It is possible to remotely intercept telephone audio by flooding the speaker/microphone circuitry in a target phone with microwave energy. The electronics inside the telephone modulate this microwave energy and the reflected microwave signal will contain this new modulated signal. The equipment to begin experiments with this type of surveillance can be found in Decatur RM-715 or MV-715 Range Master X-band police radars from the late 1970s. One reason for using this older model of Doppler radar is the fact they use a pseudo-quadrature receiver architecture to increase the radar's performance. Another reason is that Range Master radars utilize a M/A-Com MA86651 10.525 GHz Gunn diode oscillator which has a RF output power of +16 dBm (40 mW) into a circular horn antenna with approximately 20 dB of gain and 3 dB beamwidth of around 15°. The Effective Radiated Power (ERP) of this radar gun is around +36 dBm or 4 watts. This is fairly high RF power for a 10 GHz operation, when you compare it to those wimpy little 5 mW Gunn oscillators which are common today. Now you can see why they created RF exposure laws...
For just experimenting, the receive audio can be taken straight off the Range Master's speaker. You may wish to pass the audio through further band-pass or high-pass filtering to remove the significant amount of low-frequency "rumble" which will be on the received audio signal.
Using a device of this type in a remote surveillance operation can be quite tricky. The horn antenna's beamwidth will be very narrow and you'll need to be able to position the antenna in any direction as the "sweet spot" for receiving audio from a telephone will be quite small. The idea is to aim at the circuitry which contains an audio amplifier or microphone pre-amplifier in the phone. The problem is that every phone will be different. This is where experimenting will be the key.
Older phones with long component leads, wires, and PC board traces are ideal as they all act as little antennas. Really old phones with only passive carbon microphones and speakers are actually quite immune to this type of RF flooding attack. Something to keep in mind... Private Branch Exchange (PBX) systems which convert the audio signal into a digital stream can also be intercepted, as long as you can intercept the audio signal before it reaches the analog-to-digital conversion stage. There are even some older PBX systems which pass audio signals while the phone is still on hook! On systems like this, attacking the PBX's backplane circuitry could provide audio interception throughout an entire building.
Note that not just telephones are vulnerable to this type of attack. Pretty much anything containing an electronic audio amplifier or microphone could potentially be intercepted. This technique is also a good way to intercept encrypted two-way radio or digital cellular phone transmissions, as long as your target is fairly stationary or easily followed. It's even possible to intercept a key exchange between two cryptographic devices using a RF flooding technique like this, but pulling the actual key out the noise is a project for someone else...
To extend the operating range of this device, you'll need to increase the output RF power, narrow the antenna's beamwidth, and lower the phase noise of any oscillator stages. A common 18-inch DSS satellite receiving dish has a gain of around 30 dB at 10 GHz and 3 dB beamwidth of 5°. Refer to GBPPR 'Zine Issue #63 for more info on how to modify these satellite dishes.
An easy way to lower the phase noise of a Gunn oscillator is to replace the stock regulated power supply with a modern lower-noise equivalent. The M/A-Com MA8665 Gunn diode oscillator in the Range Master uses a LM723 voltage regulator to provide the +10 VDC Gunn diode bias and there are newer voltage regulators which can be dropped in.
Another method to improve overall performance is to modulate the DC bias on the Gunn diode with an ultrasonic carrier so the received signal is occupying a "sideband" of this modulating signal. This gets you away from the close-in phase noise of the main oscillator carrier and allows the received signal to be demodulated using a higher-performance synchronous detector.
You can see a real-world application of this technique in William McGrath's U.S. Patent Application 2005/0220310 for "Technique and Device for Through-the-Wall Audio Surveillance." His device modulates the transmitting microwave signal with a 1 kHz tone and the received signal is further downconverted and AM demodulated using a diode detector. This audio signal then passes through a lock-in amplifier which tracks the phase of the input 1 kHz tone and tries to follow that same tone on the received signal. This allows one to extract a signal which is down significantly (100 dB or more) in the noise. This method of remote audio surveillance by using microwaves is a little more complicated than just using a stock radar gun, but should be doable by the dedicated experimenter. Government-level microwave surveillance devices of this type (supposedly - hehe...) use a special range-gating modulation which allows one to tune in on a particular range "cell" in which to receive the remote audio. This helps to eliminate any background clutter or noise and the final result will let you listen to a human heartbeat at 300 feet. Still trying to figure this device out, though...
Pictures & Construction Notes
A stock Decatur RM-715 Range Master X-band (10.525 GHz) Doppler radar used for this experiment.
A stock Decatur MV-715 Range Master X-band (10.525 GHz) Doppler radar will also work.
Note that K-band (24 GHz) radars give fairly poor performance when used in this type of application. This is most likely due to the poor penetration of the higher operating frequency. There are probably certain applications where a 24 GHz signal will be ideal, as it's possible to get the 3 dB beamwidth down to 2° or lower.
