 Okay What come a teeny? Shaken or stirred Do I look like I give a damn? This was a game changer in James Bond casino Royale and so is modern technology in Modern microphone box Veronica Valeros and Sebastian Garcia both known from various Conferences like black hat or a cup party will tell you about the current situation and about the current state of microphone box Please welcome with a very very warm hand applause Spy versus by a modern study of microphone box. Thanks Hi everyone A lot of people here So first of all, thank you to the CCC to the Congress to the translation team For us is super awesome to be here. We're a little bit nervous. So We are eager to show you what we did I'm Sebastian Garcia. I'm from Argentina. I'm co-founder of the mates lab hackspace and usually my day-to-day Life I work as a malware and network security researcher using machine learning in a university in Prague And that's it So I'm Veronica. I'm also from Argentina and also co-founder of the hacker space mates lab and My daily job is nothing like this. I'm a threat researcher doing network traffic analysis. So We are here today to talk about microphone bags How to operate them and how to take them so we have a lot of material to go through So we are really eager to start so So spy versus a spy a modern study of mick bags operation and detection This is something that we start working like two years ago We were trying to see okay We don't know much about these probably few people know much about these and there is quite a black hole in there for us So say hey, we should get into that and see what it's the reality for us in this topic. Yeah, and everything started when We heard that Chinese artist Iowa way phone microphones hidden in the electrical sockets in his common studio back in 2015 This was shocking for us. I'm sure many of you heard this This story this was shocking because It was believed that the microphones were planted in his place back in 2011 when he was in jail, so There were four years of Time between the planted devices until he found the devices and four years is a lot of time for people To hear all your life and conversations and stories that go around your life. So we were shocked like How how is this we thought that this technology was old and deprecated and this was not used anymore, right? And we were wrong. So we stopped saying well why we don't hear about this anymore So we started digging news and there were a few other documented cases like the in this was that had a little political emphasis because they found a Bag in the Ecuadorian embassy in London and of course In these type of cases when you find a bag in London who can place a bag in London, right? So it was had like a strong political implications, but These cases is not that microphone bags are not used anymore is that people just don't speak about this freely so the documentation and And information available around these type of things is not freely and available and another thing is that It's it's very It's very hard to actually know that you are back, right? So it's very critical Yeah, and even if you find it most people maybe it's not telling others that they were back So the information is scarce and scarce every time there are few cases that are publicly available like this one Yeah, and we were we were thinking at this point. Okay What do we know about microphone bags and we found that most of the things that we know is From movies and TV shows and when your information Comes from movies and TV shows that's not very nice, right? So we started to dig more and more so we want to do this like a formal research like As thought it was possible. So we started as every research starts with that kind of What it was done before what information is available from the past and we did like okay Take the last hundred years and say what was there and in here We kind of highlight some of the cases that we found interesting of course there are hundreds of them So these are some of the ones that we like the most This one was invented in Russia it was Called the great silver or at the time it was known as the thing, you know how much people knew about this that they call it the thing It was very interesting case because it was planted in the US embassy in Moscow And they took seven years to find it Because it was planted in plain sight just in a room There was there was a gift for the embassy. So they put it there on the wall, right? And it was found by accident because some people was Some person that was listening to the radio Phone that actually he was hearing conversations that were coming from the embassy, but he was outside So he was like asking what is going on. So they started investigating and they found this So when they opened this thing When they opened the thing they found that there was no butter in there only the the microphone and some pieces of electronic So how did it work if there was no buttery if it was alone in the embassy for seven years Does anyone here have any idea how this meek work at the time? Anyone want to show it? Oh, just just showed what do you think? Exactly right wireless energy. So thank you very much. So the idea was that somebody from the outside was a meeting electromagnetic energy frequency right into the embassy into the thing Powering up the thing and then the thing was there Capturing the sound converting this into electricity modulating frequency antenna and transmitting back. They call this Illuminating the embassy, right? They were pointing electromagnetic frequency. So Yeah, the people between these inside this information area didn't feel so happy at the time So you can see that this is like NFC near field communication technology the same that we are using now You transmit some energy wireless. Okay. Maybe it was not near field. It was very far away field communication But it's the same idea right so the technologies not new it was the first time that we saw they were using it like that Yeah, so after they found these Americans, of course took the idea and they created something very similar that is called satir It was just a copy of this and this was after the Second World War 1940 something so and this was kind of novel because it didn't require energy, right? But few years later the transistor was invented so things started to shrink and that was a technological advance on the field and One example of this is the KGB