Hacking Telephone Answering Machines by Doctor Pizz and Cybersperm ****************************************************************************** DISCLAIMER: The following is for informational purposes only. All information provided is simply to point out how easy it is to access such a system. The author accepts no responsibility for irresponsible use of this knowledge, and it is provided solely so people can be aware of the low security of such systems. (Now that I'm off the hook in case you do something stupid...). ****************************************************************************** It seems that lately there is very little discussion of one of the most simple but useful and rewarding forms of electronic information gathering, hacking the telephone answering machine. Almost everyone has one of these wonderful devices these days, to catch important messages while they are away from their phones, or to screen important telephone calls. Nowadays, they typically have the added advantage of being accessible from remote telephones, so one needs to simply call his or her answering machine, enter their secret code, and then either retrieve new messages, or listen to anything they had previously recorded on the incoming messages tape, or perform any of a set of additional functions determined by which key they press on their touch tone phone. They also typically ignore the fact that virtually anyone else can gain access to their messages by entering the appropriate code. Hence this is a wonderful system to gather information from anyone without their knowledge, especially if they are technologically illiterate. For the most part, there are two main types of "electronic password" used by these systems. They are amazingly simple to crack, as they are typically only 2-digit or even 1-digit numbers!!!!!! On some machines, the code must be entered before the outgoing message is over, on others, it must be entered after the outgoing message, and on more sophisticated models, it can be entered at any time. MODERN 2-DIGIT PASSCODE SYSTEMS: These are the most common systems in use today, typically made by Panasonic, AT&T, etc. In these systems, the code can be entered before during or after the beep tone. For security reasons, we recommend BEFORE the beep tone, so your intrusions are unnoticed... We will begin by discussing how to identify the passcode. Now, the question of how to hack their code. Well, this is so simple, you don't even need a computer to do it. You can just enter all 2-digit combinations until you get the right one (usually signalled by a series of beeps on the other end). A relatively crude way was to enter each number in sequence 01, 02, 03, 04,...,99. This works, but may take too long to enter all numbers within the 20-30 second window we typically have before the beep (The best time to play arounnd, as any tones entered after the beep will be recorded on his incoming messages tape, and could let him know something is up...). It is also important to stop as soon as you hit the right number, as the additional entered numbers may be interpreted by the answering machine as codes, and cause you to delete all their messages, or record a new greeting, etc. That is really asking for trouble, and may cause them to try and change their password (though it's usually only possible to choose from a range of three consecutive numbers anyway...). Still, you need to be careful not to let them catch on, eh? A more sophisticated and fast way to do this is to take advantage of the fact that such machines typically do not read two numbers at a time, and discard them, but just look for the correct sequence, reading one at a time. In other words, you can enter all 100 possible codes with roughly 1/2 the number of keystrokes. Just enter as follows: 0 0 1 0 2 0 3 0 4 0 5 0 6 0 7 0 8 0 9 1 1 2 1 3 1 4 1 5 1 6 1 7 1 8 1 9,etc. By reading in one phase we get: 0 0,1 0,2 0,3 0,4 0,5 0,6 0,7 0,8 0,9 1,1 2,1 3,1 4,1 5,1 6,1 7,1 8,1 9,etc. In the other phase we get: 0 1,0 2,0 3,0 4,0 5,0 6,0 7,0 8,0 9,1 1,2 1,3 1,4 1,5 1,6 1,7 1,8 1,etc. So by proceeding as follows we enter the following matrix sequentially, encompassing all possible 2 digit numbers: 0 0 1 0 2 0 3 0 4 0 5 0 6 0 7 0 8 0 9 1 1 2 1 3 1 4 1 5 1 6 1 7 1 8 1 9 2 2 3 2 4 2 5 2 6 2 7 2 8 2 9 3 3 4 3 5 3 6 3 7 3 8 3 9 4 4 5 4 6 4 7 4 8 4 9 5 5 6 5 7 5 8 5 9 6 6 7 6 8 6 9 7 7 8 7 9 8 8 9 9 0 The last zero is important, as it completes the cycle, and allows for the code 9 0, which is the only one not as yet allowed for. I must emphasize the importance of quitting as soon as you get the correct code, and also do not keep going after the beep, if you are on a modern 2-digit access code system. This way, you can record the passcode for your future reference, and prevent detection. Now, we shall get on to the question of how to use their system, once you've broken in. In general, it is recommended to obtain a copy of the owners' manual for various machines, but I have summarized some of the basics below. PANASONIC Here are the codes for a Panasonic Easa-phone KX-T1450. The KX-T2420 is identical without Room Monitor function In this case, strange things happen when you enter 5: 1 = Back Space (Rewind the OGM tape) 2 = Skip Forward (Fast forward the OGM tape) 3 = Reset (Go back to the beginning of the OGM tape. MAY CAUSE ERASURE!!!) 