The convenience of the telephone is an essential part of modern life, but it also has a down side that is too often overlooked. Telephones -- or the people who use them -- are responsible for the wholesale compromise of much sensitive information that should be better protected.

The telephone can be turned against us in two ways:

  • The telephone system can be penetrated and manipulated electronically so that the microphone in the telephone handset picks up room conversations and transmits them down the phone line to a receiver even when the telephone handset is hung up. This is discussed below under Penetrating Telephone Systems.
The security and intelligence services of many friendly as well as unfriendly countries have active communications intercept programs targeted against U.S. Government offices and selected U.S. businesses and academic research programs. For information on how to protect yourself against these operations, see Countermeasures in the Introduction to this module on Intercepting Your Communications. cartoon

Satellite Transmissions
And Land-Based Microwave

When you pick up a telephone to make a call or send a fax, you generally have no idea through what channel the call will be routed. Automatic switching equipment routes the call by land line, by land-based microwave relay towers, or via satellite depending on which method is available and most efficient at the time.

bullet  Most long distance calls travel at least part of the way via the airwaves – by satellite or between land-based microwave towers -- and anything in the air can be intercepted. The technology for monitoring microwave and satellite communications used to be so expensive and complicated that it required a major government investment. Now, any reasonably well-financed group or individual can do it with readily available, off-the-shelf equipment.

The advent of digital communications has brought a large increase in the number of simultaneous digital voice or data transmissions over a single communications media. However, technological advances in high-speed computer search engines have kept up with this increase in volume. Therefore, it is still easy to sort through the billions of telephone calls and fax and data transmissions to identify targeted phone numbers or do key-word searches to pick out calls that mention watch-listed topics. Manpower requirements for processing the voluminous intercept material are greatly reduced by doing the initial screening by computer. Communications intercepted in the United States may be relayed back to another country for analysis and translation of significant messages.

Here’s how intercepting telephone and fax communications works. 1


Let's suppose your signal has traveled by land line or land-based microwave to a long-haul switching station. The telephone company's computer searches for the most efficient path to send the signal and picks out a satellite connection. Your call is relayed to a ground station where it is transmitted by a transponder up to a satellite and then relayed down to a distant ground station. The call then goes via land line or land-based microwave to a switching station where it is unlinked from the other signals, passed over cable to the recipient's telephone, and converted back into voice or a fax message.

All this happens within a fraction of a second. More satellites are being put up all the time to meet the increasing demand for telecommunications.

The downlink from the satellite is easily intercepted. It is not a narrow beam, but a microwave signal that goes out in many directions. The higher the satellite, the larger the area on earth from which that radio wave can be received and, therefore, intercepted. For many satellites, the satellite "footprint," or area in which the satellite signals can be received on earth, is a couple thousand miles in diameter. The footprint can be reduced by lowering the satellite orbit or increasing the size of the satellite antenna, but the signals can still be received over a wide area.

Anyone within this footprint with a satellite dish and some readily available equipment can pick up the signal in the same way that a backyard satellite dish pulls in television signals. Interception of satellite signals can be done from embassies or other foreign-owned buildings, from ships at sea off the coast, or from a foreign base. Satellite communications to and from most areas of the United States are vulnerable to interception from one or more of these locations.

Land-Based Microwave

Land-based microwave used to be a major means of transmitting long distance communications across the country. Now, long haul communications increasingly go via satellite or fiber optic land lines. Land-based microwave is used mainly for traffic over short distances or between a local phone office and the nearest major satellite or land line link.

Land-based microwave transmissions are relayed from one tower to another. The towers are placed at about 25 to 30-mile intervals, because the signals go mainly in a straight line and don't follow the curvature of the earth. (You can often see the towers as you drive along an interstate highway.)

Like satellite communications, land-based microwave communications are easily intercepted by anyone within range using readily available equipment. One security weakness of all microwave transmissions, whether land-based or via satellite, is that the beams have "side lobes" or "spill" along the full distance between relay points. Using a well-aimed parabolic dish antenna, it is possible to intercept the signal from the side if there is direct line of sight to a section of the beam.

Many foreign embassies, consulates, trade offices, and foreign-owned office buildings and residences in the United States are located in areas that provide opportunities to intercept land-based microwave as well as satellite signals. Rooftop antennas of foreign offices in Washington DC, New York, San Francisco and elsewhere sometimes indicate which countries are actively monitoring U.S. communications.

Tapping Landlines

A tap on a phone line allows an eavesdropper to monitor or record all conversations on that line. Telephone taps come in many varieties. Contrary to some popular belief, a sophisticated phone tap is unlikely to be noticed by the phone user and may not be apparent even to a professional technical security countermeasures team using the latest equipment.

