From: Alan  Hoffman                Base   : Business T-Phone Topics & Voice
To  : John Fender                  Refer #: None
Subj: Scrambled cordless           Replies: None

John> Can anyone tell me the technology (technical name) used for the
John> scrambled cordless phones and how easy or not so easy it would be, for
John> someone to descramble my conversation. In other words, How private are
John> they?   I just purchased one and still uneasy about using it in my
John> business or for conversation that really should be private.  I know
John> nothing is ever 100% safe. I work in radio and electronics but haven't
John> had the opportunity to check up on this. I don't need any replies that
John> are guessing at this or assuming I am knowledgable enough in electronic
John> to do that. I would really like to hear from someone who knows what
John> they are talking about.       -= John in N.C. =-


                    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                    COMMUNICATIONS SECURITY OVERVIEW
                      A Non-Technical Discussion of
                       Modern Transmission Methods
                    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                      written by Alan Hoffman ("Q")
                      =============================   



----------------------------
SCRAMBLING versus ENCRYPTION
----------------------------
First let me comment on the matter of your use of the word "SCRAMBLED".
Their are generally two types of methods to protect the content of
communications.

The first  is:  ENCRYPTION
The second is:  SCRAMBLING

Now alot of people might argue over what the word scrambling really means,
and indeed it has different meanings.  But industry jargon states that the
difference is that "ENCRYPTION" uses an actual mathematical algorithm
to create a "cipher" of the communications.  Also the word encrypted is
usually meant to refer to "strong encryption". The term really isnt meant
to apply to weak encryption (phones that have algorithms that are easy to
break).

The term "SCRAMBLING" on the other hand is a bit more complex. Industry
jargon states that a phone that uses scrambling may use either a very
simple cipher algorithm (weak algorithm), or the phone may use some other
method to  "HIDE" the communications. The method of  "HIDING" communications
is a very popular method used nowadays because it provides better protection
than "weak algorithm scrambling", and it does this at nearly the same
cost factor. I'll explain communications "hiding" techniques later.


----------------------------------------------------
WHAT DO CORDLESS PHONES USE FOR PRIVACY PROTECTION??
----------------------------------------------------
Most cordless phones (costing under $1,000) use the primitive technology
of "SCRAMBLING".  These phones have used the same primitive technology
for 15 or more years.  Although in the last few years (last 8 years) the
techniques used for scrambling have become very diversifed and due to
new technologies in Intergrated Chip manufacturing (IC) manufacturers can
now use more advanced technology in cordless phones which are both cheap
in cost and compact in size. Wheras some old scrambling methods would have
required a large circuit board, (hence increasing the size and cost of the
cordless phone considerably) nowadays its as simple as installing a few
Integrated Chips which are only a few dollars at most.

METHODS USED:  ('Scrambling' and 'Signal Hiding')
-------------------------------------------------------------------------
[1] Inversion Scrambling                      SCRAMBLING
[2] Digital Transmission                      SCRAMBLING (sort of)
[3] Slow Burst Transmissions                  SCRAMBLING (sort of)
[4] Odd Modulation Techniques                 SCRAMBLING (sort of)
[3] Ultra-Fast Burst Transmission             SCRAMBLING & SIGNAL HIDING
[3] Frequency Hopping                         SCRAMBLING & SIGNAL HIDING
[4] Spread Spectrum                           SCRAMBLING & SIGNAL HIDING
[6] Extremely Narrow-Band Transmission        SIGNAL HIDING
[7] SubCarrier Transmission                   SIGNAL HIDING

I'd just like to explain the terms 'scrambling' and 'signal hiding'.
Their are two techniques for providing communications security. The
first method is "VOICE SECURITY" and that is accomplished through the
techniques of "scrambling" or "encryption".  The second method of COMSEC
is to use "TRANSMISSION SECURITY", alternatively called" EMMISSIONS SECURITY"
an example of which I shall describe herein as "signal hiding".

SCRAMBLING is where the actual content of the conversation is protected
so that a person who is listening in, would not understand the content
of the conversation.

