A blue box is an electronic device that generates the in-band signaling audio tones formerly used to control long-distance telephone exchanges. By generating the same tones employed by a telephone operator's dialing console, a blue box user could route their own calls and bypass the normal toll collection by the telephone company. Developed in the 1960s, the most typical use of a blue box was to place free long-distance telephone calls. A related device, the black box, enabled one to receive calls which were free to the caller. The blue box no longer works in most Western nations, as modern switching systems do not use in-band signaling to prevent this form of theft. Instead, signaling occurs on an out-of-band channel that cannot be accessed from the line the caller is using, a system called Common Channel Interoffice Signaling or CCIS.
Maps, Directions, and Place Reviews
History
In November 1954, the Bell System Technical Journal published an article entitled "In-Band Single-Frequency Signaling", which described the process used for routing telephone calls over trunk lines with the then-current signaling system, R1. The article described the basics of the inter-office trunking system and the signals used to start, route, and end calls.
In November 1960, further technical details were disclosed by the Bell System Technical Journal in an article entitled "Signaling Systems for Control of Telephone Switching". This article identified the specific SF (single frequency) and MF (multi-frequency) tones used to start and end a call, and to transmit the called number, on a long-distance connection.
This engineering design assumed that these signals would only originate in the automatic switching equipment. The designers were aware that the in-band signaling method was subject to false signals arising in the telephone handset from ambient sounds, and chose the 2600 Hz frequency because it was not present in normal speech. This choice performed well in the normal use of telephones. This success did not forsee the possibility that a telephone user could insert control signals into the switching system by sending unusual tones into the telephone handset. This possibility was discovered accidentally, and eventually became widely known.
Before the technical details were published in the Bell System Technical Journal it was discovered by many, some very unintentionally and to their annoyance, that a 2600 Hz tone, used by AT&T Corporation as a steady signal to mark currently unused long-distance telephone lines, or "trunk lines", would reset those lines. Joe Engressia (known as Joybubbles) accidentally discovered it at the age of 7 by whistling (with his mouth). He and other famous phone phreaks, such as "Bill from New York" and "The Glitch", trained themselves to whistle 2600 Hz to reset a trunk line. They also learned how to route phone calls by causing trunks to flash in certain patterns. At one point in the 1960s, packets of the Cap'n Crunch breakfast cereal included a free gift: a small whistle that, by coincidence, generated a 2600 Hz tone when one of the whistle's two holes was covered. The phreaker John Draper adopted his nickname "Captain Crunch" from this whistle. Others would utilize exotic birds such as canaries, which are able to hit the 2600 Hz tone with the same effect.
With the ability to blue box, what was once just a few isolated individuals exploring the telephone network started to develop into a whole sub-culture. Famous phone phreaks such as John "Captain Crunch" Draper, Mark Bernay, and Al Bernay used blue boxes to explore the various 'hidden codes' that were not dialable from a regular phone line.
Some of the more famous pranksters were Steve Wozniak and Steve Jobs, founders of Apple Computer. On one occasion Wozniak dialed Vatican City and identified himself as Henry Kissinger (imitating Kissinger's German accent) and asked to speak to the Pope (who was sleeping at the time). Wozniak said in 1986:
I called only to explore the phone company as a system, to learn the codes and tricks. I'd talk to the London operator, and convince her I was a New York operator. When I called my parents and my friends, I paid. After six months I quit--I'd done everything that I could.
I was so pure. Now I realize others were not as pure, they were just trying to make money. But then I thought we were all pure.
Blue boxes were primarily the domain of "pranksters" and "explorers", but others used blue boxes solely to make free phone calls. They were also popular with drug dealers and other criminals, because calls were not only free, but were virtually impossible to trace with the technology available at the time.
Blue boxing hit the mainstream media when an article by Ron Rosenbaum titled Secrets of the Little Blue Box was published in the October 1971 issue of Esquire magazine. Suddenly, many more people wanted to get into the phone phreaking culture spawned by the blue box, and it furthered the fame of Captain Crunch. Two major amateur radio magazines ('73' and "CQ') published articles on the telephone system in the mid-1970s. CQ Magazine published details on phone phreaking, including the tone frequencies and several working blue box schematics in 1974. The June 1975 issue of '73' featured an article describing the rudiments of the long distance signaling network, how to construct red and blue boxes, and put them into operation.
In November 1988, the CCITT (now known as ITU-T) published recommendation Q.140, which goes over Signaling System No. 5's international functions, once again giving away the 'secret' frequencies of the system. This caused a resurgence of blue boxing incidents with a new generation.
During the early 1990s, blue boxing became popular with the international warez scene, especially in Europe. Software was made to facilitate blue boxing using a computer to generate the signalling tones and play them into the phone. For the PC there were BlueBEEP, TLO, and others, and blue boxes for other platforms such as Amiga were available as well.
