Phreaking Not Dead Yet

santos_douglas writes "From Wired comes this article about an exploit involving weak voicemail passwords and automated voice recognition systems for accepting collect calls. The providers involved, SBC and AT&T, don't seem too concerned about their customers receiving tens of thousands in fraudulant charges from places like Saudi Arabia and the Phillipines."

Old Voice mail exploit

[Lowen+Na]

We used to hit 9 three times in a row on the Nike 1-800 number to get a dail tone and make long distance phone calls on Nikes tab. Not really phreaking but it was a phone system exploit

Re:Old Voice mail exploit

[British]

Here's what I did once.

1. Hack a direct dial voice mail #(after hours business)
2. Record the message "hello??.........Yes I'll accept"
3. Call Long distance operator to do a 3rd party billing for a call, give voice mail # to bill to

The call went through, regardless of the fact that the person calling her, and the person she called both had the same voice.

Re:Old Voice mail exploit

[Menkhaf]

I wish I was born 10 years earlier. Then I could have been cool too. But unfortunately my parents weren't thinking of me at that time. Stupid bastards.

Re:Old Voice mail exploit

[Shant3030]

Here is what I did once...

I posted on a website how I scammed a large company.

Then I got arrested.

Re:Old Voice mail exploit

[vDave420]

Sigh...

From article:
[Quote]
Here's how the scam works: The default passwords that SBC issues to new users of their voicemail services are in a specific format and are easily guessed.

If the default password is not changed after the system is set up, it's ripe for exploitation by malicious hackers, who have been breaking into SBC voicemail systems and replacing the owners' recorded greetings with recordings of a voice saying "yes" at appropriate intervals.
[/Quote]

So, "you did that once?"

-dave-

Social engineering more than phreaking

[JUSTONEMORELATTE]

IMHO, this is more social engineering scam than phreaking. The telephone network is still operating perfectly normally, and the folks doing the hack aren't using any extra-ordinary control over the network.
Interesting read, just the same.

--

Re:Social engineering more than phreaking

[stretch0611]

this is more social engineering scam than phreaking.

No, the article says that people are attacking the system with the default password that SBC sets when the voicemail is installed.

AT&T doesn't seem concerned because they are still charging people for the calls. (Gee, a 30% discount on a $10,000 phone call that a person did not make, how generous -sic.)

SBC probably doesn't care because it makes their competitor (or future competitor depending on your state), AT&T, look bad to consumers when they try to collect the bill.

Thats not 'Real Phreaking'!

[NETHED]

Real phreaking is sneaking out of your parents house at ungodly hours to clip into your neighbor's line, or to build a BlueBox and scream 2600hz down the handset. Those were the days.

Re:Thats not 'Real Phreaking'!

[unicron]

Back in my day we stole our lineman's headsets from the MaBell truck. None of this pussy catalog order shit you little whipersnapers got these days. And they were even touch-tone! They were rotary! I still have a rotary lineman's headset lying around here somewhere. The rotary wheel is made of cast-iron, I shit you not. Thing weighs like 25lbs and looks like the meanest bludgening weapon ever made.

Re:Thats not 'Real Phreaking'!

[Waffle+Iron]

Thing weighs like 25lbs and looks like the meanest bludgening weapon ever made.

It was designed that way so that linemen could use it beat the crap out of teenaged punks who they caught trying to steal their equipment.

Re:Thats not 'Real Phreaking'!

[Pharmboy]

Yeah, one good thing about phreaking was that it got you OUT OF THE HOUSE!

Well yea, so does car jacking, volunteering for charity or skateboarding, but I don't think mom is gonna tell little Johnie to take his blue box, and go outside and get some fresh air....

Re:Thats not 'Real Phreaking'!

[pa-guy]

LOL. I've got two of those. The outside is thick plastic, inside everything is waterproofed. These were designed to last forever.

I've also got a really old one with the outside encased in rubber, and little prongs on the tiny rotary mech, so you could dial even with gloves on, at the top of a pole in any weather.

Dad was a lineman for MTS (Manitoba Telephone System). When he died I got all of this stuff, and a bunch of other cool stuff like climbing spikes and safety belts.

