Eavesdropping in the Former Soviet Union

Interesting story:

The phone’s ringer is a pretty simple thing: there’s a coil, a magnet and a hammer controlled by the magnet that hits the gongs when there is AC current in the coil. The ringer system is connected directly to the phone line when the phone is on hook. (Actually through a capacitor that protects the ringer system from DC current normally present in the line.)

If you haven’t figured yet, the coil with the hammer is a speaker, not a perfect one, but a speaker anyway, and that also means that the system can be used as an electrodynamic microphone. Any ordinary speaker is an electrodynamic microphone at the same time, if you hook it up to an audio amplifier using normal microphone input.

So this was how actually they, the KGB, did their eavesdropping, I thought. They didn’t need to freeze outside or put bugs in our homes, because they had a nice wiretapping device in every single home in the country. The shocking part of it was that they didn’t just eavesdrop phone conversations – that one was kind of obvious. They were able to hear everything. The PSTN switching stations were considered strategic objects, they were under KGB’s control and surely it was no problem for them to get a few powerful amplifiers hooked up to certain lines leading to homes they needed to eavesdrop. Simple!

Tags: , , , ,

Posted on January 19, 2010 at 6:03 AM49 Comments

Comments

Oleg January 19, 2010 6:43 AM

Sorry, but it’s a peace of shit. To begin with that home phones were rare enough thing by itself. And far, far away from “in every single home in the country” 🙂
Last phrase better describe USA situation. How about FBI and McCarthy times 😉
I was born in USSR.

uk visa January 19, 2010 7:00 AM

I don’t expect there was too much difference between the US and the USSR – both were as paranoid as each other!
It appears to be part of the psychology of being a superpower that you have to eavesdrop on as many of your own people as money and technology will allow… China is now playing the same game…
It’s war out there – governments against their own peoples… were it always thus.
I read on a blog, earlier today:
“The nine most terrifying words in the English language are, I’m from the government and I’m here to help.” Ronald Reagan
http://www.chinalawblog.com/2010/01/will_china_will_be_taking_down.html

kevinm January 19, 2010 7:28 AM

In the plain old telephone the hook switch disconnected the line when you put down the handset. However if you had access to the wire pair you could inject a high frequency signal. At several MHz the hook switch capacitance was enough to complete the circuit and you could use the microphone to listen in on the room audio. In the UK it was comon to use a 3 wire wiring inside the house (to eliminate bell tinkle while another extension was dialing in Strowger systems) so the 1.8uF capacitor was in a master socket. That can facilitate this eavesdropping method.

BF Skinner January 19, 2010 7:35 AM

Isn’t this how GCHQ collected plaintext from the Bulgarian Embassy?

MI6 had BT take a phone sitting on the cipher station consol off hook and they recorded the voltage spikes as the crypto operator key punched the messages.

ivlad January 19, 2010 7:40 AM

In US you listen the ringer, in Soviet Russia ringer listens YOU!

The article lacks any serious evidence, but is, well, entertaining. Hope, you’re not going to compete with lolcats in the area of humorous web sites.

christopher January 19, 2010 7:42 AM

The typical method of eavesdropping in this manner in the US was to call the person in question and wait for pickup. By some means undisclosed to me, eavesdroppers could keep the line open even when the phone went back on-hook physically.

kevinm January 19, 2010 7:50 AM

@christopher in the POTS (plain old telephone system) the connection was usualy not broken down until the calling party went on hook. There a physical circuit (assuming old Strowger type switching equipment) existed to the called phone. Even though the called phone was on hook RF signals could collect some audio.

Frank Bitterlich January 19, 2010 7:50 AM

“Or, let’s say, this is not true. It means I invented a method of using an ordinary rotary phone as a wiretapping device, right? I still can’t believe nobody thought about this before me.”

That’s because it doesn’t work that way. What this guy more probably experienced was a faulty hook switch combined with a crosstalk effect (to which he should be used to when living in the USSR. But then again he’s probably talking about a different Soviet Union, where there were phones “in every single home in the country” and the landlines wre of such high quality that you could even pick up the tiny signals generated by tiny vibrations to the ringer coil. If they make it through the capacitor by some magical means.)