bag. It was this generic as we found it If you can see that it's really small is seven centimeters long It has like two pins on the bottom Where it was a power supply one pin in the top for the antenna and the small screws on the middle were For tuning the frequency. So that was also innovative and the small sides make it really portable You can see there that the number we thought it was the serial number which It's pretty large, but actually somebody told us that the first two numbers was the year So that's supposed to be from 1964. Yeah, so this was not the only thing small that was invented in around these These dates this was a model TY 5748 This was a invented in Czech Republic or the old Czechoslovakia. It's a modular microphone So it was very noble by the time Every little cube have different functionality. So you can assemble it in with different combinations and the small kids have like Functionalities like one of them can be conhome whatever that mean at the time So it was it was kind of very clever and we found some magazine that All magazine that explain how it was used and you can see here that they made like fake wooden box Where there was a microphone and then the the pile of batteries That it needed to to power it up and it was placed under the table So how many of you would check under the table like daily? Yeah This can go and it acted like for very long It was very clever and you can imagine how many of these you have to use to start making the modules right like like Object or oriented spine or something. Yeah, so another device that was very interesting because all these different microphones and we will see in the future presentations that It's a problem is how you power these microphones to last very long time, right and this was It was very nice. It's called OPEC It's because of the it was a phone in the offices of the OPEC is Organization for petroleum something it was fun in Austria in the 70s And if you pay attention to the image, it doesn't have pins for power supply, right? So it takes A very interesting twist and this is a microphone that you place near electric wires So it's powered up by induction electrical induction. So you it makes it really Interesting because you can just put it in the wall and or near electric wires And you know where they are and it will stay there as long as you want it Very clever way. Yeah again NFC in another way, but super super interesting twist. Yeah So this is from an old magazine from the 80s And the idea here is to give you a hint of how many ways they are there to spy people by using audio In in a room like these so there are plenty of those the technologies These are super old and you can see that they are yes using the telephone But also microwave and also monitoring the typewriter key. So this one now it's called Back monitoring typewriter key sounds is called keystroke dynamic in in the area and they were doing that with sounds Long time ago and you can have also from the windows Redirecting frequencies in there. You have also all the places to put them the microphones that we are going to study today So this is all but there are plenty of ways of doing is including they are the laser pointing in the window From the 80s, right? Yeah, and all of these or many of these were trying to solve the Power supply problem, right? So the typical uses is in our inside phones or in the Electrical sockets why because you need like you have free constant supply also with the lamps and so on these are typical locations Using the past and still now right, but this is this is kind of old technology Right now we technology advanced right and we went to why put a microphone in your in your home If you I can infect your phone with malware And I know the phone will be with you all the time and I can listen to all conversations So Finn Fisher is one of the the fault. Let's say most use malware for these It was very well documented different cases But also there were right now other clever solutions like lasers Yeah, this is a new technology that they are already they are Pointing laser to mist in the air So what are molecules in the air floating and while you are talking and you are close to this mist They're pointing a laser to that and they can then hear you back So there are a lot of new things that are going on, but we are going to focus in Days, but the fact that a person was four years had the microphone in their home Without detecting it that was something that we thought that we needed to focus instead of this right So we wanted to get our hands on the technology we wanted to try it on we we read some stuff Oh, we wanted to prove it for ourselves how it work how it sounds how was the audio quality and so on so The spectrum of different microphones is huge. So we wanted to focus on something concrete It's like a baby step on the research. So we focus on FM and GSM commercially a viable Microphone banks, but that also they are wireless and they are also Stationary that means that they are microphones designed For to to be put in a place and be left there, right? You put it on the electrical socket and you just leave it So there are other type of microphones that do not feel this characteristic So we focus try to reduce this cup somehow in this direction We started looking in typical ways Amazon eBay and other sites for microphones This is one of the first one the F 908 it it's very small as you can see in the video it has a Plastic case it has the For power supply and I'm ball battery, but it has a very long antenna So all these movies I'd say yeah, let's fight. Let's hit a microphone. They just put it there Well, you still need to hide antenna so So that was it's a very interesting model We we try to buy we have a limited budget, so we try to buy like different models that have some differences This one was around 33 dollars US dollars and it has an advertised range of 500 meters Another model was this micro spy it was we wanted like the smallest thing that we can find and This works in the same range of frequency same power supply Is half of the price doesn't have the case battery, but You can see there that there is a microphone The socket for the battery and also the very long antenna and even this this microphone you can see that it's really small but You need to put the battery which is This big right so it's not that big that that small anymore. You just have to hide the