Overview of the display and control electronics inside a Decatur RM-715 Range Master radar.
Yes, those are Nixie tubes for the speed display!
The main counter and display circuitry is based around standard 7400-series logic and most are socketed for easy repair. If you find a "dead" Range Master radar, you can most likely get it operating again by reseating all the logic chips in their sockets.
Overview of the radar's 1N23B mixer diode assembly and post-mixer amplifier circuits.
A 1N23B point-contact diode is under the large screw cap on the left.
The post-mixer amplifier appears to just be a common-emitter (low-impedance) 2N5089 transistor and LM358 op-amp with a gain cell to act as some type of level control.
Needless to say, this amplifier circuit is rip for experimentation and updating for higher gain and lower noise.
Overview of the M/A-Com MA86651 10.525 GHz Gunn diode assembly and its LM723-based +10 VDC voltage regulator.
This is just a Gunn diode mount and doesn't contain a varactor diode.
Replacing the 1N23B mixer diode with one with a lower noise figure.
1N23-series diodes are classified by their noise figure. Noise figure is a measure of the degradation to a system's overall Signal-to-Noise Ratio (SNR) caused by actual components in the RF signal chain. Simply put, the lower the noise figure, the better.
An easy trick to slighty improve the range and/or signal quality of a microwave surveillance device of this type is to replace the stock 1N23B with one having a better noise figure. The noise figure for a 1N23B diode is usually around 10 dB. I replaced it with a 1N23D diode, having a noise figure of around 8.5 dB. 1N23C (9.0 dB), 1N23E (7.5 dB), 1N23F (7.0 dB), 1N23G (6.5 dB), and 1N23H (6.0 dB) all have respective lower noise figures, but these diodes are getting to be difficult to find. You'll have to scrounge hamfests for older X-band microwave receiving converters for a good source of 1N23-series diodes.
Note that 1N21-series diodes are only designed for operation up to around 3 GHz.
1N23D Point-Contact Diode
Intercepting the audio from an old telephone test set connected to a regular POTS line.
The sample audio is straight from the Range Master's speaker with no additional filtering.
Audio is the dial tone then the standard "If you'd like to make a call..." message. After that is the off-hook alert tone, which really gave good interception results, but that's because the tone leaves the central office at a fairly high power level.
Note that the range of this test was only a few feet. Range can be significantly increased by taking the time to aim at just the right spot in the target phone. You can also use metal ducting, and other structures like hallways, as a makeshift waveguide to direct your illuminating RF signal.
There will be several short videos containing intercepted audio samples at the following URLs and on the GBPPR YouTube channel at youtube.com/GBPPR2 - provided they are not deleted or marked "offensive" by you-know-who:
Video & Audio Samples
- GBPPR Microwave Surveillance Device #5 Using a slighty modified Decatur RM-715 X-band police radar. (YouTube) (MP3 Audio)
- GBPPR Microwave Surveillance Device #6 Using a slighty modified Decatur RM-715 X-band police radar. (YouTube) (MP3 Audio)
- GBPPR Microwave Surveillance Device #3 Using a stock Kustom Signals Hawk K-band police radar antenna (MA86732 Gunnplexer). (YouTube)
- GBPPR Microwave Surveillance Device #4 Phone dial tone at 40 feet with a hallway acting as a waveguide other other test sounds. (YouTube)
- Kaiser 2010 Doppler Stethoscope - Test Audio Sample #1 Aimed at a phone three feet away. You can hear the dial tone and recording. Raw audio output with a Kaiser 1059 Preamplifier. (1M MP3)
Datasheets & Notes
- Higher resolution pictures and the original project article are available in GBPPR 'Zine Issue #77
- TEMPEST: A Signal Problem The story of the discovery of various compromising radiations from communications and COMSEC equipment, Cryptologic Spectrum, Vol. 2, No. 3, Summer 1972. The entire section under "flooding" is censored. Hmmm... (285k PDF)
- STU-III Secure Telephone Units, Crypto Key Generators, Encryption Equipment, and Scramblers
- Security Engineering A guide to building dependable distribuated systems, by Ross Anderson. (Download)
- Fortifying Phones From Attackers AT&T hires Ph.Ds for security lab; Verizon Wireless teams with start-up on data security app.
- Telephone Defenses Against the Dark Arts SOURCE Boston 2008 presentation by James Atkinson. (Part 2) (Slides) (PDF) (Original)
- Phone Talk 2009 presentation about the issues involved in tracing out and then evaluating phone systems, by James Atkinson. (8.5M PDF)
Other Related GBPPR Projects:
- Passive Resonant Cavity & "Spycatcher" Technical Surveillance Devices
- GBPPR Interferometric Surveillance Device Experiments
- Laser Bounce Listening Device
- Doppler Stethoscope for E.O.D. Applications