Found at: 0x1bi.net:70/textfiles/file?hamradio/cordpriv.txt

This file may also be known as wombat file #01, or wombat01 if I ever bother to
type/write something else.  \/\/ombat

This file is a work of fiction.  Everything in it is fictitious.
Any resemblance to persons living or dead, magazines, companies, products,
trademarks, copyrights, or anything else in the real world is purely
coincidental, and you should see a shrink about your over-active imagination
if you think otherwise.

                         - \/\/ O M B A T -

               Cordless Telephones: Bye Bye Privacy!

                   by Tom Kneitel, K2AES, Editor
A Boon to Eavesdroppers, Cordless Phones Are as Private as Conversing in an 
Elevator.  You'll Never Guess Who's Listening In!

(originally published in Popular Communications, June 1991)

  OK, so it took a while, but now you've accepted the fact that your cellular 
phone conversations can easily be overheard by the public at large.  Now you 
can begin wrestling with the notion that there are many more scanners in the 
hands of the public that can listen to cordless telephone calls than can tune 
in on cellulars.

  Monitoring cellular calls requires the listener to own equipment capable of 
picking up signals in the 800 to 900 MHz frequency range.  Not all scanners 
can receive this band, so unless the scannist wants to purchase a new scanner, 
or a converter covering those frequencies, [see February and March issues of 
Radio-Electronics for a converter project -\/\/ombat-] they can't tune in on
cellular calls.  And let's not forget that it's a violation of federal law to 
monitor cellular conversations.  Not that there seems to be any practical way 
yet devised to enforce that law, nor does the U.S. Dept. of Justice appear to 
be especially interested in trying.

  On the other hand, cordless telephones operate with their base pedestals in 
the 46 MHz band, and the handsets in the 49 MHz band.  Virtually every scanner 
ever built can pick up these frequencies with ease.  Cordless telephones are 
usually presented to the public as having ranges up to 1,000 feet, but that 
requires some clarification.  That distance represents the reliable two-way 
communications range that can be expected between the handset and the 
pedestal, given their small inefficient receivers and antennas, and that they 
are both being used at ground level.

  In fact, even given those conditions, 1,000 feet of range is far more 
coverage than necessary for the average apartment or house and yard.  Consider 
that 1,000 feet is a big distance.  It's almost one-fifth of a mile.  It's the 
height of a 100-story skyscraper.  The Chrysler Building, third tallest 
building in New York City, is about 1,000 feet high; so is the First 
Interstate World Center, tallest building in Los Angeles.  When someone uses a 
sensitive scanner connected to an efficient antenna mounted above ground 
level, the signals from the average 46 MHz cordless phone base pedestal unit 
(which broadcasts both sides of all conversations) can often be monitored from 
several miles away, and in all directions.

  Some deluxe cordless phones are a snoop's delight.  Like the beautiful 
Panasonic KX-T4000.  Its range is described as "up to 1,000 feet from the 
phone's base," however the manufacturer brags that "range may exceed 1,000 
feet depending upon operating conditions."  When you stop to think about it, 
what at first seems like a boast is really a somewhat harmless sounding way 
of warning you that someone could monitor the unit from an unspecified great 
distance.  In fact, just about all standard cordless phones exceed their rated 
ranges.  But the KX-T4000's main bonus and challenge to the snoop is that it 
can operate on ten different frequencies instead of only a single frequency.  
The BellSouth Products Southwind 170 cordless phone suggests a range of up to 
1,500 feet, depending on location and operating conditions.  The ten-channel 
Sony SPP-1508 has a built-in auto-scan system to select the clearest channels.

  What with millions of scanners in the hands of the public, a cordless 
telephone in an urban or suburban area could easily be within receiving range 
of dozens of persons owning receiving equipment capable of listening to every 
word said over that phone.  Likewise, every urban or suburban scanner owner 
is most likely to be within receiving range of dozens of cordless telephones.  
Many persons with scanners program their units to search between 46.50 and 
47.00 MHz and do listen.  Some do it casually to pass the time of day, others 
have specific purposes.

Not Covered

  The Electronic Communications Privacy Act of 1986, the federal law that 
supposedly confers privacy to cellular conversations, doesn't cover cordless 
  A year and a half ago, the U.S. Supreme Court wasn't interested in reviewing 
a lower court decision that held that some fellow didn't have any 
"justifiable expectation of privacy" for their cordless phone conversations.  
It seems that man's conversations regarding suspected criminal activity were 
overheard and the police were alerted, which caused the police to investigate 
further and arrest the man after recording more of his cordless phone 

  Yet, even though (at this point) there is no federal law against monitoring 
cordless phones, there are several states with laws that restrict the 
practice.  In New York State, for instance, a state appellate court ruled that
New York's eavesdropping law prohibits the government from intentionally 
tuning in on such conversations.

  California recently passed the Cordless and Cellular Radio Telephone Privacy 
Act (amending Sections 632, 633, 633.5, 634, and 635 of the Penal Code, 
amending Section 1 of Chapter 909 of the Statutes of 1985, and adding Section 
632.6 to the Penal Code) promising to expose an eavesdropper to a $2,500 fine 
and a year in jail in the event he or she gets caught.  Gathering the evidence 
for a conviction may be easier said than done. 

  There may be other areas with similar local restrictions; these are two
that I know about.  Obviously listening to cordless phones in major population 
areas is sufficiently popular to have inspired such legislative action.  There 
are, however, reported to be efforts afoot to pass federal legislation 
forbidding the monitoring of cordless phones as well as baby monitors.  Such 
a law wouldn't stop monitoring, nor could it be enforced.  It would be, like 
the ECPA, just one more piece of glitzy junk legislation to hoodwink the 
public and let the ACLU and well-meaning, know-nothing, starry-eyed privacy 
advocates think they've accomplished something of genuine value.

Strange Calls

  On April 20th, The Press Democrat, of Santa Rosa, Calif., reported that a 
scanner owner had contacted the police in the community of Rohnert Park to say 
that he was overhearing cordless phone conversations concerning sales of 
illegal drugs.  The monitor, code named Zorro by the police, turned over 
thirteen tapes of such conversations made over a two month period.

  Police took along a marijuana-sniffing cocker spaniel when they showed up 
at the suspect's home with a warrant one morning.  Identifying themselves, 
they broke down the door and found a man and a woman, each with a loaded gun.  
They also found a large amount of cash, some cocaine, marijuana, marijuana 
plants, and assorted marijuana cultivating paraphernalia.

  In another example, Newsday, of Long Island, New York, reported in its 
February 10, 1991 edition another tale of beneficial cordless phone 
  It seems a scanner owner heard a cordless phone conversation between three 
youths who were planning a burglary.  First, they said that they were going to 
buy a handheld CB radio so they could take it with them in order to keep in 
contact with the driver of the car, which had a mobile CB rig installed.  
Then, they were going to head over to break into a building that had, until 
recently, been a nightclub.

  The scanner owner notified Suffolk County Police, which staked out the 
closed building.  At 10:30 p.m., the youths appeared and forced their way  
into the premises.  They were immediately arrested and charged with 
third-degree burglary and possession of burglary tools.

  I selected these two examples from the many similar I have on hand because 
they happen to have taken place in states where local laws seek to restrict 
the monitoring of cordless telephones.

  Most of the calls people monitor aren't criminal in nature, but are 
apparently interesting enough to have attracted a growing audience of 
recreational monitors easily willing to live with accusations of their being 
unethical, nosy, busybodies, snoops, voyeurs, and worse.

  As it turns out, recreational monitors are undoubtedly the most harmless 
persons listening in on cordless phone calls.  

They're All Ears

  A newsletter called Privacy Today is put out by Murray Associates, one of 
the more innovative counterintelligence consultants serving business and 
government.  This publication noted (as reported in the mass media) that IRS 
investigators may use scanners to eavesdrop on suspected tax cheats as they 
chat on their cordless phones.

  But, the publication points out that accountants who work out of their homes 
could turn up as prime targets of such monitoring.  Their clients might not 
even realize the accountant is using a cordless phone, and therefore assume 
that they have some degree of privacy.  One accountant suspected of preparing 
fraudulent tax returns could, if monitored, allow the IRS to collect evidence 
on all clients.

  Furthermore, Privacy Today notes that this has ramifications on the IRS 
snitch program (recycle tax cheats for cash).  They say, "Millions of scanner 
owners who previously listened to cordless phones for amusement will now be 
able to do it for profit.  Any incriminating conversation they record can be 
parlayed into cash, legally."

  In fact, in addition to various federal agents and police, there are private 
detectives, industrial spies, insurance investigators, spurned lovers, scam 
artists, burglars, blackmailers, and various others who regularly tune in with 
deliberate intent on cordless telephones in the pursuit of their respective 
callings.  If you saw the film Midnight Run, starring Robert DeNiro, you'll 
recall that the bounty hunter was shown using a handheld scanner to eavesdrop 
on a cordless phone during his effort to track down a fugitive bail jumper.

  No, cordless phone monitoring isn't primarily being done for sport by the 
incurably nosy for the enjoyment and entertainment it can provide.  The 
cordless telephone has been recognized as a viable and even important tool for 
gathering intelligence.

Intelligence Gathering?

  In fact, there are differences between cordless and cellular monitoring.  
When a cellular call is monitored, it's quite difficult to ascertain the 
identity of the caller, and impossible to select a particular person for 
surveillance.  These are mostly portable and mobile units that are passing 
through from other areas, and they're operating on hundreds of different 
channels.  Sometimes the calls cut off right in the middle of a conversation.  
The opportunities for ever hearing the same caller more than once are very 

  Not so with cordless phones.  These units are operated at permanent 
locations in homes, offices, factories, stores.  Most models transmit on only 
one or two specific frequencies, and while a few models can switch to any of
ten channels, that's still a lot fewer places to have to look around than 
scanning through the hundreds of cellular frequencies.  So, with only minor 
effort, it's possible to know which cordless phones in receiving range are 
set up to operate on which channels.  And you continually hear the same 
cordless phone users over a long period of time.  They soon become very 
familiar voices; you might even recognize some of them.

  The diligent, professional intelligence gatherer creates a logbook for each 
of the frequencies in the band, then logs in each cordless phone normally 
monitored using that frequency.  Then, each time a transmission is logged from 
a particular phone, bits and scraps of information can be added to create a 
growing dossier picked up from conversations.  With very little real effort, 
it doesn't take long to assemble an amazing amount of information on all 
cordless phones within monitoring range.

  Think about the information that is inadvertently passed in phone calls that 
would go into such files.  Personal names (first and last) which are easily 
obtained from salutations, calls, and messages left on other people's answering
machines; phone numbers (that people give for callbacks or leave on answering 
machines); addresses; credit card numbers; salary and employment information; 
discussions of health and legal problems; details of legit and shady business 
deals; even information on the hours when people are normally not at home or 
will be out of town, and much more, including the most intimate details of 
their personal lives.  Anybody who stops for a moment to think about all the 
things they say over a cordless telephone over a period of a week or two 
should seriously wonder how many of those things they'd prefer not be 
transmitted by shortwave radio throughout their neighborhood.

  Cordless phone users don't realize that these units don't only broadcast 
the phone calls themselves.  Most units start transmitting the instant the 
handset is activated, and will broadcast anything said to others in the room 
before and while the phone is being dialed, and while the called number is 
ringing.  Using a DTMF tone decoder, it's even possible to learn the numbers 
being called from cordless phones.  [see the classified ads in Popular 
Communications for DTMF decoders; also for books on how to modify scanners to 
restore the cellular frequencies, and more! -\/\/ombat-]

  One private investigator told me that part of an infidelity surveillance he 
just completed included a scanner tuned to someone's cordless phone channel, 
feeding a voice-operated (VOX) tape recorder.  Every day he picked up the old 
tape and started a new one.  The scanner was located in a rented room several 
blocks away from the person whose conversations were being recorded.

Hardware Topics

  Many people are under the impression that the security features included in 
some cordless phones provide some sort of voice scrambling or privacy.  They 
don't do anything of the kind.  All they do is permit the user to set up a 
code so that only his or her own handset can access the pedestal portion of 
his own cordless phone system.  In these days of too few cordless channels, 
neighbors have sometimes ended up with cordless phones operating on the 
identical frequency pair.  That created the problem of making a call and 
accessing your neighbor's dial tone instead of your own, or your handset 
ringing when calls come in on your neighbor's phone.

  The FCC is going to require this feature on all new cordless telephones, but 
it still won't mean that the two neighbors will be able to talk on their 
identical-channel cordless phones simultaneously.  Such situations allow 
neighbors to eavesdrop on one another's calls, even without owning a scanner.  
The FCC is attempting to relieve the common problem of too many cordless 
phones having to share the ten existing base channels in the 46.50 to 47.00 
MHz band.  These frequencies are 46.61, 46.63, 46.67, 46.71, 46.73, 46.77, 
46.83, 46.87, 46.93, and 46.97 MHz.  Each of these frequencies is paired with 
a 49 MHz handset channel.

  Manufacturers are going to be permitted to produce cordless phones with 
channel positions in between the existing ten frequency pairs.  Cordless 
phones will now be permitted operation on these additional offset frequencies 
to relieve the congestion.

  A date for implementing these new frequencies hasn't yet been announced, but 
it should be soon.  The FCC feels that the life expectancy of a cordless phone 
isn't very long, and they'd like these new phones to be ready to go on line as 
the existing phones are ready to be replaced.  The new model phones are going 
to have to also incorporate the dial tone access security encoding feature I 

  Let's hope the new batch of cordless phones is less quirky than some of the 
ones now in use.  We understand that the transmitters of some cordless phones 
switch on for brief periods whenever they detect a sharp increase in the 
sound level, such as laughter, shouting, or a loud voice on the extension 
  Privacy Today tells of the cordless phone that refused to die.  They noted
it was reported that the General Electric System 10 cordless phone, Model 
2-9675, just won't shut up.  It broadcasts phone calls even when they are made 
using regular extension phones!

  As for receiving all of these signals, any scanner will do.  Antennas that 
do an especially good job include 50 MHz (6 meter ham band) omnidirectional 
types, or (secondarily) any scanner antenna designed for reception in the 30 
to 50 MHz range.

  There is a dipole available that is specifically tuned for the 46 to 49 MHz 
band, which you can string up in your attic (or back yard) and get a good shot 
at all signals in the band.  This comes with 50 ft. of RG-6 coaxial cable 
lead-in, plus a BNC connector for hooking to a scanner.  This cordless phone 
monitoring antenna is $49.95 (shipping included to USA, add $5 to Canada) from 
the Cellular Security Group, 4 Gerring Road, Gloucester, MA 01930.  [you can 
build one yourself for much less $; look in the chapter on antennas in the 
ARRL Radio Amateur's Handbook -\/\/ombat-]

  The higher an antenna is mounted for this reception, the better the range 
and reception quality, and the more phones will be heard.

Zip The Lip

  Once you understand the nature of cordless phoning, you should easily be 
able to deal with these useful devices.  Let's face it, it isn't really 
absolutely necessary for all of your conversations to achieve complete 
privacy.  You are perfectly willing to relinquish expectations of 
conversational privacy.  You do it every time you converse in an elevator, a 
restaurant, a store, a waiting room, a theatre, on the street, etc.  You take 
precautions not to say certain things at such times, so you don't feel that 
you are being threatened by having been overheard.  Think of speaking on a 
cordless phone as being in the same category as if you were in a crowded 
elevator, and you'll be just fine.  It's only when a person subscribes to the 
completely erroneous notion that a cordless phone is a secure communications 
device that any problems could arise, or paranoia could set in.

  Manufacturers don't claim cordless phones offer any privacy.  Frankly, 
because they instill a false and misleading expectation of privacy, the 
several well-intentioned but unenforceable local laws intended to restrict 
cordless monitoring actually do more harm than good.  The laws serve no other 
purpose or practical function.  It would be far better for all concerned to 
simply publicize that cordless phones are an open line for all to hear.

  So, cordless phones must be used with the realization that there is no 
reason to expect privacy.  Not long ago, GTE Telephone Operations Incorporated 
issued a notice to its subscribers under the headline "Cordless Convenience 
May Warrant Caution."  Users were told to "recognize that cordless messages 
are, in fact, open-air FM radio transmissions.  As such, they are subject to 
interception (without legal constraint) by those with scanners and similar 
electronic gear...  Discretion should dictate the comparative advisability of
hard-wired phone use."

  Good advice.  We might add that if you are using a cordless phone, you don't 
give out your last name, telephone number, address, any credit card numbers, 
bank account numbers, charge account numbers, or discuss any matters of a 
confidential nature.  Moreover, it might be a good idea to advise the other 
party on your call that the conversation is going through a cordless phone.

  Some people might not care, but others could find that their conversations 
could put them in an unfortunate position.  Harvard Law School Professor Alan 
M. Dershowitz, writing on cordless phone snooping in The Boston Globe (January 
22, 1990), said, "The problem of the non-secure cordless telephone will be 
particularly acute for professionals, such as doctors, psychologists, lawyers, 
priests, and financial advisors.  Anyone who has an ethical obligation of 
confidentiality should no longer conduct business over cordless phones, unless 
they warn their confidants that they are risking privacy for convenience."

  That's more good advice.  Not that the public will heed that advice.  People 
using cellulars have been given similar information many times over, and 
somehow it doesn't sink in.  But _you_ got the message, didn't you?  Zip your 
lip when using any of these devices.  And, if you've got a scanner, you can 
tune in on everybody else blabbing their lives away, and maybe even help the 
police catch drug dealers and other bad guys -- well, unless you live in 
California or some other place where the local laws are more protective of 
cordless phone privacy than the federal courts are.


  That's it.  There wasn't much high-tech intelligence there, but it was
a lot more readable than something copied out of The Bell System Technical 
Journal, right? 

  Think about the implications: Someone who'd turn in their neighbours for 
enjoying recreational chemicals would probably narc on phreaks, hackers, 
anarchists or trashers as well.  It isn't just the FBI, Secret Service, and 
cops you have to worry about -- it's the guy down the street with a dozen 
antennas on his roof.  The flip side is that if you knew someone was listening 
in, you could have a lot of fun, like implicating your enemies in child 
prostitution rings, or making up outrageous plots that will cause the
eavesdropper to sound like a paranoid conspiracy freak when he, she, or it talks
to the cops.

  On the more, uh, active side, the potential for acquiring useful information 
like long-distance codes is obvious.  Other possibilities will no doubt occur 
to you.

  Cordless phones also have the potential to allow you to use someone's phone 
line without the hassles of alligator clips.  With a bit of luck you could buy 
a popular model of phone, then try various channels and security codes until 
you get a dial tone.  Since many phones have these codes preset by the 
factory, one might have to capture the code for a given system and play it 
back somehow to gain access.  The ultimate would be a 10 channel handset with 
the ability to capture and reproduce the so-called security codes 
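
  [Added example, not part of the original article or of wombat's notes.]
The dial-tone "security code" described under Hardware Topics is a fixed
value, which is why the text above can talk about capturing it and playing it
back.  The Python sketch below is a toy in-memory model (all class and
function names are hypothetical, and it is not any real phone's protocol)
that puts a fixed-code base unit beside one that uses a fresh challenge and a
keyed response, and shows that a recorded transmission reopens only the first.

```python
# Toy model only: hypothetical names, no real handset/base protocol.
import hashlib
import hmac
import secrets


class FixedCodeBase:
    """Base unit that gives dial tone to any frame equal to its fixed code."""

    def __init__(self, code: bytes):
        self._code = code

    def grant_dial_tone(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self._code)


class ChallengeBase:
    """Base unit that issues a fresh random challenge for every attempt."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def grant_dial_tone(self, response: bytes) -> bool:
        if self._pending is None:
            return False  # nothing outstanding, so nothing can match
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None  # a challenge is good for one attempt only
        return hmac.compare_digest(response, expected)


def handset_response(key: bytes, challenge: bytes) -> bytes:
    """What a handset holding the shared key sends back for a challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def replay_results() -> dict:
    """Run one legitimate access per design, then replay what was on the air."""
    results = {}

    # Fixed code: the same bytes go over the air on every call.
    code = secrets.token_bytes(2)            # constructed sample code
    fixed = FixedCodeBase(code)
    recorded = code                          # what any receiver in range heard
    results["fixed_legit"] = fixed.grant_dial_tone(code)
    results["fixed_replay"] = fixed.grant_dial_tone(recorded)

    # Challenge-response: the on-air bytes differ on every call.
    key = secrets.token_bytes(16)            # constructed shared key
    base = ChallengeBase(key)
    recorded = handset_response(key, base.challenge())
    results["cr_legit"] = base.grant_dial_tone(recorded)
    base.challenge()                         # base starts a new attempt
    results["cr_replay"] = base.grant_dial_tone(recorded)
    results["cr_replay_unprompted"] = base.grant_dial_tone(recorded)
    return results


if __name__ == "__main__":
    for name, granted in replay_results().items():
        print(f"{name:22s} dial tone granted: {granted}")
```

Neither design in this model touches the audio path, so the article's point
that the voice itself goes out in the clear holds for both.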

  This subject requires further research.  Guess I'd better get a scanner.  
Most short-wave receivers don't go past 30 MHz, and they generally don't have 
FM demodulators.  Looking in the Radio Shark catalog, any of their scanners
would do the job.  Some scanners can be modified to restore cellular coverage
and increase the number of channels just by clipping diodes.  If you're going 
to buy a scanner, you might as well get one of those.  The scanner modification
books advertised in Pop Comm would help, or check out Sterling's article 
"Introduction to Radio Telecommunications Interception" in Informatik #01.  
He lists many interesting frequencies, and has the following information on 
the Radio Shark scanners:

Restoring cellular reception.

     Some scanners have been blocked from receiving the cellular band.  This 
can be corrected.  It started out with the Realistic PRO-2004 and the PRO-34, 
and went to the PRO-2005.  To restore cellular for the 2004, open the radio 
and turn it upside down.  Carefully remove the cover.  Clip one leg of D-513 
to restore cellular frequencies.  For the PRO-2005, [and for the PRO-2006 
-\/\/ombat-] the procedure is the same, except you clip one leg of D-502 to
restore cellular reception.  On the PRO-34 and PRO-37, cut D11 to add 824-851 
and 869-896 MHz bands with 30 kHz spacing.

     All these are described in great detail in the "Scanner Modification
Handbook" volumes I. and II. by Bill Cheek, both available from Communications
Electronics Inc. (313) 996-8888. They run about $18 apiece.
(reproduced from Informatik #01, file 02)