Using phones as remote controlled bugging devices.

There are two reported methods for using an unmodified telephone as a remote-controlled bugging device.

  • One is called frequency flooding and has been known for a long time. This analogue technique requires physical access to the target's telephone line and therefore cannot be used on a large scale. It is probably also best suited to older telephones that contain no electronics.
  • The other method has its earliest reference in a 1986 document, but it reached a broader audience in January 1998 when it was included in a report to the European Parliament. It would affect only modern ISDN phones. This digital method is technically more advanced, and it is difficult to find references that prove whether it exists at all.
  • Please send comments or additional information on the questions at the bottom to Laszlo Baranyi, lb@qainfo.se.

    ISDN phones

    A report dated 6 January 1998, titled "An Appraisal of Technologies of Political Control", has been sent to the European Parliament's Civil Liberties and Interior Committee. It comes from the European Parliament's department for Scientific and Technological Options Assessment (STOA).

    One chapter in the report warns that an ISDN phone can be turned into a bugging device. But the claim is not backed by any reference to the CCITT recommendations, so that chapter of the report cannot be verified. Other researchers can use my notes on how far I got in tracking the references behind this claim.
     

    "4.4 National & International Communications Interceptions Networks
    Modern communications systems are virtually transparent to the advanced interceptions equipment which can be used to listen in. Some systems even lend themselves to a dual role as a national interceptions network. For example the message switching system used on digital exchanges like System X in the UK supports an Integrated Services Digital Network (ISDN) protocol. This allows digital devices, e.g. fax, to share the system with existing lines. The ISDN subset is defined in their documents as "Signalling CCITT I-series interface for ISDN access". What is not widely known is that built in to the international CCITT protocol is the ability to take phones 'off hook' and listen to the conversations occurring near the phone, without the user being aware that it is happening. (SGR Newsletter, No.4, 1993) This effectively means that a national dial up telephone tapping capacity is built into these systems from the start. (System X has been exported to Russia and China) Similarly, the digital technology required to pinpoint mobile phone users for incoming phone calls, means that all mobile phone users in a country when activated, are mini-tracking devices, giving their owners whereabouts at any time and stored in the company's computer for up to two years. Coupled with System X technology, this is a custom built mobile track, tail and tap system par excellence. (Sunday Telegraph, 2.2.97)"


    Tracking the origin of the reference on telephone bugging (SGR Newsletter, No.4, 1993)
    The source reference "SGR Newsletter, No.4, 1993" is reproduced below with the approval of its author, Alasdair Phillips. It was first published in New Scientist on 3 July 1993. New Scientist has a large circulation (over 100 000 copies), is stocked by most public libraries in the UK and by many European university libraries, and is sold around the world.

    The abbreviation SGR stands for Scientists for Global Responsibility, http://www.gn.apc.org/sgr/ However, their list of SGR Publications does not include this newsletter. I received the article after emailing, for the attention of Kate Maloney, Administrator, sgr@gn.apc.org. The organisation can also be contacted at:
    Unit 3, Down House, The Business Village, Broomhill Road, LONDON SW18 4JQ.
    Tel.: + 44 181-871 5175.

    --- Start of article in SGR Newsletter, No.4, September 1993, page 7. ---

    "Telephone Tinkling

    Over recent months there have been various bits in New Scientist about telephones giving out odd tinkles. I wrote them a letter, which they printed on 3rd July. It is reproduced here for SGR readers:
    Dear New Scientist Letter Editor,
    A little tinkling in the night
    Just to check your lines are all right,
    A little tinkle in the day
    just to listen to what you say...
    I have read with interest your comments in recent months on the telephone tinkling phenomenon. I have some further information.
    The UK telephone network now supports the Integrated Services Digital Network (ISDN) protocol. This allows digital devices (eg FAX) to share the system with existing phones. The ISDN sub-set that BT implements is defined in their document BTNR 191, "Signalling CCITT I-series interface for ISDN access".
    On modern tone-dialling phones, the "ringing" is controlled by the local controller chip rather than a high voltage ringing signal from the exchange. The network indicates the arrival of a call to your phone by sending a SETUP message. This is the start of an electronic conversation between your phone, fax or modem with the exchange, and is how BT can check your line without the phone ringing (hopefully!). The Subscriber Line Interface Circuit, which holds this conversation on your behalf, powers the analogue telephone and controls the ringing, the on/off hook supervision, and call barring and diversion facilities.
    Built into the international CCITT protocol is the ability to take your phone 'off hook' and listen to conversations occurring near the phone without the user being aware this is happening. BT states that this is not implemented in the UK system, but then they also deny that our transatlantic calls are monitored by the US security services at Menwith Hill. It is difficult to find the truth in areas considered to be of National Security.
    In the meantime if you want to keep your secrets safe - remember that someone may be listening to your every move! This includes office PABX phones and is even a publicised feature in some.
    Yours sincerely,
    Alasdair Philips
    --- End of article in SGR Newsletter, No.4, September 1993, page 7. ---





    The source for the article was a British Telecom document, which was classified and is thus not generally available. With the details given, it should be possible to double-check them against the actual ISDN specifications, but those are expensive, and it also takes a CCITT guru to find the right place in the standard.

    I talked with a person (A.H.) knowledgeable in the signalling area at the Swedish telecom operator, Telia. As far as he could tell, this functionality at least does not exist in the Swedish telephone network. Below are my notes of how I understood him, but since the topic of signalling protocols in telephone networks is totally outside my competence, I might have misunderstood the explanation.
    1) When a telephone receives a SETUP message from the exchange, it responds with a ring signal to notify the called party (in telephone terminology the B-subscriber, Swedish B-abonnent) that someone is calling. This phase, while the telephone is ringing, is called the ALERT phase.
    2) Even if the telephone (for some reason) does not notify the called party, B, with a ring signal, it would require a command at the telephone operator's exchange to order a connection mode called "through connection", "switch through" or "cut through". These are different words for the same thing; in Swedish it is called "genomkoppling". This gives a straight line during the ringing phase. That is, while the caller (the A-subscriber) is listening to the ring signals that are supposed to be heard by the called party, B, on the other side, the caller, A, can hear something between the ring signals. But that sound originates in the local exchange, for example one inside a company, and not from the called party B's telephone. Therefore this special connection mode is not useful for listening to a conversation in a room. A side effect of this special connection mode is that sound between the two end lines can be transferred without any cost, so it is not a desirable connection mode.
    3) This special connection mode lasts only during the ringing phase. After 180-190 seconds the telephone network automatically ends the ALERT phase, to avoid a situation where a telephone rings forever. This ends the connection, and a new call has to be made in order to continue.

    Later, after the conversation with A.H., Mr. Alasdair Phillips wrote to me the following information, which I was given permission to reproduce here.

    "It is possible for the telephone service provider to call a telephone on the network and check if the phone is OK without the bell or buzzer sounding. This is done on an acknowledged regular basis by the service providers to check out their system - in most cases they can then pre-set the phone to dial back out to check that the calling process is also working. The user is completely unaware of this as it all happens silently, but sometimes you may see "test units" cost credited to your telephone bill if the 'dial-back' test is used. BT used to show this but I think they have now stopped as too many people were querying what these "test units" were!

    Once they have called a telephone and suppressed the ringer they have access to a number of features depending on the make and model of the telephone. On old telephones the handset "hook switch" - the switch that apparently turns the telephone off when the handset is replaced - did actually do that. It physically connected the incoming line to the bell circuit. On modern phones it does nothing of the sort. It is only a line into the phone's simple microprocessor chip - all the audio circuits are effectively still "live". So, once they have called up the phone and inhibited the ringer from working they can just tell the microcontroller chip to connect the microphone signal to the outgoing line and thereby listen in to everything that can be heard in range of the phone!

    All the telephone operators say is that "this facility is not implemented in our system" - however the facility is there(!) and they could use it if they wanted to. I am not sure if the controllers in the very simplest phones have this ability programmed in to them - i.e. the ability to recognise the command to connect the handset signals when the handset is on the rest switch.

    The "Switchhook" information element is defined in CCITT Q.931. It can be read remotely and has the facility to be remotely "overridden" if that function has been implemented in the phone. The trouble is that the information elements are many and complex. They include bearer capability, cause, call identity, call state, channel ident, display bytes, keypad data, called party number, caller number, high layer compatibility, etc.

    Extracted from British Telecom Network Requirement No.191,Iss.1,Dec.1986
    --------------------------------------------------------------------

    "When a CALL is made to a subscriber terminal (eg a phone) a CONNect message is sent across the user-network interface to the caller. This message indicates to the caller that a connection has been established through the network and stops a possible local indication of alerting (ie ringing). At this time the call enters the ACTIVE state. Once reliable communications have been established a layer 3 message (SETUP) is sent. SETUP may include optional Supplementary Services Control Messages at the data link layer if the receiving subscriber terminal has that capability."

    "Layers 2 and 3 Protocols for testing and maintenance"
    "These are special procedures intended for testing and maintenance purposes such as activation/deactivation of loops, routine tests built in to the subscriber terminals (called SELF-TESTS), and access to functions and entities not used in normal call control."
    "Testing and maintenance protocols make use of a special Service Access Point Identifier [SAP(62)] which is different from the Management SAP(630) and has a special protocol discriminator at level 3."
    "Maintenance shall transmit a MAINTENANCE-INQUIRY message to the Data Link Layer using the primitive MDL-UNITDATA-REQUEST and shall receive responses by means of the MDL-UNITDATA-INDICATION. The SAPI value of the layer 2 frames shall be set to 62 and the TEI value to 127."

    -------------------------------------------------------------

    As you can understand from reading the text above it is quite possible to switch the phone into an "off-hook" surveillance mode using these facilities. I do not have the time, energy or funding to dig deeper into this to try to obtain documentary proof, but in any case I imagine it will be effectively hidden in maintenance / test procedure codes. There is no way (and no need) for them to admit in words what can be achieved for covert purposes by using simple test procedures! The best thing would be to try to get a demonstration going with a phone driven from a computer into the various test modes, but without "insider information" it would be likely to take so much time, effort and money to work out the codes needed.

    Yours sincerely, Alasdair"
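    The letters and BTNR 191 extracts above describe the signalling flow (SETUP, ALERTING, CONNECT), the Q.931 "Switchhook" information element, and a separate maintenance path addressed with SAPI 62 and TEI 127. The Python below is an added example, not code from this page, from BT or from the CCITT documents: it decodes hand-constructed LAPD (Q.921) frames, parses the Q.931 message inside, and flags what an engineer watching the S/T bus would want to see flagged, namely maintenance-addressed frames and any Switchhook element. The sample frame bytes, the bearer-capability coding, the TEI value 64 and the Switchhook octet coding are my assumptions; the MAINTENANCE-INQUIRY payload is not given on the page, so maintenance frames are recognised by their address field alone.

```python
"""Decode ISDN D-channel frames (LAPD, Q.921) and the Q.931 messages they carry.

Added example, not from the original page nor from BT or CCITT documents.
It demonstrates the call-control flow discussed on the page (SETUP, ALERTING,
CONNECT), the Switchhook information element, and the maintenance addressing
quoted from BTNR 191 (SAPI 62, TEI 127).  The frames are constructed by hand;
the LAPD FCS is assumed to have been checked and stripped already, and the
MAINTENANCE-INQUIRY payload is not given on the page, so maintenance frames
are recognised by their address field alone.
"""

SAPI_CALL_CONTROL = 0
SAPI_MAINTENANCE = 62        # BTNR 191 testing and maintenance SAP (page quote)
TEI_MAINTENANCE = 127        # TEI the page quotes for maintenance frames

Q931_PD = 0x08               # Q.931 protocol discriminator
MSG_TYPES = {0x01: "ALERTING", 0x02: "CALL PROCEEDING", 0x05: "SETUP",
             0x07: "CONNECT", 0x0F: "CONNECT ACKNOWLEDGE", 0x45: "DISCONNECT",
             0x4D: "RELEASE", 0x5A: "RELEASE COMPLETE", 0x7B: "INFORMATION"}
# Codeset-0 information element identifiers (Q.931 Table 4-3).  0x36 is the
# Switchhook element Phillips' letter refers to.
IE_NAMES = {0x04: "Bearer capability", 0x08: "Cause", 0x18: "Channel identification",
            0x28: "Display", 0x2C: "Keypad facility", 0x36: "Switchhook",
            0x6C: "Calling party number", 0x70: "Called party number"}


def parse_lapd(frame):
    """Return SAPI, C/R bit, TEI and the layer-3 payload of one LAPD frame."""
    if len(frame) < 3:
        raise ValueError("frame too short for a LAPD header")
    if (frame[0] & 1) != 0 or (frame[1] & 1) != 1:
        raise ValueError("bad address extension bits")
    sapi = frame[0] >> 2          # bits 8..3 of the first address octet
    cr = (frame[0] >> 1) & 1      # command/response bit
    tei = frame[1] >> 1           # bits 8..2 of the second address octet
    # I- and S-frames carry a 2-octet control field; U-frames (bits 2..1 = 11),
    # such as UI used for unacknowledged maintenance data, carry one octet.
    ctrl_len = 1 if (frame[2] & 0x03) == 0x03 else 2
    return {"sapi": sapi, "cr": cr, "tei": tei, "payload": frame[2 + ctrl_len:]}


def parse_q931(payload):
    """Decode protocol discriminator, call reference, message type and IEs."""
    if len(payload) < 3 or payload[0] != Q931_PD:
        raise ValueError("not a Q.931 message")
    cr_len = payload[1] & 0x0F
    pos = 2 + cr_len
    msg = {"call_ref": payload[2:pos].hex(),
           "type": MSG_TYPES.get(payload[pos] & 0x7F, "UNKNOWN"),
           "ies": {}}
    pos += 1
    while pos < len(payload):
        ie_id = payload[pos]
        if ie_id & 0x80:          # single-octet IE (shift, more data, ...)
            pos += 1
            continue
        ie_len = payload[pos + 1]
        msg["ies"][IE_NAMES.get(ie_id, "IE 0x%02x" % ie_id)] = payload[pos + 2:pos + 2 + ie_len]
        pos += 2 + ie_len
    return msg


def classify(frame):
    """One line per frame: ordinary call control, the maintenance path, or a
    Switchhook element (the remotely readable hook state) inside a message."""
    hdr = parse_lapd(frame)
    if hdr["sapi"] == SAPI_MAINTENANCE and hdr["tei"] == TEI_MAINTENANCE:
        return "MAINTENANCE: SAPI 62 / TEI 127 frame, outside normal call control"
    if hdr["sapi"] != SAPI_CALL_CONTROL:
        return "OTHER: SAPI %d" % hdr["sapi"]
    msg = parse_q931(hdr["payload"])
    if "Switchhook" in msg["ies"]:
        # Hook value in bits 4..1 of octet 3: 0 = on hook, 1 = off hook (assumed
        # Q.931 coding; only the presence of the element matters for the check).
        hook = msg["ies"]["Switchhook"][0] & 0x0F
        return "SWITCHHOOK in %s: hook value %d" % (msg["type"], hook)
    return "CALL CONTROL: %s" % msg["type"]


# Constructed frames (no FCS).  Network -> user SETUP on SAPI 0, TEI 64, with a
# bearer capability (speech, 64 kbit/s, A-law) and called number "123".
SETUP_FRAME = bytes([0x02, 0x81, 0x00, 0x00,
                     0x08, 0x01, 0x01, 0x05,
                     0x04, 0x03, 0x80, 0x90, 0xA3,
                     0x70, 0x04, 0x81, 0x31, 0x32, 0x33])
# User -> network INFORMATION message carrying a Switchhook element (off hook).
SWITCHHOOK_FRAME = bytes([0x00, 0x81, 0x02, 0x00,
                          0x08, 0x01, 0x81, 0x7B,
                          0x36, 0x01, 0x81])
# UI frame on SAPI 62 / TEI 127 as BTNR 191 prescribes for maintenance; the
# two payload bytes are a placeholder, the real encoding is not on the page.
MAINTENANCE_FRAME = bytes([0xFA, 0xFF, 0x03, 0x00, 0x01])


def audit(frames):
    """Classify a captured sequence of D-channel frames."""
    return [classify(f) for f in frames]


if __name__ == "__main__":
    for line in audit([SETUP_FRAME, SWITCHHOOK_FRAME, MAINTENANCE_FRAME]):
        print(line)
```

    The point of the check is that the maintenance path is distinguishable on the wire: whatever a MAINTENANCE-INQUIRY actually carries, it does not travel on the call-control SAP, so a passive monitor on the S/T bus can at least tell when that path is being used, and can log any Switchhook element the network reads from or sends to the terminal.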
     
     

    Other sources/memory notes to check for further investigation.
    BTNR 191 is the British ISDN protocol. Simulators can be bought from Digital Engineering Ltd. Sweden and several other European countries use an ISDN protocol called Euro-ISDN. The obvious question is whether the bugging capability is unique to the UK, or whether the whole of Euro-ISDN, and thus Sweden, is also affected.

    BT is the abbreviation for British Telecom.
    Dan Kegel's ISDN Page contains many links to further technical information about ISDN.
    The Swedish telecom operator Telia's ISDN pages (general information and advanced technical documentation about ISDN) seem relevant:
    "The intention of this set of specifications is to give the designers and suppliers of ISDN terminal equipment a description of the services which are implemented in Telia's ISDN, the communication protocols that are supported and the possibilities to interwork with networks other than the ISDN. "

    Definition of SLIC, Subscriber Line Interface Circuits.
    "Connects the two wire analogue world to the CODEC/filter on the line card that brings the voice signal into the digital domain. Principal functions include line current feed, voice signal transmission and detection of subscriber signalling."

    Datasheets of subscriber line interface circuits:
    MT8910-1 Digital Subscriber Line Interface Circuit
    AMS2006 - Subscriber Line Interface Circuit, Data Sheet
    HC5517B, Short Loop Ringing SLIC Subscriber Line Interface Circuit, FN4404.1
    L3037QN Subscriber Line Interface Circuit
    Ericsson's product range


    Frequency Flooding turns an ordinary phone into a listening device?

    Frequency flooding is the name of a technique that is claimed to make it possible to use a telephone as a bugging device. No modification of the telephone is needed. This is most probably not the same method as the one described in the European Parliament report (which somehow exploits the signalling protocol between the telephone exchange and the telephone).

    About frequency flooding. Can someone verify or fill in these assumptions?
    The frequency flooding method means that a high-frequency signal, a carrier, is injected onto the two wires that run to the target telephone.
    The insertion point
    The insertion point must be between the telephone exchange and the telephone, preferably as close to the telephone as possible. Since telephone wire is not designed to carry high frequencies, the amplitude of the injected carrier falls the further it has to travel along the wires; it is also distorted and mixed with noise picked up from the surroundings. A practical solution would be to put the insertion point and the tapping point at the same place, but since this could make the equipment unnecessarily bulky, the insertion point can be elsewhere along the line than the tapping point. In apartment buildings it could be in the basement, where the telephone company usually has a rack of junction points.
    Inside the phone
    When the high frequency reaches the telephone it "leaks" past the hook switch by capacitive coupling. The carrier is then somehow modulated by the sound in the room where the telephone stands. The modulated carrier is superimposed on the injected carrier, "leaks" back out through the hook switch, and travels back along the telephone wires. The method therefore does not depend on whether the exchange is an AXE or not; it is the telephone's own characteristics that decide how well room sound can modulate the carrier. One suggestion is that the carrier passes through the microphone, where it becomes amplitude modulated. Some phase modulation probably occurs as well (with a ringing sound as a side effect).
    The carrier
    Besides the microphone itself, the telephone's case and its internal layout probably also affect the modulation. To achieve the best sound quality, the optimal carrier frequency has to be found by experiment, but since this can be done remotely it poses no problem. At high frequencies the current in a conductor flows mainly near its surface (the "skin effect"), which raises the effective resistance of the telephone wire and so increases the attenuation of the carrier with distance.

    The tapping point (demodulation)
    This part uses the same principles as a radio receiver. Returning from the telephone is the high frequency that was injected earlier, modulated (amplitude modulation?) with the sound the telephone picked up. A demodulator removes the carrier, and what is left is a weak signal that, after amplification, becomes the sound picked up from the target telephone. The tapping point should preferably be placed as close to the target phone as possible, because the modulated signal becomes weaker the further it must travel along the telephone wires. The amplification could be increased, but generally at the cost of quality, since irrelevant noise is amplified together with the wanted sound.
    The hook switch
    The hook switch is the switch inside the telephone that must be closed (normally by lifting the handset, placing the phone off-hook) for current to flow through the microphone. In an unmodified telephone no current flows through the microphone while the handset is on-hook, so it cannot pick up sound in the room. The only way to bypass a mechanical switch is to use a frequency high enough that capacitive coupling bridges the open contact gap. One problem with this method is that modern telephones use electronic switches instead of mechanical ones, and an electronic switch would most probably have a completely different characteristic for passing high frequencies.


    A Swedish book, "Under Cover - the Swedish Security Police and its Methods" [1] (not translated into English), mentions frequency flooding. But the author did not supply enough technical detail to make it understandable how it was supposed to work. [The description has probably not been reviewed by a technician, since it contains some conflicting technical details. 1) Audible sound ends at roughly 20 kHz; above that frequency a signal cannot be heard by a human ear and cannot be described as a sound. 2) Frequency flooding does not require the telephone to be connected to an AXE exchange; the signal is injected and tapped on the subscriber line, so the type of exchange is irrelevant. 3) Frequency flooding most probably requires a carrier far above 20 kHz, not an audio-frequency signal.]

    The book states at page 91: (Laszlo's translation into English)

    "It is further possible to replace the normal circuit board in the telephone with a circuit board that makes it possible to remotely activate the existing microphone in the handset. Thereby it is possible to bug a room through the microphone in the handset, even when the handset is on hook. According to P-G Näss [the former chief of operations of SÄPO, the Swedish security police] this would be the most practised method of bugging. The security police modify a circuit board and then have it replace the ordinary board at the telephone company, which is necessary in order to make the telephone microphone pick up sound even when the handset is on hook. The cost is modest, only around 4 000 SEK.
    A crucial benefit of this type of bugging is the possibility of doing the tape-recording at the px, that is, at the police's special tape-recording room for telephone listening. A Revox tape-recorder connected to a voice-activated control eliminates the constant manual surveillance of the premises and the associated problem of arranging an observation room, with all the risks and problems that entails. The most crucial drawback of this type of bugging must, as far as I can understand, be that it can only be used against non-professional persons who lack the professional's natural habit of checking regularly whether the phone is bugged.
    The most advanced version of this system that I have heard of is being able to remotely activate the microphone in a telephone connected to an AXE system, without any special modifications to the existing telephone equipment. The telephones are activated with a sound signal at a high frequency that is directed at the telephone. 'The technique, known as frequency flooding, has been used in Sweden as well as in Northern Ireland, mainland UK and elsewhere' [2]"
    For completeness, the Swedish original text is:
    "Det är vidare möjligt att ersätta det normala kretskortet i telefonen med ett kretskort som gör det möjligt att utifrån aktivera den i telefonluren befintliga mikrofonen. Därmed kan avlyssning av rummet via telefonens mikrofon ske även när luren är pålagd. Enligt P-G Näss skulle denna metod vara det genom tiderna vanligaste sättet att bugga. Säkerhetspolisen modifierar då kretskortet för att sedan låta det ersätta det ordinarie kortet på televerket, något som är nödvändigt för att telefonmikrofonen ska ta upp ljud trots att kuren är pålagd. Kostnaden är blygsam, bara ca SEK 4 000:-. En helt avgörande fördel med denna typ av buggning är att man då kan låta bandinspelningen ske i px:et, dvs i polisens särskilda bandinspelningsrum för telefonavlyssning. Kopplat till en talstyrd Revoxmaskin slipper man då ständig manuell bevakning av lokalen samt det därmed sammanhängande problemet att anskaffa en observationslokal med alla de risker och problem det innebär. Den mest avgörande nackdelen med denna typ av buggning måste såvitt jag kan förstå vara att den endast kan användas mot oprofessionella motståndare som inte med den självklarhet det är för proffs, med jämna mellanrum kontrollerar om telefonen är buggad.

    Den mest avancerade variant av detta system jag hört talas om är att man utifrån skulle kunna aktivera mikrofonen i en telefon ansluten till AXE-systemet utan att behöva vidta några som helst särskilda ingrepp i den befintliga teleutrustningen. Telefonerna aktiveras via en ljudsignal på hög frekvens som riktas mot telefonen. 'The technique, known as frequency flooding, has been used in Sweden as well as in Northern Ireland, mainland UK and elsewhere' [2]"

    [1] About the book.
    Author: Töllborg, Dennis, 1953-
    Title: Under cover : den svenska säkerhetspolisen och dess arbetsmetoder
    Place/Publisher: Stockholm : Norstedts Juridikförlag.
    Published: 1991
    Pages: 142
    ISBN: 91-38-50065-5
    Price: 147 SEK

    About Dennis Töllborg. He has written some 10-15 books, the first dated 1979. Töllborg is today professor at the Juridiska Institutionen (law department) of Handelshögskolan at Gothenburg University.

    [2] "Comments on Dennis Töllborg Covert Policing in Sweden. The Swedish Secret Service", Peter Klerks. Compare also the hints in this direction in Stockholms åklagardistrikt (Stockholm prosecution district), dnr C6-1-004-88, Förundersökningsprotokoll (preliminary investigation report) 5, p. 113.

    Mr Peter Klerks, who is cited as the reference in Töllborg's book, kindly supplied this information.

    "To my knowledge, the subject first came up in the Irish magazine Hibernia in the late 1970s, where it was described as a technique used by antiterrorist forces such as the British SAS. I've seen a demonstration of it on an old-fashioned dial-operated telephone in the mid-1980s. It worked reasonably well.
    In the early 1980s it once again came up after a Dutch activist magazine published about it. The Dutch telecom (PTT) at the time decided to calm public opinion by offering an anti-bugging device, consisting of nothing more than a capacitor, which stops RF signals from going through the wires and reaching the phone.

    You might want to try and get more info at respub@xs4all.nl, [ http://www.xs4all.nl ] I believe they may know more about the activist booklet which was also published in English. I believe it was called 'The walls have ears' or some similar title.

    I hope this helps. The radio frequency flooding technique is quite a crude technique, which certainly does not require an ISDN telephone, and as it involves RF signals passing through LF wiring, it would not work on glass fibre cables. The type of telephone exchange isn't that important, presuming that the RF tapping instrument is connected at a rather close distance from the actual phone, which is necessary since RF signals couldn't cover large distances through regular copper wire."

    I received this rumour about xs4all: it is the former Utipia BBS, which was later called Hack-Tic and is now xs4all. Hack-Tic published a newsletter in which the protection using a capacitor was described. This newsletter might well be the same as the "Dutch activist magazine" mentioned above.

    Another 12-page text in which the term frequency flooding occurs is:

    Telephones as bugs-Item #WP554
    "Telephone-Hookswitch Bypasses explains how your phone can become a room-monitoring bug, undetectable by normal operation. It differentiates between the types of telephone-hookswitches, illustrates their vulnerable aspects, and offers visual and detectable measures on each. BONUS: Eavesdropping Accessories included.

    Topics include: Passive, active, and spare-wire hookswitches defined, Radio-frequency flooding and on-line microphones. Eavesdropping Accessories: Pulse/DTMF-dial decoding devices, telephone slave: as a telephone, as a room-monitoring bug, Cheesebox, call forwarder or re-dialer, Voltage- and voice-activated automatic switching devices, and Surveillance audio amplifier."


    There is a device called a Telephone Security Unit that protects a telephone from several threats, for example:
    "... the TSU electronically isolates the telephone and provides protection from hookswitch bypass bugs, RF flooding, ..."


    The technique of RF flooding has come up in court. The complete article can be ordered on-line:
    "NETHERLANDS : "RF FLOODING" TAPS IN COURT (Article) from Intelligence Online, n° 198 - 22 July 1992
    In a Den Bosch court on 14 July evidence was given that Dutch services were using loopholes in the law to carry out extensive telephone tapping. Since the recent Dutch Supreme Court ruling that allow (...)"


    A German web page, "Abhör"-Informationen, describes how a capacitor prevents frequency flooding. The capacitor is connected in parallel across the telephone line and acts as a short circuit for high frequencies, so they never reach the phone itself.

    (Translated from the German:)
    "Frequency flooding surveillance
    "Frequency flooding" is the bugging of a room by means of the telephone. It allows the cops to listen in through the telephone even while the handset is on the hook (!). Here is a simple circuit that prevents this kind of bugging. Cost: about 0.15 DM. All that is needed is a 10 nF capacitor."
    [Image kondens.jpg: the circuit, a capacitor connected across the telephone line]
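    The mechanism described under "Inside the phone" and "The hook switch", and the 10 nF shunt on the German page, can both be checked with a little arithmetic and a short simulation. The Python below is an added example, not from this page or any source it cites. It assumes what the page leaves open: an open hookswitch with about 5 pF of stray capacitance across its contacts, a 600 ohm line and handset impedance, a 1 MHz carrier, and the page's own guess that the microphone path amplitude-modulates the coupled carrier. With those assumptions it computes how much of an audio-band signal versus the RF carrier gets past the open switch, how much the 10 nF capacitor knocks the carrier down while leaving speech alone, and whether a rectifier-plus-RC envelope detector (the "radio receiver" at the tapping point) recovers a room tone from the modulated carrier.

```python
"""Frequency flooding: why RF crosses an open hookswitch and why a 10 nF
shunt capacitor stops it.

Added example, not from the original page or from any source it cites.
Assumptions (none of them given on the page): an open hookswitch has a
stray capacitance of about 5 pF; the line and handset circuit look like
600 ohm; the carrier is 1 MHz; the microphone path amplitude-modulates the
coupled carrier (the page offers this only as a guess).
"""
import math

AUDIO_F = 1_000.0        # a voice-band tone, Hz
CARRIER_F = 1_000_000.0  # assumed RF carrier, Hz
HOOKSWITCH_C = 5e-12     # assumed stray capacitance of the open hookswitch, F
SHUNT_C = 10e-9          # the 10 nF capacitor across the line (German page), F
LINE_Z = 600.0           # nominal line / handset impedance, ohms


def reactance(c_farad, f_hz):
    """|Xc| = 1 / (2*pi*f*C) in ohms."""
    return 1.0 / (2.0 * math.pi * f_hz * c_farad)


def coupling_fraction(f_hz, shunt_c=0.0):
    """Magnitude of the voltage reaching the handset circuit, relative to the
    voltage on the line, at frequency f_hz.  The open hookswitch is a series
    capacitor feeding a LINE_Z load; an optional shunt capacitor across the
    line in front of the phone is driven through the LINE_Z source impedance.
    Both are first-order voltage-divider approximations."""
    xc_hook = reactance(HOOKSWITCH_C, f_hz)
    through_switch = LINE_Z / math.hypot(LINE_Z, xc_hook)
    if shunt_c <= 0.0:
        return through_switch
    xc_shunt = reactance(shunt_c, f_hz)
    at_phone = xc_shunt / math.hypot(LINE_Z, xc_shunt)
    return through_switch * at_phone


def correlation(a, b):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = math.sqrt(sum((x - ma) ** 2 for x in a))
    vb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return cov / (va * vb)


def am_round_trip(audio_f=AUDIO_F, carrier_f=CARRIER_F, depth=0.3,
                  duration=0.003, rc=20e-6):
    """Synthesise a carrier whose amplitude is modulated by a room tone, then
    recover the tone as the tapping point would: half-wave rectify and
    low-pass filter (single-pole RC).  Returns the correlation between the
    recovered waveform and the original tone (1.0 = perfect recovery)."""
    fs = 8.0 * carrier_f                 # 8 samples per carrier cycle
    dt = 1.0 / fs
    n = int(duration * fs)
    alpha = dt / (rc + dt)               # discrete single-pole low-pass
    settle = int(10 * rc * fs)           # drop the filter's start-up transient
    tone, recovered, y = [], [], 0.0
    for i in range(n):
        t = i * dt
        s = math.sin(2.0 * math.pi * audio_f * t)
        rf = (1.0 + depth * s) * math.sin(2.0 * math.pi * carrier_f * t)
        y += alpha * (max(rf, 0.0) - y)  # rectifier feeding the RC filter
        if i >= settle:
            tone.append(s)
            recovered.append(y)
    return correlation(tone, recovered)


def summary():
    """The numbers a practitioner wants: how much better RF couples than
    audio, how much the shunt cuts the carrier, how little it touches speech,
    and whether the envelope detector recovers the room tone."""
    return {
        "audio_through_switch": coupling_fraction(AUDIO_F),
        "rf_through_switch": coupling_fraction(CARRIER_F),
        "rf_with_shunt": coupling_fraction(CARRIER_F, SHUNT_C),
        "audio_with_shunt": coupling_fraction(AUDIO_F, SHUNT_C) / coupling_fraction(AUDIO_F),
        "recovered_tone_correlation": am_round_trip(),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print("%-28s %.4g" % (key, value))
```

    Under these assumptions the carrier gets across the open switch roughly a thousand times better than a 1 kHz tone (31.8 kilohm against 31.8 megohm of reactance), the 10 nF shunt presents about 16 ohm to the carrier and so cuts it by a further factor of about forty while passing the 1 kHz tone almost unchanged (its reactance there is about 16 kilohm), and a plain rectifier and RC filter recovers the tone cleanly. The real stray capacitance, carrier frequency and line impedance will differ, which is exactly why the page's questions about the carrier remain open; the arithmetic only shows that the mechanism and the defence are consistent with each other.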

    Unanswered questions

    Which mailing lists/discussion groups are relevant for gathering more information?

    Frequency flooding
    - Is frequency flooding a historical technique that does not work on a modern telephone, which is entirely electronic?
    - Exactly how is the carrier modulated when it reaches the phone? By the microphone, the telephone's case, the ringer bell of old telephones, or something else?
    - How is the returned carrier modulated: phase modulation, frequency modulation or amplitude modulation?
    - What frequency is used? Does the optimal frequency differ between telephones?
    - What is a typical amplitude of the carrier when it reaches the telephone?
    - What happens when someone dials the target telephone while it is being used as a bugging device with frequency flooding?
    My guess: nothing happens. The modulated high frequency will not be forwarded to a caller. The high frequency is above the frequency range for human speech that the telephone network is designed to transmit. My memory says that the telephone network defines human speech as lying between 300 and 3 000 Hz; everything outside this range is neither amplified nor transmitted.
    - Do any construction details/diagrams exist that would allow the setup to be repeated?

    ISDN bugging
    - Where in the CCITT standards are the references that prove the existence of the described bugging method?
    - Can the existence of the test facilities mentioned above be verified?
    - Are the test facilities powerful enough to achieve a bugging capability?


    Latest change 24 Aug -98, Laszlo Baranyi, lb@qainfo.se