Note to all: don't install a resistor across the line to allow free incoming long distance calls when Dad's a lineman. Also, don't build a bluebox using parts you stole from dad's work. The phone company can get quite upset.

Dad was even madder.

Re:Thats not 'Real Phreaking'!

[Jason+Straight]

Shit - I just took the wires and touched them together in succession to dial rotary style. ;)

Not dead yet?

[macshune]

It's just a flesh wound!

Automated System Culpable

[dtolton]

It seems like AT&T is directly at fault here, even though they are warning people to change their default password, this type of scam wouldn't be possible if they didn't have an automated system processing collect calls.

Not only that, but AT&T is the one that chooses the default password, by picking something that is easily guessable they are doubly guilty of allowing this to happen.

Only paying 30% of a scam like this is shameful.

Re:Automated System Culpable

[British]

Then ATT needs to decide if it costs less to issue a random factory-made default password or to handle the fraud costs.

Re:Automated System Culpable

[stretch0611]

It seems like AT&T is directly at fault here...
...Not only that, but AT&T is the one that chooses the default password

Actually, SBC is at fault here. SBC is selling the voicemail system. SBC is setting the same default password for everyone.

AT&T is at fault for allowing someone's voicemail to accept collect calls and also by billing people that never made the calls.

Last, but not least, are the people that leave the default password on something.

Re:Automated System Culpable

[abhisarda]

I am at a loss to take sides in this case. In my department, when you open a new email account, they assign the username and say that the password is the first 5 digits of your social security number.

There are posters in the labs *strongly* advising one to change their password once they login for the 1st time. As far as I know it works just fine. If the user continues to use their social security no. and somebody hacks it, the user is totally at fault here.

Since there is the question of huge monetary losses, AT&T should assume responsibility here and ask the users to change their default password the first time they use their voicemail. Im sure AT&T has the technology to ensure that customers change their default passwords. Another way is to assign a hard to remember password so that the customer is *inclined* to change it.

When a website you sign up for assigns its own password, don't most people change it to a one that's convenient to them or do they keep using the uJl24fDSkPa they got in their email? Im betting on the former.

70 % AT&T's fault, 30 % customer's fault.

Phreaking

[Cyno01]

For more about Fone Phreaking, check out the grand master... Phone Losers of America

Re:Phreaking

[moonbender]

Short jargon file entry on it. If you're bored some day, be sure to read the report/short story on phreaking in the anarchists's cookbook, it's quite entertaining.

phreaking

/freek'ing/ [from `phone phreak'] n. 1. The art and science of cracking the phone network (so as, for example, to make free long-distance calls). 2. By extension, security-cracking in any other context (especially, but not exclusively, on communications networks) (see {cracking}). At one time phreaking was a semi-respectable activity among hackers; there was a gentleman's agreement that phreaking as an intellectual game and a form of exploration was OK, but serious theft of services was taboo. There was significant crossover between the hacker community and the hard-core phone phreaks who ran semi-underground networks of their own through such media as the legendary "TAP Newsletter". This ethos began to break down in the mid-1980s as wider dissemination of the techniques put them in the hands of less responsible phreaks. Around the same time, changes in the phone network made old-style technical ingenuity less effective as a way of hacking it, so phreaking came to depend more on overtly criminal acts such as stealing phone-card numbers. The crimes and punishments of gangs like the `414 group' turned that game very ugly. A few old-time hackers still phreak casually just to keep their hand in, but most these days have hardly even heard of `blue boxes' or any of the other paraphernalia of the great phreaks of yore.

Losers

[blackmonday]

Why would'nt the providers be concerned? Let's see, because they might lose money? Hmm..

Not really new ...

The basic idea being used here is *really* old, phreaks have been changing OGM's to "- pause - yes, we accept that collect call" and suchlike for ages. The novel aspect is that it's essentially automated, no SE'ing skills required to make a convincing message, due to AT+T and SBC being retards. Still amusing though.

thank god !?!?

[Brigadier]

For a second I thought this meant all my friends with dialers would start calling me long distance. I hated that every five minutes.

please insert more money
hang on dude (holding dialer to hand set)
waiting as dialer mimics the sound of one quarter at a time

You tell me who is right...

