Blue box

From Wikipedia, the free encyclopedia
Blue box designed and built by Steve Wozniak and sold by Steve Jobs before they founded Apple. Displayed at the Powerhouse Museum, from the collection of the Computer History Museum[1]

A blue box is an electronic device, designed specifically for telephone toll fraud (but now obsolete for that purpose), that generates the in-band signaling tones formerly used within the North American long distance telephone network to send line status and called number information over voice circuits, either between a telephone operator switchboard or technician console and a switching machine, or machine to machine. First developed during the 1960s or possibly earlier, blue boxes allowed private individuals to call one number normally and redirect the call to a second number, with billing registering only the first number. The first number might be a toll free "800" or "information" number, a billable number, an unassigned number, or even, in some metropolitan areas, a local call. The call could be redirected to telephones elsewhere in North America or on many other continents, or, possibly, to ships at sea. Furthermore, the blue box gave the user access to numbers that were supposed to only be accessible to telephone operators and technicians.

(In some metropolitan areas, local calls to certain exchanges were connected through "tandem" machines, which also connected long distance calls. The user could dial a local number that was connected via one of those machines and redirect the call to a long distance number. In some areas, the caller might subscribe to a service which allowed unlimited calling to a particular distant exchange, with these calls connected via a tandem machine.)

At first, the use of these techniques was limited to a small group of "phreakers", who constructed blue boxes for personal use. The devices may have been breadboarded, with exposed wiring, not packaged for sale as a consumer product, and may have required adjustments from time to time to keep the oscillators on frequency. One phreaker, who was an exception, was Steve Wozniak. He built robust blue boxes which Steve Jobs sold.

Blue boxes worked because the telephone system used tones within the long distance network, but those tones could originate at user telephones to take over control of call routing, after the telephone was connected to the long distance network. Subsequent telephone switching technologies used out-of-band signaling methods in the form of Common Channel Interoffice Signaling (CCIS) in a separate channel not accessible to the caller. Blue boxes stopped working as toll fraud devices as these systems were deployed.

A related device, dubbed black box, enabled the reception of calls without incurring a charge to the caller.

Modern devices, designed for imitating toll fraud on emulations of the tone signaling system, are also called blue boxes.

Some musical instruments and pieces of test equipment are capable of producing the tones, but are not called blue boxes because they were not designed specifically for toll fraud.

History

Local calling had been increasingly automated through the first half of the 20th century, but long-distance calling still required operator intervention. Automation was deemed essential by the American Telephone and Telegraph Company (AT&T). By the 1940s they had developed a system that used audible tones played over the long-distance lines to control network connections. Tone pairs, referred to as multi-frequency (MF) signals, were assigned to the digits used for telephone numbers. A different, single tone, referred to as single frequency (SF), was used as a line status signal.

Bell Telephone Laboratories published a public relations advertisement, Playing a Tune for a Telephone Number, in the February 1950 issue of Popular Electronics. It showed the musical notes for the digits on a staff and described the telephone operator's pushbuttons as a "musical keyboard".[2] Two keys on a piano would need to be pushed simultaneously to play the tones for each digit. The illustration did not include the tone pairs for the special control signals KP and ST. The KP signal preceded the digits and ST concluded them. In the picture, the operator's finger is on the KP key and the ST key is visible.

In the 1950s, AT&T released a public relations film, "Speeding Speech", which described the operation of the system. In the film, the tone sequence for sending a complete telephone number is heard through a loudspeaker as a technician presses the keys for dialing.[3]

In November 1954, the Bell System Technical Journal published an article entitled "In-Band Single-Frequency Signaling", which described the signaling scheme used for starting and ending telephone calls for the purpose of routing over trunk lines.[4][5] In November 1960, an article in the Bell System Technical Journal provided an overview of the technical details of signaling systems, and disclosed the frequencies of the signals.[6]

Each end of a trunk line typically had a device called a signaling unit, which received a two-state DC status signal from the connected equipment, and provided a two-state DC status signal to the connected equipment. Telephone engineers referred to the states as "on hook" and "off hook", drawing from early wall telephone states where an earpiece was hung on a hook when the telephone was not in use and removed from the hook when in use. The trunk lines did not pass DC, so an engineering decision was made to use a tone to indicate the status, tone present for on hook (idle) and tone absent for off hook (in use). The engineers chose a high pitched tone, 2600 Hz, approx. E7 in music, that normally was not present in a pure form in speech or background sounds. The signaling unit had transmit and receive sections. In a simplified view, the transmit section sent the tone when it received an on hook status from the connected equipment and the receive section provided an on hook status output when it was receiving tone.

The receiving portion required safeguards against falsely interpreting speech, noise, music, office equipment, bells, etc. received from the user telephone as the on hook signal, and, possibly, disconnecting the call. For example, 2600 Hz might be present as an overtone in music playing in the background during a call. The signaling unit compared the signal power from a bandpass filter centered on 2600 Hz to signal power in other parts of the audio band. In the overtone case, the power in the fundamental would more than offset the power at 2600 Hz and the signaling unit would continue to report off hook.

When the call ended, the signaling unit conveyed an on hook status to the distant end by sending a "pure" 2600 Hz tone at an elevated level. The receiving signaling unit would detect the pure tone, report on hook status to the connected equipment, and connect a band stop filter to block the tone. The receiving signaling unit then went into a mode where it continued to send on hook status to the connected equipment as long as tone was present, even if there was signal in other parts of the audio frequency band. After a short time, the sending end reduced the tone level and continued to send tone as long as it received on hook status from its connected equipment.
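The guard behaviour described above can be modelled in software. The following is an added example, not part of the original article and not Bell's circuit design: the 8 kHz sample rate, 20 ms frame, guard fraction and power threshold are assumptions, and the test signal is constructed.

```python
import math

RATE = 8000            # samples per second (assumption)
FRAME = 160            # 20 ms analysis frame (assumption)
SF_HZ = 2600           # single-frequency supervision tone from the text
GUARD_FRACTION = 0.8   # assumption: share of frame power that must sit at 2600 Hz
MIN_TONE_POWER = 0.01  # assumption: tone power needed to keep reporting on hook


def goertzel_energy(frame, freq):
    """Squared DFT magnitude of `frame` at `freq` (Goertzel recurrence)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def measure(frame):
    """Return (mean power at 2600 Hz, fraction of total frame power at 2600 Hz)."""
    n = len(frame)
    total = sum(x * x for x in frame) / n
    tone = 2.0 * goertzel_energy(frame, SF_HZ) / (n * n)
    return tone, (tone / total if total > 1e-12 else 0.0)


def supervise(signal):
    """Per-frame status reported by the receive section of a signaling unit.

    Off hook -> on hook needs a *pure* tone (the guard against speech and music).
    Once on hook, the unit holds that status while any tone is present, even
    with other audio on the line, as the text describes.
    """
    states, on_hook = [], False
    for i in range(0, len(signal) - FRAME + 1, FRAME):
        tone, fraction = measure(signal[i:i + FRAME])
        if on_hook:
            on_hook = tone >= MIN_TONE_POWER
        else:
            on_hook = tone >= MIN_TONE_POWER and fraction >= GUARD_FRACTION
        states.append("on_hook" if on_hook else "off_hook")
    return states


def mix(frames, *partials):
    """Constructed test audio: sum of (frequency_hz, amplitude) sine partials."""
    return [sum(a * math.sin(2.0 * math.pi * f * n / RATE) for f, a in partials)
            for n in range(frames * FRAME)]


def demo_signal():
    """Constructed sequence: music with a 2600 Hz overtone, pure tone at an
    elevated level, reduced tone with other audio present, then silence."""
    return (mix(3, (1300, 1.0), (2600, 0.5))
            + mix(2, (2600, 1.0))
            + mix(2, (2600, 0.3), (700, 1.0))
            + mix(2))


if __name__ == "__main__":
    for index, state in enumerate(supervise(demo_signal())):
        print(f"frame {index}: {state}")
```
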

Discovery and early use

Before the technical details were published, many users discovered unintentionally, and to their annoyance, that a 2600 Hz tone played into the caller's handset would cause a long-distance call to disconnect. The 2600 Hz tone might be present if the caller were whistling into the telephone microphone while waiting for the called party to answer. Upon detecting the tone from the caller's end, the receiving signaling unit sent an on hook status to the connected equipment, which disconnected the call from that point forward, as if the caller had hung up. When the whistling stopped, the far end signaling unit sent an off hook signal to the connected equipment, which would attach equipment to set up a new call. In many cases, a tone receiver was connected which accepted digits sent in the MF tone code.

Among the earliest to discover this effect was Joe Engressia, known as Joybubbles, who accidentally discovered it at the age of seven by whistling (with his mouth). He became fascinated with the phone network, and over the next decade had built up a considerable base of knowledge about the system and how to place calls using the control tones.[7] He and other famous phone phreaks, such as "Bill from New York" and "The Glitch", trained themselves to whistle 2600 Hz to reset a trunk line. They also learned how to route telephone calls by causing trunks to flash in certain patterns.

At one point in the 1960s, packages of the Cap'n Crunch breakfast cereal included a free gift: a small whistle that, by coincidence, generated a 2600 Hz tone when one of the whistle's two holes was covered.[8] The phreaker John Draper adopted his nickname "Captain Crunch" from this whistle.[9]

It was possible for the user to generate the tones and get the long distance equipment to behave differently from the way it worked in normal operation. The caller would dial one number and allow the equipment to start processing the call normally. Before the dialed number was answered, the caller would send 2600 Hz and distant equipment would disconnect the call. Then, the caller would remove the tone and a digit receiver would be connected. The caller would dial a new call using the MF tone code. The billing equipment would register the original dialed number and the call would connect to a different number. If the original dialed number were a toll free number, the caller would not be charged for the call.

It was technically possible to generate the tones with technology available at the time the system was first deployed. A piano or electronic organ had keys that were close enough in frequency to work. With tuning, they could even be made dead on frequency. For dialing the phone number, the user would press 2 keys at a time. An experienced pianist might have found the key combinations awkward to play. However, a blank player piano roll could have been punched to operate the required keys and dial a phone number. Another strategy would have been to purchase doorbells, remove the plungers, and mount them on a frame that could be set over the piano keyboard. Twelve DPDT pushbuttons, labelled KP, ST and the 10 digits, would operate pairs of plungers to play the phone company tones, after the E7 piano key had been pressed and released.

At the time, there were consumer devices for recording on wire or blank phonograph records, so the piano did not have to be near the phone. Consumer tape recorders came later and made the recording process easier. Small, battery powered, tape recorders allowed the tones to be played back almost anywhere.

Originally, long distance calls were placed through operators, who acted as "gatekeepers", able to listen in on calls and detect irregularities that machines would not catch. However, customer dialing of long distance calls was being deployed throughout the 1950s. Quite often, an operator came on line to ask for the caller's number. The caller could dial a non-existent exchange and give the operator someone else's number. The call would be routed through the network to a "reorder" signal or recorded announcement. The caller could use tones to redirect the call to a different number. A day later or longer, the billing computer would get the information about the call and be unable to bill it. If telephone security people were presented with information about the call, they would have neither the correct called nor calling number.

The "toll free" 800 service was launched in 1967 and gave the hackers numbers to call.

Blue Boxes

It was possible to construct an electronic blue box with 1940s vacuum tube technology, but the device would have been relatively large and power hungry. Just as it did for radios, shrinking them from the size of toasters to the size of cigarette packages and allowing them to be powered by small batteries, transistor technology made a small, battery powered, electronic blue box practical.

AT&T security captured its first blue box in about 1962, but it probably wasn't the first one built.

A typical blue box had 13 pushbuttons. One button would be for the 2600 Hz tone, pressed and released to disconnect the outgoing connection and then connect a digit receiver. There would be a KP button, to be pressed next, 10 buttons for telephone number digits, and the ST button to be pressed last. The blue box may have had 7 oscillators, 6 for the 2 out of 6 digit code and one for the 2600 Hz tone, or 2 oscillators with switchable frequencies.

The blue box was thought to be a sophisticated electronic device and sold on the black market for a typical $800-1000 or as much as $3500. Actually, designing and building one was within the capabilities of many electronics students and engineers with knowledge of the required tones, using published designs for electronic oscillators, amplifiers and switch matrixes, and assembled with readily available parts. Furthermore, it was possible to generate the required tones using consumer products or lab test equipment. The tones could be recorded on small, battery powered, cassette recorders for playback anywhere.

To reduce call set up time, telephone numbers were transmitted from machine to machine in a "speed dial" format, about 1.5 seconds for a 10 digit number, including KP and ST. To catch the cheaters, AT&T could have connected monitors to digit receivers that weren't being used for operator dialed calls and logged calls dialed at manual speed. So, some hackers went to the extra trouble of building blue boxes that stored telephone numbers and played the tones with the same timing as the machines.

Here's a link to a video of a commercially available test set which played the tones "speed dial":[10]

The Blue Box Subculture

The widespread ability to blue box, once limited to just a few isolated individuals exploring the telephone network, developed into a subculture.[11][12] Famous phone phreaks such as "Captain Crunch", Mark Bernay,[13] and Al Bernay used blue boxes to explore the various 'hidden codes' that were not dialable with a standard telephone.

Some of the more famous pranksters were Steve Wozniak and Steve Jobs, founders of Apple Computer.[14] On one occasion, Wozniak dialed Vatican City and identified himself as Henry Kissinger (imitating Kissinger's German accent) and asked to speak to the Pope (who was sleeping at the time).[15][14] Wozniak said in 1986:[16]

I called only to explore the phone company as a system, to learn the codes and tricks. I'd talk to the London operator, and convince her I was a New York operator. When I called my parents and my friends, I paid. After six months I quit—I'd done everything that I could.

I was so pure. Now I realize others were not as pure, they were just trying to make money. But then I thought we were all pure.

Jobs later told his biographer that if it hadn't been for Wozniak's blue boxes, "there wouldn't have been an Apple."[17]

The Blue Box in the Media

Blue boxing hit the mainstream media when an article by Ron Rosenbaum titled Secrets of the Little Blue Box was published in the October 1971 issue of Esquire magazine.[7] Suddenly, many more people wanted to get into the phone phreaking culture spawned by the blue box, and it furthered the fame of Captain Crunch.

Two major amateur radio magazines ('73' and 'CQ') published articles on the telephone system in the mid-1970s. CQ Magazine published details on phone phreaking, including the tone frequencies and several working blue box schematics in 1974.[18] The June 1975 issue of '73' featured an article describing the rudiments of the long-distance signaling network, how to construct red and blue boxes, and put them into operation.[19] Around the same time, do-it-yourself kits were available to build one's own blue box.[20][21]

In November 1988, the CCITT (now known as ITU-T) published recommendation Q.140 for the Signaling System No. 5, which caused a resurgence of blue boxing incidents in a new generation of users.

During the early 1990s, blue boxing became popular with the international warez scene, especially in Europe. The software was made to facilitate blue boxing using a computer to generate the signaling tones and play them into the phone. For the PC there were BlueBEEP, TLO, and others, and blue boxes for other platforms such as Amiga were available as well.

Theory

Local plain old telephone service works by watching the voltage on the telephone lines between the telephone company's exchange office and the customer's telephone. When the phone is on-hook ("hung up") the approximately 48 volt electricity from the exchange flows to the phone and is looped back without passing through the handset. When the user picks up the handset, the current has to flow through the speaker and microphone in it, causing the voltage to drop to under 10 V. This sudden drop in voltage signals the user has picked up the phone. This system works well for short-distance lines on the order of a few kilometers, but as the distance grows the capacitance of the wires begins to filter out the sharp changes in voltage. So while the system is fine for local connections to the exchange, it is not useful for watching the status of lines on long-distance connections between exchanges.

To address this need, the Bell System adopted a second system on the circuits that connected the exchanges. These lines were switched by a system known as a "tandem", which the local exchange would switch to when it recognized the number was not local. In North America, this was typically triggered by dialling a "1" at the beginning of the number. The tandem included the routing systems and long-distance trunk lines needed to talk to tandems at other exchanges, thereby linking the exchanges together. The tandems also faced the problem that the DC signals did not work over long distances, so instead, they used tones played into the lines to indicate status and dial numbers.[22]

The basic protocol worked by playing a 2600 Hz tone into the line whenever it was not being used. The tandems at both ends of a given trunk line did this. When a local exchange received a call that was being routed to a remote system, it decoded the number to determine which trunk lines connected to the selected remote tandem, and then scanned those lines looking for the tone. When it heard the tone on one of the lines, it knew that line was free to use. It would then select that line and drop the 2600 Hz tone from its end. The remote tandem would hear the tone stop, drop its own tone, and then play a supervision flash, making a "ka-cheep" sound, to indicate it had noticed the signal. The line was now free on both ends to place a call.[22]

Dialing a POTS phone used the same voltage-drop system to indicate digits by rapidly cycling the hook, nine times to dial the digit 9 for instance. This was known as pulse dialing. As it also required rapid voltage changes, it too did not work over long-distance links. This is why long-distance calling required operator assistance well into the 20th century, long after local calling had been completely automated.

To address this problem and allow end-to-end user long-distance dialing, Bell introduced a second system that encoded digits as two tones, the multi-frequency signaling system, or "MF". Before the widespread use of end-user phones with touchpad dialing, the tone dialer was located in the tandem. Once the local tandem had found a free line and connected to it, it then relayed the rest of the phone number over the line using the tone dialing method. The remote tandem then decoded the tones and turned them back into pulses on the local exchange.[22]

When the call was complete and one of the parties hung up the phone, that end of the connection would indicate this by playing the 2600 Hz tone again. The other end of the connection would hear the tone and cause their local call to hang up as well, and then began playing the tone into their end as well to mark the line free on both ends.[22]

Operation

The operation of a blue box was simple: First, the user placed a long distance telephone call, often to a number that was in the target area. Usually, this initial call would be to a toll-free number or some other non-supervising telephone number like directory assistance.[22] Using a toll-free number ensured that the phone being used for access would not be billed.

When the call began to ring, the caller would use the blue box to send a 2600 Hz tone (or 2600+2400 Hz on many international trunks followed by a 2400 Hz tone). Hearing this tone, the remote office believes the user hung up before the call completed, and disconnects the call on their exchange. As always, it then begins playing 2600 to mark the line free. However, this does not disconnect the call locally, only physically hanging up the phone will do that. So, in this case, the user is left on a live line, one that is connected via a long-distance trunk line to a target exchange.[22]

The user now stops playing the tone. The remote exchange interprets this loss of tone to mean the exchange's tandem is attempting to place another call. It responds by dropping its tone and then playing the flash to indicate it is ready to accept routing tones. Once the far end sends the supervision flash, the user uses the blue box to send a "Key Pulse" or "KP", the tone that starts a routing digit sequence, followed by either a telephone number or one of the numerous special codes that were used internally by the telephone company, then finished with a "Start" tone, "ST".[22] At this point, the far end of the connection would route the call the way it was told, while the user's local exchange would presume the call was still ringing at the original number. There were two KP tones, KP1 would generally be used for domestic dialing, and KP2 for international calls.

The blue box consisted of a set of audio oscillators, a telephone keypad, an audio amplifier and speaker. Its use relied, like much of the telephone hacking methods of the time, on the use of a constant tone of 2600 Hz to indicate an unused telephone line. A free long-distance telephone call (such as a 1-800 number or, less commonly, the information operator from another area code) was made using a regular telephone, and when the line was connected, a 2600 Hz tone from the blue box was fed into the mouthpiece of the telephone, causing the operator to be disconnected and a free long-distance line to be available to the blue box user. The keyboard was then used to place the desired call, using multi-frequency tones specific for telephone operators. These frequencies are different from the normal touch tone frequencies used by telephone subscribers, which is why the telephone keypad could not be used and the blue box was necessary.

Countermeasures

The ultimate "solution" to the blue box vulnerability was to purge the network of the tone supervision system, which gave users the ability to reroute calls using tones, and send that information securely. A next generation upgrade to the long distance network was already in the plans when phreaking first became a major problem in the early 1970s, as Bell Telephone Laboratories was developing the No. 4 Electronic Switching System (4ESS). The signaling information would be transmitted over separate data channels rather than over the trunk lines. After the system was fully deployed, the users would not be able to manipulate the call routing using blue boxes.

As originally proposed, this system was to be an upgrade to the long distance network to make it more efficient, rather than be a solution to the blue box problem. The system would replace existing switching machines with more modern equipment that would cost less to maintain, take up less floor space and use less energy. Along those lines, switching would be done by digital electronics, rather than mechanical relays (although the system would still have relays). Fully deployed, the system would centrally select the optimum end to end route for the call, rather than have the call "wander" through the network, being routed around busy trunk groups. If the called phone's central office supported it, the system would query if the destination phone was available before allocating any trunk lines to the call. If that phone was busy, the busy tone could be provided at the caller's end. Calls would take less time to connect because time required to pass the number from machine to machine would be eliminated and connections through machines would be done faster and in parallel, rather than sequentially. Faster connect times would use the trunk lines more efficiently. The system would be more economical even if revenue wasn't being lost to blue box fraud. When blue box fraud became a major problem, development and deployment of this next generation system was expedited.

The blue box vulnerability in the short haul portion of the network was essentially purged starting in the early 1960s. Bell Telephone Laboratories commenced development of a digital transmission system, designated T1, in about 1957 and the phone companies began installation in about 1962. The system passed the signaling "on hook" and "off hook" states between switching machines in a manner that was secure from customer manipulation. As for the reasoning behind this design decision, the engineers may not have even recognized that the tone system was vulnerable to user manipulation. Instead, they may have recognized that the chosen digital design was not really compatible with inserting a tone at one end of the system and filtering it out at the other. The tone would generate "quantization noise" that would not be filtered out and the tone would also introduce distortion in any audio present. Until the call is answered, "on hook" must be returned from the distant end, so the tone would be present. The "audible ringback" tone, indicating that the called phone is ringing, would be distorted. Sometimes calls were connected to recorded announcements, which would be less intelligible. If the called party had a new number, an operator might be connected to provide that number, and her voice would be less intelligible.

Furthermore, designing the signaling into the transmission system probably was more economical than installing 24 signaling units at each end, one for each of the 24 channels on the system. The signaling units took up space, consumed power, and required maintenance. At the time, the signaling units still used vacuum tube technology and the new system was fully transistorized.

The T1 system was deployed extensively for short distance circuits, especially in metropolitan areas. With T1 fully deployed, a blue box could no longer access a tandem office's digit receiver for rerouting a local call to a long distance destination. This type of fraud would have been difficult to detect because telephone security would not have records of the local numbers dialed. Even if they did, those records would offer few clues as to which calls were legitimate and which were fraudulent.

To be complete, there were a few cases where a blue box would work over a T1 circuit (by manipulating signaling units downstream) but would not have worked if a circuit with signaling units had been used in place of the T1.

Analog transmission systems remained more cost effective for the long haul circuits until, at least, the 1970s. Even then, there was a huge installed base of analog circuits, and it made better economic sense to keep using them, rather than replace them. It wasn't until competitor Sprint built its all digital, "quiet", network, where "you could actually hear a pin drop",[23] that AT&T took a multi-billion dollar write-off and upgraded its long distance network to digital technology.

At the time, phreakers felt there was nothing Bell Telephone could do to stop blue boxing because it would require Bell to upgrade all their hardware.[22] That was precisely what Bell was already planning to do, but as the network already included large numbers of existing switches that were susceptible to blue boxing, the switchover would take some time.

For the immediate term, Bell responded with a number of blue box detection and law enforcement countermeasures. Armed with records of all long distance calls made, kept by both mechanical switching systems and newer electronic switching systems, including calls to toll-free telephone numbers which did not appear on customer bills, telephone security employees began examining those records looking for suspicious patterns of activity. For instance, at the time, calls to long distance information, while answered, deliberately didn't return the electrical "off hook" signal indicating that they had been answered. When an information call was diverted to another number that answered, the billing equipment would log that event. Billing computers processing the logs would generate lists of calls to information that were answered. In the early days, the lists were probably intended to detect equipment malfunctions, but the follow up investigation did lead to blue box users. After the toll free "800" service was inaugurated, the billing computers were also programmed to generate lists of lengthy calls to toll free numbers. While many of these calls were legitimate, telephone security employees would examine the lists for irregularities and follow up.

In this case, filters could be installed on those lines to block the blue box. Bell also would wiretap the affected lines. In one 1975 case, the Pacific Telephone Company targeted one defendant's line with the following equipment:

  • A CMC 2600, a device which registers on a counter the number of times a 2600 Hz tone is detected on the line;
  • A tape recorder, activated automatically by the CMC 2600 to record two minutes of telephone audio after each burst of 2600 Hz activity; and
  • A Hekemian 51A, which replicates the functions of the CMC 2600 and also produces a paper tape print-out of outgoing calls. Ordinary calls were recorded in black ink and destination numbers called via the blue box were recorded in red ink.[24]
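The billing-record screening described in this section (answered calls to information, lengthy calls to toll-free numbers) can be expressed as a short log filter. This is an added example, not part of the original article or any Bell System software: the record layout, the 30-minute threshold and all telephone numbers are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Assumption: the article says only "lengthy"; 30 minutes is an illustrative cut-off.
LONG_TOLL_FREE_SECONDS = 30 * 60

# Constructed call records. "answered" means answer supervision ("off hook")
# was returned from the far end and logged by the billing equipment.
SAMPLE_LOG = """\
calling,dialed,service,answered,seconds
202-555-0111,617-555-0100,information,no,40
202-555-0142,617-555-0100,information,yes,1260
202-555-0142,800-555-0150,toll_free,yes,5400
202-555-0167,800-555-0150,toll_free,yes,240
202-555-0111,312-555-0123,toll,yes,600
202-555-0189,800-555-0177,toll_free,yes,2100
"""


def screen(log_text, long_seconds=LONG_TOLL_FREE_SECONDS):
    """Return [(calling_line, [(reason, dialed, seconds), ...]), ...] for review.

    Two rules from the text:
      * information calls never return answer supervision, so a logged answer
        means the call ended up somewhere else (or the equipment misbehaved);
      * lengthy toll-free calls are listed for a human to examine, since many
        of them are legitimate.
    Lines with the most hits are listed first.
    """
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        answered = row["answered"].strip().lower() == "yes"
        seconds = int(row["seconds"])
        if row["service"] == "information" and answered:
            hits[row["calling"]].append(("answered_information", row["dialed"], seconds))
        elif row["service"] == "toll_free" and seconds >= long_seconds:
            hits[row["calling"]].append(("long_toll_free", row["dialed"], seconds))
    return sorted(hits.items(), key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for line, reasons in screen(SAMPLE_LOG):
        print(line, [reason for reason, _, _ in reasons])
```
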

Demise and legacy

In the 1970s and 1980s, some legacy trunks were modified to filter out single frequency tones arriving from a caller.

The development of digital switching equipment and out-of-band signaling systems with separate bearer and signaling channels (such as Common Channel Interoffice Signaling and Signaling System 7) prevented the use of blue boxes. The "blue box" terminology has since been recycled for other purposes. The hacking community evolved into other endeavors and there currently exists a commercially published hacking magazine, titled 2600, a reference to the 2600 Hz tone that was once central to so much of telephone hacking.[25]

Frequencies and timings

Each multifrequency tone consists of two frequencies chosen from a set of six, shown in the first table below. The Touch Tone encoding is shown in the second table:

Multifrequency signals

Code      700 Hz   900 Hz   1100 Hz   1300 Hz   1500 Hz   1700 Hz
1           X        X
2           X                 X
3                    X        X
4           X                           X
5                    X                  X
6                             X         X
7           X                                     X
8                    X                            X
9                             X                   X
0/10                                    X         X
11/ST3      X                                               X
12/ST2               X                                      X
KP                            X                             X
KP2                                     X                   X
ST                                                X         X

Customer-dialed Touch-Tone (DTMF) frequencies

          1209 Hz   1336 Hz   1477 Hz   1633 Hz
697 Hz       1         2         3         A
770 Hz       4         5         6         B
852 Hz       7         8         9         C
941 Hz       *         0         #         D

The rightmost column is not present on consumer telephones.

Normally, the tone durations for passing numbers from machine to machine in a "speed dialing" format are on for 60 ms, with 60 ms of silence between digits. The 'KP' and 'KP2' tones are sent for 100 ms. KP2 (ST2 in the R1 standard) was used for dialing internal Bell System telephone numbers. However, actual tone durations can vary slightly depending on location, switch type, and the machine status.

For operators, technicians, and blue box phone phreakers, the tone durations would be set by how long the buttons were held down and, for silence, how long before manually pressing the next button.

A blue box could have been constructed which would send the tones with machine to machine timing, with the number either stored in digital memory or a matrix of switches. In the switch matrix, there might be 10 rows for digits, each with 5 switches. Two switches would be moved to on, selecting the 2 tones. (KP and ST would be hard wired.) The 5 switches could be labelled 0, 1, 2, 4, and 7, with the user selecting pairs of switches adding to each digit, with special case 4 plus 7 for digit 0.

Alternatively, the tones could be recorded on magnetic tape, which would be cut into pieces and spliced together, using a commercial splicer for accurate alignment. If the phreaker matched machine dialing and recorded at 7.5 ips (inches per second), the splices for tone and silence would be about 1/2 inch long, with KP 3/4 inch long. For more manageable splicing lengths, the phreaker could use a 15 ips tape recorder, which was less common, and double those lengths. For those without a 15 ips machine but having two tape recorders, the tones could be recorded an octave low at 7.5 ips, so that the spliced pieces would be double those lengths. The spliced tape would be re-recorded from a 7.5 ips machine to a 3.75 ips machine. The resulting recording could be played back at 7.5 ips. An interval of 2600 Hz, to disconnect the trunk, followed by an interval of silence, to give enough time for a digit receiver to connect, would be added to precede KP.

This set of MF tones was originally devised for Bell System long-distance operators placing calls manually, as well as machine to machine dialing, and predates the DTMF Touch-Tone system used by subscribers. The leading 1 for customer dialed long distance calls was not dialed. For operators, the line was muted during dialing, but, for customer telephones, it was only muted while a key was pressed. The Touch Tone frequencies were chosen to minimize the risk of a customer's talking while dialing, or background sounds, being registered as one or more digits and resulting in a wrong number. Muting guarded against that happening during operator dialing, so the MF system didn't have to be, and wasn't, as robust. The tones have a simple 200 Hz spacing. For Touch Tone, harmonic relationships and intermodulation products were taken into account in the choice of tones.
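As an added example (not part of the original article), the following decoder recognises the signals in the tables above, the pattern the detection equipment listed earlier was installed to log. It classifies 20 ms frames with the Goertzel algorithm, accepts only valid two-of-six pairs, maps digit pairs through the 0, 1, 2, 4, 7 switch weights, and reports numbers sent as KP ... ST after a 2600 Hz burst. The 8 kHz sampling rate, thresholds, function names and the number 5550100 are assumptions, and the audio is constructed.

```python
import math
from itertools import groupby

RATE, FRAME = 8000, 160  # assumed 8 kHz sampling; a 20 ms frame holds whole cycles of each tone
MF_FREQS = (700, 900, 1100, 1300, 1500, 1700)
W = {700: 0, 900: 1, 1100: 2, 1300: 4, 1500: 7}  # switch labels from the text
CODES = {(a, b): str((W[a] + W[b]) % 11) for a in W for b in W if a < b}  # 4 + 7 = 11 is digit 0
CODES.update(zip(((f, 1700) for f in W), ("11/ST3", "12/ST2", "KP", "KP2", "ST")))
TONES = {sym: pair for pair, sym in CODES.items()}

def tone(freqs, ms):
    """Constructed test audio: equal-level sines (an empty tuple gives silence)."""
    return [sum(math.sin(2 * math.pi * f * i / RATE) for f in freqs) / 2
            for i in range(RATE * ms // 1000)]

def goertzel(frame, freq):
    """Power at one frequency in a frame (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def classify(frame):
    """Label a frame '2600', an MF code, or None. A lone tone scores 1.0, each of two 0.5."""
    scale = sum(x * x for x in frame) * len(frame) / 2 or 1.0  # 1.0 avoids 0/0 on silence
    if goertzel(frame, 2600) / scale > 0.8:
        return "2600"
    strong = tuple(f for f in MF_FREQS if goertzel(frame, f) / scale > 0.3)
    return CODES.get(strong)  # None unless exactly one valid 2-of-6 pair is present

def decode(samples):
    """Merge per-frame labels into (symbol, duration_ms) events, dropping silence."""
    labels = [classify(samples[i:i + FRAME]) for i in range(0, len(samples) - FRAME + 1, FRAME)]
    return [(s, 20 * len(list(g))) for s, g in groupby(labels) if s is not None]

def blue_box_numbers(events):
    """Digit strings sent as KP ... ST directly after a 2600 Hz burst."""
    syms = [s for s, _ in events]
    return ["".join(syms[i + 2:syms.index("ST", i + 2)]) for i, s in enumerate(syms)
            if s == "2600" and syms[i + 1:i + 2] == ["KP"] and "ST" in syms[i + 2:]]

def sample_call(number="5550100"):
    """Constructed capture: 2600 Hz burst, pause, then KP, digits and ST at machine timing."""
    audio = tone((2600,), 400) + tone((), 200) + tone(TONES["KP"], 100) + tone((), 60)
    for d in number:
        audio += tone(TONES[d], 60) + tone((), 60)
    return audio + tone(TONES["ST"], 60)
```

The event durations separate machine-timed sending (60 ms digits, 100 ms KP) from hand-keyed tones, whose lengths follow how long each button was held.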

Special codes

Some of the special codes a person could reach are listed below. "NPA" is a telephone company term for 'area code'.

Many of these appear to have been originally three-digit codes, dialed without the leading area code, and the format of destination numbers dialed to the international senders has changed at various points as the ability to call additional nations was added.[26]

  • NPA+100 – Plant Test – Balance termination
  • NPA+101 – Plant Test – Toll Testing Board
  • NPA+102 – Plant Test – Milliwatt tone (1004 Hz)
  • NPA+103 – Plant Test – Signaling test termination
  • NPA+104 – Plant Test – 2-way transmission and noise test
  • NPA+105 – Plant Test – Automatic Transmission Measuring System
  • NPA+106 – Plant Test – CCSA loop transmission test
  • NPA+107 – Plant Test – Par meter generator
  • NPA+108 – Plant Test – CCSA loop echo support maintenance
  • NPA+109 – Plant Test – Echo canceler test line
  • NPA+121 – Inward Operator
  • NPA+131 – Operator Directory assistance
  • NPA+141 – Rate and Route Information
  • 914+151 – Overseas incoming (White Plains, NY)
  • 212+151 – Overseas incoming (New York, NY)
  • NPA+161 – trouble reporting operator (defunct)
  • NPA+181 – Coin Refund Operator
  • 914+182 – International Sender (White Plains, NY)
  • 212+183 – International Sender (New York, NY)
  • 412+184 – International Sender (Pittsburgh, PA)
  • 407+185 – International Sender (Orlando, FL)
  • 415+186 – International Sender (Oakland, CA – in this era, 510 was TWX)
  • 303+187 – International Sender (Denver, CO)
  • 212+188 – International Sender (New York, NY)

Not all NPAs had all functions. As some NPAs contained multiple cities, an additional routing code was sometimes placed after the area code. For instance, 519+044+121 may reach the Windsor inward operator and 519+034+121 the London inward operator 175 km (109 mi) distant, but in the same area code.[27]

Blue boxes in other countries

Another signaling system widely used on international circuits (except those terminating in North America) was CCITT Signaling System No. 4 (informally known as 'SS4').

The technical definitions are specified in the former CCITT (now ITU-T) Recommendations Q.120 to Q.139.[28]

This was also an in-band system but, instead of using multifrequency signals for digits, it used four 35 ms pulses of tone, separated by 35 ms of silence, to represent digits in four-bit binary code, with 2400 Hz as a '0' and 2040 Hz as a '1'. The supervisory signals used the same two frequencies, but each supervisory signal started with both tones together (for 150 ms) followed, without a gap, by a long (350 ms) or short (100 ms) period of a single tone of 2400 Hz or 2040 Hz. Phreaks in Europe built System 4 blue boxes that generated these signals. Because System 4 was used only on international circuits, the use of these blue boxes was more specialized.

Typically, a phreak would gain access to international dialing at low or zero cost by some other means, make a dialed call to a country that was available via direct dialing, and then use the System 4 blue box to clear down the international connection and make a call to a destination that was available only via operator service. Thus, the System 4 blue box was used primarily as a way of setting up calls to hard-to-reach operator-only destinations.

A typical System 4 blue box had a keypad (for sending four-bit digit signals) plus four buttons for the four supervisory signals (clear-forward, seize-terminal, seize-transit, and transfer-to-operator). After some experimentation, nimble-fingered phreaks found that all they needed was two buttons, one for each frequency. With practice, it was possible to manually generate all the signals with sufficient timing precision, including the digit signals. This made it possible to make the blue box quite small.

A refinement added to some System 4 blue boxes was an anti-acknowledgment-echo guard tone. Because the connection between the telephone and the telephone network is two-wire, but the signaling on the international circuit operates on a four-wire basis (totally separate send and receive paths), signal-acknowledgment tones (single pulses of one of the two frequencies from the far end of the circuit after receipt of each digit) tended to be reflected at the four-wire/two-wire conversion point. Although these reflected signals were relatively faint, they were sometimes loud enough for the digit-receiving circuits at the far end to treat them as the first bit of the next digit, messing up the phreak's transmitted digits.

What the improved blue box did was to continuously transmit a tone of some other frequency (e.g., 600 Hz) as a guard tone whenever it was not sending a System 4 signal. This guard tone drowned out the echoed acknowledgment signals so that only the blue box-transmitted digits were heard by the digit-receiving circuits at the far end.

References

  1. "Steve Jobs' First Business was Selling Blue Boxes that Allowed Users to Get Free Phone Service Illegally". 2012-10-06.
  2. Playing a tune for a telephone number, Popular Electronics, February 1950
  3. AT&T, Speeding Speech, 1950
  4. Weaver, A.; Newell, N. A., "In-Band Single-Frequency Signaling" (PDF), Bell System Technical Journal
  5. Wilson, E. Jan (December 6, 1998). Telecom and Network Security: Toll Fraud & Telabuse Update. TRI-Telecommunications Reports International, Incorporated. ISBN 9780938866091 – via Google Books.
  6. Breen, C.; Dahlbom, C. A. (1960), "Signaling Systems for Control of Telephone Switching" (PDF), Bell System Technical Journal, XXXIX (6): 1381–1444, doi:10.1002/j.1538-7305.1960.tb01611.x, The keyer relay M operates and releases from signals on the M lead and alternately removes or applies 2600 cycles to the transmit line of the facility. ... Table IV—Frequencies and Digit Codes for MF Pulsing: Digit 1: Frequencies 700 + 900 ...
  7. Price, David (June 30, 2008), "Blind Whistling Phreaks and the FBI's Historical Reliance on Phone Tap Criminality", CounterPunch, archived from the original on July 1, 2008
  8. Gitlin, Martin; Goldstein, Margaret J. (December 6, 2015). Cyber Attack. Twenty-First Century Books. ISBN 9781467725125 – via Google Books.
  9. Yan, Laura (October 22, 2019). "An Early Hacker Used a Cereal Box Whistle to Take Over Phone Lines". Popular Mechanics.
  10. Berry 314A test set, retrieved 2021-03-14
  11. Shinder, Debra Littlejohn; Cross, Michael (July 21, 2008). Scene of the Cybercrime. Elsevier. ISBN 9780080486994 – via Google Books.
  12. Wozniak, Steve (October 17, 2007). iWoz: Computer Geek to Cult Icon. W. W. Norton & Company. p. 110. ISBN 9780393066869 – via Internet Archive. bluebox subculture.
  13. "Esquire". Esquire, Incorporated. July 6, 1971 – via Google Books.
  14. Lapsley, Phil (February 20, 2013). "The Definitive Story of Steve Wozniak, Steve Jobs, and Phone Phreaking". The Atlantic.
  15. Wozniak, S. G.; Smith, G. (2006), iWoz: From Computer Geek to Cult Icon: How I Invented the Personal Computer, Co-Founded Apple, and Had Fun Doing It, New York: W. W. Norton & Company, ISBN 0-393-06143-4
  16. Stix, Harriet (1986-05-14). "A UC Berkeley Degree Is Now the Apple of Steve Wozniak's Eye". Los Angeles Times. Retrieved 2015-01-05.
  17. Isaacson, Walter (2015). Steve Jobs. Simon and Schuster. ISBN 9781501127625. p. 30
  18. Olsen, Hank (April 1974). "A One-Chip, Two Tone Generator". CQ. p. 48.
  19. Whipple Jr., Spencer (1 June 1975). "Inside Ma Bell". 73. pp. 68–80. Retrieved 9 May 2019 – via Internet Archive.
  20. LLC, New York Media (June 6, 1977). "New York Magazine". New York Media, LLC – via Google Books.
  21. Pursell, Carroll W. (December 6, 2007). Technology in Postwar America: A History. Columbia University Press. ISBN 9780231123044 – via Google Books.
  22. Rosenbaum 1971.
  23. Sprint Phone Service commercial 1986 pin drop, retrieved 2021-03-16
  24. UNITED STATES of America vs. Bernard CORNFIELD, dba Grayhall Inc, No. 76-3391, United States Court of Appeals, Ninth Circuit. Oct. 27, 1977.
  25. "Archived copy". Archived from the original on 2016-06-02. Retrieved 2016-05-31.
  26. Phil Lapsley (2013). Exploding The Phone – Extra Goodies – Overseas Dialing. ISBN 978-0-8021-2061-8.
  27. Traffic Routing Guide, AT&T, 1977
  28. CCITT SS4 / ITU-T Q.120-139 https://www.itu.int/rec/dologin_pub.asp?lang=e&id=T-REC-Q.120-Q.139-198811-I!!PDF-E&type=items
