From: "John G. De Armond" <rsiatl!jgd@gatech.edu>
Subject: Re: Infinity Transmitter (was: Ringing a Busy Phone)
Date: 1 Apr 90 02:56:57 GMT
Organization: Radiation Systems, Inc. (a thinktank, motorcycle, car 
 and gun works facility)

In article <5814@accuvax.nwu.edu> tots!tep@logicon.com (Tom Perrine) writes:

>What about the long-rumored "Infinity Bug"? This is reportedly a
>device that allows one to call a phone, and listen to whatever the
>phone mic picks up. The interesting part is that the phone never rings
>and the handset does not need to be lifted. This seems to be similar
>to the problem of ringing an off-hook phone.

>Has anyone actually seen one of these things, or is it just a myth
>that a *lot* of people believe in?

Yes, these things do exist.  I used one in the early '70s to get the
goods on my boss who was, it turns out, planning on having some pot
planted in my car in order to have me fired.  I worked for the
government at the time.  I got my infinity transmitter from a friend
who worked for a well known government agency whose name begins with a
"C" :-).

The transmitter looked just like a regular phone network device.  It
was installed inside a normal (at the time) dial phone.  Its function
depended on the fact that crossbar systems typically make up the DC
path somewhat before the ring voltage is turned on.  The procedure
when you want to monitor ambient conversations is to dial the number
of the phone containing the infinity transmitter and apply a sequence
of tones to the line as the last digit is completed.

A sequence is used to keep amateur sweeps (and some sophisticated
ones) from finding the bug by sweeping the line with a variable
frequency tone.  The infinity transmitter detects these tones and
picks up the line before the bell has a chance to ring.  It then
connects the handset microphone to the line and one can monitor the
sounds in the room.  The transmitter disconnects itself in the event
the target phone is taken offhook.

These devices work pretty well on old systems.  Sometimes the ring
generator would be in a state such as to put ring on the line almost
immediately after the DC was made up.  In that case, the phone WOULD
ring.  I usually would just hang up, though it was recommended that
the tapper go ahead and act like he had reached a wrong number so as
not to raise alarm with the target with all the single and aborted
rings.

The big limitation with these bugs was the quality of the handset
microphone.  The old phones this agency had must have been bought at a
surplus auction held by Columbus!

Oh yeah, about my problem.  I confronted my boss behind closed doors
with those tapes and tapes from a phone tap I'd installed too and we
reached an agreement on a truce until I could transfer to another
agency.  Last time I'd heard, he'd been arrested for sexual battery to
a subordinate.  So I guess he got his :-)

BTW, to any of you folks who buy government surplus equipment - I
never did go back and retrieve the transmitter.  Who knows, you may
just own it now :-)


John De Armond, WD4OQC  Radiation Systems, Inc.  
Atlanta, Ga     emory!rsiatl!jgd        

Subject: The "Infinity Transmitter": Fact, Fiction and Fairy Tale
Date: 4 Apr 90 14:22:47 EST (Wed)
From: Larry Lippman <kitty!larry@uunet.uu.net>

	Some recent articles have made mention of an eavesdropping
device commonly called the "Infinity Transmitter", a/k/a the
"Harmonica Bug".  I will address some specific aspects of a few recent
articles in a moment, but first I'll provide some background and a
more accurate description of this device.

	The "infinity transmitter", in the form which has been known
to the general public, was developed around 1963 by an interesting
character from New York City with the name of Manny Mittelman.
Mittelman, whose knowledge of electronics was largely self-taught, ran
a small business called the Wireless Guitar Company.  The first
product of his company during the 1950's was, as readers may have
already guessed, a small FM transmitter with acoustic pickup that
transmitted the sound of a guitar to a companion receiver.

	Mittelman quickly learned, however, that there was more money
to be made selling a slightly modified version of this FM transmitter
for eavesdropping purposes than for music applications.  Mittelman
expanded his product line to include other types of eavesdropping
devices, and primarily sold his products to private investigators,
some local law enforcement agencies, and anyone who walked into his
store with money in hand.

	I am not certain what caused his "infinity transmitter" to
become a matter of public knowledge, but I suspect it was his
testimony before Senator Long's investigating committee, which was a
precursor to passage of the federal Omnibus Crime Control and Safe
Streets Act of 1968.  One of the key provisions of this legislation
was various prohibitions against use, manufacture, advertising,
interstate transportation and sale of eavesdropping devices; these
laws are contained in U.S.C. Title 18, Sections 2510 to 2520.

	The "infinity transmitter", while a clever idea which
apparently captivated the public's vivid imagination, was actually a
rather crude eavesdropping device with extremely limited usefulness.
Not only could the device be detected by a subject's suspicion in
hearing occasional short rings of their telephone, but continued use
of the device would cause a subject's line to be busy for legitimate
callers.  It does not take much imagination to envision a caller
complaining to the subject that "your line has been busy for hours",
with the subject knowing full well that their telephone was not in
use.

	The "infinity transmitter" as produced by Mittelman, and later
cloned by other purveyors of eavesdropping apparatus, drew
approximately 3 milliamperes of current from the telephone line in an
on-hook state.  This corresponds to a loop resistance leak of
approximately 16,000 ohms, which can be readily detected by any
telephone company test board.  Anyone with a simple VOM could also
detect the presence of such a device on a subject's telephone line.

	In the on-hook state the primary source of power consumption
was the tone detector circuit, which consisted of a simple LC bandpass
filter with a center frequency of approximately 500 Hz, the output of
which went to a pre-amplifier, limiter and relay driver.  Bear in mind
that at the time this device was developed and sold, there were
neither CMOS IC's nor a practicable source of FET's which could
withstand the transient voltages of telephone applications.  The
circuitry was designed and built using discrete germanium and silicon
transistors of 1960's vintage; therefore, quiescent power consumption
was in the milliampere and not microampere range.

	The "infinity transmitter" only worked with certain central
office switching apparatus, typically SxS, panel, No. 1 XBAR, and
*early* No. 5 XBAR.  The infinity transmitter will not work with any
ESS apparatus, be it analog or digital.

	The "infinity transmitter" exploited a loophole in the design
of the SxS connector, and in panel and early XBAR interoffice trunks.
While the actual circuit description would be difficult to convey in
this type of forum, I will attempt a brief explanation.  In the above
type of CO apparatus no speech path exists between the calling and
called parties until the called party goes off-hook, operating a "ring
trip" relay during either the silent or ringing interval, which in
turn operates a called party supervisory relay which provides battery
feed to the called party and then remains operated by the loop closure
furnished by the called party's telephone being off-hook.  Operation
of the called party supervisory relay also completes the speech path
to the calling party, typically through a 2 uF capacitor on the tip
side, and a 2 uF capacitor on the ring side.

	Early telephone CO apparatus (SxS, panel and early XBAR)
utilized electromechanical ringing machines which were rich in audible
harmonics.  Audible ringback tone to the calling party was therefore
supplied by a capacitor (typically .04 to .05 uF) which was ALWAYS
connected between the ring side of the calling and called parties.
Therefore, the calling party heard an attenuated version of the same
ringing voltage which was actually ringing the called party's
telephone line.  During the silent ringing interval, a poor but
nevertheless real audio path did in fact exist between calling and
called party; this audio path probably resulted in an end-to-end
insertion loss of between 20 and 45 dB, depending upon loop length and
capacitance of calling and called parties.