SIGNAL HIDING is a method used to protect NOT the content of the conversation
but the signal itself. In other words, signal hiding protects against a
perpetrator from intercepting your conversation with a scanner or receiver
of most types.  Scanning Receivers have limitations on them, they can only
receive a signal for which their specifications allow. Receivers can
only lock onto a signal, if it is present for a ceartain period of time,
and if the transmission is short enough (frequency hopping) or ultra-fast
burst, the scanner will not be able to lock onto the signal in time and
will thusly NEVER be able to intercept the conversation.  Also, most
scanners can only demodulate the MAIN CARRIER of a signal. If one sent the
transmitted signal on a SUB CARRIER, the scanning receiver would NOT be
ability to listen in on the signal, it would be as if it didnt even exist.
If a clever individual were to modify his reception equipment so that
it was able to receive these hidden signals, he would then be able to
freely monitor the content of the conversation. Once again, signal
hiding does NOT protect the conversation itself, it merely guards against
a person tuning to a specific frequency.

COMBINATION Methods.  Some technologies use a combination of scrambling
and data hiding. In other words, it protects not only the content of
the conversation itself... but the frequency which the transmission operates
on. This is a significant advancement over the above two methods because
it provides double protection, while the above two methods only provide
single protection. This means, that even if a user were able to find the
frequency which the device operated on, and could modify his receiver to
listen to that frequencies, the eavesdropper would then have to contend
with yet another challenge of trying to defeat the scrambling.


INVERSION SCRAMBLING:
---------------------
The oldest method and still THE MOST COMMON method used today, which dates
back.. to.. well. long before I was born. Is the method of
"INVERSION SCRAMBLING".  Inversion scramblers were invented circa WW I era
to protect military communications.  The technique involves splitting up
the communications (voice) into many different frequentcy bands. These
bands are then  "shifted" to another band, and all the different bands in
essense become another frequnecy band. This is done with a user programmable
key (which is extremely small by todays standards 56,000 keys maximum)
and that key determines in simplistic terms how the frequency bands will
be shifted.   On the other end, an identical chips receives the scrambled
signal, and using the same identical key as the transmit chip, it
reconstitutes the frequency bands by putting them back in their original
order. This is similar to a MONOALPHABETIC SUBSTITUTION CIPHER, if your
familiar with that method. In which 1 letter is in a message is
switched for another.
(Example:  Message is   :  CAT
           All C's will be switched to F, A switched to Z, and T becomes G.
           Codes message:  FZG

The person who intercepts the conversation (or in this case the
monoalphabetically substituted cipher will see  "FZG" and as you can see
thats not the original message.  But if you had the "KEY", if you knew what
the F and the Z and the G stood for, you could convert it back to its
original form.    Technically, "inversion scrambling" is actually a form
of encryption.. but it is one of the most simple types, and as I said
above, weak encryption is usually just referred to as "scrambling".

Each year, tens of millions of inversion scrambling chips are sold to the
public and electronics industry. These chips sell retail for $30 - $300
apiece and are sold as stand-alone chips for use by industry and
hobbyists, or can be installed in devices such as cordless telephones and
scrambled walkie-talkie transceivers for law enforcement and business.

The net effect of monitoring an inversion scrambled transmission is
somewhat akin to listening to a tape recorder play on FAST FORWARD.
You would be able to recognize the demodulated signal as a "voice"
but it would be completely unintelligable.

[See Discussion Later on the methods of defeat for inversion]


DIGITAL SCRAMBLING:
-------------------
Digital Scrambling is now commonly used in new cordless telephones which
use the 900MHz spectrum. If one has a 900MHz cordless, an individual should
take care to note, that their are the ANALOG 900MHz phones and the
DIGITAL 900MHz cordless phones. At all costs, one should purchase the
DIGITAL models, because it provides much greater clarity, slightly greater
transmission range (although not as much the manufacturers like to claim)
and most importantly it provides communications security (COMSEC) protection
through the use of digital transmission.  You'll note in my chart above that
I said that digital transmission was not exactly "scrambling" in itself,
which is true. Its kind of in a grey-area, but for the sake of simplicity
lets just call it "scrambling" because it does prevent people from listening
in with a scanner.  Normal Scanners have the ability to intercept digital
signals (using standard FM/NFM transmission modulation), but all the scanner
eavesdropper will hear is  "noise" similar to static, or a buzzing sound
(the noise it makes is kind of to the beholder of the listener), but
either way, with digital transmission, even though someone can intercept
your call, and record your call on tape, they will not be able to
understand one damned bit of your conveersation as it will alas sound
like static or buzzing (which is the Digital transmission of your voice).
The technology is much like that used in Compact Disc (CD) players.
In fact the best example I can give you, is to take a computer program thats
on CD. And run it through your music CD player. What you will hear is
buzzing sounds which is the digital signals. (You might also hear music
too.. but skip past that part till you get to the actual computer program
code on the CD). This is what the eavesdropper would hear if listening in.

