Steal This Computer Book 2:
  What They Won't Tell You about the Internet

by Wallace Wang

Paperback | 450 Pages | 7 x 9 in | ISBN 1886411425
2nd edition
Published in November 2000 by No Starch Press


Excerpted from the book Steal This Computer Book 2 by Wallace Wang

Phone Phreaking and Other Phun
Phone phreaking is about manipulating the telephone system in ways that the telephone company itself doesn't truly understand or believe is possible. On the noblest level, phone phreaking is about exploring, experimenting, and learning as much as you can about the telephone system out of sheer curiosity. On a more malicious level, it can mean making free phone calls at somebody else's expense, denying phone service to valid customers, or wrecking telephone company equipment.

Unlike computer hacking, which can often be practiced in isolation on a single personal computer, phone phreaking requires more extensive preparation that includes software, hardware, and social engineering expertise. One moment you may be reprogramming the phone company's computers, another you may be soldering wires together to alter a pay phone, and still another you may be chatting with a telephone employee to get the passwords for a different part of the phone system. Like computer hacking, phone phreaking is an intellectual game where players try to learn as much as they can about the system (usually) without breaking any laws to do so.

A Short History of Phone Phreaking

In the early days of the phone system, you picked up a telephone and talked to an operator who put your call through. As more people got phone lines, the phone company began to replace its operators with special switching equipment. When you dialed a number, your telephone sent a signal to the switching equipment, which routed your call to its destination. Such switching systems could handle more calls more efficiently than human operators. But they also opened the door to phone phreaking. Trying to trick a human operator into letting you make a free phone call to Brazil was nearly impossible, but tricking a mindless machine into letting you make free phone calls only required sending signals identical to the phone company's. If you knew the right signals, the switching systems would blindly obey your orders.

Perhaps the most famous phone phreak was a man nicknamed Captain Crunch because of his accidental discovery of a unique use for a toy whistle found in a box of Cap'n Crunch cereal. He found that blowing this toy whistle into his phone's mouthpiece emitted a 2600 Hz tone, which was the exact frequency used to instruct the telephone company's switching systems.

Other people soon discovered this secret, and some even developed the ability to whistle a perfect 2600 Hz tone. For those unable to obtain the original Cap'n Crunch toy whistle, entrepreneurs started selling devices, known as blue boxes, that simply emitted the 2600 Hz tone. With the introduction of personal computers such as the Apple II, phone phreaks started writing computer programs that could emit the proper 2600 Hz tone from their computer's speaker.

Blue boxes worked as long as the telephone company relied on their old electromechanical switching systems. But eventually these were replaced with newer electronic switching systems (known as ESS), which rendered blue boxes (and the infamous 2600 Hz tone) useless for manipulating the telephone system (although blue boxes may still work on older phone systems outside the United States).

Of course, the introduction of ESS brought a whole new set of problems. With the older electromechanical switching systems, a technician had to physically manipulate switches and wires to modify the switching system. With ESS, technicians could alter the switching system remotely over the phone lines.

Naturally, if a technician could perform this feat of magic over the telephone, phone phreakers could do the same, provided they knew the proper codes and procedures to use. Obviously the telephone company wanted to keep this information secret, and the phone phreakers wanted to let everyone know how the telephone system works (which is partly what the ongoing struggle between the telephone company and phone phreakers is all about).

To learn more about phone phreaking, visit one of the following phone phreaking Web sites: Hack Canada (http://www.hackcanada.com), Phone Losers of America (http://www.phonelosers.org), Phone Rangers (http://www.phonerangers.org), SWAT Magazine (http://www.swateam.org), or United Phone Losers (http://www.phonelosers.net). Or try the alt.phreaking and alt.2600.phreakz newsgroups for messages about phreaking.

Possibly True Stories about Phone Phreaking

If you have a telephone, anyone in the world, including the legions of phone phreakers just goofing around with the telephone system, can call you. Steve Wozniak reportedly once called the Vatican and pretended to be Henry Kissinger. Other phone phreakers have attempted to call the Kremlin through the White House hot line and have rerouted a prominent TV evangelist's business number to a 900-number sex hot line. Because a large part of phone phreaking lore involves performing progressively more outrageous acts and then boasting about them, the following phone phreaking stories may or may not be true. Nevertheless they will give you an idea of what phone phreakers can achieve given the right information. The three stories are "urban myths" circulating around the Internet and are reprinted here verbatim.

The toilet paper crisis in Los Angeles

One thing that was really easy to do was pop into the AutoVerify trunks by accessing the trunks with that "class mark." You couldn't just dial an 800 number that terminates into Washington DC; you also had to pop over to a trunk class marked for "auto-verification."

This is used when a phone user has to reach someone and the line is busy. The normal procedure goes like this: The operator selects a special trunk, class marked for this service, and dials either the last five digits of the phone number, or a special TTC code like 052, followed by the whole seven-digit number. After that, the operator hears scrambled conversation on the line. The parties talking hear nothing, not even a click.

Next, the operator "flashes forward" by causing the equipment to send a burst of 2600 Hz, which makes a three-way connection and places a beep tone on the line so that both parties originally on the line can hear the initial click (flash, in this case) followed by a high-pitched beep. At this point, the parties can hear you, and you can hear them. Usually, the operator announces that it's an emergency, and the line should be released. This is called an "emergency interrupt" and is a service normally reserved for emergencies. It's available today for a $2 fee ($1 in certain areas).

Earlier, I had mapped every 800 number that terminated in Washington DC by scanning the entire 800-424 prefix, which then indicated Washington DC.

That scan found an impressive quantity of juicy numbers that allowed free access to Congressional phone lines, special White House access numbers, and so on.

While scanning the 800-424, I got this dude whose bad attitude caught my attention. I determined to find out who it was. I called back and said, "This is White Plains tandem office for AT&T, which subscriber have we reached?"

This person said, "This is the White House CIA crisis hot line!"

"Oh!" I said, "We're having a problem with crossed lines. Now that I know who this is, I can fix it. Thank you for your time—good-bye!"

I had a very special 800 number.

Eventually my friends and I had one of our info-exchanging binges, and I mentioned this incident to them. One friend wanted to dial it immediately, but I persuaded him to wait. I wanted to pop up on the line, using AutoVerify to hear the conversation.

Our first problem was to extract what exchange this number terminated in, because AutoVerify didn't know about 800 numbers.

At that time, all 800 numbers had a one-to-one relation between prefix and area code. For instance, 800-424 = 202-xxx, where xxx was the three-digit exchange determined by the last four digits. In this case, 800-424-9337 mapped to 202-227-9337. The 227 (which could be wrong) was a special White House prefix used for faxes, telexes, and, in this case, the CIA crisis line.

Next we got into the class marked trunk (which had a different sounding chirp when seized) and MF'ed KP-054-227-9337-ST into this special class marked trunk. Immediately we heard the connection tone and put it up on the speaker so we would know when a call came in.

Several hours later, a call did come in. It did appear to have CIA-related talk, and the code name "Olympus" was used to summon the president. I had been in another part of the building and rushed into the room just in time to hear the tail end of the conversation.

We had the code word that would summon Nixon to the phone. Almost immediately, another friend started to dial the number. I stopped him and recommended that he stack at least four tandems before looping the call to the White House.

Sure enough, the man at the other end said "9337."

My other friend said, "Olympus, please!"

The man at the other end said, "One moment sir!" About a minute later, a man that sounded remarkably like Nixon said, "What's going on?"

My friend said, "We have a crisis here in Los Angeles!"

Nixon said, "What's the nature of the crisis?"

My friend said in a serious tone of voice, "We're out of toilet paper, sir!"

Nixon said, "WHO IS THIS?"

My friend then hung up. We never did learn what happened to that tape, but I think this was one of the funniest pranks — and I don't think that Woz would even come close to this one. I think he was jealous for a long time.

To the best of my recollection, this was about four months before Nixon resigned because of the Watergate crisis.

The Santa Barbara nuclear hoax

General Telephone, once the sole phone service for Santa Barbara, used older equipment. Some calls into certain exchanges got routed through inter-region exchanges. A lot of these used the older 2600 Hz–pulse method of signaling.

One of my phone-phreak friends got the bright idea of dialing out on two lines at once to see what happens. Normally, one line would be busy, and the other one would get through. But sometimes, this would jam the lines on both sides of the trunk but still indicate the trunk was free. In telephone talk, this creates a "glare" condition, where one side glares at the other. Calls coming in would just terminate into emptiness, and the trunk would appear to be free to the trunk selector.

Eventually calls came in that terminated to our phone(s). One of my pranky friends said the following to a caller: "What number are you calling? This is a special operator!" The other person said they were calling Santa Barbara and gave us the number. My friend asked, "What area is that in?" then said, "We've had a nuclear accident in that area, please hang up so we can keep the lines open for emergencies only."

Pretty soon, others called—some reporters and other official types. When calls really started to pour in, we broke the connection.

That next day, the Los Angeles Times carried a short news article headlined "Nuclear hoax in Santa Barbara." The text explained how authorities were freaked out and how puzzled they were. The phone company commented, "We don't really know how this happened, but it cleared right up!" Five years later, Santa Barbara replaced that old faulty equipment with newer electronic systems.

The President's secret

Recently, a telephone fanatic in the Northwest made an interesting discovery. He was exploring the 804 area code (Virginia) and found that the 840 exchange did something strange. In all of the cases except one, he would get a recording as if the exchange didn't exist. However, if he dialed 804-840 followed by four rather predictable numbers, he got a ring!

After one or two rings, somebody picked up. Being experienced at this kind of thing, he could tell that the call didn't "supe," that is, no charges were being incurred for calling this number. (Calls that get you to an error message or a special operator generally don't supervise.) A female voice with a hint of a southern accent said, "Operator, can I help you?"

"Yes," he said, "What number have I reached?"

"What number did you dial, sir?"

He made up a number that was similar.

"I'm sorry. That is not the number you reached." Click.

He was fascinated. What in the world was this? He knew he was going to call back, but before he did, he tried some more experiments. He tried the 840 exchange in several other area codes. In some, it came up as a valid exchange. In others, exactly the same thing happened—the same last four digits, the same southern belle.

He later noticed that the areas where the number worked were located in a beeline from Washington, DC, to Pittsburgh, Pennsylvania. He called back from a pay phone.

"Operator, can I help you?"

"Yes, this is the phone company. I'm testing this line and we don't seem to have an identification on your circuit. What office is this, please?"

"What number are you trying to reach?"

"I'm not trying to reach any number. I'm trying to identify this circuit."

"I'm sorry, I can't help you."

"Ma'am, if I don't get an ID on this line, I'll have to disconnect it. We show no record of it here."

"Hold on a moment, sir."

After about a minute, she came back. "Sir, I can have someone speak to you. Would you give me your number, please?"

He had anticipated this and had the pay phone number ready. After he gave it, she said, "Mr. XXX will get right back to you."

"Thanks." He hung up the phone. It rang. INSTANTLY! "Oh my God," he thought, "They weren't asking for my number — they were confirming it!"

"Hello," he said, trying to sound authoritative.

"This is Mr. XXX. Did you just make an inquiry to my office concerning a phone number?"

"Yes. I need an identi- . . ."

"What you need is advice. Don't ever call that number again. Forget you ever knew it."

At this point my friend got so nervous he just hung up. He expected to hear the phone ring again, but it didn't.

Over the next few days, he racked his brains trying to figure out what the number was. He knew it was something big — so big that the number was programmed into every central office in the country. He knew this because if he tried to dial any other number in that exchange, he'd get a local error message, as if the exchange didn't exist.

It finally came to him. He had an uncle who worked in a federal agency. If, as he suspected, this was government related, his uncle could probably find out what it was. He asked the next day and his uncle promised to look into it.

When they met again, his uncle was livid. He was trembling. "Where did you get that number?" he shouted. "Do you know I almost got fired for asking about it? They kept wanting to know where I got it!"

Our friend couldn't contain his excitement. "What is it?" he pleaded. "What's the number?"

"IT'S THE PRESIDENT'S BOMB SHELTER!"

He never called the number after that. He knew that he could probably cause quite a bit of excitement by calling the number and saying something like, "The weather's not good in Washington. We're coming over for a visit." But my friend was smart. He knew that there were some things that were better unsaid and undone.

Getting Started

To start phone phreaking, you need access to a telephone other than your personal phone. Phreaking from your own phone will not only cost you in phone charges, but also provide the telephone company with a convenient way to track you by tracing your phone line. To be a true phone phreak, you need access to the telephone system and a way not to get billed.

"Shoulder Surfing" Calling Card Numbers

The crudest level of phreaking is known as shoulder surfing, which is simply looking over another person's shoulder who is typing in a calling card number at a public pay phone.

The prime locations for shoulder surfing are airports, because travelers are more likely to use calling cards rather than spare change to make a call. Given the hectic nature of a typical large airport, few people will notice someone peering over their shoulder while they punch in their calling card number, or listening in as they give it to an operator.

Once you have another person's calling card number, you can charge as many calls as you can to it until the victim receives the next billing statement and notices your mysterious phone calls. As soon as the victim notifies the phone company, they will usually cancel that calling card number, and you'll have to steal a new calling card number. Since it is theft, true phone phreakers look down on calling card number stealing as an activity unworthy of anyone but common thieves and juvenile delinquents.

Telephone Color Boxes

The simplest method to access the telephone system anonymously is through a pay phone, and one of the earliest ways phone phreaks learned to manipulate the telephone system was through telephone "color boxes." These boxes emit special tones or physically alter the wiring on the phone line, allowing anyone to make free phone calls, reroute phone lines, or otherwise raise havoc with the phone system.

Although the Internet abounds with different instructions and plans for building various telephone color boxes, just remember that many of them no longer work with today's phone system—although they might work in other countries or in rural areas. To satisfy your curiosity, though, here are some descriptions of various color boxes that others have made and used in the past. But first, a warning from a phone phreaker regarding the legality of building and using such boxes:

You have received this information courtesy of neXus. We do not claim to be hackers, phreaks, pirates, traitors, etc. We only believe that an alternative to making certain info/ideas illegal as a means to keep people from doing bad things is to make information free, and educate people how to handle free information responsibly. Please think and act responsibly. Don't get cocky, don't get pushy. There is always gonna be someone out there that can kick your ass. Remember that.

Aqua box

The surest way to catch a phone phreak is to trace his phone calls. One technique the FBI uses is called a Lock-in-Trace, which allows the FBI to tap into a phone line much like a three-way call connection. Because every phone connection is held open by electricity, the Lock-in-Trace device simply cuts into a phone line and generates the same voltage as when the phone line is being used. The moment you hang up, the Lock-in-Trace device maintains the voltage of the phone line as if the phone were still in use, thus allowing the FBI (or anyone else) to continue tracing the origin of a particular phone call.

The aqua box simply lowers the voltage level on a phone line, preventing the Lock-in-Trace device from maintaining the necessary voltage to keep the line open (and possibly even shorting out the Lock-in-Trace device itself). It should block any attempt by the FBI (or anyone else) to trace your phone call.

Beige box

A beige box mimics a lineman's handset, which means that you can do anything a telephone company lineman can. Just open up any of the telephone company's protective metal boxes (usually found on a street corner), attach your beige box to an existing phone line (preferably not your own, which would defeat the whole purpose of the beige box), and you can make free long-distance calls at your neighbor's expense or eavesdrop on their calls.

Black box

Before you receive a phone call, the voltage in your phone line is zero. The moment someone calls you and the phone starts ringing, the voltage jumps to 48V. As soon as you pick up the phone, it drops to 10V, and the phone company starts billing the calling party.

A black box keeps the voltage on your phone line at a steady 36 volts so that it never drops low enough to signal the phone company to start billing—incoming callers never get billed for talking to you.

Cheese box

A cheese box tricks the phone company into thinking that your ordinary phone is actually a pay phone that can make outgoing calls but can't accept incoming calls. Cheese boxes were supposedly invented by bookies as a way of making calls to people while making it impossible for others (such as the police) to call them.

Crimson box

A crimson box is a device that lets you put someone on hold so that they can't hear you but you can still hear them. Great for listening to what telemarketers say to their co-workers when they think you're not listening.

Lunch box

The lunch box connects to an ordinary phone and turns that phone into a transmitter. That way you can use a receiver and eavesdrop on other people's phone calls while listening from a safe distance away.

Red box

Each time you drop a coin into a pay phone, the pay phone sends a tone over the line. When you toss in enough coins, the telephone company opens up the line so you can place a call. The red box simply generates the same tones that the pay phone generates when it receives a coin. By playing the tones from a red box into the mouthpiece of a pay phone, you can fool the phone company into thinking that you dropped coins into the pay phone, thus allowing you to make a free phone call.

Many of the above color boxes were developed to work with older phone systems, which means they may not work with your phone system. Of course, if you happen to live somewhere remote that hasn't updated its phone system, or if you're living in a country that still uses obsolete telephone equipment, you might experience better results. Since phone phreaking is about experimenting, you could try these telephone color boxes at your own risk and see what happens.

Color Box Programs

To make a telephone color box, you often needed to solder or connect different wires together. But with the popularity of personal computers, people soon wrote programs to mimic the different telephone color boxes (see Figure 9-1). By running a telephone color box program on a laptop computer, you can experiment with the phone system from any pay phone in the world.

Figure 9-1: With the right program, any computer can be turned into a telephone color box. (Screenshot of a computer telephone color box program.)

Of course, personal computers aren't the only tools available to phone phreaks. If you visit the Hack Canada (http://www.hackcanada.com) Web site, not only can you learn about hacking the Canadian phone system, but you can also download the source code to telephone color box programs (dubbed RedPalm) that run on a PalmPilot handheld computer.

By using the RedPalm program, you can make your PalmPilot emit tones that mimic the sounds made when you put real money into a Canadian payphone. The tones make the pay phone respond as if you had dropped in a nickel, dime, or quarter, letting you make phone calls for free.

In addition to using a personal computer or PalmPilot to run telephone boxing programs, a group of hackers calling themselves TeamKNOx has released a program called PhreakBoy, which mimics red and blue telephone boxes and includes C source code. The PhreakBoy program even runs on Nintendo GameBoy systems.

War Dialers and Prank Programs

Besides writing programs to mimic telephone calling boxes, phone phreakers have also created special programs called war dialers or demon dialers. War dialers are an old, but still effective, method for breaking into another computer (see Figure 9-2).

Figure 9-2: A war dialing program relentlessly dials phone numbers, looking for answering modems that reveal a possible entrance into a computer. (Screenshot of a war dialing program.)
War dialers work by hunting for telephone lines connected to a modem and a computer, which means that every person, corporation, and organization is a potential target. Because most people don't advertise their modem numbers, war dialers dial a range of phone numbers and keep track of any of the dialed numbers that respond with the familiar whine of a computer modem. A hacker can then use this list and dial each number individually to determine what type of computer he has reached and how he might be able to break into it.

For example, many businesses have special phone lines that allow traveling employees to control their desktop computers with their laptop computers and special remote-control software, such as pcAnywhere, RapidRemote, or CarbonCopy. If a hacker finds this special phone number and uses a copy of the same remote-control software, guess what? With the right password, the hacker can take over the desktop computer too and then erase or copy all of its files.

Since war dialers can dial a number over and over again, they can also be used to harass people. Some of the more unusual harassment programs include a pager program that repeatedly dials a victim's pager number and randomly types in a phone number. Other phone harassment programs dial a single number over and over again at random intervals or play a computer-generated voice to insult a caller the moment he or she picks up the phone. (Just remember that with caller ID, available in most parts of the country, a victim can track your phone number, so it's not a good idea to call from any phone number that can be traced back to you.)

Voice Mailbox Hacking

Voice mail is the corporate alternative to answering machines. Rather than give each employee a separate answering machine, voice mail provides multiple mailboxes on a single machine. Because a voice mail system is nothing more than a programmable computer, phone phreaks quickly found a way to set up their own private voice mailboxes buried within a legitimate voice mailbox system.

The first step in hacking a voice mail system is finding the system's phone number — something a war dialer can do for you. (Many voice mailboxes even have toll-free numbers, so don't forget to scan those numbers too.) If you have legitimate access to a voice mail system, you could practice hacking into it so you have a better idea of what to expect when you work on somebody else's.

When you call a voice mail system, you might have to press a special key, such as * or #. Then a recording will usually ask for a valid mailbox number, typically three or four digits. After choosing a mailbox number, you'll need a password to access the mailbox, play back messages, or record your own messages.

People will usually choose a password that's easy to remember (and easy to guess). Some people base their password on their mailbox number, so try typing the mailbox number itself or backward (if the mailbox number is 2108, try 8012 as the password). Other people might use a password that consists of a repeated number (such as 3333) or a simple series (6789).

Once you manage to guess a password, you'll have free access to the voice mailbox, which means you can play back or erase any stored messages. Of course, if you start erasing somebody's messages, they'll notice fairly quickly and get the system administrator to change the password to lock you out again.

Most voice mail systems have several empty mailboxes, either leftovers from previous employees or extra capacity for anticipated newcomers. Voice mailbox hackers simply hunt around a voice mailbox system until they find an unused mailbox that they can claim for themselves.
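From the administrator's side, the two weaknesses this section describes (guessable mailbox passwords and enabled mailboxes that nobody owns) are easy to audit. The following is an added example, not code from the book or from any voice mail vendor; the mailbox data layout, the minimum PIN length and the sample mailboxes are constructed assumptions.

```python
"""Voice mail mailbox audit.

Added example (not from the book): it applies the guessability rules the
chapter describes (mailbox number itself or reversed, a repeated digit, a
simple series) to a list of mailboxes, and also flags enabled mailboxes with
no owner, the ones an intruder would claim. Data shapes, the four-digit
minimum and the sample mailboxes below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Verdict:
    mailbox: str
    owner: Optional[str]
    pin: str
    reasons: list = field(default_factory=list)

    @property
    def accepted(self) -> bool:
        return not self.reasons


def is_simple_series(digits: str) -> bool:
    """True for runs of consecutive digits, ascending or descending (6789, 4321)."""
    if len(digits) < 3:
        return False
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def pin_weaknesses(pin: str, mailbox: str, min_length: int = 4) -> list:
    """Return the reasons a PIN is guessable for this mailbox (empty list if none)."""
    reasons = []
    if not pin.isdigit():
        reasons.append("contains non-digit characters")
        return reasons  # the remaining checks assume digits only
    if len(pin) < min_length:
        reasons.append(f"shorter than {min_length} digits")
    if pin == mailbox:
        reasons.append("equals the mailbox number")
    if pin == mailbox[::-1]:
        reasons.append("is the mailbox number reversed")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    if is_simple_series(pin):
        reasons.append("simple digit series")
    return reasons


def audit_mailbox(mailbox: str, owner: Optional[str], pin: str) -> Verdict:
    """Check one mailbox: an unowned but enabled box is rejected outright."""
    v = Verdict(mailbox, owner, pin)
    if owner is None:
        v.reasons.append("enabled but unassigned; disable until a user is added")
    v.reasons.extend(pin_weaknesses(pin, mailbox))
    return v


def audit_system(mailboxes: dict) -> dict:
    """mailboxes maps box number -> (owner or None, pin); returns only the rejects."""
    results = {box: audit_mailbox(box, owner, pin)
               for box, (owner, pin) in mailboxes.items()}
    return {box: v for box, v in results.items() if not v.accepted}


# Constructed sample: a small system showing each weakness the chapter lists.
SAMPLE_MAILBOXES = {
    "2108": ("avery", "8012"),   # mailbox number reversed
    "3104": ("blake", "3333"),   # repeated digit
    "4412": ("casey", "6789"),   # simple series
    "5001": ("devon", "5001"),   # equals the mailbox number
    "5002": (None, "7391"),      # leftover mailbox nobody owns
    "2777": ("emery", "4917"),   # acceptable
}

if __name__ == "__main__":
    for box, verdict in audit_system(SAMPLE_MAILBOXES).items():
        print(box, "->", "; ".join(verdict.reasons))
```

Run against a real export of mailbox numbers, owners and PINs, the rejected set is the list of boxes to reset or disable before someone else claims them.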

After they've claimed a voice mailbox, hackers can send and retrieve messages from their buddies all over the world. Many companies are providing mailboxes for hackers without even knowing it while other companies ignore or tolerate this minor transgression. As long as the hackers don't mess up the voice mail system for legitimate users, it's often cheaper just to pretend they don't exist on the system at all.

Cellular Phone Fraud and TV Satellite Descrambling

With the introduction of cellular phones, a whole new realm has opened up for phreaks. Unlike a beige box, which requires a physical connection to make a free call on an existing phone line, cellular phone theft requires only a radio scanner.

Even when your cellular phone isn't in use, it must constantly transmit its electronic serial number (ESN) and mobile identification number (MIN) so the cellular network knows where to send an incoming call. With a radio scanner and additional data-capture equipment, a thief can capture and store the ESN and MIN of a legitimate cellular phone. Later, the thief can program the stolen ESN and MIN into another cellular phone. All calls made from this "cloned" cellular phone now get billed to the victim's cellular phone.

(The cellular phone equivalent of shoulder surfing calling card numbers is to sign up for cellular phone service using a fraudulent name. Then just use the service until the cellular phone company cuts you off for nonpayment.)

To prevent cellular phone "cloning," phone companies now use encryption. When a user makes a call with these newer cellular phones, the cellular network asks for a special code. Legitimate cellular phones will be able to supply the proper authentication code; cloned cellular phones will not.

Cable and satellite TV companies face a similar problem: Cable and satellite TV broadcasts often get intercepted by people using special receivers and descramblers. By browsing the Internet, you can even find companies that sell plans, instructions, and actual kits for building your own cable or satellite TV descrambler (for educational or legitimate purposes only, of course!).

To buy cable or TV satellite descrambler equipment, kits, or instructions, visit one of the following Web sites: http://www.acelectronics.com, http://www.cable-tv-descramblers.net, or http://www.covertelectronics.net.

The corporations continue to develop more sophisticated methods for protecting their broadcasts, and the video pirates always come up with new methods for cracking the protection schemes. Video pirates often claim that if the broadcasting companies lowered their prices, fewer people would steal their services. Broadcasting corporations make the counter-claim that the cost of fighting the pirates keeps prices artificially high.

The question is, if video pirates and cellular phone cloners disappeared overnight, would corporations lower their prices? If you think so, then perhaps video pirates and cellular phone thieves deserve to be caught. But if you think that corporations would keep their prices the same whether they had to absorb the cost of fighting thieves or not, then video pirates and cellular phone thieves might be considered modern-day Robin Hoods after all.

Be careful if you steal service from the telephone or cable TV companies. Stealing service for yourself is enough to earn you a free trip to the police station, but if you get greedy and try to resell the service to other people, you're really asking for trouble.

Of course, if your government restricts the flow of information, stealing from the telephone and cable TV companies may be the only way to communicate with others and receive news from the rest of the world. Ultimately, you have to decide if you're breaking the law out of greed or rebellion against unfair government laws. And take the consequences.
