Spy vs. Spy

A modern study of mic bugs operation and detection

Veronica Valeros
@verovaleros

Sebastian Garcia

@eldracote

MatesLab Hackerspace

bit.ly/SpyBud

Audio eavesdropping is a threat

A brief tour through the last century FM mic bugs

KGB bug

The Thing

OPEC

TI-574A

Mic Technology Advances

From lasers in the air to malware

Try all the Mics!

Comparison

MicroSpy

F-908

EAR-1

Beurer BY

MiniA8

Listening Experiments

No need for a van in front of your house

Listening Experiments

Most mics have a lower battery autonomy than advertised

Geolocation Remarks

Attackers need to be close
- Good for you, filters your attackers
- Bad for them, they need to be close
- Bad for you, they are close
Nobody can help from the Internet
- Bad for you

Comparison with Malware

A successful malware infection is not guaranteed
Malware leaves traces. Others can find the attack.
People from the Internet can help with Malware

Comparison with non commercial

Battery vs. electricity
Transmit vs. storage
One-time conversation vs. all the time
One time access vs. continuous access

Contact a company if you are in a life-threatening situation

Salamandra

SDR-based, free software detection and location of hidden microphones

https://github.com/eldraco/Salamandra

USB SDR device

DVB-T+DAB+FM

Normal FM Radio Station

Mic F908

Detection Feature

Trained thresholds with ~85 experiments
Fixed the thresholds for the best detection

Location Feature

Salamandra new features

Detect and locate microphones
You can use rtl_power to record and send the signal to others with Salamandra
Profile your environment in different times and compare

Real Life Experiments

Experiments Methodology

Seeker goes out. Hider hides mic (or not)
Seeker gets in. Speaks passwords. Hider tries to catch them
Measure time to detection
Measure time to location
Measure recall: (passwords heard / total passwords)

Real Life Experiments

Experiments Conclusions

Hiding is hard
- Power, behavior, know your target, physical access
Location is hard
Listening is hard
Detection is fast (w/Salamandra)
Music doesn't hide your voice

Conclusions

Audio eavesdropping is a real threat. Don't be fooled.
Now you know how it works.
Now you know how to protect yourself.

Spy vs. Spy

A modern study of mic bugs operation and detection

Veronica Valeros @verovaleros

Sebastian Garcia

@eldracote

MatesLab Hackerspace

bit.ly/SpyBud

Audio eavesdropping is a threat

A brief tour through the last century FM mic bugs

KGB bug

The Thing

OPEC

TI-574A

Mic Technology Advances

From lasers in the air to malware

Try all the Mics!

Comparison

Listening Experiments

Listening Experiments

No need for a van in front of your house

Listening Experiments

Most mics have a lower battery autonomy than advertised

Geolocation Remarks

Attackers need to be close

Good for you, filters your attackers

​Bad for them, they need to be close

Bad for you, they are close

Nobody can help from the Internet

​Bad for you

Comparison with Malware

A successful malware infection is not guaranteed

Malware leaves traces. Others can find the attack.

People from the Internet can help with Malware

Comparison with non commercial

Battery vs. electricity

Transmit vs. storage

One-time conversation vs. all the time

One time access vs. continuous access

Contact a company if you are in a life-threatening situation

Salamandra

SDR-based, free software detection and location of hidden microphones

https://github.com/eldraco/Salamandra

USB SDR device

DVB-T+DAB+FM

Normal FM Radio Station

Mic F908

Detection Feature

Trained thresholds with ~85 experiments

Fixed the thresholds for the best detection

Location Feature

Salamandra new features

Detect and locate microphones

You can use rtl_power to record and send the signal to others with Salamandra

Profile your environment in different times and compare

Real Life Experiments

Experiments Methodology

Seeker goes out. Hider hides mic (or not)

Seeker gets in. Speaks passwords. Hider tries to catch them

Measure time to detection

Measure time to location

Measure recall: (passwords heard / total passwords)

Real Life Experiments

Real Life Experiments

Real Life Experiments

Experiments Conclusions

Hiding is hard

Power, behavior, know your target, physical access

Location is hard

Listening is hard

Detection is fast (w/Salamandra)

Music doesn't hide your voice

Conclusions

Audio eavesdropping is a real threat. Don't be fooled.

Now you know how it works.

Now you know how to protect yourself.

Try Salamandra, find mics.

Advance the field. Help others.

Questions?

Veronica Valeros

@verovaleros

Veronica Valeros
@verovaleros

Bad for them, they need to be close

Bad for you