Basic Phone Security: Making and Breaking It
By The Mob Boss

The other day I was sitting in class and I was bored out of my head, so I picked up a dictionary. I was curious to see how a hacker was defined, considering that seems to be one of the most passionately fought arguments: good against evil, hackers against crackers. I found the definition to be "A computer enthusiast, someone who breaks into computers". Not surprising, but when I went to look for "Phreak" and "Phone Phreak", lo and behold, it was not there. This seems to be common these days. Everyone is shaking in their boots about big, bad, evil hackers and what might happen to their home or business computer, but no one ever stops to think about the phone system. This article is not geared towards anyone specific; in fact this is just an abstract to guide all those who are interested in general security, privacy, and h/p. Whether you're a small business owner, a homemaker, or an executive, there is something here that you should know, if you don't already.

Phone Phreaking can be loosely defined as the exploration and exploitation of the phone system and everything that goes along with it. Back in the 60's and 70's there was blue boxing, back in the eighties and early nineties there was red boxing, but nothing compares to the things that are here now, in the early part of the 21st century. Seems everything is hooked up to the phone system one way or another these days. People are sporting voicemail, pagers, cell phones, home answering machines, fax machines, computers hooked up to the internet, cell phones hooked up to the internet, and there are plans to have cars on the internet pretty soon as well (see 2600 issue 16:4, I OWN YOUR CAR). 1984 is here, just a little late. Now considering all that, why would someone ignore learning about the phone system, when the whole backbone of telecommunications is the phone system? That's a mistake a lot of companies and individuals make.
Besides theft of phone service, as there are so many legal ways to make a free call these days, how about privacy? How would you like someone monitoring your business via the voicemail system, or maybe monitoring your house by using the remote access feature on your answering machine to actually listen in on what's going on? How about someone tapping your analog cell phone or old cordless phone? Now from the attacker's point of view, what better way to watch a target? You want to break into a computer network, monitor the voicemail systems for possible technical information and logins. You want to break into a house, listen to messages on the answering machine to find out the patterns of those who reside there. Want to blackmail, extort, and steal, well then there are tons of possibilities for you.

Let's start at home. What communication devices do you own? Cordless phone, PC, fax machine, answering machine? I'm willing to bet you have at least one or all of those items in your home. First I will touch on answering machines; personally I could live without one. Most people hate talking on answering machines, and when it's not meant to be it's not meant to be. But I still own one, and the first thing I did when I learned about breaking into answering machines was to check my manual to see if my machine had remote access. As it turned out, it did have remote access, but lucky for me it has a strong security policy: two bad tries will boot you off, plus the code is a good one. Now machines I have encountered in businesses and homes were as easy as dialing 123 after the tone. So what, you say? You have nothing to hide? Well, privacy is privacy, and either way I don't want some thug hearing when I'll be at the dentist or on vacation. This is twice as bad if you're a business and you have customers leave orders on the phone after hours.
Credit card fraud has been booming since the 1980's and two decades later it's still a problem, and it's a safe bet that it always will be a problem.

Here is an easy to follow system for getting into an answering machine. Out of the many techniques I have read, tried, or heard of, this one is the most rewarding... After the tone start dialing this sequence: 9876543210000123456789, then 2000, 3000, till you hit 9000, then 1111, 2222, and so on till you hit 9999. That technique will break into answering machines in the homes of government officials, mail order stores, and places that should be more secure. Try that on your machine or a friend's (with his permission of course) and see how secure that answering machine really is.

Another problem that has been around for many years is that of people tapping cordless phones with simple frequency scanners. Now this problem has been dying out, but when I flip on the Ol' Bearcat I still hear morons yacking away on their old, ten dollar, garage sale, cordless phones. These aren't wholesome conversations either. Drug deals, phone sex, and fights. I guess it all depends on where you live, but just the same there are a lot of possibilities here. Like I said, this is not a new problem, but it's still widespread even though a whole decade of cordless terror has gone by. By programming the following frequencies into your scanner you'll hear many conversations:

Channel  Base (MHz)  Handset (MHz)
 1       43.720      48.760
 2       43.740      48.840
 3       43.820      48.860
 4       43.840      48.920
 5       43.920      49.000
 6       43.960      49.080
 7       44.120      49.100
 8       44.160      49.160
 9       44.180      49.200
10       44.200      49.240
11       44.320      49.280
12       44.360      49.360
13       44.400      49.400
14       44.460      49.480
15       44.480      49.500
16       46.610      49.670
17       46.630      49.845
18       46.670      49.860
19       46.710      49.770
20       46.730      49.875
21       46.770      49.830
22       46.830      49.890
23       46.870      49.930
24       46.930      49.990
25       46.970      49.970

Obviously you want to listen into the base frequencies so that you hear both sides of the conversation.
Now you may say, "Well, I don't have an old phone, I have a brand new cordless phone that runs on the 900 MHz band and scrambles the conversation". The only thing I have to say to that is, what if your business partner, mistress, and/or accomplice is using an old cordless phone? Then your security measures mean nothing and it's out there. That's why you have to analyze security from afar; missing the big picture will really screw you up.

Are you running a dialup server at your residence or small business? If you think it's safe because no one but you has the dialup then you, my friend, are dead wrong. For years people have been using programs called war dialers (e.g. ToneLoc) to scan exchanges looking for computers, and just because times have changed and the internet seems to dominate all doesn't mean that people have stopped looking to their local exchanges either. In fact much can still be found by having a war dialer go for a few hours, and attackers know this. A company can have a big fancy firewall but a dialup sticking out like a sore thumb a few numbers up from their main switchboard number. That kind of ignorance can be very, very costly and it would be wise to see how your computers are set up. If a dialup server is necessary, be sure to pick strong passwords and keep up with a good policy for protecting that data, physically and remotely.

Let's move on to your small (or large) business. Most businesses worth anything at least have a small PBX and voicemail system, plus the kind of stuff you may have at home, so all the same rules of home security apply at the office as well. It's very important that a person takes his sweet time with setting up the phone system; baby it just as much as you would the computer network, because leaving the phone system open will lead the path to your precious network. If someone gets into your phone system what do you have to lose?
Privacy, valuable information about customers (credit card information), use of your lines to call Europe and what not. I must say that PBXs are more challenging now than they were ten years ago, but considering most voicemail systems run hand in hand with the PBX, having weak passcodes on your voicemail system can lead to exploitation of your PBX services. Meridian Mail, which is put out by Nortel (www.nortel.com), for instance has a nice little feature where you can set the operator assistance number, which in what I have seen is local numbers; just the same, it can be useful for bouncing through to avoid tracing. I don't think anyone wants their phone system used as a jumping off point for an attack against something big.

The same rules of breaking into answering machines apply to voicemail, but one can get more creative here. There are usually multiple accounts on a system, so if you can't get into one, move on to another. 999 or 9999 is usually an administrator's box and 100 or 1000 is usually a general delivery box. It's been my experience that the general delivery box can be the most influential, as that's where your general information can be obtained, and that's also a very easy box to get into; a lot of the time the passcode is just 1000. In general though, some passcodes to try are the number of the box as the passcode, 1234, 1111 to 9999, 1000 to 9000, the name of the person or company in DTMF, and the last four digits of the phone number. Knowing that, it's possible to use these private phone networks for a lot of different things, and I think it's very clear why someone should take this into consideration.

Ok, now that it's clear that your everyday conversations are at risk, let's talk about some of the ways we can ensure that our distant party is the only other person to hear the conversation. Remember the only secure conversation is one in person, free of any monitoring.
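The voicemail passcode guesses listed above (box number, 1234, 1111 to 9999, 1000 to 9000, a name in DTMF, the last four digits of the phone number) can be turned around into an audit of your own mailboxes. This is an added example, not part of the original article; the function names, the sample mailboxes and phone number, and the rule that a passcode of four or more digits matching the start of a keypad-spelled name counts as a match are all assumptions.

```python
import re

# Letter-to-digit map of a standard telephone keypad (DTMF digits).
KEYPAD = {c: d for d, letters in {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}.items() for c in letters}


def to_dtmf(name):
    """Spell a name on the keypad, skipping anything that is not a letter."""
    return "".join(KEYPAD[c] for c in name.lower() if c in KEYPAD)


def weak_reasons(passcode, box, phone, names=()):
    """List which of the article's guesses would hit this passcode."""
    reasons = []
    if passcode == box:
        reasons.append("same as box number")
    if passcode == "1234":
        reasons.append("1234")
    if re.fullmatch(r"([1-9])\1{3}", passcode):
        reasons.append("repeated digit (1111 to 9999)")
    if re.fullmatch(r"[1-9]000", passcode):
        reasons.append("round thousand (1000 to 9000)")
    if len(passcode) == 4 and passcode == re.sub(r"\D", "", phone)[-4:]:
        reasons.append("last four digits of phone number")
    for name in names:
        # Assumption: a passcode of 4+ digits that matches the start of the
        # keypad spelling counts, since short passcodes truncate long names.
        if len(passcode) >= 4 and to_dtmf(name).startswith(passcode):
            reasons.append(f"name in DTMF ({name})")
    return reasons


def audit(mailboxes, phone, company):
    """Map each weak box number to its reasons; strong boxes are left out."""
    report = {}
    for box, (owner, passcode) in mailboxes.items():
        found = weak_reasons(passcode, box, phone, names=(owner, company))
        if found:
            report[box] = found
    return report


# Constructed sample data: box number -> (owner, passcode).
SAMPLE = {"1000": ("General Delivery", "1000"), "2041": ("Smith", "7648"),
          "2042": ("Jones", "0199"), "9999": ("Admin", "583920")}
if __name__ == "__main__":
    print(audit(SAMPLE, "555-0199", "Acme"))
```

Any box that shows up in the report should have its passcode changed; pair that with a lockout after a couple of bad tries, like the answering machine described earlier.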
Getting back to the point, one must consider what level of security is needed for a conversation before they begin to put security measures in place. For instance I doubt you need to encrypt a voice conversation with your grandmother (unless she works for a three letter agency), nor do I think you want to be on that old cordless phone while buying arms from third world terrorists (not that I'm advocating that). Let's say you are interested in securing voice communication; here are some ideas on what you can do to protect your privacy.

The first method is accomplished through PGPfone, a nice little program from the makers of PGP (Pretty Good Privacy). This program allows for secure modem to modem or TCP/IP based voice communication. Using PGP keys at the preselected strength, the conversation can be encrypted and secured from prying ears. The only drawback is that there is a little bit of lag, and the stronger the key, the more static and breakup you will get.

Another idea for shaking any taps on your phone line or your counterpart's phone line is through the use of a number of payphones. If you keep a good list of payphone numbers in your area that allow for incoming calls, you can be at a certain payphone at a preselected time to receive that call. If it's busy you can always have a backup payphone not too far away, or your contact will simply try back every two minutes. In my area at least there are still some neighborhood COCOTs (customer owned coin operated telephones) that still take in calls. Your best bet is to call a voicemail number that has ANI every time you're at a payphone. When you get home, call all the payphone numbers you accumulated and see which ones take in calls. Some owned by the Telco will not allow the call to go through; some COCOTs will have a modem pick up.

As another approach you could always invest in one of those expensive communication devices that hook up to the telephone and allow you to call another telephone with the device.
The price is definitely a drawback ($500 area), so using one of the less expensive methods is most likely the best way to go. Be creative and use your common sense; doing that you'll come up with many creative ideas.

This was meant simply as a primer to phone security. Yes, these are old problems, but they needed to be retouched on because it seems many people are still mystified by simple phone phreaking techniques. There are other phone risks, such as beige boxing and social engineering, but those topics have been covered already in some very well detailed articles that are available on sites all over the internet and fine BBSs like Ripco. I hope this has opened your eyes to the dangers out there or at least refreshed your memory. And to cut off all those flames that I ripped this information off and what not, I have spent many hours on the phone testing and perfecting these techniques; there is nothing here that I don't have first hand knowledge of. I'd like to leave off with these words that a good friend recently told me, "When you take from one it's plagiarism, but when you take from many it's research."

Appendix

PGPfone
http://web.mit.edu/network/pgpfone/

Phreaking Info
http://come.to/mobdomain
http://www.phonelosers.org
http://www.hackersclub.com/km

-The Mob Boss; http://come.to/mobdomain
Voicemail and fax: 1-877-203-3043

Special Thanks To...
Deo Ryan Websulker (http://www.websulker.com) and anyone else I left out...

Visit these great BBSs
Ripco BBS: ripco2.ripco.com
Northland Underground BBS: nub.dhs.org
L0pht BBS: bbs.l0pht.com
The Sacrifial Lamb (Login as BBS): english.gh0st.net
Post Cards From the Edge (Login as BBS): luna.iirg.org
Subcultural Niche: +45-3888.9120
Freedom Fortress: freedom.darktech.org
Perpetual Illusion: +45-9816.2348