	In the original Mittelman version, a loudly-blown harmonica
was used as a source of the 500 Hz trigger signal, hence the alternate
name for this device, "Harmonica Bug".

	As mentioned above, the "infinity transmitter" worked with
SxS, panel, No. 1 XBAR and early No. 5 XBAR.  However, a major ringing
and tone plant upgrade program by the Bell System during the 1960's
quickly rendered the "infinity transmitter" inoperable in most No. 5
XBAR CO's.  Changing to the precise tones necessary for touch-tone
service was a major factor behind the ringing and tone plant upgrade
effort.  The implication for No. 5 XBAR was that ringing current
obtained from solid-state supplies no longer had the harmonic content
necessary for capacitively-coupled ringback tone.  As a result,
the intraoffice trunks in existing No. 5 XBAR, and in new No. 5 XBAR,
were modified to supply ringback tone from a dedicated source of
ringback tone, thereby eliminating the .04 uF capacitor mentioned
above.  With this capacitor gone, the "infinity transmitter" could no
longer function as there was no longer any audio path in advance of
ring-trip.

In article <5814@accuvax.nwu.edu> tots!tep@logicon.com (Tom Perrine) writes:

> Has anyone actually seen one of these things, or is it just a myth
> that a *lot* of people believe in?

	It's not a myth.  I have seen one, and it was a rectangular
block potted with black Scotchcast resin, measuring approximately 3
inches by 1 inch by 3/4 inch.  It fit between the dial mounting
brackets and the network on a 500-type telephone.

In article <5944@accuvax.nwu.edu> zweig@cs.uiuc.edu (Johnny Zweig) writes:

> ... misunderstanding of the phrase "this device allows you to call up and
> listen through the handset mike without the handset being picked up"
> leads people to believe there is a device I can use on _my_ end to
> call an untampered phoneset and listen through the handset.
 
> The latter is obviously false since there is no electrical connection
> between the handset mike and the line in an on-hook telephone.

	Actually, there *is* a connection to the handset in an
unmodified 500-type telephone set; there is inductive coupling between
the bridged ringer and the transformer windings in the 425-type
network.  An eavesdropping device does exist to exploit this fact,
although its usefulness today is rather limited since telephone sets
with electronic networks are rapidly replacing the traditional
500-type set.  Effective use of this device requires that it be no
more than several hundred feet from the subject's telephone set, and
installation of this device requires that the subject's telephone pair
be broken and routed *through* a special device, which is rather
complex and not exactly small.  No entry to the subject's premises or
modification to their telephone set is required.  This device works
through sending short, fast risetime high energy pulses into a
subject's ringer at a multiple of a resonant frequency of the network
formed by the handset and 425-type network in an on-hook state.  These
pulses have too little average energy to cause any mechanical
operation of the ringer, in addition to being of a frequency
inappropriate for ringer operation.

	 As far as I know, this device fortunately does not exist in
the private sector; however, there has been some disclosure in the
media over the years, although never with technical details of the
nature that I have just furnished (which is also the extent to which I
am prepared to disclose them).

In article <5946@accuvax.nwu.edu> pixar!bp@ucbvax.berkeley.edu (Bruce Perens) 
writes:

> I guess it sometimes took a few tries to get the
> connection, thus someone might get a lot of ring-and-hang-ups if they
> were bugged with this device.

> Do modern COs still work that way?

	Fortunately, no.

In article <5915@accuvax.nwu.edu> rsiatl!jgd@gatech.edu (John G. De Armond) 
writes:
	A Fairy Tale as follows...

> Yes these things do exist.  I used one in the early '70s to get the
> goods on my boss who was, it turns out, planning on having some pot
> planted in my car in order to have me fired.  I worked for the
> government at the time.  I got my infinity transmitter from a friend
> who worked for a well known government agency whose name begins with a
> "C" :-).

	Surely you are referring to the Civilian Conservation Corps,
since no other agency would use a device as crude and impracticable as
this one.

> The transmitter looked just like a regular phone network device.  It
> was installed inside a normal (at the time) dial phone.

	I have never known of this device to be built into a 425-type
network.  It would be *absurd* to go to the trouble of designing and
building such a device in a network since it can be so easily detected
by simple loop current and/or voltage measurement.  Furthermore, ever
look closely at a 425-type network in a 500-type station set?  The
network is *riveted* to the base, and it would not be that easy to
duplicate the riveting during a clandestine installation.
Furthermore, early 425-type networks had some wires from the
hookswitch soldered directly to them, further complicating a
clandestine installation.

	No one in their right mind would ever go to the trouble of
designing and building an "infinity transmitter" into a network; its
ease of detection through other means clearly negates such effort.

> The procedure
> when you want to monitor ambient conversations is to dial the number
> of the phone containing the infinity transmitter and apply a sequence
> of tones to the line as the last digit is completed.
> A sequence is used to keep amateur sweeps (and some sophisticated
> ones) from finding the bug by sweeping the line with a variable
> frequency tone.  The infinity transmitter detects these tones and
> picks up the line before the bell has a chance to ring.

	Please, spare us.  No "sequence of tones" was ever used to
hide the presence of this device, since it sticks out like a sore
thumb to other means of detection.  A simple voltmeter placed across
the subject's telephone line at their premises will show at least a 3
volt drop from expected on-hook voltage, on say, a 500 ohm CO loop.  A
simple milliammeter placed in series with the subject's telephone line
will show a 3 mA current flow where the expected value is *zero*.

	Furthermore, the "infinity transmitter" had enough trouble in
detecting a single tone without exceeding 3 mA on-hook loop current;
the thought of 1960's technology in detecting multiple tones with
appropriate combinatorial and timing logic without exceeding this
current flow is absurd.  Even 3 mA is enough current to cause dialing
trouble and premature ring-trip problems on some longer CO loops.

> I usually would just hang up, though it was recommended that
> the tapper go ahead and act like he had reached a wrong number so as
> not to raise alarm with the target with all the single and aborted rings.

	This, in Mr. De Armond's own words, is one fundamental reason
why the "infinity transmitter" is a largely impracticable device.

> The big limitation with these bugs was the quality of the handset
> microphone. 

	Not true.

	The carbon handset transmitter is actually a rather decent and
sensitive microphone, if properly excited and coupled to a
well-designed pre-amplifier circuit.  The carbon microphone has one
thing going for it which balances other shortcomings - it has a large
diaphragm surface area.

> Oh yeah, about my problem.  I confronted my boss behind closed doors
> with those tapes and tapes from a phone tap I'd installed too and we
> reached an agreement on a truce until I could transfer to another agency.

	That's really great.  IF your alleged experience is true, then
YOU are the one who committed multiple crimes, not your alleged boss.
Eavesdropping of the nature you describe is a felony in most, if not
all states, in addition to violating U.S.C. Title 18 Section 2511,
which is of a felony nature.  While violation of the federal statute
is not always present in the absence of involvement with interstate
communication or interstate commerce, if we are to believe that your
alleged "government" employer is the U.S. government, or receives any
funding from the U.S.  government, then we have most likely attained
federal jurisdiction.

	Also, I note with interest that in his article Mr. De Armond
provided us with his amateur radio call sign, WD4OQC.  It may assist
Telecom readers in evaluating his story to know that according to the
amateur radio operator database available through ftp, Mr. De Armond
was a teenager until December 11, 1974.

	I'm sorry if I may appear harsh to Mr. De Armond, but there are
enough *real* problems in the world involving unlawful eavesdropping,
without the need to invent any more myths.