[See discussion on defeating Digital Technology]


FREQUENCY HOPPING:
------------------
Frequency hopping is a technique used for data hiding. It is used mainly
on military communication systems ([RARELY]. Usually they use multiplexed
spread spectrum), and also is used a bit by clandestine listening devices
such as "bugs".  I honestly do not know of any cordless phones which use
frequency hopping, but to build one would be a very simple task because
frequency hopping chips, much like inversion chips are widely available
and sold by the millions for a relatively cheap retail price of $50 - $300.

Frequency hopping is the process of changing frequencies at a rapid
rate. Hoppers can switch anywhere from 3 times a second, to 100 times
a second, to 10,000 times a second, and I have even heard that technology
exists for quite a few years which allows over 35,000 hops per second.
Very often the frequency range in which the hops are made is 15 - 40MHz.
I might point out that I am referring to the "BANDWITH" and not the actual
frequency range.
The reason this provides protection is very obvious. First off, a
scanning receiver only tunes to one frequency. And as such, when the
transmitter changes frequency, the scanner is no longer picking the
signal up.  Also, alot of modern scanners are not even capable of picking up
an extremely fast hopped signal because the unit doesnt have a fast enough
gate time. Either way, the most an eavesdropper would ever hear is a faint
"CLICK" on a frequency which lasts a fraction of a second.

Frequency hopping also provides a unique method of "scrambling". Unlike
other methods of scrambling which protect the actual content of commu-
nications, some frequency hoppers apply the scrambling to the protection
of the data hiding.  To clarify, the "hops" are not made in any specific
pattern which could be determined and then cracked, but are instead
(apparently to the eavsdropper) randomly hopping at any old frequency.
In reality, a "KEY" is controlling the scrambling which controls which
frequency the unit will hop to next.  Since the matching receiver circuit
knows the KEY also, it will thusly know what frequency to turn the
receiver to next.  Frequency hopping isnt always done with a "key" though.
On the cheaper units, the transmission just hops frequencies in a set
specific order, and then cycles back to the original starting frequency
and does it all over. This is very very weak protection and the professional
armed with a decent spectrum analyzer could crack the system trivially but
against amateurs, it is extremely formidable protection which probably
far exceeds the protection of "inversion scrambling".


SPREAD SPECTRUM:
----------------
Spread Spectrum is another technology which has been around for well
longer than I can remember (ceartainly over 50 years), but because of
advances of Integrated Chip manfacturing, and a need for privacy in the
consumer market, this method is becoming EXTREMELY popular in the 1990's
and is being used on a massive scale on cordless phone systems. The
technology is still a bit on the expensive side (as you will note that
spread spectrum phones are about 100 USA Dollars more money than the
other 900MHZ phones which use inversion.)

Spread Spectrum provides a combination of both SCRAMBLING and SIGNAL HIDING.
This technique is probably noted to be the most secure method, short of
using actual strong-encryption technology.  This is a technology which
has the ability to thwart virtually every amateur eavesdropper and can
ceartainly elude even a large number of professionals who are armed with
the most expensive equipment. This technique even rivals frequency hopping
perhaps in safety. In many ways it exceeds frequency hopping, on the other
hand ultra-fast frequency hopping too has its advantages, but either way
their both very formidable technologies.
Generally, it is said that ultra-fast frequency hopping has better
capabilities at signal hiding and thusly its ALOT harder to find a hopped
signal than a spread spectrum, but once the hopped signal signal is found
and its pattern determined or decoded, the modulated audio can then usually
be decoded fairly easily (unless secondary encryption is also used to
protect the main modulated carrier, which it often is in cases of ultra-
fast hopped signals which use digital as opposed to analog).
Spread spectrum although quite a bit easier to locate, is usually harder
to decode once it is detected. 

