hn-classics/_stories/1991/11102051.md

---
created_at: '2016-02-15T08:05:33.000Z'
title: 'Cordless Telephones: Bye Bye Privacy (1991)'
url: http://readtext.org/hamradio/cordless-telephones-privacy/
author: tux
points: 43
story_text: 
comment_text: 
num_comments: 9
story_id: 
story_title: 
story_url: 
parent_id: 
created_at_i: 1455523533
_tags:
- story
- author_tux
- story_11102051
objectID: '11102051'

---
This file may also be known as wombat file \#01, or wombat01 if I ever
bother to type/write something else. \\/\\/ombat (originally published
in Popular Communications, June 1991)

This file is a work of fiction. Everything in it is fictitious. Any
resemblance to persons living or dead, magazines, companies, products,
trademarks, copyrights, or anything else in the real world is purely
coincidental, and you should see a shrink about your over-active
imagination if you think otherwise.

A Boon to Eavesdroppers, Cordless Phones Are as Private as Conversing in
an Elevator. You’ll Never Guess Who’s Listening In\!

OK, so it took a while, but now you’ve accepted the fact that your
cellular phone conversations can easily be overheard by the public at
large. Now you can begin wrestling with the notion that there are many
more scanners in the hands of the public that can listen to cordless
telephone calls than can tune in on cellulars.

Monitoring cellular calls requires the listener to own equipment capable
of picking up signals in the 800 to 900 MHz frequency range. Not all
scanners can receive this band, so unless the scannist wants to purchase
a new scanner, or a converter covering those frequencies, \[see February
and March issues of Radio-Electronics for a converter project
-\\/\\/ombat-\] they can’t tune in on cellular calls. And let’s not
forget that it’s a violation of federal law to monitor cellular
conversations. Not that there seems to be any practical way yet devised
to enforce that law, nor does the U.S. Dept. of Justice appear to be
especially interested in trying.

On the other hand, cordless telephones operate with their base pedestals
in the 46 MHz band, and the handsets in the 49 MHz band. Virtually every
scanner ever built can pick up these frequencies with ease. Cordless
telephones are usually presented to the public as having ranges up to
1,000 feet, but that requires some clarification. That distance
represents the reliable two-way communications range that can be
expected between the handset and the pedestal, given their small
inefficient receivers and antennas, and that they are both being used at
ground level.

In fact, even given those conditions, 1,000 feet of range is far more
coverage than necessary for the average apartment or house and yard.
Consider that 1,000 feet is a big distance. It’s almost one-fifth of a
mile. It’s the height of a 100-story skyscraper. The Chrysler Building,
third tallest building in New York City, is about 1,000 feet high, so is
the First Interstate World Center, tallest building in Los Angeles. When
someone uses a sensitive scanner connected to an efficient antenna
mounted above ground level, the signals from the average 46 MHz cordless
phone base pedestal unit (which broadcasts both sides of all
conversations) can often be monitored from several miles away, and in
all directions.

Some deluxe cordless phones are a snoop’s delight. Like the beautiful
Panasonic KX-T4000. Its range is described as “up to 1,000 feet from the
phone’s base,” however the manufacturer brags that “range may exceed
1,000 feet depending upon operating conditions.” When you stop to think
about it, what at first seems like a boast is really a somewhat harmless
sounding way of warning you that someone could monitor the unit from an
unspecified great distance. In fact, just about all standard cordless
phones exceed their rated ranges. But the KX-T4000’s main bonus and
challenge to the snoop is that it can operate on ten different
frequencies instead of only a single frequency. The BellSouth Products
Southwind 170 cordless phone suggests a range of up to 1,500 feet.,
depending on location and operating conditions. The ten-channel Sony
SPP-1508 has a built-in auto-scan system to select the clearest
channels.

What with millions of scanners in the hands of the public, a cordless
telephone in an urban or suburban area could easily be within receiving
range of dozens of persons owning receiving equipment capable of
listening to every word said over that phone. Likewise, every urban or
suburban scanner owner is most likely to be within receiving range of
dozens of cordless telephones. Many persons with scanners program their
units to search between 46.50 and 47.00 MHz and do listen. Some do it
casually to pass the time of day, others have specific purposes.

