Phreaking is a slang term coined to describe the activity of a culture of people who study, experiment with, or explore telecommunication systems, such as equipment and systems connected to public telephone networks. [1] The term phreak is a sensational spelling of the word freak with the ph- from phone, and may also refer to the use of various audio frequencies to manipulate a phone system. Phreak, phreaker, or phone phreak are names used for and by individuals who participate in phreaking.
The term first referred to groups who had reverse engineered the system of tones used to route long-distance calls. By re-creating the signaling tones, phreaks could switch calls from the phone handset while avoiding long-distance calling charges which were common then. These fees could be significant, depending on the time, duration and destination of the call. To ease the creation of the routing tones, electronic tone generators known as blue boxes became a staple of the phreaker community. This community included future Apple Inc. co-founders Steve Jobs and Steve Wozniak.
The blue box era came to an end with the ever-increasing use of digital telephone networks which allowed telecommunication companies to discontinue the use of in-band signaling for call routing purposes. Instead, telecom companies began employing common-channel signaling (CCS), through which dialing information was sent on a separate channel that was inaccessible to the telecom customer. By the 1980s, most of the public switched telephone network (PSTN) in the US and Western Europe had adopted the SS7 system which uses out-of-band signaling for call control (and which is still in use to this day), therefore rendering blue boxes obsolete. Phreaking has since become closely linked with computer hacking. [2]
Phreaking began in the 1960s when it was discovered that certain whistles could replicate the 2600 Hz pitch used in phone signalling systems in the United States. [3] Phone phreaks experimented with dialing around the telephone network to understand how the phone system worked, engaging in activities such as listening to the pattern of tones to figure out how calls were routed, reading obscure telephone company technical journals (often obtained through dumpster diving), [3] social engineering, building electronic devices called blue boxes, black boxes, and red boxes to help them explore the network and make free phone calls, hanging out on early conference call circuits and "loop arounds" to communicate with one another and writing their own newsletters to spread information. Phreaking was especially prevalent in universities, [3] where it began spreading much like computer hacking would in the following decades.
Before 1984, long-distance telephone calls were a premium item in the United States, with strict regulations. In some locations, calling across the street counted as long distance. [4] To report that a phone call was long-distance meant an elevated importance because the calling party is paying by the minute to speak to the called party.
Some phreaking consists of techniques to evade long-distance charges, which is criminalized as "toll fraud". [5] In 1990, the pager cloning technique arose and was used by law enforcement. [6]
In the UK the situation was rather different due to the difference in technology between the American and British systems, the main difference being the absence of tone dialing and signaling, particularly in the 1950s and 1960s.
The tone system in the United States has been almost entirely replaced, but in some countries, in addition to new systems, the tone system is still available, for example in Italy.
Possibly one of the first phreaking methods was switch-hooking, which allows placing calls from a phone where the rotary dial or keypad has been disabled by a key lock or other means to prevent unauthorized calls from that phone. It is done by rapidly pressing and releasing the switch hook to open and close the subscriber circuit, simulating the pulses generated by the rotary dial. Even most current telephone exchanges support this method, as they need to be backward compatible with old subscriber hardware. [7]
By rapidly clicking the hook a variable number of times at roughly 5 to 10 clicks per second, separated by intervals of roughly one second, the caller can dial numbers as if they were using the rotary dial. The pulse counter in the exchange counts the pulses or clicks and interprets them in one of two possible ways. Depending on continent and country, one click with a following interval can be either "one" or "zero", and subsequent clicks before the interval are additively counted. Ten consecutive clicks are therefore read as either "zero" or "nine", respectively. Some exchanges allow using additional clicks for special controls, but numbers 0-9 now fall in one of these two standards. One special code, "flash", is a very short single click, possible but hard to simulate. In the era of the rotary dial, technically identical phone sets were marketed in multiple areas of the world, only with plugs matched by country and the dials bezeled with the local standard numbers.
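The pulse counting described above, seen from the exchange side, as an added example that is not part of the original article. The 0.5-second gap threshold and all function names are assumptions chosen to sit between the click rate and the inter-digit interval given in the text, and the sample pulse train is constructed.

```python
# Added example: exchange-side pulse counting (not code from the article).
# Timing assumptions follow the text: 5-10 clicks per second inside a digit,
# roughly one second between digits.
INTER_DIGIT_GAP = 0.5  # seconds; hypothetical threshold between the two ranges


def group_pulses(click_times, gap=INTER_DIGIT_GAP):
    """Turn loop-break timestamps (seconds) into per-digit pulse counts."""
    counts = []
    previous = None
    for t in sorted(click_times):
        if previous is None or t - previous > gap:
            counts.append(1)   # long silence: a new digit starts
        else:
            counts[-1] += 1    # short gap: same digit, one more pulse
        previous = t
    return counts


def decode(click_times, one_click_means="one"):
    """Decode a pulse train under either convention described in the text.

    one_click_means="one":  1 click = 1 ... 10 clicks = 0
    one_click_means="zero": 1 click = 0 ... 10 clicks = 9
    """
    if one_click_means not in ("one", "zero"):
        raise ValueError("one_click_means must be 'one' or 'zero'")
    digits = []
    for n in group_pulses(click_times):
        if not 1 <= n <= 10:
            raise ValueError(f"{n} pulses is not a digit in either convention")
        digits.append(n % 10 if one_click_means == "one" else n - 1)
    return "".join(str(d) for d in digits)


def make_train(counts, rate=8.0, pause=1.0):
    """Build a constructed sample: `counts` pulses per digit at `rate` per second."""
    times, t = [], 0.0
    for n in counts:
        for _ in range(n):
            times.append(t)
            t += 1.0 / rate
        t += pause
    return times


if __name__ == "__main__":
    train = make_train([3, 10, 1])   # constructed input, not a capture
    print(decode(train, "one"))      # same clicks, first convention
    print(decode(train, "zero"))     # same clicks, second convention
```

The decoder's only input is a list of loop interruptions; nothing in it identifies whether the dial or the switch hook produced them, which is why a lock on the dial does not restrict the line.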
Such key-locked telephones, if wired to a modern DTMF capable exchange, can also be exploited by a tone dialer that generates the DTMF tones used by modern keypad units. These signals are now very uniformly standardized worldwide. It is notable that the two methods can be combined: Even if the exchange does not support DTMF, the key lock can be circumvented by switch-hooking, and the tone dialer can be then used to operate automated DTMF controlled services that can not be used with rotary dial.
The origins of phone phreaking trace back at least to AT&T's implementation of fully automatic switches. These switches used tone dialing, a form of in-band signaling, and included some tones which were for internal telephone company use. One internal-use tone is a tone of 2600 Hz which causes a telephone switch to think the call has ended, leaving an open carrier line, which can be exploited to provide free long-distance and international calls. At that time, long-distance calls were more expensive than local calls. [8]
The tone was discovered in approximately 1957, [8] by Joe Engressia, a blind seven-year-old boy. Engressia had perfect pitch, and discovered that whistling the fourth E above middle C (a frequency of 2637.02 Hz) would stop a dialed phone recording. Unaware of what he had done, Engressia called the phone company and asked why the recordings had stopped. Joe Engressia is considered to be the father of phreaking. [9]
Other early phreaks, such as "Bill from New York" (William "Bill" Acker 1953-2015), began to develop a rudimentary understanding of how phone networks worked. Bill discovered that a recorder he owned could also play the tone at 2600 Hz with the same effect. John Draper discovered through his friendship with Engressia that the free whistles given out in Cap'n Crunch cereal boxes also produced a 2600 Hz tone when blown (providing his nickname, "Captain Crunch"). This allows control of phone systems that work on single frequency (SF) controls. One can sound a long whistle to reset the line, followed by groups of whistles (a short tone for a "1", two for a "2", etc.) to dial numbers. [10] [11]
While single-frequency worked on certain phone routes, the most common signaling on the then long-distance network was multi-frequency (MF) controls. The slang term for these tones and their use was "Marty Freeman". The specific frequencies required were unknown to the general public until 1954, when the Bell System published the information in the Bell System Technical Journal in an article describing the methods and frequencies used for inter-office signalling. The journal was intended for the company's engineers; however, it found its way to various college campuses across the United States. With this one article, the Bell System accidentally gave away the "keys to the kingdom", and the intricacies of the phone system were at the disposal of people with a knowledge of electronics. [12]
The second generation of phreaks arose at this time, including New Yorkers "Evan Doorbell", "Ben Decibel" and Neil R. Bell and Californians Mark Bernay, Chris Bernay, and "Alan from Canada". Each conducted their own independent exploration and experimentation of the telephone network, initially on an individual basis, and later within groups as they discovered each other in their travels. "Evan Doorbell", "Ben" and "Neil" formed a group of phreaks, known as "Group Bell". Bernay initiated a similar group named the "Mark Bernay Society". Both Bernay and Evan received fame amongst today's phone phreakers for internet publications of their collection of telephone exploration recordings. These recordings, conducted in the 1960s, 1970s, and early 1980s are available at Mark's website Phone Trips. [13]
In October 1971, phreaking was introduced to the masses when Esquire magazine published a story called "Secrets of the Little Blue Box" [14] [15] [16] by Ron Rosenbaum. This article featured Engressia and John Draper prominently, synonymising their names with phreaking. The article also attracted the interest of other soon-to-be phreaks, such as Steve Wozniak and Steve Jobs, who went on to found Apple Computer. [17] [18]
1971 also saw the beginnings of YIPL (Youth International Party Line), a publication started by Abbie Hoffman and Al Bell to provide information to Yippies on how to "beat the man", mostly involving telephones. In the first issue of YIPL, writers included a "shout-out" to all of the phreakers who provided technological information for the newsletter: "We at YIPL would like to offer thanks to all you phreaks out there." [19] In the last issue, YIPL stated:
YIPL believes that education alone cannot affect the System, but education can be an invaluable tool for those willing to use it. Specifically, YIPL will show you why something must be done immediately in regard, of course, to the improper control of the communication in this country by none other than bell telephone company. [19]
In 1973, Al Bell would move YIPL over and start TAP (Technological American Party). [20]
Al Bell was denied opening a bank account under the name of Technological American Party, since he was not a political party, so he changed the name to Technological Assistance Program to get a bank account. [21]
TAP developed into a major source for subversive technical information among phreaks and hackers all over the world. TAP ran from 1973 to 1984, with Al Bell handing over the magazine to "Tom Edison" in the late 1970s. TAP ended publication in 1984 due mostly to a break-in and arson at Tom Edison's residence in 1983. [22] Cheshire Catalyst then took over running the magazine for its final (1984) year.
A controversially suppressed article "Regulating the Phone Company In Your Home" [23] in Ramparts magazine (June 1972) increased interest in phreaking. This article published simple schematic plans of a "black box" used to make free long-distance phone calls, and included a very short parts list that could be used to construct one. AT&T forced Ramparts to pull all copies from shelves, but not before numerous copies were sold and many regular subscribers received them. [24]
In the 1980s, the revolution of the personal computer and the popularity of computer bulletin board systems (BBSes) (accessed via modem) created an influx of tech-savvy users. These BBSes became popular for computer hackers and others interested in the technology, and served as a medium for previously scattered independent phone phreaks to share their discoveries and experiments. This not only led to unprecedented collaboration between phone phreaks, but also spread the notion of phreaking to others who took it upon themselves to study, experiment with, or exploit the telephone system. This was also at a time when the telephone company was a popular subject of discussion in the US, as the monopoly of AT&T Corporation was forced into divestiture. During this time, exploration of telephone networks diminished, and phreaking focused more on toll fraud. Computer hackers began to use phreaking methods to find the telephone numbers for modems belonging to businesses, which they could exploit later. Groups then formed around the BBS hacker/phreaking (H/P) community such as the famous Masters of Deception (Phiber Optik) and Legion of Doom (Erik Bloodaxe) groups. In 1985, an underground e-zine called Phrack (a combination of the words phreak and hack) began circulation among BBSes, and focused on hacking, phreaking, and other related technological subjects. [25]
In the early 1990s, groups like Masters of Deception and Legion of Doom were shut down by the US Secret Service's Operation Sundevil. Phreaking as a subculture saw a brief dispersion in fear of criminal prosecution in the 1990s, before the popularity of the internet initiated a reemergence of phreaking as a subculture in the US and spread phreaking to international levels.
The 1984 AT&T breakup gave rise to many small companies intent on competing in the long-distance market. These included the then-fledgling Sprint and MCI, both of whom had only recently entered the marketplace. At the time, there was no way to switch a phone line to have calls automatically carried by non-AT&T companies. Customers of these small long-distance operations would be required to dial a local access number, enter their calling card number, and finally enter the area code and phone number they wish to call. Because of the relatively lengthy process for customers to complete a call, the companies kept the calling card numbers short – usually 6 or 7 digits. This opened up a huge vulnerability to phone phreaks with a computer.
6-digit calling card numbers only offer 1 million combinations. 7-digit numbers offer just 10 million. If a company had 10,000 customers, a person attempting to "guess" a card number would have a good chance of doing so correctly once every 100 tries for a 6-digit card and once every 1000 tries for a 7-digit card. While this is almost easy enough for people to do manually, computers made the task far easier. [26] [27] "Code hack" programs were developed for computers with modems. The modems would dial the long-distance access number, enter a random calling card number (of the proper number of digits), and attempt to complete a call to a computer bulletin board system (BBS). If the computer connected successfully to the BBS, it proved that it had found a working card number, and it saved that number to disk. If it did not connect to the BBS in a specified amount of time (usually 30 or 60 seconds), it would hang up and try a different code. Using this method, code hacking programs would turn up hundreds (or in some cases thousands) of working calling card numbers per day. These would subsequently be shared amongst fellow phreakers.
There was no way for these small phone companies to identify the culprits of these hacks. They had no access to local phone company records of calls into their access numbers, and even if they had access, obtaining such records would be prohibitively expensive and time-consuming. While there was some advancement in tracking down these code hackers in the early 1990s, the problem did not completely disappear until most long-distance companies were able to offer standard 1+ dialing without the use of an access number.
Another method of obtaining free phone calls involves the use of "diverters". Call forwarding was not an available feature for many business phone lines in the late 1980s and early 1990s, so they were forced to buy equipment that could do the job manually between two phone lines. When the business would close, they would program the call diverting equipment to answer all calls, pick up another phone line, call their answering service, and bridge the two lines together. This gave the appearance to the caller that they were directly forwarded to the company's answering service. The switching equipment would typically reset the line after the call had hung up and timed out back to dial tone, so the caller could simply wait after the answering service had disconnected, and would eventually get a usable dial tone from the second line. Phreakers recognized the opportunity this provided, and they would spend hours manually dialing businesses after hours, attempting to identify faulty diverters. Once a phreaker had access to one of these lines, they could use it for one of many purposes. In addition to completing phone calls anywhere in the world at the businesses' expense, they could also dial 1-900 phone sex/entertainment numbers, as well as use the line to harass their enemies without fear of being traced. Victimized small businesses were usually required to foot the bill for the long-distance calls, as it was their own private equipment (not phone company security flaws) that allowed such fraud to occur. By 1993, call forwarding was offered to nearly every business line subscriber, making these diverters obsolete. As a result, hackers stopped searching for the few remaining ones, and this method of toll fraud died. Many diverters of different types still exist and are actively "phreaked" in the United States as of 2020.
It is rare to find a diverter solely used for answering service forwarding anymore, but the many other types such as phone-company test numbers and remote PBX DISAs are still used as diverters.
Before the BBS era of the 1980s, phone phreaking was more of a solitary venture, as it was difficult for phreaks to connect with one another. In addition to communicating over BBSs, phone phreaks discover voice mail boxes and party lines as ways to network and keep in touch over the telephone. They usually appropriate unused boxes that are part of business or cellular phone systems. Once a vulnerable mailbox system is discovered, word spreads around the phreak community, and scores of them take residence on the system. They use these systems as a "home base" for communication with one another until the rightful owners discover the intrusion and wipe them off. Voice mailboxes also provide a safe phone number for phreaks to give out to one another, as home phone numbers and personal cellular numbers would allow the phreak's identity (and home address) to be discovered. This is especially important given that phone phreaks are breaking the law.
Phreakers also use "bridges" to communicate live with one another. The term "bridge" originally referred to a group of telephone company test lines that were bridged together giving the effect of a party-line. Eventually, all party-lines, whether bridges or not, came to be known as bridges if primarily populated by hackers and/or phreakers.
The popularity of the Internet in the mid-1990s, along with the better awareness of voice mail by business and cell phone owners, made the practice of stealing voice mailboxes less popular. To this day bridges are still very popular with phreakers yet, with the advent of VoIP, the use of telephone company-owned bridges has decreased slightly in favor of phreaker-owned conferences.
The end of multi-frequency (MF) phreaking in the lower 48 United States occurred on June 15, 2006, when the last exchange in the contiguous United States to use a "phreakable" MF-signalled trunk replaced the aging (yet still well kept) N2 carrier with a T1 carrier. This exchange, located in Wawina Township, Minnesota, was run by the Northern Telephone Company of Minnesota. [28]
Recent notable instances of phreaking involve hacking of VoIP systems. In 2011, the government of the Philippines and the FBI arrested four hackers for phone phreaking through PBX hacking. [29] In 2015, Pakistani officials arrested a prominent phreaker who had amassed more than $50 million from PBX hacking activities. [30]
A rotary dial is a component of a telephone or a telephone switchboard that implements a signaling technology in telecommunications known as pulse dialing. It is used when initiating a telephone call to transmit the destination telephone number to a telephone exchange.
Pulse dialing is a signaling technology in telecommunications in which a direct current local loop circuit is interrupted according to a defined coding system for each signal transmitted, usually a digit. This lends the method the often used name loop disconnect dialing. In the most common variant of pulse dialing, decadic dialing, each of the ten Arabic numerals are encoded in a sequence of up to ten pulses. The most common version decodes the digits 1 through 9, as one to nine pulses, respectively, and the digit 0 as ten pulses. Historically, the most common device to produce such pulse trains is the rotary dial of the telephone, lending the technology another name, rotary dialing.
A red box is a phreaking device that generates tones to simulate inserting coins in pay phones, thus fooling the system into completing free calls. In the United States, a nickel is represented by one tone, a dime by two, and a quarter by a set of five. Any device capable of playing back recorded sounds can potentially be used as a red box. Commonly used devices include modified Radio Shack tone dialers, personal MP3 players, and audio-recording greeting cards.
A blue box is an electronic device that produces tones used to generate the in-band signaling tones formerly used within the North American long-distance telephone network to send line status and called number information over voice circuits. During that period, charges associated with long-distance calling were commonplace and could be significant, depending on the time, duration and destination of the call. A blue box device allowed for circumventing these charges by enabling an illicit user, referred to as a "phreaker," to place long-distance calls, without using the network's user facilities, that would be billed to another number or dismissed entirely by the telecom company's billing system as an incomplete call. A number of similar "color boxes" were also created to control other aspects of the phone network.
John Thomas Draper, also known as Captain Crunch, Crunch, or Crunchman, is an American computer programmer and former phone phreak. He is a widely known figure within the computer programming world and the hacker and security community, and generally lives a nomadic lifestyle.
A telephone keypad is a keypad installed on a push-button telephone or similar telecommunication device for dialing a telephone number. It was standardized when the dual-tone multi-frequency signaling (DTMF) system was developed in the Bell System in the United States in the 1960s; this replaced rotary dialing, which had been developed for electromechanical telephone switching systems. Because of the abundance of rotary dial equipment still in use well into the 1990s, many telephone keypads were also designed to be backwards-compatible: as well as producing DTMF pulses, they could optionally be switched to produce loop-disconnect pulses electronically.
A telephone call or telephone conversation, also known as a phone call or voice call, is a connection over a telephone network between the called party and the calling party. Telephone calls started in the late 19th century. As technology has improved, a majority of telephone calls are made over a cellular network through mobile phones or over the internet with Voice over IP. Telephone calls are typically used for real-time conversation between two or more parties, especially when the parties cannot meet in person.
In telephony, multi-frequency signaling (MF) is a type of signaling that was introduced by the Bell System after World War II. It uses a combination of audible tones for address transport and supervision signaling on trunk lines between central offices. The signaling is sent in-band over the same channel as the bearer channel used for voice traffic.
In telecommunications, in-band signaling is the sending of control information within the same band or channel used for data such as voice or video. This is in contrast to out-of-band signaling which is sent over a different channel, or even over a separate network. In-band signals may often be heard by telephony participants, while out-of-band signals are inaccessible to the user. The term is also used more generally, for example of computer data files that include both literal data, and metadata and/or instructions for how to process the literal data.
Phone fraud, or more generally communications fraud, is the use of telecommunications products or services with the intention of illegally acquiring money from, or failing to pay, a telecommunication company or its customers.
Operation Sundevil was a 1990 nationwide United States Secret Service crackdown on "illegal computer hacking activities." It involved raids in approximately fifteen different cities and resulted in three arrests and the confiscation of computers, the contents of electronic bulletin board systems (BBSes), and floppy disks. It was revealed in a press release on May 9, 1990. The arrests and subsequent court cases resulted in the creation of the Electronic Frontier Foundation. The operation is now seen as largely a public-relations stunt. Operation Sundevil has also been viewed as one of the preliminary attacks on the Legion of Doom and similar hacking groups. The raid on Steve Jackson Games, which led to the court case Steve Jackson Games, Inc. v. United States Secret Service, is often attributed to Operation Sundevil, but the Electronic Frontier Foundation states that it is unrelated and cites this attribution as a media error.
Joybubbles, born Josef Carl Engressia Jr. in Richmond, Virginia, was an early phone phreak. Born blind, he became interested in telephones at age four. He had absolute pitch, and was able to whistle 2600 hertz into a telephone, an operator tone also used by blue box phreaking devices. Joybubbles said that he had an IQ of "172 or something". Joybubbles died at his Minneapolis home on August 8, 2007 (aged 58). According to his death certificate, he died of natural causes with congestive heart failure as a contributing condition.
2600 hertz (2600 Hz) is a frequency in hertz that was used in telecommunication signaling in mid-20th century long-distance telephone networks using carrier systems.
A phreaking box is a device used by phone phreaks to perform various functions normally reserved for operators and other telephone company employees.
Novation, Inc., is an early modem manufacturer whose CAT series were popular in the early home computer market in the late 1970s and early 1980s, notably on the Apple II. The Hayes Smartmodem 300, introduced in 1981, helped kill off Novation and many other early modem companies over the next few years.
The Signaling System No. 5 (SS5) is a multi-frequency (MF) telephone signaling system that was in use from the 1970s for International Direct Distance Dialing (IDDD). Internationally it became known as CCITT5 or CC5. It was also nicknamed Atlantic Code because it was used for the first IDDD connections between Europe and North America.
A push-button telephone is a telephone that has buttons or keys for dialing a telephone number, in contrast to a rotary dial used in earlier telephones.
The Bell Labs Technical Journal was the in-house scientific journal for scientists of Bell Labs, published yearly by the IEEE society.
Matthew Weigman is a blind American man who has used his heightened hearing ability to help him deceive telephone operators and fake various in-band phone signals. Before his arrest at the age of 18, Weigman had used this ability to become a well-known phone phreaker, memorizing phone numbers by tone and performing uncanny imitations of various phone line operators to perform pranks such as swatting his rivals.
Dialling is the action of initiating a telephone call by operating the rotary dial or the telephone keypad of a telephone.
The Cheshire Catalyst is Richard Cheshire, former editor of the TAP Newsletter.