💾 Archived View for spam.works › mirrors › textfiles › hamradio › cordpriv.txt captured on 2023-06-14 at 17:00:34.
-=-=-=-=-=-=-
This file may also be known as wombat file #01, or wombat01 if I ever bother to
type/write something else. \/\/ombat
This file is a work of fiction. Everything in it is fictitious.
Any resemblance to persons living or dead, magazines, companies, products,
trademarks, copyrights, or anything else in the real world is purely
coincidental, and you should see a shrink about your over-active imagination
if you think otherwise.
- \/\/ O M B A T -
presents:
Cordless Telephones: Bye Bye Privacy!
#####################################
by Tom Kneitel, K2AES, Editor
=============================
A Boon to Eavesdroppers, Cordless Phones Are as Private as Conversing in an
Elevator. You'll Never Guess Who's Listening In!
(originally published in Popular Communications, June 1991)
OK, so it took a while, but now you've accepted the fact that your cellular
phone conversations can easily be overheard by the public at large. Now you
can begin wrestling with the notion that there are many more scanners in the
hands of the public that can listen to cordless telephone calls than can tune
in on cellulars.
Monitoring cellular calls requires the listener to own equipment capable of
picking up signals in the 800 to 900 MHz frequency range. Not all scanners
can receive this band, so unless the scannist wants to purchase a new scanner,
or a converter covering those frequencies, [see February and March issues of
Radio-Electronics for a converter project -\/\/ombat-] they can't tune in on
cellular calls. And let's not forget that it's a violation of federal law to
monitor cellular conversations. Not that there seems to be any practical way
yet devised to enforce that law, nor does the U.S. Dept. of Justice appear to
be especially interested in trying.
On the other hand, cordless telephones operate with their base pedestals in
the 46 MHz band, and the handsets in the 49 MHz band. Virtually every scanner
ever built can pick up these frequencies with ease. Cordless telephones are
usually presented to the public as having ranges up to 1,000 feet, but that
requires some clarification. That distance represents the reliable two-way
communications range that can be expected between the handset and the
pedestal, given their small inefficient receivers and antennas, and that they
are both being used at ground level.
In fact, even given those conditions, 1,000 feet of range is far more
coverage than necessary for the average apartment or house and yard. Consider
that 1,000 feet is a big distance. It's almost one-fifth of a mile. It's the
height of a 100-story skyscraper. The Chrysler Building, third tallest
building in New York City, is about 1,000 feet high, so is the First
Interstate World Center, tallest building in Los Angeles. When someone uses a
sensitive scanner connected to an efficient antenna mounted above ground
level, the signals from the average 46 MHz cordless phone base pedestal unit
(which broadcasts both sides of all conversations) can often be monitored from
several miles away, and in all directions.
Some deluxe cordless phones are a snoop's delight. Like the beautiful
Panasonic KX-T4000. Its range is described as "up to 1,000 feet from the
phone's base," however the manufacturer brags that "range may exceed 1,000
feet depending upon operating conditions." When you stop to think about it,
what at first seems like a boast is really a somewhat harmless sounding way
of warning you that someone could monitor the unit from an unspecified great
distance. In fact, just about all standard cordless phones exceed their rated
ranges. But the KX-T4000's main bonus and challenge to the snoop is that it
can operate on ten different frequencies instead of only a single frequency.
The BellSouth Products Southwind 170 cordless phone suggests a range of up to
1,500 feet., depending on location and operating conditions. The ten-channel
Sony SPP-1508 has a built-in auto-scan system to select the clearest channels.
What with millions of scanners in the hands of the public, a cordless
telephone in an urban or suburban area could easily be within receiving range
of dozens of persons owning receiving equipment capable of listening to every
word said over that phone. Likewise, every urban or suburban scanner owner
is most likely to be within receiving range of dozens of cordless telephones.
Many persons with scanners program their units to search between 46.50 and
47.00 MHz and do listen. Some do it casually to pass the time of day, others
have specific purposes.