Alex January 19, 2010 8:00 AM

I think the standard UK implementation of this, going by Peter Wright’s Spycatcher, was that BT would “fault” the target line – i.e. cause a spurious fault – and initiate a truck-roll. The truck roll would be carried out by a special internal group that worked with the intelligence services. Usually, MI5 personnel would come along posing as BT staff.

Then they would open up and alter the telephone so that the microphone in the handset could be used to listen remotely.

Dan @ Airships.net January 19, 2010 8:04 AM

That was a great post by Hovik Melikyan! Thanks for telling us about it, Bruce.

While the details about the telephone were fascinating, Hovik’s larger point about the legal restrictions on our right to understand the devices we own is equally interesting.

Do you think the inability of the average person to understand the technology that surrounds him may have contributed to the sheep-like attitude of 21st century citizens? As we line up in TSA queues and submit obediently to procedures we know are meaningless, is it partly because we have become so accustomed to being surrounded by things that we cannot understand and are not allowed to question?

Andy Dingley January 19, 2010 8:20 AM

Technically I have a small issue with the detail of this (and yes, I was a phone engineer in the ’80s) but the general aspect and the politics of it are right.

The ringer is a poor microphone. You’ve already installed a better one. So instead, use that. It’s called an “infinity transmitter” and has been widely discussed and published in the 2600 / phreak world since the ’70s.

The difference is that it attacks (sic) the switch hook, the switch that takes the phone “off line”. The main function of the switch hook is to switch the DC voltage from the exchange, which is how the exchange tells that the phone has been picked up. The AC signals for the voice don’t need to be switched on and off quite so obviously, so in fact they’re not – there are all sorts of AC signal paths inside a phone through the other components. So change the exchange’s behaviour (i.e. not much more than, “listen for a signal even when on the hook”) and there’s a signal to be had.

Why does the ringer go “ping” once? Because that’s when someone plugs & unplugs the listening gear. The static DC voltage on the phone line changes, and that DC jump is the classic “one ping” from a bellset.

47 January 19, 2010 8:29 AM

Cool story, bro.

Oh and something I really like about such people is how they had a phone in 1981 in Armenia (which isn’t exactly the center of the world). I don’t think we had a phone at home until the nineties. Makes me wonder where they got one.

anonymouser January 19, 2010 8:53 AM

Predictably, one could get in all sorts of interesting trouble by disconnecting one’s phone, in the USSR and Bloc countries. Phone socket/jack setups were something of a rarity, with most phones tied directly into the respective phone lines via a small junction box.

Compare to the recent trend in the UK, US and elsewhere to use the fact that a defendant had turned off their cellphone as proof of criminal intent or premeditation.

Odalchini January 19, 2010 9:00 AM

I think Hovik’s general point is about “abstraction”.  I don’t need to know how a device works, if I know how to use it and it does what I want.  The landline telephone is a perfect example.  I pick it up and dial a number:  it works (OK, not 100%, but 99.9999%).  If the number is valid, the system connects me to the phone at the other end, and rings or gives a busy tone.  I, the user, don’t need to know, or care, what happens between my phone and the other person’s phone.  Most people don’t really have any idea:  we may understand in principle, as we understand in principle how a TV works, but the real application is mind-boggling.

This is a fact of life, ever since we started to trade with far-away places, and ever since there began to be more devices and technologies than any one person can understand.  When spices from what were then called the Spice Islands (the Molucca or Maluku islands in modern Indonesia) began to be sold in Europe, only a very few people understood where the spices came from or how they were produced;  but that didn’t matter – everyone just ate them and liked them.  Today, with more people and more trade, that’s greatly extended:  we use gasoline, for example, without needing to know or care where it comes from or the detail of how it’s produced, transported and refined.  Some people don’t even know that milk comes from a cow.

Similarly, today I can write a program using (say) a Windows API to perform a function.  I don’t need to know how it performs that function, and I don’t care, so long as it does it according to specification.

JRR January 19, 2010 10:04 AM

I call BS. If you had a direct, super clean connection DIRECTLY to the electromagnets, and there were very loud noises going on in the room, you MIGHT be able to amplify enough to hear them.

