Dr. K's Blog

Introduction

The phone system is the largest network on the planet, spanning thousands of miles and covering almost every country and location, from the busiest cities to far-flung Indian villages. It is also the largest machine ever built by human beings, a machine in the sense that it is a single object designed for a simple purpose, but one which is distributed across the planet. Small wonder, then, that it attracts the attention of some of the most dedicated hackers on the planet: the phone "phreaks".

There's a lot of scuttlebutt about who started phreaking, and how and why, but out of those myths some constant refrains emerge that mark out "the history" of phreaking.

  • Joe Engressia, a blind kid who discovered by accident that he could whistle a perfect 2600 Hertz signal, and who learned about the phone system from the inside out. All he wanted to do was work for the phone company, but in the end he was arrested and prosecuted for "malicious mischief" for his phreaking exploits.
  • "Cap'n" Crunch, who discovered a tiny whistle in the cereal "Captain Crunch" which blew a perfect 2600 Hertz, becoming a legendary phreaker until he was caught and sent to jail after being featured in the 1971 Esquire article "Secrets of the Little Blue Box" by Ron Rosenbaum.
  • Bell Labs, who were kind enough to publish the complete set of in-band tones controlling the US phone system, allowing students and wire-heads everywhere to construct "blue boxes".
  • The legendary "TAP" magazine, which published "self-help" for the phreaking masses and stopped publishing after a mysterious fire which, some say, was started by agents of the phone companies.

Somewhere among those events, plus many more, evolved a community devoted to exploring the telephone system across the planet, discovering and sharing information, and talking to each other on "loops" and conferences. The early phreaks helped to cross-pollinate the emerging hacker scene, and seeded it with many of their own techniques and attitudes. Unsurprisingly, phone phreaks soon gave themselves a code of ethics, some of it black-hat and some white. The following came from the Internet, and unfortunately I can't credit the anonymous phreak who wrote it, because there is no name attached to the file.

  • Never intentionally damage any equipment that is not yours.
  • Respect the system you phreak, and treat it like it was your own.
  • Do not profit unfairly from phreaking.
  • Never take stupid risks - know your own abilities.
  • Always be willing to freely share and teach your gained information and methods.

Table 9.1: Phreaks have ethics as well as hackers


In addition to this, TAP #86 published its own "Ten Commandments of Phreaking", reprinted here from the first of the phreaking tutorials distributed by "BIOC Agent 003"; it shows the more "black-hat" dark side of the phreak ethic.

  1. Box thou not over thine home telephone wires, for those who doest must surely bring the wrath of the chief special agent down upon thy heads.
  2. Speakest thou not of important matters over thine home telephone wires, for to do so is to risk thine right of freedom.
  3. Use not thine own name when speaking to other phreaks, for that every third phreak is an FBI agent is well known.
  4. Let not overly many people know that thy be a phreak, as to do so is to use thine own self as a sacrificial lamb.
  5. If thou be in school, strive to get thine self good grades, for the authorities well know that scholars never break the law.
  6. If thou workest, try to be a good employee, and impressest thine boss with thine enthusiasm, for important employees are often saved by their own bosses.
  7. Storest thou not thine stolen goodes in thine own home, for those who do are surely nonbelievers in the Bell System Security Forces, and are not long for this
  8. Attractest thou not the attention of the authorities, as the less noticeable thou art, the better.
  9. Makest sure thine friends are instant amnesiacs and will not remember that thou have called illegally, for their cooperation with the authorities will surely lessen thine time for freedom on this earth.
  10. Supportest thou TAP, as it is thine newsletter, and without it, thy work will be far more limited.

Table 9.2: Ten Commandments of Phreaking from TAP magazine #86 via BIOC Agent 003


Legal Stuff

Let's make no mistake about this: 90% of the stuff that phreaks do is considered theft of service or toll fraud by the cops, feds and TelCo security. People go to jail all the time for abusing PBXs or VMBs, making Red Box calls or Blue Boxing from home. Although the global phone system is a fascinating thing to learn about, the people who choose to explore it take considerable risks with their life and liberty. Bear in mind that what phone phreaks consider legitimate exploration is a crime in most countries.

All the information in this chapter is for informational purposes only. If anyone is stupid enough to go out and use this information to try and break the law, they shouldn't bother blaming the author or publisher, because we are telling you now: don't do it. Having said that, learning about things isn't illegal yet, and nobody can be arrested just for reading about how phone signalling systems work. Nothing here is any great secret, and any information that would have enabled fraudulent use of the telephone systems has been left out. What is here is just some information that will help people to understand more about how some parts of the phone system work.

Understanding the phone system is vital to any computer enthusiast or systems administrator who needs to move data around via PSTN, ISDN, X.25 or WAN links. For those people, learning how phreaks think and understanding the types of things that phreaks do can make the difference between a secure phone system and an insecure one. Any systems administrator entrusted with security should also be aware of the types of tools available to the phreak community, and learn to use the commonest types of tools to check and secure their PBX, VMB or other telephony equipment. Further recommendations about securing telephone systems are given in Chapter 13: Maximizing Security.

Space is tight, so I've left loads of stuff out, and if you are really interested, look up some of the stuff listed in Chapter 14: "Learning More".




Basic Phreaking Tools

Just like hackers, phone phreaks use special tools and software to explore the phone system. Here are just a few of the tools most commonly used by phone phreaks, and what they can be used for.

A "beigebox" or linesman's phone

A beigebox is a linesman's phone, normally terminating in crocodile clips and a phone plug. A phreak can make a beigebox by cutting the end off an "all in one" phone, where the buttons are inserted into the handset, and replacing them with crocodile clips. A real linesman's phone has a few other switches and features, but a homemade beigebox can be very useful if you regularly need to test or install phones and phone wiring. Sometimes it is possible to pick up second hand linesman's phones from technical sales, radio ham meets, and in the UK, "car boot" sales.

Remember that using a beigebox on someone else's phone line involves theft, and a phreak could get into a whole world of trouble. The calls they make will eventually show up on somebody's phone bill, and when that person queries it, the phreak *will* eventually get a visit from the cops and TelCo security if they break the law in this way. Several people are arrested, charged and convicted every year for offences that include "teeing in" to TelCo distribution points, not to mention any problems that might occur if their gun-owning good ol' boy next door takes exception to having his phone service stolen. Anyway, where is the challenge and exploration in learning how to steal a neighbor's phone service? That's not phreaking, it's stealing, so I recommend that you use a beigebox legally. If you are involved in data communications, or have been entrusted to administer a PBX, then a beigebox is an essential piece of hardware for testing phone sockets and phone lines.

DTMF "Pocket Tone Dialer"

An essential tool for any telephony enthusiast is a DTMF pocket tone dialer, so that they can send tones down lines which only accept pulses. It is also useful for accessing your AnswerPhone or VMB, speed dialing and accessing any other service that uses DTMF tones. Anyone who buys one should make sure that they get one that does all the tones, including A, B, C, D, # and *, because they are the most useful. I use an old Radio Shack 33-memory pocket tone dialer, which is useful for storing numbers, testing PBXs and using VMB services from older exchanges that only use old-style pulse signalling.

Hand Held Cassette or Dictaphone

This vital part of the phreak's armory has been getting smaller and smaller as handheld cassette recorders, Walkmans and Dictaphones have plunged in price and size. The big problem with a handheld tape recorder is the non-random access of the tape, so a phreak needs to be well organized if they use one. A minidisc or MP3 player could provide a better means of pumping tones down the line and give better access to tone sequences, so I wouldn't be surprised to see those, or even some of the newer digital Dictaphones that store up to 30 seconds of audio, being used to box with. Don't forget also that some companies make greetings cards that store an audio message, and the internals of these can very simply be removed and remounted into a DAT case, but many phreaks never had much luck with these because the sound quality was so bad. If you are a systems administrator responsible for the phones, these devices make a useful replacement for a tone dialler for testing purposes, and can also be used to check the security of a VMB or PBX by storing all the scanning tones to check that the admin password is secure.

Bluebox or Bluebox software

Please note that simple possession of a bluebox can get someone into legal trouble, so it would be better if the reader didn't acquire one, let alone use it to emulate trunk signalling systems. However, if you are a systems administrator or telephony professional responsible for securing telephony equipment, then you should familiarise yourself with as many of the software blueboxes as possible, then use them for testing and securing your equipment.

The most popular bluebox software appears to be "BlueBeep" or "The Little Operator", but there are loads of other bits of software out there. The better software allows a phreak to define new signaling MF digits and codes. Phreaks like a bluebox with flexibility in its "Clear Forward" and "Seize" tones, because some aren't flexible, and they're pants. In the old days a phreak playing with C5 systems would need a piece of software to generate C5 tones and a tape recorder, but nowadays a laptop with sound output makes a perfectly adequate blueboxing device. These days there are also smart hackers writing blueboxing programs for the new generation of PDAs and palmtops, which are smaller and more functional. If the phreak hasn't got any of these devices then they will resort to generating the tones they need, then storing and carrying them using a dictaphone or walkman.

RedBox or RedBox software

A "Red Box" is a device designed to allow a phreak to commit toll fraud by placing free calls, and because of this, possession of a redbox is illegal in many places. For this reason, it is recommended that you do not acquire a red box, as to do so could leave you open to legal action just for owning such a device, regardless of whether you have attempted to use it.

In recent years telephone companies have gone to great lengths to stamp out redboxing and it is now reported that red boxing is "dead" due to technical changes made to the phone systems to prevent this form of toll fraud.

A "Red Box" is designed to emulate the signals sent down a pay phone when a phreak inserts coins into the slot. A RedBox can be made from a converted Radio Shack tone dialer, a custom device (see "2600"), a laptop generating RedBox tones, or a hand-held tape recorder with the correct tones. When using a RedBox the phreak needs to wait until the Automated Call Toll System (ACTS) asks them for their money and then send down the tones. Note that this only works in the US/Canada, and in recent times TelCos have taken to muting the voice circuit to prevent this form of in-band signaling toll fraud. Also be aware that TelCo security takes a very dim view of RedBoxing, as the only purpose of RedBoxing is to perform toll fraud, and arguments about "learning about phones" are not going to cut much ice if anyone is caught with one. Once again it must be reiterated: possession or attempted use of a Red Box is an offence, and although it is included here for completeness, it is recommended that the reader neither acquire nor attempt to use such a device.

A "War Dialer".

A "war dialer" is used to dial a large number of numbers in an exchange in the hope of finding something interesting: tones, carriers, loops, VMBs, PBXs etc. War dialers were covered in Chapter 4, "The Hacker's Toolbox", and I only include them here for completeness' sake. Suffice it to say that a systems administrator only needs a copy of "ToneLoc" if they want to start scanning and securing their PBX and internal telephone systems. Although scanning is not illegal in some places, it is in others, so anyone interested is directed to the legal warning in Chapter 4 if they haven't already read it. They should then make sure that they understand the relevant state, federal or national statutes governing scanning before attempting to acquire or use such a piece of software.

A Fully Functioning Brain (FFB)

No, I'm not joking by including this as a phreaker's "tool". More than in any other area of hacking, a phreak needs to have a fully working brain with a healthy sense of paranoia in order to prevent themselves inadvertently breaking the law. Because TelCo security considers 90% of phreaking to be a crime, telephony enthusiasts must engage their brain before doing anything that might be construed as a criminal act. There is no chance of becoming a phreak equivalent of a "script kiddy" unless the phreak sticks to abusing calling card or credit card numbers to make free calls, because phreaking is about learning about the phone system. If a phreak sticks to working out why things work the way they do, and sometimes why they don't, while refraining from taking any actions that are illegal, then they can learn about the phone system without falling foul of the law. Thanks to Phed-One for suggesting a brain as part of the phreaker's toolbox, as too many people forget this vital piece of equipment.

Advanced Tools.

There are more advanced tools that phreaks can use, but mostly they don't need them unless they are on the way to becoming a serious Telecom professional, rather than a phreak. Owning these tools is not a crime, and they can be purchased from many equipment suppliers if you have a legitimate need for them.


  • A DTMF decoder takes DTMF tones and turns them back into the digits that were dialed. It is expensive unless the telephony enthusiast builds it themselves; they could also feed the tones that they have recorded into a pager service or a VMB password prompt if they really need to know the number.
  • An old-fashioned oscillator and pickup, sometimes known as a "tone and amp", allows an engineer to inject a signal into a line and then probe across a bunch of lines to find the one they want.
  • A line tracer which will pick up the conductive current running down the lines and lets an engineer know which lines are which. Newer ones don't even need to touch the wire, they pick it up from the magnetic field coming off the wire caused by the current flowing down it.
  • A "punch down" tool for connecting wires into those punchdown blocks that are used in distribution points and other installations is also very useful if you routinely maintain or fix phone systems for a company.



Signaling Systems

This chapter is too short to give a full overview of the theory of telephony and the many signaling systems around, so check out Chapter 14: "Learning More" for some more detailed and more technical expositions of phone theory. This should be enough to give you a taste of what's out there and get you started, and once you start to dig into the phreaking resources on the Internet, you'll find a lot more to get your teeth into.




Pulse Dialling

This was the old form of dialing, used in the days when exchanges were large lumbering beasts made up of thousands of relays. What happens with an old rotary dial is that when you release the dial, the contacts in the phone interrupt the line x times, where x is the digit dialed, with the exception of "0", which is ten pulses. Because pulse dialing is effectively taking the phone on and off hook very quickly, a phreak can achieve the same result by tapping the off-hook switch of the phone in the same rhythm as the dial would normally click. It sounds quite hard, but if they first set their phone to "pulse" and listen to the clicks, they can get the rhythm of the dialing pulses quite easily and learn to dial with the off-hook switch instead of the keypad or dial.
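To show how the pulse counting described above is interpreted on the receiving side, here is an added example (my code, not from the original chapter) that decodes a rotary-dial pulse train from a constructed list of hook-switch transitions, as a line card or line monitor might log them. Each break of the loop inside a digit is one pulse, a long closed period ends the digit, ten pulses is "0", and very short breaks (contact bounce) or very long ones (a hook flash or hang-up) are not counted as pulses. The timing constants are typical values and an assumption, not a standard; `pulse_train` is a constructed helper that produces the events a dial would generate, so the example can be run on its own.

```python
"""Decode rotary (loop-disconnect) pulse dialling from hook-switch events.

Added example, not from the original chapter. Input is a constructed list
of (time_ms, on_hook) transitions. The timing constants are assumptions
chosen to match a typical 10 pulse-per-second dial.
"""

MIN_BREAK_MS = 20     # shorter loop breaks are contact bounce or noise
MAX_BREAK_MS = 150    # longer breaks are a hook flash or hang-up, not a pulse
INTERDIGIT_MS = 300   # a closed period longer than this separates two digits


def pulses_to_digit(count):
    """Map a pulse count to the dialled digit; ten pulses means '0'."""
    if 1 <= count <= 9:
        return str(count)
    if count == 10:
        return "0"
    raise ValueError("invalid pulse count %d" % count)


def decode_pulses(events):
    """events: list of (time_ms, on_hook) transitions, earliest first,
    with the phone initially off hook. Returns the dialled digit string."""
    digits = []
    count = 0            # pulses counted in the digit in progress
    break_start = None   # time the loop was last opened
    last_make = None     # time the loop was last closed again
    for t, on_hook in events:
        if on_hook:
            # Loop opened. If the line sat closed for longer than the
            # inter-digit gap, the previous digit is complete.
            if last_make is not None and count and t - last_make > INTERDIGIT_MS:
                digits.append(pulses_to_digit(count))
                count = 0
            break_start = t
        else:
            # Loop closed again: measure the break we just saw.
            if break_start is None:
                continue
            width = t - break_start
            if MIN_BREAK_MS <= width <= MAX_BREAK_MS:
                count += 1                       # a genuine dial pulse
            elif width > MAX_BREAK_MS and count:
                digits.append(pulses_to_digit(count))   # flash ends the digit
                count = 0
            break_start = None
            last_make = t
    if count:
        digits.append(pulses_to_digit(count))    # digit still open at the end
    return "".join(digits)


def pulse_train(digits, break_ms=60, make_ms=40, gap_ms=700, t0=0):
    """Constructed helper: the events a rotary dial would produce for
    `digits`, using a 60 ms break / 40 ms make cycle and a 700 ms gap."""
    events, t = [], t0
    for d in digits:
        n = 10 if d == "0" else int(d)
        for _ in range(n):
            events.append((t, True))
            t += break_ms
            events.append((t, False))
            t += make_ms
        t += gap_ms
    return events


if __name__ == "__main__":
    print(decode_pulses(pulse_train("2600")))
```

The two rejection rules are the part worth copying: a decoder that counts every break as a pulse will turn a noisy hook switch or a deliberate flash into spurious digits.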




DTMF

The big problem with pulse dialing is that it takes more time to dial higher digits than lower ones, preventing fast dialing and delaying the phone user. One way round this is to find a system that uses single tones, one for each character in the signaling set, which take the same amount of time whatever digit or signal is being sent. The solution to this leads to the commonest form of signaling around today, "Dual Tone Multi Frequency" (DTMF). Almost everyone is familiar with DTMF, as it's the tones that each key on a phone keypad generates. DTMF is "Dual Tone" because each digit is represented by two frequencies, hence also "Multi Frequency". Apart from the standard 0-9, * and # keys there are also A, B, C and D keys which do not exist on normal phones, but are used to control VMBs, PBXs, AnswerPhones, etc. Here is the list of DTMF frequencies for anyone who might need them for any reason. Normally DTMF tones are generated by a "pocket tone dialer" for anyone who needs to control any DTMF-enabled equipment remotely, but if you want to program one of the new generation of PDAs, then this might come in useful.

Key   Multifrequency tones (Hz)
0     1336 + 941
1     1209 + 697
2     1336 + 697
3     1477 + 697
4     1209 + 770
5     1336 + 770
6     1477 + 770
7     1209 + 852
8     1336 + 852
9     1477 + 852
*     1209 + 941
#     1477 + 941
A     1633 + 697
B     1633 + 770
C     1633 + 852
D     1633 + 941

Table 9.3: Multi-frequency tones used by DTMF
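The table above is enough to both generate and recognise DTMF, which is what the "DTMF decoder" in the Advanced Tools list does: it turns tones back into digits. The following added example (my code, not from the original chapter) synthesises key tones from the frequency table at an 8 kHz telephone sampling rate and then recovers the keys with a Goertzel filter, the usual single-frequency detector for this job. The frame length of 205 samples and the 0.1 power threshold are conventional choices and assumptions of the example; everything is pure Python with no dependencies.

```python
"""DTMF encode and decode round trip using the Goertzel algorithm.

Added example, not code from the original chapter. Key frequencies are
those of Table 9.3; sample rate, frame length and threshold are assumptions.
"""
import math

SAMPLE_RATE = 8000   # telephone-grade sampling rate (Hz)
FRAME = 205          # samples per analysis frame (about 25 ms)

# Low-group (row) and high-group (column) frequencies from the table.
LOW = (697, 770, 852, 941)
HIGH = (1209, 1336, 1477, 1633)
KEYPAD = (("1", "2", "3", "A"),
          ("4", "5", "6", "B"),
          ("7", "8", "9", "C"),
          ("*", "0", "#", "D"))


def key_frequencies(key):
    """Return the (low, high) frequency pair for a keypad key."""
    for r, row in enumerate(KEYPAD):
        if key in row:
            return LOW[r], HIGH[row.index(key)]
    raise ValueError("not a DTMF key: %r" % key)


def tone(key, duration_ms=80, amplitude=0.5):
    """PCM samples (floats in [-1, 1]) for one key: the sum of its two sines."""
    f_low, f_high = key_frequencies(key)
    n = int(SAMPLE_RATE * duration_ms / 1000)
    step = 2 * math.pi / SAMPLE_RATE
    return [amplitude / 2 * (math.sin(step * f_low * i) + math.sin(step * f_high * i))
            for i in range(n)]


def silence(duration_ms=80):
    return [0.0] * int(SAMPLE_RATE * duration_ms / 1000)


def encode(keys):
    """Tone for each key, separated by equal-length silence."""
    samples = []
    for k in keys:
        samples += tone(k) + silence()
    return samples


def goertzel_power(frame, freq):
    """Signal power at `freq` over `frame` (second-order Goertzel recurrence)."""
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_key(frame, ratio=0.1):
    """Key present in one frame, or None. Both the strongest low-group and
    strongest high-group tone must carry a fair share of the frame's energy,
    so silence, noise and single tones are rejected."""
    energy = sum(x * x for x in frame)
    if energy < 1e-9:
        return None
    floor = ratio * len(frame) * energy
    powers = {f: goertzel_power(frame, f) for f in LOW + HIGH}
    low = max(LOW, key=powers.get)
    high = max(HIGH, key=powers.get)
    if powers[low] < floor or powers[high] < floor:
        return None
    return KEYPAD[LOW.index(low)][HIGH.index(high)]


def decode(samples):
    """Decode a sample stream frame by frame; a key is reported once per
    unbroken run of frames in which it is detected."""
    keys, last = [], None
    for i in range(0, len(samples) - FRAME + 1, FRAME):
        key = detect_key(samples[i:i + FRAME])
        if key is not None and key != last:
            keys.append(key)
        last = key
    return "".join(keys)


if __name__ == "__main__":
    print(decode(encode("1234567890*#ABCD")))
```

The energy-ratio test in `detect_key` is what makes this usable on a real line rather than only on synthetic audio: a decoder that simply picks the loudest row and column frequency will "hear" digits in speech and noise.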





R1

R1 is the system which used to be used by American phreaks when blueboxing was still possible in the US. It used a similar multi-frequency (MF) control set to CCITT5, but the lines which carried calls from exchange to exchange, called "trunks", used a unique method to announce whether or not they were in use. When a trunk was not busy, it carried a continual 2600 Hz tone to announce to other trunks that it was "on hook". By sending a 2600 Hz tone at the correct time, a phreak could fool the trunk into thinking that the phone call had completed, and release it for the next call. Once the line had been released, it could be "seized", and the phreaker could then send the correct trunk routing codes to place another call anywhere in the world.

In practice the phreak would make a call which needed to be routed via a trunk, then send 2600 Hz for around 1-2 seconds while listening for the "wink" or "kerchunk" that indicated the trunk at the other end was ready to receive a new call. Once the trunk was ready, the phreaker would use the MF signaling set to send "KP", followed by a 3-digit area code if necessary, followed by the number to be dialed, and a final "ST" to start the trunk by saying that nothing else is coming. The phone call then went through as normal, without any charges accruing for the call. R1 blueboxing has died in the States for many reasons, but the death knell for the blueboxer was the introduction of new digital switches such as the ESS, which used out-of-band signaling. In the UK a similar system called MF2 was capable of being blueboxed for years using 2280 Hz as the break tone, but the introduction of the digital System X finally killed boxing in the UK also.




CCITT 5

Although there are many other CCITT signaling systems, CCITT 5 (C5) is the best example, mostly because until recently it was still being used by phreakers to get calls using a "bluebox" designed to emit C5 tones. Nowadays C5 is restricted to out-of-the-way places in the world, so unless a phreak is in a country that uses C5 signaling, blueboxing C5 has gone the way of American blueboxing using R1: gone but not forgotten.

Digit  Frequency (Hz)
1      700 + 900
2      700 + 1100
3      900 + 1100
4      700 + 1300
5      900 + 1300
6      1100 + 1300
7      700 + 1500
8      900 + 1500
9      1100 + 1500
0      1300 + 1500
KP1    1100 + 1700
KP2    1300 + 1700
ST     1500 + 1700
C11    700 + 1700
C12    900 + 1700

Table 9.4: CCITT5 tones


In addition to these tones the phreaker also used a tone called "Clear Forward", 2400 + 2600 Hz, and "Seize", 2400 + 2400 Hz, together used to break and seize the trunk. Timings for C5 used to vary between trunks, but generally the Clear Forward and Seize tones could be sent with timings varying from 150-500 ms, the KPx, ST and Cxx tones for 100 ms with 55 ms between, and the digits for 55 ms with 55 ms between.

Trunk routings could be either "terminal", for local calls within the host country, or "transit" for international calls, and the internal routings could send the call via a number of possible routes, e.g. cable, satellite or maybe even microwave. The routing information is a single digit, normally 0 for cable, 1 for satellite, 2 for operator, 3 for military and 9 for microwave, but the implementation of this varies from country to country. Here is what the two types of calls look like.

KP1 - < route > - < area code > - < number > - ST

Table 9.5: Terminal calls using C5 break down like this


KP2 - < country code > - < route > - < area code > - < number > - ST

Table 9.6: Transit calls in C5 look like this


In recent times C5 blueboxing, which was once common, has been suppressed by TelCo security globally, who have clamped down on phreaks who bluebox using security measures such as (a) filters on the line to prevent the tones getting through, (b) muting the voice channel until the call is complete, (c) 2600/2400 detectors on phone lines and (d) tapping trunks and recording activity where C5 boxing is being committed. Because of this, everyone now knows that blueboxing using C5 is not possible unless they are in a third-world country, which are precisely the sorts of places that shoot first and ask questions later. Should you find yourself in a third-world country you should not attempt any manipulation of the phone system, because of the legal and personal risks involved.




How "Blue Boxing" was done

Now, because everyone knows that traditional C5 blueboxing is no longer possible, it is quite safe to give examples of blueboxing in the C5 system without encouraging anyone to commit toll fraud. Although this only covers C5, the principles remain the same for any other system, and I leave the implementation details of boxing on other systems as an exercise for the reader. The actual mechanics of blueboxing on the C5 system are not much different from blueboxing the old US R1 system, and anyone who has read about R1 above might already have an idea how it might have been done. Here are the steps that a phreak would have used to bluebox off a C5 line before it became impossible.

  1. The phreak dialled a call which crossed or terminated on a C5 trunk.
  2. When the call was connected there would be an audible "pleep".
  3. Then the "Clear Forward" signal was sent, 2400/2600 Hz for approx. 150 ms. This timing used to vary from as little as 80 ms to as much as 450 ms.
  4. The trunk would respond with an audible "wink" or "pleep".
  5. Now the "Seize" signal, 2400 Hz for approx. 150 ms. In general the timing of the Clear Forward and Seize signals was nearly the same.
  6. The trunk would respond with an audible "pleep" again.
  7. Key Pulse, KP1 for terminal and KP2 for transit calls.
  8. Routing digit 0,1,2 or 9.
  9. If KP2 has been sent, the country code goes next.
  10. Now the area code was sent.
  11. Then the number to be dialled was sent.
  12. Finally the ST signal to initiate the connection was sent.

Table 9.7: Outline of how C5 "blueboxing" used to be done





VMB

A Voice Mail Box (VMB) is a storage area in a program running on a computer that provides a messaging service like an answerphone, but can host messages for hundreds of users. Each user will have a VMB, which will have its own unique number, and each box will have a 4-6 digit PIN to act as a passcode. When a phreak phones someone's VMB, it normally acts like an answerphone and they can leave messages. But just like an answerphone with remote access capabilities, if the phreak can get the PIN, then they will be able to read the messages, change the outgoing message and administer that box. Most VMB systems come with many pre-configured VMBs, each with a default password set to the number of the box, or a simple password, so guessing a VMB PIN is very easy. Some VMBs will also provide for remote administration by the VMB admin, so with access to the admin PIN the phreak will be able to create new boxes at will and control the system. Phreaks like to find VMBs that are configured with dial-ins for remote admin by the manufacturer, or if they are very lucky, a dial-out for legitimate VMB users. If you are responsible for a VMB system then make sure that there are no unused boxes on the system, disable remote admin features, disable dial-outs, issue passcode PINs that are harder to guess, and monitor it regularly for any signs of abuse.




PBX

A Private Branch Exchange (PBX) is a small telephone switch which takes input from a number of lines and distributes it across a company to all the employees' phones. Without a PBX, companies would need to provide a separate phone line for each employee, which would be costly and wasteful because most of the time they wouldn't be using it. By using a PBX, companies are able to take as few lines as possible and distribute them to every employee. The reason why phreakers like PBXs is that they carry inbound and outbound phone functions, so someone dialing in is sometimes able to dial out again, with the company owning the PBX picking up the bill. Anyone who owns or is responsible for a PBX is advised to turn off any indial-to-outdial routing capability if possible, and to monitor it for abuse if that can't be done. If you are a phreaker and abuse a PBX, running up bills of thousands of dollars for the company who owns it, then there is a good chance they'll move heaven and earth to catch you and chuck you in prison, so don't do it.
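The VMB and PBX sections both end with the same advice: monitor the system for signs of abuse. This added example (my code, not from the original chapter) shows what that monitoring looks like as detection logic run over call-detail records. The CDR column layout is a constructed, simplified format, since every PBX has its own; the home country prefix, off-hours window and burst thresholds are assumptions. Three rules are implemented: calls that entered on a trunk and left on a trunk (the indial-to-outdial relay the PBX section warns about), off-hours international outbound calls, and bursts of short calls into the voicemail attendant from one caller, which is what repeated hang-ups at a PIN prompt look like in the records.

```python
"""PBX and VMB abuse detection over call-detail records (CDR).

Added example, not code from the original chapter. SAMPLE_CDR is a
constructed, simplified record format; the thresholds are assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

HOME_COUNTRY_PREFIX = "+1"             # assumption: the PBX lives in +1 (NANP)
OFF_HOURS = (22, 6)                    # 22:00 to 06:00 local time
SHORT_CALL_S = 15                      # a failed PIN attempt hangs up quickly
BURST_COUNT = 5                        # this many short VMB calls ...
BURST_WINDOW = timedelta(minutes=10)   # ... within this window is suspect

# Constructed sample records: origin_kind and dest_kind say whether a leg
# is on an outside trunk, an internal extension, or the voicemail attendant.
SAMPLE_CDR = """\
call_id,start,origin,origin_kind,destination,dest_kind,duration_s
1001,2024-05-03T10:12:05,ext-214,extension,+14155550123,trunk,312
1002,2024-05-03T10:30:41,+13105550111,trunk,ext-101,extension,45
1003,2024-05-03T23:41:02,+13105550199,trunk,+880155512345,trunk,1870
1004,2024-05-04T01:05:19,+13105550199,trunk,+880155512346,trunk,2210
1005,2024-05-04T02:10:00,+12125550177,trunk,vmb,voicemail,8
1006,2024-05-04T02:10:15,+12125550177,trunk,vmb,voicemail,7
1007,2024-05-04T02:10:29,+12125550177,trunk,vmb,voicemail,9
1008,2024-05-04T02:10:44,+12125550177,trunk,vmb,voicemail,6
1009,2024-05-04T02:11:01,+12125550177,trunk,vmb,voicemail,8
1010,2024-05-04T09:00:12,+16505550142,trunk,vmb,voicemail,95
1011,2024-05-04T23:55:30,ext-118,extension,+442079460000,trunk,640
"""


def parse_cdr(text):
    """Parse CSV records, converting timestamps and durations."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["start"] = datetime.fromisoformat(row["start"])
        row["duration_s"] = int(row["duration_s"])
        rows.append(row)
    return rows


def dial_through(records):
    """Calls that entered on a trunk and left on a trunk: the PBX is being
    used as a relay, which is the indial-to-outdial abuse described above."""
    return [r["call_id"] for r in records
            if r["origin_kind"] == "trunk" and r["dest_kind"] == "trunk"]


def is_off_hours(when):
    start, end = OFF_HOURS
    return when.hour >= start or when.hour < end


def off_hours_international(records):
    """Outbound trunk calls to another country during the off-hours window."""
    return [r["call_id"] for r in records
            if r["dest_kind"] == "trunk"
            and r["destination"].startswith("+")
            and not r["destination"].startswith(HOME_COUNTRY_PREFIX)
            and is_off_hours(r["start"])]


def pin_guessing(records):
    """Origins that made BURST_COUNT or more short voicemail calls inside
    BURST_WINDOW, i.e. repeated hang-ups at the PIN prompt."""
    by_origin = defaultdict(list)
    for r in sorted(records, key=lambda r: r["start"]):
        if r["dest_kind"] == "voicemail" and r["duration_s"] < SHORT_CALL_S:
            by_origin[r["origin"]].append(r["start"])
    flagged = []
    for origin, times in by_origin.items():
        for i in range(len(times) - BURST_COUNT + 1):
            if times[i + BURST_COUNT - 1] - times[i] <= BURST_WINDOW:
                flagged.append(origin)
                break
    return flagged


def report(text=SAMPLE_CDR):
    recs = parse_cdr(text)
    return {"dial_through": dial_through(recs),
            "off_hours_international": off_hours_international(recs),
            "pin_guessing": pin_guessing(recs)}


if __name__ == "__main__":
    for rule, hits in report().items():
        print(rule, hits)
```

The dial-through rule is the one to run first on a real PBX: it needs no thresholds, and if the indial-to-outdial routing has been turned off as the text advises, any hit at all means the configuration has drifted.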




Answerphones

The average answerphone is safe and unhackable, but any answerphone which allows remote operation is capable of being used by phreaks to communicate with other phreaks. Most answerphones which allow remote operation only need a 2-digit PIN to take full control of the machine, and more sophisticated answerphones might only need a 3- or 4-digit PIN. Most answerphones have their PINs factory set, and if the phreak gets the manual for that answerphone it will tell them the PIN. Otherwise they have to scan for it using a software package that allows DTMF scanning. Once the phreak has taken control of the answerphone they will be able to re-record outgoing messages, delete messages in the queue and maybe even change the PIN.

People leave very personal information on answerphones, including medical information, phone numbers and credit card details, so if you are responsible for an answerphone then it is incumbent on you to protect your clients' privacy and prevent these kinds of remote answerphone attacks. If you own an answerphone which allows remote control, then disable the remote control facility if you can, and if you can't disable it then make sure that you change the factory PIN to one you prefer, and keep changing it at regular intervals.




Conclusion

This chapter has touched very briefly on a very large and interesting topic, and there has been no time to look at some of the more modern activities that phreaks are involved with. The emphasis has changed recently to mobile phones, with advanced phreaks actually re-writing the software inside the phones to do all sorts of interesting things, rather than simple "chipping" by changing or cloning the ESN/MIN pair. No mention has been made of the use of radio scanners to eavesdrop on home cordless phones, older-style analog mobile phones or pagers, as these activities often violate laws on privacy and eavesdropping that take them outside the realms of hacking and phreaking and into the purely criminal domain. I also haven't bothered to get into any of the details of (ab)using payment card systems for phones, as this often involves reprogramming "smartcards" and would take up a whole chapter. Certainly, as phreaking enters the 21st century, the challenges that face the phone phreak seem to be multiplying as new and more novel ways of communicating are invented.




Creative Commons License This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 2.5 License.