<> Larry Lippman @ Recognition Research Corp. - Uniquex Corp. - Viatran Corp.
<> UUCP {boulder|decvax|rutgers|watmath}!acsu.buffalo.edu!kitty!larry
<> TEL  716/688-1231 || 716/773-1700       {utzoo|uunet}!/      \uniquex!larry
<> FAX  716/741-9635 || 716/773-2488        "Have you hugged your cat today?" 


[Moderator's Note: Bravo! Mr. Lippman, this was indeed an excellent
presentation, and on behalf of all the readers -- the possible
exception being Mr. De Armond -- I thank you for sharing with us.  PT]

Subject: Infinity Transmitters, Larry "the LID" Lippman and the BIG LIE
Date: 11 Apr 90 01:30:22 EDT (Wed)
From: "John G. De Armond" <jgd@rsiatl.uucp>

To comp.dcom.telecom readers:

Over the weekend, Pat the Moderator posted an article from Larry
Lippman titled "Infinity Transmitter: Fact, Fiction, and Fairy Tale",
an article preceded with significant fanfare in the days beforehand.

In this article, Larry the Lid, henceforth referred to as LL, wrote a
scathing personal attack against me regarding an article I had posted
earlier describing my use of an infinity transmitter in my first job
with the government in the mid 70's.  As if to add credence to his
story, he preceded this attack with an exposition of his rather
limited knowledge of the generic family of devices referred to as
"Infinity transmitters".  In particular, he related the history, dated
in the 60's, of the originator of the infinity transmitter, Manny
Mittelman.

After this brief history lesson, LL proceeds to extrapolate from the
microscopic particular to the general and claim that the infinity
transmitter I described could have NEVER existed and that I had simply
made up a fairy tale (his words).  His justification was simply that
he had never heard of the device I described and therefore it could
not have existed.  He further justified his opinion by citing the
mid-60s technology he had previously described as making my kind of
device impossible to implement.

He went on to describe the details of a particular telephone switch
and then extrapolated again to the general and stated that when a
coupling capacitor was removed from a particular switch, no infinity
transmitter anywhere could work.  Even those connected to switches
quite dissimilar to the one for which he had purported knowledge.  And
of course, all of this was sprinkled with the glut of obscure
buzzwords, equipment model numbers, and figures for which LL is known.
Well Hey, it works for the government.

LL concluded his post with a couple of paragraphs of pontificating
regarding my obvious violation of the law by using this fairy tale
device (I'll bet LL NEVER phreaked - ever.)  He then made reference to
my age as gleaned from the Ham Radio Database in some sort of effort
to further discredit me because of my age.

Normally I ignore such LIDS as Larry when they make personal attack.
At the most, I'll post something argumentative back just to poke fun
at the poster.  But this case is different.  Larry is regarded in some
circles as a very knowledgeable person.  He is quite a prolific poster
and can usually obfuscate the subject with obscure details.
Lastly, his attack was intensely personal.  He basically called me a
liar.  I don't quite understand this state of affairs.  Even though
I've seen Larry post some pretty bad data, I've never commented on his
postings either publicly or in private.  This was a shot literally out
of the blue.

This was the kind of attack for which there is little defense.  I
obviously do not still have the device in question, having left it in
place when I left the government service in 1979.  There was another
person involved in planting the device but since he still works for
the government and since revelation of his participation could result
in his being fired, I must respect his privacy and allow him to remain
anonymous.

Nonetheless, some important facts remain:

1)	Larry has absolutely no knowledge of my activities other than by
	my postings on the net.  He certainly knows nothing of my 
	government career.

2)	Larry has absolutely no knowledge regarding the origin of the
	infinity transmitter I used. He knows not, for example, whether
	the device was purpose-built, was a prototype or was an "off-the-
	shelf" unit.

3)	Larry had absolutely no knowledge of the environment under which
	the device was used.  For example, it was used on the relatively
	controlled environment of an old crosspoint PBX and not a Bell 
	subscriber loop or phone.  He did not know this, as evidenced by
	his description of a CO switch.

4)	Larry displayed a rather complete lack of knowledge of the then-state-
	of-the-art in infinity transmitters, particularly the ones that might 
	not fit into his preconceived notion of what one is.

And yet he makes a slanderous attack on my character.  What a guy.

One of the central themes of LL's posting was that my device must be a
fairy tale because the technology did not exist to make such a
not-easily-detectable device.  After stewing on this for a day or two, I
decided to get proactive and prove that indeed such a device was not
only feasible but easy to make.  I decided to dig out the old
Proto-Board and dedicate an evening to the project. Here is what I
came up with in about 6 hours' work.

The design criteria for my "bug" are as follows:

1.	Be undetectable by DC means.  This implies a quiescent current draw
	under 100 microamps.

2.	Be undetectable by AC means applied to a subscriber loop.  This implies
	a high AC impedance, preferably over 100kohms.

3.	Be undetectable via emitted or induced EMI.  In other words, no 
        oscillators and no inductors.

4.	Use technology available in 1975.  My device was probably built closer
	to 1977 or '78 but '75 is conservative.

5.	Be small enough to fit in a network.


An additional criterion was that I had to be able to breadboard it
from junkbox parts in an evening.

I modified the functional design a bit from the one I used a decade
ago in the interest of simplicity and perhaps in the interest of added
security.  This device is designed to respond to a pair of tones
alternately applied to the line at a moderate switching rate.  Out of
convenience, I used the tones of 1209 hz and 3266 hz alternated at a 7
hz rate. I'll explain why later.

The design I arrived at uses a pair of cascaded 2nd order bandpass
filters driving a precision rectifier whose output trips a micropower
relay.  One should note that the design presented here is meant to be
a proof-of-concept exercise and is by no means a finished product.

I have a HUGE "junk box" (actually, about 2500 sq feet of floor space)
and a large library so I have a wide selection of parts to choose from
and a good library that dates back to the late 60s (Yes, Larry, when I
was in my early teens.).

The filter design came from a book titled "Manual of Active Filter
Design" by Hilburn and Johnson, copyrighted in 1973.  This book is
essentially a collection of nomographs used to design filters
cookbook-style.  I modified the filter shown on page 100.

My active device is my old favorite of the linear devices, the 74C04
hex inverter.  Yes, sportsfans, a digital CMOS part.  This device,
when properly biased and fed-back, is an excellent low power audio and
low RF amplifier.

According to my 1975 edition of the National Semiconductor CMOS data
book, this device is rated at 0.01 microamp, 15 microamps max, with DC
input.  I would have expected the consumption to go up a bit when
linearly biased.  It does indeed but with the advances in processing
since the early 70s, the consumption is much lower.  I measured the
consumption at 5 volts with a Keithley Model 614 digital picoammeter.
With inputs grounded, this particular part consumed 0.002 microamp.
With an input tied to an output to bias the device linear, the current
rose to 0.015 microamps.  Nitpickers will note that I am characterizing 
a modern part.  That is because I don't have an ancient specimen of
the part.

The circuit is as follows:

The input from the line is coupled in through a small capacitor
(selected, about 200-500 pf) to a resistive power divider that feeds 2
sets of bandpass filters.  Each set of filters uses 2 gates of the
74C04.  The output of the filter drives a half-wave rectifier and
smoothing filter and the 2 smoothing filter outputs are summed into
another gate that serves as a summing junction.  The output of this
gate is fed to a last gate that is unbiased and serves as a
comparator.  The output of the comparator is fed to a sensitive relay
from the junque box.  This relay picks up at about 100 microamps and
probably came out of an old piece of process control equipment.  It
has 2 dpdt dry contacts.