However, the ringer is behind a low-value capacitor, something like a 0.1 MFD one, SPECIFICALLY PUT THERE to isolate the ringer from audio frequencies, so that the rather high load of the ringer coil wouldn’t attenuate the audio too much. The ringer is driven by putting about 40 volts AC over the top of the normal DC present on the line; the higher voltage AC gets through the capacitor and rings the bell.

So not only do you have a “microphone” element that’s incredibly weak to start with, it’s also intentionally isolated from passing audio frequencies down the wire.

Add to that that most analog lines are a few miles long and not that clean, and I’d be absolutely amazed if you could even hear a gunshot in the room, let alone speech.

Alobar January 19, 2010 12:48 PM

During the Viet Nam war, us radical peaceniks used to believe that the FBI was doing the same thing to us. No idea if they were, but we believed they were.
Whenever we had people over to one of our homes or offices, where we would talk of things which needed to be kept private, we put our phones into a box surrounded by pillows.

Bulgarian January 19, 2010 1:33 PM

That’s complete BS, at least as far as Bulgaria is concerned. Phones weren’t that rare here in thes 80s as compared to USSR. However, practically each third Bulgarian worked for Darjavna Sigurnost (State Security). You tell the authorities about your neighbour telling jokes about the Party, you may get promoted. You tell the authorities about your neighbour listening to some evil station like “Radio Free Europe”, you certainly get promoted while he may disappear in some dark “Narodna Milicia” (people’s police) building.

That system proved to be very effective and cheap to maintain as well.

finid January 19, 2010 2:04 PM

Ok, enough about the former USSR already. Let’s look closer to home. Is there a special chip in that Cisco/Linksys router near your PC? How about that Verizon FIOS router?

James Sutherland January 19, 2010 2:23 PM

JRR: No need to be at the far end of the miles of local loop – pop a manhole cover somewhere nearby and tap in there, a hundred yards from the target building. The ringer might be difficult or even impossible to use this way, but as Andy Dingley says it should be much easier to use the actual microphone with a little trickery.

Of course telcos loved hard-wired extensions for the monopoly on handset rental (no sales: like IBM in the early mainframe days, a nice captive monthly fee for life), but did these government-owned companies have another motive in mind as well?

Jonathan Thornburg January 19, 2010 3:16 PM

Following up on @Alex: According to Peter Wright’s book “Spycatcher”, not only did MI[56] deploy a somewhat similar system to tap phones in the UK, but they had the required hardware modification (Wright describes it as a “washer”) permanently installed on all phones at Claridge’s Hotel in London. Since many foreign diplomatic & trade delegations stayed there, this gave them “dial-a-microphone” access…

Clive Robinson January 19, 2010 3:35 PM

Hmm I’m not sure where the most BS the article or some of the comments.

First of could the bell be used as a microphone. Well yes but have you considered what it’s frequency response is?

The bell is a chime and as such has a ressonant frequency (around 1KHz ish) and it would by dint of it’s design have quite a narow bandwidth.

Secondly what effect would the capacitor in series with it have well. Th first thing o consder is the ring voltage is around 150vp-p @50Hz so electricaly the circuit will if not tuned to the ring frequency more likely than not pass the high frequency of an audio signal.

So in theory yes in practice not.

There appears to be a bit of confusion about how telephones work.

Ignoring the dialer all a phone is is three transducers a capacitor and a hook switch. There are two basic circuits the ring circuit and the speach circuit.

The ring circuit is as described the ring transducer (bell) and non polarised capacitor in series. The reason the ring voltage is so high (~150V AC) is to overcome the effective high resistance of the capacitor. Oh by the way most bell circuits could easily be rewired for DC operation in low voltage phones networks via the hook switch (not uncommon when used in industrial environments as field telephones)

The speach circuit consists of two transducers (mic and ear piece) in series with the hook switch. This circuit is supposed to draw enough current to keep a type 600 relay pulled in at the Central Office which is used to show the phone is off hook this relay breakes the 50Hz ring signal and connects the phone onto a line pair usuallly brought in via a pair of uniselectors (don’t worry they are unimportant).