[greenskyx]

#1 --> "Victims say that AT&T and SBC know about the scam and are taking no
concrete action to protect consumers from it."

OR

#2 --> "But AT&T spokesman Gordon Diamond said that AT&T has been instrumental
in stopping the scam."

CLUE :

"Later Hatcher was told that AT&T would take 35 percent off her bill,
but she'd have to pay $8,000"

HMMMM.......

Quick summary of the exploit

[Levine]

Users are given a brand new phone system, with some default password used to set voicemail messages. Users did not change that default password. Enterprising na'er-do-wells realize this is going on, use the default password to change the voicemail greetings to "yes, yes, I will accept the charges, yes, yes" and proceed to make free collect calls.

We have a classic case of stupid users.

It's not that I don't feel for them. And I certainly think AT&T/SBC will start provisioning these systems with pseudorandom passwords as defaults. But if you don't change your password, and someone else finds out about it... that's no one's fault but your own.

Should the people who did this be punished? Absolutely, they clearly broke the law. But now, maybe people will begin to realize that security isn't something that they can leave up to third parties -- it's something they need to take in their own hands, lest they find themselves $12,000 up shit creek and lacking any means of locomotion.

levine

Re:Quick summary of the exploit

[mabu]

How difficult is it for SBC to employ a password scheme which isn't so easy to crack?

While it is foolish for the user to not change his/her password, that pales in comparison to the blatant negligence on the part of the voicemail provider, who presumably has plenty of resources and expertise at their disposal, though obviously not evidenced in this fiasco.

Whoever is responsible for this scheme at SBC should be fired. And SBC should be responsible for the victims' bills.

Re:Quick summary of the exploit

[T-Kir]

Well I suppose it's not really restricted to phone systems (me stating the obvious here).... all I have to say is:

login: cisco
password: cisco

And then you can add 'stupid admins/BOFHs' to the list.

Re:Quick summary of the exploit

[liquidsin]

Ideally what would be in place is that when someone activates the voicemail service, they have to enter a password right then, or at most have a default password that expires in 24 hours. So long as AT&T knew about the default passwords, which I'm sure they did, I can't say SBC is to blame. AT&T *knew* the risk was there, they could have required their new users to set a new password.

Before everyone starts talking..

[bazmonkey]

...about how much they love to "phreak", keep in mind that a good deal of us thought girls had "koodies" when the real phreaking was going on.

This ties in with our general hacker degredation. Phreaking is nearly gone, everything today is a DOS attack, a script kiddie, or a win32 virus, etc. Hell, I mutter "All your base..." in my compSci class and I am hard-pressed to find someone that can complete the phrase!

Sad, sad world...

Re:Before everyone starts talking..

[Elwood+P+Dowd]

I'm sorry, when was "All your base are belong to us" a phrase only known by an elite few hackers?

Passwords

[rf0]

Going from what I'm reading here it looks like they are using the default password that are shipped with systems. A quick search of google will chuck up the default for loads of systems. So bascically the adminstrators of the system aren't doing the job correctly or am I just misreading this?

Rus

Even worse

[zipwow]

Its not just that the fact the system is automated that is causing the problem, its the fact that the system is automated stupidly that casues problems.

Why can other systems (telemarketers, for example) tell that you've got an answering machine, but the phone company's can't?

And the article claims that they're happy with it that way:

Diamond said AT&T has no plans to change the automated system, "which has proven to be extremely reliable for many, many years."

I'll bet the people with the $12k bills wouldn't describe it as "extremely reliable"...

-Zipwow

Re:Even worse

[Zirnike]

Even just a minor change would be good.

Example: "YOu are about to accept a collect call. DO you accept?" (wait for 'yes', 'yep', 'uh-huh', whatever, interpret it, continue) 'To verify, please say the following word: (random word from set A)' (verify)

It wouldn't even take much effort. Suppose A includes 'toast', 'ummagumma', 'vaccum', 'moose', 'arbitrary', and of course, 'Forty-two'. They're all VERY distinctive, more so than 'nope' and 'yep', which they have to contend with anyway. Have, oh, 20 different lists, rotate them week to week (they're all on some server, not a problem there). Instant secure. Well, not absolute, but by an order of magnitude or 12.

