This file may also be known as wombat file #01, or wombat01 if I ever bother to type/write something else.
\/\/ombat

This file is a work of fiction. Everything in it is fictitious. Any resemblance to persons living or dead, magazines, companies, products, trademarks, copyrights, or anything else in the real world is purely coincidental, and you should see a shrink about your over-active imagination if you think otherwise.

- \/\/ O M B A T -
presents:

Cordless Telephones: Bye Bye Privacy!
#####################################
by Tom Kneitel, K2AES, Editor
=============================

A Boon to Eavesdroppers, Cordless Phones Are as Private as Conversing in an Elevator. You'll Never Guess Who's Listening In!

(originally published in Popular Communications, June 1991)

OK, so it took a while, but now you've accepted the fact that your cellular phone conversations can easily be overheard by the public at large. Now you can begin wrestling with the notion that there are many more scanners in the hands of the public that can listen to cordless telephone calls than can tune in on cellulars.

Monitoring cellular calls requires the listener to own equipment capable of picking up signals in the 800 to 900 MHz frequency range. Not all scanners can receive this band, so unless the scannist wants to purchase a new scanner, or a converter covering those frequencies, [see February and March issues of Radio-Electronics for a converter project -\/\/ombat-] they can't tune in on cellular calls. And let's not forget that it's a violation of federal law to monitor cellular conversations. Not that there seems to be any practical way yet devised to enforce that law, nor does the U.S. Dept. of Justice appear to be especially interested in trying.

On the other hand, cordless telephones operate with their base pedestals in the 46 MHz band, and the handsets in the 49 MHz band. Virtually every scanner ever built can pick up these frequencies with ease.
Cordless telephones are usually presented to the public as having ranges up to 1,000 feet, but that requires some clarification. That distance represents the reliable two-way communications range that can be expected between the handset and the pedestal, given their small inefficient receivers and antennas, and that they are both being used at ground level. In fact, even given those conditions, 1,000 feet of range is far more coverage than necessary for the average apartment or house and yard.

Consider that 1,000 feet is a big distance. It's almost one-fifth of a mile. It's the height of a 100-story skyscraper. The Chrysler Building, third tallest building in New York City, is about 1,000 feet high, so is the First Interstate World Center, tallest building in Los Angeles.

When someone uses a sensitive scanner connected to an efficient antenna mounted above ground level, the signals from the average 46 MHz cordless phone base pedestal unit (which broadcasts both sides of all conversations) can often be monitored from several miles away, and in all directions.

Some deluxe cordless phones are a snoop's delight. Like the beautiful Panasonic KX-T4000. Its range is described as "up to 1,000 feet from the phone's base," however the manufacturer brags that "range may exceed 1,000 feet depending upon operating conditions." When you stop to think about it, what at first seems like a boast is really a somewhat harmless sounding way of warning you that someone could monitor the unit from an unspecified great distance. In fact, just about all standard cordless phones exceed their rated ranges. But the KX-T4000's main bonus and challenge to the snoop is that it can operate on ten different frequencies instead of only a single frequency.

The BellSouth Products Southwind 170 cordless phone suggests a range of up to 1,500 feet, depending on location and operating conditions. The ten-channel Sony SPP-1508 has a built-in auto-scan system to select the clearest channels.
What with millions of scanners in the hands of the public, a cordless telephone in an urban or suburban area could easily be within receiving range of dozens of persons owning receiving equipment capable of listening to every word said over that phone. Likewise, every urban or suburban scanner owner is most likely to be within receiving range of dozens of cordless telephones. Many persons with scanners program their units to search between 46.50 and 47.00 MHz and do listen. Some do it casually to pass the time of day, others have specific purposes.

Not Covered
===========

The Electronic Communications Privacy Act of 1986, the federal law that supposedly confers privacy to cellular conversations, doesn't cover cordless telephones. A year and a half ago, the U.S. Supreme Court wasn't interested in reviewing a lower court decision that held that some fellow didn't have any "justifiable expectation of privacy" for their cordless phone conversations. It seems that man's conversations regarding suspected criminal activity were overheard and the police were alerted, which caused the police to investigate further and arrest the man after recording more of his cordless phone conversations.

Yet, even though (at this point) there is no federal law against monitoring cordless phones, there are several states with laws that restrict the practice. In New York State, for instance, a state appellate court ruled that New York's eavesdropping law prohibits the government from intentionally tuning in on such conversations. California recently passed the Cordless and Cellular Radio Telephone Privacy Act (amending Sections 632, 633, 633.5, 634, and 635 of the Penal Code, amending Section 1 of Chapter 909 of the Statutes of 1985, and adding Section 632.6 to the Penal Code) promising to expose an eavesdropper to a $2,500 fine and a year in jail in the event he or she gets caught. Gathering the evidence for a conviction may be easier said than done.
There may be other areas with similar local restrictions; these are two that I know about. Obviously listening to cordless phones in major population areas is sufficiently popular to have inspired such legislative action.

