Secure Phones: Not Secure, Wikileaks Hacked By TOP-SECRET Govt Implant, CryptoPhone IP-19
grarpamp
grarpamp at gmail.com
Mon Apr 3 17:13:00 PDT 2023
#OpenFabs , #OpenHW , #OpenAudit , #FormalVerification ,
#CryptoCrowdFunding , #OpenTrust , #GuerrillaNets ,
#P2PFiber , #GNURadioRF , #PrivacyCoins , #DropGangs , ...
https://buggedplanet.info/
https://media.ccc.de/v/rc3-11512-cia_vs_wikileaks
https://earsandeyes.noblogs.org/files/2023/03/list-pictures-en-2023-03.pdf
https://www.schneier.com/blog/archives/2013/12/more_about_the.html
https://en.wikipedia.org/wiki/Tailored_Access_Operations
https://wikileaks.org/vault7/
https://www.spiegel.de/ausland/mutmassliche-jagd-auf-julian-assanges-unterstuetzer-im-schleppnetz-a-403c1e32-939d-4534-985d-2dd8e30573d7
https://archive.is/mt4fT
Homepage
Crypto
Spy radio _________________________________
Burst <D7> [ Search ]
Click for homepage
encoders Bugs
Intercept Phones
Covert <- IP-19
Index
Glossary
Cameras CryptoPhone implant
Recorders
Radio Embedded covert listening device . 2018
Bugs
Microphones This page describes a highly professional covert
listening device (bug) that was discovered in
Earpieces March 2018 in Germany, inside a CryptoPhone IP-19 that
was used by activists working for the
Optics whistleblower website WikiLeaks [4]. It was used by
WikiLeaks for secure communication between
Concealments London and Berlin, whilst coordinating the revelations
of NSA whistleblower Edward Snowden in
Dead drops mid-2013. It was also used in the days that WikiLeaks
founder Julian Assange [5] was a resident of
Tools the Embassy of Equador in London. The expensive
high-tech implant was tailor-made ^1 and is
Stories attributed by some experts to the US Central
Intelligence Agency (CIA) or a related agency [1][2].
Software
Tracking CryptoPhone IP19 is a cryptographically secured desktop
telephone -- based on Implant with
Radio the Snom 870 -- that is marketed by GSMK in Berlin
(Germany). It enables battery and
PC encrypted voice communications with other CryptoPhone
subscribers only, using amplifier
Telex VoIP.
circuit (metal
Telephones
cover removed)
People One day in March 2018, the phone was brought back to
Germany to replace its
Agencies faulty display that had somehow been overheated. But
when it was dismantled, the
Manufacturers contents appeared to differ from a regular IP-19 and the
implant was discovered.
DONATE It was subsequently photographed and reported to the
police who initiated an
Publications investigation [1]. ^2
Standards
For sale The bug circumvents the device's strong encryption, by
connecting directly to the audio circuits.
Kits It is passive in that it does not transmit the
intercepted conversations immediately. Instead, it
Shop records the conversations in its internal memory. Upon
receiving a remote command, it transmits
News the recorded conversations (probably encrypted) in a
short wideband burst. This makes it virtually
Events impossible to detect and discover the device in a
regular bug sweep. * Location of the bug
Wanted
Contact It is difficult to determine the origin of this bug, but
given the fact that it is professionally
About us made in quantity and that it is tailor-made for this
type of telephone, it seems likely that it
Links was a state actor, probably the US Central Intelligence
Agency (CIA). Note that this covert
implant is not only suitable for the CryptoPhone IP-19,
but for every Snom IP-phone that uses the
same chassis.
* Origin of the bug
1. Partly tailor-made and partly off-the-shelf.
2. Led by the Federal Criminal Police
(Bundeskriminalamt) in Berlin. According to the German
Federal Prosecutor (Bundesanwaltschaft) the
investigation is ongoing under number 3 ARP
692/20-3. [9].
Replacement Implant Replacement Replacement
Implant Implant Replacement Replacement
keypad with board with board with with
2: small board aside board aside
board with battery implant implant
battery PCB with an original an original
implant, and (metal and
flying keypad keypad
batteries, amplifier cover
amplifier leads board board
antenna and circuit removed)
circuit for (metal (metal
amplifier (metal
tapping cover in cover
circuit cover
the place) removed)
removed)
audio
circuits
A
*
A 1 / 8
Replacement keypad board with implant, batteries,
antenna and amplifier circuit
A 2 / 8
Implant with battery and amplifier circuit (metal cover removed)
A 3 / 8
Replacement board with implant (metal cover removed)
A 4 / 8
Replacement board with implant
A 5 / 8
Implant with battery and amplifier circuit
A 6 / 8
Implant 2: small PCB with flying leads for tapping the
audio circuits
A 7 / 8
Replacement board aside an original keypad board (metal
cover in place)
A 8 / 8
Replacement board aside an original keypad board (metal
cover removed)
* *
These images were taken from the website Buggedplanet.info [3].
