mirrors
/
phrack
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
phrack/phrack29/8.txt

279 lines
16 KiB
Plaintext
Raw Permalink Blame History

==Phrack Inc.==
Volume Three, Issue 29, File #8 of 12
...........................................
||||||!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!||||||
|||!!! !!!|||
||| The Myth and Reality About |||
||| Eavesdropping |||
||| |||
||| by Phone Phanatic |||
||| |||
|||... October 8, 1989 ...|||
||||||...............................||||||
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Most Central Office (CO) eavesdropping intercepts in a Bell Operating Company
(BOC) CO are today performed using a modified Metallic Facility Termination
(MFT) circuit pack which places about a 100,000 ohm isolated bridging impedance
across the subscriber line. Supervisory signaling is detected on the
subscriber loop using a high-impedance electronic circuit, and the signaling is
repeated in an isolated fashion using the A and B leads of the repeating coil
in the MFT to "reconstruct" a CO line for the benefit of monitoring apparatus.
The entire purpose of the above effort is to prevent any trouble or noise on
the intercept line or monitoring apparatus from causing any trouble, noise or
transmission impairment on the subject line.
Some BOCs may elect to use service observing apparatus to provide the necessary
isolation and repeated loop supervisory signaling. Less common are locally
engineered variations which merely use an isolation amplifier from an MFT or
other 4-wire repeater, and which provide no repeated supervisory signaling
(which is not all that necessary, since voice-activated recorders and DTMF
signaling detectors can be used, and since dial pulses can be counted by
playing a tape at slow speed).
Today, the use of a "bridge lifter" retardation coil for the purpose of
connecting an eavesdropping intercept line is virtually non-existent since they
do not provide sufficient isolation and since they provide a fair amount of
insertion loss without loop current on the "observing" side. Bridge lifter
coils are primarily intended for answering service intercept lines, and consist
of a dual-winding inductor which passes 20 Hz ringing and whose windings easily
saturate when DC current flows. Bridge lifter coils are used to minimize the
loading effect (and consequent transmission impairment) of two subscriber loops
on one CO line. Bridge lifter coils provide a significant insertion loss at
voice frequencies toward the idle loop; i.e., the loop in use will have DC
current flow, saturating the inductor, and reducing its insertion loss to
1.0 dB or less.
Despite gadget advertised in magazines like The Sharper Image, the simple truth
of the matter is that there is NO WAY for any person using ANY type of
apparatus at the telephone set location to ascertain whether there is a
properly installed eavesdropping device connected across their line in the CO.
The only way such a determination can be made is through the cooperation of the
telephone company.
For that matter, there is virtually no way for any person using any type of
apparatus in their premises to ascertain if there is ANY type of eavesdropping
apparatus installed ANYWHERE on their telephone line outside their premises,
unless the eavesdropping apparatus was designed or installed in an
exceptionally crude manner (not likely today). Some types of eavesdropping
apparatus may be located, but only with the full cooperation of the telephone
company.
The sole capability of these nonsense gadgets is to ascertain if an extension
telephone is picked up during a telephone call, which is hardly a likely
scenario for serious eavesdropping!
These screw-in-the-handset gadgets work by sensing the voltage across the
carbon transmitter circuit, and using a control to null this voltage using a
comparator circuit. When a person makes a telephone call, the control is
adjusted until the light just goes out. If an extension telephone at the
user's end is picked up during the call, the increased current drain of a
second telephone set will decrease the voltage across the carbon transmitter
circuit, unbalancing the voltage comparator circuit, and thereby causing the
LED to light.
These voltage comparator "tap detectors" cannot even be left with their
setpoint control in the same position, because the effective voltage across a
subscriber loop will vary depending upon the nature of the call (except in the
case of an all digital CO), and upon other conditions in the CO.
Electromechanical and analog ESS CO's may present different characteristics to
the telephone line, depending upon whether it is used at the time of: An
originated intraoffice call (calling side of intraoffice trunk), an answered
intraoffice call (called side of intraoffice trunk), an originated tandem call
(interoffice tandem trunk), an originated toll call (toll trunk), or an
answered tandem/toll call (incoming tandem or toll trunk). There is usually
enough variation in battery feed resistance due to design and component
tolerance changes on these different trunks to cause a variation of up to
several volts measured at the subscriber end for a given loop and given
telephone instrument.
