434 lines
25 KiB
Plaintext
434 lines
25 KiB
Plaintext
This file may also be known as wombat file #01, or wombat01 if I ever bother to
|
|
type/write something else. \/\/ombat
|
|
|
|
This file is a work of fiction. Everything in it is fictitious.
|
|
Any resemblance to persons living or dead, magazines, companies, products,
|
|
trademarks, copyrights, or anything else in the real world is purely
|
|
coincidental, and you should see a shrink about your over-active imagination
|
|
if you think otherwise.
|
|
|
|
- \/\/ O M B A T -
|
|
presents:
|
|
|
|
Cordless Telephones: Bye Bye Privacy!
|
|
#####################################
|
|
|
|
by Tom Kneitel, K2AES, Editor
|
|
=============================
|
|
|
|
A Boon to Eavesdroppers, Cordless Phones Are as Private as Conversing in an
|
|
Elevator. You'll Never Guess Who's Listening In!
|
|
|
|
(originally published in Popular Communications, June 1991)
|
|
|
|
OK, so it took a while, but now you've accepted the fact that your cellular
|
|
phone conversations can easily be overheard by the public at large. Now you
|
|
can begin wrestling with the notion that there are many more scanners in the
|
|
hands of the public that can listen to cordless telephone calls than can tune
|
|
in on cellulars.
|
|
|
|
Monitoring cellular calls requires the listener to own equipment capable of
|
|
picking up signals in the 800 to 900 MHz frequency range. Not all scanners
|
|
can receive this band, so unless the scannist wants to purchase a new scanner,
|
|
or a converter covering those frequencies, [see February and March issues of
|
|
Radio-Electronics for a converter project -\/\/ombat-] they can't tune in on
|
|
cellular calls. And let's not forget that it's a violation of federal law to
|
|
monitor cellular conversations. Not that there seems to be any practical way
|
|
yet devised to enforce that law, nor does the U.S. Dept. of Justice appear to
|
|
be especially interested in trying.
|
|
|
|
On the other hand, cordless telephones operate with their base pedestals in
|
|
the 46 MHz band, and the handsets in the 49 MHz band. Virtually every scanner
|
|
ever built can pick up these frequencies with ease. Cordless telephones are
|
|
usually presented to the public as having ranges up to 1,000 feet, but that
|
|
requires some clarification. That distance represents the reliable two-way
|
|
communications range that can be expected between the handset and the
|
|
pedestal, given their small inefficient receivers and antennas, and that they
|
|
are both being used at ground level.
|
|
|
|
In fact, even given those conditions, 1,000 feet of range is far more
|
|
coverage than necessary for the average apartment or house and yard. Consider
|
|
that 1,000 feet is a big distance. It's almost one-fifth of a mile. It's the
|
|
height of a 100-story skyscraper. The Chrysler Building, third tallest
|
|
building in New York City, is about 1,000 feet high, so is the First
|
|
Interstate World Center, tallest building in Los Angeles. When someone uses a
|
|
sensitive scanner connected to an efficient antenna mounted above ground
|
|
level, the signals from the average 46 MHz cordless phone base pedestal unit
|
|
(which broadcasts both sides of all conversations) can often be monitored from
|
|
several miles away, and in all directions.
|
|
|
|
Some deluxe cordless phones are a snoop's delight. Like the beautiful
|
|
Panasonic KX-T4000. Its range is described as "up to 1,000 feet from the
|
|
phone's base," however the manufacturer brags that "range may exceed 1,000
|
|
feet depending upon operating conditions." When you stop to think about it,
|
|
what at first seems like a boast is really a somewhat harmless sounding way
|
|
of warning you that someone could monitor the unit from an unspecified great
|
|
distance. In fact, just about all standard cordless phones exceed their rated
|
|
ranges. But the KX-T4000's main bonus and challenge to the snoop is that it
|
|
can operate on ten different frequencies instead of only a single frequency.
|
|
The BellSouth Products Southwind 170 cordless phone suggests a range of up to
|
|
1,500 feet., depending on location and operating conditions. The ten-channel
|
|
Sony SPP-1508 has a built-in auto-scan system to select the clearest channels.
