THE SUNDAY TIMES, OCTOBER 15 1972 --------------------------------- INSIGHT ON PHONE PHREAKS -- the pranksters who have turned the world's telephone systems into an electronic playground. Their `Bleeper' (left) allows them to make calls free. HOW THE SECRET TELEPHONE WAR CAME TO BRITAIN -------------------------------------------- LAST CHRISTMAS DAY a ward sister at the maternity hospital in Bethlehem was startled to receive a phone call from a student in London. He was calling, he explained, to pay his respects to all babies born in Bethlehem that day. The gesture was marred only by the fact that the student was not paying for the call. Using a small electronic device, he had blotted out all controls on the British telephone system. He had dialled his way, free, to the Middle East. The student was, in fact, one of the growing British band of "phone phreaks": the apt American term for the few hundred students, engineers and computer men who have grasped that, with diligence and technical know-how, it is possible to turn the world's telephone networks into a huge electronic adventure playground -- free of charge. Phone-phreaking has been a growing cult in the United States for some time. But it is only in the last five years that British addicts have succeeded in unravelling the more complex secrets of our own STD system. Already it is causing the Post Office serious problems. It has been forced to set up an inquiry to tighten internal security; the attentions of its overworked Investigation Branch have been diverted from more orthodox -- and more substantial -- postal and telephone frauds; and its engineers are currently being compelled to spend millions of pounds re-structuring telephone equipment to protect the system. On their side, British phreaks have cracked the network of secret Post Office trunk codes -- and other data designed only for operators -- by sheer intellectual sweat. Meanwhile, to catch them, the Post Office is using on a national scale what amounts to a form to tapping which does not apparently need the permission of the Home Secretary. But what one Post Office executive called "this war of attrition between us and the phone phreaks" -- it has hotted up somewhat over the past year -- has been fought in almost complete secrecy. The phone phreaks are naturally silent. And the Post Office, too, has much to hide. For over the last decade as Britain's telephone system crept into the 20th century, the Post Office consistently underestimated the experience of bruised American telephone companies over the opportunities for misuse that the new systems present. The dedicated phone phreak is usually interested purely in the intellectual satisfaction of mastering the system, and his activities might seem no worse than an irritating prank. But what worries the telephone companies is that his techniques clearly open the door to commercial exploitation. Meanwhile, the Post Office, entrenched behind the protection of the Official Secrets Act, has so far blocked all enquiries on the subject. Yet we have found that its security is, in fact, so lax that the phone phreaks of Britain have assembled all the technical data they need from the Post Office's own publications. ---------------------------------------------------------------------------- Recipients of phreak calls ---------------------------------------------------------------------------- HAD THE STUDENT who phoned Bethlehem chosen, he could have dialled to almost any country in the world possessing an advanced telephone system. He could, for example, have been told "Amazing Bible Facts" by the Melbourne exchange, listened to classical music on the Vienna telephone circuit, dialled the Kremlin on Moscow 2240625 or the Swahili speaking-clock on Kampala 994, been given the descriptions of all dogs lost in San Francisco, or had a sultry-voiced lady named Suzanne invited him to enjoy the " respect and honesty" -- either "singly or in groups" -- of her "Love Playhouse" just off Hollywood's Sunset Boulevard. Those, at any rate, are some favoured recipients of British phone phreaks' triumphs. The disparity between the technical feat and the juvenilia often at the other end of the line is the hall-mark of the true phone phreak. And it points to the difficulties the Post Office engineers face in countering the assault. Since phone phreaking is -- at least in its "innocent" form -- an irrational activity, the tougher the engineers make the system the more satisfying the phreaks find it. To demonstrate the obsession, it is only necessary to consider the effort that has gone into cracking the system so far. Systematic phone phreaking began in America in the summer of 1967, when an obscure technical journal published a long and arid treatise on the theory of switching operations in long-distance telephone systems. The article had been innocently written by an engineer with Bell Telephone, part of the giant American Telephone and Telegraph group, which dominates the country's phone business. The article was aimed at telephone engineers, but it contained some extremely practical information -- a list of all frequencies used by Bell to produce the multi-frequency tones that control the company's entire long-distance network. It was a catastrophic mistake. A few weeks later a young American engineer with a passion for messing about with phones read the article. Within 12 hours he had built himself the first "blue-box," a remarkable device which is effectively, the key to making free phone calls around the world. (The boxes are, in fact, rarely blue; but they have to be distinguished from another phreaking device, the "black box.") By the time that Bell, horrified, realised what damage had been done and had recalled every copy of the journal from public circulation, photostats had been taken. A phone phreak network was born. Technological folk heroes who gave themselves pseudonyms like Captain Crunch, The Midnight Skulker and Blind Joe Engressia were soon to emerge. Since then, underground technology has kept ahead of every counter-move by the desperate phone companies. For the blue box utilises precisely the technology that AT&T used, in the early 1950s, to transform -- at the cost of millions of dollars -- its entire