Phreaking

Phreaking is a slang term coined to describe the activity of a culture of people who study, experiment with, or explore telecommunication systems, such as equipment and systems connected to public telephone networks. The term phreak is a sensational spelling of the word freak with the ph- from phone, and may also refer to the use of various audio frequencies to manipulate a phone system. Phreak, phreaker, or phone phreak are names used for and by individuals who participate in phreaking.

The term first referred to groups who had reverse engineered the system of tones used to route long-distance calls. By re-creating these tones, phreaks could switch calls from the phone handset, allowing free calls to be made around the world. To ease the creation of these tones, electronic tone generators known as blue boxes became a staple of the phreaker community, including future Apple Inc. cofounders Steve Jobs and Steve Wozniak.

The blue box era came to an end with the ever-increasing use of computerized phone systems, which sent dialing information on a separate, inaccessible channel. By the 1980s, much of the system in the US and Western Europe had been converted. Phreaking has since become closely linked with computer hacking.[1] This is sometimes called the H/P culture (with H standing for hacking and P standing for phreaking).

History

Phone phreaking got its start in the late 1950s in the United States. Its golden age was the late 1960s and early 1970s. Phone phreaks spent a lot of time dialing around the telephone network to understand how the phone system worked, engaging in activities such as listening to the pattern of tones to figure out how calls were routed, reading obscure telephone company technical journals, learning how to impersonate operators and other telephone company personnel, digging through telephone company trash bins to find "secret" documents, sneaking into telephone company buildings at night and wiring up their own telephones, building electronic devices called blue boxes, black boxes, and red boxes to help them explore the network and make free phone calls, hanging out on early conference call circuits and "loop arounds" to communicate with one another and writing their own newsletters to spread information.

Before 1984, long-distance telephone calls were a premium item, with archaic regulations. In some locations, calling across the street counted as long distance.[2] Announcing that a phone call was long distance lent it an elevated importance that was universally accepted: because the calling party was paying by the minute to speak to the called party, business was to be transacted quickly.

Phreaking consisted of techniques to evade the long-distance charges. This evasion was illegal; the crime was called "toll fraud."[3]

In the UK the situation was rather different due to the difference in technology between the American and British systems, the main difference being the absence of tone dialling and signalling, particularly in the 1950s and 1960s.

Switch hook and tone dialer

Possibly one of the first phreaking methods was switch-hooking, which allows placing calls from a phone where the rotary dial or keypad has been disabled by a key lock or other means to prevent unauthorized calls from that phone. It is done by rapidly pressing and releasing the switch hook to open and close the subscriber circuit, simulating the pulses generated by the rotary dial. Even most current telephone exchanges support this method, as they need to be backward compatible with old subscriber hardware.[4]

By rapidly clicking the hook a variable number of times at roughly 5 to 10 clicks per second, separated by intervals of roughly one second, the caller can dial numbers as if they were using the rotary dial. The pulse counter in the exchange counts the pulses or clicks and interprets them in one of two possible ways. Depending on continent and country, one click with a following interval can be either "one" or "zero", and subsequent clicks before the interval are counted additively. This makes ten consecutive clicks either "zero" or "nine", respectively. Some exchanges allow using additional clicks for special controls, but numbers 0-9 now fall in one of these two standards. One special code, "flash", is a very short single click, possible but hard to simulate. Back in the day of the rotary dial, technically identical phone sets were very often marketed in multiple areas of the world, only with plugs matched by country and the dials bezeled with the local standard numbers.

Such key-locked telephones, if wired to a modern DTMF capable exchange, can also be exploited by a tone dialer that generates the DTMF tones used by modern keypad units. These signals are now very uniformly standardized worldwide, and along with rotary dialing, they are almost all that is left of in-band signaling. It is notable that the two methods can be combined: Even if the exchange does not support DTMF, the key lock can be circumvented by switch-hooking, and the tone dialer can be then used to operate automated DTMF controlled services that can't be used with rotary dial.

UK network

Because the UK network as run by the Post Office was reliant on Strowger switches, the techniques used in the UK were different. The exchanges worked on pulses received from each subscriber's phone, so tone signaling was of no use. The techniques primarily relied on the quirks of the exchange wiring, or facilities put in by the engineering staff. Some typical tricks used between the 1950s and 1970s included:

9-1-11. By dialing an exchange local to the caller's phone (preferably a call box phone), dialing 9-1-10 then at the right moment tapping the phone rest to add an extra pulse, this could give irregular STD (Subscriber Trunk Dialing) access.

Sometimes it was possible to find a nearby local exchange which when the caller dialed the local code, then added 0, he would get free STD access. For those in the know, it was possible to modify the Post Office phone (preferably the 700 series) by fitting a suitable diode and push button. This allowed one to receive a call but prevent the charging relay from operating, hence not charging the calling party. The drawbacks were that the caller only got 5 or 6 minutes before the system would drop the call thinking it had not been completed. It was also advisable to contact the recipient to ensure he was expecting the caller before making the call.

Some other techniques were deliberately put in by exchange staff, the most popular being the use of an unused number. When the number was dialed the "number unobtainable" tone would be returned, but after a minute or two it would clear and give STD access. Other techniques were used but the technicians involved always had to be wary of the Post Office Special Investigation Branch.

As the UK network phased out Strowger and moved over to System "X" these practices vanished.

2600 hertz

The origins of phone phreaking trace back at least to AT&T's implementation of fully automatic switches. These switches used tone dialing, a form of in-band signaling, and included some tones which were for internal telephone company use. One internal-use tone was a tone of 2600 Hz which caused a telephone switch to think the call had ended, leaving an open carrier line, which could be exploited to provide free long-distance, and international, calls. At that time, long-distance calls were quite expensive.[5]

The tone was discovered in approximately 1957,[5] by Joe Engressia, a blind seven-year-old boy. Engressia had perfect pitch, and discovered that whistling the fourth E above middle C (a frequency of 2600 Hz) would stop a dialed phone recording. Unaware of what he had done, Engressia called the phone company and asked why the recordings had stopped. Joe Engressia is considered to be the father of phreaking.[6]

Other early phreaks, such as "Bill from New York" (William "Bill" Acker 1953-2015), began to develop a rudimentary understanding of how phone networks worked. Bill discovered that a recorder he owned could also play the tone at 2600 Hz with the same effect. John Draper discovered through his friendship with Engressia that the free whistles given out in Cap'n Crunch cereal boxes also produced a 2600 Hz tone when blown (providing his nickname, "Captain Crunch"). This allowed control of phone systems that worked on single frequency (SF) controls. One could sound a long whistle to reset the line, followed by groups of whistles (a short tone for a "1", two for a "2", etc.) to dial numbers.[7]

Multi frequency

While single-frequency worked on certain phone routes, the most common signaling on the then long-distance network was multi-frequency (MF) controls. The slang term for these tones and their use was "Marty Freeman." The specific frequencies required were unknown to the general public until 1954, when the Bell System published the information in the Bell System Technical Journal in an article describing the methods and frequencies used for inter-office signalling. The journal was intended for the company's engineers; however, it found its way to various college campuses across the United States. With this one article, the Bell System accidentally gave away the "keys to the kingdom," and the intricacies of the phone system were at the disposal of people with a knowledge of electronics.[8]

The second generation of phreaks arose at this time, including the New Yorkers "Evan Doorbell", "Ben Decibel" and Neil R. Bell and Californians Mark Bernay, Chris Bernay, and "Alan from Canada". Each conducted their own independent exploration and experimentation of the telephone network, initially on an individual basis, and later within groups as they discovered each other in their travels. "Evan Doorbell," "Ben" and "Neil" formed a group of phreaks, known as Group Bell. Mark Bernay initiated a similar group named the Mark Bernay Society. Both Mark and Evan received fame amongst today's phone phreakers for Internet publication of their collection of telephone exploration recordings. These recordings, conducted in the 1960s, 1970s, and early 1980s are available at Mark's website Phone Trips.[9]

Blue boxes

In October 1971, phreaking was introduced to the masses when Esquire Magazine published a story called "Secrets of the Little Blue Box"[10][11][12][13] by Ron Rosenbaum. This article featured Engressia and John Draper prominently, synonymising their names with phreaking. The article also attracted the interest of other soon-to-be phreaks, such as Steve Wozniak and Steve Jobs, who went on to found Apple Computer.[14][15]

1971 also saw the beginnings of YIPL (Youth International Party Line), a publication started by Abbie Hoffman and Al Bell to provide information to Yippies on how to "beat the man," mostly involving telephones. In the first issue of YIPL, writers included a "shout-out" to all of the phreakers who provided technological information for the newsletter: "We at YIPL would like to offer thanks to all you phreaks out there."[16] At the end of the issue, YIPL stated:

YIPL believes that education alone cannot affect the System, but education can be an invaluable tool for those willing to use it. Specifically, YIPL will show you why something must be done immediately in regard, of course, to the improper control of the communication in this country by none other than bell telephone company.[16]

In 1973, Al Bell would move YIPL over and start TAP (Technological American Party).[17] TAP would develop into a major source for subversive technical information among phreaks and hackers all over the world. TAP ran from 1973 to 1984, with Al Bell handing over the magazine to "Tom Edison" in the late 70s. TAP ended publication in 1984 due mostly to a break-in and arson at Tom Edison's residence in 1983.[18] Cheshire Catalyst then took over running the magazine for its final (1984) year.

A controversially suppressed article "How to Build a 'Phone Phreaks' box" in Ramparts Magazine (June, 1972) touched off a firestorm of interest in phreaking. This article published simple schematic plans of a "black box" used to make free long-distance phone calls, and included a very short parts list that could be used to construct one. Bell sued Ramparts, forcing the magazine to pull all copies from shelves, but not before numerous copies were sold and many regular subscribers received them.

Computer hacking

In the 1980s, the revolution of the personal computer and the popularity of computer bulletin board systems (BBSes) (accessed via modem) created an influx of tech-savvy users. These BBSes became popular for computer hackers and others interested in the technology, and served as a medium for previously scattered independent phone phreaks to share their discoveries and experiments. This not only led to unprecedented collaboration between phone phreaks, but also spread the notion of phreaking to others who took it upon themselves to study, experiment with, or exploit the telephone system. This was also at a time when the telephone company was a popular subject of discussion in the US, as the monopoly of AT&T Corporation was forced into divestiture. During this time, exploration of telephone networks diminished, and phreaking focused more on toll fraud. Computer hackers began to use phreaking methods to find the telephone numbers for modems belonging to businesses, which they could exploit later. Groups then formed around the BBS hacker/phreaking (H/P) community such as the famous Masters of Deception (Phiber Optik) and Legion of Doom (Erik Bloodaxe) groups. In 1985, an underground e-zine called Phrack (a combination of the words Phreak and Hack) began circulation among BBSes, and focused on hacking, phreaking, and other related technological subjects.

In the early 1990s, H/P groups like Masters of Deception and Legion of Doom were shut down by the US Secret Service's Operation Sundevil. Phreaking as a subculture saw a brief dispersion in fear of criminal prosecution in the 1990s, before the popularity of the internet initiated a reemergence of phreaking as a subculture in the US and spread phreaking to international levels.

Around the turn of the 21st century, phreaks began to focus on exploring and playing with the network, and the concept of toll fraud became widely frowned on among serious phreakers, primarily under the influence of the website Phone Trips, put up by second generation phreaks Mark Bernay and Evan Doorbell.

Toll fraud

The 1984 AT&T breakup gave rise to many small companies intent upon competing in the long distance market. These included the then-fledgling Sprint and MCI, both of whom had only recently entered the marketplace. At the time, there was no way to switch a phone line to have calls automatically carried by non-AT&T companies. Customers of these small long distance operations would be required to dial a local access number, enter their calling card number, and finally enter the area code and phone number they wish to call. Because of the relatively lengthy process for customers to complete a call, the companies kept the calling card numbers short – usually 6 or 7 digits. This opened up a huge vulnerability to phone phreaks with a computer.

6-digit calling card numbers only offer 1 million combinations. 7-digit numbers offer just 10 million. If a company had 10,000 customers, a person attempting to "guess" a card number would have a good chance of doing so correctly once every 100 tries for a 6-digit card and once every 1000 tries for a 7-digit card. While this is almost easy enough for people to do manually, computers made the task far easier.[19][20] "Code hack" programs were developed for computers with modems. The modems would dial the long distance access number, enter a random calling card number (of the proper number of digits), and attempt to complete a call to a computer bulletin board system (BBS). If the computer connected successfully to the BBS, it proved that it had found a working card number, and it saved that number to disk. If it did not connect to the BBS in a specified amount of time (usually 30 or 60 seconds), it would hang up and try a different code. Using this method, code hacking programs would turn up hundreds (or in some cases thousands) of working calling card numbers per day. These would subsequently be shared amongst fellow phreakers.

There was no way for these small phone companies to identify the culprits of these hacks. They had no access to local phone company records of calls into their access numbers, and even if they had access, obtaining such records would be prohibitively expensive and time-consuming. While there was some advancement in tracking down these code hackers in the early 1990s, the problem did not completely disappear until most long distance companies were able to offer standard 1+ dialing without the use of an access number.
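The guessing arithmetic in this section, carried a step further to the question a card issuer has to answer: how long must a code be for a given customer base? This is an added example, not part of the original article; it assumes guesses are drawn at random with repetition, as the "code hack" programs are described as doing, and the attempt budget and risk ceiling are illustrative assumptions.

```python
import math

def hit_probability(valid_codes, digits):
    """Chance that one random guess of `digits` decimal digits is a live code."""
    return valid_codes / 10 ** digits

def expected_guesses(valid_codes, digits):
    """Mean number of random guesses until the first live code (geometric)."""
    return 1.0 / hit_probability(valid_codes, digits)

def p_any_hit(valid_codes, digits, attempts):
    """Probability that at least one of `attempts` random guesses succeeds.

    Computed as 1 - (1 - p)^attempts using log1p/expm1 so that very small
    p values do not lose precision.
    """
    p = hit_probability(valid_codes, digits)
    return -math.expm1(attempts * math.log1p(-p))

def min_digits(valid_codes, attempts, max_risk):
    """Shortest code length that keeps p_any_hit at or below `max_risk`.

    `attempts` is the number of guesses the issuer assumes it cannot stop
    (an assumption of this example, e.g. before any throttling takes effect).
    """
    digits = 1
    while 10 ** digits <= valid_codes:      # need more codes than customers
        digits += 1
    while p_any_hit(valid_codes, digits, attempts) > max_risk:
        digits += 1
    return digits

if __name__ == "__main__":
    customers = 10_000                      # figure used in the article
    for d in (6, 7):
        print(f"{d} digits: 1 hit per {expected_guesses(customers, d):.0f} guesses, "
              f"P(hit within 100 guesses) = {p_any_hit(customers, d, 100):.3f}")
    # Illustrative policy: 1,000 unthrottled guesses, at most 1% chance of a hit.
    print("digits needed:", min_digits(customers, attempts=1000, max_risk=0.01))
```
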

Diverters

Another method of obtaining free phone calls involved the use of so-called "diverters". Call forwarding was not an available feature for many business phone lines in the 1980s and early 1990s, so they were forced to buy equipment that could do the job manually between two phone lines. When the business would close, they would program the call diverting equipment to answer all calls, pick up another phone line, call their answering service, and bridge the two lines together. This gave the appearance to the caller that they were directly forwarded to the company's answering service. The switching equipment would typically reset the line after the call had hung up and timed out back to dial tone, so the caller could simply wait after the answering service had disconnected, and would eventually get a usable dial tone from the second line. Phreakers recognized the opportunity this provided, and they would spend hours manually dialing businesses after hours, attempting to identify faulty diverters. Once a phreaker had access to one of these lines, he could use it for one of many purposes. In addition to completing phone calls anywhere in the world at the businesses' expense, they could also dial 1-900 phone sex/entertainment numbers, as well as use the phone line to harass their enemies without fear of being traced. Victimized small businesses were usually required to foot the bill for the long distance calls, as it was their own private equipment (not phone company security flaws) that allowed such fraud to occur. By 1993, call forwarding was offered to nearly every business line subscriber, making these diverters obsolete. As a result, hackers stopped searching for the few remaining ones, and this method of toll fraud died.

Voice mail boxes and bridges

Before the BBS era of the 1980s, phone phreaking was more of a solitary venture, as it was difficult for phreaks to connect with one another. In addition to communicating over BBSes, phone phreaks discovered voice mail boxes and party lines as ways to network and keep in touch over the telephone. It was rare for a phone phreak to legally purchase access to voice mail. Instead, they would usually appropriate unused boxes that were part of business or cellular phone systems. Once a vulnerable mailbox system was discovered, word would spread around the phreak community, and scores of them would take residence on the system. They would use the system as a "home base" for communication with one another until the rightful owners would discover the intrusion and wipe them off. Voice mailboxes also provided a safe phone number for phreaks to give out to one another, as home phone numbers would allow the phreak's identity (and home address) to be discovered. This was especially important given that phone phreaks were breaking the law.

Phreakers also used "bridges" to communicate live with one another. The term "bridge" originally referred to a group of telephone company test lines that were bridged together giving the effect of a party-line. Eventually, all party-lines, whether bridges or not, came to be known as bridges if primarily populated by hackers and/or phreakers.

The popularity of the Internet in the mid-1990s, along with the better awareness of voice mail by business and cell phone owners, made the practice of stealing voice mailboxes less popular. To this day bridges are still very popular with phreakers yet, with the advent of VoIP, the use of telephone company owned bridges has decreased slightly in favor of phreaker-owned conferences.

Cell phones

By the late 1990s, the fraudulent aspect of phreaking all but vanished. Most cellular phones offered unlimited domestic long distance calling for the price of standard airtime (often totally unlimited on weekends), and flat-rate long-distance plans appeared offering unlimited home phone long distance for as little as $25 per month. Rates for international calls had also decreased significantly. Between the much higher risk of being caught (due to advances in technology) and the much lower gain of making free phone calls, toll fraud started to become a concept associated very little with phreaking.

End of multi-frequency

The end of multi-frequency (MF) phreaking in the lower 48 United States occurred on June 15, 2006, when the last exchange in the contiguous United States to use a "phreakable" MF-signalled trunk replaced the aging (yet still well kept) N2 carrier with a T1 carrier. This exchange, located in Wawina Township, Minnesota, was run by the Northern Telephone Company of Minnesota.

2600 Hz

In the original analog networks, short-distance telephone calls were completed by sending relatively high-power electrical signals through the wires to the end office, which then switched the call. This technique could not be used for long-distance connections, because the signals would be filtered out due to capacitance in the wires. Long-distance switching remained a manual operation years after short-distance calls were automated, requiring operators at either end of the line to set up the connections.

Bell automated this process by sending "in-band" signals. Since the one thing the long-distance trunks were definitely able to do was send voice-frequency signals, the Bell System used a selection of tones sent over the trunks to control the system. When calling long-distance, the local end-office switch would first route the call to a special switch which would then convert further dialing into tones and send them over an appropriately selected trunk line (selected with the area code). A similar machine at the far end of the trunk would decode the tones back into electrical signals, and the call would complete as normal.

In addition to dialing instructions, the system also included a number of other tones that represented various commands or status. 2600 Hz, the key to early phreaking, was the frequency of the tone sent by the long-distance switch indicating that the user had gone on-hook (hung up the phone). This normally resulted in the remote switch also going on-hook, freeing the trunk for other uses. In order to make free lines easy to find, the 2600 Hz tone was continually played into free trunks. If the tone was sent manually by the local user into the phone line, it would trigger the remote switch to go on-hook, but critically, the local switch knew the user was still off-hook because that was signaled electrically, not by the tone (which the local switch ignored). The system was now in an inconsistent state, leaving the local user connected to an operational long-distance trunk line. With further experimentation, the phreaks learned the rest of the signals needed to dial on the remote switch.

Normally, long-distance calls were billed locally. Since the "trick" required a long distance call to be placed in order to connect to the remote switch, it would be billed as usual. However, there were some types of calls that had either no billing, like calls to directory service, or for which the billing was reversed or billed to another number, like WATS lines (area code 800 numbers). By dialing one of these "toll-free" numbers, the caller was connected to a remote switch as normal, but no billing record was made locally. The caller would then play the 2600 Hz tone into the line to return the remote switch to on-hook, and then use a blue box to dial the number to which they really wanted to connect. The local Bell office would have no record of the call.

As knowledge of phreaking spread, a minor culture emerged from the increasing number of phone phreaks. Sympathetic (or easily social-engineered) telephone company employees were persuaded to reveal the various routing codes to use international satellites and trunk lines. At the time it was felt that there was nothing Bell could do to stop this. Their entire network was based on this system, so changing the system in order to stop the phreakers would require a massive infrastructure upgrade.

In fact, Bell responded fairly quickly, but in a more targeted fashion. By looking through local records for inordinately long calls to directory service, or for other hints that phreakers were using a particular switch, the company could then install filters to block efforts at that end office. Many phreakers were forced to use pay telephones as the telephone company technicians regularly tracked long-distance toll-free calls in an elaborate cat-and-mouse game. AT&T instead turned to the law for help, and a number of phreaks were caught by the government.
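One way a monitoring point on the voice path could recognise the sustained 2600 Hz supervision tone described above, as an added example that is not part of the original article and not Bell's actual filter design. It assumes 8 kHz sampled audio, 20 ms frames, and a "guard" ratio so that ordinary speech containing a little 2600 Hz energy is not flagged; the sample audio is constructed inline.

```python
import math

FS = 8000        # samples per second (assumed telephony sampling rate)
FRAME = 160      # 20 ms frame: 2600 Hz completes exactly 52 cycles in it
SF_HZ = 2600.0   # single-frequency supervision tone named in the article

def goertzel_power(frame, freq, fs=FS):
    """Squared magnitude of the one DFT bin at `freq` (Goertzel recurrence)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / fs)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def tone_fraction(frame, freq=SF_HZ):
    """Share of the frame's energy that sits at `freq`: about 1.0 for a pure
    tone, near 0.0 for speech or silence."""
    energy = sum(x * x for x in frame)
    if energy < 1e-9:                       # silent frame: nothing to measure
        return 0.0
    return 2.0 * goertzel_power(frame, freq) / (len(frame) * energy)

def detect_sf_tone(samples, min_ms=60, guard=0.8):
    """Return (start_ms, end_ms) spans where 2600 Hz dominates the audio for
    at least `min_ms`. `guard` is the minimum energy share at 2600 Hz."""
    frame_ms = 1000 * FRAME // FS
    n_frames = len(samples) // FRAME
    spans, start = [], None
    for i in range(n_frames + 1):           # one extra pass closes an open run
        active = (i < n_frames and
                  tone_fraction(samples[i * FRAME:(i + 1) * FRAME]) >= guard)
        if active and start is None:
            start = i
        elif not active and start is not None:
            if (i - start) * frame_ms >= min_ms:
                spans.append((start * frame_ms, i * frame_ms))
            start = None
    return spans

def synth(components, ms):
    """Constructed test audio: sum of (frequency_hz, amplitude) sine waves."""
    n = FS * ms // 1000
    return [sum(a * math.sin(2.0 * math.pi * f * t / FS) for f, a in components)
            for t in range(n)]

def constructed_call():
    """Constructed sample: talk, a 300 ms 2600 Hz burst, silence, then talk
    that merely contains a weak 2600 Hz component."""
    talk = [(440.0, 0.5), (1000.0, 0.5)]
    return (synth(talk, 200) + synth([(SF_HZ, 0.8)], 300) +
            synth([], 100) + synth(talk + [(SF_HZ, 0.2)], 200))

if __name__ == "__main__":
    for start, end in detect_sf_tone(constructed_call()):
        print(f"2600 Hz dominant from {start} ms to {end} ms")
```
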

Eventually, the phone companies in North America did, in fact, replace all their hardware. They didn't do it to stop the phreaks, but simply as a matter of course while moving to fully digital switching systems. Unlike the crossbar switch, where the switching signals and voice were carried on the same lines, the new systems used separate signaling lines which phreaks could not access. This system is known as Common Channel Interoffice Signaling. Classic phreaking with the 2600 Hz tone continued to work in more remote locations into the 1980s, but was of little use in North America by the 1990s.

The last 2600 Hz-controlled trunk in the contiguous United States was operated by the independent Northern Telephone Company with an N2 Carrier system serving Wawina, Minnesota until June 15, 2006, when it was replaced by T1 carrier.[21] The last 2600 Hz-controlled trunks in North America were located in Livengood, Alaska, survived another 5 years, and were finally retired in March 2011.[22]

References

  1. Sterling, Bruce (2002) [1993]. The Hacker Crackdown. McLean, Virginia: IndyPublish.com. ISBN 1-4043-0641-2.
  2. Stott, Kim (22 July 1983). "Hung Up Glenpool Has Long-Distance Woes In Making Calls Across the Street". NewsOK. Retrieved 26 May 2013.
  3. "Notice to our customers regarding Toll Fraud" (PDF). BizFon. Retrieved 2014-07-25.
  4. SoftCab. "Phone Call Recorder". Modemspy.com. Retrieved 2014-07-24.
  5. Robson, Gary D. (April 2004). "The Origins of Phreaking (link outdated)". Blacklisted! 411.
  6. DELON (February 27, 2008). "COMPLETE HISTORY OF HACKING". Hacking | LEMNISCATE. Retrieved 2014-12-25.
  7. Lapsley, Phil (2013-11-02). Exploding the Phone: The Untold Story of the Teenagers and Outlaws who Hacked Ma Bell. New York: Grove/Atlantic, Incorporated. ISBN 080212061X.
  8. Bell System Technical Journal. 43 (5). September 1964. https://web.archive.org/web/20120314023659/http://www.alcatel-lucent.com/bstj/vol43-1964/bstj-vol43-issue05.html. Archived from the original on March 14, 2012. Retrieved 24 June 2011.
  9. "Phone Trips". Retrieved 2008-06-21.
  10. Rosenbaum, Ron (2011-10-07). "The article that inspired Steve Jobs: "Secrets of the Little Blue Box"". Slate.com. Archived from the original on 2011-11-03. Retrieved 2013-11-30.
  11. "Secrets of the Little Blue Box". Retrieved 2010-09-04.
  12. "Steve Jobs and Me: He said my 1971 article inspired him. His iBook obsessed me.". Retrieved 2011-10-12.
  13. ""Secrets of the Little Blue Box": The 1971 article about phone hacking that inspired Steve Jobs.". Archived from the original on 2011-11-03. Retrieved 2011-10-12.
  14. "Welcome to Woz.org". Retrieved 2008-06-21.
  15. Lapsley, Phil (20 February 2013). "The Definitive Story of Steve Wozniak, Steve Jobs, and Phone Phreaking". theatlantic.com: The Atlantic. Archived from the original on 23 February 2013. Retrieved 24 September 2015.
  16. Coleman, Gabriella. Phreaks, Hackers, and Trolls. p. 104.
  17. "Youth International Party Line (YIPL) / Technological American Party (TAP), New York FBI files 100-NY-179649 and 117-NY-2905 (3.2 Mbytes)." (PDF). Retrieved 2013-11-30.
  18. "Cheshire's Book - TAP.HTML". Retrieved 2008-06-21.
  19. "W32.Bugbear.B Worm Identified As Targeting Banks | Scoop News". Scoop.co.nz. 2003-06-09. Retrieved 2014-07-24.
  20. Angela Moscaritolo (2011-03-18). "AT&T sues two over scheme to steal customer data". SC Magazine. Retrieved 2014-07-24.
  21. "Telephone World - Sounds & Recordings from Wawina, MN". Phworld.org. Retrieved 2013-11-30.
  22. "The death of Livengood - Old Skool Phreaking - Binary Revolution Forums". Binrev.com. Retrieved 2013-11-30.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.