Consider the miles of telephone lines between your phone and the telephone company’s central office. Conversations can be intercepted at any point along this path by several techniques. Sophisticated devices may be attached to or placed in or near communications equipment and cables. The tap may include a miniature transmitter that broadcasts the signal to a nearby listening post, a switch that allows monitoring from another line, or a voice-actuated recorder.

The limiting factor is that the installer of a telephone tap must somehow gain physical access to the telephone cables, terminals, or switching equipment for a brief period of time. In some cases the physical access may be readily available – for example, if the customer service box is located on the outside of a home or other target building. In other cases, a member of an unescorted cleaning crew might be recruited to provide access to the cables in a large office building, or a telephone repairman might be recruited to provide direct access to the lines or to a switching station.

bullet  In tapping phone lines, a local security service that can tap lines legally has a huge advantage over anyone who might try to do so without official support. American government and business offices overseas must assume their telephone lines are tapped, as this is a common practice.  The capability is certainly there to tap any telephone, fax, e-mail, computer, or other form of electronic communication that might carry information of potential interest. Large volumes of tapes can be screened by computer programs that search for key words. Artificial intelligence algorithms can pick out the conversations most likely to contain useful information.

Fiber-optic cables are gradually replacing copper wire as a transmission media for both inside and outside wiring. While not as vulnerable as copper cable to simple methods of attack, fiber-optic cables are nonetheless vulnerable. Devices are readily available to extract information from cable previously billed by some as tap proof.

Penetrating Telephone Systems

The telephone system can be penetrated to steal information or to steal valuable processing time. The computerization of telephone systems is now opening these systems to new channels of attack.2

Stealing Information

The standard telephone instrument has always contained all the classic components of a surveillance device -- a microphone and wire line designed to carry information from a target area. We used to think the telephone was safe as long as the handset was in the cradle, or "on-hook."

Now, however, one cannot simply look at a phone, see that it is hung up, and therefore know it is secure. The software features of most computerized phone systems make it possible to manipulate the instrument so that it acts like a microphone to pick up and transmit room conversations even when the handset is hung up. Many telephone instruments are designed with a speaker phone option, but it is possible to turn a handset into an active microphone to pick up room conversations even if this was not a part of its design or construction. Room conversations can then be monitored from another telephone far away.

There are many different methods for mounting such an attack, some of which do not even require physical access to the telephone hardware or the room in which the telephone is located. Those that do not require physical access are:

  • Using the computer telephone system maintenance procedures to put a phone in the monitor mode -- that is, off-hook.
  • Using the computer telephone system software that permits a phone instrument to answer in the hands-free mode -- that is, remote activation of the speaker phone option.
  • Applying externally generated electrical voltages or control signals onto the telephone line.
  • Modifying the telephone equipment or control unit software through exploitation of a remote maintenance port.

Methods that do require physical access to the telephone equipment are:

  • Modifying or reconfiguring the existing telephone components.
  • Modifying the equipment or control unit software.
  • Installing a clandestine technical surveillance device -- a bug.

An acceptable level of protection for telephones and other telecommunications devices against this type of penetration requires a combination of technical measures and controls on physical access to the hardware. It is not possible to eliminate all risk, but technical measures are available to greatly reduce the risk of an outsider monitoring your room conversations via the telephone while the phone is on the hook. These measures must be supported by physical security measures to prevent unauthorized persons from gaining physical access to the telephone equipment.

Stealing Processing Time

Telephone fraud has become a serious problem in the modern office environment. "Phreakers" (phone breakers who break into computerized phone systems) surf telephone systems like hackers surf computer networks looking for vulnerabilities. The most common weakness is the system for remote maintenance and testing of the lines. When phreakers gain illicit access, they make long distance calls at no cost to themselves, or they sell the access to fraudulent call-sell operators who then resell to others the ability to make long distance calls at reduced rates.

Denial of Service Attack

Interception and penetration are not the only risks. Communications systems are also vulnerable to a type of infowar attack called a "denial of service attack." This is when a telephone system is flooded with so many calls, and the main communication lines are tied up with so much trash traffic, that they cannot be used for business. This is the telephone equivalent of an "e-mail flooding attack" on a computer system. An adversary can use such an attack to temporarily cripple a communication or telephone system or cause financial damage to a company.

Related Topics: Using the STU-III, Fax Machines, Overseas Communications.

1. Much of this description of the mechanics of intercepting microwave and satellite communications is from an article by Senator Daniel Patrick Moynihan, "Privacy Disappears as America is Plagued by 'Bugs:' To the Soviets, All of America is a Party Line, as their Devices Tap Phone Communications." Published in Popular Mechanics and reprinted in Orange County Register, April 14, 1987.
2. All information in this section is from the National Reconnaissance Organization publication Everything You Always Wanted to Know about Telephone Security, December 1998.





The Chroma Group, Ltd.