Phreaking
From Wikipedia, the free encyclopedia
Phreaking is a slang term coined to describe the activity of a subculture of people who study, experiment with, or explore telephone systems, the equipment of telephone companies, and systems connected to public telephone networks. The term "phreak" is a portmanteau of the words "phone" and "freak." It may also refer to the use of various audio frequencies to manipulate a phone system[verification needed]. "Phreak", "phreaker", or "phone phreak" are names used for and by individuals who participate in phreaking. Additionally, it is often associated with computer hacking. This is sometimes called the H/P culture (with H standing for Hacking and P standing for Phreaking).
Contents |
[edit] History of phreaking
The precise origins of phone phreaking are unknown, although it is believed that phreak-like experimentation began with widespread deployment of automatically switched telephone networks. Modern day phreaking is more likely to be traced to the United States in the mid-to-late 1950s when AT&T began introducing fully automatic direct-dial long distance and certain forms of trunking carriers which used in-band signalling[citation needed]. At this time, phone system experimentation began, similar to the way modern-day hackers use the Internet.
In approximately 1957, a blind eight-year old named Joe Engressia, skilled with perfect pitch, discovered that whistling the fourth E above middle C (a frequency of 2600 Hz) would stop a dialed phone recording. Engressia, alias "Joybubbles", taught himself to whistle a tone (2600 Hz) that would cause a trunk to reset itself. What the eight-year-old didn't realise at first was that the 2600 Hz frequency was an internal telephone company signal to take control of a trunk line, which opened up almost limitless possibilities for routing calls without charges. Unaware of what he had done, Engressia called the phone company and asked why the recordings had stopped. This was the beginning of his love of exploring the telephone system. [1]
Other early phreaks, such as "Bill from New York", began to develop a rudimentary understanding of how phone networks worked. "Bill" discovered that a recorder he owned could also play a tone at 2.6 kHz with the same effect. John Draper discovered through his friendship with "Joybubbles" that the free whistles given out in Cap'n Crunch cereal boxes also produced a 2600 Hz tone when blown (providing his nickname, "Captain Crunch"). This allowed control of phone systems that worked on SF, or Single Frequency, controls. One could sound a long whistle to reset the line, followed by groups of whistles (a short tone for a "1", two for a "2", etc.) to dial numbers. This process later led to MFing.
While SF worked on certain phone routes, the most common signalling on the then long distance network was MF, or Multi-Frequency Controls. The specific frequencies required were unknown until 1964, when Bell Systems published the information in the Bell System Technical Journal in an article describing the methods and frequencies used for inter-office signalling. The journal was intended for the company's engineers; however, it found its way to various college campuses across the United States. With this one article, the Bell System accidentally gave away the 'keys to the kingdom', and the intricacies of the phone system were at the disposal of anyone with a cursory knowledge of electronics.[citation needed]
The second generation of phreaks arose at this time, including the New Yorkers "Evan Doorbell", "Ben Decibel" and Neil R. Bell and Californians Mark Bernay, Al Bernay, Chris Bernay, and "Alan from Canada". Each conducted their own independent exploration and experimentation of the telephone network, initially on an individual basis, and later within groups as they discovered each other in their travels. "Evan Doorbell", "Ben" and "Neil" formed a group of phreaks known as Group Bell. Mark Bernay initiated a similar group named the Mark Bernay Society. Both Mark and Evan received fame amongst today's phone phreakers for Internet publication of their collection of telephone exploration recordings. These recordings, conducted in the 60s, 70s, and early 80s are available at Mark's website Phone Trips. [2]
In October 1971, phreaking was introduced to the masses when Esquire Magazine published a story called "Secrets of the Little Blue Box" [3] by Ron Rosenbaum. This article featured Joybubbles and John Draper prominently, synonymising their names with phreaking. The article also attracted the interest of other soon-to-be phreaks, such as Steve Wozniak and Steve Jobs who went on to found Apple Computer. [4]
In the 1980s, the revolution of the personal computer and the popularity of computer bulletin board systems (accessed via modem) created an influx of tech-savvy users. These BBSes became popular for computer hackers and others interested in the technology, and served as a medium for previously scattered independent phone phreaks to share their discoveries and experiments. This not only led to unprecedented collaboration between phone phreaks, but also spread the notion of phreaking to others who took it upon themselves to study, experiment with, or exploit the telephone system. This was also at a time when the telephone company was a popular subject of discussion in the US, as the monopoly AT&T was forced into divestiture. During this time, phreaking lost its label for being the exploration of the telephone network, and began to focus more on toll fraud. Computer hackers began to use phreaking methods to find the telephone numbers for modems belonging to businesses, which they could later exploit. Groups then formed around the BBS hacker/phreaking (H/P) community such as the famous Masters of Deception (Phiber Optik) and Legion of Doom (Erik Bloodaxe) groups. In 1985 an underground e-zine called Phrack (a combination of the words Phreak and Hack) began circulation among BBSes, and focused on hacking, phreaking, and other related technological subjects.
