Thursday, September 20, 2012

Steve Wozniak and Steve Jobs hacked the Telephone Network with their Blue Box. Is it still possible with the existence of SS7

Hacking with Blue Box the History
The operation of a blue box is simple: First, the user places a long distance telephone call, usually to an 800 number or some other non-supervising phone number. For the most part, anything going beyond 50 miles would go over a trunk type susceptible to this technique.
When the call starts to ring, the caller uses the blue box to send a 2600 Hz tone (or 2600+2400 Hz on many international trunks followed by a 2400 Hz tone). The 2600 Hz is a supervisory signal, because it indicates the status of a trunk; on hook (tone) or off-hook (no tone). By playing this tone, you are convincing the far end of the connection that you've hung up and it should wait. When the tone stops, the trunk will go off-hook and on-hook (known as a supervision flash), making a "Ka-Cheep" noise, followed by silence. This is the far end of the connection signalling to the near end that it is now waiting for routing digits.
Once the far end sends the supervision flash, the user would use the blue box to dial a "Key Pulse" or "KP", the tone that starts a routing digit sequence, followed by either a telephone number or one of the numerous special codes that were used internally by the telephone company, then finished up with a "Start" or "ST" tone. At this point, the far end of the connection would route the call the way you told it, while the users end would think you were still ringing at the original number. KP1 is generally used for domestic dialing where KP2 would be for international calls. (wikipedia). The Fifteen Greatest Hacking Exploits

 SCCP hacking, attacking the SS7 and SIGTRAN applications

Introduction to Switching systems
Stored Program Controlled (SPC) Telephone Exchanges
Mobicents SS7 Stack
Introduction to BSS (Business Support Subsystem)

No comments:

Post a Comment