|
|
|
|
What with millions of scanners in the hands of the public, a cordless
|
|
telephone in an urban or suburban area could easily be within receiving range
|
|
of dozens of persons owning receiving equipment capable of listening to every
|
|
word said over that phone. Likewise, every urban or suburban scanner owner
|
|
is most likely to be within receiving range of dozens of cordless telephones.
|
|
Many persons with scanners program their units to search between 46.50 and
|
|
47.00 MHz and do listen. Some do it casually to pass the time of day, others
|
|
have specific purposes.
|
|
|
|
Not Covered
|
|
===========
|
|
|
|
The Electronic communications Privacy Act of 1986, the federal law that
|
|
supposedly confers privacy to cellular conversations, doesn't cover cordless
|
|
telephones.
|
|
|
|
A year and a half ago, the U.S. Supreme Court wasn't interested in reviewing
|
|
a lower court decision that held that some fellow didn't have any
|
|
"justifiable expectation of privacy" for their cordless phone conversations.
|
|
It seems that man's conversations regarding suspected criminal activity were
|
|
overheard and the police were alerted, which caused the police to investigate
|
|
further and arrest the man after recording more of his cordless phone
|
|
conversations.
|
|
|
|
Yet, even though (at this point) there is no federal law against monitoring
|
|
cordless phones, there are several states with laws that restrict the
|
|
practice. In New York State, for instance, a state appellate court ruled that
|
|
New York's eavesdropping law prohibits the government from intentionally
|
|
tuning in on such conversations.
|
|
|
|
California recently passed the Cordless and Cellular Radio Telephone Privacy
|
|
Act (amending Sections 632, 633, 633.5, 634, and 635 of the Penal Code,
|
|
amending Section 1 of Chapter 909 of the Statutes of 1985, and adding Section
|
|
632.6 to the Penal Code) promising to expose an eavesdropper to a $2,500 fine
|
|
and a year in jail in the event he or she gets caught. Gathering the evidence
|
|
for a conviction may be easier said than done.
|
|
|
|
There may be other areas with similar local restrictions, these are two
|
|
that I know about. Obviously listening to cordless phones in major population
|
|
areas is sufficiently popular to have inspired such legislative action. There
|
|
are, however, reported to be efforts afoot to pass federal legislation
|
|
forbidding the monitoring of cordless phones as well as baby monitors. Such
|
|
a law wouldn't stop monitoring, nor could it be enforced. It would be, like
|
|
the ECPA, just one more piece of glitzy junk legislation to hoodwink the
|
|
public and let the ACLU and well-meaning, know-nothing, starry-eyed privacy
|
|
advocates think they've accomplished something of genuine value.
|
|
|
|
Strange Calls
|
|
=============
|
|
|
|
On April 20th, The Press Democrat, of Santa Rosa, Calif., reported that a
|
|
scanner owner had contacted the police in the community of Rohnert Park to say
|
|
that he was overhearing cordless phone conversations concerning sales of
|
|
illegal drugs. The monitor, code named Zorro by the police, turned over
|
|
thirteen tapes of such conversations made over a two month period.
|
|
|
|
Police took along a marijuana-sniffing cocker spaniel when they showed up
|
|
at the suspect's home with a warrant one morning. Identifying themselves,
|
|
they broke down the door and found a man and a woman, each with a loaded gun.
|
|
They also found a large amount of cash, some cocaine, marijuana, marijuana
|
|
plants, and assorted marijuana cultivating paraphernalia.
|
|
|
|
In another example, Newsday, of Long Island, New York, reported in its
|
|
February 10, 1991 edition another tale of beneficial cordless phone
|
|
monitoring.
|
|
|
|
It seems a scanner owner heard a cordless phone conversation between three
|
|
youths who were planning a burglary. First, they said that they were going to
|
|
buy a handheld CB radio so they could take it with them in order to keep in
|
|
contact with the driver of the car, which had a mobile CB rig installed.
|
|
Then, they were going to head over to break into a building that had, until
|
|
recently, been a nightclub.
