Remove ads
Hacking of analog telephone network From Wikipedia, the free encyclopedia
Phreaking is a slang term coined to describe the activity of a culture of people who study, experiment with, or explore telecommunication systems, such as equipment and systems connected to public telephone networks.[1] The term phreak is a sensational spelling of the word freak with the ph- from phone, and may also refer to the use of various audio frequencies to manipulate a phone system. Phreak, phreaker, or phone phreak are names used for and by individuals who participate in phreaking.
The term first referred to groups who had reverse engineered the system of tones used to route long-distance calls. By re-creating the signaling tones, phreaks could switch calls from the phone handset while avoiding long-distance calling charges which were common then. These fees could be significant, depending on the time, duration and destination of the call. To ease the creation of the routing tones, electronic tone generators known as blue boxes became a staple of the phreaker community. This community included future Apple Inc. co-founders Steve Jobs and Steve Wozniak.
The blue box era came to an end with the ever-increasing use of digital telephone networks which allowed telecommunication companies to discontinue the use of in-band signaling for call routing purposes. Instead, telecom companies began employing common-channel signaling (CCS), through which dialing information was sent on a separate channel that was inaccessible to the telecom customer. By the 1980s, most of the public switched telephone network (PSTN) in the US and Western Europe had adopted the SS7 system which uses out-of-band signaling for call control (and which is still in use to this day), therefore rendering blue boxes obsolete. Phreaking has since become closely linked with computer hacking.[2]
Phreaking began in the 1960s when it was discovered that certain whistles could replicate the 2600 Hz pitch used in phone signalling systems in the United States.[3] Phone phreaks experimented with dialing around the telephone network to understand how the phone system worked, engaging in activities such as listening to the pattern of tones to figure out how calls were routed, reading obscure telephone company technical journals (often obtained through dumpster diving),[3] social engineering, building electronic devices called blue boxes, black boxes, and red boxes to help them explore the network and make free phone calls, hanging out on early conference call circuits and "loop arounds" to communicate with one another and writing their own newsletters to spread information. Phreaking was especially prevalent in universities,[3] where it began spreading much like computer hacking would in the following decades.
Before 1984, long-distance telephone calls were a premium item in the United States, with strict regulations. In some locations, calling across the street counted as long distance.[4] To report that a phone call was long-distance meant an elevated importance because the calling party is paying by the minute to speak to the called party.
Some phreaking consists of techniques to evade long-distance charges, which is criminalized as "toll fraud".[5] In 1990, the pager cloning technique arose and was used by law enforcement.[6]
In the UK the situation was rather different due to the difference in technology between the American and British systems, the main difference being the absence of tone dialing and signaling, particularly in the 1950s and 1960s.
The tone system in the United States has been almost entirely replaced, but in some countries, in addition to new systems, the tone system is still available, for example in Italy.
Possibly one of the first phreaking methods was switch-hooking, which allows placing calls from a phone where the rotary dial or keypad has been disabled by a key lock or other means to prevent unauthorized calls from that phone. It is done by rapidly pressing and releasing the switch hook to open and close the subscriber circuit, simulating the pulses generated by the rotary dial. Even most current telephone exchanges support this method, as they need to be backward compatible with old subscriber hardware.[7]
By rapidly clicking the hook for a variable number of times at roughly 5 to 10 clicks per second, separated by intervals of roughly one second, the caller can dial numbers as if they were using the rotary dial. The pulse counter in the exchange counts the pulses or clicks and interprets them in two possible ways. Depending on continent and country, one click with a following interval can be either "one" or "zero" and subsequent clicks before the interval are additively counted. This renders ten consecutive clicks being either "zero" or "nine", respectively. Some exchanges allow using additional clicks for special controls, but numbers 0-9 now fall in one of these two standards. One special code, "flash", is a very short single click, possible but hard to simulate. Back in the day of rotary dial, technically identical phone sets were marketed in multiple areas of the world, only with plugs matched by country and the dials being bezeled with the local standard numbers.[citation needed]
Such key-locked telephones, if wired to a modern DTMF capable exchange, can also be exploited by a tone dialer that generates the DTMF tones used by modern keypad units. These signals are now very uniformly standardized worldwide. It is notable that the two methods can be combined: Even if the exchange does not support DTMF, the key lock can be circumvented by switch-hooking, and the tone dialer can be then used to operate automated DTMF controlled services that can not be used with rotary dial.