Not Covered
===========
The Electronic communications Privacy Act of 1986, the federal law that
supposedly confers privacy to cellular conversations, doesn't cover cordless
telephones.
A year and a half ago, the U.S. Supreme Court wasn't interested in reviewing
a lower court decision that held that some fellow didn't have any
"justifiable expectation of privacy" for their cordless phone conversations.
It seems that man's conversations regarding suspected criminal activity were
overheard and the police were alerted, which caused the police to investigate
further and arrest the man after recording more of his cordless phone
conversations.
Yet, even though (at this point) there is no federal law against monitoring
cordless phones, there are several states with laws that restrict the
practice. In New York State, for instance, a state appellate court ruled that
New York's eavesdropping law prohibits the government from intentionally
tuning in on such conversations.
California recently passed the Cordless and Cellular Radio Telephone Privacy
Act (amending Sections 632, 633, 633.5, 634, and 635 of the Penal Code,
amending Section 1 of Chapter 909 of the Statutes of 1985, and adding Section
632.6 to the Penal Code) promising to expose an eavesdropper to a $2,500 fine
and a year in jail in the event he or she gets caught. Gathering the evidence
for a conviction may be easier said than done.
There may be other areas with similar local restrictions, these are two
that I know about. Obviously listening to cordless phones in major population
areas is sufficiently popular to have inspired such legislative action. There
are, however, reported to be efforts afoot to pass federal legislation
forbidding the monitoring of cordless phones as well as baby monitors. Such
a law wouldn't stop monitoring, nor could it be enforced. It would be, like
the ECPA, just one more piece of glitzy junk legislation to hoodwink the
public and let the ACLU and well-meaning, know-nothing, starry-eyed privacy
advocates think they've accomplished something of genuine value.
Strange Calls
=============
On April 20th, The Press Democrat, of Santa Rosa, Calif., reported that a
scanner owner had contacted the police in the community of Rohnert Park to say
that he was overhearing cordless phone conversations concerning sales of
illegal drugs. The monitor, code named Zorro by the police, turned over
thirteen tapes of such conversations made over a two month period.
Police took along a marijuana-sniffing cocker spaniel when they showed up
at the suspect's home with a warrant one morning. Identifying themselves,
they broke down the door and found a man and a woman, each with a loaded gun.
They also found a large amount of cash, some cocaine, marijuana, marijuana
plants, and assorted marijuana cultivating paraphernalia.
In another example, Newsday, of Long Island, New York, reported in its
February 10, 1991 edition another tale of beneficial cordless phone
monitoring.
It seems a scanner owner heard a cordless phone conversation between three
youths who were planning a burglary. First, they said that they were going to
buy a handheld CB radio so they could take it with them in order to keep in
contact with the driver of the car, which had a mobile CB rig installed.
Then, they were going to head over to break into a building that had, until
recently, been a nightclub.
The scanner owner notified Suffolk County Police, which staked out the
closed building. At 10:30 p.m., the youths appeared and forced their way
into the premises. They were immediately arrested and charged with
third-degree burglary and possession of burglary tools.
I selected these two examples from the many similar I have on hand because
they happen to have taken place in states where local laws seek to restrict
the monitoring of cordless telephones.
Most of the calls people monitor aren't criminal in nature, but are
apparently interesting enough to have attracted a growing audience of
recreational monitors easily willing to live with accusations of their being unethical, nosy, busybodies, snoops, voyeurs, and worse.
As it turns out, recreational monitors are undoubtedly the most harmless
persons listening in on cordless phone calls.
They're All Ears
================
A newsletter called Privacy Today, is put out by Murray Associates, one of
the more innovative counterintelligence consultants serving business and
government. This publication noted (as reported in the mass media) that IRS
investigators may use scanners to eavesdrop on suspected tax cheats as they
chat on their cordless phones.
But, the publication points out that accountants who work out of their homes
could turn up as prime targets of such monitoring. Their clients might not
even realize the accountant is using a cordless phone, and therefore assume
that they have some degree of privacy. One accountant suspected of preparing
fraudulent tax returns could, if monitored, allow the IRS to collect evidence
on all clients.