Spread Spectrum, I shall explain quickly. Although it should be obvious.
Their are a couple of types of spread spectrum. Different people define
the term in different ways.  In its SIMPLEST form, it is basically a
very wideband carrier signal. In that wideband carrier signal, a voice
modulated signal which is much smaller in bandwith is transmitted in
a complex pattern. Some people liken this to 'frequency hopping' but the
reader should not get confused between regular frequency hopping and
spread spectrum frequency hopping (direct sequency spread spectrum).
Regular frequency hopping uses a simple narrowband FM signal, (it uses
narrowband for both the main carrier and the modulating carrier)
while spread spectrum uses a wideband signal for the main carrier and
a narrowband carrier for voice modulation.


BURST TRANSMISSION:
-------------------
Burst transmissions are not usually used in cordless phones, but it is
another technique which 'could' be used in the future. I have actually
seen a model of burst transmission digital cordless phone, but it was
rather expensive and as such was unfortunately discontinued.

Burst transmission is used mainly for military communications and is
used on a number if INTEL satellites, and for other military communictions
applications where data is transmitted.

Their are two types,  SLOW and FAST.
Slow burst transmission was invented a long time ago. During World War I.
Slow burst uses an analog signal which is simply sped up in speed much
like you would press  "FAST" on a dictation type tape recorder, and it
speeds up the voice. It would allow analog voice signals to be sent at
high speed (twice to 10 times the regular speed).

Fast burst however requires digital technology. Their comes a ceartain
point when analog is no longer good for fast burst. The point is somewhere
around 10 - 15 times the normal transmission speed. Anything faster than
10 times speed should use digital technology.  A persons voice is digitized
with a Digital to Analog (D/A) conversion circuit. The Digital ("sampled" or
"digitized" voice, is then fed into a compression circuit which may signi-
ficantly compress the voice signal, the signal is then fed into some more
circuitry where it gets "BURSTED" in a short packet either over a wireline
or throgh RF transmission.

I'm not an expert on burst technology, but I've read about systems which
could burst a 1 minute conversation in a matter of 3 seconds. That was
however an arbitrary figure. and that is NOT the way in which burst
communications usually works.

"Burst Communications" has 2 meain functions:
(1) To provide compression of data or voice which allows more content to
    flow over a wireline of radio wave in a shirter period of time.
(2) Communications Security. Another function is "signal hiding". That is
    the signal is transmitted at such a fast rate (much like a frequency
    hopper) that the signal cannot be detected by traditional scanning
    receivers, or even some cheaper spectrum analyzers).

So normally, when burst technology is used with the intent of "signal hiding"
the bursts are usually limited to something like around several hundred
thousandth of a second (as a rough guess. I wont even bother figuring the
actual math out). Basically the burst has to be short enough so that it
will be shorter than the gate time of most detection equipment such
as broadband receivers, spectrum analyzers, frequency counters, etc..)
At the very least, the burst has to be very low profile, almost so as to
be unnoticeable when viewed on a spetcum analyzer so that a person
monitoring the unit will not know the signal is their, unless he is
specifically looking for it.  Burst transmission can also incorporate
encryption technology, to further protect not only the signals integrity
but the actual content of communications.  Theirein lies a fundamental
problem however with burst transmission. That problem is namely that
the devices dont function too well with "STRONG ENCRYPTION" (to my
knowledge anyway) because the strong encryption has a ceartain amount of
"latency time", and that latency time cannot be any longer (and in fact
must be slightly shorter) than the actual burst process. If it takes
a longer amount of time to encrypt the data than it does to burst it,
then that will slow the whole process down and cause a "bottleneck"
reaction where the data burts will start to slow down more and more
while the unit is waiting for the encryption of the packets to finish.
This causes great synchronization problems with ultra-fast burst
transmission systems.


EXTREMELY NARROW BAND TRANSMISSION:
-----------------------------------
Extremely narrowband (NFM) transmission is not really a method of
scrambling, but is a method of "LIGHT" signal hiding. NarrowBand
transmission does not prevent a person from listening into the
content of the signal once he has aquired the signal. It merely makes
it more difficult to aquire the signal in the first place by utilizing
limitations in most modern scanning equipment.

