Electronic devices can be surprisingly leaky, often spraying out information for anyone close by to receive. [Docter Cube] has found another such leak, this time with the speakers in iPhones. While repairing an old AM radio and listening to a podcast on his iPhone, he discovered that the radio was receiving audio the from his iPhone when tuned to 950-970kHz.
[Docter Cube] states that he was able to receive the audio signal up to 20 feet away. A number of people responded to the tweet with video and test results from different phones. It appears that iPhones 7 to 10 are affected, and there is at least one report for a Motorola Android phone. The amplifier circuit of the speaker appears to be the most likely culprit, with some reports saying that the volume setting had a big impact. With the short range the security risk should be minor, although we would be interested to see the results of testing with higher gain antennas. It is also likely that the emission levels still fall within FCC Part 15 limits.
I've confirmed this on an 8 non-pro AND discovered that when you're around 960 KHz you ALSO can detect the haptic clicks! I am suspecting that they are running a class D amp with the PWM at 960 KHz, which would be 20x 48khz-right on the mark for a class D amp. Video demo of both. pic.twitter.com/EbodZS11kB
— iCarly Shinji (@jonny290) September 3, 2020
The phenomenon of electronics leaking unintended information in magnetic waves has been knows since WW2, and it even has a codename, TEMPEST. If you want to learn more about it and do some experimentation, there are a number of open source software toolkits you can play with.
38 thoughts on “Listening To An IPhone With AM Radio”
Ehhhmmm… “With the short range the security risk should be minor, although we would be interested to see the results of testing with higher gain antennas.”
What has security got to do with it? Why is security an issue? This is about a device generating radio signals of such a strength that it interferes with the functionality of other devices! Considering the cost of the products from this fruity brand, you would expect that they delivered a quality product that under all circumstances compliant with the RF regulations.
Security, is an illusion.
We live in a world where many application or website ask you if it should remember the entered password, so you don’t have to type your password ever again, how is that secure? Although while entering we can hardly see what we type because we only see dot for every entered character.
Hackaday features projects that require users to enter their current status, so everyone you know and others can see that your at the toilet or making a sandwich.
For some reason people don’t like anymore to hold their phone to their ears, many are talking to their phone on hadnfree modes letting everyone in their surrounding hear the conversation (while holding the phone as a sort of dripping plate underneath their chin ?!?!).
But could we at least keep the RF spectrum clear of undesirable noise?
Um, the regulations don’t say that electronic devices have to be entirely RF silent – that is physically impossible. It *does* however require that intended and unintended emissions are within certain limits.
Just because you can get arbitrarily close or arbitrarily sensitive with your receiver doesn’t mean the device is breaking the emission limits. Having the radio detect a quiet signal in an EMPTY part of the band isn’t “interfering with the functionality of the device”. Picking up signals IS the functionality of the radio!
And even the weakest commercial transmitter is going to easily swamp the iPhone out.
Hi Pelrum, you are correct. Although a strong (legal) transmitter from a long distance can be weaker then an (illegal) weak transmitter at close distance. Now I was a bit harsh in my judgement, because it might still be the case that the IPhone is within legal limits. I got a bit carried away there. My mistake.
Within legal limits or not, it still doesn’t exactly scream “high quality design” when your iPhone is belching RF noise that can be picked up by an AM radio 20 feet away.
A high gain antenna at 960 kHz it’s several football fields in size. That may be a Little bit conspicuous to carry around with your RTL dongle.
We’ve covered tuned loop antennae here. They can have quite a bit of gain at the tuned freq. With a two foot loop one could walk around and DF out these leaky phones even in bags or pockets.
A phased array can be high gain and small, by combining a large number of small directional inefficient aerials into a single unit.
You’ll need to use electrical tuning (LC tuner) to make the small antennas work well, but it can be done.
you are holding it wrong
I discovered a similar issue with my laptop leaking audio from the (disabled) mic on RF while playing around with a cheap SDR dongle (although it may be due to grounding issues since the SDR was connected to that same laptop)
We used to have an FM radio in the machine room, listening to the activity of the mainframe. We could quickly tell if it hit a machine trap during testing without having to watch the lights all the time.