There are, however, reported to be efforts afoot to pass federal legislation forbidding the monitoring of cordless phones as well as baby monitors. Such a law wouldn't stop monitoring, nor could it be enforced. It would be, like the ECPA, just one more piece of glitzy junk legislation to hoodwink the public and let the ACLU and well-meaning, know-nothing, starry-eyed privacy advocates think they've accomplished something of genuine value.

Strange Calls
=============

On April 20th, The Press Democrat, of Santa Rosa, Calif., reported that a scanner owner had contacted the police in the community of Rohnert Park to say that he was overhearing cordless phone conversations concerning sales of illegal drugs. The monitor, code named Zorro by the police, turned over thirteen tapes of such conversations made over a two month period. Police took along a marijuana-sniffing cocker spaniel when they showed up at the suspect's home with a warrant one morning. Identifying themselves, they broke down the door and found a man and a woman, each with a loaded gun. They also found a large amount of cash, some cocaine, marijuana, marijuana plants, and assorted marijuana cultivating paraphernalia.

In another example, Newsday, of Long Island, New York, reported in its February 10, 1991 edition another tale of beneficial cordless phone monitoring. It seems a scanner owner heard a cordless phone conversation between three youths who were planning a burglary. First, they said that they were going to buy a handheld CB radio so they could take it with them in order to keep in contact with the driver of the car, which had a mobile CB rig installed. Then, they were going to head over to break into a building that had, until recently, been a nightclub.
The scanner owner notified Suffolk County Police, which staked out the closed building. At 10:30 p.m., the youths appeared and forced their way into the premises. They were immediately arrested and charged with third-degree burglary and possession of burglary tools.

I selected these two examples from the many similar I have on hand because they happen to have taken place in states where local laws seek to restrict the monitoring of cordless telephones.

Most of the calls people monitor aren't criminal in nature, but are apparently interesting enough to have attracted a growing audience of recreational monitors easily willing to live with accusations of their being unethical, nosy, busybodies, snoops, voyeurs, and worse. As it turns out, recreational monitors are undoubtedly the most harmless persons listening in on cordless phone calls.

They're All Ears
================

A newsletter called Privacy Today is put out by Murray Associates, one of the more innovative counterintelligence consultants serving business and government. This publication noted (as reported in the mass media) that IRS investigators may use scanners to eavesdrop on suspected tax cheats as they chat on their cordless phones. But, the publication points out that accountants who work out of their homes could turn up as prime targets of such monitoring. Their clients might not even realize the accountant is using a cordless phone, and therefore assume that they have some degree of privacy. One accountant suspected of preparing fraudulent tax returns could, if monitored, allow the IRS to collect evidence on all clients.

Furthermore, Privacy Today notes that this has ramifications on the IRS snitch program (recycle tax cheats for cash). They say, "Millions of scanner owners who previously listened to cordless phones for amusement will now be able to do it for profit. Any incriminating conversation they record can be parlayed into cash, legally."
In fact, in addition to various federal agents and police, there are private detectives, industrial spies, insurance investigators, spurned lovers, scam artists, burglars, blackmailers, and various others who regularly tune in with deliberate intent on cordless telephones in the pursuit of their respective callings. If you saw the film Midnight Run, starring Robert DeNiro, you'll recall that the bounty hunter was shown using a handheld scanner to eavesdrop on a cordless phone during his effort to track down a fugitive bail jumper.

No, cordless phone monitoring isn't primarily being done for sport by the incurably nosy for the enjoyment and entertainment it can provide. The cordless telephone has been recognized as a viable and even important tool for gathering intelligence.

Intelligence Gathering?
=======================

In fact, there are differences between cordless and cellular monitoring. When a cellular call is monitored, it's quite difficult to ascertain the identity of the caller, and impossible to select a particular person for surveillance. These are mostly portable and mobile units that are passing through from other areas, and they're operating on hundreds of different channels. Sometimes the calls cut off right in the middle of a conversation. The opportunities for ever hearing the same caller more than once are very slim.

Not so with cordless phones. These units are operated at permanent locations in homes, offices, factories, stores. Most models transmit on only one or two specific frequencies, and while a few models can switch to any of ten channels, that's still a lot fewer places to have to look around than scanning through the hundreds of cellular frequencies. So, with only minor effort, it's possible to know which cordless phones in receiving range are set up to operate on which channels. And you continually hear the same cordless phone users over a long period of time. They soon become very familiar voices; you might even recognize some of them.
The diligent, professional intelligence gatherer creates a logbook for each of the frequencies in the band, then logs in each cordless phone normally monitored using that frequency. Then, each time a transmission is logged from a particular phone, bits and scraps of information can be added to create a growing dossier picked up from conversations. With very little real effort, it doesn't take long to assemble an amazing amount of information on all cordless phones within monitoring range.