In the 1970s and 1980s, some trunks were modified to filter out single frequency tones arriving from a caller. The death of blue boxing came in the mid-to-late 1990s when telephone companies, becoming aware of the problem, eventually moved to out-of-band signaling systems with separate data and signalling channels (such as CCIS and SS7). These systems separated the voice and signaling channels, making it impossible to generate signalling signals from an ordinary voice phone line. It is rumored that some international trunk lines still utilize in-band signaling and are susceptible to tones, although often it is 2600+2400 Hz then 2400 Hz to seize. Sometimes the initial tone is a composition of three frequencies. A given country may have in-band signalling on trunks from a specific country, but not from others.
Operation
The operation of a blue box is simple: First, the user would place a long distance telephone call, usually to an 800 number or some other non-supervising phone number. For the most part, anything going beyond 50 miles would go over a trunk type susceptible to this technique.
When the call began to ring, the caller would use the blue box to send a 2600 Hz tone (or 2600+2400 Hz on many international trunks followed by a 2400 Hz tone). The 2600 Hz is a supervisory signal, because it indicates the status of a trunk; on-hook (tone) or off-hook (no tone). By playing this tone, the user would convince the far end of the connection that they'd hung up and it should wait. When the tone stops, the trunk would go off-hook and on-hook (known as a supervision flash), making a "Ka-Cheep" noise, followed by silence. This would be the far end of the connection signalling to the near end that it was now waiting for routing digits.
Once the far end sent the supervision flash, the user would use the blue box to dial a "Key Pulse" or "KP", the tone that starts a routing digit sequence, followed by either a telephone number or one of the numerous special codes that were used internally by the telephone company, then finished up with a "Start" or "ST" tone. At this point, the far end of the connection would route the call the way it was told, while the user's local exchange would presume the call was still ringing at the original number. KP1 would generally be used for domestic dialing, and KP2 for international calls.
The blue box consisted of a set of audio oscillators, a telephone keypad, an audio amplifier and speaker. Its use relied, like much of the telephone hacking methodology of the time, on the use of a constant tone of 2600 Hz to indicate an unused telephone line. A free long-distance telephone call (such as a 1-800 number or, less commonly, the information operator from another area code) was made using a regular telephone, and when the line was connected, a 2600 Hz tone from the blue box was fed into the mouthpiece of the telephone, causing the operator to be disconnected and a free long-distance line to be available to the blue box user. The keyboard was then used to place the desired call, using multi-frequency tones specific for telephone operators. These frequencies are different from the normal touch tone frequencies used by telephone subscribers, which is why the telephone keypad could not be used and the blue box was necessary.
Countermeasures
Development and use of the blue box was largely enabled by Bell Telephone's policy of publishing all technical documentation regarding its equipment. In response to the development of this and other means of telephone hacking, the company began to develop other means of securing its system, without publicly disclosing the details. These included modifying telephone central offices to listen for the 2600 Hz tone coming from a subscriber telephone. This, plus the investigation and prosecution of several hackers by the FBI, led to a decrease in phone phreaking and displaced much of the remaining activity to coin phones.
Electronic switching systems maintained logs of all calls made, including calls to free numbers. This earned the nickname "electronic surveillance system" as telephone company personnel would use this data to locate unusual patterns (such as lengthy, repeated calls to information or national hotel reservation numbers) and wiretap the affected lines. In one 1975 case, the Pacific Telephone Company targeted one defendant's line with the following equipment:
- A CMC 2600, a device which registers on a counter the number of times a 2600 Hz tone is detected on the line;
- A tape recorder, activated automatically by the CMC 2600 to record two minutes of telephone audio after each burst of 2600 Hz activity; and
- A Hekemian 51A, which replicates the functions of the CMC 2600 and also produces a tape print-out of outgoing calls. Ordinary calls were recorded in black ink and destination numbers called via the blue box were recorded in red ink.
Demise and legacy
The development of digital switching equipment and out-of-band signaling prevented the use of blue boxes. The "blue box" terminology has therefore been recycled for other purposes. The hacking community evolved into other endeavors and there currently exists a commercially published hacking magazine, titled 2600, a reference to the 2600 Hz tone that was once central to so much of telephone hacking.
Frequencies and timings
Each MF tone consists of two frequencies, shown in the table on the left. The Touch Tone encoding is shown by the table on the right:
Normally, the tone durations are on for 60ms, with 60ms of silence between digits. The 'KP' and 'KP2' tones are sent for 100ms. KP2 (ST2 in the R1 standard) was used for dialing internal Bell System telephone numbers. However, actual frequency durations can vary depending on location, switch type, and the machine status.