The power supply for this device consists of 4 1n4742 12 volt, 1 watt
zeners in series feeding a bridge rectifier whose output is clamped by
a 1n4735 6.3 volt, 1 watt zener.  A 10 uf capacitor provides
sufficient reserve for switch activation and a 100 kohm resistor
limits current draw to about 20 microamps.  (A long ways from your 3
milliamps, eh Larry?)  At the currents involved, the 12 volt zeners
drop about 10.3 volts and the 6.3 volt zener drops about 5 volts.
Both diodes are characterized in my 1967 edition of the Motorola
Semiconductor Handbook.  Bridging the zener string and the 100k
resistor is one set of the relay contacts.  The second set of contacts
is used as seal-in contacts once the device is activated.

One should note that the entire device could be powered for months
from a 4.5 volt mercury battery that would fit inside the network.
There would then be ZERO load on the phone line.

The design purpose of this arrangement is for the circuit to draw zero
current until the applied voltage reaches about 40 volts.  This
prevents the device from being detected by applying an ohmmeter to the
terminals of the phone.  It also prevents the device from being
activated or detected by the application of 24 volts, a value common
to phone test boxes.  The relay contact is used to pick up the line
when the device activates and to draw loop current.  When activated,
the device represents about 6 extra volts of drop across the set.
This could possibly be a detection avenue, though not very likely.
This design assumes that battery will be at least 48 volts, a safe
assumption in the era before solid state switches.  Voltage at the
facility in question ran nearer to 58 volts most of the time.

Not implemented in this mockup but necessary for a real device is a
block to prevent the simultaneous application of the 2 tones or white
noise from activating the device.  This could be implemented with a
couple of mosfet transistors or another cmos gate.  One should
probably budget another 10 microamps for this part of the circuit.

The tone activator for this circuit consists of an old touch-tone pad
incorporating a Motorola MC1440 T-T encoder (1976 Mot. CMOS data
book).  The 1209 hz tone is generated by grounding the C1 lead of the
chip.  The 3266 tone is the 2nd harmonic of the 1633 hz tone generated
by grounding the C4 lead of the MC1440.  The tones are alternated by
connecting 2n2222 transistors between the leads and ground and driving
them with the input and output of a 74C04 inverter.  The inverter is
driven with a 7 hz squarewave from a GC electronics bench function
generator.

The frequencies were chosen because:

a)	They are easy to generate for this test.
b)	They are not harmonically related.
c)	There is little speech energy in the 3266 hz range.
d)	There is little repetitive energy in speech in the 7 hz range.

The time constants of the filters and rectifiers are chosen so that
the comparator triggers when both filters detect energy in their
respective bandpasses.  As mentioned before, white noise or
simultaneous application of both frequencies would also cause
activation absent the interlock circuitry.

The remainder of the test setup consisted of 2 Western Electric Model
SD-81824-01 key system power units connected in series and powered
through a variac.  Each power supply produces 24 vdc.  The Keithley
614 picoammeter was placed in series with the ground return to measure
the current draw.  All component values were optimized using decade
boxes and substitution boxes to minimize quiescent current draw.  A
standard carbon microphone was wired in series with the loop to allow
testing for voice falsing.  The test tones were introduced with a 600
ohm 1:1 transformer in series with the loop.  The power supplies and
picoammeter were bypassed with 0.1 uF caps.

The vital statistics are:

1) 	Quiescent current draw - 22 microamps.
2)	No current draw until the applied voltage reached 38 volts.
3)	Reliable activation with no voice-falsing occurred with about
	600 mv of tone.

Summary

I have proven that with about 6 hours of work and using components
from the junk box, a proof-of-concept Infinity transmitter can be
built that is substantially in conformance with the one I described in
my first article and which would be practically undetectable with
ordinary means.  It would certainly resist LL's VOM assault.  There is
one (or 2) chip(s) involved and a handful of discrete components.  All
would comfortably fit in a network housing.  Missing from this design
are stabilizing components, the hook interlock, spike protection and
the like.  Perhaps this could be added with another 6 hours' work.  A
bit more work would perhaps result in halving the power consumption,
making the device even harder to detect.

One should note that the entire device could be powered for months
from a 4.5 volt mercury battery that would fit inside the network.

In terms of physical concealment, the whole works could be potted in
the network housing.  Potting is not atypical.  If one were worried
about X-Ray detection, a cadmium-copper-lead foil sandwich around the
inside of the box would stop all X-Rays in the range of about 30 to 80
kev and would severely attenuate higher energy rays.  The opacity
could arouse suspicion, of course, but if suspicions have been raised
to the point of X-Raying the phone, it is probable that other
techniques such as simply monitoring the line have already detected
something abnormal.

It is true that abnormal busy signals to callers could tip off the
target.  The solution is simply to use discretion when activating the
device.  In my case, I had a secretary who would tell me when a
certain individual would visit the target.  She was also the one who
alerted me to the developing problem after she overheard in person a
conversation about me.

Editorial and Ad Hominem Attack.

So here we have a situation where a pompous ass named Larry Lippman
has decreed from his throne that a rather detailed description of an
infinity transmitter I used years ago was a lie simply because HE had
never heard of it.  In reply to his accusations, I spent an evening's
worth of spare time and designed a device which, according to Larry,
could not exist, and then built it using parts from the era.

I think that part of the problem is that Larry does not approve of my
use of the device.  If he had stated his case as such, we could have
acknowledged a difference of opinion and continued respecting each
other.  I rather imagine that Larry is being a bit two-faced about
this.  I'd not be surprised at all to find that Larry has phreaked as
much as I have.  I used phreaking as an educational tool, never stole
a dime's worth of services, and freely admit my activities.  I used my
knowledge outside of the law exactly once in order to protect my
career.  At that point in my life, I thought that my government job
would literally last me 'til retirement and that I would have to
protect it at all costs.  So I had a mistaken concept of work life.
After all, as Larry has so noted, I WAS young.

So Larry, let's get to the point.  I've not only demonstrated that an
"impossible" device could be built in an evening, I've also described
the use of a professionally built unit.  Let's see if you are as
assertive and aggressive in your apology and retraction as you were in
your slanderous assault on my character.

And finally to Pat the Moderator:  Let's see if you precede this
posting with all the fanfare and glee you greeted Larry's with. After
all, fair's fair.


John De Armond, WD4OQC                    Radiation Systems , Inc 
...!emory!rsiatl!jgd                      Marietta, GA  (404) 578-9547


[Moderator's Note: Thank you for an excellent presentation. I am left
speechless at this point.   PT]

From: w1gsl@athena.mit.edu
Subject: Re: Infinity Transmitters
Date: Thu, 19 Apr 90 18:43:46 EDT

In several recent issues of TELECOM Digest John DeArmond and Larry
Lippman have shared descriptions of similar telephone room bugging
devices with us.  In the last, Larry calls John's description a fairy
tale.

I am not sure why I should defend John but...

Larry,

You are jumping to some poor conclusions if you think John's device
was not practical.  You have compared a 1963 commercial device made in
a garage workshop, with what would have been available in 1972 to a
high tech (high budget) government agency.

Now I have no specific knowledge of John's sources, but I was building
many electronic devices back then...