Think about the information that is inadvertently passed in phone calls that would go into such files. Personal names (first and last) which are easily obtained from salutations, calls, and messages left on other people's answering machines; phone numbers (that people give for callbacks or leave on answering machines); addresses; credit card numbers; salary and employment information; discussions of health and legal problems; details of legit and shady business deals; even information on the hours when people are normally not at home or will be out of town, and much more, including the most intimate details of their personal lives. Anybody who stops for a moment to think about all the things they say over a cordless telephone over a period of a week or two should seriously wonder how many of those things they'd prefer not be transmitted by shortwave radio throughout their neighborhood.

Cordless phone users don't realize that these units don't only broadcast the phone calls themselves. Most units start transmitting the instant the handset is activated, and will broadcast anything said to others in the room before and while the phone is being dialed, and while the called number is ringing. Using a DTMF tone decoder, it's even possible to learn the numbers being called from cordless phones. [see the classified ads in Popular Communications for DTMF decoders; also for books on how to modify scanners to restore the cellular frequencies, and more!
-\/\/ombat-]

One private investigator told me that part of an infidelity surveillance he just completed included a scanner tuned to someone's cordless phone channel, feeding a voice-operated (VOX) tape recorder. Every day he picked up the old tape and started a new one. The scanner was located in a rented room several blocks away from the person whose conversations were being recorded.

Hardware Topics
===============

Many people are under the impression that the security features included in some cordless phones provide some sort of voice scrambling or privacy. They don't do anything of the kind. All they do is permit the user to set up a code so that only his or her own handset can access the pedestal portion of his own cordless phone system.

In these days of too few cordless channels, neighbors have sometimes ended up with cordless phones operating on the identical frequency pair. That created the problem of making a call and accessing your neighbor's dial tone instead of your own, or your handset ringing when calls come in on your neighbor's phone. The FCC is going to require this feature on all new cordless telephones, but it still won't mean that the two neighbors will be able to talk on their identical-channel cordless phones simultaneously. Such situations allow neighbors to eavesdrop on one another's calls, even without owning a scanner.

The FCC is attempting to relieve the common problem of too many cordless phones having to share the ten existing base channels in the 46.50 to 47.00 MHz band. These frequencies are 46.61, 46.63, 46.67, 46.71, 46.73, 46.77, 46.83, 46.87, 46.93, and 46.97 MHz. Each of these frequencies is paired with a 49 MHz handset channel. Manufacturers are going to be permitted to produce cordless phones with channel positions in between the existing ten frequency pairs. Cordless phones will now be permitted operation on these additional offset frequencies to relieve the congestion.
A date for implementing these new frequencies hasn't yet been announced, but it should be soon. The FCC feels that the life expectancy of a cordless phone isn't very long, and they'd like these new phones to be ready to go on line as the existing phones are ready to be replaced. The new model phones are going to have to also incorporate the dial tone access security encoding feature I mentioned.

Let's hope the new batch of cordless phones is less quirky than some of the ones now in use. We understand that the transmitters of some cordless phones switch on for brief periods whenever they detect a sharp increase in the sound level, such as laughter, shouting, or a loud voice on the extension phone. Privacy Today tells of the cordless phone that refused to die. They noted it was reported that the General Electric System 10 cordless phone, Model 2-9675, just won't shut up. It broadcasts phone calls even when they are made using regular extension phones!

As for receiving all of these signals, any scanner will do. Antennas that do an especially good job include 50 MHz (6 meter ham band) omnidirectional types, or (secondarily) any scanner antenna designed for reception in the 30 to 50 MHz range. There is a dipole available that is specifically tuned for the 46 to 49 MHz band, which you can string up in your attic (or back yard) and get a good shot at all signals in the band. This comes with 50 ft. of RG-6 coaxial cable lead-in, plus a BNC connector for hooking to a scanner. This cordless phone monitoring antenna is $49.95 (shipping included to USA, add $5 to Canada) from the Cellular Security Group, 4 Gerring Road, Gloucester, MA 01930. [you can build one yourself for much less $; look in the chapter on antennas in the ARRL Radio Amateur's Handbook -\/\/ombat-] The higher an antenna is mounted for this reception, the better the range and reception quality, and the more phones will be heard.
Zip The Lip
===========

Once you understand the nature of cordless phoning, you should easily be able to deal with these useful devices. Let's face it, it isn't really absolutely necessary for all of your conversations to achieve complete privacy. You are perfectly willing to relinquish expectations of conversational privacy. You do it every time you converse in an elevator, a restaurant, a store, a waiting room, a theatre, on the street, etc. You take precautions not to say certain things at such times, so you don't feel that you are being threatened by having been overheard.

