Content:
Disclaimer
1. Abstract
2. The Underground
2.1 The Technical Equipment
2.1.1 Red Box, Blue Box and other boxes
2.1.1.1 The Blue Box
2.1.2 War Dialer
2.1.3 Modem
2.1.4 Legal Tone Dialer
2.1.5 Lock Picks
2.1.6 Scanner
3. Potential Targets
3.1 Dial-In Lines with Modem
3.1.1 Countermeasures
3.2 Toll Free Numbers
3.2.1 Toll Free Number for Marketing Purposes
3.2.2 Toll Free Numbers with Dial Out Lines
3.3 Voice Mailbox Systems
3.4 Cellular Phone Fraud
3.4.1 Cellular Telephone ESN Emulation
3.4.2 How to cheat
3.4.3 Legal Emulation
3.4.4 The GSM Standard
3.5 Wireless Phones
3.6 Pager Systems
3.7 Shoulder Surfing
3.8 Answering Machines
4. How/where do they get their Information?
4.1 Social Engineering
4.2 Trashing
4.3 Underground Publications
4.4 World-wide Computer Networks
4.5 Internal Computer Networks of Telecom Companies
5. Conclusions
Copyrights
Telecommunication Security
The material presented in this document is
implicitly copyrighted under various national and international laws and
is for information purposes only.
Information in this document is subject
to change without notice and does not represent a commitment on the part
of Fuhs Security Consultants.
No part of this publication may be reproduced,
stored in a retrieval system, or transmitted in any form or by any means
electronic or mechanical, including photocopying and recording for any
purpose or published by Magazines, Journals or any other professional non-profit
or profit organization in any form, without prior written permission from
Howard Fuhs.
1. ABSTRACT
Everybody is discussing data security, computer
security and anti-virus measures to make certain that systems and data
remain clean and safe. Companies spend considerable amounts of money and
time on data security experts, fail-safe plans, security hardware and software,
but often forget a major leak in their security plans: telecommunication
security.
Many companies argue that the local telecom
company is responsible for telecom security, and at first sight they are
right.
But the problem of telecom security is
more complex than even the telecom companies will admit. Government-operated
telecom companies in particular have a tendency to take telecom security
somewhat lightly, and it can happen that they will not believe you even
if you can demonstrate the weaknesses of their systems (this actually did
happen in Germany). Their official statement is always: "Our system is
secure and not vulnerable".
If the lines and switching systems are
vulnerable, it is the responsibility of the telecom company to correct
this. The average telecom customer has little or no influence on this level
of security, but what about telephone equipment owned and operated by other
companies? This type of equipment is also vulnerable, in many cases more
vulnerable than telecom lines and switching systems. In this case it is
the responsibility of the company owning the equipment to prevent misuse
of the installed system or network. Most companies do not even know that
their telecom equipment is vulnerable. To close that security gap it is
necessary to know which techniques to use and whom to deal with.
People who try to break the security of telecom
systems call themselves "phreaks" or "phreakers". Phreaks are usually technically
very knowledgeable about telephone systems, and their main intention is
to make calls around the world free of charge.
Whether an individual, the telephone company
or some other company has to pay for their abuse does not concern them.
Phone phreaks often look for companies
operating dial-in lines with modems, toll free numbers or voice mailbox
systems, because they assume that the telephone bill of a company of this
character is so high that the abuse of the system will not be detected
because of a slightly increased bill.
Often phreaks are organised in loose groups
and most of them are trading their secrets over computer networks to other
interested phreaks. This means that if someone discovers a new and interesting
or challenging telephone number, information about it is often spread all
over Europe within 24 hours.
The consequence of dissemination of this
type of information is that an increasing number of phreaks will try to
abuse the published telephone number or telephone system.
If the misuse is only detectable through
an increasing telephone bill, it may go undetected for several months in
the worst cases, depending on the frequency of invoicing used by the utility
supplier.
2. THE UNDERGROUND
2.1 THE TECHNICAL EQUIPMENT
The computer underground, in this context better
known as the phreakers, uses a wide variety of electronic gadgets, gizmos
and devices to abuse telecom equipment and lines, to manipulate switching
systems and to break through digital firewalls. Knowledge of these devices
is very important for company security staff, because they must know what
to look for.
2.1.1 RED BOX, BLUE BOX AND OTHER BOXES
All these colourfully named boxes are devices
designed to cheat telecom equipment. Most of them are (sometimes modified)
tone diallers or self-made electronic devices, all having several functions.
To obtain free calls from public phone booths, one type is able
to emulate the insertion of a coin (works only in the USA); another box
can emulate the audible code signals used to communicate between switching
systems or to switch the telephone line into special modes (which differ
from system to system) for maintenance staff, who normally have more privileges
in a telecom switching system than ordinary users. Boxes are also available
to send a false caller ID to telecom equipment used to display the telephone
number of the caller.
Also most private telecom equipment may
be programmed by means of such a tone-dialler or box. The consequence is
that a phreaker is able to alter the program and thus work mode of telecom
equipment in a company from a remote location.
All these types of boxes are described
in underground publications, and they are relatively easy to build or to
modify.
A serious legal problem in connection with
these boxes is that their use is not traceable under normal circumstances.
The phreaker is over 98% sure not to get caught. Even if he should get
caught it is hard to produce legal evidence proving his abuse of telecom
lines and equipment.
In most cases an expert is needed to identify
a suspicious device as being in fact a box intended to misuse telecom lines.
Possession of such devices is only illegal in a few countries (USA, Canada).
2.1.1.1 THE BLUE BOX
The information given in this chapter is
absolutely out of date and is provided here for information purposes only.
The "blue box" was so named because of
the color of the first one found. The design and hardware used in the blue
box is fairly sophisticated, and its size varies from a large piece of
equipment to the size of a pack of cigarettes.
The blue box contains 12 or 13 buttons
or switches that emit multi-frequency tones characteristic of the tones
used in the normal operation of the telephone toll (long distance) switching
network.
The blue box enables the user to place
free long distance calls by circumventing toll billing equipment. The
blue box may be directly connected to a phone line, or it may be acoustically
coupled to a telephone handset by placing the blue box's speaker next to
the transmitter of the telephone handset.
To understand the nature of a fraudulent
blue box call, it is necessary to understand the basic operation of the
direct distance dialing (DDD) telephone network. When a DDD call is properly
originated, the calling number is identified as an integral part of establishing
the connection. This may be done either automatically or, in some cases,
by an operator asking the calling party for his telephone number. This
information is entered on a tape in the automatic message accounting (AMA)
office. This tape also contains the number assigned to the trunk line over
which the call is to be sent. The information relating to the call contained
on the tape includes: called number identification, time of origination
of the call, an indication that the called number answered the call, and the
time of disconnect at the end of the call.
Although the tape contains information with respect
to many different calls, the various data entries with respect to a single
call are eventually correlated to provide billing information for use by the
Bell company's accounting department.
The typical blue box user usually dials
a number that will route the call into the telephone network without charge.
For example, the user will very often call a well-known INWATS (toll-free)
customer's number. The blue box user, after gaining this access to the
network and, in effect, "seizing" control and complete dominion over the
line, operates a key on the blue box which emits a 2600 hertz (cycles per
second) tone. This tone causes the switching equipment to release the connection
to the INWATS customer's line. The 2600 Hz tone is a signal that the calling
party has hung up. The blue box simulates this condition. However, in fact
the local trunk on the calling party's end is still connected to the toll
network. The blue box user now operates the "KP" (key pulse) key on the
blue box to notify the toll switching equipment that switching signals
are about to be emitted. The user then pushes the "number" buttons on the
blue box corresponding to the telephone number being called. After doing so
he/she uses the "ST" (start) key to tell the switching equipment that signalling
is complete. If the call is completed, only the portion of the original
call prior to the "blast" of 2600 Hz tone is recorded on the AMA tape. The
tones emitted by the blue box are not recorded on the AMA tape.
Although the above is a description of
a typical blue box call using a common way of getting into the network,
the operation of a blue box may vary in any one or all of the following
respects:
(A) The blue box may include a rotary dial
to apply the 2600 Hz tone and the switching signals. This type of blue box
is called a "dial pulser" or "rotary SF" blue box.
(B) Getting into the DDD toll network may
be done by calling any other toll-free number such as universal directory assistance
(555-1212) or any number in the INWATS network, either inter-state or intrastate,
working or non-working.
(C) Entrance into the DDD toll network
may also be in the form of "short haul" calling. A "short haul" call is
a call to any number which will result in a lesser amount of toll charges than
the charges for the call to be completed by the blue box. For example,
a call to Birmingham from Atlanta may cost $.80 for the first 3 minutes
while a call from Atlanta to Los Angeles is $1.85 for 3 minutes. Thus,
a short haul, 3-minute call to Birmingham from Atlanta, switched by use
of a blue box to Los Angeles, would result in a net fraud of $1.05 for
a 3 minute call.
(D) A blue box may be wired into the telephone
line or acoustically coupled by placing the speaker of the blue box near
the transmitter of the phone handset. The blue box may even be built inside
a regular touch-tone phone, using the phone's pushbuttons for the blue
box's signalling tones.
(E) A magnetic tape recording may be used
to record the blue box tones for certain phone numbers. This way,
it is less conspicuous to use, since you just make it look like a Walkman
or whatever, instead of a box.
All blue boxes, except "dial pulse" or
"rotary SF" blue boxes, must have the following 4 common operating capabilities:
(A) It must have signalling capability
in the form of a 2600 Hz tone. This tone is used by the toll network to
indicate, either by its presence or its absence, an "on hook" (idle) or
"off hook" (busy) condition of the trunk.
(B) The blue box must have a "KP" tone
that unlocks or readies the multi-frequency receiver at the called end
to receive the tones corresponding to the called phone number.
(C) The typical blue box must be able to emit MF tones which are used to transmit
phone numbers over the toll network. Each digit of a phone number is represented
by a combination of 2 tones. For example, the digit 2 is transmitted
by a combination of 700 Hz and 1100 Hz.
(D) The blue box must have an "ST" key
which consists of a combination of 2 tones that tell the equipment at the
called end that all digits have been sent and that the equipment should
start switching the call to the called number.
The "dial pulser" or "rotary SF" blue box
requires only a dial with a signalling capability to produce a 2600 Hz tone.
The most common form of signaling between toll offices uses multifrequency
tones (MF). Multifrequency signaling uses six frequencies placed in that
part of the voice spectrum where different channels have the smallest deviation
in loss. In the Bell System the frequencies used are 700, 900, 1100, 1300,
1500, and 1700 Hz. Digits are coded as two out of the first five of these
frequencies and are sent between start-of-digit-transmission and end-of-digit-transmission
codes.
The MF signals are sent over the normal
voice channels and are transmitted like speech. They may be sent either
by a switchboard operator or by automatic equipment. The reader may possibly
have heard these interoffice signals. On some systems the operator's signaling
is occasionally audible, and sometimes the automatic signaling can be faintly
heard due to crosstalk.
The quiet listener may hear a faraway
flurry of faint discordant notes. The frequency 2600 Hz is transmitted
continuously on all voice channels between toll offices when the channel
is free. This frequency also acts as a disconnect signal, indicating that
the voice channel should return to its unused status. When the subscriber
dials the number it reaches his local central office and possibly toll
office by DC pulsing (unless touch-tone dialing was used). The toll office
selects a free voice channel in an appropriate trunk and stops the 2600 Hz tone.
The office at the end of that trunk detects the break in the 2600 Hz signal
and is alerted to receive a toll telephone number. The number
is sent in the MF code listed above. One toll office passes the number
to another until the called central office is reached. The central office
rings the called telephone. When either party replaces his receiver the
call is disconnected and the toll offices tell each other this by transmitting
the 2600 Hz tone again. It is possible to interfere with the telephone
trunking mechanism by transmitting the 2600 Hz tone from the subscriber's
telephone.
An AT&T story has it that a New York
shirt manufacturer once broke his front tooth in such a way that he transmitted
a brief 2600 Hz whistle every time he said the word "shirt" on the telephone.
An Eastern airline office in Atlanta was plagued by telephone disconnects
for seven years and then discovered that they were caused by the shrieks
of exotic birds in the hotel lobby cocktail lounge. Captain Crunch breakfast
cereal packets were once delivered with a toy whistle which produced a
pure 2600 Hz tone. A brief 2600 Hz tone received by a toll office causes
it to free the voice channel in question and place a 2600 Hz tone on the
channel to the next toll office.
A blue box call is started by placing
a long distance call in the normal way either to a free number (information
or a valid 800 series number) or else to a close-by destination which is
cheap to call. This is the call which will appear on the CAMA tape. Once
dialing is completed, your nearby tandem (toll office) routes the call
to the tandem office at the destination, possibly through intermediate
tandems along the way. As soon as you hear ringing from the other end,
you feed 2600 Hz into your phone for one second. Your local CO (central
office) is unaccustomed to getting 2600 Hz and so simply ignores it, but
passes it on to the nearby tandem. This tandem can recognize 2600 Hz as a
disconnect idle from other tandems, but is not built to react to the signal
coming from a CO, so it ignores it and passes it on.
But the next tandem, thinking you hung
up, cancels the call. This leaves you hanging, still connected to a toll
line between tandems. After one second of 2600 Hz, you remove it. The distant
tandem now sees that the line is no longer idle, and so it connects an
incoming sender. As soon as you hear the click signifying this, you have
ten seconds to dial the desired number, preceded by KP and followed by
ST. When the number answers, a signal is sent back and the CAMA tape punched
to indicate the connection time. At the end of the call, the CAMA tape
is again punched with your number, the time and the number you originally
dialed. This is the call and time for which you will be billed (unless
it is free), and the number actually reached with the blue box is not recorded.
Because of the widespread use of 2600 Hz detectors and ESS (electronic
switching systems) which can trace in seconds, blue boxing is a high risk
method of phreaking if it is made from the personal phone.
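A defender-side check of the kind the 2600 Hz detectors mentioned above perform, written as an added example for this page (not code from the original article): a Goertzel filter measures how much of each 20 ms frame of line audio sits at 2600 Hz, and only a sustained burst is reported, so a momentary whistle or bird shriek is ignored while a deliberate one-second blast is flagged. The sample rate, frame size, thresholds and the constructed test audio are all assumptions of the example.

```python
import math

SAMPLE_RATE = 8000      # telephone-band audio, samples per second (assumed)
FRAME = 160             # 20 ms analysis frames at 8 kHz
SF_TONE_HZ = 2600.0     # single-frequency supervisory tone discussed on the page


def goertzel_power(frame, target_hz, sample_rate=SAMPLE_RATE):
    """Squared magnitude of one DFT bin, computed with the Goertzel algorithm."""
    n = len(frame)
    k = int(0.5 + n * target_hz / sample_rate)   # nearest bin index
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in frame:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def tone_fraction(frame, target_hz):
    """Share of the frame's energy that sits in the target bin (1.0 = pure tone)."""
    total = sum(x * x for x in frame)
    if total == 0.0:
        return 0.0
    # For a pure tone of amplitude A, bin power is (A*N/2)^2 and energy is A^2*N/2,
    # so dividing by total*N/2 normalises a clean tone to 1.0.
    return goertzel_power(frame, target_hz) / (total * len(frame) / 2.0)


def detect_sf_bursts(samples, min_ms=100, ratio=0.6):
    """Return (start_ms, end_ms) for each sustained burst of 2600 Hz.

    A frame counts as 'tone present' when at least `ratio` of its energy is
    in the 2600 Hz bin. A burst is reported only once it has lasted `min_ms`,
    so a brief whistle that grazes 2600 Hz is not reported, while a
    deliberate one-second blast is.
    """
    frame_ms = 1000 * FRAME // SAMPLE_RATE
    min_frames = max(1, min_ms // frame_ms)
    bursts, run_start, n_frames = [], None, 0
    for idx, start in enumerate(range(0, len(samples) - FRAME + 1, FRAME)):
        present = tone_fraction(samples[start:start + FRAME], SF_TONE_HZ) >= ratio
        if present and run_start is None:
            run_start = idx
        elif not present and run_start is not None:
            if idx - run_start >= min_frames:
                bursts.append((run_start * frame_ms, idx * frame_ms))
            run_start = None
        n_frames = idx + 1
    if run_start is not None and n_frames - run_start >= min_frames:
        bursts.append((run_start * frame_ms, n_frames * frame_ms))
    return bursts


# --- constructed test audio (synthetic, not a real recording) --------------

def tone(freq_hz, ms, amp=0.5):
    n = SAMPLE_RATE * ms // 1000
    return [amp * math.sin(2.0 * math.pi * freq_hz * i / SAMPLE_RATE) for i in range(n)]


def voice_like(ms):
    """Stand-in for speech: three voice-band tones well away from 2600 Hz."""
    parts = [tone(f, ms, 0.3) for f in (450, 1000, 1550)]
    return [sum(v) for v in zip(*parts)]


def build_constructed_call():
    """0.5 s talk, 1.0 s of 2600 Hz, 0.5 s talk, a 20 ms 2600 Hz blip, 0.48 s talk."""
    return (voice_like(500) + tone(SF_TONE_HZ, 1000) + voice_like(500)
            + tone(SF_TONE_HZ, 20) + voice_like(480))


if __name__ == "__main__":
    print(detect_sf_bursts(build_constructed_call()))   # [(500, 1500)]
```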
2.1.2 WAR DIALER
A war dialler is a computer program used to
automatically dial all telephone numbers within a range defined by the
phreaker using it. While doing this, the war dialler produces a log file
listing for each individual number who or what picked up the phone (modem,
human, busy, fax, not in use, etc.). Log files of this type, listing interesting
free-call numbers, are regularly posted on some computer networks and thus
made publicly available.
List keepers in nearly every country with
toll free numbers update this type of log file at least on a monthly basis.
In some countries (e.g. the USA) war diallers
are illegal. In one case innocent-looking software was used to hide a war
dialler. A password was simply needed to invoke the hidden function of
the war dialler, and everybody who had seen the movie "War games" knew
the password (the name of Prof. Falken's son).
2.1.3 MODEM
A modem is a widespread hardware device and
not primarily intended to be used for something illegal. In most cases,
however, a modem may be used to war-dial numbers without a special war-dial
program, and without technical alterations it can also emulate tones which
can be used to cheat switching systems. A modem is also necessary to hack
computer systems etc.
2.1.4 LEGAL TONE DIALER
A legal tone dialer is a small device which
is usually delivered together with an answering machine for remote control.
It looks like a small pocket calculator and has the capability to store
a lot of phone numbers together with the names and addresses of the people.
Even these legal tone dialers are able to cheat a telephone system.
For a long period of time it was possible
in Germany to make phone calls from a public pay phone without paying for
the call. You just lifted the handset and dialled the number using the
tone dial device, and you got your connection. The weakness of that pay
phone system was that a coin needed to be inserted in order to enable the
keypad of the pay phone. Thus, when you did not need the keypad to dial
the number, no coin was needed and the security system was circumvented
in a very easy manner.
Completely legal tone dial devices can
be altered to produce the tones needed to cheat the switching system. A
Radio Shack dialler was alterable in such a way, for instance. The only
thing needed was to replace a crystal used to define the tone frequencies
and it was possible to transmit the tones needed for communication between
two switching sites.
2.1.5 LOCK PICKS
"What do lock picks have to do with telecom
misuse?", you will ask. A lot, as will be demonstrated! It is very interesting
to see that a lot of phreakers (especially in America) are skilled lock
pickers. Even telecom companies are getting wise and have begun to lock
up all kinds of telecom cable boxes and small switching stations situated
in public areas and not under constant surveillance.
However, our enterprising phreaker occasionally
needs access to this type of installation, and if he were to use a device
that damages the lock, everybody would know at first sight that someone
broke into the installation. Destroying the lock also means making noise,
which could attract curious bystanders or even (worst case for the phreaker)
the police. A lock picking set is not going to ruin your budget. It takes
a lot of practice to use, and it opens nearly every cheap and/or simply
designed lock.
For organisations and companies it is mandatory
to choose the best locks available, even if they are more expensive than
simple ones. It only takes a few design changes to make a lock unpickable.
This forces the phreaker to destroy the lock (thereby making the violation
evident) or to give up. For advice or support contact a security expert
or a professional locksmith.
Once the phreaker has gained physical access
to the installation he is able to install any kind of cheating device,
call diverters, remote switches or even a wiretapping device or small transmitter.
Owning lock picks is not illegal, but using
lock picks to gain unauthorised access of course is.
2.1.6 SCANNER
Radio scanners are mainly used to find and
listen to different frequencies in use. A modern scanner not larger than
a pack of cigarettes can cover a frequency range from a few kHz up to 5
GHz. Scanners can be used to find the working frequencies of cordless phones
or to listen to wiretapping devices. Many journalists are equipped with
scanners to check the frequencies of police and fire departments.
According to an EU regulation, the ownership
of a scanner is legal. The usage of scanners is regulated in laws which
differ from country to country. It is nearly impossible to prove the misuse
of a scanner in court.
3. POTENTIAL TARGETS
In this chapter it is explained what can
happen to telecom equipment and telecom lines and how to avoid this misuse
of important and expensive company resources.
To prevent phreaking it is mandatory to
know what constitutes the main targets for phreaks, which techniques they
use to sneak around security barriers and which security holes they use.
To prevent this article from becoming a
"Phreaker's Tutorial", the techniques used will only be described in general
terms. This is not a "technical in-depth" article. Some technical facts and
standards differ from country to country. This is not the case with the Euro-ISDN
standard and GSM. If there is an urgent need for technical support or advice
against phreakers, it is strongly recommended to contact security experts
in the field of data and telecom security.
3.1 DIAL-IN LINES WITH MODEM
If a phreaker locates a dial-in telephone
line with a modem, he will probably switch himself into hacker mode and
attempt to hack it, trying to gain access to the company computer system.
If he is not a skilled hacker he will trade his new-found information to
a person with more knowledge.
If he successfully hacks the computer system,
he is often able to alter, copy or delete data, read confidential files,
read private E-Mail, spread viruses or even shut down the whole system. He
will usually look for passwords, network connections or gateways to networks
like the Internet or other world-wide networks and E-Mail services. If
there are any gateways to other networks, he will start using them and
thus increase the usage costs for the particular network. It is very likely
that the hacker/phreaker will use all features of the company computers,
networks and gateways to international networks. The simple reason is that
he does not have to pay for the use.
Even though it may be evident that a hacker/phreaker
has gained access to the corporate computer-network via a telephone line
it is very difficult to find that person.
In cases like this it is necessary to work
together with the local police and the telephone company. The person in
charge of the co-operation between your company and the local authorities
should be your data security specialist. If there is no person in your
company that is able to cope with a problem of this type, it is strongly
recommended to get advice from a professional data security expert. He
knows what to do and has the necessary connections to police and telecom
companies.
The telephone company has the technical
equipment and can obtain permission to trace a telephone call, and line
tracing is the most successful method to detect an intruder. Furthermore,
it produces valuable evidence that can be presented in court. If it is
necessary to install a wiretapping device this must be done by police after
obtaining a warrant.
For a company to take this type of action
itself, would in most cases be a violation of the law and thus very risky
business. Even if the company is able to detect the phreaker, it would
not be able to present the evidence in court, and there would be no possibility
to sue the illegal intruder.
3.1.1 COUNTERMEASURES
The first step to prevent this type of damage
is to close the security gap, e.g. by means of a password program.
This must ask for the name of the user
and for a password. The password should have a minimum length of six characters
and all ASCII and/or ANSI characters should be allowed. The program should
also look for forbidden passwords like "abcde" or "qwertz".
After three attempts to gain access using
an invalid user name or password the program must inform the system administrator
automatically. If the user name is valid but the password is not, the password
program must cancel all access rights for the user who is trying to gain
access with an invalid password.
All users should be educated about how
to choose a secure password or how to build up their own private password
selection scheme. A personal mnemonic scheme like that is very helpful,
because it prevents stupid and easy-to-guess passwords, and keeps valid
passwords from being written on Post-It notes stuck to the monitor.
A password generator can also be helpful.
This type of program generates random passwords, which are difficult to
guess or hack (or remember).
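The password program described above, as an added example (not code from the original article): a policy check that enforces the six-character minimum and rejects keyboard and alphabet runs such as "abcde" or "qwertz", a three-strike gate that informs the administrator and cancels the access rights of a valid user name presented with wrong passwords, and a random password generator. The keyboard rows, the choice to revoke on the third wrong password rather than the first, and the SHA-256 storage of passwords are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import string
from collections import defaultdict

MIN_LENGTH = 6        # minimum password length recommended on the page
MAX_ATTEMPTS = 3      # failed attempts before the administrator is informed

# Alphabet, digits and keyboard rows (US and German layouts) used to reject
# runs such as "abcde" or "qwertz". The set of rows is an assumption of this example.
SEQUENCES = ("qwertzuiop", "qwertyuiop", "asdfghjkl", "yxcvbnm", "zxcvbnm",
             string.ascii_lowercase, string.digits)


def has_sequence_run(password, run=4):
    """True if any `run` consecutive characters follow a keyboard/alphabet row
    forwards or backwards (case-insensitive)."""
    low = password.lower()
    for seq in SEQUENCES:
        for i in range(len(low) - run + 1):
            chunk = low[i:i + run]
            if chunk in seq or chunk in seq[::-1]:
                return True
    return False


def password_problems(password, username=""):
    """Return the policy violations for a candidate password ([] = acceptable).

    Any ASCII/ANSI character is allowed, as the page recommends; the checks
    concern length and easily guessed content only.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    if has_sequence_run(password):
        problems.append("contains a keyboard or alphabet sequence")
    if len(set(password)) < 3:
        problems.append("too few distinct characters")
    return problems


def generate_password(length=10):
    """Random password from printable ASCII, re-drawn until it passes the policy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(candidate):
            return candidate


def _digest(password):
    # Unsalted SHA-256 keeps the example short; a real system would use a
    # salted, deliberately slow password hash.
    return hashlib.sha256(password.encode()).hexdigest()


class DialInGate:
    """User name/password check for a dial-in line with the page's lockout rules."""

    def __init__(self, accounts):
        self.hashes = {user: _digest(pw) for user, pw in accounts.items()}
        self.failed = defaultdict(int)   # failed attempts per presented user name
        self.revoked = set()             # accounts whose access rights were cancelled
        self.admin_alerts = []           # what a real system would send to the administrator

    def login(self, username, password):
        active = username in self.hashes and username not in self.revoked
        if active and hmac.compare_digest(self.hashes[username], _digest(password)):
            self.failed[username] = 0
            return True
        self.failed[username] += 1
        if self.failed[username] >= MAX_ATTEMPTS:
            self.admin_alerts.append("%d failed attempts for user name %r"
                                     % (self.failed[username], username))
            if active:
                # valid user name with wrong passwords: cancel its access rights
                self.revoked.add(username)
                self.admin_alerts.append("access rights cancelled for %r" % username)
        return False
```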
The next step would be to use a call-back device
(integrated in many advanced modems). It functions by allowing users to
call a particular telephone number and type a password to the modem, which
subsequently hangs up. After validating the user name and password the
computer will call the user back, using a fixed telephone number stored either
in the modem or in the computer. The user again has to type the correct password and
is then granted access. For the method to be secure, at least two different
telephone lines should be used in order to place the call-back on a different
line.
Under some circumstances a call-back device
can be circumvented by a skilled phreaker by reprogramming the telecom switching
system.
In modern digital switching systems it
is possible to use the extended services to program a call diverter, so
that when a particular telephone number is dialled, the call is in fact
automatically redirected to a different subscriber. Call diverter functions
are integrated in digital switching systems and Euro-ISDN. Many cases are
known, in which a phreaker has used the call diverter functions to fool
call-back devices and redirect calls to his desired phone number.
One of the most secure ways to prevent
intrusion is a hardware security protocol for caller authentication and
log-in procedure. This modem access control and security hardware is installed
in front of the host modem. Callers need a hardware key, e.g. a dongle,
a chip card or a PCMCIA card installed in their computer, in order to gain
access to the host computer.
This type of modem access control system
first verifies the presence and authenticity of the hardware key. Only
after successful completion of this procedure is the user asked for his
personal password. The described modem access control system is also available
for network access control to verify local users during their log-in procedure
to a network.
To prevent theft of information because
of wiretapping of telephone lines used for data communication, a good modem
access security and control system should be able to scramble and encrypt
the transmitted data. This kind of encryption is most often performed by
an onboard chip and not by software running on the computer system, although
both types are known. This can be a factor of importance, because software
en/decryption slows down a computer system as the number of dial-in lines
is increased.
It is recommended to use all the above
described techniques in combination to prevent illegal intrusion by a phreaker/hacker.
3.2 TOLL FREE NUMBERS
Toll free numbers are a very attractive target
for phreakers, because it costs nothing to call a number like that, incoming
calls being paid for by the company operating the toll free number.
It doesn't even cost anything to scan all
available toll free numbers to find out who or what picks up the phone.
So it is easy to find out which numbers are connected to fax machines,
modems, are not in use, are used in voice mailbox systems, etc.
To perform the scanning, the phreaker needs
about one night and a "war dialler" scanning program as described above.
Toll free numbers can normally be divided
into a few groups with different purposes.
3.2.1 TOLL FREE NUMBER FOR MARKETING PURPOSES
This type of number is normally connected
to a play-back device, which plays a promotion text when called. These
numbers are often promoted in big advertisements in newsletters and journals
and are normally only available for a couple of weeks.
It would be totally wrong to assume a number
like that to be without risk. The following incident happened during a
large German electronics and computer exhibition:
A leading software company advertised a
toll-free number to call for information about the computer virus problem.
Each caller heard a tape with information denouncing ownership and distribution
of illegal copies of software, emphasising the risk of catching a computer
virus. The advertisements were placed in journals normally read by business
people and not by phreakers.
After the number had been propagated by
a phreaker through computer-networks like the FIDO net, more and more people
started to call it with a war-dialler.
The result was a rapidly increasing telephone
bill for the company, because when the war-diallers called the number,
the phone was picked up by the play-back device and the telecom company
added one more call to the bill. The war-diallers hung up the phone a few
seconds later and started to dial the same number again. This unexpected
massive cost overrun forced the software company to shut down the line
after a very short period of time.
In a case such as this nothing can be
done to prevent that kind of misuse.
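Prevention aside, the pattern of such an attack is visible in the company's own call records long before the bill arrives. As an added example (not from the original article), the following detection over constructed call detail records flags callers that place many short calls within a few minutes, and distinguishes a single number being hammered, as in the exhibition incident, from a range of numbers being swept by a war dialler; the record format, the telephone numbers and the thresholds are assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed call detail records for a company's toll-free numbers (not real
# data): timestamp, calling number, called number, call duration in seconds.
SAMPLE_CDR = """\
timestamp,calling,called,duration_s
1995-03-14T09:12:00,03012345678,0130555001,142
1995-03-14T10:40:11,08998765432,0130555001,95
1995-03-14T22:01:05,04055501010,0130555001,6
1995-03-14T22:01:20,04055501010,0130555001,5
1995-03-14T22:01:34,04055501010,0130555001,7
1995-03-14T22:01:50,04055501010,0130555001,6
1995-03-14T22:02:04,04055501010,0130555001,5
1995-03-14T22:02:19,04055501010,0130555001,8
1995-03-14T23:30:00,06919191919,0130555001,4
1995-03-14T23:30:21,06919191919,0130555002,3
1995-03-14T23:30:40,06919191919,0130555003,5
1995-03-14T23:31:02,06919191919,0130555004,4
1995-03-14T23:31:25,06919191919,0130555005,4
1995-03-15T08:05:44,02114444444,0130555003,201
"""


def parse_cdr(text):
    """Parse CSV call records into dicts with a datetime and an integer duration."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "ts": datetime.fromisoformat(row["timestamp"]),
            "calling": row["calling"],
            "called": row["called"],
            "duration": int(row["duration_s"]),
        })
    return records


def max_calls_in_window(times, window):
    """Largest number of calls falling inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def longest_consecutive_run(numbers):
    """Length of the longest run of numerically adjacent dialled numbers."""
    values = sorted({int(n) for n in numbers})
    if not values:
        return 0
    best = run = 1
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_war_dialling(cdr_text, window=timedelta(minutes=10), min_calls=5,
                      max_duration_s=15):
    """Flag callers that place `min_calls` or more short calls inside `window`.

    'redial' = the same number hammered over and over (the exhibition incident);
    'sweep'  = adjacent numbers dialled one after another (a range being scanned).
    """
    short_calls = defaultdict(list)
    for rec in parse_cdr(cdr_text):
        if rec["duration"] <= max_duration_s:   # long calls look like real customers
            short_calls[rec["calling"]].append(rec)
    findings = {}
    for caller, calls in short_calls.items():
        peak = max_calls_in_window([c["ts"] for c in calls], window)
        if peak < min_calls:
            continue
        run = longest_consecutive_run(c["called"] for c in calls)
        findings[caller] = {
            "short_calls": len(calls),
            "peak_in_window": peak,
            "pattern": "sweep" if run >= min_calls else "redial",
        }
    return findings


if __name__ == "__main__":
    for caller, info in find_war_dialling(SAMPLE_CDR).items():
        print(caller, info)
```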
3.2.2 TOLL FREE NUMBER WITH DIAL OUT LINES
A toll-free number with dial-out lines will
attract phreakers like honey attracts a brown bear. These systems are mainly used
to limit expenses in companies whose employees travel extensively. They
make it possible for the employees to reach their company free of charge
(the company pays for the call), and they can place (often world-wide)
calls by means of the dial-out function of the toll-free number. These
calls are debited to the company. Phreakers use the system the same way the
employees do. They route all their calls through a toll-free system with
dial-out lines, because this costs the phreaker nothing. The company thus
targeted has to pay the expenses.
Two things can be done to prevent misuse
of this type of system.
First of all it is mandatory to keep the
toll free number with all its functions secret. Regular users should be
informed on a need-to-know basis. They also should be told to keep the
number secret.
Keeping the number secret, however, does
not mean that it will not be detected by phreakers. Bear in mind that it
costs a phreaker nothing to scan for toll-free numbers on a regular basis
(e.g. each month).
The second thing to do is to secure the
system with individual access codes, which must be entered through the
telephone key-pad. The length of this individual access code must be at least
6 digits.
Currently, most toll-free systems with
dial-out lines are not protected by access codes. Most companies rely on
no strangers calling the toll-free number and attempting to invoke hidden
functions by trial and error. This is a false sense of security. All phreakers
try out things like this, because it costs them no money to mess around
with the system for as long as they want. In principle they have all the
time they want to look for hidden functions. Most of the functions like
dial-out lines are invoked by pressing one single digit on the key-pad.
A few systems use two digits. This is despite the fact that it will only take
a phreaker a few minutes to discover how to (mis)use a toll-free system.
In the worst of cases the toll-free system
even features a voice menu telling callers which options are available
in the system. In this case it is not even necessarty to use trial and
error.
If it is suspected that a phreaker is misusing
a toll-free system with dial-out lines, it is best to contact the police
and take legal action. The police, in co-operation with the telecom company,
possess the technical and legal means to trace the phreaker.
3.3 VOICE MAILBOX SYSTEMS
For the past few years the use of voice mailbox
systems in Europe has been increasing. Voice mailbox systems must be divided
into two different types: toll-free voice mailbox systems used by many
types of companies, and voice mailbox systems from companies providing
party lines, dating lines and other, mostly expensive, services.
Normally a phreaker will primarily
select a toll-free voice mailbox system. If no toll-free voice mailbox
is available, he probably has the knowledge and the technical capability
to call a service provider's voice mailbox free of charge by illegal means.
The problem, however, is not which voice mailbox system he will call, but
how he will use it.
To understand how to misuse a voice mailbox
system, the basic system use must be understood. A voice mailbox is like
a house. When you enter the house your host welcomes you. The host in this
case is a voice menu explaining all the functions of the system. To choose
one of these functions you just have to press the corresponding button
of the key-pad.
Having made a selection you will leave
the entrance and enter a "room". Each room is dedicated to a special topic.
Topics can be live discussions with as many people as are in the room,
public message areas, private message areas, playing a game, etc. A large
voice mailbox system can have more than 100 different "rooms". If the number
is not toll free, the phreaker uses techniques to call the voice mailbox
system free of charge anyway.
If the voice mailbox is interesting, easy
to hack and fits his needs, the phreaker has a lot of uses for such
a system. It has been shown in court trials that phreakers use voice
mailbox systems as their "headquarters": to meet, to discuss, to hold conferences
with up to 20 persons participating at the same time, to leave messages
for other phreakers, or to deposit and share knowledge. They waste system
resources without paying for them. In some cases all dial-in lines were busy,
so no paying customer was able to connect to the system.
It is also interesting to see how the phreakers
used system resources. As mentioned above, a voice mailbox is like a house,
a house with easy-to-pick or no locks in the doors. The business of the
service provider requires the voice mailbox to be easy to use without big
security installations. The voice mailbox must be an open house for everybody,
and that makes it easy for the phreaker.
First a phreaker will look for hidden functions
in the voice mailbox. Hidden functions are normally used to reprogram the
voice mailbox from a remote location. Commonly, hidden functions are available
to increase the security level of certain rooms and for creating new rooms
with new possibilities and features. With knowledge of the hidden functions
of a system, the phreaker can create new rooms for meetings with other
phreakers, and he is able to raise the security level of such rooms so
that only insiders can gain access. Increasing the security level means
assigning an access code to a room. Without knowledge of the access code
the room cannot be entered. Thus, he is able to create a voice mailbox
inside the voice mailbox for a closed user group, "Entrance for phreakers
only".
This voice mailbox for phreakers can be
used to post calling card numbers, private messages for other phreakers,
the newest access codes for other voice mailbox systems, the newest tricks
on how to cheat the telephone system, etc.
All the owner of a voice mailbox system can
do is watch the traffic inside the system and look for changes, such as
new rooms suddenly appearing. From a practical point of view it is very
difficult to increase the security of a voice mailbox without causing problems
for paying users. In case of misuse it is necessary to co-operate with
a security expert and the local authorities to limit financial losses.
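To make that watching concrete, here is a small audit-log review written for this page. It is an added illustration, not part of the original article and not software from any voice mailbox vendor. The log format, the event names, the business hours and the conference threshold are assumptions, and the sample lines are constructed. It flags rooms that were created through the programming function and locked with an access code shortly afterwards, rooms that reach conference size, and all-lines-busy conditions in the middle of the night.

```python
# Added example, not part of the original article: a small audit-log review
# for a voice mailbox system, looking for the signs of misuse described above.
# The log format and the events in it are constructed for this illustration;
# real systems log differently.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. One line per event; "-" means "not applicable".
SAMPLE_LOG = """\
1994-07-12 01:42 line=07 event=ROOM_CREATE room=117
1994-07-12 01:43 line=07 event=ROOM_SETCODE room=117
1994-07-12 02:01 line=03 event=ROOM_ENTER room=117
1994-07-12 02:02 line=05 event=ROOM_ENTER room=117
1994-07-12 02:04 line=09 event=ROOM_ENTER room=117
1994-07-12 02:06 line=01 event=ROOM_ENTER room=117
1994-07-12 02:15 line=- event=ALL_LINES_BUSY room=-
1994-07-12 02:40 line=03 event=ROOM_LEAVE room=117
1994-07-12 10:05 line=02 event=ROOM_ENTER room=12
1994-07-12 10:20 line=04 event=ROOM_CREATE room=118
1994-07-12 11:30 line=- event=ALL_LINES_BUSY room=-
"""

LINE_RE = re.compile(r"(\S+ \S+) line=(\S+) event=(\S+) room=(\S+)")


def parse_log(text):
    """Turn the constructed log lines into dicts; unparsable lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, line, event, room = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M"),
                       "line": line, "event": event, "room": room})
    return events


def new_closed_rooms(events, within=timedelta(minutes=15)):
    """Rooms created through the (remote) programming function and given an
    access code shortly afterwards: the "voice mailbox inside the voice mailbox"."""
    created = {}
    flagged = set()
    for e in events:
        if e["event"] == "ROOM_CREATE":
            created[e["room"]] = e["ts"]
        elif e["event"] == "ROOM_SETCODE" and e["room"] in created:
            if e["ts"] - created[e["room"]] <= within:
                flagged.add(e["room"])
    return flagged


def peak_occupancy(events):
    """Highest number of callers in each room at one time (conference size)."""
    current = defaultdict(int)
    peak = defaultdict(int)
    for e in events:
        if e["event"] == "ROOM_ENTER":
            current[e["room"]] += 1
            peak[e["room"]] = max(peak[e["room"]], current[e["room"]])
        elif e["event"] == "ROOM_LEAVE":
            current[e["room"]] -= 1
    return dict(peak)


def after_hours_congestion(events, open_hour=8, close_hour=20):
    """All dial-in lines busy outside the assumed business hours: paying
    customers are being locked out while nobody legitimate should be calling."""
    return [e["ts"] for e in events
            if e["event"] == "ALL_LINES_BUSY"
            and not open_hour <= e["ts"].hour < close_hour]


def review(text, conference_threshold=3):
    """Return one finding string per suspicious observation."""
    events = parse_log(text)
    findings = [f"room {r} created and locked with an access code"
                for r in sorted(new_closed_rooms(events))]
    findings += [f"room {r} reached {n} simultaneous callers"
                 for r, n in sorted(peak_occupancy(events).items())
                 if n >= conference_threshold]
    findings += [f"all lines busy at {ts:%H:%M}, outside business hours"
                 for ts in after_hours_congestion(events)]
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log this reports three findings: room 117 created and locked, room 117 reaching four simultaneous callers, and all lines busy at 02:15. Room 118, created during business hours and never given a code, is left alone, which is the point: the owner cannot forbid new rooms without hurting paying users, but a new room that is immediately locked in the middle of the night is worth a look.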
3.4 CELLULAR PHONE FRAUD
There are a lot of cellular phone systems
available worldwide. In Germany alone five cellular networks are already in
operation. The older the cellular technology, the easier it is to misuse
the network. This article discusses only the vulnerability of the American
cellular network (the analog AMPS system), because it is one of the biggest
and most modern analog cellular networks available. Most of the rest of the
world uses either the digital GSM standard for a modern cellular network or
relatively old analog networks. To understand how a cellular phone can be
misused it is necessary to know some technical details.
3.4.1 CELLULAR TELEPHONE ESN EMULATION
The term "emulation" is used to describe the
process of making two or more phones look alike to the cellular system.
A basic understanding of the terms NAM and ESN is required before proceeding.
NAM or "Number Assignment Module" is the
term used to describe a cellular telephone's dealer-programmable system
parameters. These parameters include the user's telephone number (the MIN,
Mobile Identification Number) and other settings required to identify the
phone to the cellular system. Older phones use a PROM chip that has to be
programmed or "burnt" using a PROM programmer. On all newer phones the NAM
information can be re-programmed at will from the handset by anyone
possessing the relevant programming instructions and, in some cases, a
programming or "password" adaptor.
ESN or "Electronic Serial Number" is the
term used to describe a cellular telephone's "un-alterable" fingerprint
and is programmed into the phone by the manufacturer. The ESN is commonly
expressed as an eleven-digit decimal or an eight-digit hex number.
The decimal format consists of a three-digit manufacturer identification
followed by an eight-digit serial number; the hex format consists of a
two-digit manufacturer identification followed by a six-digit serial number.
The two fields are converted separately, so the hex form is not simply the
eleven-digit decimal number written in hex.
When combined, the NAM and ESN provide the
cellular carriers with a way of identifying the phone and determining whether
to allow it to place a call. Whenever the phone is used it transmits this
information to the cellular switch, where it is compared with a database
of current subscribers. If the system recognises the phone as an out-of-area,
or "roaming", subscriber, a check is made with the home system. This check
is made either during the first call or, more commonly these days, before
the first call is completed.
3.4.2 HOW TO CHEAT
In the past it was often possible for hackers
to change the ESN and NAM information and make one call before the system
locked the unit out. The NAM and ESN information would then be changed again
and another call could be completed. This is known as ESN "tumbling", and over
the last few years the cellular carriers have lost millions of dollars
to this scam. It has been estimated that at the height of tumbling in
New York City up to 30% of calls placed were fraudulent.
To change the ESN the hacker would generally
remove the phone's ESN chip and install a socket to take an easily reprogrammable
EPROM chip; the ESN could then be reprogrammed at will. More recently
people have reverse engineered certain manufacturers' software to allow
simple reprogramming using a laptop computer connected to the phone's data
port.
The cellular industry has reacted to this
in various ways. Initially the simple way to prevent tumbling was
to ban all roaming customers from direct dialling; legitimate callers had
to pre-register using a credit card to guarantee payment. Newer, more advanced
software allows pre-screening of the caller's information and has now all but
eliminated tumbling. In most service areas the ESN and NAM information
is checked on power-up or as soon as the SEND button is pressed, prior
to allowing the completion of the call.
The cellular hackers have now turned to
other ways of making fraudulent calls. The most common of these is to obtain
a legitimate subscriber's telephone number and ESN and re-program a phone
with this information, thereby making an exact clone able to make (and
receive) phone calls. This method allows anything from a few days to a
full month of "free" calls, and can go on indefinitely if the cloned number
is a corporate account, as executives' phone bills are rarely questioned.
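The ESN formats of 3.4.1 and the switch-side pre-screening that stopped tumbling can be illustrated in code. The following Python is an added example, not part of the original article and not any carrier's software; the subscriber database, the registration records, the market names and the 60-minute window for the clone check are constructed assumptions. It converts between the decimal and hex ESN forms field by field, denies any MIN/ESN pair (MIN being the mobile's telephone number) that is not in the subscriber database, which is what defeats tumbling, notes MINs that turn up with several ESNs, and flags the same pair becoming active in two different systems within the window.

```python
# Added example, not part of the original article: ESN format handling and a
# switch-side screening step of the kind the article says has all but
# eliminated tumbling, extended with a simple clone check. Subscriber data,
# registration records and the 60-minute window are constructed assumptions.
from collections import defaultdict


def esn_dec_to_hex(dec):
    """11-digit decimal ESN (3-digit manufacturer + 8-digit serial) to 8-digit hex.
    The fields convert separately, so this is not int(dec) written in hex."""
    if len(dec) != 11 or not dec.isdigit():
        raise ValueError("decimal ESN must be 11 digits")
    mfr, serial = int(dec[:3]), int(dec[3:])
    if mfr > 0xFF or serial > 0xFFFFFF:
        raise ValueError("manufacturer code or serial out of range")
    return f"{mfr:02X}{serial:06X}"


def esn_hex_to_dec(hx):
    """8-digit hex ESN (2-digit manufacturer + 6-digit serial) to 11-digit decimal."""
    if len(hx) != 8:
        raise ValueError("hex ESN must be 8 digits")
    mfr, serial = int(hx[:2], 16), int(hx[2:], 16)
    return f"{mfr:03d}{serial:08d}"


def esn_decimal_is_valid(dec):
    """True if the decimal string is a well-formed ESN with both fields in range."""
    try:
        esn_dec_to_hex(dec)
        return True
    except ValueError:
        return False


# Constructed subscriber database of the home system: MIN -> ESN (hex).
SUBSCRIBERS = {
    "2125550101": "82003039",
    "2125550199": "A00010F3",
}

# Constructed registration records: (minute, MIN, ESN hex, serving system).
REGISTRATIONS = [
    (0, "2125550101", "82003039", "NYC"),
    (5, "2125550101", "82003039", "LAX"),  # same pair, other coast, 5 min later
    (7, "2125550150", "82003040", "NYC"),  # unknown pair, first try
    (8, "2125550150", "82003041", "NYC"),  # same MIN, ESN changed: tumbling
    (30, "2125550199", "A00010F3", "NYC"),
]


def screen(registrations, subscribers, window_minutes=60):
    """Pre-screen every registration before the call completes.
    Returns (verdicts, tumbling_mins): one verdict per record, plus the MINs
    seen with more than one ESN."""
    last_seen = {}                 # (MIN, ESN) -> (minute, system)
    esns_by_min = defaultdict(set)
    verdicts = []
    for minute, mobile, esn, system in registrations:
        esn = esn.upper()
        esns_by_min[mobile].add(esn)
        if subscribers.get(mobile) != esn:
            verdicts.append((minute, mobile,
                             "DENY: MIN/ESN pair not in subscriber database"))
            continue
        prev = last_seen.get((mobile, esn))
        if prev and prev[1] != system and minute - prev[0] <= window_minutes:
            verdicts.append((minute, mobile,
                             f"ALERT: possible clone, also active in {prev[1]} "
                             f"{minute - prev[0]} min ago"))
        else:
            verdicts.append((minute, mobile, "OK"))
        last_seen[(mobile, esn)] = (minute, system)
    tumbling = {m for m, esns in esns_by_min.items() if len(esns) > 1}
    return verdicts, tumbling


if __name__ == "__main__":
    print(esn_dec_to_hex("13000012345"), esn_hex_to_dec("82003039"))
    for verdict in screen(REGISTRATIONS, SUBSCRIBERS)[0]:
        print(*verdict)
```

The pair check alone is enough against tumbling, because a tumbled ESN is almost never paired with a real subscriber's MIN. It does nothing against a clone, whose pair is valid by construction; that case only shows up as the same pair being active in two places at once, which is why the clone check needs the history of where each pair was last seen.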
3.4.3 LEGAL EMULATION
The illegal cloning of subscribers' cellular telephones described above and
the reverse engineering of manufacturers' software have been adopted by a
number of legitimate companies. It is now possible to have more than one
phone per cellular telephone number. Several companies are now offering
legal cloning or emulation where, for a fee of around $200-$300, they will
program your second phone with the ESN of your currently active phone.
To avoid fraud these companies often ask
for a copy of a current cellular telephone bill showing the mobile number
and subscriber's name. This is then compared with picture ID to ensure that
the customer is a legitimate bill-paying subscriber.
Once a phone has been emulated the following
should be noted:
- If an attempt is made to use both phones at the same time and
in the same system one of the following will occur:
- OUTGOING CALLS - First call will complete
as normal, second phone will get a fast busy, system deny recording, or
call will drop.
- INCOMING CALLS - One of three things happens: both phones ring and
the call can be answered but might immediately drop; only the phone with the
strongest signal rings and the call can be answered; or neither phone rings.
- If one phone is in the home market
and one is roaming both phones should work and it should be possible to
call your own number. This depends on the roaming agreement between the
two systems. In systems with "Automatic Roaming" or "Super Access" agreements
it may be necessary to turn off the auto call forwarding to avoid problems,
dial * O F F SEND in many locations.
- If both phones are roaming in
DIFFERENT systems do NOT attempt to have both phones turned on at the same
time as your home system will probably generate a roam fraud message and
CUT THE PHONE OFF!
- If the secondary (cloned) phone
is stolen call the carrier and have the mobile number changed, re-program
the primary phone with the new number. Do not report the phone stolen as
the ESN will be locked out and neither phone will work. If you know the
secondary phone's ORIGINAL ESN report this as stolen and tell the carrier
that the phone was not active.
Nine times out of ten if the thief tries
to activate the phone the hardware serial number (assumed to be the correct
ESN) will be checked on the deny list and service will be denied.
If the original ESN has not been reported stolen and the phone is activated
using the hardware serial number the phone won't work as the ESN is incorrect!
If the "correct" emulated ESN is read from the phone service will probably
be denied if the thief tries to activate the phone on the same home system
as the primary phone. This is because many systems do not allow two
numbers on one ESN. The thief could activate service on an alternate system.
You could prevent the emulated phone from
working by having the ESN in the primary phone emulated to another phone,
you can then report the phone's ESN as stolen. This is not recommended
as using a phone with a stolen ESN would cause problems if you ever need
to use the original ESN. Remember that legitimate emulation does
not remove the original ESN, it simply adds some code to make the phone
appear to have a different ESN.
- If the primary phone is stolen
you can report the theft, then have the secondary phone's ESN changed back
to its original or re-programmed to match another phone. This will
usually be done for a minimal charge.
3.4.4 THE GSM STANDARD
GSM stands for Global System for Mobile communications and is widely used
throughout the world. The GSM standard is one of the most secure standards
for cellular phones. At the time of writing (1994) no way is known to cheat
or misuse a GSM phone in a way that cheats the GSM standard itself, and it
is also not possible to wiretap a GSM phone. This is one of the reasons why
GSM phones are loved by criminals too. Each GSM phone has a built-in IMEI
number (International Mobile Equipment Identity). When the phone tries to
enter a cellular network (GSM net) it sends this IMEI number, together with
the identity of the SIM card, for identification. To prevent a stolen GSM
phone from being used by the thief, it is possible to list the IMEI number
as stolen in your home network (in Germany D1 or D2). If the thief tries to
log into the network, the GSM network will deny access.
It is mandatory for everybody to keep his IMEI number secret, because a
little prank is known: if somebody else knows your IMEI number he can list
it as stolen, and it will take a lot of time and effort to get the IMEI
number removed from the network's list of stolen GSM telephones.
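As an added example (not from the original article and not any operator's system), the following Python validates an IMEI's check digit, which is a Luhn check over the first 14 digits, and models the stolen-handset list. The rule that a stolen report is accepted only from a SIM identity that has actually attached with that IMEI is an assumed countermeasure against the prank described above, not a description of D1's or D2's procedure; the IMSIs are constructed and the IMEI is a sample value.

```python
# Added example, not part of the original article: IMEI check-digit
# validation and a toy equipment register (in GSM the element holding the
# stolen-phone list is the EIR; its behaviour is simplified here). The rule
# that a stolen report is only accepted from a SIM identity that has attached
# with that IMEI is an assumed countermeasure against the prank described in
# the text, not any operator's procedure. IMSIs are constructed values.
from collections import defaultdict


def luhn_check_digit(body):
    """Check digit for a 14-digit IMEI body (Luhn algorithm, as used by IMEI)."""
    if len(body) != 14 or not body.isdigit():
        raise ValueError("IMEI body must be 14 digits")
    total = 0
    for i, ch in enumerate(body):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right of the body
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def imei_is_valid(imei):
    """15 digits whose last digit matches the Luhn check digit of the first 14."""
    return (len(imei) == 15 and imei.isdigit()
            and int(imei[14]) == luhn_check_digit(imei[:14]))


class EquipmentRegister:
    """Home-network list of stolen handsets, keyed by IMEI."""

    def __init__(self):
        self.blacklist = set()
        self.seen_with = defaultdict(set)   # IMEI -> SIM identities attached with it

    def attach(self, imei, imsi):
        """Phone presents IMEI plus SIM identity when entering the network."""
        if not imei_is_valid(imei):
            return "reject: malformed IMEI"
        if imei in self.blacklist:
            return "deny: IMEI listed as stolen"
        self.seen_with[imei].add(imsi)
        return "allow"

    def report_stolen(self, imei, claimant_imsi):
        """Accept the report only from a subscriber who has used the phone,
        so that merely knowing someone's IMEI is not enough to block it."""
        if not imei_is_valid(imei):
            return False
        if claimant_imsi not in self.seen_with.get(imei, ()):
            return False
        self.blacklist.add(imei)
        return True

    def clear(self, imei, claimant_imsi):
        """Reverse a report, again only for a subscriber who has used the phone."""
        if claimant_imsi in self.seen_with.get(imei, ()):
            self.blacklist.discard(imei)
            return True
        return False


if __name__ == "__main__":
    eir = EquipmentRegister()
    print(eir.attach("490154203237518", "262011234567890"))
    print(eir.report_stolen("490154203237518", "262019999999999"))
    print(eir.report_stolen("490154203237518", "262011234567890"))
    print(eir.attach("490154203237518", "262011234567890"))
```

The check digit catches mistyped IMEIs before they reach the list, so a typo in a genuine report cannot block an unrelated handset. Binding the report to a SIM that has actually attached with the phone is what takes the teeth out of the prank: a stranger who only knows the number has never been seen with it.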
3.5 WIRELESS PHONES
It is very easy today to set up a complete
telephone system in a small company using only cordless telephones, and
that is one of the reasons why sales of cordless phones are rising rapidly
throughout Europe. However, only a few people know how dangerous it can
be to use a cordless phone, especially for company purposes. These
wireless phones can be divided into two groups. The first group employs
a transmission frequency around 48 MHz and is mainly used in the USA; it
can be used legally in some European countries as well. The second group
employs a frequency in the 870 - 940 MHz range. This type is mainly used
in European countries.
The first major problem with wireless phones
is that anybody with a suitable scanner can listen in on the conversation.
A good scanner needs less than 30 seconds to find the correct frequency.
This is a major weakness inherent to these systems, which can of course
be fatal to a company.
A new standard for European cordless phones
(870 - 940 MHz) has emerged. These phones automatically scramble the transmitted
signal between handset and base station. With this system in place, nobody
with a scanner can stumble over the phone conversation by accident, but
the standard is still not foolproof. The scrambling method employed can
comparatively easily be circumvented by a knowledgeable person with only
a minimum of extra hardware.
The American-type cordless telephones (48 - 49 MHz)
are the most insecure devices available. They can easily be scanned
as described above. There is no signal scrambling standard,
and they do not even check whether the handset and the base station in use
match each other.
Only very few cordless phones allow signal
scrambling at all. In most cases this is just an option: the scrambling
device must be bought separately, and it is designed in a very cheap and
thoroughly insecure manner. It is no problem to circumvent this quality
of scrambling with a little hardware. 99% of the American phones are without
any scrambling option; they cannot be made more secure, even if the customer
wishes to do so.
This cordless phone type opens the door
to a very special kind of misuse, because of a major system design flaw.
Handset and base station communicate
on a fixed frequency between 48 and 49 MHz. The problem is that a handset
works with every base station set to the same frequency as the handset.
It has become very popular in the USA, before making a call, first to switch
off one's own base station and check whether there is another base station
in the area which the handset can reach. In this case it is very easy
to use a base station belonging to someone else, and that person has to
pay for the phone calls made by a stranger in the same house or area.
Handsets have also been seen modified so as to work on different
frequencies, enabling the owner of the handset to make phone calls through
a number of different base stations in his area. The usual range of a
cordless phone is about 300 metres.
To prevent this kind of misuse the European
cordless telephones work in a slightly different way. The first
difference is that the phone does not use a single fixed frequency. European
phones use a wide range of frequencies which are divided into channels.
When the handset is picked up, it first finds out which channels are in
use and which are available. The first available channel will be used.
The next built-in security measure is a validation
between handset and base station. Every few seconds the handset checks
whether it is using a base station with the correct id-number, and vice versa.
If the handset or the base station does not receive the correct id-number
the connection is dropped immediately. This feature makes it nearly
impossible for a handset to use two or more different base stations within
its range. The usual range of a European cordless phone is about 300 metres
in an area free of obstructions, and about 50 metres inside buildings.
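The difference between the two designs can be made concrete with a small model, added here and not part of the original article. The owners, the frequencies, the number of channels and the two-second validation interval are assumptions of the model. A US-type handset gets service from every base on its carrier (a modified multi-frequency handset from several), while a European-type handset takes the first free channel and is dropped at the first id check unless the base is its own.

```python
# Added example, not part of the original article: a model of the two cordless
# phone designs contrasted in the text. Frequencies, owners, the channel count
# and the 2-second validation interval are assumptions made for the model.
from dataclasses import dataclass
from typing import Optional


@dataclass
class BaseStation:
    owner: str
    freq_mhz: float                 # US type: the one fixed carrier it listens on
    link_id: Optional[int] = None   # EU type: id shared with its own handset; None = US type


@dataclass
class Call:
    billed_to: str
    channel: float                  # carrier (US) or channel number (EU)
    dropped_at_s: Optional[int] = None   # None = the call stays up


def us_place_call(handset_freqs, bases):
    """US-type handset (one fixed carrier, or several in a modified handset):
    every base on a matching carrier accepts it, and that base's owner pays."""
    return [Call(b.owner, b.freq_mhz)
            for b in bases
            if b.link_id is None and b.freq_mhz in handset_freqs]


EU_CHANNELS = range(1, 41)   # assumed number of channels in the band


def eu_place_call(handset_id, bases, channels_in_use, call_length_s=60, interval_s=2):
    """EU-type handset: take the first free channel, then every interval_s
    seconds handset and base compare ids; the first mismatch drops the call."""
    free = [c for c in EU_CHANNELS if c not in channels_in_use]
    if not free:
        return []                      # all channels busy: no call at all
    channel = free[0]
    calls = []
    for base in bases:
        if base.link_id is None:
            continue                   # US-type base, not on this band
        call = Call(base.owner, channel)
        for t in range(interval_s, call_length_s + 1, interval_s):
            if base.link_id != handset_id:
                call.dropped_at_s = t  # validation failed: disconnected
                break
        calls.append(call)
    return calls


def usable(calls):
    """Owners whose line the handset can actually use for a whole call."""
    return sorted({c.billed_to for c in calls if c.dropped_at_s is None})


# Constructed neighbourhood: three US-type bases, two EU-type bases.
NEIGHBOURHOOD = [
    BaseStation("alice", 48.5),
    BaseStation("bob", 48.5),
    BaseStation("carol", 48.7),
    BaseStation("dave", 915.0, link_id=0x2A3F),
    BaseStation("erin", 915.0, link_id=0x7C10),
]

if __name__ == "__main__":
    print("US handset on 48.5 MHz:", usable(us_place_call({48.5}, NEIGHBOURHOOD)))
    print("modified US handset:", usable(us_place_call({48.5, 48.7}, NEIGHBOURHOOD)))
    print("EU handset id 0x2A3F:", usable(eu_place_call(0x2A3F, NEIGHBOURHOOD, {1, 2})))
```

In the model Dave's handset can only ever bill Dave; Erin's base accepts the link for the first two seconds and then drops it. The US-type handset on 48.5 MHz bills Alice or Bob indiscriminately, and the modified handset adds Carol. Note what the European check does not do: it does not stop a scanner from listening, which is the separate weakness discussed above.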
3.6 PAGER SYSTEMS
Pager systems are not directly abusable,
but if the pager in use has a character display, so that it can receive
complete messages or telephone numbers and not just beep, the messages
are subject to easy interception by a person with the necessary knowledge
and hardware. Telephone numbers have been known to be intercepted by pranksters,
who later called the numbers and were rude to whoever answered. This has
happened in the USA, but no European cases are known to the author.
Nothing can be done to prevent this kind of misuse.
3.7 SHOULDER SURFING
A phreaker is mainly interested in making
telephone calls without having to pay, and in our modern world of plastic
money it is very easy for skilled people to accomplish this. To achieve
his goal, a phreaker is always looking for calling card codes. Major international
telephone companies (like AT&T, MCI, SPRINT and also the German TELEKOM)
issue calling cards to interested customers. Just dial the service
number of the telecom company and give them your credit card number and
you will get your calling card.
Using a calling card is very easy. Dial
the toll-free number specified by the calling card company and the operator
will ask you for your calling card number and the phone number you wish
to call. In some cases there is an automatic operator and the calling card
number must be entered using the key-pad or tone dialler.
After verification of the calling card
number (similar to a credit card number) you will get connected immediately.
If a card holder uses his calling card
from a public phone, all the phreaker has to do is spot the number on
the card, watch the number being entered on the key-pad, or simply listen
if the number has to be given to an operator.
Holders of calling cards should protect
them the same way they protect credit cards. If the calling card number
is spread about in the underground, a few thousand dollars of damage to
the holder of the card can easily be the result.
If the card holder discovers that his calling
card number is misused, he must notify the card issuing company immediately.
The calling card number subsequently becomes invalid and a new calling
card is issued to the card holder. However, until the card company has
been notified, the holder is liable for the damage.
3.8 ANSWERING MACHINES
Answering machines are nothing special. We
use them routinely every day without ever reading the operating manual.
This is why we know almost nothing about a few special features built into
most answering machines to make our lives more comfortable.
One of these features is the remote access
function used to check who called and left a message, or to change the
message played back when people call. Remote access is accomplished by
means of a tone dialler and a two- or three-digit access code. This
makes it easy for a stranger to hack the access code within minutes,
gain access to the answering machine and listen to the recorded messages.
The default factory access code setting of most answering machines is
no big secret among phreakers.
There is also a ready-made digit sequence for three-digit access codes,
which fits 99% of cases. This sequence was generated by a tiny Turbo Pascal
program, and both the sequence and the program were published over
computer networks.
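The trial-and-error searches described for dial-out access codes (3.2.2) and for answering-machine access codes here can be quantified. The following Python is an added example, not part of the original article; the published sequence is assumed to be a de Bruijn sequence (the Turbo Pascal program itself is not reproduced here), and the device behaviours and the three-tries-per-call lockout are modelling assumptions. A device that merely compares the last n digits pressed is opened by one sequence of 10^n + n - 1 presses, whereas a six-digit code on a system that cuts the line after three wrong tries forces hundreds of thousands of separate calls.

```python
# Added example, not part of the original article: how cheap it is to find a
# short keypad code by trial and error. The "sequence that fits 99% of cases"
# for three-digit answering-machine codes is assumed to be a de Bruijn
# sequence (the original Turbo Pascal program is not available); the device
# behaviours and the three-tries-per-call lockout are modelling assumptions.

def de_bruijn(k, n):
    """De Bruijn sequence B(k, n) over the digits 0..k-1, as a string: every
    n-digit string appears exactly once when the sequence is read cyclically."""
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(str(d) for d in seq)


def keypad_sequence(n):
    """Key presses that run through every n-digit code against a device that
    simply looks at the last n digits pressed: 10**n + n - 1 presses."""
    s = de_bruijn(10, n)
    return s + s[:n - 1]


def codes_covered(keys, n, sliding=True):
    """Codes a device will have seen after the presses in `keys`.
    sliding=True: device checks the last n digits after every press.
    sliding=False: device reads exactly n digits, then resets."""
    step = 1 if sliding else n
    return {keys[i:i + n] for i in range(0, len(keys) - n + 1, step)}


def presses_until_accepted(code, keys):
    """Presses before a sliding-window device (no reset, no lockout) opens on
    `code`; None if the sequence never contains it."""
    n = len(code)
    for i in range(len(keys) - n + 1):
        if keys[i:i + n] == code:
            return i + n
    return None


def search_cost(n_digits, tries_per_call=None, sliding=False):
    """(key presses, calls) needed to be certain of hitting an n-digit code.
    tries_per_call=None means the device never hangs up on wrong codes."""
    space = 10 ** n_digits
    presses = space + n_digits - 1 if sliding else space * n_digits
    calls = 1 if tries_per_call is None else -(-space // tries_per_call)
    return presses, calls


if __name__ == "__main__":
    keys = keypad_sequence(3)
    print(len(keys), "presses cover", len(codes_covered(keys, 3)), "three-digit codes")
    print("code 000 opens a sliding-window device after",
          presses_until_accepted("000", keys), "presses")
    print("6-digit code, 3 tries per call:", search_cost(6, tries_per_call=3))
```

For three digits the sequence is 1002 presses long and covers all 1000 codes on a device that checks the last three digits pressed; the same presses against a device that reads exactly three digits and then resets cover at most 334 codes, and a six-digit code with a three-tries-per-call lockout needs 333,334 calls, which is no longer free even for a phreaker.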
For a couple of reasons it rarely
happens that a phreaker tries to hack an answering machine. Firstly, it
costs him money, because normally no private person owns a toll-free number.
Secondly, in 99% of cases there are no big secrets to be found on an answering
machine. So it is a waste of time for the phreaker.
Another built-in feature of a modern answering
machine is a monitoring option. This option is normally protected by a
two or three digit code and allows a caller to listen to the room in which
the answering machine is installed. This is a useful option for parents,
who are away from home and want to learn what the children are doing (sleeping
or partying), and it is a very useful option for a curious phreaker, who
wishes to invade the privacy of people's homes. The problem gets even bigger
when the answering machine is installed in a company office. In that case
it is possible for the phreaker to obtain vital and confidential information
about the company and its future plans.
The only way to prevent misuse of these
options and features is to buy an answering device without them.
4. HOW/WHERE DO THEY GET THEIR INFORMATION?
People often wonder how a phreaker comes by his knowledge. There is nothing
strange about it, however. It is the result of some clever research, or of
well-organised public libraries.
Most of the information used by a phreaker
is legally and freely accessible in libraries and book stores. Only in
very few cases does the phreaker have to behave like Jim Phelps in "Mission Impossible".
The technical standards of the former telephone system standardising
organisation CCITT constitute a very interesting source of information
for a phreaker. They are available in every good university library and
describe international telecom standards such as tone frequencies (used to
develop the coloured boxes). Most telecom companies also publish
technical journals for service technicians. These journals are normally
available to anybody who might wish to subscribe.
4.1 SOCIAL ENGINEERING
Some phreakers specialise in getting information
through social engineering. Social engineering means in this case that
a phreaker will phone up a person and pretend to be an employee of the
telecom company (or some other important and well-known company), give
an important reason for his call and subsequently ask for passwords, account
numbers, technical data, specifications or whatever he is after. During
his attempt to collect information the phreaker will appear very polite,
trustworthy and adult, even if he is just 16 years old. This type of information
pillaging is done mostly by phone, and it is very often successful.
The first rule of telecom security against social engineering:
nobody (!) needs your passwords, confidential
account details, calling card numbers or any other type of confidential
information. All requests for confidential information by phone should
always be refused.
People from telecom companies are able
to identify themselves with special ID cards, and even these people do
not need confidential information. If they need to test something they
have their own service access accounts for telephone lines and switching
systems.
Again: nobody needs to ask for confidential
information via telephone, even if he gives very good reasons!
4.2 TRASHING
In the course of court cases against prominent
phreakers it has become evident that they went out to "trash" telecom companies
or other targets which had their interest. To "trash" in this connection
means searching through trash cans for diskettes with software, or for papers
carrying technical knowledge for insiders, telephone numbers, passwords,
access codes, planned installations, etc.
The rule here is that no paper carrying
information that could be important to outsiders should be thrown away.
A good countermeasure is to install freely accessible paper shredders (e.g.
one on each floor). Furthermore, the employees should be educated about
paper security and advised to use the paper shredders.
The important rule to apply here, and this
particularly goes for old back-up diskettes and tapes, is: If it is not
economical to guard it, it is economical to destroy it. In other words,
any company policy regarding archiving must contain rules regarding destruction
of old archives. Simply throwing these out is rarely sufficient.
4.3 UNDERGROUND PUBLICATIONS
Some people publish, more or less regularly,
underground magazines about phreaking, which are also distributed as computer
files through modem-accessible Bulletin Board Systems. Every
phreaker is welcome to contribute articles to such an underground magazine.
One of the foremost publications in this category is Phrack, which is so
popular that it has received an ISSN number in the USA and is published
on a regular basis.
4.4 WORLD-WIDE COMPUTER NETWORKS
There are only a few innovative phreakers
in each country. These phreakers develop the leading technology
of phreaking. Most of them share their knowledge with other people interested
in phreaking via computer networks and bulletin board systems. It is thus
no big problem to find information about phreaking, which means that malicious
information spreads rapidly to a large audience.
4.5 INTERNAL COMPUTER NETWORKS OF TELECOM COMPANIES
If the phreaker is also a skilled hacker he
probably knows ways to access the internal computer network of a telecom
company in search of information. A famous case in the USA was the theft
and publication of a document about the 911 emergency service from the computer
network of a telecom company. This case ended in court.
5. CONCLUSIONS
Telecom equipment is a vital resource for
any company, and no company can permit a stranger to alter or abuse its
telecom system. As described in this article there are many ways to abuse
telecommunication equipment, and to prevent abuse from occurring it is
absolutely necessary to assess the weaknesses and vulnerabilities of existing
telecom systems. If it is planned to invest in new telecom equipment, a
security plan should be made and the equipment tested before being bought
and installed.
Every serious manufacturer of telecom
equipment will assist with answering the question of telecom security,
but it is also recommended to consult an independent source of information,
such as an information security expert.
It is also mandatory to keep in mind that
a technique which is described as safe today can be the most insecure technique
in the future. Therefore it is absolutely important to check the function
of a security system once a year and, if necessary, update or replace it.
COPYRIGHTS
This work, including all its parts, is protected by copyright. Any use
outside the narrow limits of the copyright law without the consent of the
author is prohibited and punishable.
Copyright (C) 07/1994 by Howard Fuhs
Fuhs Security Consultants
Rathenauplatz 12
65203 Wiesbaden
Germany
Phone: +49 611 67713
Fax: +49 611 603789
E-Mail: info@fuhs.de
Web: www.fuhs.de