|
|
|
|
The scanner owner notified Suffolk County Police, which staked out the
|
|
closed building. At 10:30 p.m., the youths appeared and forced their way
|
|
into the premises. They were immediately arrested and charged with
|
|
third-degree burglary and possession of burglary tools.
|
|
|
|
I selected these two examples from the many similar I have on hand because
|
|
they happen to have taken place in states where local laws seek to restrict
|
|
the monitoring of cordless telephones.
|
|
|
|
Most of the calls people monitor aren't criminal in nature, but are
|
|
apparently interesting enough to have attracted a growing audience of
|
|
recreational monitors easily willing to live with accusations of their being unethical, nosy, busybodies, snoops, voyeurs, and worse.
|
|
|
|
As it turns out, recreational monitors are undoubtedly the most harmless
|
|
persons listening in on cordless phone calls.
|
|
|
|
They're All Ears
|
|
================
|
|
|
|
A newsletter called Privacy Today, is put out by Murray Associates, one of
|
|
the more innovative counterintelligence consultants serving business and
|
|
government. This publication noted (as reported in the mass media) that IRS
|
|
investigators may use scanners to eavesdrop on suspected tax cheats as they
|
|
chat on their cordless phones.
|
|
|
|
But, the publication points out that accountants who work out of their homes
|
|
could turn up as prime targets of such monitoring. Their clients might not
|
|
even realize the accountant is using a cordless phone, and therefore assume
|
|
that they have some degree of privacy. One accountant suspected of preparing
|
|
fraudulent tax returns could, if monitored, allow the IRS to collect evidence
|
|
on all clients.
|
|
|
|
Furthermore, Privacy Today notes that this has ramifications on the IRS
|
|
snitch program (recycle tax cheats for cash). They say, "Millions of scanner
|
|
owners who previously listened to cordless phones for amusement will now be
|
|
able to do it for profit. Any incriminating conversation they record can be
|
|
parlayed into cash, legally."
|
|
|
|
In fact, in addition to various federal agents and police, there are private
|
|
detectives, industrial spies, insurance investigators, spurned lovers, scam
|
|
artists, burglars, blackmailers, and various others who regularly tune in with
|
|
deliberate intent on cordless telephones in the pursuit of their respective
|
|
callings. If you saw the film Midnight Run, starring Robert DeNiro, you'll
|
|
recall that the bounty hunter was shown using a handheld scanner to eavesdrop
|
|
on a cordless phone during his effort to track down a fugitive bail jumper.
|
|
|
|
No, cordless phone monitoring isn't primarily being done for sport by the
|
|
incurably nosy for the enjoyment and entertainment it can provide. The
|
|
cordless telephone has been recognized as a viable and even important tool for
|
|
gathering intelligence.
|
|
|
|
Intelligence Gathering?
|
|
=======================
|
|
|
|
In fact, there are differences between cordless and cellular monitoring.
|
|
When a cellular call is monitored, it's quite difficult to ascertain the
|
|
identity of the caller, and impossible to select a particular person for
|
|
surveillance. These are mostly portable and mobile units that are passing
|
|
through from other areas, and they're operation on hundreds of different
|
|
channels. Sometimes the calls cut off right in the middle of a conversation.
|
|
The opportunities for ever hearing the same caller more than once are very
|
|
slim.
|
|
|
|
Not so with cordless phones. These units are operated at permanent
|
|
locations in homes, offices, factories, stores. Most models transmit on only
|
|
one or two specific frequencies, and while a few models can switch to any of
|
|
ten channels, that's still a lot fewer places to have to look around than
|
|
scanning through the hundreds of cellular frequencies. So, with only minor
|
|
effort, it's possible to know which cordless phones in receiving range are
|
|
set up to operate on which channels. And you continually hear the same
|
|
cordless phone users over a long period of time. They soon become very
|
|
familiar voices; you might even recognize some of them.