Furthermore, Privacy Today notes that this has ramifications on the IRS
snitch program (recycle tax cheats for cash). They say, "Millions of scanner
owners who previously listened to cordless phones for amusement will now be
able to do it for profit. Any incriminating conversation they record can be
parlayed into cash, legally."
In fact, in addition to various federal agents and police, there are private
detectives, industrial spies, insurance investigators, spurned lovers, scam
artists, burglars, blackmailers, and various others who regularly tune in with
deliberate intent on cordless telephones in the pursuit of their respective
callings. If you saw the film Midnight Run, starring Robert DeNiro, you'll
recall that the bounty hunter was shown using a handheld scanner to eavesdrop
on a cordless phone during his effort to track down a fugitive bail jumper.
No, cordless phone monitoring isn't primarily being done for sport by the
incurably nosy for the enjoyment and entertainment it can provide. The
cordless telephone has been recognized as a viable and even important tool for
gathering intelligence.
Intelligence Gathering?
=======================
In fact, there are differences between cordless and cellular monitoring.
When a cellular call is monitored, it's quite difficult to ascertain the
identity of the caller, and impossible to select a particular person for
surveillance. These are mostly portable and mobile units that are passing
through from other areas, and they're operation on hundreds of different
channels. Sometimes the calls cut off right in the middle of a conversation.
The opportunities for ever hearing the same caller more than once are very
slim.
Not so with cordless phones. These units are operated at permanent
locations in homes, offices, factories, stores. Most models transmit on only
one or two specific frequencies, and while a few models can switch to any of
ten channels, that's still a lot fewer places to have to look around than
scanning through the hundreds of cellular frequencies. So, with only minor
effort, it's possible to know which cordless phones in receiving range are
set up to operate on which channels. And you continually hear the same
cordless phone users over a long period of time. They soon become very
familiar voices; you might even recognize some of them.
The diligent, professional intelligence gatherer creates a logbook for each
of the frequencies in the band, then logs in each cordless phone normally
monitored using that frequency. Then, each time a transmission is logged from
a particular phone, bits and scraps of information can be added to create a
growing dossier picked up from conversations. With very little real effort,
it doesn't take long to assemble an amazing amount of information on all
cordless phones within monitoring range.
Think about the information that is inadvertently passed in phone calls that
would go into such files. Personal names (first and last) which are easily
obtained from salutations, calls, and messages left on other people's answering
machines; phone numbers (that people give for callbacks or leave on answering
machines); addresses; credit card numbers; salary and employment information;
discussions of health and legal problems; details of legit and shady business
deals; even information on the hours when people are normally not at home or
will be out of town, and much more, including the most intimate details of
their personal lives. Anybody who stops for a moment to think about all the
things they say over a cordless telephone over a period of a week or two
should seriously wonder how many of those things they'd prefer not be
transmitted by shortwave radio throughout their neighborhood.
Cordless phone users don't realize that these units don't only broadcast
the phone calls themselves. Most units start transmitting the instant the
handset is activated, and will broadcast anything said to others in the room
before and while the phone is being dialed, and while the called number is
ringing. Using a DTMF tone decoder, it's even possible to learn the numbers
being called from cordless phones. [see the classified ads in Popular
Communications for DTMF decoders; also for books on how to modify scanners to
restore the cellular frequencies, and more! -\/\/ombat-]
One private investigator told me that part of a infidelity surveillance he
just completed included a scanner tuned to someone's cordless phone channel,
feeding a voice-operated (VOX) tape recorder. Every day he picked up the old
tape and started a new one. The scanner was located in a rented room several
blocks away from the person whose conversations were being recorded.
Hardware Topics
===============
Many people are under the impression that the security features included in
some cordless phones provide some sort of voice scrambling or privacy. They
don't do anything of the kind. All they do is permit the user to set up a
code so that only his or her own handset can access the pedestal portion of
his own cordless phone system. In these days of too few cordless channels,
neighbors have sometimes ended up with cordless phones operating on the
identical frequency pair. That created the problem of making a call and
accessing your neighbor's dial tone instead of your own, or your handset
ringing when calls come in on your neighbor's phone.