Now let us see for the reasons I have given above the bell/ring circuit does not seam plausable.

However the Peter Wright “Spy Catcher” system Maggie Thatcher so successfully advertised was shown to work in the 1980’s. All that had been noticed was a simple but cleaver trick.

The contacts of a “micro switch” are two parallel metal plates with spots of soft white metal contacts. As such they look like the plates of a 10 or 20 Pico Farad capacitor. Which is how they behave when the switch is open.

Now the trick is realising you have the speach circuit not switched out put still connected by a very small value capacitor.

Well you need to examin the transducers. Traditionaly the earpiece has always been a metal plate and electromacnetic circuit. However the electromagnet has a very ver high inductance topresent a load to balance the microphone. In reality the circuit is a little more complicated to alow for side tone (hear yourself speak so you don’t shout into the phone). This complication effectivly puts a small value capacitor across the inductor of the earpiece. Thus this transducer can work in both ways to both receive and transmit audio however the circuit made it receive as intended at audio frequencies but transmit at frequencies in the long to medium wave band (0.3-2MHz) all be it poorly. The traditional microphone is a variable resistance consisting of carbon granuals between a shaped carbon plate and a metalic audio plate. Thus is inherantly a broadband device.

If you assume that the CO 600 relays made one half of a bridge with respect to ground you could inject a phantom LF RF signal into the speach circuit that forms the other side of the bridge. Thus you can see an Amplitude Modulated signal across the bridge teminals which is the audio in the room.

Now there has been some confusion with the name of the device and the Mafia sponsored “infinity bug” (which you put across somebodies hook switch that will keep the line open). The spycatcher device required no entry to the “customer premises” to install the bug unlike the Mafia infinity bug.

However for many in the know the spycatcher device was easily foild just by a very very minor rewire of the speach circuit that effectivly shunted the active high impeadence transducer with a very very low impeadence shunt at RF frequencies.

The “PO secret Squiral” brigade where actually regular employed members of BT that had received extra training.

If the spycatcher device failed then the “officers” would fault the line and the exchange squirel would be sent out to look for and remove any filters or other components they thought might be stopping the spycatcher device from working. Some did other activities but by and large they kept themselves to themselves and banked the extra pay at Xmas for their families as “overtime”.

Even before Peter Wright put pen to paper the device he described was a nolonger required it did not work with the trendy 70’s Trimphone that was so badly deigned that it was a bug in it’s own right.

By the time Peter write had published his book the device was virtualy redundant it had been replaced by a modified IR Laser and pickup system developed by Marconi from plans stolen from somebody else (there is even less than no honour amonst spies 😉

Part of the reason for it’s retirment was that the LF RF signal was to easy to detect or stop and it was becoming well known in certain NGOs 😉

Gaijin January 19, 2010 4:15 PM

Apart from two major points already mentioned:

  • general lack of in-house phones even in otherwise well-developed cities.
  • ease of obtaining information from “friends” and neighbours by KGB.

there is one more — at lest in Kiev (capital of Ukraine) in 1980s most of the phones were sharing single line in pairs (for Russian speakers out there — think “blokirator”).

So I call this BS and shameless self-promotion.

Orwell January 19, 2010 4:39 PM

Basically this does work as described, but requires a small distance between the amplifier and the phone, otherwise you pick up too much noise.

Much better results can be obtained if you (once) have access to the phone and put a resistor across the hook-switch, so that a small current permanently runs through the microphone, but not enough to consider the phone off-hook.

Other advanced methods (with unmodified phones) put a high-frequency signal on the line and monitor changes of various electrical parameters of the phone due to surrounding sound.

hm January 19, 2010 5:25 PM

Clive Robinson:

So how would you explain those sounds coming from the ringer’s hammer as described in the article?

Peter E Retep January 19, 2010 7:40 PM

I do belkieve Mr. Dunnagan’s comment has made this blog particular page unreproducible, and unreportable, to the official minders of the PRC CP Department of Surveillance,
as any one reporting it would automatically become suspected of unreliability.

; – )

Lou Conein January 19, 2010 9:24 PM

Tapping TELEPHONES??? Oh, come ON now!