Re:Even worse

[kesuki]

Then have the system say
"you have a collect call from "(name spoken by collect caller)" If you would like to accept charges say (random word or number) now. (pause) To accept charges say (same random word) now. To repeat this message press the # key"
The pause allows them to say 'umm what' and then figure it out. It's no harder than leaving a message on a voice mail system.

I originally thought of allowing the users to press a number on the telephone pad -- however that would allow them to input a sequence of all the numbers on the keypad into the voicemail message. Using random words is better. # key resets the random word, so that if the person can't pronounce the word so the system can understand it then gives them another chance to try.
Instead of a question, you tell them how to accept charges. you tell them how twice. Most people will be able to figure it out by the second time it's played to them. Those who can't shouldn't be accepting a collect call (or reproducing for that matter).

But here's the question

[Chagatai]

In the article, it discusses two individuals who failed to change their default password on their voicemail, leaving them vulnerable to a scam where people would make collect calls to their voicemail (after someone gained access to it), where the message was replaced by someone saying, "yes, I'll accept the charges". AT&T agreed that the individuals did not make the calls, but insist that the individuals (or their companies) still pay about two-thirds of the bill.

Here's the real question-should the people be forced to pay the bill because they were too dumb to not understand the words, "change your default password immediately." I say that we have already made things in life enough idiot-proof and AT&T has every right to ask them for thousands of dollars. Call it a "Stupid Bill".

Don't pay that bill!

[fname]

My advice to the consumers: don't pay the bill. Write a letter and have your lawyer, stating why you will not pay the bill. There is no legal reason why the victim should be obliged to pay. The biggest joke is AT&T offering a 30% "discount," when there gross margins are probably in excess of 90% for these collect calls.

Don't pay the bill. Call a lawyer, write your congressman, and tell AT&T you WILL NOT pay, and ignore the collection agency. They have no right to engage in a shakedown like this; AT&T is reaping huge profits from the scam victims. This scam costs AT&T almost no money, yet they are reaping giant rewards. Seems like AT&T is the one running the scam.

Re:Don't pay that bill!

[HaeMaker]

I agree, especially since AT&T had admitted she didn't accept the call. She can not be held responsible for a collect call she didn't accept. AT&T has to prove she accepted it.

Turing test for phones..

[pres]

I would think that something simple, like yahoo uses for account creation. Instead of "please say yes", it should be "please say XXXXX" where XXXX is randomly selected.

Re:Turing test for phones..

[protonman]

Easily defeated.

You just record & play back whatever they say. You could even use sox or something to fiddle with speed, noise, whatever, to make it sound less perfect.

Asking people to spell words or to complete an easy password cycle (like "Who's the current president of the USA?" or "Knock, knock?", etc. etc.) would be a lot thougher to beat. Thougher to implement too.

Default Password

[SwansonMarpalum]

I'm curious why everyone is pointing at the telcos when the users should have changed their passwords. While I wouldn't abdicate either party from being guilty, I think that the people who leave their voicemail wide open are just as irresponsible as the telephone companies using an automated system.

There is a solution however and I feel that the easiest would be for SBC to require users to change their passwords upon logging in for the first time. I know that voicemail systems which I have used have made that the very first step, before even allowing you to record your "I'm away" message.

Fix the problem and the rest will fall into place.

An idea to improve the automated collect calls

[Ryu2]

If AT&T is too stingy to use live humans for collect call acceptance, here should be some randomly chosen sort of challenge/response mechanism asked by the voice recognition system (eg, asking a simple question like "what day of the week is it?") or even "please repeat the word I say" (randomly chosen) to ensure that a simple pre-recorded static greeting can't work.

Sort of like the "Turing tests" that services like Yahoo and even Slashdot itself set up to foil automated registrations.