4 = Memory Playback (Listen to new messages) 5 = Room Monitor (!!!! Listen to what is going on in the room NOW !!!!) (This is only available on some models... But, try it...) 7 = OGM-REC (Record a new greeting!!!) 9 = OGM-STOP (Stop recording the new greeting) * = OGM Skip (Don't Listen to the OGM) 0 = Turn off the machine !!!!! To set to the answer mode remotely, 1. Dial the phone number 2. Wait 15 rings and hang up To turn off the unit remotely (!!), 1. Dial the phone number 2. Push the code number, wait for the beep, enter 0, and hang up. Panasonic answering machines also respond to the user with a series of codes which I will now outline. If you hear something different, you may not be on a Panasonic system. 1 long beep : This is the "beep" after which people can leave their messages. Also, this is sounded when the correct passcode is entered from a remote telephone. (Same sound- Hint for software developpers) It sounds when the tape has fully rewound, and after each message is played back in entirety. 3 short bps : This sounds after the last message has been played back. 2 short bps : (10 seconds later) You are then being recorded - marker message 6 short bps : End of the incoming message tpe 6 short bps : (Quickly) Tape Broken (either incoming or outgoing) Also, after entering the correct code, and after the one long beep, you will hear n additional short beeps, where n is the number of new messages since the last time the messages were retrieved. Remember, you can listen to earlier ones on the same tape, by additionally backspacing from the first new message. Anyway, that is a basic summary of the Panasonic answering machine system for this machine. Many machines unfortunately do not have the Room monitor function, so you can not see if you left your TV on, or anything like that... Also, not all systems are identical, but on Panasonic machines, the numbers 1- 4 are the same, so this is the most important thing for you to remember anyway... AT&T On AT&T machines, like the Answering System 1304, the passcode is again a 2- digit number enterable before, during, or after the beep. Follow the same guidelines as above. After you enter the correct code on these machines, the system will automatically begin to play back new messages. This is one key way to distinguish these machines from the Panasonic ones discussed above. To summarize the key functions for the AT&T system, look below: 2 Rewind tape (tape rewinds for as long as this key is depressed) 3 3 Clear messages (reset the tape to the beginning.) 5 Fast Forward (tape ffwds for as long as this key is depressed) 7 Replay messages from the beginning 8 8 Turn off the answering machine * Record a memo (After listening to messages) OR Skip the greeting (w/o entering code) 0 Turn on the machine (after hearing two beeps) # Pause (for 5-7 seconds) Basically this system is less sophisticated than the Panasonic. You cannot change the OGM remotely (Damn!). As seen above, the codes are also quite different, but fortunately they are easily distinguished by how they answer after the security code is entered. The AT&T plays the messages, while the Panasonic just beeps to tell you how many new messages are waiting. Here also, the rewind and fast forward functions operate for the length of time you depress the 2 and 5 keys respectively. On the Panasonic, they reewind or fast forward for 15 seconds. Also, this system has a pause feature. By entering the # sign, you can pause for a few seconds while listening to a message. One extra safety (from your perspective...) feature is that on this system you cannot erase messages until they have all played back, so you have less risk of fucking up someone's system if it is an AT&T. You cannot change his greeting, and it is difficult to accidentally erase his messages. If you wish to do so, however, you must hit the 3 key twice after listening to the messages in their entirety. To record a memo (why would you want to do this???), you can press the * key after you hear 5 beeps (after listening to the messages). Then begin to record. Also, the * key can be used before the message is finished to skip listening to the OGM (useful for long distance callers who are actually paying for the calls...) without the need for entering a security code. To turn on the system from remote points, you need to let it ring ten times, and after it answers with 2 "beeps", hit the 0 key. It will subsequently be on. Similarly to turn it off, just enter 88. If the machine answers the phone with no greeting, and just 2 beeps, it means the tape is full. You can now enter the security code (without risk of them recording the BEEPS!!!) and listen away for a long time!!! Basically, this sums up the properties of the two most common systems I've encountered of the 2-digit passcode variety. SINGLE DIGIT PASSCODE MACHINES: On some old model Panasonic and Phone Mate systems, the secret entry passcode is only a one digit number(!!!). On these primitive systems, one merely enters the correct number, during the message, and playback begins. The other codes are simple to derive, and just for the sake of making this hobby a sport, I will not give details for these systems. It is easy enough to figure them out, and on these systems, it is hard to screw things up, as there is little you can do anyway. APPLICATIONS: This can be a rewarding adventure if you decide to follow those instructions (though far be it from me