Most scanners have a variety of  "selectivity" modes. The selectivity of
a scanner or spectrum analyzer refers to the "IF Bandwith" which is
currently in use. Traditional scanners in the past had only provision for
FM, WFM, NFM etc.. FM is used to listen to the tradition commercial
radio bands as well as the as the audio portion of television.
Narrowband Frequency Modulation (NFM) was used for most everything that
was FM modulated (police, public utility, handheld transceivers, etc..)

FM has a specific IF bandwith determined by the model of scanner somewhere
around 12kHz, WFM has a rough bandwith of 150kHz, and NFM has a rough bandwith
of 5kHz.

If one were to create a transmission that were outisde the range of your
traditional scanner (such as spread spectrum or ultra-narrowband) the
receiver would not be able to completely demodulate the audio which was on
the frequency of transmssion. As a result, at the very most the eavsdropper
would only hear a highly distorted signal and the voice would be virtually
unintelligable. It would however be recognizable as a "voice" but theirs
no chance that anything would ever be understood clearly.

Unless a scanner or spectrum analyzer had "infinite tuning resolution"
down to 1Hz tuning steps, its possible that the eavesdropper might not
be able to intercept the signal at all because the carrier wave might be
in between the tuning step capability of a partcular receiver.


'ODD' MODULATION TECHNIQUES:
----------------------------
An odd modulation technique basically as I use the term, refers to a
method of modulation which is not commonly used and cannot be readily
be demodulated by your typical scanner or spectrum analyzer.

Most scanners have the capability of decoding FM, AM, FM-SC, AM-SC,
FM-S-SC (supressed sub-carrier), and FSK (Frequency Shift Keying).
In fact, virtually all units are limited simply to AM, and FM demodulation
with a few of the better units capable of FSK and FM-SC demods.

To decode some of the more esoteric modulation methods requires a
special circuit card which can be added to some of the top-of-the-line
scanners or spectrum analyzers. These add-on units usually cost $100 -
$500. An example of a common ad-on item is a sub-carrier demodulator
(or a video demodulator card) which can be interfaced with quality
scanners or spec-ans.

If one wanted to enhance communications security, one could employ
odd modulation techniques. As you have figured out, this is a method of
"signal hiding".  It is not a "real" method of signal hiding per' se,
although I dont know what method is indeed "real".  Rather this method
simply utilizes deficiences and limitations of modern reception equipment
insofar as their all pretty much limited to AM, FM and FM-SC at most.

One can readily intercept your communications signal, however the
eavesdropper would be prohibited from actually monitoring the content of
the conversation unless he had a special circuit intalled on the scanner
(or a scanner capable of) demodulating your transmission.

The net effect of monitoring a signal which uses odd modulation techniques
is varied. The eavesdropper will be able to readily measure the carrier
signal and can observe its strength on the signal meter so he knows that
your transmitting on such and such a frequency.  But when he listens to
the actual demodulated portions content,  he will hear either random
unintelligable noise, or in some cases may hear nothing but silence
(due to the scanner squelching out the ensuing noise).


SUBCARRIER TRANSMISSION:
------------------------
The method of subcarrier transmission is a classic quality example of
"signal hiding". Once again, this technique really only relies on fooling
the eavsdropper by exploiting limitations in modern reception equipment.
Most scanners today and even most spectrum analyzers will not readily
decode SUB-CARRIER (SC)(SCA) signals. Although subcarrier decoders can be
purchased rather cheaply and interfaced with some scanners and many
spectrum analyzers (if its not build into the spec-an) the fact is the
transmission is a fairly safe method to fool most eavesdroppers except
the most sophisticated ones.