## Not Covered

The Electronic communications Privacy Act of 1986, the federal law that
supposedly confers privacy to cellular conversations, doesn’t cover
cordless telephones.

A year and a half ago, the U.S. Supreme Court wasn’t interested in
reviewing a lower court decision that held that some fellow didn’t have
any “justifiable expectation of privacy” for their cordless phone
conversations. It seems that man’s conversations regarding suspected
criminal activity were overheard and the police were alerted, which
caused the police to investigate further and arrest the man after
recording more of his cordless phone conversations.

Yet, even though (at this point) there is no federal law against
monitoring cordless phones, there are several states with laws that
restrict the practice. In New York State, for instance, a state
appellate court ruled that New York’s eavesdropping law prohibits the
government from intentionally tuning in on such conversations.

California recently passed the Cordless and Cellular Radio Telephone
Privacy Act (amending Sections 632, 633, 633.5, 634, and 635 of the
Penal Code, amending Section 1 of Chapter 909 of the Statutes of 1985,
and adding Section 632.6 to the Penal Code) promising to expose an
eavesdropper to a $2,500 fine and a year in jail in the event he or she
gets caught. Gathering the evidence for a conviction may be easier said
than done.

There may be other areas with similar local restrictions, these are two
that I know about. Obviously listening to cordless phones in major
population areas is sufficiently popular to have inspired such
legislative action. There are, however, reported to be efforts afoot to
pass federal legislation forbidding the monitoring of cordless phones as
well as baby monitors. Such a law wouldn’t stop monitoring, nor could it
be enforced. It would be, like the ECPA, just one more piece of glitzy
junk legislation to hoodwink the public and let the ACLU and
well-meaning, know-nothing, starry-eyed privacy advocates think they’ve
accomplished something of genuine value.

## Strange Calls

On April 20th, The Press Democrat, of Santa Rosa, Calif., reported that
a scanner owner had contacted the police in the community of Rohnert
Park to say that he was overhearing cordless phone conversations
concerning sales of illegal drugs. The monitor, code named Zorro by the
police, turned over thirteen tapes of such conversations made over a two
month period.

Police took along a marijuana-sniffing cocker spaniel when they showed
up at the suspect’s home with a warrant one morning. Identifying
themselves, they broke down the door and found a man and a woman, each
with a loaded gun. They also found a large amount of cash, some cocaine,
marijuana, marijuana plants, and assorted marijuana cultivating
paraphernalia.

In another example, Newsday, of Long Island, New York, reported in its
February 10, 1991 edition another tale of beneficial cordless phone
monitoring.

It seems a scanner owner heard a cordless phone conversation between
three youths who were planning a burglary. First, they said that they
were going to buy a handheld CB radio so they could take it with them in
order to keep in contact with the driver of the car, which had a mobile
CB rig installed. Then, they were going to head over to break into a
building that had, until recently, been a nightclub.

The scanner owner notified Suffolk County Police, which staked out the
closed building. At 10:30 p.m., the youths appeared and forced their way
into the premises. They were immediately arrested and charged with
third-degree burglary and possession of burglary tools.

I selected these two examples from the many similar I have on hand
because they happen to have taken place in states where local laws seek
to restrict the monitoring of cordless telephones.

Most of the calls people monitor aren’t criminal in nature, but are
apparently interesting enough to have attracted a growing audience of
recreational monitors easily willing to live with accusations of their
being unethical, nosy, busybodies, snoops, voyeurs, and worse.

As it turns out, recreational monitors are undoubtedly the most harmless
persons listening in on cordless phone calls.

## They're All Ears

A newsletter called Privacy Today, is put out by Murray Associates, one
of the more innovative counterintelligence consultants serving business
and government. This publication noted (as reported in the mass media)
that IRS investigators may use scanners to eavesdrop on suspected tax
cheats as they chat on their cordless phones.

But, the publication points out that accountants who work out of their
homes could turn up as prime targets of such monitoring. Their clients
might not even realize the accountant is using a cordless phone, and
therefore assume that they have some degree of privacy. One accountant
suspected of preparing fraudulent tax returns could, if monitored, allow
the IRS to collect evidence on all clients.

