#OpenFabs , #OpenHW , #OpenAudit , #FormalVerification , #CryptoCrowdFunding , #OpenTrust , #GuerrillaNets , #P2PFiber , #GNURadioRF , #PrivacyCoins , #DropGangs , ... https://buggedplanet.info/ https://media.ccc.de/v/rc3-11512-cia_vs_wikileaks https://earsandeyes.noblogs.org/files/2023/03/list-pictures-en-2023-03.pdf https://www.schneier.com/blog/archives/2013/12/more_about_the.html https://en.wikipedia.org/wiki/Tailored_Access_Operations https://wikileaks.org/vault7/ https://www.spiegel.de/ausland/mutmassliche-jagd-auf-julian-assanges-unterst... https://archive.is/mt4fT Homepage Crypto Spy radio _________________________________ Burst <D7> [ Search ] Click for homepage encoders Bugs Intercept Phones Covert <- IP-19 Index Glossary Cameras CryptoPhone implant Recorders Radio Embedded covert listening device . 2018 Bugs Microphones This page describes a highly professional covert listening device (bug) that was discovered in Earpieces March 2018 in Germany, inside a CryptoPhone IP-19 that was used by activists working for the Optics whistleblower website WikiLeaks [4]. It was used by WikiLeaks for secure communication between Concealments London and Berlin, whilst coordinating the revelations of NSA whistleblower Edward Snowden in Dead drops mid-2013. It was also used in the days that WikiLeaks founder Julian Assange [5] was a resident of Tools the Embassy of Equador in London. The expensive high-tech implant was tailor-made ^1 and is Stories attributed by some experts to the US Central Intelligence Agency (CIA) or a related agency [1][2]. Software Tracking CryptoPhone IP19 is a cryptographically secured desktop telephone -- based on Implant with Radio the Snom 870 -- that is marketed by GSMK in Berlin (Germany). It enables battery and PC encrypted voice communications with other CryptoPhone subscribers only, using amplifier Telex VoIP. circuit (metal Telephones cover removed) People One day in March 2018, the phone was brought back to Germany to replace its Agencies faulty display that had somehow been overheated. But when it was dismantled, the Manufacturers contents appeared to differ from a regular IP-19 and the implant was discovered. DONATE It was subsequently photographed and reported to the police who initiated an Publications investigation [1]. ^2 Standards For sale The bug circumvents the device's strong encryption, by connecting directly to the audio circuits. Kits It is passive in that it does not transmit the intercepted conversations immediately. Instead, it Shop records the conversations in its internal memory. Upon receiving a remote command, it transmits News the recorded conversations (probably encrypted) in a short wideband burst. This makes it virtually Events impossible to detect and discover the device in a regular bug sweep. * Location of the bug Wanted Contact It is difficult to determine the origin of this bug, but given the fact that it is professionally About us made in quantity and that it is tailor-made for this type of telephone, it seems likely that it Links was a state actor, probably the US Central Intelligence Agency (CIA). Note that this covert implant is not only suitable for the CryptoPhone IP-19, but for every Snom IP-phone that uses the same chassis. * Origin of the bug 1. Partly tailor-made and partly off-the-shelf. 2. Led by the Federal Criminal Police (Bundeskriminalamt) in Berlin. According to the German Federal Prosecutor (Bundesanwaltschaft) the investigation is ongoing under number 3 ARP 692/20-3. [9]. Replacement Implant Replacement Replacement Implant Implant Replacement Replacement keypad with board with board with with 2: small board aside board aside board with battery implant implant battery PCB with an original an original implant, and (metal and flying keypad keypad batteries, amplifier cover amplifier leads board board antenna and circuit removed) circuit for (metal (metal amplifier (metal tapping cover in cover circuit cover the place) removed) removed) audio circuits A * A 1 / 8 Replacement keypad board with implant, batteries, antenna and amplifier circuit A 2 / 8 Implant with battery and amplifier circuit (metal cover removed) A 3 / 8 Replacement board with implant (metal cover removed) A 4 / 8 Replacement board with implant A 5 / 8 Implant with battery and amplifier circuit A 6 / 8 Implant 2: small PCB with flying leads for tapping the audio circuits A 7 / 8 Replacement board aside an original keypad board (metal cover in place) A 8 / 8 Replacement board aside an original keypad board (metal cover removed) * * These images were taken from the website Buggedplanet.info [3]. Features * RF passive * Conversations are recorded * Remotely triggered activation * Burst transmission * High-tech FPGA-based design CryptoPhone IP-19 - right angle view - click for more * Hardware-based encryption information * 16GB Flash Memory * Built-in rechargeable battery * Invisible from the outside * Almost invisible on the inside Setup The diagram below shows how the system worked. At the left is the Listening Post (LP) with a command transmitter and a receiver. At the right is the modified CryptoPhone IP-19 of which