The origins of phone phreaking trace back at least to AT&T's implementation of fully automatic switches. These switches used tone dialing, a form of in-band signaling, and included some tones which were for internal telephone company use.[citation needed] One internal-use tone is a tone of 2600 Hz which causes a telephone switch to think the call had ended, leaving an open carrier line, which can be exploited to provide free long-distance, and international calls. At that time, long-distance calls were more expensive than local calls.[8]
The tone was discovered in approximately 1957,[8] by Joe Engressia, a blind seven-year-old boy. Engressia had perfect pitch, and discovered that whistling the fourth E above middle C (a frequency of 2637.02 Hz) would stop a dialed phone recording. Unaware of what he had done, Engressia called the phone company and asked why the recordings had stopped. Joe Engressia is considered to be the father of phreaking.[9]
Other early phreaks, such as "Bill from New York" (William "Bill" Acker 1953-2015), began to develop a rudimentary understanding of how phone networks worked. Bill discovered that a recorder he owned could also play the tone at 2600 Hz with the same effect. John Draper discovered through his friendship with Engressia that the free whistles given out in Cap'n Crunch cereal boxes also produced a 2600 Hz tone when blown (providing his nickname, "Captain Crunch"). This allows control of phone systems that work on single frequency (SF) controls. One can sound a long whistle to reset the line, followed by groups of whistles (a short tone for a "1", two for a "2", etc.) to dial numbers.[10][11]
While single-frequency worked on certain phone routes, the most common signaling on the then long-distance network was multi-frequency (MF) controls. The slang term for these tones and their use was "Marty Freeman". The specific frequencies required were unknown to the general public until 1954, when the Bell System published the information in the Bell System Technical Journal in an article describing the methods and frequencies used for inter-office signalling. The journal was intended for the company's engineers; however, it found its way to various college campuses across the United States. With this one article, the Bell System accidentally gave away the "keys to the kingdom", and the intricacies of the phone system were at the disposal of people with a knowledge of electronics.[12]
The second generation of phreaks arose at this time, including New Yorkers "Evan Doorbell", "Ben Decibel" and Neil R. Bell and Californians Mark Bernay, Chris Bernay, and "Alan from Canada". Each conducted their own independent exploration and experimentation of the telephone network, initially on an individual basis, and later within groups as they discovered each other in their travels. "Evan Doorbell", "Ben" and "Neil" formed a group of phreaks, known as "Group Bell". Bernay initiated a similar group named the "Mark Bernay Society". Both Bernay and Evan received fame amongst today's phone phreakers for internet publications of their collection of telephone exploration recordings. These recordings, conducted in the 1960s, 1970s, and early 1980s are available at Mark's website Phone Trips.[13]
In October 1971, phreaking was introduced to the masses when Esquire magazine published a story called "Secrets of the Little Blue Box"[14][15][16] by Ron Rosenbaum. This article featured Engressia and John Draper prominently, synonymising their names with phreaking. The article also attracted the interest of other soon-to-be phreaks, such as Steve Wozniak and Steve Jobs, who went on to found Apple Computer.[17][18]
1971 also saw the beginnings of YIPL (Youth International Party Line), a publication started by Abbie Hoffman and Al Bell to provide information to Yippies on how to "beat the man", mostly involving telephones. In the first issue of YIPL, writers included a "shout-out" to all of the phreakers who provided technological information for the newsletter: "We at YIPL would like to offer thanks to all you phreaks out there."[19] In the last issue, YIPL stated:
YIPL believes that education alone cannot affect the System, but education can be an invaluable tool for those willing to use it. Specifically, YIPL will show you why something must be done immediately in regard, of course, to the improper control of the communication in this country by none other than bell telephone company.[19]
In 1973, Al Bell would move YIPL over and start TAP (Technological American Party).[20]
Al Bell was denied opening a bank account under the name of Technological American Party, since he was not a political party, so he changed the name to Technological Assistance Program to get a bank account.[21]
TAP developed into a major source for subversive technical information among phreaks and hackers all over the world.[according to whom?] TAP ran from 1973 to 1984, with Al Bell handing over the magazine to "Tom Edison" in the late 1970s. TAP ended publication in 1984 due mostly to a break-in and arson at Tom Edison's residence in 1983.[22] Cheshire Catalyst then took over running the magazine for its final (1984) year.