long-distance trunk network. As any call progresses through a telephone system, it has to be switched along from one exchange to another. The digits of the phone number dialled must, therefore, be converted into switching instructions. In Bell's system, every digit from one to ten (zero) produces in the system its own musical tone. The digit 5, for example, triggers a switching signal combining tones of 1,300 and 900 cycles per second. ---------------------------------------------------------------------------- An original genius ---------------------------------------------------------------------------- The early blue boxes were constructed around tape-recordings of these precious tones duplicated on an electric organ. More sophisticated models now incorporate electronic oscillators to produce the tones. The blue box comes equipped with buttons. Putting the box to his telephone mouthpiece, the phreak plays the number he wants -- plus any necessary signalling instructions -- into the system. And, of course, the tones his box produces are precisely those which the system is constructed to obey. There have been phreaks of original genius -- the legendary Captain Crunch, who found that the free plastic whistle in every packet of Cap'n Crunch breakfast cereal gave out the precise pitch required to unlock Bell's long-distance circuits; or Joe Engressia, the blind teenager from Florida who can whistle phone tones with perfect pitch. But no phreak could have got away with it for long with a human operator. The very quality of Bell's automated technology -- with a luxurious choice of routes between any two distant points and built-in free circuits, for booking hotels and the like, which the phreaks can tune into -- has been the key to successful American phreaking. BRITISH PHREAKS, by comparison, have had an uphill struggle -- not because, as the Post Office claims, the telephone system here is more sophisticated than Bell's, but because British STD is, in fact, very cumbersome. To understand what the British phreaks do, it is helpful to visualise the telephone network in three layers: local lines, above them the trunk lines and at the top the international lines. "STD" is the mechanism which takes a legitimate call from the local line and lifts it to trunk level. Parts of the country also have "International Subscriber Dialling," which is basically STD that takes your call to international level. The key to phreaking is that a call at trunk level can be routed through as many trunk exchanges as you like -- provided you know the codes. These are not the same as the STD codes printed in the directories: those numbers are " translated " by the STD apparatus into the operational trunk codes. The aim of phreaking, therefore, is to find a way from local level up to trunk level bypassing the STD mechanism. British phreaks have found four principal methods. The oldest is "chaining." As our diagram (above right) shows, most local lines radiate from a big group exchange. But many exchanges are also directly inter-connected. So a phreak can -- if he looks up the right local codes -- dial from one exchange to another across the country by-passing the STD apparatus. "Chains" more than about 50 miles long gave almost inaudible reception. However, some phreaks claim a successful "chaining" over the 397 miles from London to Kirkcaldy in Scotland. (It took about 45 digits to dial and speech was totally inaudible.) For what the phreaks call "trunk access," however, subtler means are required. As our diagram also shows, trunk lines between group exchanges carry local traffic, too. Painstaking hours of dialling all possible combinations of numbers between these group exchanges gave the phreaks about 40 pairs of exchanges where a local call from one end could be persuaded, as it were, to turn left at the other and stay on the trunk instead of going down to local level again. But it was in the course of these experiments that the phreaks stumbled across method three -- and one of the Post Office's most closely guarded secrets. Some experts had managed to wire up their own routes into the national and international trunk network. All of these methods can be used in combination, of course. Indeed, we have worked out a route whereby the Prime Minister, should he feel so inclined, could phreak his way from Broadstairs to the Queen at Balmoral for the cost of a local call. He would go via Canterbury and Ashford on to national trunks. then through London to Aberdeen and down to Balmoral. But Mr Heath would have to dial 19 digits. He would, like most phreaks are, have to be obsessional. Those three methods might be described as trails of skill between the phreaks and the system. But method four is the phreaks' ultimate weapon: the "bleeper," the British equivalent of the American "blue box." British STD is again cruder than the Americans: the "bleeper" only has to emit one tone, 2280 cycles per second, for a carefully controlled period, and the STD meters which cost the call simply cut out. The phreak with a bleeper need not use any of the other three methods. He merely sabotages one piece of equipment in the normal STD system. IT IS A LITTLE unclear what finally persuaded the Post Office to act. All we can discover is that about May, 1971, a special study group was set up inside the Post Office. And according to the Post Office's director of telecommunications services. C.R. Dancey, it was "entirely a matter of internal discipline within the Post Office, control of papers and control of personnel...." From other sources, there is good reason to think that this primarily concerned the STD system. At about the same time, the Post Office discovered that its secret trunk dialling codes, normally only available to operators, were being fed into a computer by the phreaks and resulting beautifully produced sheets of codes distributed. ---------------------------------------------------------------------------- A £5 million remedy ---------------------------------------------------------------------------- The Investigation Branch -- the Post Office's own 80-man detective force, housed in Euston Tower, London -- promptly gave phreaking their top priority. Meanwhile Post Office engineers began laboriously to