In the early 1990s H/P groups like Masters of Deception and Legion of Doom were shut down by the US Secret Service's Operation Sundevil. Phreaking as a subculture saw a brief dispersion in fear of criminal prosecution in the 1990s, before the popularity of the internet initiated a reemergence of phreaking as a subculture in the US and spread phreaking to international levels.
Into the turn of the 21st century, phreaks began to focus on the exploration and playing with the network, and the concept of toll fraud became widely frowned on among serious phreakers, primarily under the influence of the website Phone Trips, put up by second generation phreaks Mark Bernay and Evan Doorbell.
[edit] 2600 Hz
2600 Hz, the key to early phreaking, was the frequency of the SF supervisory tone sent by the phone to the long-distance switch, indicating that the user has gone on-hook. Although to the long-distance hardware the call was disconnected, the user was still physically connected to their local crossbar switch as the line voltage had not dropped. This left the system in an inconsistent state; the dialer was still connected to a long-distance trunk line and switch at a remote switching center which was perfectly willing to complete or further route calls.
A number of people in the 1960s discovered a loophole that resulted from this combination of features. The trick was to call a toll free number or long-distance directory number and then play the 2600 Hz tone into the line before the call was answered on the other side of the line. By then dialing the number they actually wanted on a blue box, the remote crossbar happily connected them for free. However, when connected to the diverted call, the local central office would be alerted, whereby technicians would search for inordinately long directory calls or excessive dialing to particular toll free numbers. Many phreakers were forced to use pay telephones as the telephone company technicians regularly tracked long-distance toll free calls in an elaborate cat-and-mouse game.
As knowledge of phreaking spread, a minor culture emerged from the increasing number of phone phreaks. Sympathetic (or easily social-engineered) telephone company employees began to provide the various routing codes to use international satellites and trunk lines. The phone companies quickly caught on to the scheme and slowly deployed a number of systems to defeat it, however the phreaks felt that a true solution would be impossible as it would require adding hardware (a filter) to every line on every crossbar in the world. Unless the phone company replaced all their hardware, phreaking would be impossible to stop. AT&T instead turned to the law for help, and a number of phreaks were caught by "The Man".
Eventually, the phone companies in North America did, in fact, replace all their hardware. They didn't do it to stop the phreaks, but simply as a matter of course whilst moving to fully digital switching systems. Unlike the crossbar, where the switching signals were carried on the same lines, the new systems used separate lines for signalling that the phreaks couldn't get to. This system is known as Common Channel Interoffice Signaling.
[edit] Toll fraud era
The 1984 AT&T breakup gave rise to many small companies intent upon competing in the long distance market. These included the then-fledgling Sprint and MCI, both of whom had only recently entered the marketplace. At the time, there was no way to switch a phone line to have calls automatically carried by non-AT&T companies. Customers of these small long distance operations would be required to dial a local access number, enter their calling card number, and finally enter the area code and phone number they wish to call. Because of the relatively lengthy process for customers to complete a call, the companies kept the calling card numbers short -- usually 6 or 7 digits. This opened up a huge vulnerability to phone phreaks with a computer.
6-digit calling card numbers only offer 1 million different combinations. 7-digit numbers offer just 10 million. If a company had 10,000 customers, a person attempting to "guess" a card number would do so correctly once every 100 tries for a 6-digit card and once every 1000 tries for a 7-digit card. While this is almost easy enough for people to do manually, computers made the task far easier. "Code hack" programs were developed for computers with modems. The modems would dial the long distance access number, enter a random calling card number (of the proper number of digits), and attempt to complete a call to a computer bulletin board system (BBS). If the computer connected successfully to the BBS, it proved that it had found a working card number, and it saved that number to disk. If it did not connect to the BBS in a specified amount of time (usually 30 or 60 seconds), it would hang up and try a different code. Utilizing this methodology, code hacking programs would turn up hundreds (or in some case thousands) of working calling card numbers per day. These would subsequently be shared amongst fellow phreakers.
Worse yet, there was no way for these small phone companies to identify the culprits of these brute-force hacks. They had no access to local phone company records of calls into their access numbers, and even if they had access, obtaining such records would be prohibitively expensive and time-consuming. While there was some advancement in tracking down these code hackers in the early 1990s, the problem did not completely disappear until most long distance companies were able to offer standard 1+ dialing without the use of an access number.
Another method of obtaining free phone calls involved the use of so-called "diverters". Call forwarding was not an available feature for many business phone lines in the 1980s and early 1990s, so they were forced to buy equipment that could do the job manually between two phone lines. When the business would close, they would program the call diverting equipment to answer all calls, pick up another phone line, call their answering service, and bridge the two lines together. This gave the appearance to the caller that they were directly forwarded to the company's answering service. Unfortunately, the switching equipment would typically reset the line after the call had hung up and timed out back to dialtone, so the caller could simply wait after the answering service had disconnected, and would eventually get a usable dial tone from the second line. Phreakers recognized the opportunity this provided, and they would spend hours manually dialing businesses after hours, attempting to identify faulty diverters. Once a phreaker had access to one of these lines, he could use it for one of many purposes. In addition to completing phone calls anywhere in the world at the business' expense, they could also dial 1-900 phone sex/entertainment numbers, as well as use the phone line to harass their enemies without fear of being traced. Victimized small businesses were usually required to foot the bill for the long distance calls, as it was their own private equipment (not phone company security flaws) that allowed such fraud to occur. By 1993, call forwarding was offered to nearly every business line subscriber, making these diverters obsolete. As a result, hackers stopped searching for the few remaining ones, and this method of phreaking died.
