If we were to express an official view of the what these guys did once they hacked into a Target store’s PA system, we’d have to go with definitely uncool. However, it’s good to know that phone phreaking and good ol’ social engineering isn’t dead yet. Many of us got our start by playing with the systems around us.
Anyone could call into a Target store and request to be transferred to the PA’s extension code, which was the same everywhere. If the person transferring the call wasn’t quick on their feet, the caller would then be patched directly into the stores PA system. The kicker? Target had no way of stopping the PA until the caller hung-up. It’s the way the system was designed.
The hack itself is embarrassingly simple. The PA is attached to the in-store phone network. This is pretty standard. We’ve all seen a sales associate go up to phone in a store, dial a number, and make an announcement throughout the store. Where Target went wrong is improper separation of systems, and poorly thought out standardization.
The weakest link in security is always the people it’s designed for, not the one’s it’s designed to keep out. It’s a fun little prank, and hopefully Target has it sorted out now.
Thanks for the tip [Koray]!
Photo Mike Mozart, CC
In Walmart, you dial 4444 to gain access to the PA system.
Yep. The stupid thing is that they don’t tell new employees this for awhile for fear of the information spreading… but it’s basically already common knowledge.
It’s like led road traffic signs :D
Reeeeeeeally. That’s fascinating.
Back in the day it was #96, then #961. If you want current info, call in as an angry customer, get the managers name and employee number, call corporate with those creds and tell them you need a new copy of the new hire training packets faxed to you.
Do you dial this number on your regular phone? Or do you use a device sorta like the flipper zero
It’s an extension which is dialed on a store phone (or from outside, if the caller manages to trick the calltaker into transferring the call to the extension.)
Great laugh!
“According to local media, it’s at least the fourth time this prank has happened since April.”
That’s what got me laughing.
Excellent. Err, I mean *irresponsible*.
Reminds me of the early 1990s when my college roommate worked at Rite Aid and their “Muzak” system was on 4 track cassettes. The tapes actually had recordings like “Security please report to the front counter” as well as advertisements, etc. When he decided he was leaving we doctored one of the tapes on his Yamaha 4 track to slowly get stranger and stranger…Dance of the Sugarplum Fairies backwards, Velvet Underground’s “Sister Ray”, etc. It got uglier. Wish we had been there when it was played!
I also worked in a pharmacy many years ago, back when Muzak was the number one choice. I made some cassette tapes reversed and would bring in my own music. We would also call other stores and dial into their computer backend and send reports to the printer.
With great power comes great responsibility…
Speaking of nameless orchestras playing standards without vocals, I would like to complement Target for not having any music in the store. The last time in our Kroger chain I was affronted with a female singer almost solo at way above background levels (can’t sing-no melody). Then they play the “let’s go Krogering” jingle for way too long (ear worm), and no voice over. We are extant on your premises! I am wearing phones next time, keeps ear worms out.
Here’s hacking in… she is wailing away gags, vomits, and a burst of static, then soothing strings playing……and the trombone solo…. I long for real old fashioned Muzak in a store or public space. Words get in the way of thinking what to buy, talking with friends or on the phone. H. Faltermeyer and Kenny G. were the last of any hits allowed without vocals.
This reads like a spam email.
Poor security design, but 15 minutes of porn audio? Come on, try something more original.
It was probably a 12 year old that had just discovered boobies.
Hunting down PA systems vulnerable to this attack was a bit of a specialty with a certain number of phone phreakers back in the day.
I’ll never forget the look that I got from the clerk at RadioShack when I went in to buy my tone dialer and replacement crystal. He didn’t say anything or refuse the sale, but the look of disdain was priceless. One of my fondest teenage memories and likely the first serious purpose-built hacks I undertook with my soldering iron.
I took that transaction oh, so, many times.
Wow. Even if phones still worked that way.. can you imagine the person behind the counter making the connection today?
Years ago at a (then) local Safeway, I noticed the button the cashiers would press on their phone to get the PA.
Late one night while working a 90+ hour week, I was the only customer in the store, the two employees were playing “Catch” with some canned goods near the rear of the store. When it came time for me to check out, there was no one at the tills. So I picked up the receiver, pressed the button and called for “Checkout!) and hung it back up.
Both employees were there in a moment, wondering who made the page….
Seriously, nobody just powered down the PA?
Right? I’m guessing regular staff aren’t trained on how those systems work and are just told not to touch any of it.
Or just a simple cut-off switch on the connection between the PBX and the amplifier for speaker network…
What makes you think it’s not in a locked cabinet only IT people touch?
it’s most likely an EWIS system designed for evacuations, and turning it off would not be taken lightly.