|
|
|
|
The diligent, professional intelligence gatherer creates a logbook for each
|
|
of the frequencies in the band, then logs in each cordless phone normally
|
|
monitored using that frequency. Then, each time a transmission is logged from
|
|
a particular phone, bits and scraps of information can be added to create a
|
|
growing dossier picked up from conversations. With very little real effort,
|
|
it doesn't take long to assemble an amazing amount of information on all
|
|
cordless phones within monitoring range.
|
|
|
|
Think about the information that is inadvertently passed in phone calls that
|
|
would go into such files. Personal names (first and last) which are easily
|
|
obtained from salutations, calls, and messages left on other people's answering
|
|
machines; phone numbers (that people give for callbacks or leave on answering
|
|
machines); addresses; credit card numbers; salary and employment information;
|
|
discussions of health and legal problems; details of legit and shady business
|
|
deals; even information on the hours when people are normally not at home or
|
|
will be out of town, and much more, including the most intimate details of
|
|
their personal lives. Anybody who stops for a moment to think about all the
|
|
things they say over a cordless telephone over a period of a week or two
|
|
should seriously wonder how many of those things they'd prefer not be
|
|
transmitted by shortwave radio throughout their neighborhood.
|
|
|
|
Cordless phone users don't realize that these units don't only broadcast
|
|
the phone calls themselves. Most units start transmitting the instant the
|
|
handset is activated, and will broadcast anything said to others in the room
|
|
before and while the phone is being dialed, and while the called number is
|
|
ringing. Using a DTMF tone decoder, it's even possible to learn the numbers
|
|
being called from cordless phones. [see the classified ads in Popular
|
|
Communications for DTMF decoders; also for books on how to modify scanners to
|
|
restore the cellular frequencies, and more! -\/\/ombat-]
|
|
|
|
One private investigator told me that part of a infidelity surveillance he
|
|
just completed included a scanner tuned to someone's cordless phone channel,
|
|
feeding a voice-operated (VOX) tape recorder. Every day he picked up the old
|
|
tape and started a new one. The scanner was located in a rented room several
|
|
blocks away from the person whose conversations were being recorded.
|
|
|
|
Hardware Topics
|
|
===============
|
|
|
|
Many people are under the impression that the security features included in
|
|
some cordless phones provide some sort of voice scrambling or privacy. They
|
|
don't do anything of the kind. All they do is permit the user to set up a
|
|
code so that only his or her own handset can access the pedestal portion of
|
|
his own cordless phone system. In these days of too few cordless channels,
|
|
neighbors have sometimes ended up with cordless phones operating on the
|
|
identical frequency pair. That created the problem of making a call and
|
|
accessing your neighbor's dial tone instead of your own, or your handset
|
|
ringing when calls come in on your neighbor's phone.
|
|
|
|
The FCC is going to require this feature on all new cordless telephones, but
|
|
it still won't mean that the two neighbors will be able to talk on their
|
|
identical-channel cordless phones simultaneously. Such situations allow
|
|
neighbors to eavesdrop on one another's calls, even without owning a scanner.
|
|
The FCC is attempting to relieve the common problem of too many cordless
|
|
phones having to share the ten existing base channels in the 46.50 to 47.00
|
|
MHz band. These frequencies are 46.61, 46.63, 46.67, 46.71, 46.73, 46.77,
|
|
46.83, 46.87, 46.93, and 46.97 MHz. Each of these frequencies are paired with
|
|
a 49 MHz handset channel.
|
|
|
|
Manufacturers are going to be permitted to produce cordless phones with
|
|
channels positions in between the existing ten frequency pairs. Cordless
|
|
phones will now be permitted operation on these additional offset frequencies
|
|
to relieve the congestion.
|
|
|
|
A date for implementing these new frequencies hasn't yet been announced, but
|
|
it should be soon. The FCC feels that the life expectancy of a cordless phone
|
|
isn't very long, and they'd like these new phones to be ready to go on line as
|
|
the existing phones are ready to be replaced. The new model phones are going
|
|
to have to also incorporate the dial tone access security encoding feature I
|
|
mentioned.