whole thing Another example that we bought Is a ear one this have is very similar This has for adjusting the frequency as well the same range advertises 18 US dollars and The only thing different is that he has like this cable for putting the better battery Which is is a bit easier to kind of place it on height because you can stretch it a bit more Right. It has also a very long battery. Sorry antenna We wanted to also find things okay, these three models were models that Of microphones designed to be like spy microphones, right? And we started to think what kind of devices could people Normally have at their homes that can use for a spy microphone. So we found this. This is the VEVRA BY04 These are baby monitors that work on FM frequency for some reason This is very interesting is it's more expensive the frequency is higher 800 megahertz and Advertise range is 800 meters because it seems that it's kind of common just to leave your baby and just go 10 blocks away, right? So I'm not sure why it It's like that so We wanted to also try some variety and we bought this mini a 8 is a GSM Microphone so it has a place for a sim card has battery In there has cost like ten dollars and Is GSM so you can call from anywhere in the world and you can listen to the conversations where the microphone is planted and Also, you can configure it for To automatically detect a conversation when it hears noise it will automatically call you back and you can Respond and you will hear what is going on. So it's very clever. It's a small But it's a different technology. So it's not FM and the detection is different Yeah, and this is what's a huge advantage I know so you can put it anywhere in the world and call that it's quite improving in range and also you can actually Wait for somebody to make some noise, right? So this is a total different way of listening to others. Yeah so This is kind of a summary of the comparison of the different models The the three FM ones who work in the same kind of frequency the the baby monitor works in a bit Different frequency, but it's kind of the same It has more range advertised and you can see the difference in prices. It's kind of commercially accessible, right? so The next step was let's let's try to hear them, right? Let's try to to see how it actually works so we started doing experiments of listening and We we were doing this in a normal neighborhood And we found that there was actually several blocks away. You can hear perfectly the the microphones of this Typical movie that there is a van in front of your home Hearing does not need it actually you can hear from 300 meters away and it's perfectly fine So that was that was very interesting Their first experiment on yes, and all the microphones were having this feature I saw usually you don't need to be less than a hundred meters away Like this is perfectly hearing unless you are inside some iron box. There is there is no need for that Yeah, of course the more buildings that maybe the audio quality differs, but it's actually perfectly fine So we wanted to do as I say in the in the in the beginning as sort of as possible so we documented all these experiments Is everything all these tables are in the paper you can read later. This is one of the experiments where the the bag was Stationary in one place and the receiver was 300 meters away and getting closer. So we were recording the audio quality and most of the in most of the cases it was very good quality and Also in the I think the best case was where the distance was 15 meters and the person was five meters away, but even with 300 meters away. It was not that big of a difference. So that was very interesting for us to find out like a first field experiments We forgot the big Lee at the beginning you want to take the big Lee to see the slides Yeah So so super fast, but we forgot if you go to that link at the beginning beat Lee slash spy 34 C3 you will see the slides in your computer moving with us So you can actually see click and copy the images and everything better than in here, right? Sorry for God okay so there So based on these first experiments of only listening, right? We started to understand more like and these are some geolocation remarks Which are really interesting because an attacker needs to be close, right? And this is good for you and it's also really bad for you for several reasons first is good for you because it filters Your kind of attackers population It's not that anyone in the world can attack you right is the attacker and you have to be sharing the same kind of Physical space or city or or or neighborhood? So that's kind of good for you They they is bad for them that they need to be close because you have more chances to kind of spot them like suspicious behavior But it's also bad for you that they are close because they are physically Close to you right? They is it's it's a it's a different kind of A threat yeah, so this is this is not good and With other type of threats even dropping threats like malware infections anyone in the Internet can help you right? But in this case You need to have people that people conduct need can help you need to be kind of also close Geographically, so that's not very good for you another remarks We try to do a battery autonomy validation, so The different devices have advertised battery duration. I for example the micro spy has advertised battery of 168 hours The we tried it to leave it there and it's in most of the cases It was lower than advertised the only two cases that was accurate was the ear one Was around hundred hours and the gsm one which was two hours That is really Small time even the hundred hours is really small imagine that when the battery is out You need to come back and just change the battery So you need to have physical access to a place and that gets things really complicated Yeah, and this is related to how you are targeting your operation if you want to put the microphone You have to know where and what you want to listen to whom it which place because your window of opportunity super small So this is a good new idea of okay. What can you do with which microphone? It's not that you can just use any microphone, right? Yeah, exactly We wanted because we work in our daily lives working on a lights in malware We wanted to make some notes on the whole this is different from malware Why would I choose malware to infect your phone or why would