Blue box

From Wikipedia, the free encyclopedia
  (Redirected from Blue box (phreaking))
Jump to navigation Jump to search
Blue box (designed and built by Steve Wozniak and sold by Steve Jobs prior to their founding of Apple) at the Powerhouse Museum, from the collection of the Computer History Museum

[1]

A blue box is an electronic device that generates the in-band signaling tones formerly generated by telephone operator consoles to control telephone switches. Developed during the 1960s, blue boxes allowed private individuals to control long-distance call routing and to bypass the toll-collection mechanisms of telephone companies,[2] enabling the user to place free long-distance telephone calls on national and international circuits.

At first the use of these techniques was limited to a small group of "phreakers", which included, among others, Steve Wozniak. After the publication of "Secrets of the Blue Box" in October 1971's edition of Esquire, interest in the topic grew tremendously, both among end-users as well as the Bell System. The practice was ruled as telephone fraud by the Bell System and the courts, and prosecuted vigorously.

Blue boxes worked because the telephone system used tones in the existing voice lines to send routing instructions, and these tones were not filtered out at the handsets. Subsequent telephone switching technologies used out-of-band signaling methods in the form of Common Channel Interoffice Signaling (CCIS) in a separate channel not accessible to the caller. Blue boxing stopped working as these systems were deployed.

A related device, dubbed black box, enabled reception of calls without incurring a charge to the caller.

History[edit]

In November 1954, the Bell System Technical Journal published an article entitled "In-Band Single-Frequency Signaling", which described the process used for routing telephone calls over trunk lines with the then-current signaling system, R1.[3] The article described the basics of the inter-office trunking system and the signals used to start, route, and end calls.[4]

In November 1960, further technical details were disclosed in the Bell System Technical Journal in an article entitled Signaling Systems for Control of Telephone Switching. This article identified the specific single frequency (SF) and multi-frequency (MF) tones used to start and end calls, and to transmit the called number, on a long-distance connection.[5]

This engineering design assumed that these signals would only originate in the automatic switching equipment. The designers were aware that the in-band signaling method was subject to false signals arising in the telephone handset from ambient sounds, and chose the frequency of 2600 Hz because it was not present in normal speech. This choice performed well in the normal use of telephones. It was not foreseen, that a telephone user could insert control signals into the switching system by sending the appropriate tones into the telephone handset.

Before the technical details were published, many users discovered unintentionally and to their annoyance that a 2600 Hz tone, used as a steady signal to mark currently unused long-distance telephone lines, or "trunk lines", would reset those lines. Joe Engressia, known as Joybubbles, accidentally discovered it at the age of seven by whistling (with his mouth).[6] He and other famous phone phreaks, such as "Bill from New York" and "The Glitch", trained themselves to whistle 2600 Hz to reset a trunk line. They also learned how to route telephone calls by causing trunks to flash in certain patterns[clarification needed]. At one point in the 1960s, packets of the Cap'n Crunch breakfast cereal included a free gift: a small whistle that, by coincidence, generated a 2600 Hz tone when one of the whistle's two holes was covered.[7] The phreaker John Draper adopted his nickname "Captain Crunch" from this whistle.[8]

The widespread ability to blue box, once limited to just a few isolated individuals exploring the telephone network, developed into a subculture.[9][10] Famous phone phreaks such as John "Captain Crunch" Draper, Mark Bernay,[11] and Al Bernay used blue boxes to explore the various 'hidden codes' that were not dialable with a standard telephone.[citation needed] Some of the more famous pranksters were Steve Wozniak and Steve Jobs, founders of Apple Computer.[12] On one occasion Wozniak dialed Vatican City and identified himself as Henry Kissinger (imitating Kissinger's German accent) and asked to speak to the Pope (who was sleeping at the time).[13][12] Wozniak said in 1986:[14]

I called only to explore the phone company as a system, to learn the codes and tricks. I'd talk to the London operator, and convince her I was a New York operator. When I called my parents and my friends, I paid. After six months I quit—I'd done everything that I could.

I was so pure. Now I realize others were not as pure, they were just trying to make money. But then I thought we were all pure.

