Telecom Informer (February, 1987)
---------------------------------
By Dan Foley

Cellular Phreaking

The future hinted at in the December issue of 2600 is already here. Cellular fraud is becoming a concern of the CPCs (Cellular Phone Companies). Much fraud is from the same old source - the theft of cellular phones or even the entire car, resulting in the new "owner" making calls on the victim's cellular ID (and phone bill). Another form of fraud is from roamers (cellular users using their phones in a different city from where they signed up) who don't bother to let the CPC in the new city know their billing info. Roaming will become more prevalent as more people buy cellular phones and use them while they travel. However, this form of fraud will soon become a thing of the past, as the CPCs are creating a national billing data clearinghouse that will ensure that bills will reach the right user. This clearinghouse will also (further in the future) allow someone to call a cellular telephone, and the call will be correctly routed to wherever in the United States the phone happens to be.

Of more interest to the readers of 2600 is something that is quickly growing and represents the most dangerous threat to the CPCs' billing. Spoofing another cellular user's ID isn't as hard as it seemed. Some of the more exotic schemes involve reading cellular IDs off of the airwaves as calls are being placed. Most CPCs don't even bother to encrypt the ID signals (and you don't even need to decrypt if the encryption algorithm doesn't include time and date stamping).

But there is an even simpler method than using an "ether" box (so called because the box snatches IDs out of the "ether"). The easiest method by far needs the complicity of a cellular phone repair or installation shop. For many brands of phone the cellular ID is not in a ROM like "they" tell you, but instead is programmable.
Motorola, for one, is supposed to have easy-to-follow instructions on programming their phone's cellular IDs inside the repair manual. And even if the ID is encoded in a ROM, you can just burn a copy. Rumor has it that cellular ROMs are already available on the black market. Perfect for your local terrorist to call in death threats and be untraceable, as the authorities would accuse the wrong person.

The Largest Cellular Companies

The largest cellular system in the world encompasses almost the entire Gulf of Mexico. On July 15 Coastel (sic) Communications began serving from Brownsville, Texas, to Mobile, Alabama, with a switching office in Lafayette, Louisiana, and cell sites on offshore platforms out to about 160 miles from the coast. Coastel plans to target the oil business, fishing and other commercial marine operations. Airtime averages $1 a minute; rather expensive, but they do provide a specialized service. Cellular rates average about 60 cents a minute peak.

The largest cellular telephone company is now Southwestern Bell Corp. It bought out Metromedia's nonwireline rights for $1.65 billion. The FCC originally broke the cellular frequencies into three bands, giving one to the local telephone company (the wireline carrier), one to a non-wireline carrier, and saved one for the future. However the distinction has become academic as more RBOCs (Regional Bell Operating Companies) purchase cellular rights in other cities (with our local phone revenues we subsidize their investment in real estate, manufacturing, and all sorts of things having nothing to do with our dial tone). Southwestern Bell now competes against NYNEX in Boston and New York, Bell Atlantic in Philadelphia and Baltimore/Washington, and Ameritech in Chicago and Dallas. It also got about 500,000 paging customers in nineteen cities. U.S. West also competes against a fellow RBOC, PacTel, in San Diego.
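
The Cellular Phreaking section above notes that an encrypted ID can be reused without decrypting it when the algorithm includes no time and date stamping. The Python sketch below is an added example, not part of the original column or any carrier's protocol; it uses HMAC-SHA256 as a stand-in keyed transform, and the key, ID, 30-second window and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values; not real identifiers or any carrier's scheme.
KEY = b"constructed-shared-key"
HANDSET_ID = b"ID-0001-CONSTRUCTED"
WINDOW = 30  # seconds of clock skew the verifier tolerates (assumed)

def _tag(msg):
    return hmac.new(KEY, msg, hashlib.sha256).digest()

def static_token(handset_id):
    """Keyed transform of the ID alone: identical bytes on every call."""
    return _tag(handset_id)

def verify_static(handset_id, token):
    return hmac.compare_digest(static_token(handset_id), token)

def stamped_token(handset_id, now):
    """Bind the ID to the time of the call so the tag differs per call."""
    ts = str(now).encode()
    return ts, _tag(handset_id + b"|" + ts)

class StampedVerifier:
    def __init__(self):
        self.seen = set()  # (id, timestamp) pairs already accepted

    def verify(self, handset_id, ts, tag, now):
        if not hmac.compare_digest(_tag(handset_id + b"|" + ts), tag):
            return "bad-tag"
        if abs(now - int(ts)) > WINDOW:
            return "stale"      # outside the freshness window
        if (handset_id, ts) in self.seen:
            return "replayed"   # fresh, but already used once
        self.seen.add((handset_id, ts))
        return "ok"

def demo():
    results = {}
    captured = static_token(HANDSET_ID)  # bytes sent on one earlier call
    results["static_replay"] = verify_static(HANDSET_ID, captured)
    v = StampedVerifier()
    ts, tag = stamped_token(HANDSET_ID, now=1000)
    results["first_use"] = v.verify(HANDSET_ID, ts, tag, now=1005)
    results["same_window_replay"] = v.verify(HANDSET_ID, ts, tag, now=1010)
    results["late_replay"] = v.verify(HANDSET_ID, ts, tag, now=5000)
    return results

if __name__ == "__main__":
    print(demo())
```

The unstamped token verifies again on reuse, while the stamped one is accepted once and then rejected as replayed inside the window and as stale outside it.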

800 Number Allocation

It used to be that you could tell the geographical location of an 800-NXX number by the NXX part. XX2s were intrastate, XX7s were in Canada, and every prefix represented an area code. However, about five years ago AT&T introduced "Advanced 800 Service," which permitted any INWATS (Inward Wide Area Telephone Service) call to be routed anywhere in the US, and even to different destinations depending on both the time of day and where the caller placed the call. Thus, 800-DIALITT would reach the nearest ITT billing complaint center during the day, and at night the call could instead reach a main office left open. The company has to pay for the normal 800 INWATS lines and then an extra couple of hundred a month for the "vanity" number and a few cents for each translation of end phone line by time or location.

Until Fall 1986, if your CO was switched over to equal access your 800 call was routed to AT&T no matter what your default carrier. But now your CO must route to MCI all 800 calls which have any of these exchanges: 234, 283, 284, 288, 289, 274, 333, 365, 444, 456, 627, 666, 678, 727, 759, 777, 825, 876, 888, 937, 950, 955, and 999. U.S. Sprint gets 728 and WUD Metrofone gets those to 988. The individual BOCs get the XX2 exchanges (as these are filled with intrastate WATS lines). More exchanges will undoubtedly be grabbed by other carriers as they begin to offer 800 service.

I don't know what happens if your company's 800 number's exchange gets taken over by Bargin Bob's Telefone Kompany. Hopefully you get to keep the old provider, but this would really make it tough to route. Don't know what happens either if your clever little phone number "word" belongs to Bargin Bob; guess you gotta suffer.

If your CO isn't equal access yet, it just kicks the call onto the nearest intra-LATA tandem site for the proper routing. However, don't bother to remember this.
When Bellcore finally finishes the new Advanced 800 service, the INWATS buyer can route his or her incoming call through a different carrier depending on the originating point or the time of call, as well as sending it to a different company office. When this happens, all 800 calls will have to be sent to the nearest tandem switch and get routed based on all this info. The local Telco will get the money for providing the routing service.

As far as I know, only AT&T gets your 900 calls, which were never grouped according to geography.

Trivia fact number 1: INWATS numbers in England (to the U.S.; international INWATS further confuses the geographical determination) are of the form 0800-XX-XX-XX. Only AT&T provides this.

Trivia fact 2: INWATS was not introduced in 1967 as stated in the December 2600, pages 3-95. The first interstate INWATS lines were in 1967, but intrastate INWATS started in 1966.

Airfone Update

The future of Airfone, the pay telephone for use on airline flights, is in limbo. Airfone's experimental license expires at the end of 1987, and the FCC will not reconsider its January 1985 decision refusing permanent frequencies. Airfone expects to continue with over 300 plane phones and the 65 ground stations even though there is no provision for frequency allocation. Airfone hopes to be allowed to use cellular frequencies.