A "sub-carrier" can be thought of, as an  "invisible" signal which is
piggy-backed onto the main carrier signal of a transmission. For example,
most radio stations have an "invisible" subcarrier signal which actually
allows the radio stations to transmit 2 signals in one.  Most people go
through life believing that a radio station only plays 1 signal at a time.
That signal being what the person hears on their home/car radio. The reality
of the situation is the some stations actually transmit a hidden signal
which can consist of music (or anything for that matter) which cannot be
heard by the average listener with the average radio.  It takes a special
"decoder circuit" (subcarrier demodulator or decoder) to actually hear
this "hidden signal". This subcarrier signal explains the age old question
of why "elevator music" never has commercials. Many people foolishly
go through life thinking that department stores have some magical "tape
player" with endless amounts of music on it, all commercial free. Of
course the truth is, that the facility simply is listening to a regular
radio station and has a sub-carrier decoder installed allowing them to
hear "invisible" programming (which is usually commercial free, or in
foreign languages, etc..) Your supposed to pay for decoding subcarrier
signals from commercial companies, under the law.

Although, this method is not extremely secure, it does however provide
a large degree of protection and is perhaps is equal to inversion
scrambling as far a safety goes.

Most modern cordless phones DO NOT use this technique, because it presents
a variety of problems. The main problem is in signal strength. The SC
signal is only a fraction of a percent in strength of the original
carrier wave, and as such the signal dissipates very quickly. With a typical
cordless phone which already has a weak power output to begin with, using
SC technology would cut the usefull distance of the cordless phone down
by approximately 60 percent.


-----------------------------------------------
METHODS OF DEFEAT FOR DATA HIDING OR SCRAMBLING
-----------------------------------------------
Method                      Avg Cost      Defeat Time    Complexity Rating
--------------------------------------------------------------------------
Inversion Scrambling        $80 - $500    .5 - 2seconds  SIMPLE - MEDIUM
Digital Transmission        $30 - $500    Instantaneous  SIMPLE - MEDIUM
Slow Burst Transmissions    $100- $700    .5 - 1 second  DIFFICULT        
Ultra-Fast Burst Transmis   $500- $15,000   *****        VERY DIFFICULT 
Frequency Hopping           $500- $15,000   *****        VERY DIFFICULT  
Spread Spectrum             $1000-$30,000   *****        EXTREMELY DIFFICULT 
Odd Modulation Techniques   $50 - $800     Instantaneous MEDIUM       
Extremely Narrow-Band       $20 - $200     Instantaneous SIMPLE
SubCarrier Transmission     $25 - $200     Instantaneous SIMPLE           

[NOTE] ******
The reason I did not list defeat times for Burst, Frequency Hopping, and
Spread Spectrum is because it involves a two step process unlike the
other methods because of its complexity.

First, the eavesdropper must use sophisticated spectrum analyzers to
determine the patterns of frequency hops, the modulation modes, the
transmission of subcarriers, the bandwith of the carrier, the bandwith
of the modulating carriers, burst times, etc.. etc.. and that could days,
weeks, months to analze and detrmine depending one ones knowledge,
persistance, and the quality of equipment one posesses.

Once the patterns have been established the eavesdropper can reconstitute
a  "KEY"  or a "pattern" by which the systems operates and then from their
the eavesdropper can reconfigure his equipment so it will function the
same as the targets equipment. At this point the signal reconstruction
can be done instantaneous. Another method is to store all the intercepted
signals on DAT (Digital Audio Tape) and then reconstitute it piece by
piece in the laboratory off-line. This technique can be used when it
is impossible or impractical to modify the eveasdroppers receiving
equipment.  (ie: this would mainly apply to burst transmission defeats).


------------------------------------------------------------------
COMMON DEFEAT METHODS DESCRIBED FOR CORDLESS PHONES COMSEC SCHEMES
------------------------------------------------------------------

          -=-=-=-=- INVERSION SCRAMBLING -=-=-=-=-

Inversion scrambling remains by far, the most commonly used method of
communications security (COMSEC) used on cordless phones today.
Although inversion is used mainly on the old 46/49MHz phones, it is
still widely used on the newer model 900MHZ analog phones. SPECIFICALLY
the ANALOG type 900MHz phones..

Defeating inversion scrambling in the past has always been a formidable
task which could thwart even the most avid amateur radio eavesdroppers.
But it never has been a match for professionals armed with the proper
equipment and the electrical engineering knowledge needed in order to
build a scrambling cracker.

Well (un)fortunately, depending on whos side your on,.. Those days are over.
Their now exists on the public market, readily available to anyone with
$50, electronic "kits" which when built can defeat inversion scrambling
within a matter of a second or two. [In reality it is a couple of seconds,
but once the key is reconstituted, and the eavesdropper verifies that
the key is authentic, then the decryption is instantaneous.)

