Telephone Testing Techniques
Detection of telephone taps is a complex process, perhaps even more so than the radio transmitter detection activities described on the radio transmitter detection equipment page.
Telephone testing can be divided into two categories:
POTS testing. POTS is the acronym for Plain Old Telepohone Service. It includes single line phones, fax machines, old style key telephone systems, Centrex type business systems, as well as the telephone service coming into certain small business systems.
Modern business telephone systems and instruments, defined as electronic telephones. These systems use one of two categories of telephones: Digital telephones where all of the telephones communcate wth a PBX via digital bit stream. Or IP based telephone instruments where the phones are connected to the network cabling and communicate through a server rather than a PBX.
TSCM Technical Services uses a variety of testing devices to assure that telephones are free of wiretaps and other eavesdropping modifications.
For general testing, we use an ISA ETA-3A telephone analyzer. This test device measures voltage and current on any wire pair in the telephone cable, does a unitone and multitone tone sweep, has a high voltage pulse, and a built-in high gain audio amplifier. It will detect a number of wire tap techniques including series radio transmitters, drop-out type tape recorder interfaces, hookswitch bypasses, infinity transmitters, and active microphones installed in the phone or connected to its wiring. It is used on both POTS and electronic instruments.
The ETA-3A is also used as an interface for other types of test equipment the can be connected to the telephone line.
One of the most difficult attacks to detect on digital phones is one where the phone has been modified to continue to transmit audio after the handset has been placed back on hook. The audio is converted into data in the telephone for transmission to the PBX. It is hard to detect because only data is detected on the telephone wiring. There is no actual analog room audio. We use a high bandwidth laboratory oscilloscope to analyze the bitstream for indications of room audio.
Telephone wiring can also carry low frequency radio signals, not unlike those transmitted on AC power lines as carrier current transmissions. We use RF detection equipment to test each phone line for this kind of bug.
Wiretaps can be installed outside of the facility being tested. Some types of wiretaps are designed to have no measurable electrical affect so they are nearly impossible to locate with analyzers like the ETA-3A and other voltage and current measuring testers. We use a line analyzer called a Time Domain Reflectometer in instances where the access to the cabling for visual inspection is limited. TDRs are like radar: they indicate what is connected to a line and how far away it is.