Sincerely,

Manny Mittelman
CEO, Wireless Guitar Company
NY,NY

Kevin D. Murray January 19, 2010 10:16 PM

The story Hovik Melikyan relates is quite believable. Using phone ringers as microphones was a common eavesdropping technique in the days of electro-mechanical ringers.

Since the 1970’s, I have inspected many (10k+) telephone instruments / lines for bugs / taps / attacks. The phenomena described is called a “microphonic ringer.” I can say – from personal experience – this technique can produce very intelligible audio.

This technique, along with the previously mentioned radio-frequency flooding technique, took advantage of some inherent vulnerabilities of ‘normal’ electro-mechanical phones of the era.

A microphonic ringer attacks produce audio of varying quality depending upon several factors: how loose the coil fits on the core assembly; the gain of the amplifier being used; and the amount of extraneous noise on the line (if it can not be filtered out).

Sometimes extracted audio quality is very high, other times it is just barely intelligible. The important point is not fidelity, however, it is >intelligibility<.

When one could not get into an area to tamper with the phone or place a bug, the microphonic ringer attack was a very acceptable alternative – on both sides of the Iron Curtain.

If you still don’t believe, conduct a little experiment. Open an old Bell rotary dial phone (model 500 series) and open a touchtone version (model 2500 series). Both have electro-mechanical ringers. On the older model, the bell’s coil is loose on the core. On the newer model, you will see a small “L” shaped piece of aluminum wedged against the coil to keep it from moving. That piece was added there for a reason.

Hook a high-gain audio amplifier to each phone (do it on-line for realism, or off-line for ease). You’ll believe.

P.S. Thank you, Kevinm for mentioning The Great Seal Bug. We had a lot of visitors today.

Clive Robinson January 20, 2010 3:52 AM

@ hm,

“So how would you explain those sounds coming from the ringer’s hammer as described in the article?”

Not quite sure what you mean by explain.

As for the physics of it the artical’s author explained most transducers are two way that is you put a current in and the transducer produces an output. However it also produces a reverse force or as more normaly called with electromagnetic components a “back EMF” (you can for instance tell exactly how fast a motor is running simply by measuring it’s back EMF it’s not easy but you can do it).

Now when I was at school some “herumph herumph” years ago (okay okay over a third of a centuary ago 8( a friend and I somehow (don’t ask) obtained parts of existing phone headsets specificaly the ear pieces.

We found that just by connecting two in series with a battery you could talk quite normaly into one and hear quite clearly in the other and the other way arround. (DO NOT TRY THIS AT HOME FOLKS as the impedence of PO ear pieces is a hundred Ohms or so, ordinary speakers under 4 or 8 ohms which means yould fry them unless you used a very low battery voltage etc etc..)

We actually mounted these transducers in a couple of tin cans and twisted up some fake looking “washing line” using electrical flex.

We convinced a number of our more gullable peers that you could make a “string can phone” work without having to tighten the “string”.

So from the point of view of acting as a microphone the earpieces where sensitive enough for the right supply voltage.

And yes the hammer for the bells will act as a microphone (if you think back to “studio ribbon microphones and their construction) but what the frequency response is I could not even make a guess at.

Now knowing it is possible under physics is not the same as explaining how what the author say’s he heard in the article.

Soo… lets work it backwards, their was an AC signal on the ringer in the phone he had. Joggling the “hook switch” on the phone did not cause it to apear on the phone handset. Which suggests it was a “fault” of some kind down stream of the house he was in.

That is operating the hook switch appeard to connect and disconnect the phone from the line as expected but rather than get a “dial tone” in the off hook, he got no signal.

Now what he does not say is what type of telephone line was laid onto the house. It might have been a shared “party line” or a multi bearer non baseband line.

That is one pair of physical telephone wires or line but confusingly more than one bearer circuit…

Now the cost of putting in aditional telephone line pairs in a growing market is very very expensive so since the late 1940’s it was common practice to “multiplex” user calls in quite complex ways onto a single wire pair (Tommy Flowers of the PO research center at Dollis Hill had shown beyond doubt that thermionic valves could be made reliable and low cost but that’s a story for another day).