Re:An idea to improve the automated collect calls

[mpost4]

Be careful on how you implement this, there will always a group of people that will not be able to use the feature. Lets take you example of yahoo registration, which is a word that is done via a picture. Well there is a group of people that have trouble registering at yahoo, the group of people who have that problem are the blind. I remember I had to go over to a friends place to help him register for yahoo because their screen reader can not read a image.
How could there be a group of people that have problems with that, well lets take some one that might be mute, they can hear but can not talk but they have a TTY setup but that can not work on the collect call, so they have a recoding of a person saying "yes" to accept now the call is complete and they can hook up their TTY devices and continue on.

Re:An idea to improve the automated collect calls

[mbstone]

Another group that won't like your idea is: Lawyers. Some of us say "yes" on the outgoing greeting so as to be able to take voice mail from jail and prison inmates.

Of course it easy money for AT&T

[SmoothTom]

Hmmmmm ... Who's to say AT&T really WANTS to fix this problem.

Every time someone pulls this scam (not Phreak) AT&T makes money. In the two cases cited each one is worth about $8000 to AT&T.

Yes, some will fight the bill, and even win out against AT&T and SBC, but for every one who fights the charge hard enough to win, I'll bet that ten more just swallow and pay.

Uh, who knows, maybe SBS and AT&T are even making the calls, eh? ;o)

Not just user neglagence

The thing is, even if you do change your password this kind of exploit is still wide open. A dedicated phreak can set up a wardialer (a program that will call repeatedly if necessary and perform simply touch tone codes to a number) to try all possible combinations. Just have it play something like 00010020030040050060070080090110120130140150160170 18019021022023024025025026028....etc and all possible three or four digit numbers will be hit, thereby cracking the code. A lot of VMBs have it so you can only try one set then call back for another, but this is no problem. Just set the wardialer to try four, then call back and try the next four. Many VMBs have been seized through this method.

More on personal responsibility...

[kerika]

Let me get this straight. Person A orders voice mail. Said person: 1. never changes his password 2. never changes his voice message 3. never =listens= to his voice message 4. never gets told by his family/friends that he has an odd message, probably because he... 5. never receives calls May I ask why these people are ordering voice mail service in the first place?!

Re:Old Sk00l Phreaking

[Rinikusu]

One of the more amusing things I've come across lately is that there's usually a telephone "access" box attached to the exterior of houses these days so the lineman and do some cursory checks without needed access to the interior. Standard jack on the "access" box, with no lock. Just walk up, plug in, dial away...

Can't read the article but...

[allism]

(seems like Wired actually got /.ed?)

We have had something like this happen at our company. The problem is not just the default password here...here is what happened (and yeah, this could be offtopic, but I found it interesting so maybe you will too)

Precursors to the condition:

1. We have multiple 800 numbers running into our phone bank.

2. Phones may be set up to forward phone calls to a remote number, including numbers overseas, if the user has the 4-digit password. (Yes, we actually have a need for that - we're UK-owned)

Here's what happened:

We had someone war-dialing our system to hack the passwords for users. (I am assuming they were using war-dialing since they hit extension 201 first, then 202, etc.) They were calling in on our 800 number, then brute-forcing the 4-digit password.

When the hacker got the password, he/she would set up the phone so that the phone automatically forwarded all incoming calls to somewhere overseas (Pakistan and Taiwan, to name a couple of places).

The hacker then called back and dialed the extension, which automatically forwarded the call to the pre-selected number.

The only solution our IS/IT department came up with was to start requiring everyone to use 8-digit passwords which must be approved for complexity by their department. The calls in to our 800 number didn't stop for a long time.

My companys voice mail server used to get hacked

[eyeareque]

my companys voice mail server used to get hacked all the time. we have over 20,000 mail boxes so toll fraud is something that we just had to deal with. A simple fix for our problem.. turn off the ability to dial out of the voice mail server, and viola, problem solved. :)

AT&T's fault!

[rMortyH]

You can use a radioshack scanner and plug it into a computer running pd with a DTMF decoder patch and get anyone's voicemail password who has a cordless phone. For some cordless phones, you can even use an old TV set that goes up to channel 83!

You can also get long distance calling cards this way too, I'm paranoid and I now dial these on the cord phone, then pick up the cordless. Are user's responsible for using encrypted phones?

