Hacking Autodialer Telephone Access Systems

by Wrangler

The following article is for informational and educational purposes only.

For years, I have suspected that the telephone intercom systems in apartment and office buildings were nothing more than cleverly disguised free public telephones.  Well, now I know how to use them to make convenient public telephone calls, domestic and international, without the inconvenience of paying.

For this discussion, I focus on commercial telephone access systems manufactured and distributed by a Canadian company named Mircom.  These systems are installed at the entrances to many residential and commercial buildings in North America and elsewhere.  Mircom systems sport a distinctive brushed aluminum panel with 12-key DTMF dialer pads.  Some models even come with an auxiliary heater for installations in colder climates.

What will those Canadians think of next?

The Mircom line consists of several models, all of which are programmable.  Programming can be accomplished either using the 12-key DTMF keypad or remotely via the telephone line.  As I suspected, these things are a POTS line with a secured telephone attached.

One day I found myself outside the building where a friend's computer security company is located.  Staring me in the face was one of these brushed aluminum intercoms.  Since no one was answering upstairs, I decided that I could not help but play with it.  I already had started by dialing my friend's office.  Since he already had left, and since I did not want anything that I did to be traced back to him, I next dialed the code for the office adjacent to his.

The Mircom units provide a menu of 4-digit codes.

Each code is associated with an internal office or apartment unit.  Therefore, when a user dials that 4-digit code, what happens behind the scenes is that a line on the device goes off-hook and a carrier exchange number is dialed.

The tip-off is that when the user presses the 4-digit code, you can hear the DTMF tones dialing a telephone number.  It is a bit confusing because it dials 8 digits, not seven.  However, it definitely is dialing an outside line.

Here is what I knew about it when I started.

All of the access codes are 4 digits long, and they all start with a zero.

In addition, its instructions tell the user to press "pound pound" (or "hash hash") in order to hang up, so the hash key ( # ) must be a control character.  That suggests that the star key ( * ) also is a control character.

When I called that office upstairs, I got a voice mailbox.

Now, says I, is a good time to start playing with this thing.  I started mashing key combinations.

After I pressed *2, I heard a dial tone.  I quickly dialed my cell phone number, no country code or anything, and - surprise - my phone rang.

I repeated the process and called my house (which required an area code) and bragged that I just had successfully compromised an on-street intercom.  Then I started telling people overseas.

The star key is your gateway to excitement.

After I called the number upstairs and was connected to voice mail, I pressed *2, and voilà, I had a dial tone.

From here I could place outbound telephone calls and converse with people both in the local LATA and in far-away countries.  Other control key combinations exist, but they are not documented (yes, there are manuals for these things), and some key combinations are not supported on some models.  The best strategy is to find one of these little gems and test drive it to see what it will and will not allow you to do.

The microphone quality is crap, but it is good enough to be heard and understood.  It helps if you try this when there are not garbage trucks and buses plowing by on the street ten feet away from your personal not-for-pay telephone.

In addition, there is a timer on the line that restricts the length of the connection, which I later found out is programmable.  This makes sense, since the thing is supposed to be an intercom system.  I found that pressing the star key when it beeps at you would allot you another sixty seconds to talk.

The default online timeout is 60 seconds, but you can reprogram it to a maximum of 250 seconds - long enough to arrange for the 2612 meeting.

As I mentioned, the units are programmable.

The programming mode is accessible either via the keypad or remotely by dialing the telephone number of the unit.  The default code to change to programming mode is *999.

There also are keyless entry codes and other features that these devices support.  RTFM on these things because there are all sorts of neat things that you can do, from the malicious (erasing all the programmed entries) to the discreet (adding a keyless entry code so you can enter and roam the entire building at your leisure).

The units are remotely programmable using a telephone.

Finding out the telephone number of the intercom POTS line will require use of the coveted ring back numbers (also known as "ANAC numbers").

These allow you to call your local telephone switch and have it read back the ANI of the number for your POTS line.  Call someone, get him or her to pick up, press *2, wait for the dial tone, and then enter your ring back number.

The switch will read back the number of the POTS line.  Now you can hang up, go somewhere else, dial the intercom and program the unit remotely.
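A defender's check that follows from the above, as an added example that is not part of the article or of Mircom's documentation: the panel only ever needs to dial the numbers in its programmed directory, so any other number appearing on the intercom line's call records points at control-key abuse of the kind described. The call-detail record layout, the directory contents and every telephone number below are constructed for illustration.

```python
"""Review the intercom POTS line's call records against the panel directory.

Assumption: the building receives a call-detail record (CDR) for the intercom
line from its carrier and keeps a copy of the panel's programmed directory
(4-digit access code -> outside number). Both are constructed here.
"""
from dataclasses import dataclass

# Constructed directory: the only numbers the panel should ever dial.
DIRECTORY = {
    "0101": "5550101",
    "0102": "5550102",
    "0203": "5550203",
}

# Constructed CDR lines: timestamp, dialed digits, call duration in seconds.
SAMPLE_CDR = """\
2024-03-01 08:02:11,5550101,35
2024-03-01 08:15:40,5550203,58
2024-03-01 12:30:05,15551234567,240
2024-03-01 12:40:12,0115512345678,250
2024-03-01 13:01:00,5550102,12
"""


@dataclass
class Finding:
    when: str
    dialed: str
    duration: int
    reason: str


def review_cdr(cdr_text, directory):
    """Return one Finding per outbound call the directory cannot explain."""
    expected = set(directory.values())
    findings = []
    for line in cdr_text.splitlines():
        if not line.strip():
            continue
        when, dialed, duration = line.split(",")
        if dialed in expected:
            continue  # ordinary intercom call to a programmed unit
        if dialed.startswith("011"):  # NANP international dialing prefix
            reason = "international call from intercom line"
        elif len(dialed) > 8:  # longer than the panel's normal 8-digit dial
            reason = "long-distance call not in directory"
        else:
            reason = "number not in programmed directory"
        findings.append(Finding(when, dialed, int(duration), reason))
    return findings
```

Feed the function the carrier's CDR export for the intercom line; a clean line returns an empty list, and every finding is a call the intercom had no programmed reason to place.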

With the advent of new telecommunications security devices and the death of tried and true technological hacks like boxing, I find that it is a nice, nostalgic reminder of the days long gone to be able to gain unfettered access to a POTS line.

Enjoy.