PBX Bugging

PBX Bugging

by R. Bernie Pritchard, MBA


This essay will examine PBX bugging. It begins by defining this attack strategy and discussing basic telephony. Next, it examines different types of bugging devices that can be used to conduct such an operation. The essay then explores several examples of PBX bugging and possible countermeasures. It concludes with a brief examination of future trends based on the changing world of telecommunications.


Is someone listening? Many employees of private companies and government organizations ponder that question every time they pick up the telephone. The answer is maybe, and if not there are several methods they could use to start. The US Department of State, in its annual Country Reports on Human Rights Practices for 1994, reported widespread, illegal or uncontrolled phone tapping by both government and private groups in over 70 countries. [3] Due to the sharp rise in corporate and economic espionage, businesses and government agencies are most vulnerable to a form of wiretapping known as PBX bugging.


A PBX or Private Branch Exchange is a private telephone network used within an organization. [8] The PBX connects directly to the Central Office (CO) of the local telecommunication company in most cases using trunks. Internal users of the PBX system can then share lines for internal and external calls, use features like voicemail, and even communicate with each other via extensions. [8] Therefore, PBX Wiretapping (Bugging) is an attack whose focus is to exploit weaknesses, allowing connected telephone instruments to be tapped. [2]

Types of Wiretaps and Bugs

Wiretapping is the basic premise of PBX bugging. The goal of wiretapping is to secure quality information and/or ensure successful exploitation of features. [1] Wiretaps can be broken down into four categories. A hardwire tap is when physical access is gained to a section of wire that the signal travels on. [1] In the case of a telephone line, a second set of wires is attached and data is transmitted to the listener. It is difficult to detect but easy to trace to the source. Next, is the soft wiretap. This involves the software used to run the PBX or phone system. [1] This method can give an individual unfettered access to all the internal properties of the PBX. Both methods are popular with law enforcement and intelligence gathering agencies. [1] Hackers can access the PBX via a modem, which is generally reserved for maintenance, and they prefer the soft wiretap. There is also the Record wiretap, which is simply used to record conversations using a recorder and hardwire tap. [1] Finally, there is a transmit wiretap which uses a transmitter connected to a hardwire to radio information back to a listener. [1] This type of tap can be especially difficult to identify.

A bug is a device, which is placed in an area which then intercepts communications and transmits information to the listener(s). There are five primary categories of bugs. An acoustic bug is the placing of a water glass, stethoscope, or rubber hose into the target area. [1] This type of eavesdropping requires no electronics. The ultrasonic bug is a technique used to convert sound into an audio signal above the range of human sound. [1] Next, is the RF bug. This is the most commonly used bug; it involves placing a listening device at the target site and transmitting information directly to the perpetrator. [1] Finally, there is the optical bug, which converts sound or data to a beam of light. This method is the least used due to cost and complexity. [1] Information on bugs is included to illustrate that these methods can be used in conjunction with or in support of PBX bugging.

Examples of PBX bugging

PBX bugging can occur in several forms including the on-hook bugging of hand-held instruments, open microphone listening, and exploitation of silent conference calling features. [2] On hook bugging uses the phone as an active bug; the hook switch is shorted in some way. [5] A listen-down the line amplifier is then connected to the line. This allows the listener to monitor audio in the room through the phone. [5] Additionally, cordless phones and private phone systems may have the functionality to monitor a room by pressing the correct sequence of keys. [5] Conference calling has eliminated the need for many face-to-face meetings. At the same time, it has required additional functionality in handsets as well as the software of the PBX. Using this feature can allow a listener to use the conference function to secretly listen in on conference calls as a member of the call. This occurs while the participants are unaware. It appears that many of the advancements in telecommunications meant to enhance productivity also enhance the threat of bugging and eavesdropping. In order to better understand this process, I have provided two distinct examples.