Features
* RF passive
* Conversations are recorded
* Remotely triggered activation
* Burst transmission
* High-tech FPGA-based design CryptoPhone
IP-19 - right angle view - click for more
* Hardware-based encryption
information
* 16GB Flash Memory
* Built-in rechargeable battery
* Invisible from the outside
* Almost invisible on the inside
Setup
The diagram below shows how the system worked. At the
left is the Listening Post (LP) with a
command transmitter and a receiver. At the right is the
modified CryptoPhone IP-19 of which the
keypad board is replaced by a replacement board of
identical size, that contains the implant.
Judging from the type of antenna, the LP must have been
in the immediate vicinity of the bugged
telephone set. It seems likely that the distance between
the LP and the target was no more than 50
metres and probably less. This means that the LP must
have been in the same appartment, or across
the street, or in a car driving by regularly to collect
the intelligence. * Block diagram
Location of the implant
The implant was placed inside an IP-19 CryptoPhone in
such a way that it was virtually invisible,
even after opening the device. To understand how and
where it was located inside the telephone, we
will use the photograph of the interior of a regular
IP-19 CryptoPhone (below) as a guide.
After removing the rear case shell and turning the
device over (front panel facing down), we see
two green printed circuit boards (PCBs). The largest one
is at the bottom of the stack. It is
fitted directly to the front panel and holds the
contacts for the keypad. In addition, it covers
the Liquid Crystal Display (LCD). In the image below
this board is highlighted with a blue
outline.
Click to see more
The smaller PCB is the main board that contains the
actual telephone electronics, the
microcontroller and the firmware. It has components on
both sides and is highlighted here with a
yellow outline. It is connected to the keypad board by
means of a 20-pin header in the bottom
right corner. The side that is visible here, holds the
UTP connectors, the ethernet interface and
two USB expansion sockets. The microcontroller and the
audio circuits are at the other side.
Click to see more
The image above shows the reverse side of the main
board. At the right is the 20-pin inter-board
connector. At the centre of the image, in the yellow
circle, is a small board (implant 2) that is
not present on the original board. It is glued to the
PCB and is used to 'tap' the audio signals
from the microphone and speaker circuits by means of
four thin green wires. The tap board is
connected to the main implant (the replacement keypad
board) by means of the three black wires at
the top.
Click to see more
The main implant (implant 1) is on the large PCB and is
hidden underneath the main board. It is
fitted to a PCB which has the same outer dimensions as
the original keypad board and is shown in
the image above. The empty area at the left is the part
that covers the display. The rest of the
PCB holds the implant, and is normally covered by the
main board. The actual implant is at the
centre. It is a separate PCB that is soldered to the
keypad PCB by means of short wires. When it
was discovered, it was covered by a metal enclosure
(removed here) that was printed with a serial
number. This suggests that the implant was a
volume-produced off-the-shelf solution.
Above the implant is a Li-ION battery pack that is
connected to a 2-pin header. It is used to
power the implant when the telephone set is disconnected
from its power source. To the right of
the implant are the audio amplifiers (for the microphone
and speaker signals) and a circuit for
charging the battery pack. At the bottom is the antenna
by which the device is connected to the
Listening Post (LP) outside the building. The LP had to
be in the immediate vicinity of the bug.
When the telephone is reassembled, the implant and the
additional parts on the replacement keypad
board (implant 1) are virtually invisible, as they are
obstructed from view by the main board. The
tap board (implant 2) is also invisible as it is at the
rear side of the main board.
From the available photographs it is difficult to
identify the various components, in particular
because the photographs are unsharp and the implant PCB
is covered by a conformal coating. But
some information can be gained from Andy
Mueller-Maguhn's presentation on the subject [1]. All
components have manufacturing date codes of April 2013
or earlier, which implies that the implant
was made after that date. Furthermore, the dimensions of
the board suggest a non-metric origin.
The antenna is dimensioned for operation at a UHF
frequency on or near 800 MHz.
Interior Reverse side of Area Implant
Replacement Relacement Replacement Replacement
of the the main board, where a 2: small
keypad board with board aside board aside
telephone holding the miniature PCB with board
with implant an original an original
with the microcontroller board flying
implant, (metal keypad keypad
front and the audio (implant leads
batteries, shield board board
panel circuits 2) is for antenna
and removed) (metal (metal
facing added tapping
amplifier cover in cover
down the
circuit place) removed)
audio
circuits
B
*
B 1 / 8
Interior of the telephone with the front panel facing down
B 2 / 8
Reverse side of the main board, holding the
microcontroller and the audio circuits
B 3 / 8
Area where a miniature board (implant 2) is added
B 4 / 8
Implant 2: small PCB with flying leads for tapping the
audio circuits
B 5 / 8
Replacement keypad board with implant, batteries,
antenna and amplifier circuit
B 6 / 8
Relacement board with implant (metal shield removed)
B 7 / 8
Replacement board aside an original keypad board (metal
cover in place)
B 8 / 8
Replacement board aside an original keypad board (metal
cover removed)
* *
Origin
It is difficult to determine who planted the bug in the
CryptoPhone IP-19, but judging from its
professional signature, the choice of components and the
no doubt high development cost, it seems
likely that it was a state actor. Furthermore, to plant
the device, an operative had to gain
access to the premises where the phone was kept, which
is not without risk. Taking into account
that the United States wanted Assange for violating the
Espionage Act and revealing state secrets,
it seems likely the US Central Intelligence Agency (CIA)
was behind the operation, probably with
help from the US National Security Agency (NSA) and
British intelligence service GCHQ or MI5.
