Cellular Phreaking courtesy of The Jolly Roger

The cellular/mobile phone system is one that is perfectly set up to be
exploited by phreaks with the proper knowledge and equipment. Thanks to
deregulation, the regional BOCs (Bell Operating Companies) are scattered
and do not communicate much with each other. Phreaks can take advantage of
this by pretending to be "roamers": mobile phone customers whose "home base"
is a city served by a different BOC. Since it is impractical for each BOC
to keep track of the customers of all the other BOCs, they will usually
allow the customer to make the calls he wishes, often with a surcharge of
some sort.

The bill is then forwarded to the roamer's home BOC for collection.
However, it is fairly simple (with the correct tools) to create a bogus ID
number for your mobile phone, and pretend to be a roamer from some other
city and state who is "just visiting". When your BOC tries to collect for
the calls from your alleged "home BOC", they will discover you are not a
real customer; but by then, you can create an entirely new electronic
identity, and use that instead.

How does the cellular system know who is calling, and where they are?
When a mobile phone enters a cell's area of transmission, it transmits its
phone number and its 8 digit ID number to that cell, which keeps track of
it until the phone gets far enough away that the signal quality is
sufficiently diminished, and then the phone is "handed off" to the cell that
the customer has walked or driven into. This process continues as long as
the phone has power and is turned on. If the phone is turned off (or the
car is), someone attempting to call the mobile phone will receive a
recording along the lines of "The mobile phone customer you have dialed has
left the vehicle or driven out of the service area." When a call is made to
a mobile phone, the switching equipment will check to see if the mobile
phone being called is "logged in", so to speak, or present in one of the
cells. If it is, the call will then act (to the speaking parties) just like
a normal call - the caller may hear a busy tone, the phone may just ring, or
the call may be answered.

How does the switching equipment know whether or not a particular phone
is authorized to use the network? Many times, it doesn't. When a dealer
installs a mobile phone, he gives the phone's ID number (an 8 digit
hexadecimal number, known in cellular terms as the ESN) to the local BOC,
as well as the phone number the BOC assigned to the customer. Thereafter,
whenever a phone is present in one of the cells, the two numbers are
checked - they should be registered to the same person. If they don't
match, the telco knows that an attempted fraud is taking place (or at best,
some transmission error) and will not allow calls to be placed or received
at that phone. However, it is impractical (especially given the present
state of deregulation) for the telco to have records of every cellular
customer of every BOC. Therefore, if you're going to create a fake ID/phone
number combination, it will need to be "based" in an area that has a
cellular system (obviously), has a different BOC than your local area does,
and has some sort of a "roamer" agreement with your local BOC.
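
The check described in the last two paragraphs, written out as an added
example (this is not code from the Jolly Roger text): a local phone's pair
of numbers must match what the dealer reported, while a roamer is verified
only if the serving system can consult the home BOC's records; when it
cannot, the call is allowed with a surcharge and the bill is forwarded,
which is the gap the text relies on. The example also covers the branch the
text only implies, a roamer whose home records are reachable and checked.
The names ESN (the article's 8 digit hexadecimal ID number) and MIN (the
assigned phone number) are the standard cellular terms; the BOC names,
area-code assignments, subscriber records, roamer agreements and the
class/function names are all constructed for this example.

```python
"""Simulated serving-switch registration check (added example, constructed data)."""
import re
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Set

ESN_RE = re.compile(r"^[0-9A-F]{8}$")   # 8 hex digits, as the article describes
MIN_RE = re.compile(r"^\d{10}$")        # 10-digit assigned phone number


class Verdict(Enum):
    ACCEPT = "accept"                            # pair matched a record we hold
    ACCEPT_UNVERIFIED = "accept-unverified"      # roamer; home BOC could not be consulted
    REJECT_MISMATCH = "reject-mismatch"          # pair contradicts the record on file
    REJECT_NO_AGREEMENT = "reject-no-agreement"  # no roamer agreement with the home BOC


@dataclass(frozen=True)
class Decision:
    verdict: Verdict
    surcharge: bool  # roamer calls carry a surcharge and are billed to the home BOC
    reason: str


class ServingSystem:
    """The switch of one BOC deciding whether a registering phone may place calls."""

    def __init__(self, boc: str, npa_to_boc: Dict[str, str],
                 subscribers: Dict[str, str], roamer_agreements: Set[str],
                 reachable_home_dirs: Dict[str, Dict[str, str]]) -> None:
        self.boc = boc
        self.npa_to_boc = npa_to_boc              # area code -> BOC that assigns it
        self.subscribers = subscribers            # MIN -> ESN, as reported by the dealer
        self.roamer_agreements = roamer_agreements
        self.reachable_home_dirs = reachable_home_dirs  # BOC -> its MIN -> ESN table, if queryable

    def validate(self, min_: str, esn: str) -> Decision:
        esn = esn.upper()
        if not MIN_RE.match(min_) or not ESN_RE.match(esn):
            raise ValueError("malformed MIN or ESN")
        home = self.npa_to_boc.get(min_[:3])
        if home is None:
            return Decision(Verdict.REJECT_NO_AGREEMENT, False, "area code not served by any known BOC")
        if home == self.boc:
            # Local customer: the dealer gave us both numbers, so the pair must match exactly.
            if self.subscribers.get(min_) != esn:
                return Decision(Verdict.REJECT_MISMATCH, False, "ESN does not match the dealer record for this MIN")
            return Decision(Verdict.ACCEPT, False, "local subscriber")
        if home not in self.roamer_agreements:
            return Decision(Verdict.REJECT_NO_AGREEMENT, False, f"no roamer agreement with {home}")
        directory = self.reachable_home_dirs.get(home)
        if directory is None:
            # The gap the article relies on: no copy of the other BOC's records,
            # so the call goes through and the bill is forwarded afterwards.
            return Decision(Verdict.ACCEPT_UNVERIFIED, True, f"{home} records unavailable; bill forwarded to {home}")
        if directory.get(min_) != esn:
            return Decision(Verdict.REJECT_MISMATCH, False, f"{home} has no such ESN/MIN pair")
        return Decision(Verdict.ACCEPT, True, f"roamer verified with {home}")


def build_sample_system() -> ServingSystem:
    """Constructed sample data: one serving BOC, two partners, one stranger."""
    return ServingSystem(
        boc="BOC-WEST",
        npa_to_boc={"415": "BOC-WEST", "212": "BOC-EAST", "617": "BOC-NORTH", "312": "BOC-CENTRAL"},
        subscribers={"4155550101": "82A1F00C", "4155550177": "3B9E20D4"},
        roamer_agreements={"BOC-EAST", "BOC-NORTH"},
        reachable_home_dirs={"BOC-NORTH": {"6175550142": "51C0DE99"}},  # BOC-EAST is not queryable
    )


if __name__ == "__main__":
    system = build_sample_system()
    for min_, esn in [("4155550101", "82A1F00C"), ("4155550101", "DEADBEEF"),
                      ("2125550199", "00C0FFEE"), ("6175550142", "51C0DE99"),
                      ("3125550123", "12345678")]:
        d = system.validate(min_, esn)
        print(f"{min_}/{esn}: {d.verdict.value} surcharge={d.surcharge} ({d.reason})")
```

The ACCEPT_UNVERIFIED branch is the one the article exploits: a bogus pair
whose area code belongs to a partner BOC the serving switch cannot query is
never checked against anything before the call completes.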

How can one "phreak" a cellular phone? There are three general approaches
to phreaking cellular phones: using one you found in an unlocked car (or an
unattended walk-about model), modifying your own chip set to look like a
different phone, or recording the phone number/ID number combinations sent
by other local cellular phones and using those as your own. Most cellular
phones include a crude "password" system to keep unauthorized users from
using the phone - however, dealers often set the password (usually a 3 to 5
digit code) to the last four digits of the customer's mobile phone number.
If you can find that somewhere on the phone, you're in luck. If not, it
shouldn't be TOO hard to hack, since most people aren't smart enough to use
something besides "1111", "1234", or whatever.

If you want to modify the chip set in a cellular phone you bought (or
stole), there are two chips (of course, this depends on the model and
manufacturer; yours may be different) that will need to be changed - one
installed at the manufacturer (often epoxied in) with the phone's ID
number, and one installed by the dealer with the phone number, and possibly
the security code. To do this, you'll obviously need an EPROM burner as
well as the same sort of chips used in the phone (or a friendly and
unscrupulous dealer!). As to recording the numbers of other mobile phone
customers and using them; as far as I know, this is just theory... but it
seems quite possible, if you've got the equipment to record and decode it.
The cellular system would probably freak out if two phones (with valid
ID/phone number combinations) were both present in the network at once,
but it remains to be seen what will happen.
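
The last sentences above ask what the system would do if the same ID/phone
number pair turned up twice. What a carrier-side detector would actually
look for in the registration records is shown below as an added example,
not part of the Jolly Roger text: one phone number (MIN) registering with
more than one ID number (ESN), which catches a recorded or guessed pair
that is wrong, and one ESN/MIN pair registering from two cells it could
not have travelled between in the elapsed time, which catches a correct
pair in use by two phones at once. The log format, cell sites and their
coordinates, the 150 km/h threshold and every sample line are constructed
for this example.

```python
"""Clone detection over constructed registration log lines (added example)."""
import math
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed log format: ISO timestamp, serving cell, MIN, ESN.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) cell=(?P<cell>\S+) "
    r"min=(?P<min>\d{10}) esn=(?P<esn>[0-9A-Fa-f]{8})$")

# Constructed cell-site coordinates (latitude, longitude in degrees).
CELL_SITES: Dict[str, Tuple[float, float]] = {
    "SF-07": (37.78, -122.42),
    "SF-12": (37.75, -122.45),
    "LA-03": (34.05, -118.24),
    "NYC-01": (40.71, -74.01),
}

MAX_KMH = 150.0  # assumed ceiling for how fast a car phone can move between cells

# Constructed sample registrations, including one corrupt line.
SAMPLE_LOG = [
    "1987-03-14T10:02:11 cell=SF-07 min=4155550101 esn=82A1F00C",
    "1987-03-14T10:40:53 cell=SF-12 min=4155550101 esn=82A1F00C",
    "this line is corrupt and must be skipped",
    "1987-03-14T10:55:00 cell=NYC-01 min=4155550101 esn=82A1F00C",  # same pair, other coast
    "1987-03-14T11:10:30 cell=LA-03 min=2125550199 esn=00C0FFEE",
    "1987-03-14T11:12:05 cell=LA-03 min=2125550199 esn=7F7F7F7F",   # same MIN, different ESN
]


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def parse(lines: List[str]) -> List[Tuple[datetime, str, str, str]]:
    """Return (timestamp, cell, MIN, ESN) for each well-formed line, in time order."""
    out = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # a line we cannot read is dropped rather than guessed at
        out.append((datetime.fromisoformat(m["ts"]), m["cell"], m["min"], m["esn"].upper()))
    return sorted(out)


def detect(lines: List[str]) -> List[dict]:
    """Flag MINs seen with several ESNs and ESN/MIN pairs that moved impossibly fast."""
    alerts: List[dict] = []
    esns_by_min: Dict[str, Set[str]] = defaultdict(set)
    last_seen: Dict[Tuple[str, str], Tuple[datetime, str]] = {}
    for ts, cell, min_, esn in parse(lines):
        seen = esns_by_min[min_]
        if seen and esn not in seen:
            # The dealer registered exactly one ESN per MIN, so a second one is a bogus pair.
            alerts.append({"type": "esn-mismatch", "min": min_, "esns": sorted(seen | {esn}), "at": ts})
        seen.add(esn)
        pair = (min_, esn)
        if pair in last_seen:
            prev_ts, prev_cell = last_seen[pair]
            if prev_cell != cell and prev_cell in CELL_SITES and cell in CELL_SITES:
                km = haversine_km(CELL_SITES[prev_cell], CELL_SITES[cell])
                hours = (ts - prev_ts).total_seconds() / 3600.0
                if hours <= 0 or km / hours > MAX_KMH:
                    # A valid pair in two places at once: the "two phones present" case.
                    alerts.append({"type": "impossible-travel", "min": min_, "esn": esn,
                                   "cells": (prev_cell, cell), "km": round(km, 1),
                                   "hours": round(hours, 3), "at": ts})
        last_seen[pair] = (ts, cell)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The velocity check only works when the switch records which cell served
each registration and the two systems compare notes; a pair cloned into a
BOC that never exchanges registration data with the home BOC is exactly
the case neither check can see, which is the point the text makes about
roamers.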

-----------------Jolly Roger