|
|
|
|
Let's hope the new batch of cordless phones is less quirky than some of the
|
|
ones now in use. We understand that the transmitters of some cordless phones
|
|
switch on for brief periods whenever they detect a sharp increase in the
|
|
sound level, such as laughter, shouting, or a loud voice on the extension
|
|
phone.
|
|
|
|
Privacy Today tells of the cordless phone that refused to die. They noted
|
|
it was reported that the General Electric System 10 cordless phone, Model
|
|
2-9675, just won't shut up. It broadcasts phone calls even when they are made
|
|
using regular extension phones!
|
|
|
|
As for receiving all of these signals, any scanner will do. Antennas that
|
|
do an especially good job include 50 MHz (6 meter ham band) omnidirectional
|
|
types, or (secondarily) any scanner antenna designed for reception in the 30
|
|
to 50 MHz range.
|
|
|
|
There is a dipole available that is specifically tuned for the 46 to 49 MHz
|
|
band, which you can string up in your attic (or back yard) and get a good shot
|
|
at all signals in the band. This comes with 50 ft. of RG-6 coaxial cable
|
|
lead-in, plus a BNC connector for hooking to a scanner. This cordless phone
|
|
monitoring antenna is $49.95 (shipping included to USA, add $5 to Canada) from
|
|
the Cellular Security Group, 4 Gerring Road, Gloucester, MA 01930. [you can
|
|
build one yourself for much less $; look in the chapter on antennas in the
|
|
ARRL Radio Amateur's Handbook -\/\/ombat-]
|
|
|
|
The higher an antenna is mounted for this reception, the better the range
|
|
and reception quality, and the more phones will be heard.
|
|
|
|
Zip The Lip
|
|
===========
|
|
|
|
Once you understand the nature of cordless phoning, you should easily be
|
|
able to deal with these useful devices. Let's face it, it isn't really
|
|
absolutely necessary for all of your conversations to achieve complete
|
|
privacy. You are perfectly willing to relinquish expectations of
|
|
conversational privacy. You do it every time you converse in an elevator, a
|
|
restaurant, a store, a waiting room, a theatre, on the street, etc. You take
|
|
precautions not to say certain things at such times, so you don't feel that
|
|
you are being threatened by having been overheard. Think of speaking on a
|
|
cordless phone as being in the same category as if you were in a crowded
|
|
elevator, and you'll be just fine. It's only when a person subscribes to the
|
|
completely erroneous notion that a cordless phone is a secure communications
|
|
device that any problems could arise, or paranoia could set in.
|
|
|
|
Manufacturers don't claim cordless phones offer any privacy. Frankly,
|
|
because they instill a false and misleading expectation of privacy, the
|
|
several well-intentioned but unenforceable local laws intended to restrict
|
|
cordless monitoring actually do more harm than good. The laws serve no other
|
|
purpose or practical function. It would be far better for all concerned to
|
|
simply publicize that cordless phones are an open line for all to hear.
|
|
|
|
So, cordless phones must be used with the realization that there is no
|
|
reason to expect privacy. Not long ago, GTE Telephone Operations Incorporated
|
|
issued a notice to its subscribers under the headline "Cordless Convenience
|
|
May Warrant Caution." Users were told to "recognize that cordless messages
|
|
are, in fact, open-air FM radio transmissions. As such, they are subject to
|
|
interception (without legal constraint) by those with scanners and similar
|
|
electronic gear... Discretion should dictate the comparative advisability of
|
|
hard-wired phone use."
|
|
|
|
Good advice. We might add that if you are using a cordless phone, you don't
|
|
give out your last name, telephone number, address, any credit card numbers,
|
|
bank account numbers, charge account numbers, or discuss any matters of a
|
|
confidential nature. Moreover, it might be a good idea to advise the other
|
|
party on you call that the conversation is going through a cordless phone.
|
|
|
|
Some people might not care, but others could find that their conversations
|
|
could put them in an unfortunate position. Harvard Law School Professor Alan
|
|
M. Dershowitz, writing on cordless phone snooping in The Boston Globe (January
|
|
22, 1990), said, "The problem of the non-secure cordless telephone will be
|
|
particularly acute for professionals, such as doctors, psychologists, lawyers,
|
|
priests, and financial advisors. Anyone who has an ethical obligation of
|
|
confidentiality should no longer conduct business over cordless phones, unless
|
|
they warn their confidants that they are risking privacy for convenience."
