34th Chaos Communication Congress

»Spy vs. Spy: A Modern Study Of Microphone Bugs Operation And Detection«
2017-12-28, 14:15–15:15, Saal Borg

In 2015, artist Ai Weiwei was bugged in his home, presumably by government actors. This situation raised our awareness on the lack of research in our community about operating and detecting spying microphones. Our biggest concern was that most of the knowledge came from fictional movies. Therefore, we performed a deep study on the state-of-the-art of microphone bugs, their characteristics, features and pitfalls. It included real life experiments trying to bug ourselves and trying to detect the hidden mics. Given the lack of open detection tools, we developed a free software SDR-based program, called Salamandra, to detect and locate hidden microphones in a room. After more than 120 experiments we concluded that placing mics correctly and listening is not an easy task, but it has a huge payoff when it works. Also, most mics can be detected easily with the correct tools (with some exceptions on GSM mics). In our experiments the average time to locate the mics in a room was 15 minutes. Locating mics is the novel feature of Salamandra, which is released to the public with this work. We hope that our study raises awareness on the possibility of being bugged by a powerful actor and the countermeasure tools available for our protection.

Most of what the general public knows about microphones bugs comes from movies and other fictional sources, which usually is far from real. An example of these inaccuracies is the public speculation made by the Counselor of the United States President, Kellyanne Conway, who expressed that a microwave oven can spy as a camera; the answer is NO, as refuted in article by WIRED. The current literature about microphones bugs is disturbingly scarce, leaving most people to believe the myths distributed by the media. One of the goals of this work is to debunk the fictional beliefs around mics bugs by performing a thorough study and real life experiments with them. This paper is divided into three phases. First, we perform a survey of the state-of-the-art of mic bugs and their characteristics. Second, we develop our own free software detection tool, called Salamandra. Third, we perform several real life experiments on placing and detecting bugs to examine how difficult it was. Finally, we conclude with a thorough analysis of our experience. The first phase makes a deep survey of all the civilian-accessible microphone bugs. It takes into account physical characteristics, frequencies, transmission modes, battery options, operational lifetime, operational listening distance, easiness of listening by the operator, advantages & disadvantages, configurations if any, and easiness of detection by various means. The end goal of the first phase is to show the difficulty in using microphone bugs. The second phase presents our free software, SDR-based tool to detect hidden microphones called Salamandra. Although a professional microphone search usually requires more complex hardware, we show that a simple SDR USB device and our tool can be used to detect the mic bugs accurately. Moreover, Salamandra has a novel location feature to find mics quickly; a feature that is not available in most commercial detectors. The two most important limitations of the hardware detection solutions are their false detection of mics and their false positive detections of ghost mics. Salamandra uses several novel techniques to detect mics by taking advantage of its execution in a computer, including continuous discovery and location of mics. The third phase consists in a group of offensive/defensive experiments on placing and detecting bugs in real life. While one of the researchers places the mics and tries to listen to meaningful spoken passwords, the other runs Salamandra to try to know if there was a mic and where. These real life experiments shone light about the difficulty of placing mics and how easy is to find them. As far as we know this work is one of the few on the topic of analyzing the real performance of placing and detecting spying microphones. The main contributions of this paper are: • As far as we know, the first scientific research on the topic of real life spy microphones. • A novel free software SDR-based detection tool to locate microphone bugs, called Salamandra. A tool trained with real experiments. • The first comparison of mic bugs characteristics, ranges and performance, based on field experiments in real life scenarios. • The first experiments of real-life placing and detection of mics to analyze their performance, quality and time to detection. • The first analysis of spy mics audio quality and improvement.