Even more significant are variations in CO battery voltage, which can vary
(within "normal limits") from 48 volts to slightly over 52 volts, depending
upon CO load conditions. 50 to 51 volts in most CO's is a typical daily
variation. If anyone is curious, connect an isolated voltage recorder or data
logger to a CO loop and watch the on-hook voltage variations; in many CO's the
resultant voltage vs 24-hour time curve will look just like the inverse of a
busy-hour graph from a telephone traffic engineering text!
In some all-digital CO apparatus, the subscriber loop signaling is performed by
a solid-state circuit which functions as a constant-current (or
current-limiting) device. With such a solid-state circuit controlling loop
current, there is no longer ANY meaningful reference to CO battery voltage;
i.e., one cannot even use short-circuit loop current at the subscriber location
to even estimate outside cable plant resistance.
To explode this myth even further, let's do a little Ohm's Law:
1. Assume a CO loop with battery fed from a dual-winding A-relay (or
line relay, ESS ferrod line scanner element, or whatever) having 200
ohms to CO battery and 200 ohms to ground.
2. Assume a CO loop of 500 ohms (a pretty typical loop).
3. Assume an eavesdropping device with a DC resistance of 100,000 ohms
(this is still pretty crude, but I'm being generous with my example).
4. Using some simple Ohm's law, the presence or absence of this
hypothetical eavesdropping device at the SUBSCRIBER PREMISES will
result in a voltage change of less than 0.5 volt when measured in the
on-hook state. This voltage change is much less than normal
variations of CO battery voltage.
5. Using some simple Ohm's law, the presence or absence of this
hypothetical eavesdropping device at the CENTRAL OFFICE LOCATION will
result in a voltage change of less than 0.2 volt when measured in the
on-hook state. This voltage change is an order of magnitude less than
the expected normal variation of CO battery voltage!
Measuring voltage variations on a subscriber loop in an effort to detect a
state-of-the-art eavesdropping device is meaningless, regardless of resolution
of a voltage measuring device, since the "signal" is in effect buried in the
"noise".
Moving on to the subject of subscriber line impedance...
There is simply no way for any device located on the subscriber's premises to
obtain any MEANINGFUL information concerning the impedance characteristics of
the subscriber loop and whether or not anything "unusual" is connected at the
CO (or for that matter, anywhere else on the subscriber loop). There are a
number of reasons why this is the case, which include but are not limited to:
1. The impedance of a typical telephone cable pair results from
distributed impedance elements, and not lumped elements. Non-loaded
exchange area cable (22 to 26 AWG @ 0.083 uF/mile capacitance) is
generally considered to have a characteristic impedance of 600 ohms
(it actually varies, but this is a good compromise figure). Loaded
exchange area cable, such as H88 loading which are 88 mH coils spaced
at 6 kft intervals, is generally considered to have a a characteristic
impedance of 900 ohms (it actually varies between 800 and 1,200 ohms,
but 900 ohms is generally regarded as a good compromise figure for the
voice frequency range of 300 to 3,000 Hz). What this means is that a
bridged impedance of 100,000 ohms located in the CO on a typical
subscriber loop will result in an impedance change measured at the
SUBSCRIBER LOCATION of 0.1% or less. That's IF you could measure the
impedance change at the subscriber location.
2. As a general rule of thumb, the impedance of an exchange area
telephone cable pair changes ONE PERCENT for every TEN DEGREES
Fahrenheit temperature change. Actual impedance changes are a
function of the frequency at which the impedance is measured, but the
above rule is pretty close for the purposes of this discussion.
3. Moisture in the telephone cable causes dramatic changes in its
impedance characteristics. While this may appear obvious in the case
of pulp (i.e., paper) insulated conductors, it is also characteristic
of polyethylene (PIC) insulated conductors. Only gel-filled cable
(icky-PIC), which still represents only a small percentage of
installed cable plant, is relatively immune from the effects of
moisture.
4. From a practical standpoint, it is extremely difficult to measure
impedance in the presence of the DC potential which is ALWAYS found on
a telephone line. The subscriber has no means to remove the telephone
pair from the switching apparatus in the CO to eliminate this
potential.
Therefore, any attempt at impedance measurement will be subject to DC
current saturation error of any inductive elements found in an
impedance bridge. The telephone company can, of course, isolate the
subscriber cable pair from the switching apparatus for the purpose of
taking a measurement -- but the subscriber cannot. In addition to the
DC current problem, there is also the problem of impulse and other
types of noise pickup on a connected loop which will impress errors in
the impedance bridge detector circuit. Such noise primarily results
from the on-hook battery feed, and is present even in ESS offices,
with ferrod scanner pulses being a good source of such noise. While
one could possibly dial a telephone company "balance termination" test
line to get a quieter battery feed, this still leaves something to be
desired for any actual impedance measurements.