It is unknown how long the device had been in operation
before it was discovered, but this might
have been years. The phone was first used from the UK
for confidential talks with the German
magazine Der Spiegel in mid-2013, in relation to the
revelations of NSA whistleblower Edward
Snowden. From the date codes on the components found in
the implant, it is certain that it was
made some time after April 2013. In theory it could have
been inserted later that year or early in
2014, in which case it might have been operational for
four years before it was discovered.
The device is partly based on an existing (NSA?) product
(the actual implant in the metal case),
but its carrier board -- the replacement keypad board --
is specifically made for this type of
telephone. Such designs are typically made by the
Tailored Access Operations (TAO) unit of the US
National Security Agency (NSA) [6][7]. From the way the
implant is installed -- implant 2 and its
thin wires are glued to the main board -- it can be
concluded that the intelligence agency
responsible for planting the bug had to get access to
the premises at least twice: once to remove
the telephone and once to put it back. Such operations
are typically carried out by the Physical
Access Group (PAG) of the Center for Cyber Intelligence
(CCI} of the CIA [8].
Block diagram
Below is an educated guess of the block diagram of the
implant, based on information provided by
Andy Mueller-Maguhn in a presentation at CCC on 28
December 2020 [1]. At the bottom is a miniature
amplifier board (implant 2) that is soldered onto the
main board of the telephone set.
The other part of the bug (implant 1) is a large printed
circuit board (PCB) that replaces the
existing keypad PCB of the telephone set. It contains
two amplifiers -- one for the microphone
circuit of the telephone and one for the speaker circuit
-- a rechargeable Li-ION battery, a patch
antenna (part of the PCB) and a rectangular metal
enclosure that contains the actual bug.
The encapsulated unit is a sophisticated listening
device that contains two field-programmable
gate arrays (FPGAs), 16GB Flash Memory, an FSK modem and
a wideband transceiver. Audio is picked
up from the microphone and speaker circuits of the
telephone's main board, amplified and
digitised, before it is fed to an Actel FPGA where it is
encoded en possibly also encrypted. The
encoded audio is temporarily stored in the on-board 16GB
Flash Memory device.
When commanded by a nearby Command and Control
transmitter, the data from the Flash Memory device
is converted to a digital wideband waveform, and
transmitted as a burst via a built-in
transmitter, via a patch antenna at the edge of the PCB.
Also connected to the antenna is the
Command and Control receiver through which the listening
post (LP) can request the data.
The Li-ION battery, which is mounted on the large
implant board and is recharged by the telephone,
allows the device to deliver its data even when the
telephone itself is disconnected. It is likely
that the bug is controlled by a (virtual)
microcontroller that is part of one of the FPGAs.
References
1. Andy Mueller-Maguhn, CIA vs WikiLeaks
media.ccc.de (website), 18 December 2020.
2. Ears and eyes, List of found surveillance devices
Ears and eyes (website), March 2023. Chapter
14.1.1, pp. 62-63.
3. High resolution photopgraphs of the IP-19 implant
Bugged planet (website), 23 March 2018.
4. Wikipedia, WikiLeaks
Visited 21 March 2023.
5. Wikipedia, Julian Assange
Visited 21 March 2023.
6. Bruce Schneier, More about the NSA's Tailored
Access Operations Unit
Blog, 31 December 2013.
7. Wikipedia, Tailored Access Operations
Visited 22 March 2023.
8. WikiLeaks, Vault7: Projects
3 August 2017.
9. Jens Gluesing & Jorg Schindler, Jagt die CIA
Assanges Unterstuetzer?
Der Spegel, 23 February 2023. * Cached
Further information
* Central Intelligence Agency (CIA)
* National Security Agency (NSA)
* CryptoPhone IP-19
* WikiLeaks founder Julian Assange
* NSA whistleblower Edward Snowden
* Other secure telephones
* Other bugs
Any links shown in red are currently unavailable. If
you like the information on this website,
why not make a donation?
<A9> Crypto Museum. Created: Tuesday 21 March 2023.
Last changed: Tuesday, 28 March 2023 - 13:05
CET.
Click for homepage
More information about the cypherpunks
mailing list