Blue boxing hit the mainstream media when an article by Ron Rosenbaum titled Secrets of the Little Blue Box was published in the October 1971 issue of Esquire magazine.[6] Suddenly, many more people wanted to get into the phone phreaking culture spawned by the blue box, and it furthered the fame of Captain Crunch. Two major amateur radio magazines ('73' and "CQ') published articles on the telephone system in the mid-1970s. CQ Magazine published details on phone phreaking, including the tone frequencies and several working blue box schematics in 1974.[citation needed] The June 1975 issue of '73' featured an article describing the rudiments of the long-distance signaling network, how to construct red and blue boxes, and put them into operation.[15] Around the same time, do-it-yourself kits were available to build one's own blue box.[16][17]

In November 1988, the CCITT (now known as ITU-T) published recommendation Q.140 for the Signaling System No. 5, which caused a resurgence of blue boxing incidents in a new generation of users.[citation needed]

During the early 1990s, blue boxing became popular with the international warez scene, especially in Europe. Software was made to facilitate blue boxing using a computer to generate the signalling tones and play them into the phone. For the PC there were BlueBEEP, TLO, and others, and blue boxes for other platforms such as Amiga were available as well.[citation needed]

Theory[edit]

Local plain old telephone service works by watching the voltage on the telephone lines between the telephone company's exchange office and the customer's telephone. When the phone is on-hook ("hung up") the approximately 48 volt electricity from the exchange flows to the phone and is looped back without passing through the handset. When the user picks up the handset, the current has to flow through the speaker and microphone in it, causing the voltage to drop to under 10 V. This sudden drop in voltage signals the user has picked up the phone. This system works well for short-distance lines on the order of a few kilometers, but as the distance grows the capacitance of the wires begins to filter out the sharp changes in voltage. So while the system is fine for local connections to the exchange, it is not useful for watching the status of lines on long-distance connections between exchanges.

To address this need, the Bell System adopted a second system on the circuits that connected the exchanges together. These lines were switched by a system known as a "tandem", which the local exchange would switch to when it recognized the number was not local, typically by dialing a "1" at the beginning of the number. The tandem included the routing systems and long-distance trunk lines needed to talk to tandems at other exchanges, thereby linking the exchanges together. The tandems also faced the problem that the DC signals did not work over long distances, so instead, they used tones played into the lines to indicate status and dial numbers.[18]

The basic protocol worked by playing a 2600 Hz tone into the line whenever it was not being used. The tandems at both ends of a given trunk line did this. When a system received a call being routed to a remote system, it scanned the trunk lines between the two tandems looking for the tone. When it heard the tone on one of the lines, it knew it was free to use. They would then select that line and drop the 2600 Hz tone from their end. The remote tandem would hear the tone stop, drop their own tone, and then play a supervision flash, making a "ka-cheep" sound, to indicate they had noticed the signal. The line was now free on both ends to place a call.[18]

Dialing a POTS phone used the same voltage-drop system to indicate digits by rapidly cycling the hook, nine times to dial the digit 9 for instance. This was known as pulse dialing. As it also required rapid voltage changes, it too did not work over long-distance links. This is why long-distance calling required operator assistance well into the 20th century, long after local calling had been completely automated.

To address this problem and allow end-to-end user long-distance dialing, Bell introduced a second system that encoded digits as two tones, the multi-frequency signaling system, or "MF". Before the widespread use of end-user phones with touchpad dialing, the tone dialer was located in the tandem. When the user placed a long-distance call, the initial "1" connected the customer's line to the tandem, which then read the following digits, notably the area code, to find the target exchange. Once it had the target it scanned the trunk lines to that exchange looking for a free line, connected to it, and then relayed the rest of the phone number over the line using the tone dialing method. The remote tandem then decoded the tones and turned them back into pulses on the local exchange.[18]

When the call was complete and one of the parties hung up the phone, that end of the connection would indicate this by playing the 2600 Hz tone again. The other end of the connection would hear the tone and cause their local call to hang up as well.[18]

Operation[edit]

The operation of a blue box was simple: First, the user placed a long distance telephone call, often to a number that was in the target area. Usually this initial call would be to a toll-free number or some other non-supervising telephone number.[18] Using a toll-free number ensured that the phone being used for access would not be billed.

When the call began to ring, the caller would use the blue box to send a 2600 Hz tone (or 2600+2400 Hz on many international trunks followed by a 2400 Hz tone). Hearing this tone, the remote office believes the user hung up, and disconnects the call on their exchange and begins playing 2600 to mark the line free. However, this does not disconnect the call locally, only physically hanging up the phone will do that. So, in this case, the user is left on a live line, one that is connected via a long-distance trunk line to a target exchange.[18]

The user now stops playing the tone. The remote exchange interprets this loss of tone to mean the exchange's tandem is attempting to place another call. It responds by dropping its tone and then playing the flash to indicate it is ready to accept routing tones. Once the far end sends the supervision flash, the user uses the blue box to send a "Key Pulse" or "KP", the tone that starts a routing digit sequence, followed by either a telephone number or one of the numerous special codes that were used internally by the telephone company, then finished with an "Start" tone, "ST".[18] At this point, the far end of the connection would route the call the way it was told, while the user's local exchange would presume the call was still ringing at the original number. There were two KP tones, KP1 would generally be used for domestic dialing, and KP2 for international calls.