Furthermore, Privacy Today notes that this has ramifications on the IRS
snitch program (recycle tax cheats for cash). They say, “Millions of
scanner owners who previously listened to cordless phones for amusement
will now be able to do it for profit. Any incriminating conversation
they record can be parlayed into cash, legally.”

In fact, in addition to various federal agents and police, there are
private detectives, industrial spies, insurance investigators, spurned
lovers, scam artists, burglars, blackmailers, and various others who
regularly tune in with deliberate intent on cordless telephones in the
pursuit of their respective callings. If you saw the film Midnight Run,
starring Robert DeNiro, you’ll recall that the bounty hunter was shown
using a handheld scanner to eavesdrop on a cordless phone during his
effort to track down a fugitive bail jumper.

No, cordless phone monitoring isn’t primarily being done for sport by
the incurably nosy for the enjoyment and entertainment it can provide.
The cordless telephone has been recognized as a viable and even
important tool for gathering intelligence.

## Intelligence Gathering?

In fact, there are differences between cordless and cellular monitoring.
When a cellular call is monitored, it’s quite difficult to ascertain the
identity of the caller, and impossible to select a particular person for
surveillance. These are mostly portable and mobile units that are
passing through from other areas, and they’re operation on hundreds of
different channels. Sometimes the calls cut off right in the middle of a
conversation. The opportunities for ever hearing the same caller more
than once are very slim.

Not so with cordless phones. These units are operated at permanent
locations in homes, offices, factories, stores. Most models transmit on
only one or two specific frequencies, and while a few models can switch
to any of ten channels, that’s still a lot fewer places to have to look
around than scanning through the hundreds of cellular frequencies. So,
with only minor effort, it’s possible to know which cordless phones in
receiving range are set up to operate on which channels. And you
continually hear the same cordless phone users over a long period of
time. They soon become very familiar voices; you might even recognize
some of them.

The diligent, professional intelligence gatherer creates a logbook for
each of the frequencies in the band, then logs in each cordless phone
normally monitored using that frequency. Then, each time a transmission
is logged from a particular phone, bits and scraps of information can be
added to create a growing dossier picked up from conversations. With
very little real effort, it doesn’t take long to assemble an amazing
amount of information on all cordless phones within monitoring range.

Think about the information that is inadvertently passed in phone calls
that would go into such files. Personal names (first and last) which are
easily obtained from salutations, calls, and messages left on other
people’s answering machines; phone numbers (that people give for
callbacks or leave on answering machines); addresses; credit card
numbers; salary and employment information; discussions of health and
legal problems; details of legit and shady business deals; even
information on the hours when people are normally not at home or will be
out of town, and much more, including the most intimate details of their
personal lives. Anybody who stops for a moment to think about all the
things they say over a cordless telephone over a period of a week or two
should seriously wonder how many of those things they’d prefer not be
transmitted by shortwave radio throughout their neighborhood.

Cordless phone users don’t realize that these units don’t only broadcast
the phone calls themselves. Most units start transmitting the instant
the handset is activated, and will broadcast anything said to others in
the room before and while the phone is being dialed, and while the
called number is ringing. Using a DTMF tone decoder, it’s even possible
to learn the numbers being called from cordless phones. \[see the
classified ads in Popular Communications for DTMF decoders; also for
books on how to modify scanners to restore the cellular frequencies, and
more\! -\\/\\/ombat-\]

One private investigator told me that part of a infidelity surveillance
he just completed included a scanner tuned to someone’s cordless phone
channel, feeding a voice-operated (VOX) tape recorder. Every day he
picked up the old tape and started a new one. The scanner was located in
a rented room several blocks away from the person whose conversations
were being recorded.

## Hardware Topics

Many people are under the impression that the security features included
in some cordless phones provide some sort of voice scrambling or
privacy. They don’t do anything of the kind. All they do is permit the
user to set up a code so that only his or her own handset can access the
pedestal portion of his own cordless phone system. In these days of too
few cordless channels, neighbors have sometimes ended up with cordless
phones operating on the identical frequency pair. That created the
problem of making a call and accessing your neighbor’s dial tone instead
of your own, or your handset ringing when calls come in on your
neighbor’s phone.