|
|
|
|
That's more good advice. Not that the public will heed that advice. People
|
|
using cellulars have been given similar information many times over, and
|
|
somehow it doesn't sink in. But _you_ got the message, didn't you? Zip your
|
|
lip when using any of these devices. And, if you've got a scanner,you can
|
|
tune in on everybody else blabbing their lives away, and maybe even help the
|
|
police catch drug dealers and other bad guys -- well, unless you live in
|
|
California or some other place where the local laws are more protective of
|
|
cordless phone privacy than the federal courts are.
|
|
|
|
==============================================================================
|
|
|
|
That's it. There wasn't much high-tech intelligence there, but it was
|
|
a lot more readable than something copied out of The Bell System Technical
|
|
Journal, right?
|
|
|
|
Think about the implications: Someone who'd turn in their neighbours for
|
|
enjoying recreational chemicals would probably narc on phreaks, hackers,
|
|
anarchists or trashers as well. It isn't just the FBI, Secret Service, and
|
|
cops you have to worry about -- it's the guy down the street with a dozen
|
|
antennas on his roof. The flip side is that if you knew someone was listening
|
|
in, you could have a lot of fun, like implicating your enemies in child
|
|
prostitution rings, or making up outrageous plots that will cause the
|
|
eavesdropper to sound like a paranoid conspiracy freak when he she or it talks
|
|
to the cops.
|
|
|
|
On the more, uh, active side, the potential for acquiring useful information
|
|
like long-distance codes is obvious. Other possibilities will no doubt occur
|
|
to you.
|
|
|
|
Cordless phones also have the potential to allow you to use someone's phone
|
|
line without the hassles of alligator clips. With a bit of luck you could buy
|
|
a popular model of phone, then try various channels and security codes until
|
|
you get a dial tone. Since many phones have these codes preset by the
|
|
factory, one might have to capture the code for a given system and play it
|
|
back somehow to gain access. The ultimate would be a 10 channel handset with
|
|
the ability to capture and reproduce the so-called security codes
|
|
automatically.
|
|
|
|
This subject requires further research. Guess I'd better get a scanner.
|
|
Most short-wave receivers don't go past 30 MHz, and they generally don't have
|
|
FM demodulators. Looking in the Radio Shark catalog, any of their scanners
|
|
would do the job. Some scanners can be modified to restore cellular coverage
|
|
and increase the number of channels just by clipping diodes. If you're going
|
|
to buy a scanner, you might as well get one of those. The scanner modification
|
|
books advertised in Pop Comm would help, or check out Sterling's article
|
|
"Introduction to Radio Telecommunications Interception" in Informatik #01.
|
|
He lists many interesting frequencies, and has the following information on
|
|
the Radio Shark scanners:
|
|
|
|
==============================================================================
|
|
Restoring cellular reception.
|
|
|
|
Some scanners have been blocked from receiving the cellular band. This
|
|
can be corrected. It started out with the Realistic PRO-2004 and the PRO-34,
|
|
and went to the PRO-2005. To restore cellular for the 2004, open the radio
|
|
and turn it upside down. Carefully remove the cover. Clip one leg of D-513
|
|
to restore cellular frequencies. For the PRO-2005, [and for the PRO-2006
|
|
-\/\/ombat-] the procedure is the same, except you clip one leg of D-502 to
|
|
restore cellular reception. On the PRO-34 and PRO-37, Cut D11 to add 824-851
|
|
and 869-896 MHz bands with 30 kHz spacing.
|
|
|
|
All these are described in great detail in the "Scanner Modification
|
|
Handbook" volumes I. and II. by Bill Cheek, both available from Communications
|
|
Electronics Inc. (313) 996-8888. They run about $18 apiece.
|
|
==============================================================================
|
|
(reproduced from Informatik #01, file 02)
|
|
|
|
-30-
|
|
==============================================================================
|