Prior to this a single line pair was just shared like a common extension. The first “private” is the infomous “Phantom line”.

What you do is put in “DC Circuit breaks” or “Line bridges” at either end and make the existing line pair balanced “against ground”. This is done with a couple of “1:1+1” transformers and a bunch of type 600 relays to isolate the DC signaling.

What you do is then put in the phantom circuit between the center taps of the transformers. This uses the CMRR of the transformers to issolate the phantom circuit from the existing line…

However if you “unbalance the setup” then no CMRR, and if the other party leaves the “phone off hook” to get peace and quiet at home then you will get the effect the author reports.

The question then falls to how or why the fault occured and that I cannot answer as I suspect neither can the author.

It might have been due to an inept “tap” on a dual party phantom line, or just a simple “CO frame” wiring issue.

Clive Robinson January 20, 2010 4:59 AM

@ Lou Conein,

Manny’s moved from “The Wired Harmonica Co” then?

For those that don’t know it’s an old “in joke” google [“Manny Mittelman” “harmonica bug”]

Now for a real old “in joke” fromt the DWS,

Q : How do you tell a squirel from his nuts?

A : He’s the one who says “V” when you ask “What’s ire”

If you don’t get it (not surprising realy) the joke revolves around “blue collar” PO engineer (the squirel) and his “5 handlers” being “Camb/Oxford clasics men”

You would expect the answer “anger” from the five types. But your PO engineer not being classicaly trained might think you where asking Ohms law (V=IR)…

There is a heirachy in “intel services” not all are MI’s. The two UK MI’s you may know about are 5 (home) and 6 (forigen). There where others 8 being one. It and the BBC and various other bits and bobs became the Diplomatic Wireless Service (DWS) being of the F&CO and Diplomates naturaly looked down on the 6,5 and the Police in that decending order. Thus “one might club with a six man, drink with a 5 man, but a policeman no no they are rough trade”.

The head of 6 (the “service”) was once Sir Cuningham known in his “secret service” by the “officers” simply as “C” and a knighthood always goes with the job so “Sir C”. The DWS classical men refered to him and his successors dismisivly as “Circe” (prounounced “Sir C”) who is a “greek” female minor deity or nymph ( http://en.wikipedia.org/wiki/Circe)

Iikewise the head of the Met Police gets a knighthood with the job and the DWS refered to him as “Cerment” (as in Sir Met) but also you would expect somebody wearing “cement boots” to PLOD a bit. The word Plod ia also a derogatory name for Police Officers.

There where other such “s/whitisisums” in the various Mi’s etc. It makes them sound like a bunch of “Posh School boys” thinking up names for their “masters” and they most certainly did that.

Sadly the likes of the DWS who worked out of “Powndon and Gawcot etc” have been absorbed into “Hanslope Park” and have lost their identities that explains many many historic quirks.

Thankfully people in their 80’s and 90’s have finally broken the “vowes of silence” and the almost forgoton histories of the likes of the RSS / MI8 / DWS the various SCU’s etc are being recorded at last and a lot of bits can now be found on the Internet due to the work of people like Pat Hawker and Tony Sale.

I grew up in Russia January 20, 2010 6:28 AM

I don’t know where the idea that very few people in Russia had the phones comes from. I grew up in Moscow and all my friends had phones. My sister did not, but theirs was a new coop home. I bet most dissidents in bid cities had phones. We knew that the phones could be used by the government to listen in on us. When you wanted to talk frankly, you covered your phones with pillows, went to a bathroom and turned on the water. Close the bathroom door and you have a safe eavesdropping-resistant environment. I could not live like that anymore and left that country for US, where individual rights and laws were respected. Imagine my shock when the government here decided that sovietisation of this country was a good idea. There are kinds of knowledge that you are lucky not to have or need.

hm January 20, 2010 7:18 AM

@”I grew up in Russia”, same here. Everyone I knew – friends, relatives, classmates, neighbors – everyone had a phone in their homes in the 80s. Let alone that this has very little to do with the story.

