the KP and S lamps. At the terminating CO, the two MF tones of each digit are amplified and limited in the MF receiver unit associated with the incoming sender and register circuit. The frequencies are selected by channel filters in the MF receiver and then detected. The DC voltage that results will operate the proper channel relays to continue with the process of placing the call.

Written in July of 1986

==Phrack Inc.==

Volume Two, Issue Eleven, Phile #9 of 12

--------------------------------------------------------------------------

The following is reprinted from the November 1985 issue of Personal Communications Technology magazine by permission of the authors and the publisher, FutureComm Publications Inc., 4005 Williamsburg Ct., Fairfax, VA 22032, 703/352-1200.

Copyright 1985 by FutureComm Publications Inc. All rights reserved.

--------------------------------------------------------------------------

THE ELECTRONIC SERIAL NUMBER: A CELLULAR 'SIEVE'?
'SPOOFERS' CAN DEFRAUD USERS AND CARRIERS

by Geoffrey S. Goodfellow, Robert N. Jesse, and Andrew H. Lamothe, Jr.

What's the greatest security problem with cellular phones? Is it privacy of communications? No. Although privacy is a concern, it will pale beside an even greater problem: spoofing.

'Spoofing' is the process through which an agent (the 'spoofer') pretends to be somebody he isn't by proffering false identification, usually with intent to defraud. This deception, which cannot be protected against using the current U.S. cellular standards, has the potential to create a serious problem--unless the industry takes steps to correct some loopholes in the present cellular standards.

Compared to spoofing, the common security concern of privacy is not so severe. Most cellular subscribers would, at worst, be irked by having their conversational privacy violated. A smaller number of users might actually suffer business or personal harm if their confidential exchanges were compromised. For them, voice encryption equipment is becoming increasingly available if they are willing to pay the price for it.

Thus, even though technology is available now to prevent an interloper from overhearing sensitive conversations, cellular systems cannot--at any cost--prevent pirates from charging calls to any account. This predicament is not new to the industry. Even though cellular provides a modern, sophisticated quality mobile communications service, it is not fundamentally much safer than older forms of mobile telephony.

History of Spoofing Vulnerability

The earliest form of mobile telephony, unsquelched manual Mobile Telephone Service (MTS), was vulnerable to interception and eavesdropping. To place a call, the user listened for a free channel. When he found one, he would key his microphone to ask for service: 'Operator, this is Mobile 1234; may I please have 555-7890.' The operator knew to submit a billing ticket for account number 1234 to pay for the call. So did anybody else listening to the channel--hence the potential for spoofing and fraud.

Squelched channel MTS hid the problem only slightly because users ordinarily didn't overhear channels being used by other parties. Fraud was still easy for those who turned off the squelch long enough to overhear account numbers.

Direct-dial mobile telephone services such as Improved Mobile Telephone Service (IMTS) obscured the problem a bit more because subscriber identification was made automatically rather than by spoken exchange between caller and operator. Each time a user originated a call, the mobile telephone transmitted its identification number to the serving base station using some form of Audio Frequency Shift Keying (AFSK), which was not so easy for eavesdroppers to understand.

Committing fraud under IMTS required modification of the mobile--restrapping of jumpers in the radio unit, or operating magic keyboard combinations in later units--to reprogram the unit to transmit an unauthorized identification number. Some mobile control heads even had convenient thumb wheel switches installed on them to facilitate easy and frequent ANI (Automatic Number Identification) changes.

Cellular Evolution

Cellular has evolved considerably from these previous systems. Signaling between mobile and base stations uses high-speed digital techniques and involves many different types of digital messages. As before, the cellular phone contains its own Mobile Identification Number (MIN), which is programmed by the seller or service shop and can be changed when, for example, the phone is sold to a new user. In addition, the U.S. cellular standard incorporates a second number, the 'Electronic Serial Number' (ESN), which is intended to uniquely and permanently identify the mobile unit.

According to the Electronic Industries Association (EIA) Interim Standard IS-3-B, Cellular System Mobile Station--Land Station Compatibility Specification (July 1984), 'The serial number is a 32-bit binary number that uniquely identifies a mobile station to any cellular system. It must be factory-set and not readily alterable in the field. The circuitry that provides the serial number must be isolated from fraudulent contact and tampering. Attempts to change the serial number circuitry should render the mobile station inoperative.'

The ESN was intended to solve two problems the industry observed with its older systems.

First, the number of subscribers that older systems could support fell far short of the demand in some areas, leading groups of users to share a single mobile number (fraudulently) by setting several phones to send the same identification. Carriers lost individual user accountability and their means of predicting and controlling traffic on their systems.

Second, systems had no way of automatically detecting use of stolen equipment because thieves could easily change the transmitted identification.

In theory, the required properties of the ESN allow cellular systems to check to ensure that only the correctly registered unit uses a particular MIN, and the ESNs of stolen units can be permanently denied service ('hot-listed'). This measure is an improvement over the older systems, but vulnerabilities remain.

Ease of ESN Tampering

Although the concept of the unalterable ESN is laudable in theory, weaknesses are apparent in practice. Many cellular phones are not constructed so that 'attempts to change the serial number circuitry renders the mobile station inoperative.' We have personally witnessed the trivial swapping of one ESN chip for another in a unit that functioned flawlessly after the switch was made.

Where can ESN chips be obtained to perform such a swap? We know of one recent case in the Washington, D.C. area in which an ESN was 'bought' from a local service shop employee in exchange for one-half gram of cocaine. Making the matter simpler, most manufacturers are using industry standard Read-Only Memory (ROM) chips for their ESNs, which are easily bought and programmed or copied.

Similarly, in the spirit of research, a west coast cellular carrier copied the ESN from one manufacturer's unit to another one of the same type and model--thus creating two units with the exact same identity.

The ESN Bulletin Board

For many phones, ESN chips are easy to obtain, program, and install. How does a potential bootlegger know which numbers to use? Remember that to obtain service from a system, a cellular unit must transmit a valid MIN (telephone number) and (usually) the corresponding serial number stored in the cellular switch's database.

With the right equipment, the ESN/MIN pair can be read right off the air because the mobile transmits it each time it originates a call. Service shops can capture this information using test gear that automatically receives and decodes the reverse, or mobile-to-base, channels.

Service shops keep ESN/MIN records on file for units they have sold or serviced, and the carriers also have these data on all of their subscribers. Unscrupulous employees could compromise the security of their customers' telephones. In many ways, we predict that 'trade' in compromised ESN/MIN pairs will resemble what currently transpires in the long distance telephone business with AT&T credit card numbers and alternate long-distance carrier (such as MCI, Sprint and Alltel) account codes. Code numbers are swapped among friends, published on computer 'bulletin boards' and trafficked by career criminal enterprises.

Users whose accounts are being defrauded might--or might not--eventually notice higher-than-expected bills and be reassigned new numbers when they complain to the carrier. Just as in the long distance business, however, this number 'turnover' (deactivation) won't happen quickly enough to make abuse unprofitable. Catching pirates in the act will be even tougher than it is in the wireline telephone industry because of the inherent mobility of mobile radio.

Automating Fraud

Computer hobbyists and electronics enthusiasts are clever people. Why should a cellular service thief 'burn ROMs' and muck with hardware just to install new IDs in his radio? No Herculean technology is required to 'hack' a phone to allow ESN/MIN programming from a keyboard, much like the IMTS phone thumb wheel switches described above.

Those not so technically inclined may be able to turn to mail-order entrepreneurs who will offer modification kits for cellular fraud, much as some now sell telephone toll fraud equipment and pay-TV decoders.

At least one manufacturer is already offering units with keyboard-programmable MINs. While intended only for the convenience of dealers and service shops, and thus not described in customer documentation, knowledgeable and/or determined end users will likely learn the incantations required to operate the feature. Of course this does not permit ESN modification, but easy MIN reprogrammability alone creates a tremendous liability in today's roaming environment.

The Rolls Royce of this iniquitous pastime might be a 'Cellular Cache-Box.' It would monitor reverse setup channels and snarf ESN/MIN pairs off the air, keeping a list in memory. Its owner could place calls as on any other cellphone. The Cache-Box would automatically select an ESN/MIN pair from its catalog, use it once and then discard it, thus distributing its fraud over many accounts. Neither customer nor service provider is likely to detect the abuse, much less catch the perpetrator.

As the history of the computer industry shows, it is not far-fetched to predict explosive growth in telecommunications and cellular that will bring equipment prices within reach of many experimenters. Already we have seen the appearance of first-generation cellular phones on the used market, and new units can be purchased for well under $1000 in many markets.

How High The Loss?

Subscribers who incur fraudulent charges on their bills certainly can't be expected to pay them. How much will fraud cost the carrier? If the charge is for home-system airtime only, the marginal cost to the carrier of providing that service is not as high as if toll charges are involved. In the case of toll charges, the carrier suffers a direct cash loss. The situation is at its worst when the spoofer pretends to be a roaming user. Most inter-carrier roaming agreements to date make the user's home carrier (real or spoofed) responsible for charges; that carrier would then be out hard cash for toll and airtime charges.

We have not attempted to predict the dollar losses this chicanery might generate because there isn't enough factual information for anyone to guess responsibly. Examination of current estimates of long-distance-toll fraud should convince the skeptic.

Solutions

The problems we have described are basically of two types. First, the ESN circuitry in most current mobiles is not tamper-resistant, much less tamper-proof. Second and more importantly, the determined perpetrator has complete access to all information necessary for spoofing by listening to the radio emissions from valid mobiles because the identification information (ESN/MIN) is not encrypted and remains the same with each transmission.

Manufacturers can mitigate the first problem by constructing mobiles that more realistically conform to the EIA requirements quoted above. The second problem is not beyond solution with current technology, either. Well-known encryption techniques would allow mobiles to identify themselves to the serving cellular system without transmitting the same digital bit stream each time. Under this arrangement, an interloper receiving one transmission could not just retransmit the same pattern and have it work a second time.
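The replay weakness and the "never the same bit stream twice" fix that the preceding paragraph describes, as an added illustration written for this reprint; it is not code from the article, the EIA IS-3-B standard, or any carrier's authentication scheme. It assumes a per-mobile secret key held by the carrier and the mobile (something the 1985 air interface did not have), uses HMAC-SHA256 as the "well-known encryption technique", and all MIN/ESN/key values are constructed.

```python
import hmac
import hashlib
import secrets

# Constructed carrier-side subscriber record: MIN -> ESN plus a per-mobile
# secret. The secret is an assumption of this example (provisioned at
# activation, never sent over the air); the 1985 system had no such value.
SUBSCRIBERS = {
    "3015551234": {"esn": 0x12345678, "key": b"constructed-secret-mobile-A"},
}


def static_identify(min_, esn):
    """1985-style origination: the identical MIN/ESN bit pattern every time."""
    return f"{min_}:{esn:08x}"


def static_accept(ident):
    """Switch-side check for the static scheme: a matching pair is all it
    needs, so a pattern copied off the reverse channel is accepted again."""
    min_, esn_hex = ident.split(":")
    sub = SUBSCRIBERS.get(min_)
    return sub is not None and sub["esn"] == int(esn_hex, 16)


def mobile_response(key, min_, esn, nonce):
    """Mobile side of the challenge/response: keyed MAC over identity + nonce."""
    msg = min_.encode() + esn.to_bytes(4, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


class BaseStation:
    """Serving system that issues a fresh random nonce per origination."""

    def __init__(self):
        self._pending = {}  # MIN -> nonce currently outstanding

    def challenge(self, min_):
        nonce = secrets.token_bytes(16)
        self._pending[min_] = nonce
        return nonce

    def verify(self, min_, esn, nonce, response):
        sub = SUBSCRIBERS.get(min_)
        if sub is None or sub["esn"] != esn:
            return False  # unknown MIN or ESN/MIN mismatch (hot-list goes here)
        if self._pending.get(min_) != nonce:
            return False  # stale, unknown or already-consumed challenge
        del self._pending[min_]  # each challenge is redeemable once
        expected = mobile_response(sub["key"], min_, esn, nonce)
        return hmac.compare_digest(expected, response)


def demo():
    """Returns (static_replay_accepted, honest_ok, replay_accepted)."""
    min_, esn = "3015551234", 0x12345678
    key = SUBSCRIBERS[min_]["key"]

    # Static scheme: the captured pattern works as often as it is re-sent.
    static_replay = static_accept(static_identify(min_, esn))

    # Challenge/response: the legitimate mobile answers this origination's nonce.
    bs = BaseStation()
    nonce = bs.challenge(min_)
    resp = mobile_response(key, min_, esn, nonce)
    honest_ok = bs.verify(min_, esn, nonce, resp)

    # The same recorded (nonce, response) pair presented on a later
    # origination is rejected: the outstanding challenge is a different nonce.
    bs.challenge(min_)
    replayed = bs.verify(min_, esn, nonce, resp)
    return static_replay, honest_ok, replayed


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```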
An ancillary benefit of encryption is that it would reasonably protect communications intelligence--the digital portion of each transaction that identifies who is calling whom when.

The drawback to any such solution is that it requires some re-engineering in the Mobile-Land Station Compatibility Specification, and thus new software or hardware for both mobiles and base stations. The complex logistics of establishing a new standard, implementing it, and retrofitting as much of the current hardware as possible certainly presents a tough obstacle, complicated by the need to continue supporting the non-encrypted protocol during a transition period, possibly forever.

The necessity of solving the problem will, however, become apparent. While we presently know of no documented cases of cellular fraud, the vulnerability of the current standards and experience with similar technologies lead us to conclude that it is inevitable. Failure to take decisive steps promptly will expose the industry to a far more expensive dilemma.

Geoffrey S. Goodfellow is a member of the senior research staff in the Computer Science Laboratory at SRI International, 333 Ravenswood Ave., Menlo Park, CA 94025, 415/859-3098. He is a specialist in computer security and networking technology and is an active participant in cellular industry standardization activities. He has provided Congressional testimony on telecommunications security and privacy issues and has co-authored a book on the computer 'hacking' culture.

Robert N. Jesse (2221 Saint Paul St., Baltimore, MD 21218, 301/243-8133) is an independent consultant with expertise in security and privacy, computer operating systems, telecommunications and technology management. He is an active participant in cellular standardization efforts. He was previously a member of the senior staff at The Johns Hopkins University, after he obtained his BES/EE from Johns Hopkins.

Andrew H. Lamothe, Jr. is executive vice-president of engineering at Cellular Radio Corporation, 8619 Westwood Center Dr., Vienna, VA 22180, 703/893-2680. He has played a leading role internationally in cellular technology development. He was with Motorola for 10 years prior to joining American TeleServices, where he designed and engineered the Baltimore/Washington market trial system now operated by Cellular One.

--------

A later note indicates that one carrier may be losing something like $180K per month....

==Phrack Inc.==

Volume Two, Issue Eleven, Phile #10 of 12

BUSY LINE VERIFICATION

WRITTEN BY PHANTOM PHREAKER

This file describes how a TSPS operator does a BLV (Busy Line Verification) and an EMER INT (Emergency Interrupt) upon a busy line that a customer has requested to be 'broken' into. I have written this file to hopefully clear up all the misconceptions about Busy Line Verification and Emergency Interrupts.

BLV is 'Busy Line Verification'. That is, discovering if a line is busy/not busy. BLV is the telco term, but it has been called Verification, Autoverify, Emergency Interrupt, break into a line, REMOB, and others. BLV is the result of a TSPS that uses a Stored Program Control System (SPCS) called the Generic 9 program. Before the rise of TSPS in 1969, cordboard operators did the verification process. The introduction of BLV via TSPS brought about more operator security features. The Generic 9 SPCS and hardware was first installed in Tucson, Daytona, and Columbus, Ohio, in 1979. By now virtually every TSPS has the Generic 9 program.

A TSPS operator does the actual verification. If caller A was in the 815 Area code, and caller B was in the 314 Area code, A would dial 0 to reach a TSPS in his area code, 815. Now, A, the customer, would tell the operator he wished an emergency interrupt on B's number, 314+555+1000. The 815 TSPS op who answered A's call cannot do the interrupt outside of her own area code (her service area), so she would call an Inward Operator for B's area code, 314, with KP+314+TTC+121+ST, where the TTC is a Terminating Toll Center code that is needed in some areas. Now a TSPS operator in the 314 area code would be reached by the 815 TSPS, but a lamp on the particular operator's console would tell her she was being reached with an Inward routing. The 815 operator then would say something along the lines of she needed an interrupt on 314+555+1000, and her customer's name was J. Smith. Now, the 314 Inward (which is really a TSPS) would dial B's number, in a normal Operator Direct Distance Dialing (ODDD) fashion. If the line wasn't busy, then the 314 Inward would report this to the 815 TSPS, who would then report to the customer (caller A) that 314+555+1000 wasn't busy and he could call as normal. However, if the given number (in this case, 314+555+1000) was busy, then several things would happen and the process of BLV and EMER INT would begin. The 314 Inward would seize a Verification trunk (or BLV trunk) to the toll office that served the local loop of the requested number (555+1000). Now another feature of TSPS checks the line asked to be verified against a list of lines that can't be verified, such as radio stations, police, etc. If the line number a customer gives is on the list then the verification cannot be done, and the operator tells the customer.

Now the TSPS operator would press her VFY (VeriFY) key on the TSPS console, and the equipment would outpulse (onto the BLV trunk) KP+0XX+PRE+SUFF+ST. The KP being Key Pulse, the 0XX being a 'screening code' that protects against trunk mismatching, the PRE being the Prefix of the requested number (555), the SUFF being the Suffix of the requested number (1000), and the ST being STart, which tells the Verification trunk that no more MF digits follow. The screening code is there to keep a normal Toll Network (used in regular calls) trunk from accidentally connecting to a Verification trunk. If this screening code wasn't present, and a trunk mismatch did occur, someone calling a friend in the same area code might just happen to be connected to his friend's line, and find himself in the middle of a conversation. But, the Verification trunk is waiting for an 0XX sequence, and a normal call on a Toll Network trunk does not outpulse an 0XX first. (Example: You live at 914+555+1000, and wish to call 914+666+0000. The routing for your call would be KP+666+0000+ST. The BLV trunk cannot accept a 666 in place of the proper 0XX routing, and thus would give the caller a re-order tone.) Also, note that the outpulsing sequence onto a BLV trunk can't contain an Area Code. This is the reason why if a customer requests an interrupt outside of his own NPA, the TSPS operator must call an Inward for the area code that can outpulse onto the proper trunk. If a TSPS in 815 tried to do an interrupt on a trunk in 314, it would not work. This proves that there is a BLV network for each NPA, and if you somehow gain access to a BLV trunk, you could only use it for interrupts within the NPA that the trunk was located in.

BLV trunks 'hunt' to find the right trunks to the right Class 5 End Office that serves the given local loop. The same outpulsing sequence is passed along BLV trunks until the BLV trunk serving the Toll Office that serves the given End Office is found.

There is usually one BLV trunk per 10,000 lines (exchange). So, if a Toll Office served ten End Offices, that Toll Office would have 100,000 local loops that it served, and have 10 BLV trunks running from TSPS to that Toll Office.

Now, the operator (in using the VFY key) can hear what is going on on the line (modem, voice, or a permanent signal, indicating a phone off-hook) and take appropriate action. She can't hear what's taking place on the line clearly, however. A speech scrambler circuit within the operator console generates a scramble on the line while the operator is doing a VFY. The scramble is there to keep operators from listening in on people, but it is not enough to keep an op from being able to tell if a conversation, modem signal, or a dial tone is present upon the line. If the operator hears a permanent signal, she can only report back to the customer that either the phone is off-hook, or there is a problem with the line, and she can't do anything about it. In the case of caller A and B, the 314 Inward would tell the 815 TSPS, and the 815 TSPS would tell the customer. If there is a conversation on line, the operator presses a key marked EMER INT (EMERgency INTerrupt) on her console. This causes the operator to be added into a three way port on the busy line. The EMER INT key also deactivates the speech scrambling circuit and activates an alerting tone that can be heard by the called customer. The alerting tone that is played every 10 seconds tells the customer that an operator is on the line. Some areas don't have the alerting tone, however. Now, the operator would say 'Is this XXX-XXXX?' where XXX-XXXX would be the Prefix and Suffix of the number that the original customer requesting the interrupt gave the original TSPS. The customer would confirm the operator had the correct line. Then the Op says 'You have a call waiting from (customer's name). Will you accept?'. This gives the customer the chance to say 'Yes' and let the calling party be connected to him, while the previous party would be disconnected. If the customer says 'No', then the operator tells the person who requested the interrupt that the called customer would not accept. The operator can just inform the busy party that someone needed to contact him or her, and have the people hang up, and then notify the requesting customer that the line is free. Or, the operator can connect the calling party and the interrupted party without loss of connection.

The charges for this service (in my area at least) run $1.00 for asking the operator to interrupt a phone call so you can get through. There is an $.80 charge if you ask the operator to verify whether the phone you're trying to reach is busy because of a service problem or because of a conversation. If the line has no conversation on it, there will be no charge for the verification.

When the customer who initiated the emergency interrupt gets his telephone bill, the charges for the interrupt call will look similar to this:

12-1 530P INTERRUPT CL 314 555 1000 OD 1 1.00

The 12-1 is December first of the current year; 530P is the time the call was made to the operator requesting an interrupt; INTERRUPT CL is what took place, that is, an interrupt call; 314 555 1000 is the number requested; OD stands for Operator Dialed; the 1 is the length of the call (in minutes); and the 1.00 is the charge for the interrupt. The format may be different, depending upon your area and telephone company.

One thing I forgot to mention about TSPS operators. In places where a Remote Trunking Arrangement is being used, and even places where they aren't in use, you may be connected to a TSPS operator in a totally different area code. In such a case, the TSPS that you reach in a Foreign NPA will call up an inward operator for your Home NPA, if the line you requested an EMER INT on was in your HNPA. If the line you requested EMER INT on was in the same NPA of the TSPS that you had reached, then no inward operator would be needed and the answering operator could do the entire process.

Verification trunks seem to be only accessible by a TSPS/Inward operator. However, there have been claims to people doing Emergency Interrupts with blue boxes. I don't know how to accomplish an EMER INT without the assistance of an operator, and I don't know if it can be done. If you really wish to participate in a BLV/EMER INT, call up an Inward Operator and play the part of a TSPS operator who needs an EMER INT upon a pre-designated busy line. Billing is handled at the local TSPS so you will not have to supply a billing number if you decide to do this.

If you find any errors in this file, please try to let me know about it, and if you find out any other information that I haven't included, feel free to comment.

-End of file-

==Phrack Inc.==

Volume Two, Issue Eleven, Phile #11 of 12

PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
PWN                                                                           PWN
PWN                       *>=-{ Phrack World News }-=<*                       PWN
PWN                                                                           PWN
PWN                                Issue X                                    PWN
PWN                                                                           PWN