This set of MF tones was originally devised for Bell System long-distance operators placing calls manually, and predates the DTMF Touch-Tone system used by subscribers. The leading trunk prefix 1 was not dialed as the operator was already on a Long Lines trunk at this point.
Special codes
Some of the special codes a person could get onto are in the chart below. "NPA" is a telephone company term for 'area code'.
Many of these appear to have been originally three-digit codes, dialled without the leading area code, and the format of destination numbers dialled to the international senders has changed at various points as ability to call additional nations was added.
- NPA+100 - Plant Test - Balance termination
- NPA+101 - Plant Test - Toll Testing Board
- NPA+102 - Plant Test - Milliwatt tone (1004 Hz)
- NPA+103 - Plant Test - Signaling test termination
- NPA+104 - Plant Test - 2-way transmission and noise test
- NPA+105 - Plant Test - Automatic Transmission Measuring System
- NPA+106 - Plant Test - CCSA loop transmission test
- NPA+107 - Plant Test - Par meter generator
- NPA+108 - Plant Test - CCSA loop echo support maintenance
- NPA+109 - Plant Test - Echo canceler test line
- NPA+121 - Inward Operator
- NPA+131 - Operator Directory assistance
- NPA+141 - Rate and Route Information
- 914+151 - Overseas incoming (White Plains, NY)
- 212+151 - Overseas incoming (New York, NY)
- NPA+161 - trouble reporting operator (defunct)
- NPA+181 - Coin Refund Operator
- 914+182 - International Sender (White Plains, NY)
- 212+183 - International Sender (New York, NY)
- 412+184 - International Sender (Pittsburgh, PA)
- 407+185 - International Sender (Orlando, FL)
- 415+186 - International Sender (Oakland, CA - in this era, 510 was TWX)
- 303+187 - International Sender (Denver, CO)
- 212+188 - International Sender (New York, NY)
Not all NPAs had all functions. As some NPAs contained multiple cities, an additional routing code was sometimes placed after the area code. For instance, 519+044+121 may reach the Windsor inward operator and 519+034+121 the London inward operator 175 km distant, but in the same area code.
Blue boxes in other countries
Another signaling system widely used on international circuits (except those terminating in North America) was CCITT Signaling System No. 4 (friendly named 'SS4').
Technical definitions are specified in formerly CCITT (now ITU-T) Recommendations Q.120 to Q.139.
This was also an in-band system but, instead of using multifrequency signals for digits, it used four 35 ms pulses of tone, separated by 35 ms of silence, to represent digits in four-bit binary code, with 2400 Hz as a '0' and 2040 Hz as a '1'. The supervisory signals used the same two frequencies, but each supervisory signal started with both tones together (for 150 ms) followed, without a gap, by a long (350 ms) or short (100 ms) period of a single tone of 2400 Hz or 2040 Hz. Phreaks in Europe built System 4 blue boxes that generated these signals. Because System 4 was used only on international circuits, the use of these blue boxes was more specialized.
Typically, a phreak would gain access to international dialing at low or zero cost by some other means, make a dialed call to a country that was available via direct dialing, and then use the System 4 blue box to clear down the international connection and make a call to a destination that was available only via operator service.
Thus, the System 4 blue box was used primarily as a way of setting up calls to hard-to-reach operator-only destinations, in order to impress other phreaks, rather than as a way of making free or cheap calls.
A typical System 4 blue box had a keypad (for sending four-bit digit signals) plus four buttons for the four supervisory signals (clear-forward, seize-terminal, seize-transit, and transfer-to-operator). After some experimentation, nimble-fingered phreaks found that all they really needed was two buttons, one for each frequency. With practice, it was possible to manually generate all the signals with sufficient timing precision, including the digit signals. This made it possible to make the blue box quite small.
A refinement added to some System 4 blue boxes was an anti-acknowledgement-echo guard tone. Because the connection between the telephone and the telephone network is two-wire, but the signalling on the international circuit operates on a four-wire basis (totally separate send and receive paths), signal-acknowledgement tones (single pulses of one of the two frequencies from the far end of the circuit after receipt of each digit) tended to be reflected back at the four-wire/two-wire conversion point. Although these reflected signals were relatively faint, they were sometimes loud enough for the digit-receiving circuits at the far end to treat them as the first bit of the next digit, messing up the phreak's transmitted digits.
What the improved blue box did was to continuously transmit a tone of some other frequency (e.g., 600 Hz) as a guard tone whenever it was not sending a System 4 signal. This guard tone drowned out the echoed acknowledgement signals, so that only the blue box-transmitted digits were heard by the digit-receiving circuits at the far end.
Source of the article : Wikipedia
EmoticonEmoticon