34C3: Microphone Bugs

Inspiration can come from many places. When [Veronica Valeros] and [Sebastian Garcia] from the MatesLab Hackerspace in Argentina learned that it took [Ai Weiwei] four years to discover his home had been bugged, they decided to have a closer look into some standard audio surveillance devices. Feeling there’s a shortage of research on the subject inside the community, they took matters in their own hands, and presented the outcome in their Spy vs. Spy: A modern study of microphone bugs operation and detection talk at 34C3. You can find the slides here, and their white paper here.

Focusing their research primarily on FM radio transmitter devices, [Veronica] and [Sebastian] start off with some historical examples, and the development of such devices — nowadays available off-the-shelf for little money. While these devices may be shrugged off as a relic of Soviet era spy fiction and tools of analog times, the easy availability and usage still keeps them relevant today. They conclude their research with a game of Hide and Seek as real life experiment, using regular store-bought transmitters.

An undertaking like this would not be complete without the RTL-SDR dongle, so [Sebastian] developed the Salamandra Spy Microphone Detection Tool as alternative for ready-made detection devices. Using the dongle’s power levels, Salamandra detects and locates the presence of potential transmitters, keeping track of all findings. If you’re interested in some of the earliest and most technologically fascinating covert listening devices, there is no better example than Theremin’s bug.

32 thoughts on “34C3: Microphone Bugs

    1. I think it’s not exactly mentioned in their whitepaper, but basically in the talk they’ve discussed the trade-offs of spyware. Points I remember:
      – many ways of infecting are harder to control (e.g. you can’t predict if or when someone would open your exploited data, that leads to infection with your spyware)
      – spyware won’t always be stationary
      – traces of spyware not always as easy to remove as physical bugs
      – probably some more, that I’ve just forgot…

      In my opinion, the real lesson is to create more awareness on surveillance and that physical bugs are probably less uncommon, than we might expect.

      1. I think he means taking one of those tiny “prison butt-plug phones”*, removing the speaker and modifying the firmware to auto-answer (or just changing a setting to auto-answer).

        *you know the ones marketed as a “Bluetooth earpiece and phone in one” things that are shaped and targeted towards convicted criminals world wide.

        What is missing in the video is that the GSM bug, although would only last 2 hours on batteries… if wired into the mains (AKA “the charger”) behind a plug socket or switch, then it should last theoretically indefinitely, or until either the battery epic-fails or an electrolyte dries out.

  1. Wow, that is impressive and an excellent overview of the 70’s technology. I envision now we need an additional tracker device to make some of the work easier since can be more complicated. That is, once I get my lab set up… like a solar or sound or facial camera tracker for RF basically to help pin point. Maybe mounted on a tri-pod in the middle of a room. Also, with the advanced satellite based or telecom LRAD and/or Active Denial systems… the increased range to detect can be overwhelming seems. Then adding as I’ve found frequency hopping to bring another dimension in, not only the remote/local activation or de-activation.

    Another challenging example is using say a UV or IR flashlight with filters as a relay… if not a laser with such simple COTS components if close range like a TV remote control or wireless range extenders.

    One of the strangest observations I made and forgot to document was when I was staying at a hotel and with an RF Explorer of the wireless signals coming from my power-lines. A lot of 15MHz and others ranges for some reason. So, think… what can be like power line communications in either environmentally ISM masked ranges or other ranges that we are not allowed to transmit on. There are even COTS Wifi range extenders that plug into wall outlets and use power lines communication either to relay and I suspect there are those that can make the power lines emit and receive directly basically turning the powerline into an antenna versus a feed line.

    Great article, excellent brief presentation and work to all involved! The HamItUp Plus really is interesting to look into with the ultrasonic issues. I’m amazed what I’ve found with the Mini-Bat detector. To think and be part of this exposure where a few days after I posted online my observations very crudely being hit and shot at with ultrasound to have really basic released Diplomats recordings is something I never expected.

    We need to keep this momentum up and increasing so like with cybercrimes there are more EMS crimes enforcement operations to take down malicious operations of false pretense, perjurous, malicious intent to destroy out personality and property and worse continuing criminal operations that intend on mass murdering because they are no way leaders, managers, or even supervisor grade of human beings… other than penal/mafia/tribal/gambling colonies that are appearantly revolting. OK… my brain is being jammed with static, noise and interference just writing this. Signing off.