By the late 1990s, the toll fraud side of phreaking all but vanished. Most cellular phones offered unlimited domestic long distance calling for the price of standard airtime (often totally unlimited on weekends), and flat-rate long-distance plans appeared offering unlimited home phone long distance for as little as $25. International calling could be made very cheaply, as well. Between the much higher risk of being caught (due to advances in technology) and the much lower gain of making free phone calls, toll fraud as a form of phreaking became a dead art.
[edit] Voice mail boxes and bridges
Prior to the BBS era of the 1980s, phone phreaking was more of a solitary venture, as it was difficult for phreaks to connect with one another. In addition to communicating over BBSs, phone phreaks discovered voice mail boxes and party lines as ways to network and keep in touch over the telephone. It was rare for a phone phreak to legally purchase access to voice mail. Instead, they usually would appropriate unused boxes that were part of business or cellular phone systems. Once a vulnerable mailbox system was discovered, word would spread around the phreak community, and scores of them would take residence on the system. They would use the system as a "home base" for communication with one another, until the rightful owners would discover the intrusion and wipe them off. Voice mailboxes also provided a safe phone number for phreakers to give out to one another, as home phone numbers would allow the phreaker's identity (and home address) to be discovered. This was especially important, given that phone phreakers were by definition breaking the law.
Phreakers also used "bridges" to communicate live with one another. The term "bridge" originally referred to a group of telephone company test lines that were bridged together, giving the effect of a party-line. Eventually all party-lines, whether bridges or not, came to be known as bridges if primarily populated by hackers and/or phreakers.
The popularity of the internet in the mid-1990s, along with the better awareness of voice mail by business and cell phone owners, made the practice of stealing voice mailboxes less popular. To this day, bridges are still very popular with phreakers, yet with the advent of VoIP, the use of telephone company owned bridges has decreased slightly in favor of phreaker-owned conferences.
[edit] The end of MF
The end of MF phreaking in the lower 48 United States occurred on June 15, 2006, when the last exchange in the continental United States to use a "phreakable" MF-signalled trunk replaced the aging (yet still well kept) N2 carrier with a T1 carrier. This exchange, located in Wawina Township, Minnesota, was run by the Northern Telephone Company of Minnesota. Many phone phreaks from across North America and the world made calls into what was the last group of MF-able inward trunks in the continental United States. A message board was set up for Paul Revere on +1 (218) 488-1307, for phone phreaks across the world to "say their goodbyes" to MF signalling and the N2 in Wawina.
During the days prior to the cutover, many famous phone phreaks such as Mark Bernay, Joybubbles, Bob Bernay, and Captain Crunch could be heard leaving their comments on the message board. The official date for the cutover from N2 to T-carrier was Wednesday, June 14. As early as June 7, there was a noticeable static on what had previously been clear lines. By Monday, June 12, many numbers were unreachable, and the static had peaked. The recording on +1 (218) 488-1307 was generally inaccessible, and MFing through the switch was becoming increasingly more difficult due to the increased static. On June 15th, around 1:40am, Eastern Daylight Time, any new incoming calls were unreachable[citation needed].
[edit] Famous phone phreaks
- John Draper (Captain Crunch)
- Mark Abene (Phiber Optik)
- Mark Bernay
- Evan Doorbell
- Joybubbles (Joe Engressia, The Whistler)
- Patrick Kroupa (Lord Digital)
- Kevin Mitnick (Condor)
- Kevin Poulsen (Dark Dante)
- Steve Wozniak (The Woz)
- Boris Floricic (Tron)
- William Quinn (decoder)
- Lucky225 (Jered Morgan)
- Strom Carlson
- Steve Jobs
- Crazy Bart (Real name is unknown.)
[edit] See also
- Hacking
- Cracking
- Phrack
- 2600: The Hacker Quarterly
- Phone Losers of America
- In-Band Signalling
- Social engineering (security)
[edit] External links
- www.ozphreak.com ~ Offers a meeting site for Australian & International Hackers & Phreakers to gather and share ideas...
- www.ausphreak.com ~ ozphreak mirror page * used if main page is busy or down *...
- Home made phreaking projects
- Phreaks and Geeks
- Secrets of the Little Blue Box - article with photos
- Old Skool Phreak
- Nettwerked Dot Net
- West Coast Phreakers
- Phone Losers of America
- Binary Revolution Forums: Phreaking Forum
- Daily Phreak: Daily Telecom, Asterisk, and Phreaking Updates
- Telephone World - Sounds & Recordings of Wawina, Minnesota
- Fun with Dick and Jane - an Interview with a Phone Phreak that appeared in the 1978 Bell Telephone Magazine about telephone fraud and Phone Phreaks
- Telephone Tribute: Phone Phreaking
- John T. Draper's Website
- Phreaker voice mailbox audio recordings from 1990