Think of speaking on a cordless phone as being in the same category as if you were in a crowded elevator, and you'll be just fine. It's only when a person subscribes to the completely erroneous notion that a cordless phone is a secure communications device that any problems could arise, or paranoia could set in. Manufacturers don't claim cordless phones offer any privacy.

Frankly, because they instill a false and misleading expectation of privacy, the several well-intentioned but unenforceable local laws intended to restrict cordless monitoring actually do more harm than good. The laws serve no other purpose or practical function. It would be far better for all concerned to simply publicize that cordless phones are an open line for all to hear.

So, cordless phones must be used with the realization that there is no reason to expect privacy. Not long ago, GTE Telephone Operations Incorporated issued a notice to its subscribers under the headline "Cordless Convenience May Warrant Caution." Users were told to "recognize that cordless messages are, in fact, open-air FM radio transmissions. As such, they are subject to interception (without legal constraint) by those with scanners and similar electronic gear... Discretion should dictate the comparative advisability of hard-wired phone use." Good advice.
We might add that if you are using a cordless phone, you don't give out your last name, telephone number, address, any credit card numbers, bank account numbers, charge account numbers, or discuss any matters of a confidential nature. Moreover, it might be a good idea to advise the other party on your call that the conversation is going through a cordless phone. Some people might not care, but others could find that their conversations could put them in an unfortunate position.

Harvard Law School Professor Alan M. Dershowitz, writing on cordless phone snooping in The Boston Globe (January 22, 1990), said, "The problem of the non-secure cordless telephone will be particularly acute for professionals, such as doctors, psychologists, lawyers, priests, and financial advisors. Anyone who has an ethical obligation of confidentiality should no longer conduct business over cordless phones, unless they warn their confidants that they are risking privacy for convenience." That's more good advice.

Not that the public will heed that advice. People using cellulars have been given similar information many times over, and somehow it doesn't sink in. But _you_ got the message, didn't you? Zip your lip when using any of these devices. And, if you've got a scanner, you can tune in on everybody else blabbing their lives away, and maybe even help the police catch drug dealers and other bad guys -- well, unless you live in California or some other place where the local laws are more protective of cordless phone privacy than the federal courts are.

==============================================================================

That's it. There wasn't much high-tech intelligence there, but it was a lot more readable than something copied out of The Bell System Technical Journal, right?

Think about the implications: Someone who'd turn in their neighbours for enjoying recreational chemicals would probably narc on phreaks, hackers, anarchists or trashers as well.
It isn't just the FBI, Secret Service, and cops you have to worry about -- it's the guy down the street with a dozen antennas on his roof.

The flip side is that if you knew someone was listening in, you could have a lot of fun, like implicating your enemies in child prostitution rings, or making up outrageous plots that will cause the eavesdropper to sound like a paranoid conspiracy freak when he, she, or it talks to the cops.

On the more, uh, active side, the potential for acquiring useful information like long-distance codes is obvious. Other possibilities will no doubt occur to you.

Cordless phones also have the potential to allow you to use someone's phone line without the hassles of alligator clips. With a bit of luck you could buy a popular model of phone, then try various channels and security codes until you get a dial tone. Since many phones have these codes preset by the factory, one might have to capture the code for a given system and play it back somehow to gain access. The ultimate would be a 10 channel handset with the ability to capture and reproduce the so-called security codes automatically. This subject requires further research.

Guess I'd better get a scanner. Most short-wave receivers don't go past 30 MHz, and they generally don't have FM demodulators. Looking in the Radio Shark catalog, any of their scanners would do the job. Some scanners can be modified to restore cellular coverage and increase the number of channels just by clipping diodes. If you're going to buy a scanner, you might as well get one of those. The scanner modification books advertised in Pop Comm would help, or check out Sterling's article "Introduction to Radio Telecommunications Interception" in Informatik #01. He lists many interesting frequencies, and has the following information on the Radio Shark scanners:

==============================================================================
Restoring cellular reception.
Some scanners have been blocked from receiving the cellular band. This can be corrected. It started out with the Realistic PRO-2004 and the PRO-34, and went to the PRO-2005. To restore cellular for the 2004, open the radio and turn it upside down. Carefully remove the cover. Clip one leg of D-513 to restore cellular frequencies. For the PRO-2005, [and for the PRO-2006 -\/\/ombat-] the procedure is the same, except you clip one leg of D-502 to restore cellular reception. On the PRO-34 and PRO-37, cut D11 to add 824-851 and 869-896 MHz bands with 30 kHz spacing.

All these are described in great detail in the "Scanner Modification Handbook" volumes I. and II. by Bill Cheek, both available from Communications Electronics Inc. (313) 996-8888. They run about $18 apiece.
==============================================================================
(reproduced from Informatik #01, file 02)

-30-
==============================================================================