Many advances in low power and complexity of ICs had been made
between those dates.  CMOS logic was available, which would easily
allow lowering the on-hook current to a few microamps, which would be
undetectable, and allow a complex enable code.  Building it into a
network would make the installation much easier.  Just swap the dial
and plastic cover, any telco tech can do it in about five minutes.
There is no need to do a field rivet job and even if the target opened
the phone there would be no obvious extra circuits.

Now would it work?  Your main point is it won't work with a modern CO.
The question is would it work with the PBX? Remember it only had to
work within the same office.  Around 1972 a tremendous number of
ancient PBXs were still out there; it didn't really matter what the CO
equipment was.  Perhaps the reason it was available to be "borrowed"
was that it was not universally useful anymore.

Also I don't see your point in John turning twenty in 1974, I had my
first "high tech" job at sixteen and had worked at several others before I
got my BSEE at twenty-one.

As for the ethics/legality - what about the action of the boss?  Do
you really think he would take it to court and risk having the
evidence played?  However, you are right, it was illegal.  Be sure to
see your lawyer before doing anything ;-).

Now the real question ... why was it necessary to use such a device?
The Telephone Company provided a much better way to bug most executive
offices, without ever entering the room, as a stock feature of many
instruments of that era.

We discovered it quite by accident in 1968 while installing some newly
acquired 2564 HK touch tone sets on a previously rotary only, 1A2 key
system at my college radio station.  A couple of the spare pairs had
been used for a custom intercom/signalling system.  On plugging in
the new sets the intercom and the new phones stopped working.  The
problem was traced to a continuous connection of the earphone to the
vi-sl pair (??  I don't have my old notes here and it has been twenty
years) which we had used for signaling!  This pair was brought out in
any instrument set up for speaker phone operation.  It allowed
mounting the speaker phone control box in the remote telephone closet.
I was never clear as to why it was a necessary connection; however,
most five-line 2564 sets I have seen have it connected.

Now if it isn't obvious - the earphone makes an excellent dynamic
microphone!!  A quick test (with a couple of the radio station's
dry pairs looped back from a remote dorm, and a common balanced input
mike amp) demonstrated it would work quite well at least up to a mile
away. All someone had to do was bridge a pair across vi-sl and properly
terminate the remote end.  It would make no noticeable difference in
the phone's operation and would work even when the phone was in use.
Of course we never bugged anyone, we only did some experiments in the
station's studios.

I do however recall, a couple years ago, hearing about some state
governor who had caught someone bugging his office.  The newspapers
were quite specific that no physical access was gained to the office;
only to the phone closet in the hallway.

I am surprised that more bugging wasn't done this way.  I know I was
always careful to see that pair was disconnected on any set in my
office.

Now that 2500 sets are being replaced by new digital sets the problem
may be moot ;-).  Then again who knows what is on the digital line
with the set hung up.  The hook switch on the brand new IBX set on my
desk doesn't disconnect anything, it only sends a code down the line!

Note: 2564's are the common old style (1965 - 1985) 5 line office
phones made by ATT and others.  Each has a 25 pair cable running to a
Key System box which controls hold and common ringing etc.

While it is not telco stock, it wouldn't take much to wire the
earphone directly out on the unused pair of the currently popular
modular jack on a single line 2500 set. :-(


			73 Steve F
			   W1GSL

[Moderator's Note: Like yourself, I thought Mr. Lippman's reference to
DeArmond's age as a likely reason the story was fraudulent was in
itself not very valid. My first employer, when I was a junior in high
school, age sixteen, was the University of Chicago, where I worked in
the old phone exchange, at 5801 South Ellis Avenue. When I was 18-20
years old, I was in charge of the facility overnight, which basically
meant I was the overnight campus phone operator. Of course, times were
different; it was certainly not 'high-tech' as we think of it today,
thirty years later; but it was sophisticated equipment in its era, and
a responsible position.  PT]

Subject: "Infinity Transmitters", John De Armond and the BIG LIE
Date: 21 Apr 90 14:33:50 EST (Sat)
From: Larry Lippman <kitty!larry@uunet.uu.net>

In article <6406@accuvax.nwu.edu> "John G. De Armond" <jgd@rsiatl.uucp> 
writes:
 	...and writes and writes and digs himself a deeper hole...

	Before delving into Mr. De Armond's new morass, I would like
to state that TELECOM Digest has to date one of the best signal-to-noise 
ratios of any group distributed through Usenet or the Internet, and I
would not like to see it degenerate through the nonsense started by
Mr. De Armond.  This will be my last comment on this issue, and it
should provide TELECOM Digest readers with sufficient information to
form a belief on the matter.

	Quoted article sources are keyed as follows: ">" refers to the
most recent article from Mr. De Armond; "$D>" refers to Mr. De Armond's 
original article; and "$L>" refers to my original article.

> After this brief history lesson, LL proceeds to extrapolate from the
> microscopic particular to the general and claim that the infinity
> transmitter I described could have NEVER existed and that I had simply
> made up a fairy tale (his words.).

	My credibility assessment of Mr. De Armond's original story is
now strengthened to a virtual certainty based upon the content of his
second article.  The basis for my belief includes but is not limited
to:

I - IMPRACTICABLE DEVICE WITH IMPROBABLE CLAIM AS TO ORIGIN

	The "infinity transmitter" is a largely impracticable device
creating an unacceptable risk of detection by the subject.  For any
dialup connection to the device, there is at *least* a 25% chance that
the subject's telephone will emit a full or partial ring, thus raising
suspicion.  The subject's telephone line will be busy to outside
callers during the entire time that "infinity transmitter" is in use;
such a false busy condition is likely to be noticed by other callers
who may alert the subject to this anomaly.  Furthermore, the quiescent
current consumption of such a device is readily ascertained using
simple test apparatus available to the telephone company or others.

$D> I got my infinity transmitter from a friend who worked for a well
$D> known government agency whose name begins with a "C" :-).

	This is not credible since the "government agency" alluded to
above would not utilize such a crude device when alternative devices
of a superior nature with virtually no risk of detection are
available.  Furthermore, Mr. De Armond embellishes his story by not
only claiming that the device was built into a telephone network, but
by claiming that the device utilized a multi-tone actuation method.
The claim of a multi-tone actuation method is akin to building a bank
vault with one wall made of plywood.  While it is possible to design
and build such a device into a network, this would have required a
considerable effort, with such design and packaging being improbable
for this type of device.

II - CONTRADICTORY TIME FRAMES
        
$D> I used one in the early '70s to get the
$D> goods on my boss who was, it turns out, planning on having some pot
$D> planted in my car in order to have me fired.

	This is improbable since Mr. De Armond was fifteen years old in
1970, and even if "early 70's" extends to 1974, it is still improbable
that at 19 years of age Mr. De Armond would hold a "government job"
and have connections to a "government agency whose name begins with a
'C'".

	In his second article Mr. De Armond substantially alters time
frames of his alleged experience in a contradictory and inconsistent
manner, in an apparent after-the-fact effort to reconcile his story
with available technology and the revelation of his age at the time of
his original claim.

> with the government in the mid 70's.

> obviously do not still have the device in question, having left it in
> place when I left the government service in 1979.

> 4.	My device was probably built closer
> 	1977 or '78 but '75 is conservative.

> I modified the functional design a bit from the one I used a decade
> ago in the interest of simplicity and perhaps in the interest of added

	The time frame of Mr. De Armond's story now varies as much as
*TEN YEARS* from "the early '70s" to "mid 70's" to "1977 or '78" to
"1979" to "a decade ago" [1980].