5. Devices which connect to a telephone pair and use a 2-wire/4-wire
hybrid with either a white noise source or a swept oscillator on one
side and a frequency-selective voltmeter on the other side to make a
frequency vs return loss plot provide impressive, but meaningless
data. Such a plot may be alleged to show "changes" in telephone line
impedance characteristics. There is actual test equipment used by
telephone companies which functions in this manner to measure 2-wire
Echo Return Loss (ERL), but the ERL measurement is meaningless for
localization of eavesdropping devices.
6. It is not uncommon for the routing of a subscriber line cable pair to
change one or more times during its lifetime due to construction and
modification of outside cable plant. Outside cable plant bridge taps
(not of the eavesdropping variety) can come and go, along with back
taps in the CO to provide uninterrupted service during new cable plant
additions. Not only can the "active" length of an existing cable pair
change by several percent due to construction, but lumped elements of
impedance can come and go due to temporary or permanent bridge taps.
The bottom line of the above is that one cannot accurately measure the
impedance of a telephone pair while it is connected to the CO switching
apparatus, and even if one could, the impedance changes caused by the
installation of an eavesdropping device will be dwarfed by changes in cable
pair impedance caused by temperature, moisture, and cable plant construction
unknown to the subscriber.
About a year ago on a bulletin board I remember some discussions in which there
was mention of the use of a time domain reflectometer (TDR) for localization of
bridge taps and other anomalies. While a TDR will provide a rather detailed
"signature" of a cable pair, it has serious limitations which include, but are
not limited to:
1. A TDR, in general, cannot be operated on a cable pair upon which there
is a foreign potential; i.e., a TDR cannot be used on a subscriber
cable pair which is connected to the CO switching apparatus.
2. A TDR contains some rather sensitive circuitry used to detect the
reflected pulse energy, and such circuitry is extremely susceptible to
noise found in twisted pair telephone cable. A TDR is works well with
coaxial cable and waveguide, which are in effect shielded transmission
lines. The use of a TDR with a twisted cable pair is a reasonable
compromise provided it is a _single_ cable pair within one shield.
The use of a TDR with a twisted cable pair sharing a common shield
with working cable pairs is an invitation to interference by virtue of
inductive and capacitive coupling of noise from the working pairs.
3. Noise susceptibility issues notwithstanding, most TDR's cannot be used
beyond the first loading coil on a subscriber loop since the loading
coil inductance presents far too much reactance to the short pulses
transmitted by the TDR. There are one or two TDR's on the market
which claim to function to beyond ONE loading coil, but their
sensitivity is poor.
There is simply no device available to a telephone subscriber that without the
cooperation of the telephone company which can confirm or deny the presence of
any eavesdropping device at any point beyond the immediate premises of the
subscriber. I say "immediate premises of the subscriber" because one presumes
that the subscriber has the ability to isolate the premises wiring from the
outside cable plant, and therefore has complete inspection control over the
premises wiring.
I have used the phrase "without the cooperation of the telephone company"
several times in this article. No voltage, impedance or TDR data is meaningful
without knowing the actual circuit layout of the subscriber loop in question.
Circuit layout information includes such data as exact length and guages of
loop sections, detailed description of loading (if present), presence and
location of multiples and bridge taps, calculated and measured resistance of
the loop, loop transmission loss, etc. There is NO way that a telephone
company is going to furnish that information to a subscriber! Sometimes it's
even difficult for a government agency to get this information without judicial
intervention.
Despite what I have stated in this article, you will see claims made by third
parties as to the existence of devices which will detect the presence of
telephone line eavesdropping beyond the subscriber's immediate premises. With
the exception of the trivial cases of serious DC current draw by an extension
telephone or the detection of RF energy emitted by a transmitter, this just
ain't so. Companies like Communication Control Corporation (which advertises
in various "executive" business publications) get rich by selling devices which
claim to measure minute voltage and impedance changes on a telephone line --
but consider those claims in view of the voltage changes due to CO battery
variations and due to temperature changes in outside cable plant -- and you
should get the true picture.
>--------=====END=====--------<
Reference in New Issue View Git Blame Copy Permalink