So, if one was using earbuds on an iPhone (one of those with an earphone jack), would someone with an AM radio be able to listen in?
That’s an interesting question! I’m curious as to whether the headphone cable would act like a transmit antenna, or if the connection to common would prevent the phenomenon from the article. I’d predict the audio would have to be set at teenage angst volumes to generate enough of an RF amplitude, and the specific length of the headphone cable might be relevant here.
” I’m curious as to whether the headphone cable would act like a transmit antenna, or if the connection to common would prevent the phenomenon from the article. I’d predict the audio would have to be set at teenage angst volumes to generate enough of an RF amplitude, and the specific length of the headphone cable might be relevant here. ”
Not for medium-frequency AM radio (carrier freq 0.5 to 1.7 MHz). The VLF (under 30kHz) at the audio frequencies of the current passing through the wires might modulate the detector in an AM radio if very close. And the cable length is very important for VLF, as the wave length is on the order of thousands or tens of thousands of meters. So the length as an antenna would be electrically very short.
Which one of us is the One True Brian?
“Which one of us is the One True Brian?”
Depending on the design, the carrier of the RF may be mostly independent of audio level.
A lot of devices give off quite a lot of information like this, and when it is used to hack the devices it’s called a side channel attack. It is possible to use either a software defined radio or an AM radio plugged into a recorder to find out what RSA key is being typed into a nearby laptop. https://link.springer.com/chapter/10.1007/978-3-662-48324-4_11
Smells like an intermediate product of a sigma-delta DAC.
Might also be a case of Class D amplifier (for speaker) PWM harmonics.
Before you emit erroneous stuff [pun intended], please reference 47 CFR 15.209 (intentional radiated emissions limits for stuff not under part 18). Although, if not considered a radio circuit, there are times where the EMC report references the unintentional limits per 47CFR15.109, where this frequency range of emissions is not considered.
The measurement distance for this frequency range is 30m, so past the near field transition point.
Compliance engineering is a bizarre and unholy combination of statute and admin law, physics, chemistry, and hubris. It is best left to a writer that knows the subject.
When I got my first old Nokia brick, I discovered, purely by accident, that an AM radio would make a noise about five or ten seconds before a text message arrived. I subsequently made myself a circuit to hone the idea. I amplified the signal enough to not only power a speaker but also a few LEDs. It worked pretty well considering it was made from old bits of television and VCR :D
At some point, that became a known “feature” of GSM; I remember commercial versions of your hack sold as phone charms — little LED bobs hanging off the then-ubiquitous straps.
Oh I remember those !
A good AM radio is surprisingly sensitive. It wouldn’t surprise me that this is totally legal emi…
Doing the same thing with a pocket calculator has been a party trick since the 1970s. The fact that portable devices packed with radio emitters and high-frequency electronics emit noise in the AM band doesn’t strike me as a huge surprise.
The suggestion that the class-D amplifier is the source is mildly interesting, but the text above seems to be making an effort to turn a minor curiosity into an excuse to push the FUD button.
There might be a market for Tempest security grade smartphones but for one overwhelming problem. Shielding emissions does not work with a device that has to send and/or receive cellular, WiFi, Bluetooth and GPS signals. It has to leak like a sieve.
I wonder if this but might become a feature if used to play podcasts through a car AM radio.
Intrigued, I tried testing this with the little emergency radio I had lying around and my LG Q7+. I couldn’t get audio to pick up, though with the radio quite close to the phone — under 3cm — there was a lot of noise that eased back when the radio moved away. Now, that’s no surprise; an AM radio will often pick up anything radiating.
