obtained, with a bit of care one would not find any unexplained gaps in the
tape...

It is possible to employ any of these methods at any point along the "pair",
either as it leaves the phone, before the surge protector, on the drop cable
running to the telephone pole, or at the terminal or junction boxes located on
the pole or in the building's garage or basement.

The telephone instrument itself can be used as a microphone by any number of
simple alterations (the addition of the infinity transmitter being the most
common). Any of these alterations will allow the+;;+F{FK#+sF{&{{kkconversation when the phone is on the hook. To use either of these alterations,
the bugger simply connects a sensitive amplifier anywhere on the phone line.

1) The most common is to place a resistor across the hookswitch (this is the
switch activated by the placing of the phone on its cradle). The resistor must
be fairly low as to not throw the trip relay in the central station. This
set-up allows a bit of current to trickle through the microphone and activate
it, sending the conversation down the line much as an ordinary phone call will
do, albeit at a lower level.

2) A capacitor can be installed across one side of the hookswitch allowing a
bit of audio to pass on by, but keeping the DC current where it belongs.

In both of these applications, one side of the double pole hookswitch must be
shorted out, leaving the open side to accept your device.

Near Direct
-----------
There is one other form of almost direct tap - the induction pick-up. These can
be commercially purchased in electronics shops for a couple of bucks and are
designed to be fed into a home tape recorder. They have a few important
limitations? they must be physically attached to the phone, usually near the
base or sidetone coil, to work properly, and also the volume level is not the
best, and they are subject to AC hum from nearby electric devices.

A way around some of these limitations is to hide the induction coil in some
little object (desk blotter, pen set, etc.) that may be placed near the phone,
and then employ a small, direct-coupled amplifier to beef up the weak signals.
In this manner, the induction pick-up becomes a bit more practical as it and
the amplifier (and in some cases, the tape recorder) can be concealed in a
drawer under the phone, or in a nearby artifact.

Commercial hidden induction units are sold by the usual law enforcement
suppliers cleverly secreted in such things as fake flowers (which only
reinforces my dislike for plastic flowers), desk blotters, picture frames, etc.
Most induction pick-ups have a small suction cup attached to make it easy to
attach to the phone. Many pick-ups will even work on an extension phone even if
though the extension phone is still lying peacefully on its cradle.

It is also possible to use a powerful induction tap near the phone line, but a
real beefy amp must be employed and this sort of thing never works out quite
like the spy movies would have us believe: be practical, stick to direct routes
when possible.

A real classy method is to put the induction pickup INSIDE the phone, and have
its leads run to the two unused (black and yellow) wires, where the bugger can
use a normal bug to these two wires (but only in parallel) without ever making
any contact with the main line.

Wireless
--------
The other approach of the problem of not knowing what is said over your
neighbor's phone is to secrete a small transmitter in the phone, or along the
line, which broadcasts the conversation to a nearby reciever/tape recorder.

Telephone Tap Detection
-----------------------
Only the most amateurish wiretapper would betray his (or her) presence by
producing spurious noises, i.e., "clicks" on a telephone line while in use.
Most line noise is a naturally occurring phenomenon which does not indicate the
presence of a third party on the conversation.

Therefore, bug fighting requires more than a mere surface understanding of the
game. To begin the process, one should have more than a passing grasp of the
dear old telephone company itself.

Telephone exchanges use a 48-volt DC power to operate their equipment. The
phone is rung by inserting an AC ringing of about 20 cycles. The central telco
office contains a series of frames wherein each subscriber's wires are attached
to a set of contacts and a system of relays.

Your instrument is basically a microphone/earphone combination, a bell, a large
coil (near the base of the phone) known as a sidetone coil, and a relay.

When the phone is on the hook, this relay is open. When you lift the reciever
up from its cradle, the relay contacts are closed (in effect you are just
closing a switch). When you dial, this relay is opened and closed a number of
times (on a rotary phone). The central relay reads this series of openings and
closings and then connects you to the proper set of contacts to reach the
number you are dialing. On a tone phone, the tones sent down the line are
decoded by the central office and you are hooked up.

When your wire leaves the main office, it is in a cable containing many similar
wires, or "pairs" (it takes two wires for every phone). This cable comes to
your pole where it goes into a junction box, and then to your house or
apartment. When the pair reaches your residence, it comes to a device known as
a surge protector. At this surge protector a third wire is added. This third
wire is in the middle of the other two and is the ground wire.