The blue box consisted of a set of audio oscillators, a telephone keypad, an audio amplifier and speaker. Its use relied, like much of the telephone hacking methods of the time, on the use of a constant tone of 2600 Hz to indicate an unused telephone line. A free long-distance telephone call (such as a 1-800 number or, less commonly, the information operator from another area code) was made using a regular telephone, and when the line was connected, a 2600 Hz tone from the blue box was fed into the mouthpiece of the telephone, causing the operator to be disconnected and a free long-distance line to be available to the blue box user. The keyboard was then used to place the desired call, using multi-frequency tones specific for telephone operators. These frequencies are different from the normal touch tone frequencies used by telephone subscribers, which is why the telephone keypad could not be used and the blue box was necessary.

Countermeasures[edit]

The ultimate "solution" to the blue box was already being developed when phreaking first became popular in the early 1970s, as Bell Telephone was prototyping the No. 4 Electronic Switching System (4ESS). This system (and similar ones) handled all call routing in a computer, sending routing instructions over separate dedicated data-only lines. This offered far better utilization of the expensive long-distance trunk lines.

For instance, if a local caller placed a call to a remote number using the tandem system, the call would have to be placed all the way to the remote number via the voice lines. If that customer was busy, the user had to listen for the busy signal and then hang up. This process required the trunk line to be connected for many seconds. Using electronic signaling, the connection request was routed over data lines, which could immediately send back a "line busy" response. This did not require the trunk line to be used at all. Although this might save only a few seconds, with millions of such calls being placed every day, the advantages quickly added up.

At the time, phreakers felt there was nothing Bell Telephone could do to stop blue boxing because it would require Bell to upgrade all their hardware.[18] That was precisely what Bell was already planning to do, but as the network already included large numbers of existing switches that were susceptible to blue boxing, the switchover would take some time.

For the immediate term, Bell responded with a number of countermeasures. As existing electronic switching systems maintained logs of all calls made, including calls to toll-free telephone numbers, Bell began examining the logs looking for suspicious patterns of activity. For instance, lengthy repeated calls to information or national hotel reservation numbers might indicate the presence of a phreaker using a particular line. In this case, filters could be installed on those lines to block the blue box. Bell also would wiretap the affected lines. In one 1975 case, the Pacific Telephone Company targeted one defendant's line with the following equipment:

  • A CMC 2600, a device which registers on a counter the number of times a 2600 Hz tone is detected on the line;
  • A tape recorder, activated automatically by the CMC 2600 to record two minutes of telephone audio after each burst of 2600 Hz activity; and
  • A Hekemian 51A, which replicates the functions of the CMC 2600 and also produces a paper tape print-out of outgoing calls. Ordinary calls were recorded in black ink and destination numbers called via the blue box were recorded in red ink.[19]

Demise and legacy[edit]

In the 1970s and 1980s, some legacy trunks were modified to filter out single frequency tones arriving from a caller.

The development of digital switching equipment and out-of-band signaling systems with separate bearer and signaling channels (such as Common Channel Interoffice Signaling and Signaling System 7) prevented the use of blue boxes. The "blue box" terminology has since been recycled for other purposes. The hacking community evolved into other endeavors[original research?] and there currently exists a commercially published hacking magazine, titled 2600, a reference to the 2600 Hz tone that was once central to so much of telephone hacking.[20]

Frequencies and timings[edit]

Each multifrequency tone consists of two frequencies chosen from a set of six, shown in the table on the left. The Touch Tone encoding is shown by the table on the right:

Operator (blue box) dialed MF frequencies
Code 700 Hz 900 Hz 1100 Hz 1300 Hz 1500 Hz 1700 Hz
1 X X
2 X X
3 X X
4 X X
5 X X
6 X X
7 X X
8 X X
9 X X
0/10 X X
11/ST3 X X
12/ST2 X X
KP X X
KP2 X X
ST X X
Customer-dialed Touch-Tone (DTMF) frequencies
1209 Hz 1336 Hz 1477 Hz 1633 Hz
697 Hz 1 2 3 A
770 Hz 4 5 6 B
852 Hz 7 8 9 C
941 Hz * 0 # D

The rightmost column is not present on
consumer telephones.

