Spy vs. Spy

A modern study of mic bugs operation and detection

Veronica Valeros
@verovaleros

Sebastian Garcia

@eldracote

MatesLab Hackerspace

bit.ly/HITBsvs

Audio eavesdropping is a threat

A brief tour through the last century FM mic bugs

History: The Thing

History: KGB bug

History: TI-574A

History: OPEC

Mic Technology Advances

From lasers to malware

Mic Technology Advances

From lasers in the air to malware

Lets Experiment!

FM and GSM wireless stationary microphone bugs

F908

Frequency: 113.5MHz

Range: 500m

Battery: 9v

Price: 33 USD

MicroSpy

Frequency: 102MHz

Range: 500m

Battery: 9v

Price: 15 USD

Ear-1

Frequency: 102.2MHz

Range: 500m

Battery: 9v

Price: 18 USD

Beurer BY04

Frequency:
864MHz

Range:
500m

Battery:
3x AAA

Price:

65 USD

Mini A8

Frequency: EU GSM

Range: world-wide

Battery: li-ion 3v

Price: 9.29 USD

Comparison

Listening Experiments

No need for a van in front of your house

Listening Experiments

Hard to do it professionally
Listening was hard. Very.

Geolocation

Attackers need to be close
- Good for you, filters your attackers
- Bad for them, they need to be close
- Bad for you, they are close
Nobody can help from the Internet
- Bad for you

Contact a company if you are in a life-threatening situation.

Salamandra

SDR-based, free software detection and location of hidden microphones

https://github.com/eldraco/Salamandra

USB SDR device

DVB-T+DAB+FM

Normal FM Radio Station

Mic F908

Detection Feature

Trained thresholds with ~85 experiments
Fixed the thresholds for the best detection

Location Feature

Real Life Experiments

Seeker goes out. Hider hides mic (or not)
Seeker gets in. Speaks passwords. Hider tries to catch them
Measure time to detection
Measure time to location
Measure recall: (passwords heard / total passwords)

Real Life Experiments

Hiding is hard
- Power, behavior, know your target, physical access
Location is hard
Listening is hard
Detection is fast

Audio Improvements

Original

Improved

Don't use music to conceal your conversation

Conclusions

Audio eavesdropping is a real threat. Don't be fooled.
Now you know how it works.
Now you know how to protect yourself.

Try Salamandra, find mics.

Advance the field. Help others.

Questions?

Veronica Valeros

@verovaleros

vero.valeros@gmail.com

Sebastian Garcia @eldracote

eldraco@gmail.com

Spy vs. Spy

A modern study of mic bugs operation and detection

Veronica Valeros @verovaleros

Sebastian Garcia

@eldracote

MatesLab Hackerspace

bit.ly/HITBsvs

Audio eavesdropping is a threat

Audio eavesdropping is a threat

A brief tour through the last century FM mic bugs

History: The Thing

History: The Thing

History: KGB bug

History: TI-574A

History: TI-574A

History: OPEC

Mic Technology Advances

From lasers to malware

Mic Technology Advances

From lasers in the air to malware

Lets Experiment!

FM and GSM wireless stationary microphone bugs

F908

Frequency: 113.5MHz

Range: 500m

Battery: 9v

Price: 33 USD

MicroSpy

Frequency: 102MHz

Range: 500m

Battery: 9v

Price: 15 USD

Ear-1

Frequency: 102.2MHz

Range: 500m

Battery: 9v

Price: 18 USD

Beurer BY04

Frequency: 864MHz

Range: 500m

Battery: 3x AAA

Price:

65 USD

Mini A8

Frequency: EU GSM

Range: world-wide

Battery: li-ion 3v

Price: 9.29 USD

Comparison

Listening Experiments

Listening Experiments

No need for a van in front of your house

Listening Experiments

Listening Experiments

Hard to do it professionally

Listening was hard. Very.

Geolocation

Attackers need to be close

Good for you, filters your attackers

​Bad for them, they need to be close

Bad for you, they are close

Nobody can help from the Internet

​Bad for you

Contact a company if you are in a life-threatening situation.

Salamandra

SDR-based, free software detection and location of hidden microphones

https://github.com/eldraco/Salamandra

USB SDR device

DVB-T+DAB+FM

Normal FM Radio Station

Mic F908

Mic F908

Detection Feature

Trained thresholds with ~85 experiments

Fixed the thresholds for the best detection

Location Feature

Real Life Experiments

Real Life Experiments

Seeker goes out. Hider hides mic (or not)

Seeker gets in. Speaks passwords. Hider tries to catch them

Veronica Valeros
@verovaleros

Frequency:
864MHz

Range:
500m

Battery:
3x AAA

Bad for them, they need to be close

Bad for you