Text File | 1994-09-18 | 14KB | 256 lines
***************************************************************************
********************* Wired InfoBot Copyright Notice **********************
***************************************************************************
************ All material retrieved from the Wired InfoBot is *************
***************** Copyright 1993 Wired, Rights Reserved. ******************
***************************************************************************
Requesting information from the Wired InfoBot (other than the help file)
indicates your acceptance of the following terms and conditions:
(1) These articles and the contents thereof may be reposted, remailed,
or redistributed to any publicly accessible electronic forum provi-
ded that this notice remains attached and intact.
(2) These articles may not under any circumstances be resold or redis-
tributed for compensation without prior written agreement of Wired.
(3) Wired keeps an archive of all electronic address of those requesting
information from the Wired InfoBot. An electronic mailing list will
be compiled from this archive. This list may from time to time be
used by the staff of Wired Online Services for the purpose of dis-
tributing information deemed relevant to Wired's online readers.
If you wish to have your name removed from this mailing list,
please notify us by sending an electronic mail message to
infoman@wired.com.
If you have any questions about these terms, or would like information
about licensing materials from Wired, please contact us via telephone
(+1.415.904.0660), fax (+1.415.904.0669), or email (info@wired.com).
***************************************************************************
**************************** G*E*T**W*I*R*E*D*! ***************************
Hacking Chips on Cellular Phones is the Latest Thing in the Digital
Underground
by John Markoff
In Silicon Valley, each new technology gives rise to a new generation of
hackers. Consider the cellular telephone. The land-based telephone
system was originally the playground for a small group of hardy
adventurers who believed mastery of telephone technology was an end in
itself. Free phone calls weren't the goal of the first phone phreaks.
The challenge was to understand the system.
The philosophy of these phone hackers: Push the machines as far as they
would go.
Little has changed. Meet V.T. and N.M., the nation's most clever
cellular phone phreaks. (Names here are obscured because, as with many
hackers, V.T. and N.M.'s deeds inhabit a legal gray area.) The original
phone phreaks thought of themselves as "telecommunications hobbyists"
who explored the nooks and crannies of the nation's telephone network -
not for profit, but for intellectual challenge. For a new generation of
mobile phone hackers, the cellular revolution offers rich new veins to
mine.
V.T. is a young scientist at a prestigious government laboratory. He has
long hair and his choice in garb frequently tends toward Patagonia. He
is generally regarded as a computer hacker with few equals. N.M. is a
self-taught hacker who lives and works in Silicon Valley. He has
mastered the intricacies of Unix and DOS. Unusually persistent, he spent
almost an entire year picking apart his cellular phone just to see how
it works.
What V.T. and N.M. discovered last year is that cellular phones are
really just computers - network terminals - linked together by a
gigantic cellular network. They also realized that just like other
computers, cellular phones are programmable.
Programmable! In a hacker's mind that means there is no reason to limit
a cellular phone to the paltry choice of functions offered by its
manufacturer. That means that cellular phones can be hacked! They can be
dissected and disassembled and put back together in remarkable new ways.
Optimized!
Cellular phones aren't the first consumer appliances to be cracked open
and augmented in ways their designers never conceived. Cars, for
example, are no longer the sole province of mechanics. This is the
information age: Modern automobiles have dozens of tiny microprocessors.
Each one is a computer; each one can be reprogrammed. Hot rodding cars
today doesn't mean throwing in a new carburetor; it means rewriting the
software governing the car's fuel injection system.
This is the reality science fiction writers William Gibson and Bruce
Sterling had in mind when they created cyberpunk: Any technology, no
matter how advanced, almost immediately falls to the level of the
street. Here in Silicon Valley, there are hundreds of others like V.T.
and N.M. who squeeze into the crannies of any new technology, bending
it to new and more exotic uses.
On a recent afternoon, V.T. sits at a conference room table in a San
Francisco highrise. In his hand is an OKI 900 cellular phone. It nestles
comfortably in his palm as his fingers dance across the keyboard.
Suddenly, the tiny back-lit screen flashes a message: "Good Timing!"
Good Timing? This is a whimsical welcome message left hidden in the
phone's software by the manufacturer's programmers. V.T. has entered the
phone's software sub-basement - a command area normally reserved for
technicians. This is where the phone can be reprogrammed; a control
point from which the phone can be directed to do new and cooler things.
It is hidden by a simple undocumented password.
How did V.T. get the password, or even know one was required? It didn't
even take sophisticated social engineering - the phone phreak's term for
gaining secret engineering data by fooling unwitting employees into
thinking they are talking to an official phone company technician.
Rather, all he did was order the technical manual, which told him he
needed special codes to enter the software basement. V.T. then called
the cellular phone maker's technical support hotline. "They said 'sorry
about that,' and asked for a fax number. A couple of minutes later we
had the codes," he recalls with a faint grin.
V.T.'s fingers continue darting across the keys - he is issuing commands
built into the phone by the original programmers. These commands are not
found in the phone's user manual. Suddenly, voices emerge from the
phone's ear piece. The first is that of a salesman getting his messages
from a voice mail system. V.T. shifts frequencies. Another voice. A
woman giving her boss directions to his next appointment.
What's going on here? V.T. and N.M. have discovered that every cellular
phone possesses a secret mode that turns it into a powerful cellular
scanner.
