Telephone Instrument Attacks

Perhaps the most insidious and least recognized method of eavesdropping on room conversations is by telephone bugging or a hookswitch bypass.

The hookswitch bypass is a technique for room bugging which enables a telephone instrument to transmit room audio while the handset is in the on-hook position. This attack includes various methods by which the telephone instrument is modified or rewired to convert it to a continual listening device, even when it is hung up.

This simple technique usually allows the eavesdropper to intercept both telephone and room conversations without having to be concerned about hiding devices, running wires, or changing batteries within the target area.

There are several reasons why the telephone, as a listening device, is preferable to other bugging techniques:

The telephone, with up to three possible microphones or transducers (the transmitter, typically a carbon or electret microphone; the magnetic earphone receiver; and the ringer circuit), is usually at an optimum location to accomplish eavesdropping in a target area. An additional microphone could also be installed within the telephone instrument by an eavesdropper.

The telephone system provides conductors to carry the acquired audio to a listening post. Because the microphones and conductors are inherent to the telephone, there are no concealment requirements.

No power is required in the target area, since the power used is either telephone system power or provided from the listening post. Therefore, battery replacement is not necessary.

Eavesdropping on telephone conversations is indeed a threat; however, far more critical information is frequently uttered after the telephone call has ended. This is particularly true in an office with the telephone on the desk or credenza, which is typically the center of most conversations.

A hookswitch bypass is the perfect eavesdropping method for gathering the maximum amount of intelligence.

Telephone Instrument Hookswitch Bypass

There are several variations of the hookswitch bypass, which fall into three general categories: Passive, Active, and Ringer. Application variations include online, whereby the connection between the telephone and the exchange is maintained, and offline, whereby the connection to the exchange is automatically or manually broken.

Passive bypassing techniques are characterized as requiring no active devices in the telephone instrument. This technique provides for monitoring all on-going telephone conversations, as well as room conversations.
- Resistance/capacitance bypass
- Capacitance bypass
- Third wire bypass
- Ground return bypass
- Spare pair bypass

Active bypassing techniques are characterized by the application of some external activation, without which the device will not function. Consequently, active devices can be turned on and off at will to monitor select room conversations.
- Reverse biased diode
- Neon tube
- Four layer device
- Infinity Transmitter

The ringer threat is inherent in U.S. telephones and arises because the telephone ringer, in some instruments, is a dynamic transducer. The ringer coil, loosely mounted on its core, is contiguous to a permanent magnet. As with a dynamic microphone, vibrations cause the coil to move in the flux field of the magnet and a voltage similar to room audio is transmitted down the telephone line. Normally, the audio quality is poor; however, occasionally a ringer is encountered which provides excellent audio. It should be noted that the ringer is on the out-going side of the hookswitch and, consequently, is always available to the eavesdropper without access to the telephone instrument.

Infinity Transmitter
The infinity transmitter, or harmonica bug, is an active device. When called, the device within the target telephone instrument is activated by a special tone signal, typically generated from the calling (eavesdropper) telephone. The infinity transmitter is designed to answer the call to the target telephone instrument before the target telephone rings. From this point on, conversations in the room are monitored by the eavesdropper at his telephone. The conventional infinity transmitter will not function properly on an ESS. However, variations are available which would allow this device to function properly on an ESS telephone system.

Keep Alive
Another type of active hookswitch bypass is known as a keep alive. This attack requires the eavesdropper to call the target's telephone instrument. The device activates when the target answers the telephone call. After the target hangs up the telephone, the circuit remains closed, as if the telephone is still off-hook. From this point, conversations in the room are monitored by the eavesdropper at his telephone. After the eavesdropper hangs up, the telephone company's supervisory circuits will return the target's telephone line to an on-hook condition.

Aside from telephone line and telephone instrument attacks, eavesdroppers may also choose to use Telephone System Attacks.