III - IMPROBABLE COMBINATION OF "INFINITY TRANSMITTER" WITH WIRETAP

$D> Oh yeah, about my problem.  I confronted my boss behind closed doors
$D> with those tapes and tapes from a phone tap I'd installed too and we
$D> reached an agreement on a truce until I could transfer to another agency.

	Now here is an interesting point not raised in my original
article.  Mr. De Armond claims to have also installed a "phone tap",
which implies that he already has access to the tip and ring of the
subject's telephone at some remote location.  If this were the case,
then no one in their right mind would risk detection by using an
infinity transmitter since by using just one resistor and one
capacitor, the transmitter in the telephone handset could be made live
ALL OF THE TIME.  All one would need is a high-gain amplifier bridged
across the tip and ring of the subject's telephone line to detect the
resultant sound.  No false rings or unusual line busy conditions to
create suspicion.

	Surely Mr. De Armond's "friend who worked for a well known
government agency whose name begins with a 'C'" could have informed
him about this simpler, safer and more effective alternative.

IV - SERIOUS TECHNICAL INCONSISTENCIES IN MR. De ARMOND'S SECOND ARTICLE

> 3)	Larry had absolutely no knowledge of the environment under which
> 	the device was used.  For example, it was used on the relatively
> 	controlled environment of an old crosspoint PBX and not a Bell 
> 	subscriber loop or phone.  He did not know this, as evidenced by
> 	his description of a CO switch.

	Ahh, a "crosspoint PBX"!  Perhaps an AE/Leich 40, 80 or
100-series?  The AE/Leich crosspoint PABX is a bit unusual in many
respects, one of which pertains to PABX station-to-station dialing
(which is what I presume Mr. De Armond now claims to have done).

	I have some truly devastating news for you, Mr. De Armond.
Station-to-station dialing on an AE/Leich crosspoint PABX is
accomplished through a "link circuit" (H-850289).  Unlike any SxS, XY,
XBAR or ESS apparatus, the Leich link circuit functions under LAST
PARTY CONTROL.  This means that while an "infinity transmitter" would
have answered, it could NEVER HAVE DISCONNECTED UNDER CONTROL OF THE
CALLING PARTY.  Not a very wise or useful situation.  In fact,
depending upon circumstances, it is possible that once activated, the
device could not be released by ANY MEANS other than the subject
having to physically disconnect their telephone set!

	Oh well, maybe it wasn't an AE/Leich crosspoint PABX after
all.  But that doesn't seem very likely since AE/Leich made the only
"crosspoint PBX" I can think of which might have been sold to the U.S.
government, or to the state of Tennessee, for that matter.

	Or maybe it was an AE/Leich PABX and Mr. De Armond modified
the link circuits for calling party control.  That's it!  Yeah, that's
right, that's the ticket! :-)

> One of the central themes of LL's posting was that my device must be a
> fairy tale because the technology did not exist to make such a not-
> easily-detectable device.  After stewing on this for a day or two, I
> decided to get proactive and prove that indeed such a device was not
> only feasible but easy to make.

	I'm impressed.  Mr. De Armond wasted time in allegedly
designing and building a device which will today work on less than 5%
of all CO and PABX lines in North America.  And he used circuit
technology which did not exist for several years following the date
when he originally claimed to have used such a device.

> The design criteria for my "bug" are as follows:
> 1.	Be undetectable by DC means.  This implies a quiescent current draw
> 	under 100 microamps.

	I wonder if Mr. De Armond has ever seen any countermeasures
apparatus built by F. G. Mason Engineering?  I suspect not.  But if he
did, he would realize that quiescent current drain must be << 100 uA
to avoid detection.

> 2.	Be undetectable by AC means applied to a subscriber loop.  This implies
> 	a high AC impedance, preferably over 100kohms.

	So what?  The telephone set is already sitting with a bridged
ringer that is going to have an AC impedance of << 1000 ohms.

> 3.	Be undetectable via emitted or induced EMI.  In other words, no 
>	oscillators and no inductors.

	Mr. De Armond slipped up.  Later in his article he talks about
a relay in his circuit.  Last I knew, relay windings were "inductors".

> This device is designed to respond to a pair of tones
> alternately applied to the line at a moderate switching rate.  Out of
> convenience, I used the tones of 1209 Hz and 3266 Hz alternated at a 7
> Hz rate. I'll explain why later.

	7 Hz?  Poor choice of frequency, Mr. De Armond.  I bet I could
spoof your alleged device with a 76C Cable Splicer's Test Set.

> I have a HUGE "junk box" (actually, about 2500 sq feet of floor space)
> and a large library so I have a wide selection of parts to choose from
> and a good library that dates back to the late 60s (Yes, Larry, when I
> was in my early teens.).

	I'm turning green with envy.  

> My active device is my old favorite of the linear devices, the 74C04
> hex inverter.  Yes, sportsfans, a digital CMOS part.  This device,
> when properly biased and fed-back, is an excellent low power audio and
> low RF amplifier.

	I can't imagine why anyone could want to diddle with a 74C04
as an amplifier when manufacturers such as National and GE/Intersil
have a wide variety of CMOS and JFET devices which are far superior
and have quiescent supply currents of 10 uA or less.

> I measured the
> consumption at 5 volts with a Keithley Model 614 digital picoammeter.

	Is Mr. De Armond *sure* that he used a Keithley Model 614?  My
organization has one, and the last time I saw it the front panel said
"ELECTROMETER".  Keithley does have other models, though, which are
called "picoammeters".

	I wonder if Mr. De Armond will now want to change the model
number?

> With inputs grounded, this particular part consumed 0.002 microamp.
> With an input tied to an output to bias the device linear, the current
> rose to 0.015 microamps.

	Inputs grounded, eh?  Not a very useful measurement condition,
Mr. De Armond.  How much *noise* do you think is going to be present when
your alleged device is connected to a real telephone line?  Especially
when the bandpass filter has to operate in the presence of 80 to 110
volts RMS of 20 Hz AC signal during ringing while still *rejecting*
such a huge signal.

> The output of the comparator is fed to a sensitive relay 
> from the junque box.  This relay picks up at about 100 microamps and
> probably came out of an old piece of process control equipment.  It
> has 2 dpdt dry contacts.

	This is interesting.  Assuming that Mr. De Armond has 6 volts of
DC power as stated below:

> The power supply for this device consists of 4 1N4742 12 volt, 1 watt
> zeners in series feeding a bridge rectifier whose output is clamped by
> a 1N4735 6.3 volt, 1 watt zener.

	Mr. De Armond's DPDT relay is picking up at 100 uA at 6 VDC
for a power consumption of 0.6 mW.

	That is a truly *AMAZING* relay, Mr. De Armond!  I, along with
perhaps other TELECOM Digest readers, would sure like to know its
manufacturer and model number.

	You see, Mr. De Armond, here's the problem: A sensitive DPDT
subminiature relay, like the Teledyne Centagrid [tm] mil-spec series,
rated at 6 volts DC requires at least 30 MILLIamperes of pickup
current.  Mr. De Armond's alleged relay is at least 300 times MORE
SENSITIVE than any DPDT relay that I can think of.  And I can think of
a *lot* of relays.