The FCC is going to require this feature on all new cordless telephones, but
it still won't mean that the two neighbors will be able to talk on their
identical-channel cordless phones simultaneously. Such situations allow
neighbors to eavesdrop on one another's calls, even without owning a scanner.
The FCC is attempting to relieve the common problem of too many cordless
phones having to share the ten existing base channels in the 46.50 to 47.00
MHz band. These frequencies are 46.61, 46.63, 46.67, 46.71, 46.73, 46.77,
46.83, 46.87, 46.93, and 46.97 MHz. Each of these frequencies are paired with
a 49 MHz handset channel.
Manufacturers are going to be permitted to produce cordless phones with
channels positions in between the existing ten frequency pairs. Cordless
phones will now be permitted operation on these additional offset frequencies
to relieve the congestion.
A date for implementing these new frequencies hasn't yet been announced, but
it should be soon. The FCC feels that the life expectancy of a cordless phone
isn't very long, and they'd like these new phones to be ready to go on line as
the existing phones are ready to be replaced. The new model phones are going
to have to also incorporate the dial tone access security encoding feature I
mentioned.
Let's hope the new batch of cordless phones is less quirky than some of the
ones now in use. We understand that the transmitters of some cordless phones
switch on for brief periods whenever they detect a sharp increase in the
sound level, such as laughter, shouting, or a loud voice on the extension
phone.
Privacy Today tells of the cordless phone that refused to die. They noted
it was reported that the General Electric System 10 cordless phone, Model
2-9675, just won't shut up. It broadcasts phone calls even when they are made
using regular extension phones!
As for receiving all of these signals, any scanner will do. Antennas that
do an especially good job include 50 MHz (6 meter ham band) omnidirectional
types, or (secondarily) any scanner antenna designed for reception in the 30
to 50 MHz range.
There is a dipole available that is specifically tuned for the 46 to 49 MHz
band, which you can string up in your attic (or back yard) and get a good shot
at all signals in the band. This comes with 50 ft. of RG-6 coaxial cable
lead-in, plus a BNC connector for hooking to a scanner. This cordless phone
monitoring antenna is $49.95 (shipping included to USA, add $5 to Canada) from
the Cellular Security Group, 4 Gerring Road, Gloucester, MA 01930. [you can
build one yourself for much less $; look in the chapter on antennas in the
ARRL Radio Amateur's Handbook -\/\/ombat-]
The higher an antenna is mounted for this reception, the better the range
and reception quality, and the more phones will be heard.
Zip The Lip
===========
Once you understand the nature of cordless phoning, you should easily be
able to deal with these useful devices. Let's face it, it isn't really
absolutely necessary for all of your conversations to achieve complete
privacy. You are perfectly willing to relinquish expectations of
conversational privacy. You do it every time you converse in an elevator, a
restaurant, a store, a waiting room, a theatre, on the street, etc. You take
precautions not to say certain things at such times, so you don't feel that
you are being threatened by having been overheard. Think of speaking on a
cordless phone as being in the same category as if you were in a crowded
elevator, and you'll be just fine. It's only when a person subscribes to the
completely erroneous notion that a cordless phone is a secure communications
device that any problems could arise, or paranoia could set in.
Manufacturers don't claim cordless phones offer any privacy. Frankly,
because they instill a false and misleading expectation of privacy, the
several well-intentioned but unenforceable local laws intended to restrict
cordless monitoring actually do more harm than good. The laws serve no other
purpose or practical function. It would be far better for all concerned to
simply publicize that cordless phones are an open line for all to hear.
So, cordless phones must be used with the realization that there is no
reason to expect privacy. Not long ago, GTE Telephone Operations Incorporated
issued a notice to its subscribers under the headline "Cordless Convenience
May Warrant Caution." Users were told to "recognize that cordless messages
are, in fact, open-air FM radio transmissions. As such, they are subject to
interception (without legal constraint) by those with scanners and similar
electronic gear... Discretion should dictate the comparative advisability of
hard-wired phone use."