I choose to place a microphone? and when you try to infect someone with malware imagine that you don't have physical access to their phone you have to Plan a phishing campaign you send a leak to somebody and the successful Infection is not warranty the guy my clique or the version of the operating system might be wrong or something can happen And infection is not successful And also you cannot choose the time right like yes You are trying to infect somebody but you never know when it's going to be infected can be today tomorrow or in a week And actually are there a lot of casualties around like they are not the people you wanted to infect So it's not straightforward to do this. Yeah, and also when you find the malware, right? Imagine that you are analyzing some mobile device and you find the malware you can You can analyze the malware you can reverse it you can find the malware live traces, right? And and you can use that to know who the attacker was ideally or have some idea Well, you know that something happened right because the malware is there happen in the case of the microphones if the Operation was successful. You can go there and the microphone just take it out and there is no trace at all You didn't know it happened. So that was kind of big differences and also People from the internet as we say before can help you with malware with the time with it with the microphones. It's not that easy so a big Warning here like we are trying to think about which is the difference between these commercial available microphones and the not commercial available microphones We don't have access to these not commercial microphones So we really don't know how far away they are in the technology of Microphone bagging right now. Our ideas are that First is the choice between electricity or battery So if you want to listen a specific conversation Maybe with battery you are okay If you need to listen everything that it's been said for a long time Then you need to plug to electricity and this constraining eruptions a lot And then we have a problem with the transmission or storage a lot of microphones if you look at the Okay, so we we don't know what happened with the microphone that was fine But I way way, but if you look at it it looks that there are several Modules there is antenna and the battery and the microphone and there is another box that maybe is a storage We don't know of course So the idea is that you can store The audio in sd car or something like that So this is good because you are not transmitting so you are less prone to be detected However, you have to come back and get the sd car. So depending of your Availability to get into the premises you can use storage or not There were versions of microphones that were having the microphones inside the room and then a cable To the module that was transmitting like from 50 meters away So this is like a hybrid option, right? You have the microphone You are transmitting in real time, but from the room there is no detection of this transmission And then it's the thing of okay There is one time conversation like we said or versus I want to listen at all and finally how much access you have to the room So depending of these variables is your peak between maybe okay this is something I can do with a commercial available or This is something that maybe some people can do with the not commercial available microphones out there Yeah, and one thing that is important to have in mind is that when we think about microphones Or at least when I thought about microphones like two years ago I The first thing that I thought it was governments right governments putting microphones in your home But actually all these commercially available microphones are not used by governments. They are used for intellectual espionage Wives or husbands trying to find if the other partner is cheating on them and all these type of things that there is like a lot of variety of Usages that goes around this this technology and that's why all these type of things like coming to place So right now we are heading into the part of the presentation that we were talk about detection but Please if you really are in a life threatening situation We we recommend to just contact like a professional company where do they do? Professional swiping of devices and they do these for a living right so just Yeah, be mindful. So well, yes, there are a lot of companies that are actually doing this for living and they're very good The problem is that imagine that you have some suspicion that maybe it's somebody's bugging you You may call one of these companies But then the other day you have the same suspicion in your office or your room or your car So it's not easy to call them the work can take up to ten ten hours, which is a lot and it's super expensive So the problem we saw is that there was no room in the middle for any quick tool that you can use and adjust and hack a Little bit and modify to make your everyday detection in any place you go So this is why we created the salamandra salamandra is a free software tool. It's SDR base So for the fine radio base and you can go there You can download it and the idea of salamandra is to make the detections of hidden microphones around you easier Something that you can go download the plug this year USB have some detection around you and then you have some idea of what's going on The other problem is that if you buy one of the big hardware equipment for for spy microphone detections It may be suspicious if somebody's looking at you They will notice that you are buying this which is telling them that actually you know that you are bad Which is bad for you again So the less they know and the more you know it's better in this case It's just a software you download it USB and you have an idea of what's going on So this is the type of device we are using is very well known as their basic device It's a TV Turner that you can buy from Ten dollars online and a lot of people has been using it for years for SDR so we are using one of these devices like this one I have in here is the same and Salamandra is actually in the background using a tool that is very well known tool called RTL power it's one of the tools that is Reading the information coming from the USB device and it's converting this into power levels and it's giving you from a range of Frequencies the power levels detected by the RTL power tool