to suggest you to do this...). I will point out some of the potentially entertaining, useful, and/or informative applications of this technology. As the true weirdos that we are, we shall begin with what we consider the truly entertaining applications... If you have ever read the Village Voice, Screw or other such newspaper, you will notice a large number of advertisements for "unlicensed massage parlors", "Oriental relaxation spas", "Escort services", etc. Call some of those numbers, preferrably at off-duty hours (6-9 AM??) and try to hack their answering machine codes, listen to their messages, and let the fun begin. You can hear lots of perverts, and lowlifes making appointments for "services" about which they are sometimes graphic. Also, they often leave telephone and credit card numbers (What fun!!!). In case they are married, think of the blackmail potential... Further, these "adult entertainment companies" also often run help wanted ads in the Village Voice, and other such publications. Call these, and you will get a plethora of phone numbers for nubile young women who might believe you are the proprietor of the establishment in question. You might be able to con some "free samples" as a sort of "job interview"... (hehehe) Especially given the illegal activity they desire to become involved in, they will be in no position to complain when they find out you are not for real... Also, this way, the girls are often not so jaded as the old pros... They will be trying to impress you if you get my drift, so you'll "hire" them. Other similar companies can be hacked to get similar entertaining and enjoyable results. In many cases, the outcomes can be QUITE LUCRATIVE in one way or another... I do not advocate that you do these things, but I just want to point out what COULD be done... Let us move on to the informative espionnage type of application of this technology. One could very easily use this technology to listen to the messages of friends, and see what they are up to. If you are trying to call your buddy Evan, and he isn't home, perhaps you can find out where he is by going through some of his old answering messages. Say, Eric called him a couple of hours ago and suggested that Evan come over to his place for some beers. Well, you could then call Eric and voila, you may connect with Evan. Now, let us assume you have a girlfriend, and you suspect she might be cheating on you, yet you do not wish to confront her about it without any evidence, or certainty of her cheating. Well, her new beau probably thinks her answering machine is secure, and calls leaving messages about their upcoming dates, or various discussions of their relationship. If you can hack her machine {actually, you might even look at the bottom (where the passcode is usually printed...) to save time and energy.} you will be afforded with a plethora of potentially incriminating evidence. Hehehe. A similar application can be when you have a new love interest. Suppose there is some woman you are interested in, but you aren't sure if she is available. A little phone answering machine surveillance can provide all of the answers, and then some... In case she asks her friends about you, you'll know everything she does. Also, you will learn details about her life, and schedule, the better to run into her "accidentally", or strike up a conversation about "common" interests... Now, if you know someone in the same profession, say musicians, and you call his answering machine, and hear someone offering him a gig. You could call that person back, and accept the gig in your name, saying the originally called musician was unavailable, but suggested that you call. Then be sure to erase the original message on your buddy's machine. He'll never be the wiser, and you'll get more work. Though he may wonder why he isn't getting much work anymore... Millions of applications exist, and if you have any additional suggestions, please leave them with us. We can be reached on several BBS'es, in 212, 718, and 914 area codes. Thanks. Also, if you have information on other answering machine systems, please pass it along... Again, in closing, we reiterate that the authors take no responsibility for the misuse of this information. The ideas for applications were presented for informational and entertainment purposes only, and we do not encourage you to try any of the above suggestions. Remember, listening to the pass-code protected messages of others constitutes an invasion of privacy, and may be in violation of state and federal laws. ****************************************************************************** ANOTHER FINE PIZZ-SPERM T-FILE... Please upload this file to other fine BBS'es, and give credit to the original authors, Doctor Pizz and Cybersperm, of the TUBA crew. ****************************************************************************** *************************************************************** * * * Another Fine File From the libraries of the TUBA crew. * * * *************************************************************** ____ _______ * / \ ___ ___ ____ ___ ___ / / ___ ___ / // // / / // / /______/ / / / / // // / / //-< / / / / /_____//__//__ / /__// / / / /__ /__ -N- CCCC Y Y BBB EEEE RRR SSSS PPP EEEE RRR M M C Y Y B B E R R S P P E R R MM MM C Y BBB EEE RRR SSSS PPP EEE RRR M M M C Y B B E R R S P E R R M M M CCCC Y BBB EEEE R R SSSS P EEEE R R M M M