    1. I think I agree with UV (in the window where almost no UV is present at ground level) being hard to detect (or be at least very unexpected) since very dim light levels behind a wavelength selective filter would be necessary. This combined with logging sound to say flash memory, the transfer to the receiver only occuring when woken up by the appropriate UV emitted by the receiver, this way even with the correct UV bug tracking equipment, you need the equipment running all the time in order to detect the occasional unanounced transmission potentially once a month…

  2. OK, thankfully… I complain to all my U.S. Jurisdiction (ok… U.S and State) executive, legislative and somewhat judiciary that I can find is more valid since most are not until you work you’re way up and still can get malfeasant. I do admit, I do happen to have the best, if not one of the best as long as the best in the World stay focused on the worst threats, Cyber Crimes Enforcement Teams on the planet ever know to exist. We’re moving forward with the Electromagnetic Spectrum Crimes Enforcement… vetting valid teams or maybe leaving in the Third Party Auditing model is better???

    So, I’ll deal with the tazing for a few since they’re stinging/modulating/phasing my cardiovascular system here lately and not some much the G.I. tract or groin region.

    I want to share some interesting cultural logic from my breed stock that is more thought provoking. Latin groups do a great job presenting in the news too and with tech also. I’ve never seen presentations other than from Brazil though until this. Awesome. Not as much commercial off the shelf (COTS), though thought provoking to expand that range of EMS potential to be used for certain and like me… we’re focused on “baby steps” which will help the laymen be brought up to level.

    Here is a demonstration by one of my favorite shows, Bang Goes the Theory (they’re a more valid Myth Busters, though Myth Buster’s has stayed neutral with psychic abilities and some controversial subjects… though off with others like the Brown note) regarding Near Infrared (NIR) for use in wireless power transmission so use your imagination for communications like pulse train, heterodyne and more advanced mind control like the presentation and paper notes very subtly (laser in air water vapor) with more like the Theremin device operation and diagram of other laser and focus dish/trough based systems though say on human body signals:

  3. Here is my comment on… I don’t have a demonstration for “talking” and “listening” anything that resonates sympathetically.

    Fans and refrigerators are interesting to study and I need to from a RADINT-RINT coupled with RADINT-COMINT perspective.

    Even the talking house is something else… seems Wisconsin was the last to complain about “earthquakes”… most others clam up around the lake I guess with leading their constitutional republics sanguine projects upper your me chi g an no way are supposed to be locations where MCL 780.972 occur. Way puns. I don’t know what is on the internet to demonstrate. Stormwise has some great antennas as well as some other ELF sites. https://en.wikipedia.org/wiki/Project_Sanguine

    I wonder how Jeri Ellsworth is doing with the Magnet Loop? I’ve been trying to inspire some more magnetic loop antenna teams since some aren’t sure how to RDF the lower range. This is a clue to why the really long dipole antennas with nuclear power plants weren’t required so much. Power lines anyone? I think on the Tesla Tractor Semi-Truck we exposed how much loss is on the lines that we can detect and use.

  4. re: Project Sanguine.
    I can vaguely recall an early 1970’s era magazine (Elementary electronics?) ran an article about “underground radio” (or was it audio?)
    Along with radio frequencies, the author mentioned people supposedly feeding large audio amps into the buried antenna.
    There was also a very simple receiver circuit that was had a part count about like a crystal radio.

      1. Awesome magazine issue in general. Thanks for the link too.

        I forgot about mentioning water pipes and drain pipes.

        Especially if you have a well is something I had never read about. I was more into the Water Company like other Utilities Potential for Brain Trust Assets that are not supposed to be illegal in their operations and are brain damaged trust liabilities. I just can’t stand this juvenile degrade the first world countries down to having to deal with adult looking humanoids that are supposed to be mature… though can’t now because they killed off all the not inbreds that have the capabilities and performance quantitative potential to not be sub-human primate predators most the time at the least if ever most the time. This point is an issue that is ridiculous how in the U.S., society has lowered the standards to juvenile suicidal sexual deviant greedy rotten, rotting everyone they can to death, looking all clean cut, cute, sweet and innocent old cocaine on who knows what addicted to pedophiles that poach in stealth ways.

