Slashdot Mirror
Researchers Convert Phones Into Secret Listening Devices
CowboyRobot writes "Columbia University grad student Ang Cui demonstrated how networked printers and phones can be abused by attackers. 'The attack I demonstrated is caused by the multiple vulnerabilities within the syscall interface of the CNU [Cisco Native Unix] kernel,' Cui tells Dark Reading. 'It is caused by the lack of input validation at the syscall interface, which allows arbitrary modification of kernel memory from userland, as well as arbitrary code execution within the kernel. This, in turn, allows the attacker to become root, gain control over the DSP [Digital Signal Processor], buttons, and LEDs on the phone. The attack I demonstrated patches the existing kernel and DSP in order to carry out stealthy mic exfiltration.'"
Don't worry, Harold and John will stop listening when you get hot and heavy with your date.
Seems like it'd be easier to just slap a traditional bug under the filing cabinet if you're going to need physical access anyway. And maybe leave behind a hardware keylogger while you're at it. Possibly also an annoyatron. :)
But is normally is not a listening device.
Now that exploiting a device with a microphone can turn it into a listening device isn't exactly new either (I remember having heard the same about ISDN phones quite some time ago). However that doesn't change the fact that there's still a huge gap between tracking and listening.
The Tao of math: The numbers you can count are not the real numbers.
Learn how to put your point across in a calm, reasonable manner, and people might start listening to you.
systemd is Roko's Basilisk.
Activating phones to eavesdrop predates cellular phones by several decades. By default rotary dial phones shared with the central office any sound within range. It was assumed that if you hadn't called a number the device was dead, but that was not so.
Help stamp out iliturcy.
The rotary phones I knew mechanically disconnected the line when the cradle was pressed. Of course if you had removed the receiver from the cradle and still thought you were not connected anywhere just because you had not dialled a number, you were stupid. You just would have had to listen to it to know that it was connected to somewhere. Note that unpressing the cradle was not possible remotely. Of course someone might have physically modified the phone, but that's on the same level as installing a bug.
Also note that the ISDN phones I was speaking of weren't cell phones either. I don't think there's a wireless version of ISDN. They had not been rotary phones, though.
The Tao of math: The numbers you can count are not the real numbers.
I get +2 automatically because I have high Karma and I'm a subscriber. You get +1 for each of those. You could get the subscriber bonus for about $1/month. The high karma thing you have to work at. Karma is easier to get and lose though when all of your posts are +1 because you're a subscriber.
I could discount these in my settings, and I used to. Most subscribers with high Karma do, as they consider posting at 3 "shouting". If my Karma falls back to normal, I probably will do that. Once upon a time I had such bad Karma I was posting at -1. But I recovered.
I would still post just at 1, but the retarded sockpuppets and idiots do need shouting down with confidence. The price I pay for this is that I almost never get mod points.
Help stamp out iliturcy.
I'm guessing you never disassembled one to see how it actually worked. I did. Go ahead and find an exemplar and give it a go.
I have done so, and what you say makes no sense. The old carbon microphones require a current flowing through them in order to produce any signal, and that current draw is what signals to the CO that the receiver is off-hook. Therefore the microphone has to be disconnected from the line when the phone is on-hook (or else the CO would see the phone as permanently off-hook) and that is indeed the case in actual phones.
Need to type accents and special characters in Windows? Use FrKeys
I'm guessing you never disassembled one to see how it actually worked. I did. Go ahead and find an exemplar and give it a go.
OK, here is the schematic of the most widely used mechanical telephone in The Netherlands: the T65.
When the telephone is on hook ("hoorn"), only the ringer (bel) is connected to the line.
I really cannot think of another arrangement: the ringer voltage is high (100V?) so you don't want that appearing over your mic or speaker.
Please share with us the schematic of the phones you disassembled, or are you really a troll?
So if the ringer was ringing and you pick up the phone there might leak some of the 90 V signal into the microphone?
And did you consider what happens if you put a High frequency signal onto the line? Some of the signal might be affected by the condensator combined with the mic, and a usable signal might gotten of it.
There are some court cases where the police declares that the bad guys forgot to hang up the phone and thus could be listened on... but if that is what technically really happened is a big question.
When the phone is on-hook a minor current is still flowing through it. This is enough for sensitive equipment to pick up the background sound in the room, and this mode of monitoring has actually been used in US court cases, as well as US intelligence gathering operations. It only works with old-school analog phones though.
Help stamp out iliturcy.
You are arguing with a "conspiracy theorist". There is no sense in arguing with a lunatic, especially when your argument is based on "facts".
Seven puppies were harmed during the making of this post.
See? My point has been proven for me. The "schematic" is wrong, but the "real" phones are different. Didn't you know this? And if you manage to dissect a "real" phone that proves your point then of course you are guilty of tampering with it You did something to it to hide the evidence. In fact, you're one of THEM, aren't you?