Normally, the tone durations are on for 60ms, with 60ms of silence between digits. The 'KP' and 'KP2' tones are sent for 100ms. KP2 (ST2 in the R1 standard) was used for dialing internal Bell System telephone numbers. However, actual frequency durations can vary depending on location, switch type, and the machine status.

This set of MF tones was originally devised for Bell System long-distance operators placing calls manually, and predates the DTMF Touch-Tone system used by subscribers. The leading trunk prefix 1 was not dialed as the operator was already on a Long Lines trunk at this point.

Special codes[edit]

Some of the special codes a person could get onto are in the chart below. "NPA" is a telephone company term for 'area code'.

Many of these appear to have been originally three-digit codes, dialed without the leading area code, and the format of destination numbers dialled to the international senders has changed at various points as ability to call additional nations was added.[21]

  • NPA+100 – Plant Test – Balance termination
  • NPA+101 – Plant Test – Toll Testing Board
  • NPA+102 – Plant Test – Milliwatt tone (1004 Hz)
  • NPA+103 – Plant Test – Signaling test termination
  • NPA+104 – Plant Test – 2-way transmission and noise test
  • NPA+105 – Plant Test – Automatic Transmission Measuring System
  • NPA+106 – Plant Test – CCSA loop transmission test
  • NPA+107 – Plant Test – Par meter generator
  • NPA+108 – Plant Test – CCSA loop echo support maintenance
  • NPA+109 – Plant Test – Echo canceler test line
  • NPA+121 – Inward Operator
  • NPA+131 – Operator Directory assistance
  • NPA+141 – Rate and Route Information
  • 914+151 – Overseas incoming (White Plains, NY)
  • 212+151 – Overseas incoming (New York, NY)
  • NPA+161 – trouble reporting operator (defunct)
  • NPA+181 – Coin Refund Operator
  • 914+182 – International Sender (White Plains, NY)
  • 212+183 – International Sender (New York, NY)
  • 412+184 – International Sender (Pittsburgh, PA)
  • 407+185 – International Sender (Orlando, FL)
  • 415+186 – International Sender (Oakland, CA – in this era, 510 was TWX)
  • 303+187 – International Sender (Denver, CO)
  • 212+188 – International Sender (New York, NY)

Not all NPAs had all functions. As some NPAs contained multiple cities, an additional routing code was sometimes placed after the area code. For instance, 519+044+121 may reach the Windsor inward operator and 519+034+121 the London inward operator 175 km distant, but in the same area code.[22]

Blue boxes in other countries[edit]

Another signaling system widely used on international circuits (except those terminating in North America) was CCITT Signaling System No. 4 (friendly named 'SS4').

Technical definitions are specified in formerly CCITT (now ITU-T) Recommendations Q.120 to Q.139.[23]

This was also an in-band system but, instead of using multifrequency signals for digits, it used four 35 ms pulses of tone, separated by 35 ms of silence, to represent digits in four-bit binary code, with 2400 Hz as a '0' and 2040 Hz as a '1'. The supervisory signals used the same two frequencies, but each supervisory signal started with both tones together (for 150 ms) followed, without a gap, by a long (350 ms) or short (100 ms) period of a single tone of 2400 Hz or 2040 Hz. Phreaks in Europe built System 4 blue boxes that generated these signals. Because System 4 was used only on international circuits, the use of these blue boxes was more specialized.

Typically, a phreak would gain access to international dialing at low or zero cost by some other means, make a dialed call to a country that was available via direct dialing, and then use the System 4 blue box to clear down the international connection and make a call to a destination that was available only via operator service. Thus, the System 4 blue box was used primarily as a way of setting up calls to hard-to-reach operator-only destinations.[citation needed]

A typical System 4 blue box had a keypad (for sending four-bit digit signals) plus four buttons for the four supervisory signals (clear-forward, seize-terminal, seize-transit, and transfer-to-operator). After some experimentation, nimble-fingered phreaks found that all they really needed was two buttons, one for each frequency. With practice, it was possible to manually generate all the signals with sufficient timing precision, including the digit signals. This made it possible to make the blue box quite small.

A refinement added to some System 4 blue boxes was an anti-acknowledgement-echo guard tone. Because the connection between the telephone and the telephone network is two-wire, but the signalling on the international circuit operates on a four-wire basis (totally separate send and receive paths), signal-acknowledgement tones (single pulses of one of the two frequencies from the far end of the circuit after receipt of each digit) tended to be reflected back at the four-wire/two-wire conversion point. Although these reflected signals were relatively faint, they were sometimes loud enough for the digit-receiving circuits at the far end to treat them as the first bit of the next digit, messing up the phreak's transmitted digits.