A controversially suppressed article "Regulating the Phone Company In Your Home"[23] in Ramparts magazine (June 1972) increased interest in phreaking. This article published simple schematic plans of a "black box" used to make free long-distance phone calls, and included a very short parts list that could be used to construct one. AT&T forced Ramparts to pull all copies from shelves, but not before numerous copies were sold and many regular subscribers received them.[24]
This section needs additional citations for verification. (July 2014) |
In the 1980s, the revolution of the personal computer and the popularity of computer bulletin board systems (BBSes) (accessed via modem) created an influx of tech-savvy users. These BBSes became popular for computer hackers and others interested in the technology, and served as a medium for previously scattered independent phone phreaks to share their discoveries and experiments. This not only led to unprecedented collaboration between phone phreaks, but also spread the notion of phreaking to others who took it upon themselves to study, experiment with, or exploit the telephone system. This was also at a time when the telephone company was a popular subject of discussion in the US, as the monopoly of AT&T Corporation was forced into divestiture. During this time, exploration of telephone networks diminished, and phreaking focused more on toll fraud. Computer hackers began to use phreaking methods to find the telephone numbers for modems belonging to businesses, which they could exploit later. Groups then formed around the BBS hacker/phreaking (H/P) community such as the famous Masters of Deception (Phiber Optik) and Legion of Doom (Erik Bloodaxe) groups. In 1985, an underground e-zine called Phrack (a combination of the words phreak and hack) began circulation among BBSes, and focused on hacking, phreaking, and other related technological subjects.[25]
In the early 1990s, groups like Masters of Deception and Legion of Doom were shut down by the US Secret Service's Operation Sundevil. Phreaking as a subculture saw a brief dispersion in fear of criminal prosecution in the 1990s, before the popularity of the internet initiated a reemergence of phreaking as a subculture in the US and spread phreaking to international levels.[citation needed]
The 1984 AT&T breakup gave rise to many small companies intent on competing in the long-distance market. These included the then-fledgling Sprint and MCI, both of whom had only recently entered the marketplace. At the time, there was no way to switch a phone line to have calls automatically carried by non-AT&T companies. Customers of these small long-distance operations would be required to dial a local access number, enter their calling card number, and finally enter the area code and phone number they wish to call. Because of the relatively lengthy process for customers to complete a call, the companies kept the calling card numbers short – usually 6 or 7 digits. This opened up a huge vulnerability to phone phreaks with a computer.
6-digit calling card numbers only offer 1 million combinations. 7-digit numbers offer just 10 million. If a company had 10,000 customers, a person attempting to "guess" a card number would have a good chance of doing so correctly once every 100 tries for a 6-digit card and once every 1000 tries for a 7-digit card. While this is almost easy enough for people to do manually, computers made the task far easier.[26][27] "Code hack" programs were developed for computers with modems. The modems would dial the long-distance access number, enter a random calling card number (of the proper number of digits), and attempt to complete a call to a computer bulletin board system (BBS). If the computer connected successfully to the BBS, it proved that it had found a working card number, and it saved that number to disk. If it did not connect to the BBS in a specified amount of time (usually 30 or 60 seconds), it would hang up and try a different code. Using this method, code hacking programs would turn up hundreds (or in some cases thousands) of working calling card numbers per day. These would subsequently be shared amongst fellow phreakers.
