85 lines
5.3 KiB
Plaintext
85 lines
5.3 KiB
Plaintext
|
|
||
|
|
Cellular Phreaking Theory
|
||
|
|
|
||
|
|
|
||
|
|
The cellular/mobile phone system is one that is perfectly set up to be
|
||
|
|
exploited by phreaks with the proper knowledge and equipment. Thanks to
|
||
|
|
deregulation, the regional BOC's (Bell Operating Companies) are scattered and
|
||
|
|
do not communicate much with each other. Phreaks can take advantage of this
|
||
|
|
by pretending to be mobile phone customers whose "home base" is a city served
|
||
|
|
by a different BOC, known as a "roamer". Since it is impractical for each BOC
|
||
|
|
to keep track of the customers of all the other BOC's, they will usually allow
|
||
|
|
the customer to make the calls he wishes, often with a surcharge of some sort.
|
||
|
|
|
||
|
|
The bill is then forwarded to the roamer's home BOC for collection. However,
|
||
|
|
it is fairly simple (with the correct tools) to create a bogus ID number for
|
||
|
|
your mobile phone, and pretend to be a roamer from some other city and state,
|
||
|
|
that's "just visiting". When your BOC tries to collect for the calls from
|
||
|
|
your alleged "home BOC", they will discover you are not a real customer; but
|
||
|
|
by then, you can create an entirely new electronic identity, and use that
|
||
|
|
instead.
|
||
|
|
|
||
|
|
How does the cellular system know who is calling, and where they are?
|
||
|
|
|
||
|
|
When a mobile phone enters a cell's area of transmission, it transmits its
|
||
|
|
phone number and its 8 digit ID number to that cell, who will keep track of it
|
||
|
|
until it gets far enough away that the sound quality is sufficiently
|
||
|
|
diminished, and then the phone is "handed off" to the cell that the customer
|
||
|
|
has walked or driven into. This process continues as long as the phone has
|
||
|
|
power and is turned on. If the phone is turned off (or the car is), someone
|
||
|
|
attempting to call the mobile phone will receive a recording along the lines
|
||
|
|
of "The mobile phone customer you have dialed has left the vehicle or driven
|
||
|
|
out of the service area." When a call is made to a mobile phone, the
|
||
|
|
switching equipment will check to see if the mobile phone being called is
|
||
|
|
"logged in", so to speak, or present in one of the cells. If it is, the call
|
||
|
|
will then act (to the speaking parties) just like a normal call - the caller
|
||
|
|
may hear a busy tone, the phone may just ring, or the call may be answered.
|
||
|
|
|
||
|
|
How does the switching equipment know whether or not a particular
|
||
|
|
phone is authorized to use the network? Many times, it doesn't. When a
|
||
|
|
dealer installs a mobile phone, he gives the phone's ID number (an 8 digit
|
||
|
|
hexadecimal number) to the local BOC, as well as the phone number the BOC
|
||
|
|
assigned to the customer. Thereafter, whenever a phone is present in one of
|
||
|
|
the cells, the two numbers are checked - they should be registered to the same
|
||
|
|
person. If they don't match, the telco knows that an attempted fraud is
|
||
|
|
taking place (or at best, some transmission error) and will not allow calls to
|
||
|
|
be placed or received at that phone. However, it is impractical (especially
|
||
|
|
given the present state of deregulation) for the telco to have records of
|
||
|
|
every cellular customer of every BOC. Therefore, if you're going to create a
|
||
|
|
fake ID/phone number combination, it will need to be "based" in an area that
|
||
|
|
has a cellular system (obviously), has a different BOC than your local area
|
||
|
|
does, and has some sort of a "roamer" agreement with your local BOC.
|
||
|
|
|
||
|
|
How can one "phreak" a cellular phone? There are three general areas
|
||
|
|
when phreaking cellular phones; using one you found in an unlocked car (or an
|
||
|
|
unattended walk-about model), modifying your own chip set to look like a
|
||
|
|
different phone, or recording the phone number/ID number combinations sent by
|
||
|
|
other local cellular phones, and using those as your own. Most cellular
|
||
|
|
phones include a crude "password" system to keep unauthorized users from using
|
||
|
|
the phone - however, dealers often set the password (usually a 3 to 5 digit
|
||
|
|
code) to the last four digits of the customer's mobile phone number. If you
|
||
|
|
can find that somewhere on the phone, you're in luck. If not, it shouldn't be
|
||
|
|
TOO hard to hack, since most people aren't smart enough to use something
|
||
|
|
besides "1111", "1234", or whatever. If you want to modify the chip set in a
|
||
|
|
cellular phone you bought (or stole), there are two chips (of course, this
|
||
|
|
depends on the model and manufacturer, yours may be different) that will need
|
||
|
|
to be changed - one installed at the manufacturer (often epoxied in) with the
|
||
|
|
phone's ID number, and one installed by the dealer with the phone number, and
|
||
|
|
possible the security code. To do this, you'll obviously need an EPROM burner
|
||
|
|
|
||
|
|
as well as the same sort of chips used in the phone (or a friendly and
|
||
|
|
unscrupulous dealer!). As to recording the numbers of other mobile phone
|
||
|
|
customers and using them; as far as I know, this is just theory... but it
|
||
|
|
seems quite possible, if you've got the equipment to record and decode it.
|
||
|
|
The cellular system would probably freak out if two phones (with valid
|
||
|
|
ID/phone number combinations) were both present in the network at once, but it
|
||
|
|
remains to be seen what will happen.
|
||
|
|
|
||
|
|
Note/Disclaimer: Ok, I don't pretend to know everything about
|
||
|
|
cellular phones; I've screwed around with them a little, but I figured I'd
|
||
|
|
make a file with the things I've learned about them, to at least share what I
|
||
|
|
know and possible bring about further discussion.
|
||
|
|
|
||
|
|
Downloaded From P-80 Systems - 304-744-2253 - Since Halloween 1980
|
||
|
|
|