        Darn, thanks again for sharing. I didn’t think about this as I haven’t tried sensing pipes yet. The worst leaks in the basement were the areas around the water well line coming in. Dad never wanted to connect to the water line and only connected the sewer to the city when they ran it. There is a hydrant, transformer and telephone/cable box in the front yard also. Wondering what’s up with other wells or the new well(s) the City drilled as I notice the water is way worse looking than I ever remember. That’s not counting the pre-Michigan inspection noting higher than should be ornamental banned pesticide I forget what as was on my computer that was stolen that I didn’t backup the data I scanned from then.

        I forget about putting my ear to the ground to hear if something is moving around or coming. Same goes with rail road line communications and listening mechanically with our ear.

        I did focus on draining around the house and installed new drain pipes for the eaves troughs as well as new eaves troughs since they were corroded pretty bad. I am going to lay some corrugated around the poured areas boundaries outside also to the drain field. I wasn’t planning on new pipes in the house… though I can tell there is corrosion and like I said… especially pulverizing the brick and mortar around the well line coming in.

        I guess before Mom got cancer or around that time she was noticing people talking on the phone when she was talking and was obvious as I’d hear “brotherly love” and other comments that hopefully something valid surveillance recorded and if not… unfortunately I didn’t as I was still recovering from the GSW, keeping moving on the road to pump and dump tails into competing communities and other safer areas where I could read and think and not be hacked into so much. However, the power was being hacked into at my parents place also where whomever must have been impedance matching and tuning into the spark gap in the main breaker to cause that to corrode faster than can. I replaced that and drove two new ground rods in the front yard meeting and exceeding code 16 feet across and bridged everything as well as added a line to the gas line that I also find suspicious where I was thinking I can call on just in case to see if they notice anything atypical. Strangely, here… the power company doesn’t like the main meter box grounded. What’s up with that????

        In regards to hacking the power lines to cause corrosion faster in the meter box, at least that is my theory as deadly force trained operators and even the intelligence invasive nuisance inbred species tend to damage whatever they can since they can’t stay focused on stealing, copying and returning or at least gathering information such as image intelligence to copy or document as originally designed in training. They become far more dangerous as typical primate predators from mafia herds of wild animals like pan troglodyte or worse who can’t restrain themselves and/or others more civilized, and advanced domesticated human complex being that can’t imagine that dangerous, restrain them and forget to lethal force prosecute the butchers that two faced back stab pulverize whatever they can to a incinerated or whatever mess they hope no one finds.

        Man, I can’t believe I totally wasn’t thinking about the underground pipes down to the well water, water table! Thanks again!.

        1. Edit: Foggy minded a little with a weird chest feeling… In regards to “…exceeding code 16 feet…” change “…across…” to “…apart…”

          Also in regards to “…hacking the power lines to cause corrosion faster in the…” change “…meter…” to “…main breaker in the panel….” There may be something to the meter box also corroding or being manipulated that the power company is aware of. I do not know.

        2. Does look like a new water pressure tank was installed, a new pressure switch (though I think I recall when I sealed the south side of the house in high school and ran drain line around the footing changing the pressure switch too since I poured a basin wall around the tank since was leaking a little) and a new pump motor. Makes sense to sense now, no pun intended. Man, I’m getting emotionally magnified.

      2. actually I found the Forrest Mims infrared voice transceiver on page 29 more interesting and probably more relevent as its one of the cheap/DIY methods you could use that a SDR would not detect.

        1. I relevant for that range. I was wondering if they’re using UV or higher frequency systems also since might be even higher resolution. Though did seem to get intense with the sound, mind and body assaults just prior to me going public with my NIR research if that is related. http://www.americanlaboratory.com/1413-Issues/37116-October-2008/

          I think there is something more local related though and that may have inspired even worse maybe even Fire Department DHS operations desperate to look official and not really required so much since based on my Fire related training at Perrigo with Nuclear Power Plant Security and Fire Personnel. People are the cause of fires is what I was told… so that was my eye opening moment into corruption around 2001.