So Salamandra is reading these power levels and it's working with these for detections So which is the basic idea behind Salamandra for detection of hidden microphones? It's taking the power levels in this case you have here normal FM radio This is the transmission the frequency where it's transmitting and it's taking these Peaks and it's actually counting them. So when you plug a microphone, you will see this So you can see that there is much more noise in the frequencies And also you will see that there are a lot of peaks around this is because you are usually close to the microphone So the closer you are to the power source the more spurious frequencies you will find the most noise around and You will see other Frequencies being also having this peak of power. So if you move away from the microphone, you will see that these Frequencies are going down and there is only one frequency the frequency which the microphone is using for transmission So we are using this idea and counting these noise in a sense to know how close or far away You are from the microphone. So in here This is an idea of putting a threshold that it's the blue line and then we are counting how many peaks are Over this threshold. This is super basic idea It's not a new idea probably but it's a very simple way of reading very fast a huge range of frequencies and Finding if you are closer or not to these source of power Frequencies this is helping us to split and separate between the FM radio station That is super powerful, but it's far away against the microphone that is super small and less powerful, but it's close to you so We run several experiments because as Research background that we have we wanted to know, okay, which is the best threshold for this So this table is showing the first two thresholds That means the high of the power level that we want to detect that is the first column And the second column is the amount of peaks that we are counting Okay, these two values are the values that we are modifying to know how good or bad It's the detection. So we run 85 experiments with different microphones different setups different thresholds in different situations scenarios rooms train in the street and then we count Okay, there was a microphone. Did you detect it? That is a true positive If there is a detection from the tool, but there is no microphone that is a false positive, right? And then if there is no microphone, and I'm not detecting it I'm having a true negative in there and if I'm saying oh no, there is no microphone and there is in reality that is called a false negative So we count these errors and then we compute some numbers We call them metrics to know which is the best detection, right? So the third column we call it the F measure ratio This is a balance between the accuracy and the precision and then we have the false positive rate This is a ratio of how many times you said oh, it's positive There is a detection and actually there was not microphone and then the accuracy the precision and the ratio of true positives The times that you have a good detection So we count all of these and we found the best solution for us To compare we also bought these two that is called the ghost. This is a hardware detector You can also buy online for very very Small amount of money and this is a tool that you can press a button and you can see if there are microphones around you So it's one of the easiest way to have some also some hardware tool to help you So we were comparing salamandra with this tool. This is the line you can see there the ghost This is the performance of the ghost and this is the performance of salamandra So the best setup for us is the last one where we have some 73 percent of F measure This is pretty good and they have 11 percent of false positive ratio So this means that we lose some microphones So there were situations where we say oh, there's a microphone and there was not and there were some situations where we say Here if if measure, okay here, right there were some ways to say Oh, there I think that there are no microphones around me and actually there were so this is showing that no tool is perfect And you should modify the values until finding whatever is best for you, right? So this is not perfect There are errors you will have situations where you are not finding the microphone with any tool and you will Situations where you will say oh, there are a lot of bugs around me and there are none even with the hardware one So the good thing about salamandra is that you can key on these parameters And then you have a better detection and actually you can find the zero percentage false positive Which means that there were no no errors if you want, right? So using salamandra. This is an example. Let me show you salamandra running So one of the good things that we thought about salamandra was that in the detectors hardware detectors like these Like the cost you need to be pressing the buttons in order to be able to have a detection or not And you cannot just be pressing the button all the time, right? so the These type of softwares make it that you can leave it running and then you just Go to work and come back and try to see if there is a difference or not So here this is the basic interface of salamandra now. It's running. It's running in some frequencies and Now there are no detection and then this is the first bug I was showing you I'm going to plug it to the to the battery and now this is pouring on It's taking my voice is converting into the the the antenna frequency in transmitting around and then here I have plugged the antenna of the USB device and there you can see that there is there are some detections already so you can see That there is the time of detection. There is the frequency 113 megahertz and then those Sharp signboards is telling me how many of the peaks are in the frequency that I will detect So you can see there that there are more and then there are less right Which means that I'm closer to the source or I'm farther away, right? You can see there there are more of them more of them and I'm moving away There is a time delay of course in there Until there is no more detection because I'm so far away. So yeah, so this also Brings a problem that is not that you just going to a place and put a microphone, right? You need to think about the interference of devices that are there and it's like really complicated so The