re-wire vulnerable parts of the main group exchanges and the most obvious local ones to "bar" the phreaks' access to "chaining" and the trunk network. But "barring" is a formidably costly task, anything up to £20,000 a time if the exchange to be re-wired is large. According to one engineering source, the Post Office is currently "barring" all the phreaks' main access routes in a circle round London. This is said to be a £5 million job. Meanwhile, the Investigation Branch's main weapon against the phreaks has been a telephone tapping device called a Printer-meter. Attached to a suspect's phone, this device records the time, duration and number dialled of every call they make. Its most common use before the anti-phreak campaign was to check contested accounts. And its virtue is that, besides being far less costly in manpower than a full-scale telephone tapping with tape recorders, use of the Printer-meter does not, apparently, require permission from the Home Secretary. But some phreaks claim, plausibly, to know a way of cutting off a Printer-meter by an ingenious electronic wiping mechanism -- an indication of how technically refined the conflict has become. THE PHREAKS themselves scarcely warrant such activity. Because, in real terms, their cost to the Post Office is negligible. As the Post Office's chief press officer, Mr Kenneth Ley, points out, phreaks prefer to work in off-peak hours -- and the electricity actually consumed even in international calls is miniscule. "It is very much a private war between us and the phreaks," Mr Ley said. And it is a war with a substantial element of plain technical one-upmanship in it. It is hard to avoid the conclusion that, with the amateur phreaks at least, Post Office has brought most of this on itself. For at least ten years, Bell has been warning the Post Office that phreaks are a challenge endemic to any trunk-dialling system. Yet as late as the beginning of last year -- when yet another liaison team returned from a visit to Bell -- the Post Office was still claiming to be phreak-proof. Even where its planners did foresee trouble -- for instance, on the links between group exchanges -- lack of cash prevented them from designing blocks into the system. So the Post Office has been forced to use the powers of the Official Secrets Act -- in the hope that no information about the failings and loopholes of the system would leak. Yet the Post Office has itself published much vital data. The bible of the telecommunications business is Atkinson's "Telephony," a hefty two-volume text-book compiled by successive generations of Post Office engineers. It is a standard work at technical reference libraries: and it contains descriptions of the circuits of virtually all key telephone equipment. It is, of course, reasonable and necessary that technical information is widely disseminated: the Post Office, like any technological concern, has little choice but to supply it through text-books like Atkinson's. And since telecommunications is an international affair, it is equally reasonable that international reference books are made available. Yet some of these incorporate extremely sensitive material. In Geneva, for example, the Consultative Committee on International Telegraphs and Telephones publishes -- for about £46 -- a nine-volume "White Book" which provides the frequencies of all international and most national communications channels. Volume 6 lists the frequencies of the signals needed to control theses channels. And on pages 362-363, there is a table showing that the British telephone system is controlled by signals of 2,280 cycles per second. But even if this sort of leakage is unavoidable, the Post Office seems to be rather casual with even more sensitive material -- as the history of the British phreaks' own "bleeper" indicates. ---------------------------------------------------------------------------- `Leaks' in a journal ---------------------------------------------------------------------------- The Institution of Post Office Electrical Engineers publishes a quarterly journal available to anyone for 21p an issue. About 4,500 of its 38,000 readers are not Post Office employees. The journal is, moreover, available at such public reference libraries as Glasgow, Manchester and Acton and Wandsworth in London. Yet it was from the journal, in an article baldly entitled "Signalling System A.C. No.9," written by two senior Post Office engineers, that some British phone phreaks built their first bleepers. And there is an interesting comparison between British and American attitudes regarding such publications. When Bell's signalling frequencies were published in the American technical journal in 1967, the company systematically hunted down and withdrew every issue of the journal. Over the next five years Britain proposes to move from the present single-tone signalling system to a multi-tone system similar to that used by Bell. The vital frequencies of such a system have been publicly available in the Post Office Electrical Engineers Journal for the past three years. From one of hundreds of photostats already well-thumbed by intending phone phreaks, we reproduce the Journal's frequency table (below). ________________________________________ | | | TABLE 5 | | | | Signalling Code for S.S.M.F. No.3 | |________________________________________| | | | | | Frequency | | Digit or Signal | Combination | | | (Hz) | |____________________|___________________| | | | | 1 | 1,380 + 1,500 | | 2 | 1,380 + 1,620 | | 3 | 1,500 + 1,620 | | 4 | 1,380 + 1,740 | | 5 | 1,500 + 1,740 | | 6 | 1,620 + 1,740 | | 7 | 1,380 + 1,860 | | 8 | 1,500 + 1,860 | | 9 | 1,620 + 1,860 | | 0 | 1,740 + 1,860 | | Code 11 | 1,380 + 1,980 | | Code 12 | 1,500 + 1,980 | | Prefix (guard) | 1,740 + 1,980 | | Keying finished | 1,860 + 1,980 | |____________________|___________________| The first trials of this proposed signalling system started on the lines between Leeds and Huddersfield earlier this year. Some phreaks knew of the coming trials using the Journal's information, they had already built their own bleepers. On the very first day, a phreak bleeped his way to -- the Speaking Clock. He recorded the call as he made it. "It is another phreak said re????? to?ic recording. end.