Phreaking Not Dead Yet
santos_douglas writes "From Wired comes this article about an exploit involving weak voicemail passwords and automated voice recognition systems for accepting collect calls. The providers involved, SBC and AT&T, don't seem too concerned about their customers receiving tens of thousands in fraudulent charges from places like Saudi Arabia and the Philippines."
For more about Fone Phreaking, check out the grand master... Phone Losers of America
"Sic Semper Tyrannosaurus Rex."
The basic idea being used here is *really* old; phreaks have been changing OGMs to "- pause - yes, we accept that collect call" and suchlike for ages. The novel aspect is that it's essentially automated, no SE'ing skills required to make a convincing message, due to AT&T and SBC being retards. Still amusing though.
Users are given a brand new phone system, with some default password used to set voicemail messages. Users did not change that default password. Enterprising ne'er-do-wells realize this is going on, use the default password to change the voicemail greetings to "yes, yes, I will accept the charges, yes, yes" and proceed to make free collect calls.
We have a classic case of stupid users.
It's not that I don't feel for them. And I certainly think AT&T/SBC will start provisioning these systems with pseudorandom passwords as defaults. But if you don't change your password, and someone else finds out about it... that's no one's fault but your own.
Should the people who did this be punished? Absolutely, they clearly broke the law. But now, maybe people will begin to realize that security isn't something that they can leave up to third parties -- it's something they need to take in their own hands, lest they find themselves $12,000 up shit creek and lacking any means of locomotion.
levine
My company's voice mail server used to get hacked all the time. We have over 20,000 mail boxes, so toll fraud is something that we just had to deal with. A simple fix for our problem: turn off the ability to dial out of the voice mail server, and voilà, problem solved. :)
I never call back numbers that I don't recognize. If it's important, they'll call me again.
LOL. I've got two of those. The outside is thick plastic, inside everything is waterproofed. These were designed to last forever.
I've also got a really old one with the outside encased in rubber, and little prongs on the tiny rotary mech, so you could dial even with gloves on, at the top of a pole in any weather.
Dad was a lineman for MTS (Manitoba Telephone System). When he died I got all of this stuff, and a bunch of other cool stuff like climbing spikes and safety belts.
Note to all: don't install a resistor across the line to allow free incoming long distance calls when Dad's a lineman. Also, don't build a bluebox using parts you stole from dad's work. The phone company can get quite upset.
Dad was even madder.
Then have the system say:
"You have a collect call from [name spoken by collect caller]. If you would like to accept charges say [random word or number] now. (pause) To accept charges say [same random word] now. To repeat this message press the # key."
The pause allows them to say 'umm what' and then figure it out. It's no harder than leaving a message on a voice mail system.
I originally thought of allowing the users to press a number on the telephone pad -- however, that would allow them to input a sequence of all the numbers on the keypad into the voicemail message. Using random words is better. The # key resets the random word, so that if the person can't pronounce the word in a way the system can understand, it gives them another chance to try.
Instead of a question, you tell them how to accept charges. You tell them how twice. Most people will be able to figure it out by the second time it's played to them. Those who can't shouldn't be accepting a collect call (or reproducing for that matter).
https://www.gnu.org/philosophy/free-sw.html
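As an added illustration of the random-word proposal above (example code, not from the article or any carrier's system): a simulated acceptance dialogue in which the callee must echo a freshly chosen word. The word list, the `answerer` callback shape and the transcripts are constructed for the example; it shows why a fixed "yes, yes" greeting passes the old yes/no and keypad checks but fails the challenge, while a live listener passes.

```python
import secrets

# Constructed word list (assumption: a real system picks words its recogniser handles well).
CHALLENGE_WORDS = ["apple", "river", "candle", "orange", "window", "pencil"]

def new_challenge():
    """Pick an unpredictable word the callee must repeat to accept charges."""
    return secrets.choice(CHALLENGE_WORDS)

def prompts(caller_name, word):
    """The two prompts from the proposal; the same word is used in both."""
    return [
        f"You have a collect call from {caller_name}. "
        f"If you would like to accept charges say {word} now.",
        f"To accept charges say {word} now. To repeat this message press the # key.",
    ]

def collect_call(caller_name, answerer, max_resets=3):
    """Run the dialogue against `answerer`, a callable taking the spoken prompt and
    returning the transcript heard on the line ('' for silence, '#' for the repeat
    key). Accept only if the current word is echoed; '#' starts over with a new word."""
    for _ in range(max_resets + 1):
        word = new_challenge()
        for prompt in prompts(caller_name, word):
            reply = answerer(prompt).strip().lower()
            if reply == "#":
                break            # repeat requested: fall through to a fresh word
            if word in reply.split():
                return True
        else:
            return False         # both prompts played, no match, no reset
    return False                 # too many resets

def yes_no_acceptance(answerer):
    """The scheme the article describes: any spoken 'yes' accepts the charges."""
    return "yes" in answerer("Say yes to accept charges.").lower().split()

def keypad_acceptance(answerer, digit):
    """The commenter's rejected alternative: press a given digit to accept."""
    return digit in answerer(f"Press {digit} to accept charges.")

# An altered voicemail greeting is a fixed recording: same transcript whatever
# the prompt says, and it can pre-record every digit as well.
def recorded_greeting(_prompt):
    return "yes yes I will accept the charges yes yes 1 2 3 4 5 6 7 8 9 0"

# A live callee listens and repeats the token that follows "say" in the prompt.
def live_callee(prompt):
    tokens = prompt.split()
    return tokens[tokens.index("say") + 1]
```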