good thing about salamandra is that you can walk around and you can see what's going on all the time Continually and you can record it. So you can go and see. Oh, there is some frequency here. I don't like Because you have devices at home, right? You have TVs and you have Radials and you have phones and you have a lot of things going on So it may happen that in some situations you are picking another frequency, right? So yesterday, for example, I was walking around and trying to see what's going on if I walk in there in the Congress And actually I was surprised that there were no detection. So salamander was not picking up any hidden microphones Which is good and then I Start having some detections in the frequency of 400 something This is usually used by the radio people that is speaking with these radios So I say oh somebody's speaking actually so I will try to see what's going on with this So I keep walking around and actually start to try to find them, right? So okay, where are they so I was walking around until I was close to the place that they were Transmitting because I can see the amount of noise they were generating. So in a sense this can be used to pinpoint any type of emitter, but we are focusing of course in the hidden microphones So what salamander why salamander is different to others first you can walk around you can find different places You can do it for a long time You can leave it running during the night, for example, which you cannot do if you are pressing the button of the hardware detectors You you you don't have to be there doing it So you can detect but more importantly and this is super new because we don't know any tool that was doing this before you can Locate microphones detection tools there are a lot like hardware ones software I don't know anyone any tool but more importantly This is the first time that we saw a tool that can help you locate. So of course what we are doing here. It's some kind of Translation from the amount of peaks in the frequency to the distance which is not accurate, of course These are not matters or centimeters. It's just an estimation but it's helping you know if you are far away or not and second the idea is that you can use RTL power to actually store The audio profiles in these power levels and this is a file So you can send these to anyone in the internet to help you with salamander or not to see if you have a MIG at home and this is something very new you can do this in any room and then send the file to other people that actually Can help you know if there was something we are around and finally you can profile your environment You can take a measurement today that you know there are no bugs and then take it tomorrow or in the night Or in a special situation and then you will see the differences because remember that you have the TV and the telephone and your neighbors Phone so if you know your environment you will notice the differences. Okay, so Real life experiments. Yeah, so Again, we wanted to make this research fun for us not only like all these experiments and numbers so we wanted to try them out and to to kind of The sign experiments like okay Let's let's think that one of us is the victim and one of us is evil So I will be the evil one planting devices and he will have this salamander tool trying to detect them So the methodology of the experiments were something like this the the seeker that is in this case Sebastian He will go out of the room and I will get in and I will hide a microphone or not Right and then that he gets in He starts picking some passwords not real ones or Yes keywords right and I will try to be Listening to this to try to measure again like the accuracy of the words and the listening quality And then we will measure two things The first thing that we will measure is the time to detection which is do I know if there is a microphone here or not? And then we will measure the time to actually find the microphone that was hidden So that that is two completely different things, right? So we will we wanted to know how hard it is to actually find them And then we will measure what we call the recall which is he mentioned Certain amount of passwords are critical words So I will try to write them down and then the recall is a amount of passwords that I heard Over the total passwords that he is spoken so we can this way we can we have some measure of how to compare these Experiments we did several like this and here is a small table comparing them In the in this case in all the cases we were hiding microphones and We were finding them which is good with news the time to detect was All in almost all cases like really short like in a matter of minutes you can save with a Certain level of certainty that there was a microphone But you can see the difference between the detection and the time to locate them. It was like kind of Takes far more time to actually find them, right? and We also measure The the recall as we saw the the amount of password spoken over the passwords that I could listen and This was in only one case. It was 100% In all the other cases it was the amount of passwords that I could listen properly were very low compared to the password spoken Yeah, and you can see there that there is one experiment that it took 25 minutes to look to detect and Then we found at the end that actually the microphone was running out of battery So it was not transmitting all the time and it was super frustrating Right, there are no detection like no location even the ghost was not detecting it and then at the end it was super amount of Frequency energy going out of the microphone signal and salamander detected so there was a detection 20 minutes after that No location, right? I was not able to find it because it was poor off because yeah So sorry, and you can see that there were no password listen there So I was saying password but but there were no password being listen Which is super good for the for me in this yeah And and and you can see how this this make it difficult if the password as the as the thing or the great seal It was not a meeting anything you can actually not find it because it's not a meeting anything so this is this was very nice to compare and here are some pictures of the best locations that I found to hide the microphones This was actually From the example of the Czechoslovak bug. So I hid it under the table. It looks like a really