Gaijin January 20, 2010 7:58 AM

@I grew up in Russia
Some people (you obviously one of them) grew up in the different Russia. Please, note that I did not say “fictitious”. Even in Moscow high phone penetration was contained to the central parts of the city (e.g not Chimki, Vnukovo, Sheremetievo, etc.). Traveling beyond Moscow, not necessary even as far as Armenia, one would quickly discover that phone is symbol of status and tells something about the position of the owner WRT the powers that be, KGB included. In the USSR I grew up in person who has telephone in the otherwise telephone-less cluster of high-rises (“sleeping bag” neighborhoods) was not the person you discuss something you did not want KGB to hear about in front of.

@hm
You, obviously have not read the article (emphasis in the quote below is mine):
“They didn’t need to freeze outside or put bugs in our homes, because they had a nice wiretapping device in every single home in the country.” As this is more security-related blog and not the history-related one, the obvious question was the applicability of such attack to the prospective victim population.

hm January 20, 2010 8:58 AM

@Gaijin, true, I didn’t read the article, I just wrote it.

All I can say is in the 70s and 80s probably some 95% or more of homes in Armenia had phones. We actually had two separate phone lines in our home, I didn’t mention that in the article as it was irrelevant. So with 95% coverage the surveillance method would be pretty viable.

Lou Conein January 20, 2010 9:44 AM

@Clive Robinson,

Clive, we have a theory that you older Limey operators have such a strange sense of humor from eating way too many meals made from some sort of animal guts.

Mind you, I’d still have a beer with you, if you people could just learn to properly refrigerate one first.

OK, all you borscht-eaters can go back to arguing about telephone bells now.

Gaijin January 20, 2010 10:22 AM

@hm
Even if what you say about Armenia’s 95% phone penetration is true, Armenia itself constituted slightly more than 1% of the USSR population. And 95% was certainly nowhere near phone penetration in the places, I am familiar with, which include Russia, Ukraine, Uzbekistan and Lithuania. Maybe it was different in Yerevan, but in those places it was customary to build cluster of high-rises housing 3,000-5,000 appartments (4,000-10,000 people) and then think about complementing it with the niceties like food stores, schools and phone central offices.
Just out of curiosity… were party line setups (“blokirators”) popular in your parts of the world? They were majority of the phone setups where I grew up and you can engage in listening to your counterpart’s conversation any time, frequently by merely picking up the handset.

I grew up in Russia January 20, 2010 10:23 AM

@hm

I am sorry I helped to deepen a pretty irrelevant discussion of how many phones there were in the USSR. Your thoughtful article helped me understand an observation that always puzzled me: how can the same person be a hero and a coward at the same time? A lot of people who came from the war covered with awards for bravery from head to toe were deathly afraid of their government and often demonstrated contemptible civilian cowardice. Your article helped me to figure out that they were courageous when they knew exactly who their enemy was: this guy with a gun, this group in a tank. However, the government was faceless and, as prince Hamlet once noted, we are afraid of unknown. Same here: people who were not afraid of Timothy McVeigh sitting in jail in their country (a guy with a similar background to theirs) are terrified of pre-teen Afganis, who are so different. I guess fear of unknown explains a lot of bad security decisions.

hm January 20, 2010 11:00 AM

@Gaijin

Yes, I remember in some newly built residential areas “blokirators” weren’t uncommon. An awful invention to save some copper wire.

@I grew up in Russia

I don’t think it was fear of unknown. From the perspective of a totalitarian regime, KGB’s practices were largely relevant in terms of keeping the state going. Any tyranny requires a (way oversized) security infrastructure.

There is an interesting theory that the USSR was in effect a huge oil/gas corporation with its own army and security. That explains a lot about the country, its policies and the reasons of its bankruptcy in 1991.

Gaijin January 20, 2010 11:11 AM

@hm
[Blokirators] So what is the chance that you were listening to (possibly illicit) one? BTW: random dings and crosstalk were trademark side effect of such a device.

hm January 20, 2010 11:33 AM

@Gaijin

Ours definitely wasn’t a “blokirator”, and another thing that was certain was that the single ding at 9am and 9pm wasn’t random and was related to our guest’s visit. Andy Dingley gives an explanation to that in his comment above.