That's just the beginning. Using a special program called a
"disassembler," V.T. has read out the OKI's software, revealing more
than 90 secret commands for controlling the phone.
That's how the two hackers found the undocumented features that turn the
phone into a scanner. Best of all, the manufacturer has included a
simple interface that makes it possible to control the phone with a
standard personal computer.
A personal computer! The most programmable of a hacker's tools! That
means that what appears to be a simple telephone can be easily
transformed into a powerful machine that can do things its designers
never dreamed of!
V.T. and N.M. have also discovered that the OKI's 64-Kbyte ROM - a
standard off-the-shelf chip that stores the phone's software - has more
than 20 Kbytes of free space. Plenty of room to add special features,
just like hot rodding the electronics of a late-model car. Not only do
the hackers use the software that is already there, but they can add
some of their own as well. And for a good programmer, 20 Kbytes is a lot
of room to work with.
It is worth noting that V.T. and N.M. are not interested in getting free
phone calls. There are dozens of other ways to accomplish that, as an
anonymous young pirate recently demonstrated by stealing the electronic
serial number from a San Diego roadside emergency box and then racking
up thousands of phone calls before the scam was discovered. (Such a
serial number allowed the clever hacker to create a phone that the phone
network thought was somewhere on a pole by the side of the freeway.)
It's also possible to wander to street corners in any borough in New
York City and find a code dude - street slang for someone who illegally
pirates telephone codes - who will give you 15 minutes of phone time to
any corner of the world for $10. These "dudes" find illegally gathered
charge card numbers and then resell them on the street until telephone
security catches on. The tip-off: often an unusually large number of
calls to Ecuador or France emanating from one particular street corner.
Then again, it's possible for you to join the code hackers who write
telephone software that automatically finds codes to be stolen. Or you
can buy a hot ROM - one that contains magic security information
identifying you as a paying customer. Either way, your actions would be
untraceable by the phone company's interwoven security databases.
But free phone calls are not what V.T. and N.M. are about. "It's so
boring," says V.T. "If you're going to do something illegal, you might
as well do something interesting."
So what's tempting? N.M. has hooked his portable PC and his cellular
phone together. He watches the laptop's screen, which is drawing a map
of each cellular phone call currently being placed in our cell - a term
for the area covered by one broadcast unit in the cellular phone
network. The network can easily query each cellular phone as to its
current location. When phones travel from one cell to the next - as they
tend to do in a car - information is passed on in the form of hidden
code married to the phone transmission. Since N.M. knows where each
local cell is, he can display the approximate geographic locations of
each phone that is currently active.
But for that tracking scheme to work, the user must be on the phone. It
would take only a few days of hacking to extend the software on N.M.'s
PC to do an even more intriguing monitoring task: Why not pirate the
data from the cellular network's paging channel (a special frequency
that cellular networks use to communicate administrative information to
cellular phones) and use it to follow car phones through the networks?
Each time there is a hand-off from one cell to the next, that fact could
be recorded on the screen of the PC - making it possible to track users
regardless of whether or not they are on the phone.
Of course this is highly illegal, but N.M. muses that the capability is
something that might be extremely valuable to law enforcement agencies -
and all at a cost far below the exotic systems they now use.
Hooking a cellular phone to a personal computer offers other
surveillance possibilities as well. V.T. and N.M. have considered
writing software to monitor particular phone numbers. They could easily
design a program that turns the OKI 900 on when calls are originated
from a specific number, or when specific numbers are called. A simple
voice-activated recorder could then tape the call. And, of course, a
reprogrammed phone could automatically decode touch-tone passwords -
making it easy to steal credit card numbers and voice-mail codes.
Then there's the vampire phone. Why not, suggests V.T., take advantage
of a cellular phone's radio frequency leakage - inevitable low-power
radio emissions - to build a phone that, with the press of a few
buttons, could scan the RF spectrum for the victim's electronic serial
number. You'd have to be pretty close to the target phone to pick up the
RF, but once you have the identity codes, a reprogrammed phone becomes
digitally indistinguishable from the original. This is the type of phone
fraud that keeps federal investigators up at night.
Or how about the ultimate hacker's spoof? V.T. has carefully studied
phone company billing procedures and found many examples of inaccurate
bills. Why not monitor somebody's calls and then anonymously send the
person a corrected version of their bill: "According to our records...."
Of course, such software hacks are probably highly illegal, and
authorities seem to be catching on. The Electronic Communications
Privacy Act of 1986 makes it a federal crime to eavesdrop on cellular
phone calls. More recently, Congress passed another law forbidding the
manufacture of cellular scanners. While they may not be manufacturers,
both N.M. and V.T. realize that their beautifully crafted phones are
probably illegal.
For now, their goals are more modest. V.T., for example, would like to
be able to have several phones with the same phone number. Not a
problem, as it turns out. Although federal law requires that electronic
serial numbers be hidden in specially protected memory locations, V.T.
and N.M. have figured out how to pry the OKI's ESN out and write
software so that they can replace it with their own number.
V.T. and N.M.'s explorations into the soul of the OKI 900 have left them
with a great deal of admiration for OKI's programmers. "I don't know
what they were thinking, but they had a good time," V.T. said, "This
phone was clearly built by hackers."
The one thing V.T. and N.M. haven't decided is whether or not they
should tell OKI about the bugs - and the possibilities - they've found
in the phone's software.
Copyright (c) 1993 Wired Magazine