Good advice. We might add that if you are using a cordless phone, you don't
give out your last name, telephone number, address, any credit card numbers,
bank account numbers, charge account numbers, or discuss any matters of a
confidential nature. Moreover, it might be a good idea to advise the other
party on you call that the conversation is going through a cordless phone.
Some people might not care, but others could find that their conversations
could put them in an unfortunate position. Harvard Law School Professor Alan
M. Dershowitz, writing on cordless phone snooping in The Boston Globe (January
22, 1990), said, "The problem of the non-secure cordless telephone will be
particularly acute for professionals, such as doctors, psychologists, lawyers,
priests, and financial advisors. Anyone who has an ethical obligation of
confidentiality should no longer conduct business over cordless phones, unless
they warn their confidants that they are risking privacy for convenience."
That's more good advice. Not that the public will heed that advice. People
using cellulars have been given similar information many times over, and
somehow it doesn't sink in. But _you_ got the message, didn't you? Zip your
lip when using any of these devices. And, if you've got a scanner,you can
tune in on everybody else blabbing their lives away, and maybe even help the
police catch drug dealers and other bad guys -- well, unless you live in
California or some other place where the local laws are more protective of
cordless phone privacy than the federal courts are.
==============================================================================
That's it. There wasn't much high-tech intelligence there, but it was
a lot more readable than something copied out of The Bell System Technical
Journal, right?
Think about the implications: Someone who'd turn in their neighbours for
enjoying recreational chemicals would probably narc on phreaks, hackers,
anarchists or trashers as well. It isn't just the FBI, Secret Service, and
cops you have to worry about -- it's the guy down the street with a dozen
antennas on his roof. The flip side is that if you knew someone was listening
in, you could have a lot of fun, like implicating your enemies in child
prostitution rings, or making up outrageous plots that will cause the
eavesdropper to sound like a paranoid conspiracy freak when he she or it talks
to the cops.
On the more, uh, active side, the potential for acquiring useful information
like long-distance codes is obvious. Other possibilities will no doubt occur
to you.
Cordless phones also have the potential to allow you to use someone's phone
line without the hassles of alligator clips. With a bit of luck you could buy
a popular model of phone, then try various channels and security codes until
you get a dial tone. Since many phones have these codes preset by the
factory, one might have to capture the code for a given system and play it
back somehow to gain access. The ultimate would be a 10 channel handset with
the ability to capture and reproduce the so-called security codes
automatically.
This subject requires further research. Guess I'd better get a scanner.
Most short-wave receivers don't go past 30 MHz, and they generally don't have
FM demodulators. Looking in the Radio Shark catalog, any of their scanners
would do the job. Some scanners can be modified to restore cellular coverage
and increase the number of channels just by clipping diodes. If you're going
to buy a scanner, you might as well get one of those. The scanner modification
books advertised in Pop Comm would help, or check out Sterling's article
"Introduction to Radio Telecommunications Interception" in Informatik #01.
He lists many interesting frequencies, and has the following information on
the Radio Shark scanners:
==============================================================================
Restoring cellular reception.
Some scanners have been blocked from receiving the cellular band. This
can be corrected. It started out with the Realistic PRO-2004 and the PRO-34,
and went to the PRO-2005. To restore cellular for the 2004, open the radio
and turn it upside down. Carefully remove the cover. Clip one leg of D-513
to restore cellular frequencies. For the PRO-2005, [and for the PRO-2006
-\/\/ombat-] the procedure is the same, except you clip one leg of D-502 to
restore cellular reception. On the PRO-34 and PRO-37, Cut D11 to add 824-851
and 869-896 MHz bands with 30 kHz spacing.
All these are described in great detail in the "Scanner Modification
Handbook" volumes I. and II. by Bill Cheek, both available from Communications
Electronics Inc. (313) 996-8888. They run about $18 apiece.
==============================================================================
(reproduced from Informatik #01, file 02)
-30-
==============================================================================