          Also, when getting into caregiving after Dad had the what I don’t think like with Mom was really cancer, cancer… around later than October 2009 (I’m thinking there are alibi’s created too regarding cult holidays or dates to look suspicious or something too like a more complex Religious Terrorist Cult Ritualistic Crimes thing)… I was introduced to the Z-Nose SAW systems and thinking I can invest in one of those to perform chemical purity and impurities testing more mobile with needed something bench base station related to calibrate against. That was when the torture got overwhelmingly intense where I ultimately was shot Jan. 21st 2013 (cult inauguration date). Dad died on Easter Sunday 2015, Grand Aunt died on the Summer Solstice 2011 and there are other dates where deaths look like some sort of cult holiday with my relatives and others also. Just prior to being “terminated” based on false pretense and fabricated.claims without any training or anything to correct or prevent what was claimed (which is illegal and reasonably suspicious also), an AKPsi fraternity brother (Mike Hall) living in Holland Mi also died suspiciously of an aortic aneurysm the week before. I was later found to have benzodiazapine, barbituates and suspected quinolines in my system around the time my Grand Aunt died though on a strange hot summer day prior to the 4th of July where I recall seeing someone that looked sort of like her at the funeral of Mike Hall noting that Mike and his father has something that was hereditary since he had issues also. Well, Mike was adopted. So there are doppel ganger issues as well as I had identity theft happen to me living in Holland. I mean this has been a mess. Hard to stay focused. I need to take a break again and go clean. Emotionally magnified moment.

          1. Darn it, forgot to edit. Replace “I” with “is”

            I forgot to mention, I picked up a GQ 320 Plus meter and was using that with the RTL-SDR, SDR# and Spectrum Lab v2.91with a microsoft lifecam around 2016 this time of year and was noticing 820MHz with a TETRA look signal hopping +/- 10MHz correlating with the audio I could see though guess the sampling rate was causing the replays of what was recorded in the audio range to not be audible. I haven’t found again though haven’t dedicated time to sweep either. This was at the former Value Place hotel in Holland, Mi. They’ve since changed their name.

            I like using the Spektrum application also since not all the python dependables required and you can scan a broader range. I need to look into the code and see if I can expand out past ~2GHz as there is a limit so if you have a HackRF might not work, though makes sense so you don’t burn out the RTL since they overheat at higher frequencies and need like a video card heat sink and/or fan to help keep the case (hopefully aluminum) cool. I like what they’re doing above… though need to read into the code first before using.

    1. K1nd4: Wrong, other than when I need reminders since I do forget and I do like to use references that do involve Google keyword searches typically. At the time I was still experiencing more electronic assaults more-so than now, so I wasn’t doing such a good job at editing.

      First off… read after the HaD article under the advertisement, before the thought or comments regarding the article. The comment section is explicitly titled, with the number of thoughts preceding, “THOUGHTS ON “34C3: MICROPHONE BUGS””

      This is the same WordPress I’m guessing format for all the articles. I’ve dealt with bugs, electronic surveillance, technical surveillance and more advanced electronic warfare related weapons since the U.S. President Clinton administration. I’ve also worked performing AR&D and Quality Systems classical and alternate related methods development as well as the whole systems development life cycle (SDLC) for basically hardware, software, documentation, methods, training and up to site plant master validation plans. I’ve done corrective action and preventative action investigations as well as out of specification investigations in regulated industry with the DHHS, DOJ and DHS potentially over my shoulder or working with me even training them in some systems.

      Then I got thrown out into the World of more DOJ & DHS civil servant on down knightmare not well disclosed systems and am trying to advocate awareness about the article and other issues that are more advanced alternate methods and systems that do in fact exist in a more “non official use” capacity and need to be disclosed to the public.

      For instance… would you want a sniper shooting at you whenever they want with lasers, masers, or you name it remote sensing & transmission tech that can go undetected if not one tries to learn about what is to be detected???

      Therefore, I have plenty of thoughts I like to share. That is all. What do you do to contribute?

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.