I think the most intriguing part of the story regardless of what actually happened was that the ringer worked as a speaker in on-hook mode. I’m sure about this because I was able to “mute” the sound by touching the hammer. So if sound goes one way through the capacitor etc it surely can go the other way too.

averros January 21, 2010 1:25 AM

This article is, of course, total BS. To understand why one only needs to consider quality and noiseness of Soviet phone lines – often, it was hard to hear what the other side was speaking!

Add to that the fact that until very late 80s switches in USSR were either mechanical (yep, good old coordinate seekers and relays, with motor-driven tone signal generators) or electro-mechanical (reed relays, anyone?) – both kinds producing copious amounts of noise.

Even with modern signal processing it would be impossible to extract any useful signal from such a crappy microphone as the ringer from all that din.

Nobody January 21, 2010 11:55 AM

The Dutch police got caught doing something similar – a suspect accidentally left the phone off the hook and the police recorded the background conversation.
The court ruled the evidence acceptable because the suspect had effectively broadcast it in public so no warrant was required.

Following that ruling a suspicous number (ie 100%) of suspects left the phone off the hook – it became the standard way of avoiding getting a bugging warrant

JimFive January 21, 2010 4:00 PM

Clive,

It’s not the bell (per se) that would be used. The bell is not attached to anything (electrically/magnetically speaking). It would have to be the hammer. It’s still crap because that hammer isn’t going to have a good enough response to ambient sound to move enough to even affect the magnetic field. Forcing the phone off hook with line voltage and listening to the handset (speaker or mic) is easier and better.

JimFive

Clive Robinson January 21, 2010 5:35 PM

@ JimFive,

“It’s not the bell (per se) that would be used. The bell is not attached to anything (electrically/magnetically speaking).”

Ahg me not being as claer as I could, and making an assumption about Russian phones (as knock offs of either Bell or PO designs).

For using the bell ringer as a microphone, it needs to move an object in a field to create either a current (mag core) or voltage (peizo etc) or both.

In a normal microphone the object concerned is usually very very small and very very light. Which the bell hammer is most certainly not, so it would by it’s self have extreamly limited sensitivity (low surface area) and frequency.

However there is the process of using mechanical surfaces and levers to amplify movment.

In the human ear for instance sound activates the “finestra routunder (ear drum) which sends mechanical movment to the finestra ovalis” via the anvil, hammer and stirup bones, which amplify the lateral movment..

Thus the bell acts as the sound absorbing surface, and the hammer resting on it is vibrated by the bells movment. Giving an overall mechanical gain of around 5-20.

Now it has come to my attention that not all POTS bell transducers are equal and some do not actually rest on either bell but are by the use of springs held in between them.

The stuff I used to work on, (over three hundred moons ago) was designed such that the bell transducer just by changing a link would run on either AC or DC.

As a result off the hammer bias spring keeping the hammer against one bell, when you put “DC Line current” through the bell to the hammer and then into the drive coil through the hook switch and back to the line the bell would ring.

This is because when DC current is applied the hammer moves from the bell, it breaks the circuit so no more current flows. However the hammers inertia keeps it moving against the spring and it hits the other bell where it transfers the inertial energy into the other bell. Just like a battery operated door bell does.

However at this point there is nomagnetic force to the spring pulls back the hammer so it returns to the other bell where the circuit is restored and the coil again pulls the hamer away from the bell breaking the circuit… The result is the plain DC current would get “choped” into an AC ring current by the hammer and bell circuit.

Thus I was expecting the hammer would normally be at rest against one of the two bells, and could use them as “sound multiplers”.

Tracy April 4, 2015 11:01 AM

Hello

I am concerned that my work telephone may be compromised by this technique.

I’ve noticed that the polarity on my ringer is reversed, and that the ringer is a near perfect microphone.

There are no other alterations to the telephone except the polarity change. (No extraneous ciruitary).

I purchased a CPM700 checked the line for presence of VLF carrier current signals and RF emission. I found nothing.

Is it possible that phone is transmitting low power VLF that is lower than the CPM700 sensitivity?
Would anyone like to see pictures of the phone?

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.