ELECTRONIC TOLL FRAUD DEVICES

BLUE BOXING

The following information applies primarily to the AT&T network. It is the largest long distance carrier and has been around the longest; therefore, more is known about its technical operation. The other carriers have their own special weaknesses and are more easily breached using methods described in another chapter.

What is a Blue Box?

The blue box is so named because that happened to be the color of the first one found. A basic blue box has 13 buttons or switches: the digits 0-9, the two control signals labeled "KP" and "ST", and one button that produces the **** Hz "disconnect" signal. Blue boxes are used to circumvent telephone company billing equipment and make free calls to anywhere in the world. The box may be connected directly to the phone line or acoustically coupled to the mouthpiece of the handset. The signaling tones it produces may also be recorded on a cassette tape for later playback.

In spite of continuing efforts to protect the system from fraudulent use, there has been a new wave of blue boxing in recent years, due to the advent of the personal computer and new knowledge about "holes" in the integrity of the system. A phone phreak can buy a personal computer in a department store for less than $200.00. Armed with this hardware and the right knowledge, he can make long distance calls, including overseas calls, set up interstate conferences with his friends that go on for hours, call special operators who normally can be reached only by other operators, and perform other "tricks", all without charge. With the addition of a cheap cassette recorder, he becomes highly mobile and elusive. Highly advanced and knowledgeable phone phreaks are constantly probing the system for flaws in its security. Their ability to call internal operators gives them the power to pose as telephone company personnel for the purpose of gaining privileged information about the system.
It would be hard to estimate how many calls from "Telephone Repair Service" or "Security" were actually placed by phreaks doing experiments of their own or fishing for information.

How It Works

The most common form of signaling between toll offices uses a code derived from six tones. This is referred to as multifrequency (MF) signaling. The tones are played together, two at a time, to represent the digits 0-9. In addition there are two special signals, KP and ST, which are also sent as dual tones. KP stands for "key pulse". It is a gate-opening signal which tells the system that digits are to follow. ST stands for "start". It tells the system that all digits have been sent; it is an end-of-transmission signal and a command to the system to start processing the information. The principle is basically the same as that used for tone signaling with a push button telephone, except that the frequencies of the tones are different. Table (X) shows the combinations of frequencies used in North America and on CCITT Signaling System No. 5 (the six frequencies are designated by the letters A through F):

Table (X)

  Signal                                      Frequency pair
  ----------------------------------------------------------
  KP1 (start of digit transmission            A + B
       for a national call)
  KP2 (start of digit transmission            C + B
       for an international call from
       an intermediate (transit) exchange)
  Digits:  1                                  E + D
           2                                  E + A
           3                                  D + A
           4                                  E + C
           5                                  D + C
           6                                  A + C
           7                                  E + F
           8                                  D + F
           9                                  A + F
           0                                  C + F
  ST (end of digit transmission)              F + B

The MF signals are sent over the normal voice channels. They may be sent by a switchboard operator or by automatic equipment. On some systems the operator's signaling is audible, and sometimes the automatic signaling can be heard due to crosstalk between lines. A **** Hz tone is transmitted continuously on all voice channels between toll offices while the channel is free. This frequency also acts as a disconnect signal, indicating that the voice channel should return to its unused status.
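The following is an added example, not code from the original file: it turns the digit-to-pair table above into an outpulsing sequence of the form KP + digits + ST and synthesizes it as audio, which is what a computer-driven blue box does before the tones are played into the handset or recorded on tape. The six MF frequencies are redacted in this file, so the tone letters map to caller-supplied frequencies; PLACEHOLDER_FREQS holds arbitrary stand-in values, not the real ones, and the on/off timings are assumptions of the example rather than figures from the text.

```python
"""Added example (not part of the original file): build an MF outpulsing
sequence from Table (X) and synthesize it as 8 kHz 16-bit PCM / WAV."""
import io
import math
import struct
import wave

# Signal -> pair of tone letters, copied from Table (X) in the text.
MF_PAIRS = {
    "KP1": ("A", "B"), "KP2": ("C", "B"), "ST": ("F", "B"),
    "1": ("E", "D"), "2": ("E", "A"), "3": ("D", "A"), "4": ("E", "C"),
    "5": ("D", "C"), "6": ("A", "C"), "7": ("E", "F"), "8": ("D", "F"),
    "9": ("A", "F"), "0": ("C", "F"),
}

# Stand-in frequencies for the six MF tones.  The real values are redacted
# in this file; these are arbitrary placeholders so the example runs.
PLACEHOLDER_FREQS = {"A": 410, "B": 480, "C": 550, "D": 620, "E": 690, "F": 760}


def parse_sequence(text):
    """Split 'KP-011044-ST' (or 'KP+904+011+067+ST') into signal names,
    one entry per digit; plain 'KP' means KP1."""
    out = []
    for chunk in text.replace("+", "-").split("-"):
        chunk = chunk.strip().upper()
        if not chunk:
            continue
        if chunk in ("KP", "KP1"):
            out.append("KP1")
        elif chunk in ("KP2", "ST"):
            out.append(chunk)
        elif chunk.isdigit():
            out.extend(chunk)
        else:
            raise ValueError("unknown signal: " + chunk)
    return out


def to_pairs(text):
    """The tone-letter pairs that the sequence is sent as."""
    return [MF_PAIRS[name] for name in parse_sequence(text)]


def synthesize(text, freqs, rate=8000, digit_ms=60, gap_ms=40, kp_ms=100, amp=0.4):
    """Return 16-bit PCM samples for the sequence.  Each signal is the sum
    of its two tones, followed by silence.  KP is held longer than a digit
    (kp_ms vs digit_ms); these durations are assumptions of this example."""
    samples = []
    for name in parse_sequence(text):
        f1, f2 = (freqs[letter] for letter in MF_PAIRS[name])
        on_ms = kp_ms if name.startswith("KP") else digit_ms
        for i in range(int(rate * on_ms / 1000)):
            t = i / rate
            v = amp * (math.sin(2 * math.pi * f1 * t) + math.sin(2 * math.pi * f2 * t))
            samples.append(int(max(-1.0, min(1.0, v)) * 32767))
        samples.extend([0] * int(rate * gap_ms / 1000))
    return samples


def write_wav(samples, rate=8000):
    """Pack the samples into a mono 16-bit WAV image and return its bytes."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return buf.getvalue()


if __name__ == "__main__":
    # First-stage overseas outpulsing for England, as given later in the text.
    pcm = synthesize("KP-011044-ST", PLACEHOLDER_FREQS)
    with open("outpulse.wav", "wb") as f:
        f.write(write_wav(pcm))
```

Supplying a different letter-to-frequency table is all that is needed to generate push-button (DTMF) dialing with the same code, which is the relationship between the two systems that the text describes.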
When a subscriber dials a number, it reaches his local central office (CO) and possibly a toll office by DC pulsing or push button tone signaling. The toll office selects a free voice channel in an appropriate trunk and stops the **** Hz tone. The office at the other end of that trunk detects the break in the **** Hz signal and is alerted to receive a toll telephone number. The number is sent in the MF code listed in Table (X). One toll office passes the number to another until the called central office is reached. The central office then rings the called telephone. When either party hangs up, the call is disconnected and the toll offices start transmitting the **** Hz tone again to indicate that the channel is idle.

If a short burst of **** Hz is transmitted from a subscriber's telephone, the toll office receives this as a signal that the subscriber has hung up. It then places **** Hz on the channel to the next toll office. Phone phreaks call this "whistling off" or "beeping off" a trunk. The subscriber is still connected to a long distance switching office. This is the first step to bypassing the phone company's billing computer and making free calls to anywhere in the world.

A blue box call is started by dialing a long distance call in the normal way to a toll free "800" number. Directory assistance numbers can also be used, or a call can be placed to a nearby destination which is cheap to call. This is the call which will appear on the CAMA tape. Once dialing is completed and the called number starts to ring, you feed **** Hz into your phone for one second. Experienced phone phreaks familiar with the timing whistle off a second or two before the called number actually rings. The **** Hz tone is acoustically coupled to the phone by simply placing the blue box against the mouthpiece and pressing the appropriate button. The local CO is not listening for **** Hz to indicate a disconnect.
It monitors the current flow in the line and knows the subscriber hung up when the current flow drops below a certain minimum. The **** Hz tone is passed on to the toll switching office as if it were a voice signal. The toll office is not listening for **** Hz from a CO and so passes it on to the next toll office. At that point the tone is heard as a signal that the caller has hung up. The call is cancelled, leaving the caller still connected to a toll line between switching offices.

After sending **** Hz for approximately one second you remove it. The removal of the tone tells the distant switching office that the line is no longer idle. It connects an incoming sender and waits for instructions in the form of MF signaling. At this point you have about ten seconds to start dialing the desired number on the blue box. The number is dialed in a manner similar to using a push button telephone, in this format: KP+(area code)+(7 digit phone number)+ST.

When the called number answers, a signal is sent back causing the CAMA tape to be punched with the time the connection was made. At the end of the call, the CAMA tape is punched with the number called from, the time, and the number you originally dialed. This is the information that will be used to compute your bill. The call will be free if an 800 number was used. The number actually reached with the blue box is not recorded. Modern systems frequently use magnetic tape instead of punched paper tape to record the billing information, but it works the same way.

Getting Into the System

Many COs are now using CCIS (Common Channel Interoffice Signaling). With this system, control signaling is done over different lines than those used for voice transmission. If a toll free call is placed from an area using CCIS to another CCIS area, transmitting **** Hz will not cause a disconnect.
In 1984, just when it appeared that blue boxing was dead except when done from a few areas of the country, advanced "researchers" discovered holes in the system that opened it up again all over the country, including from nearly every street corner pay phone. New "holes" are constantly being found, and usually are soon plugged after it is discovered they are being used to make illegal calls. The main method in use at this time is to call an 800 number that rings into a non-CCIS area. Knowledgeable phone phreaks predict that all of these "holes" will not be plugged until sometime after the year 2000. By then new and better ways will probably have been developed to beat the system.

The trick to using this method is to find an 800 number that rings into one of the few remaining areas that still use the older switching equipment. This is not difficult when you know how. When **** Hz is transmitted, it travels over the voice channel to the toll office at the distant end, where it is received as a disconnect. Usually a "chirp" or "kachink" is heard, and you're in!

A few pay phones, especially those located in rural areas, will disconnect locally if **** Hz is played into them. The effect is the same as hanging up the receiver, then picking up again after a few seconds. This is useless for blue boxing and would seem to be an obstacle. Actually, it was a delicious challenge to the "researchers" and soon fell as a barrier to boxing under the probing of a few tone combinations. The local disconnect occurs because the local CO is listening for **** Hz. The device that does the listening is called an SF (single frequency) unit. These units are designed to disconnect only when **** Hz is received without the presence of any other voice band frequencies. This is to prevent accidental disconnects on voice components. To get by this unit, **** Hz is played in combination with a second tone in the range of 3400 to 3600 Hz. This is a "guard" tone.
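The SF unit behaviour described here, and its defeat by the guard tone as explained in the next paragraph, as an added example that is not code from the original file. It models the unit's rule ("disconnect only when the supervisory tone is present without other voice band energy") as a ratio of Goertzel-measured tone power to total band power, then runs three cases: the bare tone, the tone with a 3500 Hz guard tone, and the guarded signal after a low-pass filter standing in for the long distance channel. The supervisory frequency is redacted in this file, so SF_HZ is a placeholder value, and the 41-tap windowed-sinc filter is this example's assumption about the channel, not a figure from the text.

```python
"""Added example (not part of the original file): an SF unit's disconnect
decision, and why a guard tone holds it off locally but not downstream."""
import math

RATE = 8000
SF_HZ = 1000      # placeholder; the real supervisory frequency is redacted here
GUARD_HZ = 3500   # inside the 3400-3600 Hz range the text gives


def goertzel_power(samples, freq, rate=RATE):
    """Power of the component at `freq` (Goertzel algorithm), scaled so a
    pure sine of amplitude A reports A**2 / 2, the same scale as band_power."""
    n = len(samples)
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    mag2 = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return 2.0 * mag2 / (n * n)


def band_power(samples):
    """Mean-square power of everything on the channel."""
    return sum(x * x for x in samples) / len(samples)


def sf_unit_disconnects(samples, threshold=0.8):
    """The unit's rule from the text: disconnect only when the supervisory
    tone accounts for (nearly) all of the energy in the voice band."""
    total = band_power(samples)
    if total < 1e-9:
        return False
    return goertzel_power(samples, SF_HZ) / total >= threshold


def tone(freqs, ms=250, amp=0.5, rate=RATE):
    """Sum of sines at `freqs`; constructed test signal."""
    n = int(rate * ms / 1000)
    return [sum(amp * math.sin(2 * math.pi * f * i / rate) for f in freqs)
            for i in range(n)]


def lowpass_fir(cutoff_hz, taps=41, rate=RATE):
    """Hamming-windowed sinc low-pass: a crude stand-in (assumption) for the
    band limit of the long-haul channel that attenuates the guard tone."""
    m = taps - 1
    fc = cutoff_hz / rate
    h = []
    for i in range(taps):
        x = i - m / 2.0
        ideal = 2 * fc if x == 0 else math.sin(2 * math.pi * fc * x) / (math.pi * x)
        h.append(ideal * (0.54 - 0.46 * math.cos(2 * math.pi * i / m)))
    gain = sum(h)
    return [v / gain for v in h]


def apply_fir(samples, h):
    """Direct-form convolution of `samples` with filter taps `h`."""
    out = []
    for n in range(len(samples)):
        acc = 0.0
        for k, hk in enumerate(h):
            if n - k >= 0:
                acc += hk * samples[n - k]
        out.append(acc)
    return out


def guard_tone_scenario():
    """Disconnect decisions at the local CO and at the distant toll office."""
    channel = lowpass_fir(3000)
    return {
        "local_plain": sf_unit_disconnects(tone([SF_HZ])),               # True
        "local_voice_like": sf_unit_disconnects(tone([SF_HZ, 440, 1240])),  # False
        "local_guarded": sf_unit_disconnects(tone([SF_HZ, GUARD_HZ])),   # False
        "distant_guarded": sf_unit_disconnects(
            apply_fir(tone([SF_HZ, GUARD_HZ]), channel)),                # True
    }


if __name__ == "__main__":
    for case, decision in guard_tone_scenario().items():
        print("%-18s disconnect=%s" % (case, decision))
```

The "local_voice_like" case is the protection the text mentions: speech energy alongside the tone keeps the unit from dropping the call, and the guard tone exploits exactly that rule. After the filter, the guard tone's share of the power collapses and the distant office's unit sees what looks like a clean supervisory tone.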
When the SF unit hears the higher tone along with the **** Hz signal, it does not disconnect. The CO passes the two tones along the voice channel toward the switching office at the distant end. As the tones pass through the long distance network, the higher tone is attenuated to a subaudible level. Only the **** Hz tone reaches the distant toll office, where it produces the desired disconnect. Once again technology triumphs in determined hands.

The following is a list of 800 prefixes in order by state. The number in parentheses indicates the area code served by that prefix. An asterisk (*) to the left of the prefix indicates that one or more 800 numbers have been found in that prefix which can be whistled off using **** Hz. An asterisk to the right indicates that a toll switching office has been located in the area code served by that prefix which will accept MF. There is a lot of research yet to be done on this list. In its present form, it is a road map of great value to the advanced blue boxer. This system is gradually being replaced by the expanded 800 service. Prefixes in the expanded 800 service have no relationship to area codes, but thousands of numbers are still in place under the old system. Some of the prefixes listed below are easy to hack for blowable numbers. (A "blowable" number is one which will disconnect on **** Hz.) Look for the ones with asterisks before and after them, like this: *XXX*. (The following numbers are publicly available, therefore legal to display.)

  Alabama           633 (205)
  Alaska            544 (907)
  Arizona           528 (602)
  Arkansas          643 (501)
  California        227 (415), 421 (213), 423 (213), 854 (714), 824 (916), 538 (408), 235 (805), 344 (209), 358 (707)
  Colorado          *525 (303), 255 (303)
  Connecticut       243 (203)
  Delaware          441 (302)
  District of Col.  424 (202), 368 (202) for high volume traffic
  Florida           327 (305), 237 (813), *874* (904)
  Georgia           841 (912), *241 (404), 554 (404)
  Hawaii            367 (808)
  Idaho             *635 (208)
  Illinois          621 (312), 323 (312), 637 (217), 435 (815), 447 (309), 851 (618)
  Indiana           428 (317), 457 (812), 348 (219)
  Iowa              553 (319), *247 (515), 831 (712)
  Kansas            835 (316), 255 (913)
  Kentucky          626 (502), 354 (606)
  Louisiana         535 (504), 551 (318)
  Maine             341 (207)
  Maryland          368 (301)
  Massachusetts     343 (617), 225 (617), 628 (413)
  Michigan          253 (616), 521 (313), 338 (906), 517 (248)
  Minnesota         328 (612), 533 (507), *346 (218)
  Mississippi       647 (601)
  Missouri          821 (816), 325 (314), 641 (417)
  Montana           *548* (406)
  Nebraska          228 (402), 445 (308)
  Nevada            *634 (702) (Las Vegas), 648 (702) (Reno)
  New Hampshire     258 (603)
  New Jersey        257 (609)
  New Mexico        545 (505)
  New York          223 (212), 847 (607), 221 (212), 431 (914), 828 (716), 645 (516), 448 (315), 833 (518)
  North Carolina    334 (919), 438 (704)
  North Dakota      *437 (701)
  Ohio              321 (216), 543 (513), 537 (419), 848 (614)
  Oklahoma          654 (405), 331 (918)
  Oregon            *547* (503)
  Pennsylvania      523 (215), 345 (215), *458* (814), 245 (412), 233 (717)
  Puerto Rico       468 (809)
  Rhode Island      556 (401)
  South Carolina    *845* (803)
  South Dakota      *843* (605)
  Tennessee         251 (615), 238 (901)
  Texas             527 (214), 433 (817), 531 (512), 231 (713), 351 (915), *858* (806)
  Utah              453 (801)
  Vermont           *451 (802)
  Virginia          446 (804), 368 (Arlington), 336 (703)
  Virgin Islands    524 (809)
  Washington        426 (206), 541 (509)
  West Virginia     624 (304)
  Wisconsin         *356 (608), 558 (414)
  Wyoming           443 (307)

How to Make Overseas Calls With a Blue Box

Overseas dialing is done in two stages of outpulsing. The first stage routes to an overseas sender and uses 011, the international access code for International Direct Distance Dialing (IDDD), plus the paired country code. If the country code is two digits, the paired country code can be derived by adding a "0" to the left of the country code. Example: the country code for England is 44; the paired country code is 044.
First stage outpulsing for England would then be: KP-011044-ST. If the country code contains three digits, the paired country code cannot be derived in this way and must be looked up. Example: the country code for Guam is 671; the paired country code is 067. First stage outpulsing for Guam would be KP-011067-ST. Second example: the country code for Cyprus is 357; the paired country code is 087. It is a rule that a paired country code must never be the same as any country code.

About five seconds after the ST (start) pulse, an international dial tone will be heard. This will time out to a reorder in about ten seconds. When the dial tone is heard, the system is ready to accept the second stage of pulsing in the format: KP-country code-city code-digits-ST. At this stage it is the country code, not the paired country code, which is used. Use the paired country codes when calling inward operators.

Some toll offices are screened against 011 coming in on a long distance trunk. In that case, precede the 011 with the area code which would apply for that toll office. Example: for a toll office in Gainesville, FL use KP-904+011+paired CC-ST. Another way to reach the overseas senders is to call them directly with KP-sender number-ST. If this doesn't work, add the area code of the sender. Example: KP-904185-ST.

The routing for a particular country can be found by dialing normally (pulse or touch-tone) 011+CC+000+enough digits to add up to a total of seven including the country code. Example: 011+44+00011. You will get a recording. At the end of the recording, the area code of the international center will be given. The sender used to call a particular country can vary depending on the area of the country from which the call is originated. An international call can sometimes be completed through the wrong sender, but this causes a printout that will later be investigated to find out which CO it came from.
To find the correct routing when pulsing through any particular toll office use KP+011+paired CC+000+ST. For example, KP-011044000-ST would give the same result as dialing normally 011-44-00011 if you were dialing it in the area where the toll office is located.

The first digit of a country code is the world region in which that country is located. The world regions are: 1, North America; 2, Africa; 3 and 4, Europe; 5, South and Central America; 6, South Pacific; 7, Union of Soviet Socialist Republics (U.S.S.R.); 8, Far East; 9, Middle East and South-East Asia.

Note 1. KP2 is not used in first or second stage outpulsing when calling any country in the IDDD network.

Note 2. Public telephones are interfaced to TSPS (Traffic Service Position System). If you call an 800 number and whistle off using **** Hz, the distant toll office sends a wink-back signal (a short on-hook) indicating it is ready to receive pulsing. TSPS responds to this wink-back by printing out the original number called, the number called from, and the number MFed after the wink-back. This printout goes to the billing and security departments.

Red Boxing

Red boxing consists of simulating the tones produced when coins are deposited in a pay phone. Coin tones are beeps of G Hz + B Hz as follows:

  5 cents  - 1 beep, 66 milliseconds duration.
  10 cents - 2 beeps, each 66 milliseconds duration, with a 66 millisecond pause.
  25 cents - 5 beeps, each 33 milliseconds duration, with a 33 millisecond pause.

Two methods have commonly been used by phone phreaks to produce these tones and make free calls:

  1. The traditional red box, consisting of a pair of Wien-bridge oscillators with the timing controlled by 555 timer chips.
  2. Producing the signals with a computer, recording them, and then playing them back into the mouthpiece of a pay phone.

A third, very novel method has recently appeared. A phreak in the Midwest has extensively tested a method of red boxing which uses nothing more than a pair of brass or aluminum whistles.
The whistles are 1/4 inch in diameter by 4 inches long and are tuned by means of a wooden dowel rod which fits snugly inside. The whistles can be brought precisely on frequency by tuning them against a known signal source, such as a computer capable of producing the tones. Once tuned, the whistles are glued or taped together so they can be blown together to produce the dual tone used in coin signaling. It has been tested and proven that, with a little practice, these whistles can be used to make free calls. Now you can blow your money without spending a cent.

Black Boxes

Like blue boxes, black boxes got their name from the color of the first one found. The black box, also known as a mute, is a device which permits a subscriber to receive incoming long distance calls without charge to the calling party. This information is presented mainly for its historical interest, since black boxes will not work on the new electronic switching systems (ESS).

The construction and use of a black box was quite simple. A resistor of about **** ohms was connected in series with one side of the phone line. Connected in parallel across the resistor were a .** mfd capacitor and a single pole single throw toggle switch. A momentary contact push button was connected across the line ahead of the other components, for the purpose of briefly shorting the line. While waiting for an incoming call, the switch was left in the "on" position, which shorted out the resistor and left the phone connected to the line as usual. When a call was received, the procedure was to throw the switch, lift the receiver and push the button for a period of less than one second. That brief short simulated taking the receiver off hook, which stopped the phone from ringing. Releasing the button simulated placing the receiver back on hook.
Keep in mind that the receiver is really "off hook", but the presence of the resistor in series with the line reduces the current drawn by the phone below the level needed by telephone company equipment to detect the "off hook" condition. The capacitor bypassed the resistor for audio signals, permitting normal conversation to take place. All the billing equipment knew was that a toll call was placed and the called party picked up the receiver and replaced it in less than one second. Since calls of less than one second are not billed, there was no charge for the call. Later models of the black box featured diodes to do the button pushing and switch functions automatically. Aside from this refinement, they worked the same as the one described.

Cheese Boxes

The first device of this kind was found in a cheese box, thus the name. A cheese box is a call diverter: calls placed to one number are rerouted to another. This requires two phone lines, each with its own number. Both lines terminate at the same location, usually a vacant apartment or the apartment of an elderly widow. Only the first number is given out. When this number is called, the cheese box connects the first line to the second. The call is then answered on the second line at a location far removed from the cheese box. This has been a favorite trick among bookies. Law enforcement officers trace the calls to the location of the cheese box and stage raids. When they get to the location, all they find is an empty apartment or a confused old lady. Sometimes, realizing a cheese box is being used, they make a search for it. They don't always find the cheese box even though they know what they are looking for. Early cheese boxes were quite simple, consisting of only a few diodes and capacitors. They could be as small as a fifty cent coin. Because of changes in the system, later models are more sophisticated. They are in use today and have been advertised in a national magazine. Apparently they are not illegal unless put to an illegal use.
Silver Boxes

Silver boxes are used to talk or send computer data over long distance lines free of charge. A silver box is a normal tone pad with the addition of the four keys normally reserved for military (AUTOVON) or amateur radio use. On AUTOVON the four additional keys carry the precedence levels, designated as follows:

  A - Flash Override
  B - Flash
  C - Immediate
  D - Priority

Push button tone dialing uses a signaling method called Dual Tone Multifrequency, or DTMF for short. It is a method of representing digits by playing two tones together, using a different pair of tones for each digit. The following table lists the frequencies used by a tone pad, including the signals of the silver box. All frequencies are in Hertz.

Tone Dialing Frequencies

                            HIGH TONE GROUP (Hz)
  LOW TONE GROUP (Hz)      1209    1336    1477    H
  --------------------------------------------------
         697                 1       2       3     A
         770                 4       5       6     B
         852                 7       8       9     C
         941                 *       0       #     D

Silver boxes can be made by modifying an existing keypad, or they can be built up from a readily available tone encoder integrated circuit chip. The tones used can also be produced by many personal computers.

Making Free Calls with a Silver Box

Silver boxes are used to seize long distance directory assistance lines. Two people calling at about the same time dial directory assistance for a selected area code. Not all area codes work for this; those in the Midwest seem to be favored. When the number rings, the "D" key is pressed. The caller will hear a pulsing tone. The first caller presses "6" on his keypad and waits. The second caller, following the same procedure to this point, presses "7" on his keypad. The two are instantly connected. Those who have experimented with this say it doesn't matter whether the "6" or the "7" is pressed first, so long as one caller uses "6" and the other "7". Because of the necessity of prearranging the time of a silver box call, this method hasn't really caught on except as a fun experiment among advanced phone phreaks.

I have gone through this file, eliminating only references to specific frequencies required for fraud.
I have also eliminated the specific values for a resistor and capacitor used to make the black box mentioned above. For your information, all frequencies listed A - H are specific and there are no repeats. They are not in any specific order. The beep-off tone described and listed as **** Hz is also a single specific frequency.