Exploding the Phone: The Untold Story of the Teenagers and Outlaws Who Hacked Ma Bell (9780802193759)
By the time Barclay finished reading it, the vulnerability in AT&T’s network had crystallized in his mind: “I thought, this is a better way than using a pay phone . . . this is a way to get around all that other stuff and do it directly.”
“It,” of course, was making free calls.
The ability to absorb sixty-four pages of dry, technical mumbo jumbo and spot the vulnerability is a rare one. The engineers from Bell Labs who designed the system and wrote the article didn’t see it. Thousands of engineers in the future would read that article and not see it. But eighteen-year-old Ralph Barclay did. The funny thing about it is, once the hole is explained to you, it’s obvious. But until it’s explained to you, most people would never think of it. Certain people have minds that are tuned in a particular way to see things like that. Ralph Barclay was one of those people.
To understand Barclay’s insight we have to think back to the things that made up AT&T’s automated long-distance network, things like the spectacularly named #4A crossbar switching system that was the brains of the long-distance telephone network and how the machines talked to each other by speaking in tones. Because that’s what the Bell System Technical Journal described and that’s where Ralph Barclay spotted the flaw. Here’s what he came up with.
Say you’re in Seattle and, as always, you want to call your friend Bill in Denver. With Barclay’s hack, your first step is to pick up the phone and dial directory assistance in any city—let’s say New York just for fun: 212-555-1212. Unlike today, calls to directory assistance were free back then.
Seattle and New York are both big cities and have direct trunk lines between them. On a given long-distance trunk line between Seattle and New York, the switching machine in Seattle sends a 2,600 cycle per second tone—seventh octave E—to New York to indicate that the line is idle. New York sends the same tone back to Seattle to indicate that the line is not in use on its end either. Remember how in a flight of fancy an AT&T manager described the switching machines as “singing” to one another? This is the boring part of that song; you can think of it as the machines monotonously whistling this single note back and forth. It’s almost like they’re keeping each other company, reassuring each other that they’re both still there.
As you dial the last digit of the number for New York directory assistance, the fancy switching machines and their signaling systems spring to life to get your call through. Seattle finds an idle trunk to New York and stops whistling 2,600 Hz on it. New York hears the trunk go silent, indicating that Seattle wants to make a call. New York sends back a “wink” signal—really just a moment of silence, of no 2,600 Hz tone, for about a quarter of a second. This wink tells Seattle that New York is ready and waiting for Seattle to tell it a phone number to call. Using either the SF or MF signaling language, Seattle sends New York the digits 555-1212. In SF-speak, this is a series of beeps of 2,600 Hz. In MF-speak, it consists of nine quick little pairs of tones that sound like brief musical notes: KP, 555 1212, and ST. The special signal called KP (“key pulse”) at the beginning tells New York to get ready, and the final note, ST (“start”), tells New York that it has all the digits and can start dialing.
Now that New York knows the number you want to call, it makes the local connection and the directory assistance operator’s telephone starts to ring. Up until now everything that has happened has been perfectly normal, just like Ma Bell intended. But now you, using Barclay’s hack, insert yourself into the process. Before the operator can answer, you—naughty you—hold a speaker up to your phone’s mouthpiece and play your own 2,600 Hz tone down the line for a second.
It is loud and pure and it sounds like this: bleeeeeeep.
Seattle isn’t paying any attention to this, but the switching machine in New York sure is. New York hears your 2,600 Hz tone loud and clear and thinks that the Seattle switching machine sent it. And since this tone indicates the trunk line is idle, New York figures that Seattle is done using that trunk line, probably because you hung up. New York disconnects the call to the directory assistance operator—maybe before she’s even answered.
But now you stop sending your tone. When you stop sending 2,600 Hz, the long-distance switching equipment in New York City thinks that Seattle wants to make another call. Just as before, New York sends a wink back to Seattle to say it’s ready for a new call. Due to the nature of the circuitry involved, the wink has a bright, metallic ringing quality to it. It sounds like this: kerchink!
The noise tells you that you have just fooled New York into thinking that a new long-distance call is coming in. Once again, the switching machine in New York is waiting for Seattle to tell it what digits to dial. But Seattle isn’t going to tell it anything, because Seattle is blissfully unaware of everything that has just transpired. The only thing Seattle knows is that you haven’t hung up—you’re still on the line, after all—and Seattle believes you can make only one call every time you pick up the phone. As far as Seattle is concerned, you’re still talking to New York’s directory assistance.
You, on the other hand, know better: you possess guilty knowledge. Using a simple electronic circuit, you can generate the same pairs of tones that Ma Bell’s telephone switches use to serenade each other. Once again holding up a speaker to your phone, you play the tones needed to send New York the digits KP + 303 722 7209 + ST—that is, the number of your friend Bill in Denver. Now, of course, area code 303 isn’t in New York City, but that’s okay. The telephone switch in New York is a brainy 4A and knows how to route calls from one place to another. After all, Bell Labs worked hard to give it the brains to be able to do that. New York happily finds a trunk line to Denver and puts your call through, sending out tones on your behalf to instruct Denver on what number to dial. Moments later Bill’s phone starts to ring.
Congratulations, you’ve just hijacked a phone call to directory assistance in New York and rerouted it to Bill in Denver. But that’s only half the trick. The other half is this: your phone call to Denver is free. Why? Because Seattle is responsible for the billing of your phone call. As far as Seattle is concerned, you’re still connected to directory assistance in New York and directory assistance is a free call.
Barclay had three insights when he read that article in the Bell System Technical Journal. The first was that sending a 2,600 Hz tone down the telephone line resets the remote switch but doesn’t affect the local switch. The second was that you could then reroute a phone call from the remote switch to wherever you want. And the third was that the local switch is in charge of billing, so it continues to bill you for whatever call it thinks you originally made. With these three insights he now owned Ma Bell’s network.
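The three insights can be checked against a small model of the two switches. This is an added example, not material from the book: the class and function names are hypothetical, and the `in_band=False` case, which models control signaling carried off the voice path, goes beyond what the excerpt describes.

```python
"""Toy model of the trunk signaling described above (constructed for illustration)."""

IDLE, AWAIT_DIGITS, CONNECTED = "idle", "await_digits", "connected"


class RemoteSwitch:
    """Far-end toll switch (New York in the text)."""

    def __init__(self, in_band):
        self.in_band = in_band      # True: control tones share the voice path
        self.state = IDLE
        self.connected_to = None

    def _control(self, signal, digits=None):
        if signal == "2600_on":     # tone present means the trunk is idle
            self.state, self.connected_to = IDLE, None
        elif signal == "2600_off" and self.state == IDLE:
            self.state = AWAIT_DIGITS   # the real switch answers with a wink
        elif signal == "mf" and self.state == AWAIT_DIGITS:
            self.state, self.connected_to = CONNECTED, digits

    def from_local_switch(self, signal, digits=None):
        self._control(signal, digits)   # the legitimate signaling source

    def from_voice_path(self, signal, digits=None):
        # Subscriber audio. With in-band signaling the remote switch cannot
        # tell it apart from tones sent by the local switch.
        if self.in_band:
            self._control(signal, digits)


class LocalSwitch:
    """Originating switch (Seattle in the text); it owns the billing record."""

    def __init__(self, remote):
        self.remote = remote
        self.billed_number = None

    def dial(self, number):
        self.billed_number = number     # billing is fixed at call setup
        self.remote.from_local_switch("2600_off")
        self.remote.from_local_switch("mf", number[3:])


def replay(in_band):
    """Replay the sequence from the text; return (billed, actually connected)."""
    remote = RemoteSwitch(in_band)
    local = LocalSwitch(remote)
    local.dial("2125551212")
    for signal, digits in [("2600_on", None), ("2600_off", None),
                           ("mf", "3037227209")]:
        remote.from_voice_path(signal, digits)
    return local.billed_number, remote.connected_to


def billing_mismatch(in_band):
    """True when the far end is connected somewhere the billing record omits."""
    billed, actual = replay(in_band)
    return not billed.endswith(actual)
```

With `in_band=True` the billing record and the real destination diverge; with control signals kept off the voice path, the same audio changes nothing.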
A few weeks after reading the Bell System Technical Journal article Barclay made the three-hour drive west to his hometown of Soap Lake, Washington, population 1,200. Home may be where the heart is, but for Barclay home was also where his workbench, soldering iron, and electronic components were. “I was an electronic tinkerer for years and years and years,” he says. A curious one too; his older sister remembers Barclay plugging a bobby pin into an electrical outlet when he was four. His father, a truck driver in rural Washington, used to bring him broken TVs to fiddle with, and his bedroom was littered with electrical equipment, telephones, and radios. Barclay landed his first job—repairing broken radios—when he was in the fifth grade.
Barclay’s first box took a weekend to build. It was a simple affair, housed in an unpainted metal enclosure about four inches on a side and perhaps two inches deep. Inside was a nine-volt battery and a single transistor oscillator circuit. On the outside the box sported a surplus rotary telephone dial and a red push button. The red button would allow Barclay to disconnect a call in progress—to “seize a trunk,” in both telephone company and phone phreak parlance—by producing a 2,600 cycle tone for as long as he held it down. When spun, the rotary dial would make short blips of 2,600 Hz. If Barclay dialed the digit 6, for example, it made six short beeps. In other words, it would allow him to send digits using the older single-frequency language.
“I was surprised!” Barclay recalls. “It worked fine the first time!”
As it happens, it also worked best the first time. Barclay quickly ran into a problem. By 1960 fewer and fewer trunk lines used SF signaling. In its push for progress and dialing speed, the Bell System was well on its way to converting most long-distance trunks to multifrequency signaling. And those trunks didn’t respond to Barclay’s single-frequency beeps. The red button still worked—he could disconnect a call in progress and hear the kerchink come back from the remote end—but dialing was often a problem. “It worked sometimes, not consistently,” he says—maybe one in four calls.
“That’s when I discovered I needed multifrequency,” he says—that is, he needed to generate pairs of tones for each digit as well as for the special “key pulse” and “start” signals. Barclay started work on his multifrequency box over Christmas break. It was more complicated than the first box, what with more transistor oscillators and associated wiring and all that, so it took a bit longer to build.
Barclay added a rotary dial for making blips of 2,600 Hz, but that was just for old time’s sake; the real way you’d dial with it, the modern way, was with push buttons. Touch-tone phones weren’t a commercial reality yet, so Barclay had to come up with his own telephone keypad. He ended up using keys from an old mechanical Burroughs adding machine. Each key was fastened to a push-button switch mounted underneath it. There were twelve keys in all: ten for the digits 0 through 9, one for the KP signal that needed to be sent before the digits, and one for the ST signal that needed to be sent after the digits.
He had it finished by Easter and it worked like a charm. He and his device became popular among a small circle of friends in his dorm, where he made calls home for them. But mostly, he says, he used it to play with the telephone network, “to see where we could call.” As Barclay remembers it, “There were very, very few calls I made that were actual phone calls”—that is, calls he made to somebody he knew and wanted to talk to.
His new device was housed in a metal box, twelve by seven by three inches, that happened to be painted a lovely shade of blue. Barclay did not know it at the time, but the color of his device’s enclosure would eventually become synonymous with the device itself. The blue box had just been born.
Back home for the summer, Barclay ran into another problem: his hometown, Soap Lake, was served by GTE—General Telephone and Electronics—one of the independent telephone companies separate from the Bell System. For whatever reason, GTE’s switching and signaling equipment just didn’t work with his blue box. Fortunately, Barclay’s summer job was at a television and radio repair shop in the town of Ephrata, some five miles down the road. Those five miles made all the difference for Ephrata was in Bell territory and his blue box worked like a champ there.
The shop where he worked was two blocks down the street from a friend’s photography studio. In exchange for a few free calls, his friend was happy to let Barclay’s blue box live in the rear of the studio. If Barclay felt like playing around he could pop over to the studio on his lunch hour, walking down the alleyway running behind the buildings so he could come in through the back door; no need to disturb customers at either business by going in and out the front door.
That summer was a fun and productive one for learning about the telephone network. Barclay made friends with a kid who lived in Seattle and whose dad worked for the telephone company. “He happened to furnish me with a copy of the ‘Rate and Route’ book,” Barclay says, the loose-leaf binder of telephone routing information that operators used to figure out how to get calls from here to there. “I was able to use that to access more areas. We actually tried it for overseas calls and were able to do some calls to England.” Unfortunately, Barclay reports, “I didn’t know anybody in England to call.”
Barclay had some other friends whose parents worked for the telephone company and he mentioned to one of them that he was interested in learning more about how the phone system worked. Was there any way he might be able to get some surplus telephone equipment, he asked? “Oh, sure,” Barclay recalls his friend’s dad saying. Pacific Telephone turned out to be in the process of converting a nearby switching office from three-digit dialing to a more modern five-digit system. “If you want to drive over there, I’ll make arrangements,” his friend’s father told him.
Barclay recalls pulling up at the telephone company central office in his dad’s pickup truck and chatting with the switchman there.
“What are you interested in?” the switchman asked.
“What have you got?” Barclay replied.
As it happened, quite a lot. “I ended up taking home the whole three-digit telephone exchange,” Barclay says. It was soon set up in his garage.
Summer drew to a close. It was September 15 and Barclay was scheduled to return to Washington State College for his sophomore year. He dropped by the photography studio that morning to pick up his blue box. His friend the photographer asked if Barclay could leave it for a few more hours and come get it after lunch. There were some calls he needed to make, he said. No problem, Barclay replied. He returned to the TV repair shop.
About noon that day, two gentlemen entered the repair shop and asked for Barclay by name. This was unusual, since he was back-office help and not really known to the customers. The gentlemen then produced a warrant for his arrest on charges of bookmaking. This was even more unusual, given that he wasn’t a bookmaker. The utter bafflement is evident in his voice even forty years later: “I mean . . . bookmaking?”
Barclay accompanied the men down to the local courthouse where he was interrogated by an assortment of unhappy-looking people: a sheriff’s deputy, an FBI agent, a security agent from Pacific Telephone, a security agent from AT&T, and an engineer from Bell Laboratories.
Barclay recalls, “The first questions were, ‘Who are you working for? Who’s the head of this operation?’ I remember spending quite a while trying to convince them that I wasn’t working for anybody.” His interrogators weren’t buying. They knew that Barclay’s partner—the guy who owned the photography studio, who had also just been arrested—spent lots of time on the phone talking about horses. (As it turned out, he owned a horse and photographed horse shows.)
“Finally,” Barclay says, after several hours of grilling “they decided that maybe this wasn’t a bookmaking operation and they started asking different questions.” Questions like: where were you calling? “I repeatedly said, over and over and over again, to friends, to New York, to find out what time it was in New York.” The time in New York? C’mon kid, you don’t expect us to believe that, do you? Eventually the Bell Labs engineer cleared his throat and spoke up. The company had the details of all the calls Barclay made, he said, and he confirmed that very few of them were to actual people. Most were to test numbers, or recordings, or various oddball telephone company internal numbers.
The investigators threw up their hands. “We’re not going to get any further on this,” Barclay recalls the FBI agent saying. They turned to the Bell Labs engineer: “Find out where he got the information to make this stuff.”
Barclay told them about the Bell System Technical Journal. “I remember one of them looked at the guy from Bell Labs and said, ‘Could that be possible?’ The Bell Labs guy said, ‘Yeah, there was an article . . .’”
In the end the bookmaking charges were dropped, replaced with a misdemeanor: making a phone call without paying for it. It was a speedy trial, Barclay recalls.
The judge asked, “Did you actually do this?”
“Well . . . yeah,” Barclay said.
“Where did you get the information?”
“Out of a book,” Barclay replied.
The judge turned to the Pacific Telephone security agent and asked if indeed the phone company had published this information. Yes, they had, he said.
The judge turned back to Barclay. “Where’s this blue box of yours?”
“The phone company took it,” Barclay said.
Back to the security agent. “Is this true?”
“Well, yes,” he said. “It’s been taken back to Bell Laboratories for analysis.”
“Will he get it back?” the judge asked.
“I don’t think it’s going to be returned,” said the security agent.
The judge rendered his verdict. “When I was a kid,” he said, “we used to freeze water into the shape of nickels to put into pay phones to make long-distance calls. This is nothing more than a new and ingenious way to do the same thing. I can’t see making a big case out of this. You pleaded guilty. I’m just going to give you a suspended sentence.”
“The [Pacific Telephone] investigator wasn’t too happy with that,” Barclay says.
An AT&T memo states that the Barclay investigation began when someone noticed “an unusual pattern of 555-1212 calls.” Barclay can pin it down further: calls he made to a nonworking directory assistance telephone number in Canada.
“Back then the Bell System was trying to give good service,” Barclay remembers. As part of that effort, directory assistance operators often answered on the first ring—sometimes, in fact, before the phone seemed to have rung at all. And that meant Barclay would have to whistle his 2,600 Hz when a live human being was on the other end of the call, something he didn’t like. “I always was a little bit nervous about disconnecting when there was a real person on the line,” he says. “I discovered in playing around that if you called information in the 407 area code, which was Alberta, Canada, you got a recording that said, ‘This number is not in service.’” That seemed perfect to Barclay because it was a free call but didn’t involve live human operators. 407-555-1212 became his go-to number.