Listening To An IPhone With AM Radio

Electronic devices can be surprisingly leaky, often spraying out information for anyone close by to receive. [Docter Cube] has found another such leak, this time with the speakers in iPhones. While repairing an old AM radio and listening to a podcast on his iPhone, he discovered that the radio was receiving the audio from his iPhone when tuned to 950-970kHz.

[Docter Cube] states that he was able to receive the audio signal up to 20 feet away. A number of people responded to the tweet with video and test results from different phones. It appears that iPhones 7 to 10 are affected, and there is at least one report for a Motorola Android phone. The amplifier circuit of the speaker appears to be the most likely culprit, with some reports saying that the volume setting had a big impact. With the short range the security risk should be minor, although we would be interested to see the results of testing with higher gain antennas. It is also likely that the emission levels still fall within FCC Part 15 limits.

 

The phenomenon of electronics leaking unintended information in magnetic waves has been known since WW2, and it even has a codename, TEMPEST. If you want to learn more about it and do some experimentation, there are a number of open source software toolkits you can play with.
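A self-test for your own handset, as an added example that is not part of the original article: play a known test tone on the phone, capture complex baseband IQ from an SDR tuned inside the 950-970kHz range, envelope-detect it the way an AM radio does, and check whether the tone stands out of the noise floor. The 1 kHz tone, the 8 kHz sample rate, the reference bins and the 15 dB threshold are assumptions, and the capture here is synthetic (constructed) so the script runs offline.

```python
import cmath, math, random

def goertzel_power(samples, fs, freq):
    """Power of real `samples` at `freq` Hz (Goertzel recurrence)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / fs)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def envelope(iq):
    """What an AM detector outputs: |IQ| with the carrier (DC) level removed."""
    mag = [abs(z) for z in iq]
    mean = sum(mag) / len(mag)
    return [m - mean for m in mag]

REF_HZ = (400.0, 600.0, 800.0, 1200.0, 1400.0, 1600.0)  # assumed quiet bins

def tone_leak_db(iq, fs, tone_hz):
    """dB ratio of envelope power at the test tone to the mean reference power."""
    env = envelope(iq)
    p_tone = goertzel_power(env, fs, tone_hz)
    p_ref = sum(goertzel_power(env, fs, f) for f in REF_HZ) / len(REF_HZ)
    return 10.0 * math.log10(p_tone / p_ref)

def leaks(iq, fs, tone_hz, threshold_db=15.0):
    """True when the test tone stands out of the noise floor by threshold_db."""
    return tone_leak_db(iq, fs, tone_hz) > threshold_db

def synth_capture(fs, n, tone_hz, depth, noise, seed=1):
    """Constructed capture: off-tuned carrier, AM depth `depth`, Gaussian noise."""
    rng = random.Random(seed)
    iq = []
    for k in range(n):
        t = k / fs
        amp = 1.0 + depth * math.sin(2.0 * math.pi * tone_hz * t)
        carrier = cmath.exp(2j * math.pi * 150.0 * t)  # 150 Hz tuning error
        iq.append(amp * carrier + complex(rng.gauss(0, noise), rng.gauss(0, noise)))
    return iq

if __name__ == "__main__":
    FS, N, TONE = 8000, 8000, 1000.0  # 1 s of samples, 1 kHz test tone
    for label, depth in (("speaker playing tone", 0.2), ("speaker muted", 0.0)):
        cap = synth_capture(FS, N, TONE, depth, noise=0.05)
        print(f"{label}: {tone_leak_db(cap, FS, TONE):.1f} dB, leak={leaks(cap, FS, TONE)}")
```

With a real capture, replace `synth_capture` with samples read from the SDR and repeat the measurement at several distances and volume settings to see where the tone drops back into the noise.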

39 thoughts on “Listening To An IPhone With AM Radio”

  1. Ehhhmmm… “With the short range the security risk should be minor, although we would be interested to see the results of testing with higher gain antennas.”
    What has security got to do with it? Why is security an issue? This is about a device generating radio signals of such a strength that it interferes with the functionality of other devices! Considering the cost of the products from this fruity brand, you would expect that they delivered a quality product that is under all circumstances compliant with the RF regulations.

    Security is an illusion.
    We live in a world where many applications or websites ask you if they should remember the entered password, so you don’t have to type your password ever again, how is that secure? Although while entering we can hardly see what we type because we only see a dot for every entered character.
    Hackaday features projects that require users to enter their current status, so everyone you know and others can see that you’re at the toilet or making a sandwich.
    For some reason people don’t like anymore to hold their phone to their ears, many are talking to their phone on handsfree modes letting everyone in their surrounding hear the conversation (while holding the phone as a sort of dripping plate underneath their chin ?!?!).

    But could we at least keep the RF spectrum clear of undesirable noise?

    1. Um, the regulations don’t say that electronic devices have to be entirely RF silent – that is physically impossible. It *does* however require that intended and unintended emissions are within certain limits.

      Just because you can get arbitrarily close or arbitrarily sensitive with your receiver doesn’t mean the device is breaking the emission limits. Having the radio detect a quiet signal in an EMPTY part of the band isn’t “interfering with the functionality of the device”. Picking up signals IS the functionality of the radio!

      And even the weakest commercial transmitter is going to easily swamp the iPhone out.

      1. Hi Pelrum, you are correct. Although a strong (legal) transmitter from a long distance can be weaker than an (illegal) weak transmitter at close distance. Now I was a bit harsh in my judgement, because it might still be the case that the IPhone is within legal limits. I got a bit carried away there. My mistake.

    2. Security is not an illusion, it’s also not a singular goal but rather a tradeoff of risks and (in)conveniences.

      You are correct in your assessment of undesirable noise, but as others have said, this can still occur even when within FCC limits.

      Touching on your security points though:
      “We live in a world where many application or website ask you if it should remember the entered password, so you don’t have to type your password ever again, how is that secure?” It is, or it isn’t depending on your security risks. For most of the userbase, it’s secure enough and is very convenient. A browser password vault is pretty well protected from being grabbed remotely and is more secure than an easy to guess password. An easy to guess password could be guessed by many people, whereas a complex password that your browser remembers is harder to guess, more computationally difficult to brute force, and can only easily be obtained by getting a hold of your computer. Not impossible, but less of a risk. The in-browser password vault is not-so-secure for people who are at high risk of being targeted. For that, there are other ways to securely store passwords or authenticate the user.

      “For some reason people don’t like anymore to hold their phone to their ears, many are talking to their phone on handsfree modes letting everyone in their surrounding hear the conversation” Just like above, it depends on your security risks. If you’re talking about your offspring’s latest bout of intestinal issues, most people don’t care if others listen in. (There may still be leaks of PII, doctor’s name, baby-sitter, etc. that go out there that people don’t realize) Again, for people that might be targeted, they don’t talk about sensitive topics in public. However, being able to listen in at a distance due to a flaw like this could compromise someone who has a higher requirement of security.

      As I said, security is a tradeoff. For example, no mechanical lock is preventative of all intrusion. Even if there were one, and it was on your front door, the window is a faster target. The lock is secure in that it dissuades entry because it’s highly inconvenient. The window is secure in that if it’s broken, it doesn’t go back together and is now proof of intrusion. A cheap lock picked in 5 seconds with a pick gun can be reset, leaving no readily visible traces of intrusion without any dissuasion of entry.

      Just because someone has nothing to hide, doesn’t mean they should be okay with broadcasting personal details to the world if they don’t want to.

    1. We’ve covered tuned loop antennae here. They can have quite a bit of gain at the tuned freq. With a two foot loop one could walk around and DF out these leaky phones even in bags or pockets.

    2. A phased array can be high gain and small, by combining a large number of small directional inefficient aerials into a single unit.

      You’ll need to use electrical tuning (LC tuner) to make the small antennas work well, but it can be done.

  2. I discovered a similar issue with my laptop leaking audio from the (disabled) mic on RF while playing around with a cheap SDR dongle (although it may be due to grounding issues since the SDR was connected to that same laptop)

  3. We used to have an FM radio in the machine room, listening to the activity of the mainframe. We could quickly tell if it hit a machine trap during testing without having to watch the lights all the time.

    1. That’s an interesting question! I’m curious as to whether the headphone cable would act like a transmit antenna, or if the connection to common would prevent the phenomenon from the article. I’d predict the audio would have to be set at teenage angst volumes to generate enough of an RF amplitude, and the specific length of the headphone cable might be relevant here.

      1. ” I’m curious as to whether the headphone cable would act like a transmit antenna, or if the connection to common would prevent the phenomenon from the article. I’d predict the audio would have to be set at teenage angst volumes to generate enough of an RF amplitude, and the specific length of the headphone cable might be relevant here. ”

        Not for medium-frequency AM radio (carrier freq 0.5 to 1.7 MHz). The VLF (under 30kHz) at the audio frequencies of the current passing through the wires might modulate the detector in an AM radio if very close. And the cable length is very important for VLF, as the wave length is on the order of thousands or tens of thousands of meters. So the length as an antenna would be electrically very short.

        Which one of us is the One True Brian?

  4. Before you emit erroneous stuff [pun intended], please reference 47 CFR 15.209 (intentional radiated emissions limits for stuff not under part 18). Although, if not considered a radio circuit, there are times where the EMC report references the unintentional limits per 47CFR15.109, where this frequency range of emissions is not considered.

    The measurement distance for this frequency range is 30m, so past the near field transition point.

    Compliance engineering is a bizarre and unholy combination of statute and admin law, physics, chemistry, and hubris. It is best left to a writer that knows the subject.

    1. When I got my first old Nokia brick, I discovered, purely by accident, that an AM radio would make a noise about five or ten seconds before a text message arrived. I subsequently made myself a circuit to hone the idea. I amplified the signal enough to not only power a speaker but also a few LEDs. It worked pretty well considering it was made from old bits of television and VCR :D

      1. At some point, that became a known “feature” of GSM; I remember commercial versions of your hack sold as phone charms — little LED bobs hanging off the then-ubiquitous straps.

  5. Doing the same thing with a pocket calculator has been a party trick since the 1970s. The fact that portable devices packed with radio emitters and high-frequency electronics emit noise in the AM band doesn’t strike me as a huge surprise.

    The suggestion that the class-D amplifier is the source is mildly interesting, but the text above seems to be making an effort to turn a minor curiosity into an excuse to push the FUD button.

  6. Intrigued, I tried testing this with the little emergency radio I had lying around and my LG Q7+. I couldn’t get audio to pick up, though with the radio quite close to the phone — under 3cm — there was a lot of noise that eased back when the radio moved away. Now, that’s no surprise; an AM radio will often pick up anything radiating.

    What _did_ work to pick up audio playing on the phone — still at very close range — was my homebrew Elektrosluch. Hackaday covered this back in 2014 ( https://hackaday.com/2014/03/12/build-your-own-elektrosluch-2-and-save-e45/ ); I built mine on stripboard from the Elektrosluch 3 schematics on their github ( https://github.com/LOM-instruments ). It’s just an amplified receiving coil, doubled for stereo; they market it to electronic musicians and sound designers. It’ll pick up all kinds of electromagnetic emissions.

    (I used what I had lying around from an old Radio Shack parts assortment; I subbed in a TL082, left off the volume pot, and I think the prewound coils are slightly different values. I crammed the guts into a neon orange curvy plastic container from an old first aid kit, made I think in the era where every industrial designer was aping the original iMac, all dayglow translucent plastic.)

    At any rate, I got soft and noisy, but recognizable, audio by slapping one of the coils against the headphone jack, with the phone volume on full. I’m gonna conclude that my phone isn’t shedding enough for random people to eavesdrop on my podcast listening.

  7. Hi folks, jonny290 (the video poster in the tweet) here. Very excited to see this hit hackaday. I’ve done some further tests:

    Airpods pro: zero signal.
    Wired Lightning earbuds: zero signal. I suspect there’s actually a tiny DAC in the Lightning plug to drive the wired Apple earbuds that does not have a similar class D amp, but cannot say for sure.
    Wired 3.5mm headset via Lightning to 3.5 adapter: zero signal. Same theory as the Lightning earbuds.

    My big concern isn’t interference or unintentional radiation, it’s pure security. Imagine picking up some nice comfy high-back chairs for a conference room and sinking loop antennas into the upper parts of the chair back. Now invite a ‘competitor’ for a meeting and leave them alone in the room to make some phone calls not on speakerphone, not realizing that you have access to the earpiece audio on their phone. Huge corp espionage potential with this.

    So far a good countermeasure to this seems to be to stick to Airpods or plug-in headsets. I do not think the iPhones that are old enough to have native 3.5mm jacks are running this type of amplifier, but I might dig out my old iPhone 5 to see.

    Have fun snooping!

    1. Anything that used the cassette output to play music played quite well on an AM radio instead, aside from the background hiss of the CPU doing its thing, because the timing loops were already right. I also once converted a junk AM radio into a speaker amplifier to use with my Model I, which sort of turned the trick upside-down.

  8. My first comment apparently got eaten.

    In my testing, with my LG Q7+, I couldn’t get playing audio on an AM radio, but I did get a lot of noise at very close ranges (under, say, 3in/70mm). I did manage to listen in, faintly, with an Elektrosluch. Hackaday covered this gadget back in 2014; the inventor open-sourced the design and did a Weekend Project for MAKE on it a while back. I built one from the github schematics and junk bin components — it’s pretty much just two amplified receiving coils, set up so you get a stereo effect, so you can listen to or record electromagnetic waves. It’s fun for finding bleeps, squawks, and drones; anything with a rotating magnet or an oscillator is particularly good.

  9. I’m thinking about doing a bit of an experiment here. By connecting to a publicly shared remote SDR radio, can I listen to this range and by chance, intercept audio from an Apple device? I’ll give it a go with KIWI SDR and see if this amounts to anything.