From 1989 to 1991, Kevin Poulsen monitored his girlfriend, associates, and federal wiretaps using Pacific Bell's COSMOS system. He was able to take control of the system remotely. Consequently, he was able to determine which lines serviced by Pacific Bell the Federal Government tapped. [7] Another example of such activity occurred while President Clinton was in the White House. It is believed that Israeli intelligence sources placed agents at a local telecommunications company. The FBI asserts that they used sophisticated means to listen to conversations from remote telephone sites, and may have had the capability of providing real-time audio feeds directly to Tel Aviv. [6] The nature of this type of activity should illustrate its serious implications to national security.


Speech scrambling is a tactic that can be used to counter bugging. Speech inversion is a variation of this and works by taking a signal and turning it inside out. [5] Encryption is the ideal method and is much more robust than any other form of protection. [5] Voice encryption occurs by digitizing the conversation at the handset. [5] Using this method requires the listener to have the ability to not only wiretap but also decrypt the intercepted information. Removing multi-line analog sets from the PBX is prudent; these phones should be placed on individual POTS (Plain Old Telephone Switching) lines that are unassociated with the PBX. To protect against unauthorized recordings of conversations, experts suggest a technique called "band masking" where noise is played into the line to prevent recording. [5] Finally, telephone cables should be shielded to prevent RF bugging. [5] While not 100 percent secure, these techniques coupled with proper training for network and telecommunications administrators should help reduce the risk of PBX bugging.

The Future

New technologies, such as computerized voice recognition, are being used by U.S. intelligence agencies. Voice Recognition is primarily used with cellular phones, however as organizations employ more wireless voice and data infrastructures, such technology will become more germane to this topic.

Wiretapping capability is already built into many central office telephone switches, and the government can require carriers to intercept or report on communications by request [4]. However, these requirements do not apply to corporations that use PBX systems. [4] Interestingly, as voice, data, and video converge, they will use the Internet as the medium to communicate; the question of wiretapping may become less pressing. However, there will still be opportunities to exploit legacy TDM (Time Division Multiplexing) based PBX systems via the methods mentioned earlier, as well as new methodologies for breaking down the encryption used to transfer data over the Internet.


Finally, we must acknowledge the ongoing debate regarding the constitution and right to privacy. Today, it is illegal to eavesdrop on conversations without consent of the party or a warrant. It is also unlawful to manufacture or sell such equipment in the United States. Nonetheless, it takes little effort to acquire such equipment via the Internet. This issue will continue to be fueled by the war on terror and legislation like the Patriot Act. Needless to say, the government will continue to seek ways to gather information, as they deem appropriate. PBX bugging is not a new phenomenon. Consequently, it safe to assume thieves, spies, and the government will continue to develop the capabilities and means to accomplish the goals accomplished today via traditional PBX bugging.


[1] Atkinson, James. "Types of Wires, Bugs, and Methods" Granite Island Group-TSCM 2002 http://www.tscm.com/typebug.html

[Information on various types of Bugs and Wiretao]

[2] Cohen, Fredric; "The All.net Security Database" http://all.net/CID/Attack/Attac k51.html


[3] "Wiretapping" Securecom.net http://www.phone-tapping.net/in dex.html

[Group serves to inform the general public on wiretapping technology and abuses]

[4] Duffy-Marsan, Carolyn. "Internet Community debates Wiretapping". CNN October 1999 http://www. cnn.com/TECH/computing/9910/19/ietf.wiretap.idg/

[Article focuses on the changing environment of telephony in terms of surveillance]

[5] "The Whole World is Watching" Felons.org http://www.phone-tapping.net/in dex.html

[Article is similiar to those in this class, examines PBX bugging in greater detail]

[6] McCullagh, Declan. "Politech: FBI probing Israeli wiretapping at White House" Insight Mag May 2000 http://list s.insecure.org/lists/politech/2000/May/0015.html

[Example of PBX bugging in the White House]

[7] Mason, Aron. "The Internet: The Promise and the Perils" Freedom Magazine. http://www.freedomm ag.org/english/vol2704/crime.htm

[Example of PBX bugging-PacBell]

[8] Webopedia.com http://www.webopedia.com/TERM/ P/PBX.html

[Definition/Technical Information on PBX]