	Now, Mr. De Armond did mention above that the relay "probably
came out of an old piece of process control equipment".  So, perhaps
he was referring to a Weston Sensitrol [tm] or Barber-Colman
Micropositioner [tm] series relay.  These are the most sensitive
relays that I can think of offhand which might be found in process
equipment.  (See, I'm trying to lend credibility to Mr. De Armond's
story, nice guy that I am.)  Except there are three new problems
created with *this* scenario: (1) these relays were never available in
a DPDT configuration, being SPDT only; (2) the Sensitrol relay had
magnetic latching contacts in the microampere ranges; and (3) even
these relays are nowhere near as sensitive as the one in his claim (6
VDC @ 100 uA).

	If Mr. De Armond had any knowledge of eavesdropping devices
beyond what he was able to glean from my article, he would not even
*think* of using a relay (which I mentioned *only* because it was
employed in the original Mittelman "infinity transmitter").  He would
have instead used what anyone else would have used after 1970 or so -
an SCR.

> The design purpose of this arrangement is for the circuit to draw zero
> current until the applied voltage reaches about 40 volts.  This
> prevents the device from being detected by applying an ohmmeter to the
> terminals of the phone.  It also prevents the device from being
> activated or detected by the application of 24 volts, a value common
> to phone test boxes.

	Telephone company subscriber line test apparatus does not use
less than 48 volts for test purposes.  Neither does any electronic
countermeasures test apparatus.  No reliance on a traditional ohmmeter
circuit would ever be made by a knowledgeable person conducting any
electronic countermeasures inspection.

> When activated,
> the device represents about 6 extra volts' of drop across the set.

	6 volts drop on say, 50 mA of loop current is 300 mW of power
dissipation in your device.  Since Mr. De Armond's alleged relay and
linear circuit consumes, say 1 mW maximum, what circuit elements
dissipate the other 299 mW of power?

> 3)	Reliable activation with no voice-falsing occurred with about
> 	600 mv of tone.

	How about in the presence of 90 volts RMS at 20 Hz?

> I have proven that with about 6 hours of work and using components
> from the junk box, a proof-of-concept Infinity transmitter can be
> built that is substantially in conformance with the one I described in
> my first article and which would be practically undetectable with
> ordinary means.
> It would certainly resist LL's VOM assault.

	No, it wouldn't.  I would start on a 200 mA scale and work
down to 200 uA.

> There is
> one (or two) chip(s) involved and a handful of discrete components.  All
> would comfortably fit in a network housing.

	How about the, uh, "micropower" relay?

> In terms of physical concealment, the whole works could be potted in
> the network housing.  Potting is not atypical.

	Many an eavesdropping device has been potted into a network.
Of all the devices which *could* be installed within the confines of a
station network, the "infinity transmitter" is unquestionably the
least useful and one most prone to inadvertent detection.

> So here we have a situation where a pompous ass named Larry Lippman
> has decreed from his throne that a rather detailed description of an
> infinity transmitter I used years ago was a lie simply because HE had
> never heard of it.  In reply to his accusations, I spent an evening's
> worth of spare time and designed a device such as according to Larry,
> could not exist and then built it using parts from the era.

	Quite frankly, I don't believe that the circuit Mr. De Armond
alleges to have designed and built in six hours exists, either.

V - MISCELLANEOUS COMMENTS

> And yet he makes a slanderous attack on my character.  What a guy.
                                             ^^^^^^^^^
	What "character"?!  Mr. De Armond admitted to having committed
a *felony* violation of both state and federal law, for which there
was no lawful justification.  He should have been indicted, convicted
and appropriately sentenced.  Period.

> I used phreaking as an educational tool, never stole
> a dime's worth of services, and freely admit my activities.

	Where have we heard that line before?

> So Larry, let's get to the point.  I've not only demonstrated that an
> "impossible" device could be built in an evening, I've also described
> the use of a professionally built unit.  Let's see if you are as
> assertive and aggressive in your apology and retraction as you were in
> your slanderous assault on my character.

	I am now "assertive and aggressive", but not in the manner which
Mr. De Armond naively expects.

$L> 	I'm sorry if I may appear harsh to Mr. De Armond, but there are
$L> enough *real* problems in the world involving unlawful eavesdropping,
$L> without the need to invent any more myths.

	I no longer feel sorry about being harsh to Mr. De Armond.


Larry Lippman @ Recognition Research Corp.  "Have you hugged your cat today?"
UUCP:    {boulder|decvax|rutgers|watmath}!acsu.buffalo.edu!kitty!larry
TEL: 716/688-1231 || FAX: 716/741-9635      {utzoo|uunet}!/     \aerion!larry


[Moderator's Note: Well readers, YOU be the judge. This concludes the
publication in the Digest of the debate between the gentlemen.   PT]


Date: Fri, 4 May 90 08:46:35 -0700
From: Brian Kantor <brian@ucsd.edu>
Subject: Re: De Armond vs. Lippman - a Solomon Solution
Organization: The Avant-Garde of the Now, Ltd.

D'Arsonval meter relays do exist.  They are little used nowadays,
since most modern plant instrumentation is digital, but I have seen
one and two-pole "meter-relays" in service.  They have some small
contacts on the indicator pointer, and these are usually capable of
carrying a few mA to switch external relays.  One very common past
usage of such things was as setpoint controllers on thermocouple
indicators for furnaces and such.  They are not small.

	- Brian

Subject: Re: DeArmond-Lippman Childishness
Date: 23 Apr 90 17:18:36 EDT (Mon)
From: "John G. De Armond" <jgd@rsiatl.uucp>

In comp.dcom.telecom you write:

>The recent exchanges between two valuable contributors to this Digest
>sadden me.  These two gentlemen have both made a great many
>constructive and useful postings to the Digest over the past two years
>I have been fortunate enough to receive it.

>If only both had put nearly as much effort in educating us on the
>topic rather than berating each other, all the Digest readers would be
>the better.  This flame fest benefits no reader.

I agree with you that this whole affair has been unfortunate, and one
that I'd have rather not engaged in.  My only comment is to ask you to
put yourself in my shoes for a moment.  If the assault had not come
from someone as respected as Lippman, I would have ignored it.  To
have done so with him involved would have been tacitly admitting that
he was correct and that I was lying.  A response had to be made.  I
would have hoped it would have ended there but apparently it has not,
as I see Lippman at it again.  Oh well, I will be the one who lets it
die this time.


73 john

John De Armond, WD4OQC  Radiation Systems, Inc.  Atlanta, Ga             
{emory,uunet}!rsiatl!jgd


From: "John G. De Armond" <rsiatl!jgd@gatech.edu>
Subject: Re: De Armond vs. Lippman - a Solomon Solution
Date: 4 May 90 04:44:21 GMT
Organization: Radiation Systems, Inc. (a thinktank, motorcycle, car
 and gun works facility)

>(It seems reasonable to me that a relay could work on 100 uA.
>D'Arsnoval meter movements can work on more than an order of magnitude
>less.  A reed relay with a bias magnet might also be a contender.  LL
>seemed to think that 100 uA was about two orders of magnitude beyond
>reality.)

I was hoping the Moderator was going to let this die but since he has
not, here is the poop on the relay.  It was made by Leeds & Northrup
and was used as a galvo null detector in the old "sexy crab" type
stripchart recorder.  (I'm not 100% sure that this is an accurate
description of the instrument; I've only seen one at a distance but
this is what I've been told.)  It is a dual-coil, magnetically biased
relay with micrometer thread adjustable armature gap, spring bias and
contact gap.  It is physically a bit smaller than a standard plugin
control relay.

I got it back out tonight in order to measure the characteristics.
Unfortunately, I damaged the windings on one coil when I threw it back
in the relay box so I could only measure one coil.  Again, using my
trusty Keithley digital picoammeter, I determined that the relay pulls
in at about 220 uamps with only one coil energized.  Correspondingly,
with both coils energized, the pullin current would be around 110
uamps.  Not a bad guess on my part!