The FCC is going to require this feature on all new cordless telephones,
but it still won’t mean that the two neighbors will be able to talk on
their identical-channel cordless phones simultaneously. Such situations
allow neighbors to eavesdrop on one another’s calls, even without owning
a scanner. The FCC is attempting to relieve the common problem of too
many cordless phones having to share the ten existing base channels in
the 46.50 to 47.00 MHz band. These frequencies are 46.61, 46.63, 46.67,
46.71, 46.73, 46.77, 46.83, 46.87, 46.93, and 46.97 MHz. Each of these
frequencies are paired with a 49 MHz handset channel.

Manufacturers are going to be permitted to produce cordless phones with
channels positions in between the existing ten frequency pairs. Cordless
phones will now be permitted operation on these additional offset
frequencies to relieve the congestion.

A date for implementing these new frequencies hasn’t yet been announced,
but it should be soon. The FCC feels that the life expectancy of a
cordless phone isn’t very long, and they’d like these new phones to be
ready to go on line as the existing phones are ready to be replaced. The
new model phones are going to have to also incorporate the dial tone
access security encoding feature I mentioned.

Let’s hope the new batch of cordless phones is less quirky than some of
the ones now in use. We understand that the transmitters of some
cordless phones switch on for brief periods whenever they detect a sharp
increase in the sound level, such as laughter, shouting, or a loud voice
on the extension phone.

Privacy Today tells of the cordless phone that refused to die. They
noted it was reported that the General Electric System 10 cordless
phone, Model 2-9675, just won’t shut up. It broadcasts phone calls even
when they are made using regular extension phones\!

As for receiving all of these signals, any scanner will do. Antennas
that do an especially good job include 50 MHz (6 meter ham band)
omnidirectional types, or (secondarily) any scanner antenna designed for
reception in the 30 to 50 MHz range.

There is a dipole available that is specifically tuned for the 46 to 49
MHz band, which you can string up in your attic (or back yard) and get a
good shot at all signals in the band. This comes with 50 ft. of RG-6
coaxial cable lead-in, plus a BNC connector for hooking to a scanner.
This cordless phone monitoring antenna is $49.95 (shipping included to
USA, add $5 to Canada) from the Cellular Security Group, 4 Gerring Road,
Gloucester, MA 01930. \[you can build one yourself for much less $; look
in the chapter on antennas in the ARRL Radio Amateur’s Handbook
-\\/\\/ombat-\]

The higher an antenna is mounted for this reception, the better the
range and reception quality, and the more phones will be heard.

## Zip The Lip

Once you understand the nature of cordless phoning, you should easily be
able to deal with these useful devices. Let’s face it, it isn’t really
absolutely necessary for all of your conversations to achieve complete
privacy. You are perfectly willing to relinquish expectations of
conversational privacy. You do it every time you converse in an
elevator, a restaurant, a store, a waiting room, a theatre, on the
street, etc. You take precautions not to say certain things at such
times, so you don’t feel that you are being threatened by having been
overheard. Think of speaking on a cordless phone as being in the same
category as if you were in a crowded elevator, and you’ll be just fine.
It’s only when a person subscribes to the completely erroneous notion
that a cordless phone is a secure communications device that any
problems could arise, or paranoia could set in.

Manufacturers don’t claim cordless phones offer any privacy. Frankly,
because they instill a false and misleading expectation of privacy, the
several well-intentioned but unenforceable local laws intended to
restrict cordless monitoring actually do more harm than good. The laws
serve no other purpose or practical function. It would be far better for
all concerned to simply publicize that cordless phones are an open line
for all to hear.

So, cordless phones must be used with the realization that there is no
reason to expect privacy. Not long ago, GTE Telephone Operations
Incorporated issued a notice to its subscribers under the headline
“Cordless Convenience May Warrant Caution.” Users were told to
“recognize that cordless messages are, in fact, open-air FM radio
transmissions. As such, they are subject to interception (without legal
constraint) by those with scanners and similar electronic gear…
Discretion should dictate the comparative advisability of hard-wired
phone use.”