long to find It was kind of the last stone left in our place We were almost Sebastian was almost starting to kick off the wall So it was it was very fun And it was it was very interesting to see the To understand like the logic of the people where are the typical places where you go to search and the other places that you just Keep for granted that there is not there because the signal is bouncing around So the problem is that you may have good detections in two places in the room So it's super easy to say oh it's here and start Breaking everything apart, but maybe it's not there right so it was super difficult to come down Okay, this is the place. I really think it's here and then searching around you right so detection It's at most one meter around you. So it's actually a lot of places if you think about it Okay, five minutes. Yes. So another Place that was very very hard to find was this one. Okay, so so we can ask. Do you know what is the microphone in there? It's a whiteboard in case you yeah, it's a whiteboard and This was this was very interesting because it had like a little thing that you can open and hide it there So it was very fun because I took someone's forever to find and it was it was very fun to see People searching for it and not finding it because it was again just in front of people's eyes, right? It was very clever. So also be in front of a whiteboard is a very nice location because the people is having talks in there Yeah, maybe very interesting talks. So conclusions Hiding a microphone in my experience was very hard because it's not that you hide it in in the bathroom or in the kitchen, right? You have to know your target. You have to have physical access You need to know where the convert important conversations happen, right? So and what what is what you want to find out? So you also need to sort the problem of the power and you need to understand the behavior of the people Yeah, and even if you have some locations that you want to hide remember that yes You can put it underground and nobody will find it, but you are not going to listen So the location is super hard because you need to listen and not to be found So this is something that it was very very hard I was moving around half of the house and it was not able to find For a long time. Yeah, so the take shown with salamander is really fast You can see that it was a matter of minutes and listening was hard. I think we have some examples here Yes, we can quickly play. So, yeah Do we have audio? Yeah No, can we have it out here from the computer? Thank you. So this is with music we are trying some FM music in the background So you can see how it was kind of you can hear the voice you can see that someone is talking But in you can hear the music as well but in and it is believed that 50 years ago putting radio on and then Speaking was a technique to kind of not making people not able to listen to you But with current technologies. This doesn't apply any no any longer. So we ask Fermin Valerius to help us cleaning this audio with computer. You can see it's much more cleaner, right? No music Okay, so yeah, so basically the point is that you can kind of really quickly this was half-hour work and And it's really easy to completely remove the music, right? So it's not that you should not put music But it's you should not believe that music will cover up for you because it's that's not longer Imagine if you have resources and a large organization. This is very easy to do, right? So don't trust any noise around you to do this. Yeah, so be more creative. Sorry. There you go. Yeah So we believe like for closing this up We believe that this or work I have like tricky contributions first that We did a systematic research on the usage and performance of these bags And we haven't seen any other work doing things like this We hope that after this talk you just get your Is here and you try to do stuff like this with other mothers Maybe I don't know your grandma has a microphone that stores somewhere so you can try it out We have the first as your base Meek detection tool Use is available on github And we have the first real-life experiments documented That can be used to compare with other technologies and you can use to actually Yeah, learn and compare with other things So before concluding yeah, I Want to say that we are going to give now to the people here We have one sdr usb sdr that it's for you So and now at the end of the talk we are going to give to somebody there So be prepared for that and remind us. This is for you Second can can you give us please the microphones that were there? So so yeah There are spying microphones, but we want them back. So remember to bring them and To conclude we can say that audio is dropping. It's a real threat. Don't be fooling here. Yes. It's not straightforward Yes malware. It's easier in some ways. This is still happening as happening as far as we know So be be aware of the threat Now you know how at least commercially available microphones work So you have an idea of what can be done at what cannot be done this is important for your protection and then Be sure that you are taking the measurements to protect yourself. So go there that low Salamandra help it modify it Hockey find microphones tell us about them Advance the fields and try to help others. So every time we are talking about this There are a lot of people concerned about this and say oh, I can do with some sweeping off my hotel room For example, right? This is something that can help you a lot. Yeah, so try it out. Let us know how it works and Yeah, thank you You want to do it now or after? So, thank you. I don't know. We have you can try it just I don't do we have yes Yes, yes, yes questions now questions in the room, please use the microphones We have microphones over there. Okay, so they're so maybe before the questions We were gonna give the USB Yeah, it's here. So we are going to throw it. Okay. This is the best way we found to throw it We we came up with several ideas, but this is the easiest we got so We would yeah, we will throw the small thing you can pick up the antenna later. Okay. Yeah, so yeah So I will hold this and the one that gets the USB it's going to get the antenna come here and get antenna, okay? Are you ready for that? There one be careful I think he got that a round of applause Yeah, if you don't want it, don't sell it. Please just give it to