Was the person in the basement eavesdropping or actually performing a man-in-the-middle attack?
Very much the easiest way of doing this is a classic man in the middle attack with two vanilla off the shelf modems and a vanilla off the shelf central office simulator. The modems would be tied more or less back to back through two serial ports and software on a laptop in the basement, one modem connected to the actual phone line to the central office and the other connected to the local wires to the target's home through the central office simulator. This way all traffic in both directions would go through the modems and software on the laptop, allowing the connection to be taken over cleanly between packets, and packets to be injected and deleted as needed. I believe that it would not be hard to make such a MITM decode the DTMF dialing from the target and dial the same number on its outgoing modem, thus enabling the MITM to passively relay modem calls it wasn't interested in spoofing. And incoming modem calls could be similarly handled. While I might hasten to add that my interest is entirely academic and I've never tried configuring such a thing, I'm quite sure that standard off the shelf consumer modems and cheap and widely available central office simulators could be configured to set up such a MITM without requiring any special hardware, hardware modifications, or modified modem firmware, or special programming expertise beyond that required to operate modems through a serial port, and obviously the cost of such a thing might well be kept under $1000 and perhaps under $500 compared to the multiple tens or hundreds of thousands that the specialized modem and protocol analyzer test equipment that can do this sort of thing costs.
A slightly more realistic version with a sound card and some simple coupling transformers available at Radio Shack (or free from an old junk modem) would allow full simulation/cutover of the call progress tones and wrong number announcements and so forth and might make such a device rather difficult to detect for a casual non technical modem user. While this is not 100% off the shelf hardware, the technical skills required are rather low.
Don't high speed modems transmit and receive on the same frequencies, using echo cancellation to decode the receive signals? Does that make it impossible to eavesdrop on high-speed (i.e. V.32bis) modems?
That has been widely reported. In fact, given a four wire (directional) tap this is probably not true in many cases, in that the inherent directionality (echo return loss) of the line gives enough separation between the data going in one direction and the data going in the other for successful separation. This is further enhanced by the generally true fact that the line is idle in at least one direction for most of the time, and the pattern of data transmitted on an idle line under LAPM is predictable and can be subtracted out even if the actual SNR is not good enough to reliably demodulate it. As far as I know, the firmware to allow passive monitoring of V.32 and V.34 data is not part of any standard modem firmware, but many modems can passively monitor the lower speed transmissions.
David
Dave Emery die@die.com