Elevator Phone Phreaking

In this Readers Platform, your author discusses the predecessor to computer hacking and how to safeguard your system.

by Jerry J. Davis

Everyone is aware there are computer hackers. But, before computer hacking, there were “phone phreaks.” These were usually mischievous, intelligent individuals who were simply curious about the inner workings of the phone system, specifically, back when AT&T held it as a secretive monopoly. There were enough of these “phreakers” to form an underground society — much like computer hackers today — but it was small and close knit. They even had an underground publication called, simply, 2600, named after the 2600 Hz audio tone used in “phreaking” to gain control of telephone networks.

Phone phreaking generally faded with the advent of personal computers, transitioning to the computer hacking we’re familiar with today. However, it has not gone away entirely. It experienced a resurgence after security researcher Will Caruana gave a talk at a 2019 hacking convention called “DEF CON 27” about how easy it is to hack (or “phreak”) emergency telephones — especially those found in elevators.

He demonstrated that, with the simplest of hacking techniques, you can gain access to most elevator phones, reprogram the outgoing number, listen in on conversations and — depending on the phone make and model — change numerous other settings. Dangers include programming banks of elevator phones to automatically dial 900 numbers to incur enormous charges and hackers listening in to Fortune 500 company conversations for purposes of industrial espionage. Even worse, the phones can be rendered useless for actual emergencies.

The phones most at risk are ones connected to standard phone lines, known as plain old telephone service (POTS) lines. The reason these are specifically vulnerable is because they have no built-in security. If you can gain the elevator phone’s number, you can dial right into it.

How does a phone phreaker get one of these numbers? Unfortunately, it can be as easy as searching Google. Many numbers are published or can be found on lists compiled by hackers and freely shared. Other ways of collecting numbers is through social engineering, which is how the majority of computer hacking is done today: hackers trick people into giving up information.

Once you have the number to call, you still need a passcode to get into the phone. Unfortunately, that is not a problem, as many phones in service have never had a custom passcode set; they still use the default passcode that came from the manufacturer. And these are easily available from. . . guess where? Phone installation manuals. Freely available as PDF downloads from manufacturer’s websites, they’re just a quick Google search away.

Dangers include programming banks of elevator phones to automatically dial 900 numbers to incur enormous charges or hackers listening in to Fortune 500 company conversations for purposes of industrial espionage.

Once dialed into the phone, the installation manual is all a phone phreaker needs to get in, change the password, change the phone settings, change the dial-out number or anything else they’re presented from the phone’s feature set. Also, they can dial in and just listen.

How many private conversations go on in an elevator? Lots, because people commonly assume they’ve entered a sealed room where no one else can hear.

How can we thwart this nefarious phone phreaking? The simplest and most effective way is to change the phone’s default passcode and refrain from using anything easy to guess, like “1234.” Also, make sure to use as many digits as the passcode will allow, preferably eight or more. If your phone doesn’t support at least an eight-digit passcode, consider replacing it with one that does. The more digits, the less likely the password can be hacked by what is termed “brute force.”

Without access to the phone or a default password, most phone phreakers will quickly move on to a more vulnerable target and leave yours alone. However, if there is some reason your phone is a specific target and requires higher security, one way to put a major firewall between the phone and potential hackers is to take it off a POTS system and convert it to use a wireless network. This should be one that will allow you to program in what’s known as a “whitelist,” which blocks all incoming phone calls, except from numbers you preauthorize during programming. In this way, only a designated call-center line can call into the phone.

Whether you implement both of these steps or, at the very least, change the default password, this should make your elevator phone much less easy to phreak, and enable it to perform its important intended function: to be used only for actual emergencies.