Cellular Phreaking courtesy of The Jolly Roger
The cellular/mobile phone system is one that is perfectly set up to be
exploited by phreaks
with the proper knowledge and equipment. Thanks to
deregulation, the regional BOC’s (Bell
Operating Companies) are scattered
and do not communicate much with each other. Phreaks can
take advantage of
this by pretending to be mobile phone customers whose "home base"
is a city
served by a different BOC, known as a "roamer". Since it is impractical
will usually allow
the customer to make the calls he wishes, often with a
surcharge of some sort.
The bill is then forwarded to the roamer’s home BOC for collection.
However, it is fairly
simple (with the correct tools) to create a bogus ID
number for your mobile phone, and pretend
to be a roamer from some other
city and state, that’s "just visiting". When your BOC
tries to collect for
the calls from your alleged "home BOC", they will discover you
are not a
real customer; but by then, you can create an entirely new electronic
identity, and use that instead.
How does the cellular system know who is calling, and where
they are?
When a mobile phone enters a cell’s area of transmission, it transmits its
phone number and its 8 digit ID number to that cell, who will keep track of
it until it gets
far enough away that the sound quality is sufficiently
diminished, and then the phone is
"handed off" to the cell that the customer
has walked or driven into. This process
continues as long as the phone has
power and is turned on. If the phone is turned off (or the
car is), someone
attempting to call the mobile phone will receive a recording along the
lines of "The mobile phone customer you have dialed has left the vehicle
or driven out of
the service area." When a call is made to a mobile phone,
the switching equipment will
check to see if the mobile phone being called is
"logged in", so to speak, or
present in one of the cells. If it is, the
call will then act (to the speaking parties) just
like a normal call - the
caller may hear a busy tone, the phone may just ring, or the call may
be
answered.
How does the switching equipment know whether or not a particular
phone is authorized to use the network? Many times, it doesn’t. When a
dealer installs a
mobile phone, he gives the phone’s ID number (an 8 digit
hexadecimal number) to the local BOC,
as well as the phone number the BOC
assigned to the customer. Thereafter, whenever a phone is
present in one
of the cells, the two numbers are checked - they should be registered to
the same person. If they don’t match, the telco knows that an attempted
fraud is taking place
(or at best, some transmission error) and will not
allow calls to be placed or received at
that phone. However, it is
impractical (especially given the present state of deregulation)
for the
telco to have records of every cellular customer of every BOC. Therefore,
if
you’re going to create a fake ID/phone number combination, it will need
to be
"based" in an area that has a cellular system (obviously), has a
different BOC than
your local area does, and has some sort of a "roamer"
agreement with your local
BOC.
How can one "phreak" a cellular phone? There are three general areas
(or an unattended
walk-about model), modifying your own chip set to look
like a different phone, or recording
the phone number/ID number combinations
sent by other local cellular phones, and using those
as your own. Most
cellular phones include a crude "password" system to keep
unauthorized
users from using the phone - however, dealers often set the password
(usually a 3 to 5 digit code) to the last four digits of the customer’s
mobile phone number.
If you can find that somewhere on the phone, you’re
in luck. If not, it shouldn’t be TOO hard
to hack, since most people
aren’t smart enough to use something besides "1111",
"1234", or whatever.
If you want to modify the chip set in a cellular phone you
bought
(or stole), there are two chips (of course, this depends on the model and
manufacturer, yours may be different) that will need to be changed - one
installed at the
manufacturer (often epoxied in) with the phone’s ID
number, and one installed by the dealer
with the phone number, and possible
the security code. To do this, you’ll obviously need an
EPROM burner
as well as the same sort of chips used in the phone (or a friendly and
unscrupulous dealer!). As to recording the numbers of other mobile phone
customers and using
them; as far as I know, this is just theory… but it
seems quite possible, if you’ve got the
equipment to record and decode it.
The cellular system would probably freak out if two phones
(with valid
ID/phone number combinations) were both present in the network at once,
but
it remains to be seen what will happen.
—–Compiled by: RFLAGG——-
Add A Comment