Reminds me of the social engineering trick played on announcers at British airports many years ago.
https://www.netjeff.com/humor/audio/AirportPrank.html
Example: Makollig Jezvahted and Levdaroum DeBahzted
Butagaht Miohanbak and Pizstenh Izteigh. ????
Hehe, brilliant.
Maileg Zacrost and Aineed Apiz
Ayev bin Fayed and Babayev Rhibody…
Hm, I wonder why they designed their system like that? In case of emergencies or something?
So that it can be accessed from the internal phone network instead of a few specialized outlets…(flexibility)
Someone was probably lazy and didn’t bother to think about why they should set the PBX so that it doesn’t allow patching into the PA from outside or at least have an access code, and since standardization and all, this flaw was copied over to other installations…
In B&Q (a large chain of large DIY sheds) a “code 900” on the tannoy used to mean that there was a visitor from head office in the store. It was an excellent way of getting faster service at the checkout, since all management would straighten their ties and rush to the checkout.
For reference: PA = Public Announcement, for HAD editors: see the ASS or “Acronyms Seriously Suck” rule.
Lauging Out Loud… :-)
Everyone knows what a pa system is. Acronyms are awesome.
Public Address.
HAD?
H(ack) A D(ay)
ETLA == Extended Three Letter Acronym.
Or the IBM version, the EETLA (extended, enhanced TLA).
Careful, otherwise you may be reported to the AAAAA (American Association Against Acronym Abuse) for confusing acronyms with initialisms.
Back in my days at Best Buy during highschool we broke new employees in this way. We’d hit them on the radio and say “New guy, you’ve got a call on #44” (#60-70 were parked calls). You’d promptly here new guy on the intercom going “hello? Hellow?” before realizing he was hearing his voice on the PA and hanging up ;-). We also had a pretty “jockish with small brain” security guy for a while. We’d call from our cell phones and ask him to page “Stew Pidass” and all sorts of other crazy names and he’d do it….
“Chasers War on Everything – BEST OF OPEN MIC” one youtube.
That one is funny!
It’s sad that there wasn’t one single person in the store (Management? Maintenance?) that knew how to flip the stupid breaker on the store’s audio system. Very sad indeed.
either it wasn’t labeled, or was probably tied in with the same circuit as the POS system. which would kill all the registers
Possibly, but I’ve never seen a PA system that couldn’t be shut off in a hurry, even if that meant cutting a wire or two.
http://firewize.com/ewis
https://www.youtube.com/watch?v=3bX05d3PwhI
It’s not the way the PA system works.
It’s the way the PBX system works.
I worked in commercial sound for a few years. In some cases the PA system is an additional feature that reuses the same speakers, amplifiers, audio splitters and cabling that the fire annunciation system uses. This opens up a required piece of hardware for use with background music or paging.
The audio system is just a supervised amplifier with a prioritized input front end. Emergency audio over rides background music or telephone. Telephone over rides background music.
What is played through the telephone and when that can be terminated is a function of the PBX. The PBX also sets the all call password, etc.
At least that’s how it was approx 12 years ago.
Haha yes! This brings back old memories from the 90’s it was always fun to do it in store from a cell phone and watch the the employees scramble around trying to find the culprit. One of my favorites was to page for customer assistants to plus size woman’s lingerie.
Back in the day… McDonald’s outdoor order system was done over a 154.6 MHz FM radio system. Just get you ham radio modified to transmit on that frequency… sit across the parking lot and watch the drive up line… “Welcome to McDonalds, would you like a blow job?” The manager came running out after a bit and started looking around for the car with the antenna…
While working at Home Depot (10 years ago) – I was often called upon to kill the PA system from a dial tone that would get stuck on the PA line. In the computer room is was fairly obvious which phone line was fed into the audio system. I would simply disconnect it for several minutes and reconnect it.
Back in the early 1980’s, some friends discovered a local business that had an alarm system with a big “megaphone” style speaker outside the store. It was VERY sensitive to CB radio signals… so guess what we did (only twice) at about 2AM? ;) Yup… drive down what was normally a very busy street during the day, but was now very quiet… key the mic, say weird things… and hear it echoing all over the neighborhood! ;) I only did it twice, because I didn’t want to get caught. I don’t know how long it stayed that way, either. ;) I also had a small FM radio transmitter and receiver combo that I used to “take control” of the in-store music system in a local Dunkin Donuts that was a hangout for me and a few others who worked the late shift. (Early 80’s again) From the counter or a table, I could change the station ,adjust the volume, bass, and treble. My friends LOVED IT!! (The normal audio was a local (now defucnt) elevator music station. Yeah, we had rock & roll playing. ;) The radio system was in a locked box in the back… but that was irrelevant. ;) Hehe… So much fun could be had back then, when one knows electronics! ;) Nowadays, with so many things being digital and encrypted… such exploits are now WAY beyond my pay grade. ;)