What _did_ work to pick up audio playing on the phone — still at very close range — was my homebrew Elektrosluch. Hackaday covered this back in 2014 ( https://hackaday.com/2014/03/12/build-your-own-elektrosluch-2-and-save-e45/ ); I built mine on stripboard from the Elektrosluch 3 schematics on their github ( https://github.com/LOM-instruments ). It’s just an amplified receiving coil, doubled for stereo; they market it to electronic musicians and sound designers. It’ll pick up all kinds of electromagnetic emissions.
(I used what I had lying around from an old Radio Shack parts assortment; I subbed in a TL082, left off the volume pot, and I think the prewound coils are slightly different values. I crammed the guts into a neon orange curvy plastic container from an old first aid kit, made I think in the era where every industrial designer was aping the original iMac, all dayglow translucent plastic.)
At any rate, I got soft and noisy, but recognizable, audio by slapping one of the coils against the headphone jack, with the phone volume on full. I’m gonna conclude that my phone isn’t shedding enough for random people to eavesdrop on my podcast listening.
Hi folks, jonny290 (the video poster in the tweet) here. Very excited to see this hit hackaday. I’ve done some further tests:
Airpods pro: zero signal.
Wired Lightning earbuds: zero signal. I suspect there’s actually a tiny DAC in the Lightning plug to drive the wired Apple earbuds that does not have a similar class D amp, but cannot say for sure.
Wired 3.5mm headset via Lightning to 3.5 adapter: zero signal. Same theory as the Lightning earbuds.
My big concern isn’t interference or unintentional radiation, it’s pure security. Imagine picking up some nice comfy high-back chairs for a conference room and sinking loop antennas into the upper parts of the chair back. Now invite a ‘competitor’ for a meeting and leave them alone in the room to make some phone calls not on speakerphone, not realizing that you have access to the earpiece audio on their phone. Huge corp espionage potential with this.
So far a good countermeasure to this seems to be to stick to Airpods or plug-in headsets. I do not think the iPhones that are old enough to have native 3.5mm jacks are running this type of amplifier, but I might dig out my old iPhone 5 to see.
Have fun snooping!
Thanks for info and video! I was also thinking that listening devices could possibly exploit this. Would really like to see what range you can get with a simple AM loop antenna
TEMPEST is an acronym, not a codename. Many burglar alarm systems throw off easily detectable noise in the AM band.
Way back in the TRS-80 model one days I used to play music with it by using timing loops.. any AM radio within 30 ft would pick it up..
Anything that used the cassette output to play music played quite well on an AM radio instead, aside from the background hiss of the CPU doing its thing, because the timing loops were already right. I also once converted a junk AM radio into a speaker amplifier to use with my Model I, which sort of turned the trick upside-down.
It was this problem…and FCC part 15, that killed the model 1.
My first comment apparently got eaten.
In my testing, with my LG Q7+, I couldn’t get playing audio on an AM radio, but I did get a lot of noise at very close ranges (under, say, 3in/70mm). I did manage to listen in, faintly, with an Elektrosluch. Hackaday covered this gadget back in 2014; the inventor open-sourced the design and did a Weekend Project for MAKE on it a while back. I built one from the github schematics and junk bin components — it’s pretty much just two amplified receiving coils, set up so you get a stereo effect, so you can listen to or record electromagnetic waves. It’s fun for finding bleeps, squawks, and drones; anything with a rotating magnet or an oscillator is particularly good.
My first computer, a Proc Tech Sol, had a Star trek game that generated its sound effects when you put a AM radio close to the computer.
Just now figuring this out? I could tell when people were getting text messages over voice chat while playing COD back in the day thanks to the beeps and boops.
I’m thinking about doing a bit of an experiment here. By connecting to a publicly shared remote SDR radio, can I listen to this range and by chance, intercept audio from an Apple device? I’ll give it a go with KIWI SDR and see if this amounts to anything.
Curiously, the intermediate frequency of medium-wave AM radios (superheterodyne receiver) is 455 kHz
Please be kind and respectful to help make the comments section excellent. (Comment Policy)