Unexpectedly Interesting Payphone Gives Up Its Secrets

Reverse engineering a payphone doesn’t sound like a very interesting project, at least in the United States, where payphones were little more than ruggedized versions of residential phones with a coin mechanism attached. Phones in other parts of the world were far more interesting, though, as this look at the mysteries of a payphone from Israel reveals (in Hebrew; English translation here).

This is a project [Inbar Raz] worked on quite a while ago, but only got around to writing up recently. The payphone in question was sourced from the usual surplus market channels, and appears to have been removed from service by Israeli telecommunications company Bezeq only shortly before he found it. It was in pretty good shape, and was even still locked tight, making some amateur locksmithing the first order of the day. The internals of the phone are surprisingly complex, with a motherboard that looks more like something from a PC. Date codes on the chips and through-hole construction date the device to the early- to mid-1990s.

With physical access gained, [Inbar] turned to the firmware. An Atmel flash chip seemed a good place to look, and indeed he was able to pull code off the chip. That’s where things took a turn thanks to the CPU the code was written for — the CDP1806, a later version of the more popular but still fringe CDP1802. This required [Inbar] to fall down the rabbit hole of writing a new processor definition file for Ghidra so that the firmware could be reverse-engineered. This got him to the point of understanding 1806 assembly well enough that he was able to re-flash the phone to print debugging messages on the built-in 16×2 LCD screen, which allowed him to figure out which routines were being called under various error conditions.
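To give a feel for what a processor definition like the one described above has to capture, here is a small table-driven disassembler for the CDP1802 base instruction set. It is an added illustration, not code from [Inbar Raz]'s project or from his Ghidra definition; it assumes the public 1802 opcode map, and the 1806's 0x68 extended-opcode prefix is only flagged, not decoded. The sample program is constructed.

```python
"""Minimal table-driven disassembler for the RCA CDP1802 base instruction set.

Added illustration, not code from [Inbar Raz]'s project or his Ghidra definition:
it sketches the opcode-to-mnemonic mapping a processor definition must express.
Assumes the public CDP1802 opcode map; the CDP1806's 0x68 extended-opcode prefix
is flagged but not decoded, since its second byte selects among many extra ops.
"""

# High nibble selects the operation, low nibble one of the registers R0..RF.
REGISTER_OPS = {0x0: "LDN", 0x1: "INC", 0x2: "DEC", 0x4: "LDA", 0x5: "STR",
                0x8: "GLO", 0x9: "GHI", 0xA: "PLO", 0xB: "PHI", 0xD: "SEP", 0xE: "SEX"}
# 0x3x short branches: one operand byte replaces the low byte of the program counter.
SHORT_BRANCH = ["BR", "BQ", "BZ", "BDF", "B1", "B2", "B3", "B4",
                "SKP", "BNQ", "BNZ", "BNF", "BN1", "BN2", "BN3", "BN4"]
# 0x6x: IRX, OUT 1-7, the 1806 prefix slot, INP 1-7 (no operand bytes).
IO_OPS = ["IRX"] + [f"OUT {n}" for n in range(1, 8)] + ["?"] + [f"INP {n}" for n in range(1, 8)]
# 0x7x: control ops and carry arithmetic; 0x7C, 0x7D, 0x7F take an immediate byte.
CONTROL_OPS = ["RET", "DIS", "LDXA", "STXD", "ADC", "SDB", "SHRC", "SMB",
               "SAV", "MARK", "REQ", "SEQ", "ADCI", "SDBI", "SHLC", "SMBI"]
# 0xCx: long branches (16-bit big-endian target) and long skips (no operand); 0xC4 is NOP.
LONG_OPS = ["LBR", "LBQ", "LBZ", "LBDF", "NOP", "LSNQ", "LSNZ", "LSNF",
            "LSKP", "LBNQ", "LBNZ", "LBNF", "LSIE", "LSQ", "LSZ", "LSDF"]
LONG_BRANCH_CODES = {0x0, 0x1, 0x2, 0x3, 0x9, 0xA, 0xB}
# 0xFx: ALU ops on M(R(X)) (0xF0-0xF7) and their immediate forms (0xF8-0xFF).
ALU_OPS = ["LDX", "OR", "AND", "XOR", "ADD", "SD", "SHR", "SM",
           "LDI", "ORI", "ANI", "XRI", "ADI", "SDI", "SHL", "SMI"]


def decode_one(code, pc, base=0):
    """Decode the instruction at offset pc; return (assembly text, length in bytes)."""
    op = code[pc]
    hi, lo = op >> 4, op & 0xF
    addr = base + pc
    if op == 0x00:
        return "IDL", 1
    if hi in REGISTER_OPS:
        return f"{REGISTER_OPS[hi]} R{lo:X}", 1
    if hi == 0x3:
        if lo == 0x8:            # SKP has no operand byte
            return "SKP", 1
        # R(P) already points at the operand when it is fetched, so the branch stays
        # within the 256-byte page of the operand byte, not of the opcode.
        target = ((addr + 1) & 0xFF00) | code[pc + 1]
        return f"{SHORT_BRANCH[lo]} ${target:04X}", 2
    if op == 0x68:
        # CDP1806 extension prefix (undefined on the plain 1802).  Extended ops may carry
        # further operand bytes, so a full definition has to decode the second byte too.
        return f"DB $68,${code[pc + 1]:02X}  ; 1806 extended opcode, not decoded here", 2
    if hi == 0x6:
        return IO_OPS[lo], 1
    if hi == 0x7:
        if lo in (0xC, 0xD, 0xF):
            return f"{CONTROL_OPS[lo]} #${code[pc + 1]:02X}", 2
        return CONTROL_OPS[lo], 1
    if hi == 0xC:
        if lo in LONG_BRANCH_CODES:
            target = (code[pc + 1] << 8) | code[pc + 2]
            return f"{LONG_OPS[lo]} ${target:04X}", 3
        return LONG_OPS[lo], 1
    # hi == 0xF
    if lo >= 0x8:
        return f"{ALU_OPS[lo]} #${code[pc + 1]:02X}", 2
    return ALU_OPS[lo], 1


def disassemble(code, base=0):
    """Linear sweep; returns (address, raw bytes, text) per instruction.  The skip
    instructions (SKP, LSKP and the long skips) turn the following bytes into data,
    so a linear sweep can desynchronise there; that is one reason Ghidra's
    flow-aware disassembly beats a dumb sweep."""
    listing, pc = [], 0
    while pc < len(code):
        text, length = decode_one(code, pc, base)
        raw = " ".join(f"{b:02X}" for b in code[pc:pc + length])
        listing.append((base + pc, raw, text))
        pc += length
    return listing


# Constructed sample: count R1 down from 5, then spin forever.
SAMPLE = bytes.fromhex("F805 A1 21 81 3A03 3007 6876 C00000")

if __name__ == "__main__":
    for addr, raw, text in disassemble(SAMPLE):
        print(f"{addr:04X}  {raw:<9} {text}")
```

The short-branch target calculation is the kind of detail that is easy to get wrong in a processor definition: the page is taken from the address of the operand byte, which matters when a branch opcode sits at the last byte of a page.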

It doesn’t appear that [Inbar] ever completed the reverse engineering project, but as he points out, what does that even mean? He got inside, took a look around, and made the phone do some cool things it couldn’t do before, and in the process made things easier for anyone working with 1806 processors in Ghidra. That’s a pretty complete win in our books.


Hackaday Links: October 27, 2019

A year ago, we wrote about the discovery of a treasure trove of original documentation from the development of the MOS 6502 by Jennifer Holdt-Winograd, daughter of the late Terry Holdt, the original program manager on the project. Now, Ms. Winograd has created a website to celebrate the 6502 and the team that built it. There’s an excellent introductory video with a few faces you might recognize, nostalgia galore with period photographs that show the improbable styles of the time, and of course the complete collection of lab notes, memos, and even resumes of the team members. If there were a microchip hall of fame – and there is – the 6502 would be a first-round pick, and it’s great to see the history from this time so lovingly preserved.

Speaking of the 6502, did you ever wonder what the pin labeled SO was for? Sure, the data sheets all say pin 38 of the original 40-pin DIP was the “Set Overflow” pin, an active low that set the overflow bit in the Processor Status Register. But Rod Orgill, one of the original design engineers on the 6502, told a different story: that “SO” was the initials of his beloved dog Sam Orgill. The story may be apocryphal, but it’s a Good Doggo story, so we don’t care.

You may recall a story we ran not too long ago about the shortage of plutonium-238 to power the radioisotope thermoelectric generators (RTGs) for deep-space missions. The Cold War-era stockpiles of Pu-238 were running out, but Oak Ridge National Laboratory scientists and engineers came up with a way to improve production. Now there’s a video showing off the new automated process from the Periodic Videos series, hosted by the improbably coiffed Sir Martyn Poliakoff. It’s fascinating stuff, especially seeing workers separated from the plutonium by hot-cells with windows that are 4-1/2 feet (1.4 meters) thick.

Dave Murray, better known as YouTube’s “The 8-Bit Guy”, can neither confirm nor deny the degree to which he participated in the golden age of phone phreaking. But this video of his phreaking presentation at the Portland Retro Gaming Expo reveals a lot of suspiciously detailed knowledge about the topic. The talk starts at 4:15 or so and is a nice summary of blue boxes, DTMF hacks, war dialing, and all the ways we curious kids may or may not have kept our idle hands busy before the Interwebz came along.

Do you enjoy a puzzle? We sure do, and one was just laid before us by a tipster who prefers to stay anonymous, but for whom we can vouch as a solid member of the hacker community. So no malfeasance will befall you by checking out the first clue, a somewhat creepy found footage-esque video with freaky sound effects, whirling clocks, and a masked figure reading off strings of numbers in a synthesized voice. Apparently, these clues will let you into a companion website. We worked on it for a bit and have a few ideas about how to crack this code, but we don’t want to give anything away. Or more likely, mislead anyone.

And finally, if there’s a better way to celebrate the Spooky Season than to model predictions on how humanity would fare against a vampire uprising, we can’t think of one. Dominik Czernia developed the Vampire Apocalypse Calculator to help you decide when and if to panic in the face of an uprising of the undead metabolically ambiguous. It supports several models of vampiric transmission, taken from the canons of popular genres from literature, film, and television. The Stoker-King model makes it highly likely that vampires would replace humans in short order, while the Harris-Meyer-Kostova model of sexy, young vampires is humanity’s best bet except for having to live alongside sparkly, lovesick vampires. Sadly, the calculator is silent on the Whedon model, but you can set up your own parameters to model a world with Buffy-type slayers at your leisure. Or even model the universe of The Walking Dead to see if it’s plausible that humans are still alive 3599 days into the zombie outbreak.

Manhattan Mystery Of Creepy Jingles And Random Noises Solved

Here’s a puzzler for you: If you’re phreaking something that’s not exactly a phone, are you still a phreak?

That question probably never crossed the minds of New Yorkers who were acoustically assaulted on the normally peaceful sidewalks of Manhattan over the summer by creepy sounds emanating from streetside WiFi kiosks. The auditory attacks caused quite a stir locally, leading to wild theories that Russian hackers were behind it all. Luckily, the mystery has been solved, and it turns out to have been part prank, part protest, and part performance art piece.

To understand the exploit, realize that New York City has removed thousands of traditional pay phones from city sidewalks recently and replaced them with LinkNYC kiosks, which are basically WiFi hotspots with giant HDTV displays built into them. For the price of being blitzed with advertisements while strolling by, anyone can make a free phone call using the built-in VOIP app. That was the key that allowed [Mark Thomas], an old-school phreak and die-hard fan of the pay telephones that these platforms supplanted, to launch his attack. It’s not exactly rocket surgery; [Mark] dials one of the dozens of conference call numbers he has set up with pre-recorded audio snippets. A one-minute delay lets him crank the speakerphone volume up to 11 and abscond. The recordings vary, but everyone seemed most creeped out by the familiar jingle of the [Mr. Softee] ice cream truck franchise, slowed down and distorted to make it sound like something from a fever dream.

Yes, it’s a minimal hack, and normally we don’t condone the misuse of public facilities, even ones as obnoxious as LinkNYC appears to be. But it does make a statement about the commercialization of the public square, and honestly, we’re glad to see something that at least approaches phreaking again. It’s a little less childish than blasting porn audio from a Target PA system, and far less dangerous than activating a public safety siren remotely.


Automatic Phone Dialer Illuminates Inner Workings

The invention of the transistor ushered in a lot of technologies that we now take for granted, and one of the less-thought-about areas in which it improved living conditions worldwide was by making the touch-tone phone possible. No longer would the world have to fuss with dials to make phone calls; they could simply push some buttons. This technology is still in use today, and it is possible to build external phone dialers that use these tones to make phone calls, as [SunFounder] demonstrates with his latest project.

The tones that a phone makes when a button is pressed correlate with specific frequencies for each number. Automatic dialers like this one help when there are multiple carriers (like different long-distance carriers, for example) where different prefixes can be used to make calls cheaper depending on the destination of the call. A preprogrammed dialer can take all of this complication out of making phone calls. [SunFounder] is able to make a simple dialer from scratch, using an Arduino, its “tone” library, and a speaker that is simply held up to the phone that the call will be placed on.
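The frequency pairing that makes the dialer work is worth seeing end to end. The following is an added example, not [SunFounder]'s Arduino sketch: it encodes a key as its two DTMF tones and then recognises the key the way a receiving exchange or IVR does, using the Goertzel algorithm rather than the Arduino `tone()` library. The sample rate, thresholds and the sample audio are constructed for this demonstration.

```python
"""DTMF (touch-tone) encoder and Goertzel decoder, 8 kHz sampling.

Added example, not [SunFounder]'s Arduino sketch: the Arduino side only needs
tone() for one frequency at a time, so this shows the full picture instead, both
the two-frequency key encoding and how the receiving end recognises a key.
Thresholds are constructed for this clean, noise-free sample audio."""
import math

SAMPLE_RATE = 8000
ROW_FREQS = (697, 770, 852, 941)          # Hz, one per keypad row
COL_FREQS = (1209, 1336, 1477, 1633)      # Hz, one per keypad column (1633 = A-D column)
KEYPAD = ("123A", "456B", "789C", "*0#D")


def single_tone(freq, n_samples, amplitude=0.4):
    """One sinusoid; used to build keys and as a non-DTMF input for the decoder."""
    return [amplitude * math.sin(2 * math.pi * freq * i / SAMPLE_RATE) for i in range(n_samples)]


def dtmf_samples(key, duration=0.1):
    """A key is the sum of its row tone and its column tone."""
    for r, row in enumerate(KEYPAD):
        c = row.find(key)
        if c >= 0:
            break
    else:
        raise ValueError(f"not a DTMF key: {key!r}")
    n = int(SAMPLE_RATE * duration)
    low, high = single_tone(ROW_FREQS[r], n), single_tone(COL_FREQS[c], n)
    return [a + b for a, b in zip(low, high)]


def goertzel_power(samples, freq):
    """Energy of `samples` at a single frequency, without computing a whole FFT."""
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode_dtmf(samples, min_ratio=8.0, min_share=0.1):
    """Return the key present in `samples`, or None when there is no valid pair:
    each group (rows, columns) must have one clearly dominant tone, and that tone
    must be a real part of the signal rather than leakage from the other group."""
    rows = [goertzel_power(samples, f) for f in ROW_FREQS]
    cols = [goertzel_power(samples, f) for f in COL_FREQS]
    peak = max(rows + cols)
    if peak <= 1e-9:                       # silence
        return None

    def dominant(powers):
        i = max(range(4), key=powers.__getitem__)
        rest = max(p for j, p in enumerate(powers) if j != i)
        ok = powers[i] > min_ratio * rest and powers[i] > min_share * peak
        return i if ok else None

    r, c = dominant(rows), dominant(cols)
    if r is None or c is None:
        return None
    return KEYPAD[r][c]


if __name__ == "__main__":
    for key in "0123":
        print(key, "->", decode_dtmf(dtmf_samples(key)))
```

The decoder rejects silence and single tones on purpose: a real receiver that accepted any energy near a row frequency as a key press would be trivially confused by speech or line noise, which is why the standard requires both tones to be present with roughly equal strength.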

[SunFounder] points out that he built this more because he’s interested in the inner workings of phones, and not because he needed a purpose-built dialer. It’s a good demonstration of how phones continue to use DTMF though, and how easy it is to interface with such a system. It might also suit a beginner as an introduction to the world of phreaking.

TEMPEST In A Software Defined Radio

In 1985, [Wim van Eck] published several technical reports on obtaining information from the electromagnetic emissions of computer systems. In one analysis, [van Eck] reliably obtained data from a computer system over hundreds of meters using just a handful of components and a TV set. There were obvious security implications, and now computer systems handling highly classified data are TEMPEST shielded – TEMPEST being the NSA specification for protection against this kind of van Eck phreaking.

Methods of van Eck phreaking are as numerous as they are awesome. [Craig Ramsay] at Fox-IT has demonstrated a new method of this interesting side-channel analysis using readily available hardware (PDF warning) that includes the ubiquitous RTL-SDR USB dongle.

The experimental setup for this research involved implementing AES encryption on two FPGA boards, a SmartFusion 2 SOC and a Xilinx Pynq board. After signaling the board to run its encryption routine, analog measurement was performed on various SDRs, recorded, processed, and each byte of the key recovered.

The results from different tests show the AES key can be extracted reliably in any environment, provided the antenna is in direct contact with the device under test. Using an improvised Faraday cage constructed out of mylar space blankets, the key can be reliably extracted at a distance of 30 centimeters. In an anechoic chamber, the key can be extracted over a distance of one meter. While this is a proof of concept, if this attack requires direct, physical access to the device, the attacker is an idiot for using this method; physical access is root access.

However, this is a novel use of software defined radio. As far as the experiment itself is concerned, the same result could be obtained much more quickly with a more relevant side-channel analysis device. The ChipWhisperer, for example, can extract AES keys using power signal analysis. The ChipWhisperer does require direct, physical access to a device, but if the alternative doesn’t work beyond one meter, that shouldn’t be a problem.

Social Engineering Is On The Rise: Protect Yourself Now

As Internet security has evolved it has gotten easier to lock your systems down. Many products come out of the box pre-configured to include decent security practices, and most of the popular online services have wised up about encryption and password storage. That’s not to say that things are perfect, but as the computer systems get tougher to crack, the bad guys will focus more on the unpatchable system in the mix — the human element.

History Repeats Itself

Ever since the days of the ancient Greeks, and probably before that, social engineering has been one option to get around your enemy’s defences. We all know the old tale of Ulysses using a giant wooden horse to trick the Trojans into allowing a small army into the city of Troy. They left the horse outside the city walls after a failed five-year siege, and the Trojans brought it in. Once inside the city walls a small army climbed out in the dead of night and captured the city.

How different is it to leave a USB flash drive loaded with malware around a large company’s car park, waiting for human curiosity to take over and an employee to plug the device into a computer hooked up to the corporate network? Both the wooden horse and the USB drive trick have one thing in common: humans are not perfect and make decisions which can be irrational.

Social Engineering Your Way To The Target PA System

If we were to express an official view of what these guys did once they hacked into a Target store’s PA system, we’d have to go with definitely uncool. However, it’s good to know that phone phreaking and good ol’ social engineering aren’t dead yet. Many of us got our start by playing with the systems around us.

Anyone could call into a Target store and request to be transferred to the PA’s extension code, which was the same everywhere. If the person transferring the call wasn’t quick on their feet, the caller would then be patched directly into the store’s PA system. The kicker? Target had no way of stopping the PA until the caller hung up. It’s the way the system was designed.

The hack itself is embarrassingly simple. The PA is attached to the in-store phone network. This is pretty standard. We’ve all seen a sales associate go up to phone in a store, dial a number, and make an announcement throughout the store. Where Target went wrong is improper separation of systems, and poorly thought out standardization.
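The two design flaws described above (no separation between outside callers and the paging extension, and no way to end a page except by the caller hanging up) can be stated precisely as missing checks in the PBX's transfer logic. The following is a constructed model added here for illustration; it is not Target's phone system, and the extension number and 30-second cap are made up.

```python
"""Call-transfer policy for a store PBX with a paging (PA) extension.

Constructed model, not Target's actual phone system: it shows the two checks that
were missing in the setup the post describes, (1) the call's origin must follow it
through every transfer, and (2) a page must end on its own, not only when the
caller hangs up.  Extension numbers and the 30 s limit are made up."""
from dataclasses import dataclass

PAGING_EXTENSIONS = frozenset({"7001"})   # constructed: the PA system's extension
PAGE_MAX_SECONDS = 30                     # constructed: hard cap on one page


@dataclass(frozen=True)
class Call:
    origin: str           # "internal" = in-store handset, "external" = inbound trunk line
    connected_to: str     # extension currently handling the call
    path: tuple = ()      # extensions the call has already been through


def transfer_permissive(call, to_ext):
    """The behaviour the post describes: whoever answers can send the call anywhere,
    and nothing about the caller is consulted."""
    return Call(call.origin, to_ext, call.path + (call.connected_to,))


def transfer_restricted(call, to_ext):
    """Hardened transfer: the origin attribute is immutable and travels with the call,
    so an outside caller is refused at the PA however many hops it has taken."""
    if to_ext in PAGING_EXTENSIONS and call.origin != "internal":
        raise PermissionError(f"extension {to_ext} accepts internal calls only")
    return Call(call.origin, to_ext, call.path + (call.connected_to,))


def reaches_pa(call, transfer_fn, hops):
    """Walk a call through a chain of transfers; True if it ends up on the PA."""
    try:
        for ext in hops:
            call = transfer_fn(call, ext)
    except PermissionError:
        return False
    return call.connected_to in PAGING_EXTENSIONS


class PagingSession:
    """A page the PBX tears down itself after PAGE_MAX_SECONDS."""

    def __init__(self, call):
        self.call, self.elapsed, self.open = call, 0, True

    def tick(self, seconds):
        """Advance the clock; returns whether the PA is still live."""
        self.elapsed += seconds
        if self.elapsed >= PAGE_MAX_SECONDS:
            self.open = False
        return self.open


if __name__ == "__main__":
    inbound = Call("external", "front-desk")
    print("permissive:", reaches_pa(inbound, transfer_permissive, ("electronics", "7001")))
    print("restricted:", reaches_pa(inbound, transfer_restricted, ("electronics", "7001")))
```

The point of carrying `origin` on the call object rather than checking it only at the first hop is that the sales associate who answers is not the one making the security decision; the switch is, and it has to make the same decision on the second and third transfer as on the first.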

The weakest link in security is always the people it’s designed for, not the ones it’s designed to keep out. It’s a fun little prank, and hopefully Target has it sorted out now.