What the improved blue box did was to continuously transmit a tone of some other frequency (e.g., 600 Hz) as a guard tone whenever it was not sending a System 4 signal. This guard tone drowned out the echoed acknowledgement signals, so that only the blue box-transmitted digits were heard by the digit-receiving circuits at the far end.

See also[edit]

References[edit]

  1. ^ "Steve Jobs' First Business was Selling Blue Boxes that Allowed Users to Get Free Phone Service Illegally". 2012-10-06.
  2. ^ Sterling, Bruce. "2". The Hacker Crackdown.
  3. ^ Weaver, A.; Newell, N. A., "In-Band Single-Frequency Signaling" (PDF), Bell System Technical Journal
  4. ^ Wilson, E. Jan (December 6, 1998). Telecom and Network Security: Toll Fraud & Telabuse Update. TRI-Telecommunications Reports International, Incorporated. ISBN 9780938866091 – via Google Books.
  5. ^ Breen, C.; Dahlbom, C. A. (1960), "Signaling Systems for Control of Telephone Switching" (PDF), Bell System Technical Journal, XXXIX (6): 1381–1444, doi:10.1002/j.1538-7305.1960.tb01611.x, The keyer relay M operates and releases from signals on the M lead and alternately removes or applies 2600 cycles to the transmit line of the facility. ... Table IV—Frequencies and Digit Codes for MF Pulsing: Digit 1: Frequencies 700 + 900 ...
  6. ^ a b Price, David (June 30, 2008), "Blind Whistling Phreaks and the FBI's Historical Reliance on Phone Tap Criminality", CounterPunch, archived from the original on July 1, 2008
  7. ^ Gitlin, Martin; Goldstein, Margaret J. (December 6, 2015). Cyber Attack. Twenty-First Century Books. ISBN 9781467725125 – via Google Books.
  8. ^ Yan, Laura (October 22, 2019). "An Early Hacker Used a Cereal Box Whistle to Take Over Phone Lines". Popular Mechanics.
  9. ^ Shinder, Debra Littlejohn; Cross, Michael (July 21, 2008). Scene of the Cybercrime. Elsevier. ISBN 9780080486994 – via Google Books.
  10. ^ Wozniak, Steve (October 17, 2007). iWoz: Computer Geek to Cult Icon. W. W. Norton & Company. p. 110. ISBN 9780393066869 – via Internet Archive. bluebox subculture.
  11. ^ "Esquire". Esquire, Incorporated. July 6, 1971 – via Google Books.
  12. ^ a b Lapsley, Phil (February 20, 2013). "The Definitive Story of Steve Wozniak, Steve Jobs, and Phone Phreaking". The Atlantic.
  13. ^ Wozniak, S. G.; Smith, G. (2006), iWoz: From Computer Geek to Cult Icon: How I Invented the Personal Computer, Co-Founded Apple, and Had Fun Doing It, New York: W. W. Norton & Company, ISBN 0-393-06143-4
  14. ^ Stix, Harriet (1986-05-14). "A UC Berkeley Degree Is Now the Apple of Steve Wozniak's Eye". Los Angeles Times. Retrieved 2015-01-05.
  15. ^ "73 Magazine (June 1975)". 1 June 1975. Retrieved 9 May 2019 – via Internet Archive.
  16. ^ LLC, New York Media (June 6, 1977). "New York Magazine". New York Media, LLC – via Google Books.
  17. ^ Pursell, Carroll W. (December 6, 2007). Technology in Postwar America: A History. Columbia University Press. ISBN 9780231123044 – via Google Books.
  18. ^ a b c d e f g h Rosenbaum 1971.
  19. ^ UNITED STATES of America vs. Bernard CORNFELD, dba Grayhall Inc, No. 76-3391, United States Court of Appeals, Ninth Circuit. Oct. 27, 1977.
  20. ^ "Archived copy". Archived from the original on 2016-06-02. Retrieved 2016-05-31.CS1 maint: archived copy as title (link)
  21. ^ Phil Lapsley (2013). Exploding The Phone – Extra Goodies – Overseas Dialing. ISBN 978-0-8021-2061-8.
  22. ^ Traffic Routing Guide, AT&T, 1977
  23. ^ CCITT SS4 / ITU-T Q.120-139 https://www.itu.int/rec/dologin_pub.asp?lang=e&id=T-REC-Q.120-Q.139-198811-I!!PDF-E&type=items

Bibliography[edit]

External links[edit]