the keypad board is replaced by a replacement board of identical size, that contains the implant. Judging from the type of antenna, the LP must have been in the immediate vicinity of the bugged telephone set. It seems likely that the distance between the LP and the target was no more than 50 metres and probably less. This means that the LP must have been in the same appartment, or across the street, or in a car driving by regularly to collect the intelligence. * Block diagram Location of the implant The implant was placed inside an IP-19 CryptoPhone in such a way that it was virtually invisible, even after opening the device. To understand how and where it was located inside the telephone, we will use the photograph of the interior of a regular IP-19 CryptoPhone (below) as a guide. After removing the rear case shell and turning the device over (front panel facing down), we see two green printed circuit boards (PCBs). The largest one is at the bottom of the stack. It is fitted directly to the front panel and holds the contacts for the keypad. In addition, it covers the Liquid Crystal Display (LCD). In the image below this board is highlighted with a blue outline. Click to see more The smaller PCB is the main board that contains the actual telephone electronics, the microcontroller and the firmware. It has components on both sides and is highlighted here with a yellow outline. It is connected to the keypad board by means of a 20-pin header in the bottom right corner. The side that is visible here, holds the UTP connectors, the ethernet interface and two USB expansion sockets. The microcontroller and the audio circuits are at the other side. Click to see more The image above shows the reverse side of the main board. At the right is the 20-pin inter-board connector. At the centre of the image, in the yellow circle, is a small board (implant 2) that is not present on the original board. It is glued to the PCB and is used to 'tap' the audio signals from the microphone and speaker circuits by means of four thin green wires. The tap board is connected to the main implant (the replacement keypad board) by means of the three black wires at the top. Click to see more The main implant (implant 1) is on the large PCB and is hidden underneath the main board. It is fitted to a PCB which has the same outer dimensions as the original keypad board and is shown in the image above. The empty area at the left is the part that covers the display. The rest of the PCB holds the implant, and is normally covered by the main board. The actual implant is at the centre. It is a separate PCB that is soldered to the keypad PCB by means of short wires. When it was discovered, it was covered by a metal enclosure (removed here) that was printed with a serial number. This suggests that the implant was a volume-produced off-the-shelf solution. Above the implant is a Li-ION battery pack that is connected to a 2-pin header. It is used to power the implant when the telephone set is disconnected from its power source. To the right of the implant are the audio amplifiers (for the microphone and speaker signals) and a circuit for charging the battery pack. At the bottom is the antenna by which the device is connected to the Listening Post (LP) outside the building. The LP had to be in the immediate vicinity of the bug. When the telephone is reassembled, the implant and the additional parts on the replacement keypad board (implant 1) are virtually invisible, as they are obstructed from view by the main board. The tap board (implant 2) is also invisible as it is at the rear side of the main board. From the available photographs it is difficult to identify the various components, in particular because the photographs are unsharp and the implant PCB is covered by a conformal coating. But some information can be gained from Andy Mueller-Maguhn's presentation on the subject [1]. All components have manufacturing date codes of April 2013 or earlier, which implies that the implant was made after that date. Furthermore, the dimensions of the board suggest a non-metric origin. The antenna is dimensioned for operation at a UHF frequency on or near 800 MHz. Interior Reverse side of Area Implant Replacement Relacement Replacement Replacement of the the main board, where a 2: small keypad board with board aside board aside telephone holding the miniature PCB with board with implant an original an original with the microcontroller board flying implant, (metal keypad keypad front and the audio (implant leads batteries, shield board board panel circuits 2) is for antenna and removed) (metal (metal facing added tapping amplifier cover in cover down the circuit place) removed) audio circuits B * B 1 / 8 Interior of the telephone with the front panel facing down B 2 / 8 Reverse side of the main board, holding the microcontroller and the audio circuits B 3 / 8 Area where a miniature board (implant 2) is added B 4 / 8 Implant 2: small PCB with flying leads for tapping the audio circuits B 5 / 8 Replacement keypad board with implant, batteries, antenna and amplifier circuit B 6 / 8 Relacement board with implant (metal