Sorry for talking over you, symbolset, but I stopped speaking with the insane a while ago.
Seven puppies were harmed during the making of this post.
On my phone here, and when I click the link the dark whatever domain appears briefly and tennis appears their page refreshes with this (screwed up) "url" /133696/show/3fd8d00f6b22f3da5506ef43feaf8168/?
location:
You may want to do a little research on "Passive HookSwitch Bypass Methods". Most require modifications to the phone itself, but not all, that is some of these methods can be accomplished between the phone and outside service line. Here's a quick list of the most common methods;
That's what I expected. ;-)
My post was mainly intended for people who might believe his claims.
For them, maybe, facts would be helpful
Headline and summary are both misleading.
The exploit demonstrated is specific to Cisco VOIP phones. No other manufacturer's devices are affected.
Check out my novel.
Let's see, Red Light Cameras, the recent Counter-terrorism unit getting all our private data, strict gun laws, and now this? I think we might be heading into a George Orwell 1984. All we need now is the censorship police and the removal of the first amendment and we can officially say he was right and that we should have expected this.
Sounds very interesting, but unless you can link to transcripts or other documentation, referring to "court cases" and "intelligence operations" simply counts as weasel words.
I have often thought that /. should automatically delete any AC post with a karma of -1. There is a potential for abuse, but it would get rid of many of the trolls very quickly.
Just because you are paranoid does not mean that no-one is out to get you.
Let's see, Red Light Cameras, the recent Counter-terrorism unit getting all our private data, strict gun laws, and now this? I think we might be heading into a George Orwell 1984. All we need now is the censorship police and the removal of the first amendment and we can officially say he was right and that we should have expected this.
And here I figured the flyers saying "Thought Police are double-plus good" at the movie theater were just a joke (it's just a small local/indie place ... not out of the ordinary to have stuff along those lines)
Right?!
Seriously, did they look at the Dark Knight and say "Hey, that massively illegal cell-phone-Sonar concept was a good idea, lets look into it"
Yes, I know the difference.
I have disassembled T65 telephones, myself, and I did not find any difference to the schematic I linked to.
That is why I asked you to post the schematic of the telephones you disassembled that were different.
Unless you can do so, and explain how a telephone off hook can be used to eavesdrop on you, you confirm my opinion that you are a troll.
A moderately competent one, I must say: I'm still feeding you...
So if the ringer was ringing and you pick up the phone there might leak some of the 90 V signal into the microphone?
That wouldn't be too good for the microphone.
The switches of the hook are there to prevent that.
They connect/disconnect in such an order that the telephone exchange is signalled that you pick up the receiver so the ringer signal is switched off before the speaker and mic are connected. I once had a telephone where this dis not work properly. When you picked it up at the exact moment of a ring, a loud buzzing sound came out of the earpiece. Not nice.
And did you consider what happens if you put a High frequency signal onto the line? Some of the signal might be affected by the condensator combined with the mic, and a usable signal might gotten of it.
If the receiver is on hook, both mic and speaker are completely disconnected, as you can see.
The capacitor is in series with the ringer, not with mic/speaker.
Please let me know from the schematic (the one I linked to, or another one if mine is not correct for the phone you have in mind) what exact signal pathway you have in mind. "Some of the signal might be affected" is too vague to be refuted or confirmed.
When the phone is on-hook a minor current is still flowing through it. This is enough for sensitive equipment to pick up the background sound in the room, and this mode of monitoring has actually been used in US court cases, as well as US intelligence gathering operations. It only works with old-school analog phones though.
Whether there's any current flowing at all will depend on the exact design of the telephone, of course (there wouldn't be any at all in the one I looked at). However, I'm sceptical that any sound could be reliably picked up at the CO: the magnitude of the signal current would likely be dwarfed by the level of background noise from interference etc... if this has been claimed in court cases it seems more likely to me that it's a cover story to hide the actual surveillance techniques used (e.g. modifying the phone / installing bugs / etc).
Need to type accents and special characters in Windows? Use FrKeys
You may want to do a little research on "Passive HookSwitch Bypass Methods". Most require modifications to the phone itself, but not all, that is some of these methods can be accomplished between the phone and outside service line.
If you can modify the phone, it's easy, granted. If you can intercept the line between the phone and the outside line, then with the right design of telephhone there's a possibility you might get something audible. But the claim was that the sound is always relayed all the way to the CO; picking up such a tiny signal at that distance (over all the noise picked up along the way) seems implausible to me.
Need to type accents and special characters in Windows? Use FrKeys
Earlier versions of the Cisco VOIP phone firmware allowed users associated with the phone to connect via http and instruct the phone to initiate a voice stream from the phone's mic to another ip address and eavesdrop. The only indication that the mic was active and the phone streaming was a small arrow on the screen. That's since been fixed so that the function starts the voice stream remotely but the phone is muted. This could also be done the other way to stream sounds to the speaker on the phone - I had a bit of fun with that :}