There was no way for these small phone companies to identify the culprits of these hacks. They had no access to local phone company records of calls into their access numbers, and even if they had access, obtaining such records would be prohibitively expensive and time-consuming. While there was some advancement in tracking down these code hackers in the early 1990s, the problem did not completely disappear until most long-distance companies were able to offer standard 1+ dialing without the use of an access number.
Another method of obtaining free phone calls involves the use of "diverters". Call forwarding was not an available feature for many business phone lines in the late 1980s and early 1990s, so they were forced to buy equipment that could do the job manually between two phone lines. When the business would close, they would program the call diverting equipment to answer all calls, pick up another phone line, call their answering service, and bridge the two lines together. This gave the appearance to the caller that they were directly forwarded to the company's answering service. The switching equipment would typically reset the line after the call had hung up and timed out back to dial tone, so the caller could simply wait after the answering service had disconnected, and would eventually get a usable dial tone from the second line. Phreakers recognized the opportunity this provided, and they would spend hours manually dialing businesses after hours, attempting to identify faulty diverters. Once a phreaker had access to one of these lines, they could use it for one of many purposes. In addition to completing phone calls anywhere in the world at the businesses' expense, they could also dial 1-900 phone sex/entertainment numbers, as well as use the line to harass their enemies without fear of being traced. Victimized small businesses were usually required to foot the bill for the long-distance calls, as it was their own private equipment (not phone company security flaws) that allowed such fraud to occur. By 1993, call forwarding was offered to nearly every business line subscriber, making these diverters obsolete. As a result, hackers stopped searching for the few remaining ones, and this method of toll fraud died. Many (different type) of diverters still exist and are actively "phreaked" in the United States as of 2020. It is rare to find a diverter solely used for Answering Service forwarding anymore, but the many other types such as phone-company test numbers and remote PBX DISAs are still used as diverters.[citation needed]
Before the BBS era of the 1980s phone phreaking was more of a solitary venture as it was difficult for phreaks to connect with one another.[citation needed] In addition to communicating over BBSs phone phreaks discover voice mail boxes and party lines as ways to network and keep in touch over the telephone. They usually appropriate unused boxes that are part of business or cellular phone systems. Once a vulnerable mailbox system is discovered, word would spread around the phreak community, and scores of them would take residence on the system. They use these systems as a "home base" for communication with one another until the rightful owners discover the intrusion and wipe them off. Voice mailboxes also provide a safe phone number for phreaks to give out to one another as home phone numbers and personal cellular numbers would allow the phreak's identity (and home address) to be discovered. This is especially important given that phone phreaks are breaking the law.
Phreakers also use "bridges" to communicate live with one another. The term "bridge" originally referred to a group of telephone company test lines that were bridged together giving the effect of a party-line. Eventually, all party-lines, whether bridges or not, came to be known as bridges if primarily populated by hackers and/or phreakers.
The popularity of the Internet in the mid-1990s, along with the better awareness of voice mail by business and cell phone owners, made the practice of stealing voice mailboxes less popular. To this day bridges are still very popular with phreakers yet, with the advent of VoIP, the use of telephone company-owned bridges has decreased slightly in favor of phreaker-owned conferences.
The end of multi-frequency (MF) phreaking in the lower 48 United States occurred on June 15, 2006, when the last exchange in the contiguous United States to use a "phreakable" MF-signalled trunk replaced the aging (yet still well kept) N2 carrier with a T1 carrier. This exchange, located in Wawina Township, Minnesota, was run by the Northern Telephone Company of Minnesota.[28]
Recent notable instances of phreaking involve hacking of VOIP systems. In 2011, the government of the Philippines and the FBI arrested four hackers for phone phreaking through PBX hacking.[29] In 2015, Pakistani officials arrested a prominent phreaker who had amassed more than $50 million from PBX hacking activities.[30]
Seamless Wikipedia browsing. On steroids.
Every time you click a link to Wikipedia, Wiktionary or Wikiquote in your browser's search results, it will show the modern Wikiwand interface.
Wikiwand extension is a five stars, simple, with minimum permission required to keep your browsing private, safe and transparent.