other people And pick up the cable, please whoever hold it. We have questions Okay, we would start with the Q&A starting with microphone number one, please Test test and the Snowden leaks there were kind of internal catalog where one department showed off to the other departments what they can technically do and what the Amount of money is they need for it and did you look at these catalogs? for equivalent techniques Technique in the of the NSA or didn't you look at these as a source? We didn't look at that No, we have no idea. So we don't know if there was some idea there about microphones. No, sorry Thank you Microphone number two. I think yes. He's hidden behind the cameras. Thank you One question you talked about FM microphones and you said that this is that technology that is commercially available But do you know which is the technology which is professionally used by? I don't know government agencies or Did I mean yes, yes everybody use FM of course No, yeah, no, I think that nowadays is easier to go digital way So like the GSM that we have in here. It's much more safe to do There are some limitations of the thing. It can still be detected, but it's not so noisy And remember that we didn't have access to any of these equipment So it's just our ideas based on the pictures on based on the information We found about real cases how they are doing it However, if you look at the microphone in the in the Chinese case doesn't look like to advance. All right. Yeah Thank you And microphone microphone number three, please Thank you. Thank you for talk. What I really like about your tool is that it can be run 24-7 so that will even work or detect more advanced box that store and The audio and then forward it compressed only when the victim is supposedly sleeping or out of the home That's a really good idea Okay, thank you very much Thanks for that comment Microphone number four, please now that SDRs are Available cheaply available so you can monitor the RF spectrum easily what you do. Thank you for doing that great project Have you thought of? extending it to the light spectrum because all the LED lighting works with Switch power supplies so that would it would be easy to kind of PWM signals out of that So No, we didn't thought about it. I think it's a good idea I'm not sure if the same methodology will apply of the noise around you probably not so I think that it's possible But we should came up with a new idea About how it's working as far as I know with lasers you have to be in the path of the laser So the detection is not being broadcast in that sense So maybe it's quite more complicated in that case But but but I think there are like you said Plenty of situations that we still have to go and check how we can do to protect ourselves in these situations Yeah, yeah, thank you. You can try it out. Yeah, you can try please Thanks Microphone number. I hope it's five. Yes. It is so as an inspiration of how to take this one step further if you Couldn't manage to attach the antenna to your mobile phone and run the application on your mobile phone Then you could make use of technology Recently developed or like released by Apple or Google like AR kit for augmented reality Tracking which would allow you to track where you are in the room and then you could by fusing the different The different signals you received over time you could show a heat map which would exactly show you the The the possibility or the possible places where there could be something. Yeah, sorry That would be awesome. Actually, we thought about like we need a heat map here Like I'm walking around and it was remembering the best location points And I was not able to plot that so I completely agree that a small location system trend and convert into This would be awesome I'm not sure maybe we can even do with Bluetooth devices or like like the VR like you said like there are infrared cameras Maybe now it's okay if we do that it's not going to be so so cheap are easy But I agree that it's going to help a lot on that. Yeah, you would basically get the location only one question, please Okay, it's all right. Thank you. I do not see the signal angel, but do we have We do okay, so please one question from Digi chat the internet wanted to know if If you have done research or research about back that use other Communication technologies such as Wi-Fi Yeah, no not so far. We we focus specifically on FM box because it was like Easy first step on this erection and we needed to reduce the amount of the spectrum to something that we could Manage to do like in one and a half years. So, yeah, no, we didn't Do that. Yeah, so hello internet, but No, we use GSM. That is also digital. It's not the similar as Wi-Fi. Okay. I think that Wi-Fi Can be more difficult because you have a lot of Wi-Fi around you all the time In the case of GSM, you may see the hoping frequency if you're using hoping frequency So we were we managed to detect the GSM that it's digital. We never try with Wi-Fi so far So maybe that is better for the listener. Yeah, and remember that we have like a 14 pages long paper with all the experiments documented So you can go check it out and let us know if you have questions or ideas or you can experiment it on yourself and try that Thanks, I think microphone number eight has a question. Yes. Yes. Thank you for your talk Is there any reason why you went with the strength of an FM signal signal versus trying to reproduce a Tone so a suggestion for salamander perhaps you emit a particular tone frequency and then you look for any FM broadcast on the spectrum that can also Match that tonal frequency not unlike a guitar tuner on your Android phone. Yes Yes, actually that was the the second idea to put in salamander. So that was super good We say oh we are going to actually generate a pattern of tones and then I will search this pattern matching the frequency And we were super excited to implement this and then we figured out that well We didn't need it because it was working so well that it was like, okay, maybe we don't so but I agree It's super good idea. I want to implement it or somebody implemented at some point in the time because it's super nice to have this pattern And then you can actually Filter out a lot of false positive errors a lot. So yeah, I agree. Yeah, thanks. Thanks Okay, ladies and gentlemen a really warm round of applause for Veronica and Sebastian from much left