From the surge protector the three wires (and sometimes a fourth, non-used one)
run into your telephone. A number of bugging devices can be utilized in just
about any of the aforementioned areas to record and/or transmit your phone
conversations, and sometimes even just room conversations.

Types of Bugs
-------------
One of the most common types of bugs for the teley is the line powered parallel
bug. This type of bug draws its power directly from the line and radiates a
constant signal, whether the phone is in use or not. Its major advantage is
lack of batteries (it can conceivably run for years). Its major disadvantages
are: the constant signal makes it easier to detect, and the current it draws
can often be measured.

This unit can be installed anywhere on the phone line (even on the pole) or in
the phone itself. Although the in-the-phone mounting is considerably harder to
effect due to limited access, it has the advantage of only operating when the
phone is in use.

This type of bug can also be battery powered. This means a better range, and
less chance of detection, but a much shorter life, or battery replacement at
selected intervals.

A series bug is even more common. This unit requires the installer to actually
cut the phone wire (rather than just attaching as in a parallel bug) and
install the unit, but it only works when the phone is in use, and does not load
the phone line at all when the phone is not in use, meaning the chances of the
phone company detecting it are considerably smaller.

By utilizing a phone induction pickup (purchased at tape recorder stores for a
couple of bucks) a bugger can actually tap a phone without any installation
other than proper placement. The problems here are that the pick-up should be
placed near the side tone of the phone itself (or an extension phone) and the
output must be amplified before recording or transmitting. This type of tap is
alos much more likely to pick up hum and generally be hard to understand.

The commonest method of phone tapping is to simply connect a set of high
impedence headphones through a capacitor onto the phone lines, or add a small
matching transformer and go right into a tape recorder. This set up will record
both sides with amazing clarity. If a drop-out relay is added (or a voice
operated relay such as a VOX) to the tape recorder, it will only operate when a
call is being made, thereby conserving tape and power.

There are a number of things one can do to help eliminate the chances of phone
conversations being overheard by outside parties. These range from the simple,
and as one might excpect, up through the very complicated. The chances of
detection increase with the complexity, BUT if the bug is a fairly amateurish
(non-FBI, that is to say) job, a few simple approaces will probably turn it up.

Phone Company
-------------
The Phone Company will help to some degree (assuming they are ot the ones doing
the bugging - Ma Bell has done more than her share of this sort of thing,
either for her own records or by leasing equipment and lines to law enforcement
agencies...)

If a bug draws more than 40 milliamps of current it will automatically trip the
central office relay, alerting Ma to some problem which needs the attention of
a repairman, however, no pro or even semi-pro is going to install anything that
will eat up this kind of power. You can call the phone company and ask them to
run a check on your line for possible bugging and they will run a current check
(anything over a 1 milliamp loss makes them suspicious) and listen for hum,
unusual crosstalk, or other alarming symptoms. A simple check like this will
often do the job...and best of all, it's free.

Telephone company will often also dispatch a special investigator to check out
the line in person. If a tap is dicovered, the telco will remove it, restoring
the customer's privacy, but will not help in finding, or the possible
prosecution or the tapper(s).

If the tap does not tresspass on telco property (i.e. and inductive tap) they
might not even wish to remove it, but will show it to you or refer you to local
law enforcement bodies, assuming LOCAL LAW ENFORCEMENT BODIES DID NOT PLACE THE
TAP...THE PHONE COMPANY WILL NOT FINK ON ITSELF OR LEGAL, "AUTHORIZED"
AGENCIES...

Whether you elect to utilize the services of the friendly phone company or not,
you should also plan on a self-search. This is done by examining the phone and
its wires with a deft hand. Start with the wires...

Trace your phone wire to its wall plug and then from there throughout the
basement, or wherever to the surge protector. See another little wire attached
along the way and running into boxes or cabinets? Anything placed against the
wire that could be a tap? Check out your "pair" into the junction box if
possible (this is especially easy if you live in an apartment where the
junction box can be quickly located). Any funny little wires or little gizmos
hooked onto your pair?

Countermeasures
---------------
If you suspect you are the victim of an unauthorized telephone surveilance
campaign, there are a few things you can do to lower your risks:

Keep your phone(s) locked up in a drawer when not in use and deny access to
your premises to anyone, including cleaning people, without your constant
surveilance. Always check any "repairm

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH