Secure Phones: Not Secure, Wikileaks Hacked By TOP-SECRET Govt Implant, CryptoPhone IP-19

grarpamp grarpamp at
Mon Apr 3 17:13:00 PDT 2023

#OpenFabs , #OpenHW , #OpenAudit , #FormalVerification ,
#CryptoCrowdFunding , #OpenTrust , #GuerrillaNets ,
#P2PFiber , #GNURadioRF , #PrivacyCoins , #DropGangs , ...

IP-19
CryptoPhone implant
Embedded covert listening device · 2018

This page describes a highly professional covert listening device (bug) that was discovered in March 2018 in Germany, inside a CryptoPhone IP-19 that was used by activists working for the whistleblower website WikiLeaks [4]. It was used by WikiLeaks for secure communication between London and Berlin, whilst coordinating the revelations of NSA whistleblower Edward Snowden in mid-2013. It was also used in the days that WikiLeaks founder Julian Assange [5] was a resident of the Embassy of Ecuador in London. The expensive high-tech implant was tailor-made ^1 and is attributed by some experts to the US Central Intelligence Agency (CIA) or a related agency [1][2].

CryptoPhone IP-19 is a cryptographically secured desktop telephone -- based on the Snom 870 -- that is marketed by GSMK in Berlin (Germany). It enables encrypted voice communications with other CryptoPhone subscribers only, using VoIP.

[Image: Implant with battery and amplifier circuit (metal cover removed)]

One day in March 2018, the phone was brought back to Germany to replace its faulty display that had somehow been overheated. But when it was dismantled, the contents appeared to differ from a regular IP-19 and the implant was discovered. It was subsequently photographed and reported to the police who initiated an investigation [1]. ^2

The bug circumvents the device's strong encryption by connecting directly to the audio circuits. It is passive in that it does not transmit the intercepted conversations immediately. Instead, it records the conversations in its internal memory. Upon receiving a remote command, it transmits the recorded conversations (probably encrypted) in a short wideband burst. This makes it virtually impossible to detect and discover the device in a regular bug sweep.

It is difficult to determine the origin of this bug, but given the fact that it is professionally made in quantity and that it is tailor-made for this type of telephone, it seems likely that it was a state actor, probably the US Central Intelligence Agency (CIA). Note that this covert implant is not only suitable for the CryptoPhone IP-19, but for every Snom IP-phone that uses the same chassis.

1. Partly tailor-made and partly off-the-shelf.
2. Led by the Federal Criminal Police (Bundeskriminalamt) in Berlin. According to the German Federal Prosecutor (Bundesanwaltschaft) the investigation is ongoing under number 3 ARP 692/20-3 [9].

Photographs (gallery A, 8 images):

1. Replacement keypad board with implant, batteries, antenna and amplifier circuit
2. Implant with battery and amplifier circuit (metal cover removed)
3. Replacement board with implant (metal cover removed)
4. Replacement board with implant
5. Implant with battery and amplifier circuit
6. Implant 2: small PCB with flying leads for tapping the audio circuits
7. Replacement board aside an original keypad board (metal cover in place)
8. Replacement board aside an original keypad board (metal cover removed)

              These images were taken from the website [3].


* RF passive
* Conversations are recorded
* Remotely triggered activation
* Burst transmission
* High-tech FPGA-based design
* Hardware-based encryption
* 16GB Flash Memory
* Built-in rechargeable battery
* Invisible from the outside
* Almost invisible on the inside


The diagram below shows how the system worked. At the left is the Listening Post (LP) with a command transmitter and a receiver. At the right is the modified CryptoPhone IP-19 of which the keypad board is replaced by a replacement board of identical size, that contains the implant.

Judging from the type of antenna, the LP must have been in the immediate vicinity of the bugged telephone set. It seems likely that the distance between the LP and the target was no more than 50 metres and probably less. This means that the LP must have been in the same apartment, or across the street, or in a car driving by regularly to collect the intelligence.

Location of the implant

The implant was placed inside an IP-19 CryptoPhone in such a way that it was virtually invisible, even after opening the device. To understand how and where it was located inside the telephone, we will use the photograph of the interior of a regular IP-19 CryptoPhone (below) as a guide.

After removing the rear case shell and turning the device over (front panel facing down), we see two green printed circuit boards (PCBs). The largest one is at the bottom of the stack. It is fitted directly to the front panel and holds the contacts for the keypad. In addition, it covers the Liquid Crystal Display (LCD). In the image below this board is highlighted with a blue

The smaller PCB is the main board that contains the actual telephone electronics, the microcontroller and the firmware. It has components on both sides and is highlighted here with a yellow outline. It is connected to the keypad board by means of a 20-pin header in the bottom right corner. The side that is visible here holds the UTP connectors, the ethernet interface and two USB expansion sockets. The microcontroller and the audio circuits are at the other side.

The image above shows the reverse side of the main board. At the right is the 20-pin inter-board connector. At the centre of the image, in the yellow circle, is a small board (implant 2) that is not present on the original board. It is glued to the PCB and is used to 'tap' the audio signals from the microphone and speaker circuits by means of four thin green wires. The tap board is connected to the main implant (the replacement keypad board) by means of the three black wires at the top.

The main implant (implant 1) is on the large PCB and is hidden underneath the main board. It is fitted to a PCB which has the same outer dimensions as the original keypad board and is shown in the image above. The empty area at the left is the part that covers the display. The rest of the PCB holds the implant, and is normally covered by the main board. The actual implant is at the centre. It is a separate PCB that is soldered to the keypad PCB by means of short wires. When it was discovered, it was covered by a metal enclosure (removed here) that was printed with a serial number. This suggests that the implant was a volume-produced off-the-shelf solution.

Above the implant is a Li-ION battery pack that is connected to a 2-pin header. It is used to power the implant when the telephone set is disconnected from its power source. To the right of the implant are the audio amplifiers (for the microphone and speaker signals) and a circuit for charging the battery pack. At the bottom is the antenna by which the device is connected to the Listening Post (LP) outside the building. The LP had to be in the immediate vicinity of the bug.

When the telephone is reassembled, the implant and the additional parts on the replacement keypad board (implant 1) are virtually invisible, as they are obstructed from view by the main board. The tap board (implant 2) is also invisible as it is at the rear side of the main board.

From the available photographs it is difficult to identify the various components, in particular because the photographs are unsharp and the implant PCB is covered by a conformal coating. But some information can be gained from Andy Mueller-Maguhn's presentation on the subject [1]. All components have manufacturing date codes of April 2013 or earlier, which implies that the implant was made after that date. Furthermore, the dimensions of the board suggest a non-metric origin. The antenna is dimensioned for operation at a UHF frequency on or near 800 MHz.

Photographs (gallery B, 8 images):

1. Interior of the telephone with the front panel facing down
2. Reverse side of the main board, holding the microcontroller and the audio circuits
3. Area where a miniature board (implant 2) is added
4. Implant 2: small PCB with flying leads for tapping the audio circuits
5. Replacement keypad board with implant, batteries, antenna and amplifier circuit
6. Replacement board with implant (metal shield removed)
7. Replacement board aside an original keypad board (metal cover in place)
8. Replacement board aside an original keypad board (metal cover removed)


It is difficult to determine who planted the bug in the CryptoPhone IP-19, but judging from its professional signature, the choice of components and the no doubt high development cost, it seems likely that it was a state actor. Furthermore, to plant the device, an operative had to gain access to the premises where the phone was kept, which is not without risk. Taking into account that the United States wanted Assange for violating the Espionage Act and revealing state secrets, it seems likely the US Central Intelligence Agency (CIA) was behind the operation, probably with help from the US National Security Agency (NSA) and British intelligence service GCHQ or MI5.

It is unknown how long the device had been in operation before it was discovered, but this might have been years. The phone was first used from the UK for confidential talks with the German magazine Der Spiegel in mid-2013, in relation to the revelations of NSA whistleblower Edward Snowden. From the date codes on the components found in the implant, it is certain that it was made some time after April 2013. In theory it could have been inserted later that year or early in 2014, in which case it might have been operational for four years before it was discovered.

The device is partly based on an existing (NSA?) product (the actual implant in the metal case), but its carrier board -- the replacement keypad board -- is specifically made for this type of telephone. Such designs are typically made by the Tailored Access Operations (TAO) unit of the US National Security Agency (NSA) [6][7]. From the way the implant is installed -- implant 2 and its thin wires are glued to the main board -- it can be concluded that the intelligence agency responsible for planting the bug had to get access to the premises at least twice: once to remove the telephone and once to put it back. Such operations are typically carried out by the Physical Access Group (PAG) of the Center for Cyber Intelligence (CCI) of the CIA [8].

Block diagram

Below is an educated guess of the block diagram of the implant, based on information provided by Andy Mueller-Maguhn in a presentation at CCC on 28 December 2020 [1]. At the bottom is a miniature amplifier board (implant 2) that is soldered onto the main board of the telephone set.

The other part of the bug (implant 1) is a large printed circuit board (PCB) that replaces the existing keypad PCB of the telephone set. It contains two amplifiers -- one for the microphone circuit of the telephone and one for the speaker circuit -- a rechargeable Li-ION battery, a patch antenna (part of the PCB) and a rectangular metal enclosure that contains the actual bug.

The encapsulated unit is a sophisticated listening device that contains two field-programmable gate arrays (FPGAs), 16GB Flash Memory, an FSK modem and a wideband transceiver. Audio is picked up from the microphone and speaker circuits of the telephone's main board, amplified and digitised, before it is fed to an Actel FPGA where it is encoded and possibly also encrypted. The encoded audio is temporarily stored in the on-board 16GB Flash Memory device.

When commanded by a nearby Command and Control transmitter, the data from the Flash Memory device is converted to a digital wideband waveform, and transmitted as a burst via a built-in transmitter, via a patch antenna at the edge of the PCB. Also connected to the antenna is the Command and Control receiver through which the listening post (LP) can request the data.

The Li-ION battery, which is mounted on the large implant board and is recharged by the telephone, allows the device to deliver its data even when the telephone itself is disconnected. It is likely that the bug is controlled by a (virtual) microcontroller that is part of one of the FPGAs.


References

1. Andy Mueller-Maguhn, CIA vs WikiLeaks
   (website), 18 December 2020.

2. Ears and eyes, List of found surveillance devices
   Ears and eyes (website), March 2023. Chapter 14.1.1, pp. 62-63.

3. High resolution photographs of the IP-19 implant
   Bugged planet (website), 23 March 2018.

4. Wikipedia, WikiLeaks
   Visited 21 March 2023.

5. Wikipedia, Julian Assange
   Visited 21 March 2023.

6. Bruce Schneier, More about the NSA's Tailored Access Operations Unit
   Blog, 31 December 2013.

7. Wikipedia, Tailored Access Operations
   Visited 22 March 2023.

8. WikiLeaks, Vault7: Projects
   3 August 2017.

9. Jens Gluesing & Jorg Schindler, Jagt die CIA Assanges Unterstuetzer?
   Der Spiegel, 23 February 2023.

© Crypto Museum. Created: Tuesday 21 March 2023. Last changed: Tuesday, 28 March 2023 - 13:05