Law Enforcement Officers also have these units readily available to
them, however they are even more powerfull and have more features.
Although the units are overpriced (at around $300 - $1,200 dollars)
they do nevertheless perform their job quite a bit faster and also
can defeat a variety of different "types" of inversion scrambling.
(Their are different inversion chipsets on the market, and some of
them work a little differently. The LEO units can decode these alternate
inversion techniques).

I should also however point out, that cordless phones automatically choose
the inversion key. And that process is performed when the handset is
placed back onto the base set. The one-time code is sent through the
electrical contacts (of the battery) and into the handset where a different
code is used each time.  Since cordless phones use a one time code for
inversion, it is necessary for the eavesdropper to "crack" the inversion
each and every time that the target uses the cordless phone.  However, in
reality that is not 100 percent true. Many times persons will leave a
handset off the base unit all day while making multiple calls.. This is
VERY VERY VERY bad for security. Not only does that allow the eveasdropper
to use the same code (since if you dont hang the handset up each time,
the phone re-uses the same key code),  but also allows fraudulent calls
to be placed on your cordless phone by other parties, this can be done
inadvertently or intentionally.  And this happens to be one of the reasons
that many cordless phones will intentionally force you to hang the
handset up after each call. Sometimes you may have notices that your
handset has "locked up", this is a security measure wbuilt into the
phone which forces you to reset the security code and thus preventing
fraudulent calls.    Please NOTE, that when I say  "security code"
I am NOT, repeat NOT just referring to encryption (inversion) codes,
but am referring to the codes that almost ALL cordless phones transmit
which prevents your neighbors from dialing out on your phone line. Such
security codes have been used for 10 years after it was promptly figured
out just how easy it was to dial-out on your neighbors line at their expense.


So just how safe is your inversion scrambled cordless phone
or walkie-talkie transciever??

You know as well as I, that the question is rhetorical and cannot be
answered.

  "It is NOT a  "MATTER OF FACT",  but it IS a  "MATTER OF SITUATION".

In other words, it all depends on who could be targeting you, why would
they want to target you, do you have any valuable information that needs
real protection, and if they are targeting you.. does it really matter?

If you want me to throw blind statistics out which I feel are very accurate
I would say that of all the people that have the ability to eavesdrop on
your conversations, even the ones with sophisticated equipment and
knowledge..  Only 1 thousand of 1 percent (.001percent) of such people would
actually make a concerted effort to listen to you, if you were an average
individual. (and that is a VERY high figure at that. its probably
significantly less people).

I'd also like to discuss another type of newly implemented technology.
(that is is newly implemented in consumer equipment in compact form).
The method is called  ROLLING CODE INVERSION SCRAMBLING, and is very
much more secure than tradition "inversion scrambling".  One manufacturer
of such systems is  CYCOMM Inc, another is TRANSCRYPT, Inc and also
REI (RESEARCH ELECTRONICS INC.)    Rolling code scrambling utilizes
traditional split-band inversion for scrambling,  however to defeat
the eavesdropper from using a simple device (as i previously mentioned)
that will find the "key" code for inversion by brute force (finding the
center frequnecy). Rolling code defeats all such attempts by changing the
code on a routine basis, (the period of the rolling code varies by
manufacturer, but usually the code is changed many times per second
thus thwarting virtually all "real-time" attempts to decode. In order to
decode such a rolling code system in real-time (as one is monitoring)
the eavesdropper would have to posess equipment capable of cracking the
inversion in a thousandth of a second.  Most people including professionals
are not privy to such equipment with such speed, but we all know which
agencies can easily defeat such systems.

Rolling code inversion does have one drawback however, and that is
that the intercepeted signal could be recorded on DAT tape, and then
the signal reconstituted in the laboratory enviroment fairly easily.

One technicality that I did not mention, is that these rolling codes
are transmitted from 1 unit to another by a PUBLIC KEY ENCRYPTION system.
the eavesdropper could also attempt to defeat the public key portion of
the transmission which would yield all of the rolling code keys, However,
such an attempt would be foolhardy because attacking public key algorithms
is generally a far harder task than is attacking inversion techniques.

