Phreaking - The PSTN

Introduction

In this section, we'll take a look at how your telephone works and what actually happens when you call someone, or they call you. I'm limiting this section to a discussion on how things work with a standard BT connection, although I'll be putting up other sections in due course on ISDN, ADSL, Cable etc.

The idea is to give you a breakdown of the possible weak links that can be exploited along the connection path ;)

Your telephone is a part of the Public Switched Telephone Network (PSTN). Think of it along the same lines as a computer network, but for telephones.

The Layout of the PSTN.

[Figure: the layout of the PSTN]

Starting from your home phone, this is usually linked to a telegraph pole local to your street. The telegraph pole collects lines from other houses in your vicinity, then feeds them on to other telegraph poles.

This is the first point at which the phreaker can gain access without using his own line. He can access his neighbours' lines directly as they feed into the house, or he can use the connection box at the top of each telegraph pole to use a line.

At some point, the last telegraph pole in the line feeds into a CAB (or PCP) box, from which all of the connections are routed on towards the local BT telephone exchange. Once again, this is a weak link the phreaker can exploit, particularly for beige boxing. This is usually as far as the average hacker's understanding of phreaking goes: he uses the easiest point available to break into the PSTN so that he can hack from a phone line that can't be traced back to himself.

The phreaker of course is more interested in what lies after the CAB box. After all, he wants to know how to manipulate the PSTN itself.

The CAB box output leads either directly to a local exchange, or to an RCU (Remote Concentrator Unit), which in high-density areas gathers the outputs of many CAB boxes and feeds all of their lines on to an exchange.

The local exchange is known as a DLSU (Digital Local Switching Unit), and acts as either a DLE (Digital Local Exchange) or a DCCE (Digital Cell Centre Exchange). All of the local DLSUs are linked together and form what is called the Local Network.

The DCCE links to the Trunk Network (i.e. the whole of the UK) via DMSUs (Digital Main Switching Units). There are 59 DMSUs in the UK, all fully interconnected.

RCUs, DLSUs and DMSUs are based primarily on two different types of digital exchange, known as System X (developed by GEC Plessey) and System Y (the AXE10 system developed by Ericsson), although other types are still in use, particularly in smaller rural areas.

The diagram only shows one example of each element. Obviously your connection might not necessarily go through an RCU, and there may be several RCUs connecting to a single DLSU, and so on.

So how does the phone system actually work?

The UK network is based on the CCITT7 standard. It uses CCS (Common Channel Signalling) to allow both control tones and speech to be present between exchanges, whilst limiting the signalling between the user's phone and his local exchange to the speech band only. The old CCITT5 standard (discussed in the Blue Boxing section) also used CCS; however, the signal tones used to control the switches were present in the speech band. This enabled the phreaker to take control of switching simply by playing tones into the telephone.

CCITT7 uses two different frequency ranges: a lower range for speech and a higher range for control codes. So, for example, when you pick up the phone, your local exchange applies a low-pass (actually a band-pass) filter to your line, so if the phreaker tries to play control frequencies down the line they are automatically attenuated and have no effect. The exchange-to-exchange lines, however, carry both ranges, allowing each exchange to send speech and control tones at the same time. Sending control codes in the higher frequency range is called Out of Band Signalling; the speech part is known as In Band Signalling.

For those who want the gory details, the following graph shows the bands. I measured these myself by connecting two computers across the PSTN and performing a frequency sweep, injecting a signal from 0Hz up to 5kHz into the PSTN from one of the computers. The second computer on the PSTN was set up to record amplitude versus frequency from the incoming signal. I'll be putting up the circuit schematics and details of how you can do this on this site in due course, should you want to try this yourself. But be warned, don't do it from line connections that can be traced back to yourself ;)

[Figure: measured PSTN bandwidth, amplitude versus frequency]

OK Mr BT security man, before you take this as evidence and decide to prosecute, let me point out I have a hardware based PSTN simulator which I bought to ensure I have a rock solid defence unless you actually catch me in the act of doing naughty things on your network :)))

BTW. To all of you electronics gurus out there, you might like to go back to filter theory and take a look at how the phreaker could theoretically inject control signals into the PSTN directly from a home/payphone/cab box connection, depending upon the type of Linecard used at the PSTN's local first point of filtering. A filter is never perfect :)))

Hint...take a look at the converse and see if you can pick up the control frequencies at your own connection ;)

Anyone who needs to ask what this means isn't ready for this type of investigation into the inadequacies of the Telco's current primary hardware. Trying anything like this without knowing exactly what you are doing is asking for a jail sentence.

I will be putting up a section soon on electronics for phreaking which will include all of the circuits I have developed to explore the workings of the PSTN.

How Your Phone is Connected to the Exchange.

[Figure: how your phone is connected to the exchange]

OK. Let's start from the Exchange end and work our way to your phone.

The Linecard is the first point of contact your phone has with the exchange. It is responsible for handling everything to do with your phone: it gives you a dial tone when you pick your phone up, rings your phone when you get a call, and so on.

The -48V DC power supply is derived from the mains and is backed up by a massive set of batteries to ensure power is available for the PSTN should the mains fail at the exchange (or in your own home).

Your Master Socket has three components. The first is the Spark Gap (SG), which protects your phone should the exchange develop a problem and produce a line pair voltage greater than about 90V. It also protects the wiring from your phone to the exchange should your phone develop a fault and try to inject mains voltage (for those who have mains-powered phones) down the line pair.

The resistor/capacitor pair has two functions. The capacitor stops any DC current being drawn from the exchange if you don't have a phone connected (a capacitor won't conduct DC), but allows AC signals to flow through the resistor back to the exchange. BT use this to perform routine line checks remotely from the exchange. These usually happen every couple of days or so, during the small hours of the morning when you are least likely to be using your phone.

Finally, on to your phone. There are literally dozens of different designs for phones. All I've shown here is the bridge rectifier (which allows the phone to work regardless of the polarity of the incoming line pair) and the hook switch, which is operated when you pick the phone up.

An Example.

So, let's take a look at an example of how your phone interacts with your local exchange.

Let's assume you want to call someone. You pick up the phone. This closes the hook switch, and the exchange senses the resulting loop current, so it knows you have picked up the phone. The Linecard at the exchange then places a dial tone across the line pair and waits for DTMF tones from your phone. If it doesn't get any DTMF it times out and sends the timeout signal/message. Assuming you dial a number after you hear the dial tone, your phone sends DTMF tones to the Exchange every time you press a digit. The Exchange interprets these, and then routes your call through the PSTN. If at any point it can't connect, the Exchange sends you a suitable message and waits for you to hang up.
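As an added example (not code from the original page), here is a small DTMF receiver of the kind the Linecard uses to read the digits your phone sends: it uses the Goertzel algorithm to measure the eight keypad frequencies in a block of audio and only accepts a digit when both a row tone and a column tone are present, so silence or a lone tone is rejected. The 8 kHz sample rate, 205-sample block size and amplitude threshold are assumptions, and the tone bursts are constructed inline.

```python
import math

# DTMF keypad: each key is the sum of one low (row) and one high (column) tone, in Hz.
ROW_FREQS = (697, 770, 852, 941)
COL_FREQS = (1209, 1336, 1477, 1633)
KEYPAD = ("123A", "456B", "789C", "*0#D")

def goertzel_amplitude(samples, freq, fs):
    """Estimate the amplitude of one frequency in a block of samples.

    The Goertzel algorithm is a single-bin DFT, which is how a DTMF receiver
    measures each of the eight keypad tones without computing a full FFT.
    """
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / fs)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    power = s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2
    # |X(f)| for a sine of amplitude A over N samples is about A*N/2.
    return 2.0 * math.sqrt(max(power, 0.0)) / len(samples)

def detect_digit(samples, fs=8000, min_amplitude=0.1):
    """Return the keypad digit in the block, or None if no valid row+column pair."""
    rows = [goertzel_amplitude(samples, f, fs) for f in ROW_FREQS]
    cols = [goertzel_amplitude(samples, f, fs) for f in COL_FREQS]
    r = max(range(4), key=rows.__getitem__)
    c = max(range(4), key=cols.__getitem__)
    # A single tone, silence or an out-of-band signal must not register as a digit.
    if rows[r] < min_amplitude or cols[c] < min_amplitude:
        return None
    return KEYPAD[r][c]

def synth_tones(freqs, fs=8000, n=205, amplitude=0.5):
    """Constructed test signal: a sum of sine waves, one per frequency (assumed block size 205)."""
    return [sum(amplitude * math.sin(2 * math.pi * f * i / fs) for f in freqs)
            for i in range(n)]

def dtmf_tone(digit, fs=8000, n=205):
    """Constructed DTMF burst for one keypad digit, as a phone would send it to the exchange."""
    r = next(i for i, row in enumerate(KEYPAD) if digit in row)
    return synth_tones((ROW_FREQS[r], COL_FREQS[KEYPAD[r].index(digit)]), fs, n)

def decode_number(bursts, fs=8000):
    """Decode a sequence of tone bursts into the dialled digits, dropping invalid bursts."""
    return "".join(d for d in (detect_digit(b, fs) for b in bursts) if d)
```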

Conspiracy Theory, Anyone?

This brings us to an interesting aside for all you paranoid people out there. No doubt you have all heard of Echelon, and GCHQ's ability to record any telephone conversations you make. If you haven't heard about this, you should definitely find out more. There are plenty of articles on the web covering Echelon and how it works.

Want a double dose of paranoia? Then read on ;)

I've read a few articles (in the press and on web sites) discussing the possibility of your home phone being used by the Authorities to enable them to hear everything you say in your own home, regardless of whether or not you are actually using the phone.

All of the articles are pretty vague when it comes down to technicalities of how this could be achieved. Most mention the telephone speaker and how it may be possible to use this as a listening device when your phone is placed on hook. A couple of articles I have read state the line pair needs to be reversed for this to happen.

Whilst this is theoretically possible, it would require the cooperation of all the telephone manufacturers to enable this to happen. I decided to take a closer look at the internals of the telephone to see if this is a real threat to the paranoid.

I took a look at five different phones, all from different manufacturers, and of various years of age in terms of design. Unfortunately I don't have any BT phones, so I can't vouch for BT being involved one way or another.

The results were inconclusive. It is certainly not possible with three of the phone circuits I examined, as the hook switch effectively broke the loop to the exchange completely. However, the other two phones did have the potential for misuse, as the phone chip was supplied with power from the output of the bridge input, i.e. before the hook switch. The ability to listen in would depend on the internal layout of the phone chip used. This is a grey area, as most manufacturers give a limited circuit diagram of the internals of their chips.

I'm not convinced one way or another at the moment, although from what I have seen, it is theoretically possible. I'll be taking a closer look at this in due course by testing out the two suspect phones to see if they can be used for remote monitoring.

Until then... let the paranoid beware ;)

How Can the Phreaker Manipulate the PSTN?

OK. If you take a look at a typical phone number, it will be in the form of...

area code, e.g. 0191
exchange code, e.g. 222
phone number, e.g. 1111

Here's the first way a phreaker can access and gain control over his local Exchange. All Exchanges have a dial up number so Engineers can call up the Exchange from any phone. Once connected (to an automated response) they need to provide a PIN code. After that, they can do virtually anything they want within that Exchange.

So what's the dial-up number?

It varies from Exchange to Exchange, but given the above example, there are only 10000 numbers to scan. A wardialler set to scan the local Exchange and record results would find any interesting numbers in a very short space of time ;)

Most Exchanges also have a data dial up line. Once again the wardialler will get this.

The biggest target for the phreaker has to be the complete area code scan via a wardialler as this will potentially give him connections to the nearest DCCE and DMSU. Once in (by voice or modem), the phreaker can manipulate ANY line he wants ;)

In addition to gaining access via dial up, the phreaker can also gain access via an Internet connection if he can find the reserved IP addresses, or from the PSDN (Public Switched Data Network) from a leased line.
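From the defender's side, the scan described above leaves a distinctive trace in the exchange's call records: one caller dialling many distinct numbers under the same area code and exchange code, each call lasting only seconds. As an added example that is not part of the original page, the following detector flags that pattern over a constructed set of call records; the record format, the 300-second window and the thresholds are assumptions, and setting prefix_len to 4 generalises it to a whole-area-code scan.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records, "timestamp caller called duration_seconds"; a real
# exchange's CDR layout differs, this is only input for the detector.
SAMPLE_CDR = """\
2004-05-01T02:10:00 01912227001 01912220001 3
2004-05-01T02:10:09 01912227001 01912220002 4
2004-05-01T02:10:17 01912227001 01912220003 2
2004-05-01T02:10:26 01912227001 01912220004 5
2004-05-01T02:10:33 01912227001 01912220005 3
2004-05-01T02:10:41 01912227001 01912220006 4
2004-05-01T02:10:50 01912227001 01912220007 3
2004-05-01T02:12:15 01912225555 01912226666 412
2004-05-01T02:40:30 01912225555 01914441234 95
"""

LINE_RE = re.compile(r"^(\S+) (\d{11}) (\d{11}) (\d+)$")

def parse_cdr(text):
    """Yield (timestamp, caller, called, duration) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m[1]), m[2], m[3], int(m[4])

def find_scans(records, prefix_len=7, window_s=300, min_numbers=6, max_avg_duration=10):
    """Flag callers that dial many distinct numbers under one prefix within a short window.

    prefix_len=7 groups by area code + exchange code (0191 222); prefix_len=4 groups by
    area code alone. Returns {(caller, prefix): most distinct numbers in any one window}.
    """
    by_pair = defaultdict(list)
    for ts, caller, called, dur in records:
        by_pair[(caller, called[:prefix_len])].append((ts, called, dur))
    flagged = {}
    for key, calls in by_pair.items():
        calls.sort()
        j = 0
        for i in range(len(calls)):
            # Advance j to the first call that falls outside the window starting at call i.
            while j < len(calls) and (calls[j][0] - calls[i][0]).total_seconds() <= window_s:
                j += 1
            window = calls[i:j]
            distinct = {c[1] for c in window}
            avg_dur = sum(c[2] for c in window) / len(window)
            if len(distinct) >= min_numbers and avg_dur <= max_avg_duration:
                flagged[key] = max(flagged.get(key, 0), len(distinct))
    return flagged
```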