This relay is, of course, simply a typical example of instrumentation
galvo relays.  I have other relays that will actuate on as little as
10 uamps.  These consist of compact meter movements with the pointer
acting as a contact instead of an indicator.  Most anyone who has some
instrumentation experience will have seen many of these.  They used to
be quite popular (not necessarily in these sensitivity ranges) for
process control.  I have a nice one here that takes a thermocouple
input and is an alarming pyrometer.  I use it to control my bar-b-que.

Finally, and I hope this is the last word on the subject, regarding
the suggestions that I fabricate another infinity transmitter and send
it to some peer review person.  While that idea is intriguing,
especially the suggestion that Lippman pay me for my time (at my
standard consulting rate of $120/hour, I could enjoy the money), some
practicality has to enter into the equation.  When we get right
down to it, Lippman, this spat, comp.dcom.telecom, and the Usenet in
general rate as pretty trivial in my life.  Idle entertainment.  It's
fun to debate and useful in that it keeps the skills sharp.  But
treating the net as reality is a whole 'nuther matter.

SO...  

This is the end of this issue as far as I'm concerned.  Those of you
that think my experiment and historical account are accurate get my
thanks and appreciation.  Those that believe Lippman.. well...  Enough
said..


John


John De Armond, WD4OQC  
Radiation Systems, Inc. 
Atlanta, Ga             
{emory,uunet}!rsiatl!jgd

Subject: More on Remote Eavesdropping with an Unmodified Telephone Set
Date: 7 Apr 90 22:12:56 EST (Sat)
From: Larry Lippman <kitty!larry@uunet.uu.net>

In article <6034@accuvax.nwu.edu> david@wraith.cs.uow.oz.au 
(David E A Wilson) writes:

> >The latter is obviously false since there is no electrical connection
> >between the handset mike and the line in an on-hook telephone.  Just
> >shows to go ya.
 
> A British program broadcast in Australia stated that this is done by
> tapping the wires leading into the property and applying a high
> frequency AC signal to the line - at this frequency the switch hook
> looks like a capacitor which conducts the AC which is then modulated
> when it passes through the microphone.

	The above explanation is quite close; there are, in fact,
*multiple* mechanisms of coupling "around" the switchhook which
combine in a complex and unpredictable manner necessitating that any
apparatus used to eavesdrop based on this principle must be
empirically "tuned" to the characteristics of a particular telephone
set.  More often than not, for a variety of reasons (most commonly
inability to locate the apparatus close enough to the subject
telephone set), suitable "tuning" cannot be achieved and the apparatus
will not function in a usable manner.

	In the particular method mentioned in the referenced article,
the switchhook contacts themselves will be lucky to provide a few pF
of capacitance, which is far too much reactance to be useful at any
suitable frequencies.  There is more mutual capacitance in the wires
connecting the network to the switchhook than in the switchhook
contacts themselves.  However, the primary method of achieving
"coupling" across the on-hook contacts is magnetic coupling between
the bridged ringer windings and the transformer windings within the
network.  While the inductive reactance of the ringer windings in toto
is rather high at the frequencies being used, there is mutual
capacitance between ringer coil layers which creates a succession of
smaller LC networks and makes this approach more feasible than one
might first imagine.

	There is actually another methodology which can be applied to
eavesdropping on room conversations using an unmodified telephone set.
Most ringers will function as a variable reluctance microphone, if the
line from the telephone is amplified to an extreme degree, along with
application of suitable signal processing to eliminate an incredible
amount of noise.  As in the above methods, the necessary apparatus
must be within a few hundred feet from the telephone set, and the CO
pair must be broken during the operation (with circuitry to detect an
incoming call or outgoing call attempt and reestablish the CO line
continuity to avoid any suspicion on the part of the subject).  I am
not claiming that a ringer is a *good* microphone, but under some
selected circumstances this technique can provide useful intelligence.

	I may later regret this suggestion, but as an example to
illustrate this principle, here is an experiment that an enterprising
reader can perform using apparatus found in any well-equipped
electronics laboratory.  Take a 500-type or 2500-type set with a
bridged ringer and connect its tip and ring directly to the input of a
low-noise amplifier providing say, 80 dB of gain in the voice
frequency range.  A suggested approach is to cascade two
Hewlett-Packard 465A amplifiers, with each amplifier being set for 40
dB gain.  Take the 80 dB amplifier output and connect it to the input
of a variable bandpass filter having at least 20 dB/octave attenuation
(like a Krohn-Hite 3100, 3500 or 3700).  Take the output from the
bandpass filter and feed it to another amplifier providing 20 to 40 dB
gain and capable of driving a pair of headphones.

	Tune the bandpass filter to reject powerline noise, and you have just
turned the telephone set into a crude microphone.  At that point it
does not take much imagination to realize that given some competent
engineering resources and a commensurate budget, this technique can be
refined into a practicable eavesdropping device.  The availability of
digital signal processing can also do wonders to eliminate the vast
amount of power line, impulse noise and other interference which
develops at the gain necessary for speech pickup sensitivity.

	While electromechanical ringers are becoming somewhat a thing
of the past, many electronic telephone sets with tone ringers will
function as an even better microphone.  Such tone ringers usually rely
upon a piezoelectric element as the loudspeaker, although a few
low-quality "drugstore-variety" one-piece telephones utilize the
receiver element as the ringer transducer.  As most readers of this
forum are no doubt aware, piezoelectric devices will generally
function as both a microphone and loudspeaker.  Even a piezoelectric
element optimized for tone ringer use, i.e., with resonance in the
range of 1.5 to 2.5 kHz, will still function as a usable microphone
for lower frequencies.

	An on-hook telephone set with electronic tone ringer, if
isolated from the CO line and connected to an ultra-high gain
amplifier with suitable bandpass filtering, and if also subjected to
an appropriate RF bias to cause conduction across the initial
full-wave bridge rectifier and subsequent semiconductor junctions, can
in many instances be turned into a microphone.  While this technique
will not work with all electronic telephones, it will work with a
significant number.

	The above technique of compromising a telephone with an
electronic tone ringer was first performed almost twenty years ago on
the Ericophone.  The Ericophone was an early one-piece telephone, some
models of which contained an electronic tone ringer.  While the
geometry of the Ericophone defies verbal description in this forum,
the overall design scheme may best be described as phallic in nature.
Those readers who are familiar with the Ericophone will no doubt
concur with this description :-).

	I have commented much more on the above topics than I had
originally intended.  However, since some of the above methodologies
have not only been mentioned in the media but are now well over 20
years old, I do not see any overt harm in my disclosure of some
further selected details in an effort to promote "awareness".

> [Moderator's Note: Larry Lippman has written us again! Some of you who
> have been readers for at least a few months will remember his interesting
> articles.

	I have been rather busy in the past several months with the
startup of a new division of my organization, and have not had time to
contribute to TELECOM Digest, but I'll see if I can keep up for a
while.


<> Larry Lippman @ Recognition Research Corp. - Uniquex Corp. - Viatran Corp.
<> UUCP {boulder|decvax|rutgers|watmath}!acsu.buffalo.edu!kitty!larry
<> TEL  716/688-1231 || 716/773-1700      {utzoo|uunet}!/      \uniquex!larry
<> FAX  716/741-9635 || 716/773-2488  
