The High Tech Hoods Presents...

*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*
*                                           *
* PAGER, FAX, AND DATA INTERCEPT TECHNIQUES *
*                                           *
*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*

One can only imagine the internal trauma of being a paging company owner. It
would be sort of like owning a company that made little glass vials. Hell,
business has just suddenly shot through the roof over the last few years,
making enormous profits for everyone lucky enough to be in the business of
manufacturing little glass vials, but sometimes, late at night, the owners
must wonder exactly why people are buying millions of little glass vials... So
it goes with pagers: the popularity of the common pager has exploded
concurrently with the drug trade. Pagers are so popular that in America 7.2%
of the entire population carries a pager. In the good old days, wearing a pager
meant you were a doctor or maybe a car thief, but certainly nothing more
disreputable than that. Today doctors, and let's face it, even car thieves,
like to hide their pagers under jackets or tend towards those new little
pagers that masquerade as ballpoint pens so people don't assume they're drug
dealers. At this writing, one state (Virginia) actually has a law prohibiting
pager use on school grounds and several other states have tried to pass bills
(unsuccessfully) demanding licensing of pagerized individuals.

Not to say that pager companies don't have some kind of conscience; they do.
In fact, they have formed a group known as TELOCATOR, the Mobile Communications
Industry Association. Telocator promotes paging/police cooperation and
attempts to keep its individual members informed on the latest laws and
procedures as they apply to pagers. However, to be frank, their primary
success seems to be cute little stickers that say "MOBILEized" for the war on
drugs for pager companies to stick on their doors, along with nice little
laser-written posters that remind prospective pager renters that the "use of a
pager in a commission of a felony is prohibited by federal law and carries a
penalty of up to four years imprisonment and/or a fine of up to $30,000 for
each offense."

One can only wonder exactly how effective these efforts are in shaping the
morals of the pager industry, especially since the subscriber base is expected
to continue growing and is estimated to reach 21 million users by the
mid-1990's. Pagers operate in the clear on radio frequencies that can be
received with any standard receiver or a scanner. The information
transmitted on pagers can be of interest to anyone from law enforcement to
business competitor groups. There are several interesting ways of extracting
said information.

TYPES OF PAGERS

Although numeric display pagers constitute more than half of the pagers in use
today, other types are also in use. Here's a list ordered by popularity:

NUMERIC DISPLAY: This service lets one receive numbers sent from any
touch-tone telephone. The pager beeps and shows telephone numbers,
previously agreed-upon codes, parts numbers, stock prices, purchase orders,
and so on. Limited information may be sent along in the form of numbers that
stand for initials, or simple codes.

TONE: The tone pager emits a beep telling the user to call back a
predetermined location such as an office, home, voice mailbox, or telephone
answering machine.

TONE AND VOICE: This paging service gives an audible tone
followed by the message in the caller's own voice. There is no operator, and
no need for the user to call in. The pager delivers the complete message.

ALPHANUMERIC DISPLAY: This latest development is actually a miniature
message center that beeps and displays messages in words and numbers. Messages
are sent through an input device or dispatched by a live operator.

PRIVACY LAWS AND PAGERS

For each type of pager, different legal requirements
must be met for intercepts. On the federal level, the easiest pager to deal
with is the simple tone-only device. The U.S. Justice Department had long held
that interception of a tone-only pager was not a search, since there is no
expectation of privacy in a device that only beeps or vibrates. Therefore, the
Department has maintained, interceptions raise no Fourth Amendment issues
and require neither a warrant nor a court order. This policy was certified by
Congress when it passed the Electronic Communications Privacy Act of 1986
(ECPA), which excludes tone-only pagers from its provisions. Although the
information conveyed by intercepting a tone-only pager is limited, such
intercepts can be helpful in documenting patterns of behavior by suspected
criminals. Since they are the cheapest and easiest to use of all pagers,
tone-only units may be most commonly encountered in connection with drug
activity, at least among lower echelon criminals.

Federal and state laws treat
privacy interests in display and tone-and-voice paging communications. Under
ECPA, for example, the police generally cannot intercept a tone and voice or a
display pager without first securing an appropriate court order. This
restriction stems from Congress' conclusion that subscribers using such pagers
have a reasonable expectation of privacy in the paging communications they
send and receive. A similar conclusion is also reflected in state privacy
statutes, which often impose stricter requirements on carriers and law
enforcement officials than does the ECPA.

As requirements for legal
protections increase, so do the rewards for intercepting display pagers. A
numeric display pager displays a 10- or 12-digit number, usually the phone
number of a person who desires a return call. More sophisticated drug dealers,
however, use the digits as code, with, for example, a "1" at the end of a
phone number meaning "the cocaine is not in."

Obviously, police and others intercepting such messages with monitoring
devices or cloned pagers can harvest considerable worthwhile information.
The recent increase in the use of alphanumeric paging is beneficial to law
enforcement due to the added bonus of text messages. Theoretically, exact
details of drug transactions could be made available to law enforcement if the
deal was conducted via alpha paging and an intercept was in progress.

There
are several ways in which paging carriers aid law enforcement in preventing
illegal use of pagers for drug transactions, including leasing pagers which are
cloned to police, assisting in intercepts of paging communications and
providing the police with information about paging subscribers. Federal and
state privacy statutes, however, generally require law enforcement agencies to
secure appropriate authorization before enlisting the aid of paging
carriers. Specifically, most privacy laws prevent the police from using a
cloned pager or intercepting a paging communication unless they have first
obtained a court order, a special emergency request or the subscriber's
consent. Similarly, law enforcement agencies may not gain access to
information about paging subscribers (such as transactional records) unless they
secure either a subpoena, a warrant, a court order, or the consent of the
customer.

INTERCEPTIONS: AN OVERVIEW

Successful pager interception is dependent upon several factors:

1. Frequency of the paging service. Law enforcement agencies or detectives
   are advised to simply call local paging carriers and ask them for their
   frequencies. This is public information and usually will be given out
   without any problem. Books are also available on this subject from CRB
   RESEARCH.

2. Paging number. Some intercept techniques require the actual phone number
   that activates a particular pager.

3. Cap code. A cap code is a seven or eight digit number that is the actual
   EIN, or Electronic Serial Number of the pager. This digital cap code is
   what the pager looks for in the stream of paging messages before it locks
   onto a message and notifies its wearer.

4. Some interception methods require the paging format. There are a number
   of proprietary formats engineered by pager manufacturers.

Most paging systems operate in the FM band normally from 35 MHz to new
super-high microwave pagers in the 931-932 MHz area. These signals can be
received on any receiver but they will come in as frequency shift data
signals, nothing that is intelligible to the normally equipped listener. Most
paging systems have a local coverage area determined by the number and
placement of their transmitters. The average area is probably 40-60 miles in
size, although many companies are now expanding their coverage by adding
additional transmitters or making deals with other companies to give statewide
coverage.

A new paging system actually gives nationwide coverage. The system
is known as Wide Area Paging and is typified by CUE Paging Corporation. The
user rents a "Cue Pager" which is actually not a fixed receiver but rather a
scanner that scans the FM commercial radio band. Cue (and other companies)
rent space on one or more commercial FM stations in most cities in the United
States. In fact, Cue boasts of over 200 FM stations in their nationwide
network. The paging signal is carried on a sub-carrier, or SCA, portion of the
broadcast signal that is inaudible to standard receivers. No matter where the
subscriber finds himself, his unit will scan until it finds the paging
sub-carrier signal and then lock on to that signal, waiting for its own cap
code to appear. To page a subscriber, the caller dials an 800 number and then
plugs in the specific pager identity code. This data is flashed by an uplink
to a satellite where it is transmitted across the country to various downlink
stations and then land lined or microwaved to FM radio transmitting towers.
In a Cue-type system, it is not necessary to know where the subscriber is;
simply the fact that he is in the United States gives a very high probability
of reaching him on his pager. The pager itself is no larger than a standard
Motorola-type paging unit. These wide area systems normally offer some sort of
echo back or voice mail system to let subscribers retrieve messages from an
800 number in case they happen to be between SCA stations when a message comes
in.

There are a couple of ways of intercepting pager messages. One of the niftiest
is through the use of a clone. A cloned pager is simply a pager which operates
on the same frequency and has the same cap code as the target's pager. In
short, the paging system has no way of knowing how many receivers are actually
listening at any given time, so any message that is transmitted will be
received simultaneously by all identical pagers. Traditionally this has been
the favorite method of law enforcement to intercept a suspect's messages;
paging companies will cooperate with departments who have authorization by
issuing them details on the owner of any pager or by physically manufacturing
a cloned pager and giving it to a detective. One narc I know uses the vaguely
dubious trick of "borrowing" a subject's pager during a body search, popping
out the EIN chip and replacing it with a non-programmed chip. When the pager
is returned to its owner it will, of course, no longer work. Disgruntled owner
takes pager back to company and complains. With any luck the company will
program a new pager to the same cap code on the spot and give it back to the
suspect. The cop simply pops the EIN chip into his own pager and now owns a
non-registered clone that will duplicate the perp's messages...

The second paging intercept option is to purchase one of several software
packages that work in conjunction with a scanner or a receiver and an IBM or a
Mac PC. These software packages "listen" to the scanner which is set up to
listen to a certain paging frequency. In this type of operation, the potential
interceptor only needs to know either the cap code or the call
number, nothing else. Assuming one has the phone number to activate the target
pager, one simply turns on the receiver, initializes the software and then
dials the pager sending a unique code (for some reason 6666 seems to be in
vogue with most law enforcement agencies), and then watches a computer monitor
to see when the code is broadcast. The program will immediately display the
cap code of the pager and, if it is an alphanumeric pager, the text message.
Once this has transpired, the program will set up an automatic file in the
computer to grab any and all further messages to that pager, storing them as
to time, date, and phone number or text message to be called. Most systems
will take any of the paging formats including the POCSAG format. Case files
can be printed immediately or printed when reviewed or stored on floppy disks
and reviewed at any time. Most of these systems will monitor from 1-32,000
pagers at any given time and set up a file for each individual pager. These
systems began as proprietary systems to be used by paging companies to monitor
hacking attempts, traffic patterns, and system problems but have spread to law
enforcement and now civilian intercept markets.

Do these systems work? Yes,
I've tested the INTERCEPTOR-LE system and it pretty much does what it says
it's going to do. The system grabs and displays incoming messages
simultaneously or in many cases faster than the pager receives them and works
with all existing paging formats as well as has the capability to use new
formats as they are introduced. The LE system sells in the $4,000 range at the
time of this writing but, folks, let's face it, it's just a little software
package and lower-priced clones are going to appear on the market if they
haven't by this writing. LE is available from SHERWOOD COMMUNICATIONS. A second
paging intercept program is available from TGA Technologies in Dunwoody,
Georgia. Or you can get it from The New York Hack Exchange BBS.

What to do if you think your pages are being intercepted by some nameless
force? One gentleman I know (damn but I do know a lot of interesting people,
don't I?) got a "666" page on his pager in the middle of the night. He had
reason to suspect he was the target of a non-warranted police surveillance as
a close friend of his had just been popped on a weapons charge (later
dropped). My friend spent the next two days calling himself and entering 30 or
so "interesting" return numbers including CIA, NSA and FBI offices around the
country, plus international suppliers of anything interesting, phone numbers of
various embassies and even a White House "inside" number he happened to have on
hand. It may not be a cure all, but the satisfaction of knowing he was driving
several detectives crazy did provide a certain amount of satisfaction.

FAX INTERCEPTION

Alexander Graham Bell must be turning over in his grave at the spread of the
ubiquitous fax machine. Fax machines are rapidly replacing telephones as the
primary method of communication for many businesses and some individuals. I
personally know of at least two people who have impulsively ripped out their
telephones and replaced them with a fax machine, the implication being, of
course, that my time is too valuable to waste talking on the phone. Many
people who should know better think that faxes are a safer method of data
exchange than is the telephone because no words are transmitted, simply data.
As one might suspect, this data can be intercepted and logically regurgitated
to "bug" fax machines.

There have been a couple of problems associated with
fax tapping that have just recently been solved. Faxes trade data by means of
frequency- or phase-shift keying at speeds of 300 to 9600 baud. This type of
data transmission does not lend itself to recording and playback on most
audio tape recorders, as the speed is too high and the frequencies are too
close together. Any distortion renders the transmission unintelligible. Faxes
fall into several groups depending on what type of transmission parameters they
employ. The most common one at this time is called Group III. The particular
protocols for Groups I, II, III and IV are set by something called CCITT and
are available in a $25.00 booklet.

Faxes trade setup information at the beginning of each call in something
known as the handshake period. During the handshake the sending fax will set
itself to the highest possible group protocol that the receiving fax will
accept before it begins transmitting data. The sending fax requires acceptance
and confirmation of this handshake before it will begin the actual
transmission. Some faxes offer limited security by reading the phone number of
the receiving fax and comparing it to an internal list before sending the data,
but this should not concern anyone who is tapping into the line because if they
use a high impedance phone tap (just a simple .01 mfd capacitor in series with
a 10k ohm resistor and perhaps a NE-2 neon lamp across the line between the two
components), the sending fax will not notice the "invisible" third party on
the phone line.

Let's examine the handshake protocol of a typical fax machine.
What happens when one presses "send" on a fax machine? The answering fax
machine transmits a 2,100 Hz tone for three seconds, and then begins a
negotiating process at 300 bps including a single high-pitched tone, followed
by a lower, warbling tone. The second tone is the 300-bps receiver
capabilities packet. When the warbling ends, there is a brief pause, and if the
calling fax hasn't responded, the process is repeated. The first step is to
send a digital identification signal (DIS) that tells the answering machine
what it can do including: What is the maximum transmission speed possible?
Does the sending unit support modified read compression? Does it include
error correction? The sending fax transmits a digital command signal (DCS)
that tells the called unit which of the operating parameters described in the
DIS will be used. This signal turns on these features in the receiving unit.

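The handshake order this section walks through (answer tone, DIS, DCS, test
signal, CFR, then page, EOP and MCF until DCN) can be written down as a state
table and used to audit a fax call log, for example to flag a handshake that
repeats mid-call or a page that was never confirmed. This is an added example,
not part of the original text; the log format, state names and sample logs are
assumptions, and the sequence is the simplified one given in this section.

```python
# Added example (not from the original text): check a logged fax call against
# the handshake order the article describes. The "<seconds> <sender> <signal>"
# log format, the state names and the sample logs are assumptions.
CALLER, CALLED = "caller", "called"

# (current state, signal, sender) -> next state
TRANSITIONS = {
    ("start", "CED", CALLED): "answered",             # 2,100 Hz answer tone
    ("answered", "DIS", CALLED): "capabilities",      # receiver capabilities
    ("capabilities", "DIS", CALLED): "capabilities",  # repeated until answered
    ("capabilities", "DCS", CALLER): "commanded",     # parameters to be used
    ("commanded", "TRAINING", CALLER): "trained",     # test signal
    ("trained", "CFR", CALLED): "ready",              # confirmation to receive
    ("ready", "PAGE", CALLER): "page_sent",
    ("page_sent", "EOP", CALLER): "awaiting_mcf",     # end of page
    ("awaiting_mcf", "MCF", CALLED): "confirmed",     # message confirmation
    ("confirmed", "PAGE", CALLER): "page_sent",       # next page, no new handshake
    ("confirmed", "DCN", CALLER): "done",             # disconnect
}
HANDSHAKE = {"CED", "DIS", "DCS", "TRAINING", "CFR"}
TRANSFER_STATES = {"page_sent", "awaiting_mcf", "confirmed"}


def parse_log(text):
    """Split ';'- or newline-separated entries into (sender, signal) pairs."""
    events = []
    for entry in text.replace("\n", ";").split(";"):
        if entry.strip():
            _seconds, sender, signal = entry.split()
            events.append((sender, signal))
    return events


def expected(state):
    """Human-readable list of what the table allows next in this state."""
    return sorted(f"{sig} from {snd}" for st, sig, snd in TRANSITIONS if st == state)


def validate_session(events):
    """Walk the events through the table and collect every deviation."""
    state, pages, problems = "start", 0, []
    for i, (sender, signal) in enumerate(events, 1):
        nxt = TRANSITIONS.get((state, signal, sender))
        if nxt is None:
            if signal in HANDSHAKE and state in TRANSFER_STATES:
                problems.append(f"event {i}: {signal} from {sender} repeats "
                                "the handshake after page transfer began")
            else:
                problems.append(f"event {i}: unexpected {signal} from {sender} in "
                                f"state {state}; expected {', '.join(expected(state))}")
            if signal == "DCN":  # a disconnect ends the call either way
                state = "done"
            continue
        if nxt == "confirmed":
            pages += 1
        state = nxt
    if state != "done":
        problems.append(f"session ended in state {state} without DCN")
    return {"ok": not problems, "pages": pages, "problems": problems}


# Constructed sample logs, not captured traffic.
GOOD_LOG = """0.0 called CED; 3.0 called DIS; 4.1 caller DCS; 4.6 caller TRAINING
6.2 called CFR; 6.5 caller PAGE; 31.0 caller EOP; 32.2 called MCF
32.5 caller PAGE; 55.8 caller EOP; 57.0 called MCF; 57.4 caller DCN"""
BAD_LOG = """0.0 called CED; 3.0 called DIS; 4.1 caller DCS; 4.6 caller TRAINING
6.2 called CFR; 6.5 caller PAGE; 31.0 caller EOP; 32.2 called MCF
32.6 caller DCS; 33.0 caller PAGE; 55.8 caller EOP; 57.4 caller DCN"""

if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("bad", BAD_LOG)):
        print(name, validate_session(parse_log(log)))
```
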
The sending fax transmits a test signal to help the receiving unit lock onto
the proper signals. The receiving fax transmits a confirmation-to-receive
(CFR) signal to tell the sending unit it is ready to accept the first page.
The first page of the fax message is sent from the originating device. When the
end of the page is reached, the sending unit transmits an end-of-page (EOP)
signal and waits for a message confirmation (MCF) from the receiving unit.
This process continues until the final page is sent and the calling fax
transmits a disconnect (DCN) signal to sever the connection, freeing both
telephones. Note that the initial handshaking that establishes the
capabilities of each unit in the connection is conducted only once, at the
beginning of the link. Once the sending fax starts transmitting pages, there
is no need for this handshake again.

Commercial fax interception devices are
made by a number of companies including HDS and STG, aimed at law enforcement
but, in some cases, sold to anyone with the bucks. Commercial facsimile taps
are based either on an IBM PC equipped with a fax modem which intercepts and
receives the protocol signals and the fax message, writing it directly to disk
and then reprinting it out on the screen or on a printer, or on employing a
special tape recorder to save messages for later playback through a modified
fax machine. These devices do work and have been used in courts on numerous
occasions. They also average about $28,000 each. If money's no object, hey, I
say give 'em a call. In reality there's very little difference between tapping a
data transmission and tapping a voice transmission. Here's how to
do it for about $27,000 less:

Intercept the data stream by use of a good dropout recorder or high impedance
capacitor circuit as described above. Record the entire transmission on a
digital audio tape recorder. DAT's are now commercially available for about
$800 but this will drop soon and may have dropped by the time you read this.
DAT's use a high sample rate to record the audio in the form of boolean
digits. There is no distortion, noise or error introduced in playback or
recording. What you hear is what you get. Therefore, DAT's are the ideal and
perhaps really the only method of recording fax transmissions.

Once the transmission is on tape, there are two choices: either feed it into a
fax modem and into a computer where it can be stored and manipulated, or feed
it directly into a fax machine. In either case the information should come
down a phone line. The simplest way to do this, if one has access to two phone
lines, is to unscrew the mouthpiece and clip a jumper cable from the output of
the DAT directly into the telephone line, dial up the other phone line and run
it into the computer or fax machine. However, a very nice alternative is to
employ your own central office in the form of a VIKING Phone Line Simulator.
For about $100 this little device provides a carrier that makes any phone
think it's hooked up to central office and another telephone. Signals, voice
and data can be fed into the simulator and will come out at line level at the
output.

If the resulting signal is to be fed into a computer, the carrier on the modem
should be turned off so it will not respond with a carrier of its own when
receiving the target's communications, resulting in interference. If a Hayes
equivalent modem is used, the signal sequence to put it into the monitor mode
so it will still receive data without a carrier is as follows:

FOR ORIGINATE: AT C0 S10=255D
FOR ANSWER: AT C0 S10=255A

This turns off the carrier and sets the modem to ignore the carrier loss.

The output of the DAT can be fed into a fax machine, and with a little bit of
practice one can use the pause button in order to time the handshake sequence,
setting up the fax machine to receive the intercepted transmission just as
if it were the receiving end fax.

As long as the machines sync up with regard to baud rate and protocol, it
will reproduce the fax communication.

This procedure will also work for data communications between two
computers. Instead of feeding the result into a fax, simply feed it into your
modem. In fact, modem transmission, which is frequency shift keying and less
subject to distortion than phase shift keying, can often be reproduced by a
high quality reel-to-reel tape recorder.

Or you can get the 'DATA TAP' program that will soon be available throughout
the computer underground. This program allows one to TAP into various lines
with a stand alone unit or use of a laptop. The program is expected to be
released in Jan. of 94. It's written by The Raven and IBMMAN of The High
Tech Hoods. For any other info, contact them.