shield removed) B 7 / 8 Replacement board aside an original keypad board (metal cover in place) B 8 / 8 Replacement board aside an original keypad board (metal cover removed) * * Origin It is difficult to determine who planted the bug in the CryptoPhone IP-19, but judging from its professional signature, the choice of components and the no doubt high development cost, it seems likely that it was a state actor. Furthermore, to plant the device, an operative had to gain access to the premises where the phone was kept, which is not without risk. Taking into account that the United States wanted Assange for violating the Espionage Act and revealing state secrets, it seems likely the US Central Intelligence Agency (CIA) was behind the operation, probably with help from the US National Security Agency (NSA) and British intelligence service GCHQ or MI5. It is unknown how long the device had been in operation before it was discovered, but this might have been years. The phone was first used from the UK for confidential talks with the German magazine Der Spiegel in mid-2013, in relation to the revelations of NSA whistleblower Edward Snowden. From the date codes on the components found in the implant, it is certain that it was made some time after April 2013. In theory it could have been inserted later that year or early in 2014, in which case it might have been operational for four years before it was discovered. The device is partly based on an existing (NSA?) product (the actual implant in the metal case), but its carrier board -- the replacement keypad board -- is specifically made for this type of telephone. Such designs are typically made by the Tailored Access Operations (TAO) unit of the US National Security Agency (NSA) [6][7]. From the way the implant is installed -- implant 2 and its thin wires are glued to the main board -- it can be concluded that the intelligence agency responsible for planting the bug had to get access to the premises at least twice: once to remove the telephone and once to put it back. Such operations are typically carried out by the Physical Access Group (PAG) of the Center for Cyber Intelligence (CCI} of the CIA [8]. Block diagram Below is an educated guess of the block diagram of the implant, based on information provided by Andy Mueller-Maguhn in a presentation at CCC on 28 December 2020 [1]. At the bottom is a miniature amplifier board (implant 2) that is soldered onto the main board of the telephone set. The other part of the bug (implant 1) is a large printed circuit board (PCB) that replaces the existing keypad PCB of the telephone set. It contains two amplifiers -- one for the microphone circuit of the telephone and one for the speaker circuit -- a rechargeable Li-ION battery, a patch antenna (part of the PCB) and a rectangular metal enclosure that contains the actual bug. The encapsulated unit is a sophisticated listening device that contains two field-programmable gate arrays (FPGAs), 16GB Flash Memory, an FSK modem and a wideband transceiver. Audio is picked up from the microphone and speaker circuits of the telephone's main board, amplified and digitised, before it is fed to an Actel FPGA where it is encoded en possibly also encrypted. The encoded audio is temporarily stored in the on-board 16GB Flash Memory device. When commanded by a nearby Command and Control transmitter, the data from the Flash Memory device is converted to a digital wideband waveform, and transmitted as a burst via a built-in transmitter, via a patch antenna at the edge of the PCB. Also connected to the antenna is the Command and Control receiver through which the listening post (LP) can request the data. The Li-ION battery, which is mounted on the large implant board and is recharged by the telephone, allows the device to deliver its data even when the telephone itself is disconnected. It is likely that the bug is controlled by a (virtual) microcontroller that is part of one of the FPGAs. References 1. Andy Mueller-Maguhn, CIA vs WikiLeaks media.ccc.de (website), 18 December 2020. 2. Ears and eyes, List of found surveillance devices Ears and eyes (website), March 2023. Chapter 14.1.1, pp. 62-63. 3. High resolution photopgraphs of the IP-19 implant Bugged planet (website), 23 March 2018. 4. Wikipedia, WikiLeaks Visited 21 March 2023. 5. Wikipedia, Julian Assange Visited 21 March 2023. 6. Bruce Schneier, More about the NSA's Tailored Access Operations Unit Blog, 31 December 2013. 7. Wikipedia, Tailored Access Operations Visited 22 March 2023. 8. WikiLeaks, Vault7: Projects 3 August 2017. 9. Jens Gluesing & Jorg Schindler, Jagt die CIA Assanges Unterstuetzer? Der Spegel, 23 February 2023. * Cached Further information * Central Intelligence Agency (CIA) * National Security Agency (NSA) * CryptoPhone IP-19 * WikiLeaks founder Julian Assange * NSA whistleblower Edward Snowden * Other secure telephones * Other bugs Any links shown in red are currently unavailable. If you like the information on this website, why not make a donation? <A9> Crypto Museum. Created: Tuesday 21 March 2023. Last changed: Tuesday, 28 March 2023 - 13:05 CET. Click for homepage