AT&T is clearly at fault for accepting the charges. That is the part of the system that is the weak link, not the voicemail passwords. Someone could have hung an answering machine on their phone line. It's a ridiculous hole.

As for SBC, Their system asks you for your password BEFORE your mailbox number, and if it's right for the phone you're using, it doesn't ask for the mailbox. So, if you have the same password as the person whose phone you're using, you hear THEIR messages, and there is no way to listen to your own! It's rare, but it happens. Telcos are lame.

=Rich

BTW, pd is the greatest, coolest, amazingest piece of linux software there is and hardly anyone seems to use it. You can make a DTMF decoder in no time, or generate any tones you need, and so much more! See the examples.....

current state of security sucks

[primus_sucks]

Just today I forgot my online banking password. All I had to do was call the bank give them my ss#, date of birth, and mother's maiden name and bingo, they gave me a new password. This is information that plenty of ex-wives/girfriends would have access to, not to mention the person from the bank I just told.

A couple of years ago someone apparently printed out checks from a laser printer with my name on them. Any jack-ass with a descent laser printer can make checks and a fake id.

Also today my wife's purse was stolen. I was helping her call credit card companies to cancel her cards. But the credit card companies wouldn't let me cancel them because I obviously wasn't my wife even though I had the answers to all their lame "security" questions.

The whole entire system is fucked up and easily beaten.

Watch out for fraud!

[rice_burners_suck]

Here's one to watch out for: Fraudulent calls to 900-like numbers in the U.S. Virgin Islands. Yup. Someone can call your house and leave a message, telling you that there is an important matter and you need to call them back. The phone number has an area code that looks NOTHING like 1-900. Kind of like those 877 and 888 numbers that are toll-free, except that these are toll-cost numbers. So you call back and hear a recording, the only purpose of which is to keep you on the line for as long as possible. Next thing you know, you get a phone bill for $1000.00 or so because this company charged you $500.00 a minute for two minutes. It's fraud but it's international, so you're screwed.

I never call back numbers that I don't recognize. If it's important, they'll call me again.

Re:How is it Social Engineering?

[Pharmboy]

Did you even read the article?

New here, huh?

where is the contract?

[g4dget]

Presumably, accepting third party charges involves some kind of contractual agreement. Normally, that happens when you say "yes" to another person. Can my answering machine, on its own, make legally binding decisions for me now? I don't think so.

AT&T screwed up with deploying voice recognition for this purpose (and presumably continuing to charge operator assist rates); that's their problem. I hope the lawyers are going to have a field day with them.

Blame the victim? Are you nuts?

[ChaosDiscord]

I see a hell of alot of posts to the effect "they kept the default password, they deserve the charges."

That's just stupid and shortsighted.

People balance security against realistic perceived risk. Realistic worst case risk for failing to reset my voice mail password: someone else hears my voice mail messages, deletes them without my ever hearing them, then records something embarrassing or damaging for my outgoing message. Bad, but perhaps I'm willing to live with that risk.

Getting hit with a $12,000 bill (or a $8,000 bill after AT&T generously reduces it) is completely unreasonable. Prior to reading this article, I didn't realize that this was a potential attack at all. I would have assumed that no company was stupid enough to let an answering machine accept charges on a phone call! You can't assess risks on attacks you aren't aware of. It's simply not possible to protect against all attacks (is your computer TEMPEST secure? Do you shred any documents you throw out with your social security number on them?). People need to balance risks against the cost to defend against them. Some people apparently decided against changing their password. They misjudged the risks because they were unaware that AT&T was doing something insanely stupid that could cost them alot of money.

Also remember that in many cases people are actively encouraged by their employers or service providers to not change the default passwords. I've specifically been told that in a number of cases. Depending on the reasonable risk level, I sometimes change the password anyway. I distinctly remember an ISP I was dealing with being shocked that I would want to change the factory standard password on the ISDN modem they sold us. If I changed it, how could they debug it remotely?)

Re:Old Sk00l Phreaking

[hoggoth]

> box attached to the exterior of houses
> Just walk up, plug in, dial away...

and get shot by the homeowner who figures you are cutting the phones before robbing his house.
I hope you have a "Plan B".