Good advice. We might add that if you are using a cordless phone, you
don’t give out your last name, telephone number, address, any credit
card numbers, bank account numbers, charge account numbers, or discuss
any matters of a confidential nature. Moreover, it might be a good idea
to advise the other party on you call that the conversation is going
through a cordless phone.

Some people might not care, but others could find that their
conversations could put them in an unfortunate position. Harvard Law
School Professor Alan M. Dershowitz, writing on cordless phone snooping
in The Boston Globe (January 22, 1990), said, “The problem of the
non-secure cordless telephone will be particularly acute for
professionals, such as doctors, psychologists, lawyers, priests, and
financial advisors. Anyone who has an ethical obligation of
confidentiality should no longer conduct business over cordless phones,
unless they warn their confidants that they are risking privacy for
convenience.”

That’s more good advice. Not that the public will heed that advice.
People using cellulars have been given similar information many times
over, and somehow it doesn’t sink in. But you got the message, didn’t
you? Zip your lip when using any of these devices. And, if you’ve got a
scanner,you can tune in on everybody else blabbing their lives away, and
maybe even help the police catch drug dealers and other bad guys – well,
unless you live in California or some other place where the local laws
are more protective of cordless phone privacy than the federal courts
are.

That’s it. There wasn’t much high-tech intelligence there, but it was a
lot more readable than something copied out of The Bell System Technical
Journal, right?

Think about the implications: Someone who’d turn in their neighbours for
enjoying recreational chemicals would probably narc on phreaks, hackers,
anarchists or trashers as well. It isn’t just the FBI, Secret Service,
and cops you have to worry about – it’s the guy down the street with a
dozen antennas on his roof. The flip side is that if you knew someone
was listening in, you could have a lot of fun, like implicating your
enemies in child prostitution rings, or making up outrageous plots that
will cause the eavesdropper to sound like a paranoid conspiracy freak
when he she or it talks to the cops.

On the more, uh, active side, the potential for acquiring useful
information like long-distance codes is obvious. Other possibilities
will no doubt occur to you.

Cordless phones also have the potential to allow you to use someone’s
phone line without the hassles of alligator clips. With a bit of luck
you could buy a popular model of phone, then try various channels and
security codes until you get a dial tone. Since many phones have these
codes preset by the factory, one might have to capture the code for a
given system and play it back somehow to gain access. The ultimate would
be a 10 channel handset with the ability to capture and reproduce the
so-called security codes automatically.

This subject requires further research. Guess I’d better get a scanner.
Most short-wave receivers don’t go past 30 MHz, and they generally don’t
have FM demodulators. Looking in the Radio Shark catalog, any of their
scanners would do the job. Some scanners can be modified to restore
cellular coverage and increase the number of channels just by clipping
diodes. If you’re going to buy a scanner, you might as well get one of
those. The scanner modification books advertised in Pop Comm would help,
or check out Sterling’s article “Introduction to Radio
Telecommunications Interception” in Informatik \#01. He lists many
interesting frequencies, and has the following information on the Radio
Shark scanners:

Restoring cellular reception.

Some scanners have been blocked from receiving the cellular band. This
can be corrected. It started out with the Realistic PRO-2004 and the
PRO-34, and went to the PRO-2005. To restore cellular for the 2004, open
the radio and turn it upside down. Carefully remove the cover. Clip one
leg of D-513 to restore cellular frequencies. For the PRO-2005, \[and
for the PRO-2006 -\\/\\/ombat-\] the procedure is the same, except you
clip one leg of D-502 to restore cellular reception. On the PRO-34 and
PRO-37, Cut D11 to add 824-851 and 869-896 MHz bands with 30 kHz
spacing.

All these are described in great detail in the “Scanner Modification
Handbook” volumes I. and II. by Bill Cheek, both available from
Communications Electronics Inc. (313) 996-8888. They run about $18
apiece.

(reproduced from Informatik \#01, file 02)

  - Author: Tom Kneitel, K2AES / Wombat / Popular Communications
  - Original: <http://textfiles.com/hamradio/cordpriv.txt>