informis/textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
278a90f7ce
textfiles/phreak/blv.txt
root@procul 278a90f7ce Initial commit
2021-04-15 13:31:59 -05:00

89 lines
4.4 KiB
Plaintext
Raw Blame History

The following short article appeared in the Winter 1991-92 issue of "2600", a
magazine that bills itself as "The Hacker Quarterly". (Their Internet address
is 2600@well.sf.ca.us) I thought it might be of interest, so I'm passing it
along. Enjoy!
-- Urizen
"U.S. Phone Companies Face Built-In Privacy Hole"
Phone companies across the nation are cracking down on hacker explorations
in the world of Busy Line Verification (BLV). By exploiting a weakness, it's
possible to remotely listen in on phone conversations at a selected telephone
number. While the phone companies can do this any time they want, this recently
discovered self-serve monitoring feature has created a telco crisis of sorts.
According to an internal Bellcore memo from 1991 and Bell Operating Company
documents, a "significant and sophisticated vulnerability" exists that could
affect the security and privacy of BLV. In addition, networks using a DMS-TOPS
architecture are affected.
According to this and other documents circulating within the Bell Operating
Companies, an intruder who gains access to an OA&M port in an office that has a
BLV trunk group and who is able to bypass port security and get "access to the
switch at a craft shell level" would be able to exploit this vulnerability.
The intruder can listen in on phone calls by following these four steps:
"1. Query the switch to determine the Routing Class Code assigned to
the BLV trunk group.
"2. Find a vacant telephone number served by that switch.
"3. Via recent change, assign the Routing Class Code of the BLV
trunks to the Chart Column value of the DN (directory number) of the vacant
telephone number.
"4. Add call forwarding to the vacant telephone number (Remote Call
Forwarding would allow remote definition of the target telephone number
while Call Forwarding Fixed would only allow the specification of one
target per recent change message or vacant line)."
By calling the vacant phone number, the intruder would get routed to the
BLV trunk group and would then be connected on a "no-test vertical" to the
target phone line in a bridged connection.
According to one of the documents, there is no proof that the hacker
community knows about the vulnerability. The authors did express great concern
over the publication of an article entitled "Central Office Operations--The End
Office Environment" which appeared in the electronic newsletter LEGION OF
DOOM/HACKERS TECHNICAL JOURNAL [sic]. In this article, reference is made to the
"No Test Trunk."
The article says, "All of these testing systems have one thing in common:
they access the line through a No Test Trunk. This is a switch which can drop
in on a specific path or line and connect it to the testing device. It depends
on the device connected to the trunk, but there is usually a noticeable click
heard on the tested line when the No Test Trunk drops in. Also, the testing
devices I have mentioned here will seize the line, busying it out. This will
present problems when trying to monitor calls, as you would have to drop in
during the call. The No Test Trunk is also the method in which operator
consoles perform verifications and interrupts."
In order to track down people who might be abbusing this security hole,
phone companies across the nation are being advised to perform the following
four steps:
"1. Refer to Chart Columns (or equivalent feature tables) and validate
their integrity by checking against the corresponding office records.
"2. Execute an appropriate command to extract the directory numbers to
which features such as BLV and Call Forwarding have been assigned.
"3. Extract the information on the directory number(s) from where the
codes relating to BLV and Call Forwarding were assigned to vacant directory
numbers.
"4. Take appropriate action including on-line evidence gathering, if
warranted."
Since there are different vendors (OSPS from AT&T, TOPS from NTI, etc.) as
well as different phone companies, each with their own architecture, the
problem cannot go away overnight.
And even if hackers are denied access to this "feature", BLV networks will
still have the capability of being used to monitor phone lines. Who will be
monitored and who will be listening are two forever unanswered questions.
Reference in New Issue View Git Blame Copy Permalink