              -=-=-=-=- DIGITAL SCRAMBLING -=-=-=-=-

Digital scrambling is a method used on approximately 30 percent of the
newer 900MHz cordless phones. These digital models are about $100 more
expensive than the analog models, as I have previously described, and
their security lies in the fact that the signal is DIGITAL rather than
analog.  That means that reception equipment (scanners, spec-ans)
CANNOT decode your conversation because scanners only decode ANALOG
signals... not digital ones. The eavesdropper merely hears a "buzzing"
sound while eavesdropping on your call.

The problem with DIGITAL, is that it really is NOT a method of "scrambling"
per se'.  Or rather, IT IS NOT a type of "ENCRYPTION".  It doesnt really
"scramble" your conversation either, we only call it scrambling merely
because a scanner cannot in itself decode digital signals.

Nothing however, could stop an individual from simply purchasing a
DIGITAL DECODER Integrated Circuit - Which converts the digital signal to
an analog one - which he can then interface with a scanner, spectrum
analyzer, etc.. which would decode the digital signal hence reconstituting
the original conversation so the eavesdropper can hear you.
Digital transmission relies on a variety of "STANDARDS". These standards
are industry standards, and for digital transmission of this type, the
number of protocols is very few. Almost all cordless phones use the same
digital transmission protocol, therefore the eavesdropper doesnt really
need to decode dozens of different digital protocols, but rather the
one or two which is used by most all cordless 900MHz Digital phones.
In fact... If a digital cordless phone uses "NATIVE" digital transmission
without any encryption (scrambling), it is actually possible to
decode the transmission using simply another digital phone!!  That means
that in a few more years we could very well end up with the same problems
as we have now. That is people will be able to intercept each others
cordless calls, just as they can do now.. only difference is we'll all
be using digital cordless phones rather than analog ones.

Well thankfully "some" of the cordless companies had the common sense
to realize this paradox, and have thusly combined both digital technology
with scrambling. This is a step in the right direction because digital
transmission works hand-in-hand with the more advanced "encryption"
chipsets as oppsed to the simpler "scrambling" chips which are analog
in nature (such as inversion chips).

I cannot get into all the algorithms which cordless phones now use in
conjunction with digital transmission. That would make this article
even longer than it already is.  But as an example, the most common
tactic used today is SPREAD SPECTRUM modulation and encryption.
Other types of algorithms are also used including the old "inversion"
techniques, however the oly difference is, that newer inversion chips
are used which use "digital to digital" inversion rather than
"analog to analog".

Some other cordless phone algorithms are in use. One of which is cropping
up now is called  LUCENT developed by LUCENT Technologies and AT&T. This
method uses a proprietary algorithm which provides fairly strong encryption
which is much more sophisticated than simple "INVERSION".



                -=-=-=-=- SPREAD SPECTRUM -=-=-=-=-

The last technology I'll discuss is spread spectrum. SS is used in
conjuction with DIGITAL PHONES (specifically the 900MHZ cordless phones.)
The most sophisticated cordless phones today for the consumer market
use the combination of DIGITAL transmission with SPREAD SPECTRUM scrambling.
In fact, spread spectrum is among the most secure methods of scrambling
and I might actually refer to it as ENCRYPTION. Spread Spectrums real
strength however does not just rely on the scrambling algorithm (which is
XOR based) but uses complex methods of SIGNAL HIDING including frequency
hopping and in general the security is enhanced because it of its wide
bandwith which requires special equipment to receive and demodulate.

I'll skip all the technicalities involved in how spread spectrum works
because their are many types (usually cordless phones use simple
direct-sequenc types), but I will say that it is definately among the
most secure phones to have.

What makes spread spectrum so sophisticated to defeat is NOT.. that
it provides such great algorithmic sophistication, in fact the algorithms
in Spread Spectrum are a bit simpler to defeat than rolling code inversion.
The real security lies in the fact that it takes  alot of sophisticated
equipment such as spectrum analyzers (which go for between $2,000 for an
AVCOM to $15,000 for an ECR-2 and $30,000 dollars for even more sophisticated
units) in order to view the full spreaded signal. Spread Spectrum is not
something that could ever be defeated by a person with only a "SCANNER"
as a sole piece of equipment.