Telecom Informer (April, 1987)
------------------------------
By Dan Foley

Cellular Fraud Bust

As some of you may know by now, the first cellular phreaking bust in the U.S. happened last month. On Friday, March 27, the FBI and Secret Service arrested 18 New Yorkers for making cellular phone calls on altered cellular phones. They also arrested seven others for altering and selling these phones. The method that was used is exactly the one described in our February column.

A cellular phone transmits two numbers whenever a call is placed. The first is the ESN (Electronic Serial Number). The cellular MTSO (Mobile Telephone Switching Office) then checks whether this number is valid. Then the cellular phone transmits an MIN (Mobile Identification Number), which identifies the party to be billed for the call. By reprogramming the MIN one can make a multitude of calls ending up on the MIN owner's bill (much like using a stolen calling card or extender code). Any cellular repair shop can do the reprogramming on the side, and seven of them in Brooklyn actually did. It makes you wonder how many others are also doing this on the side.

According to the FBI, organized crime wasn't involved in this case. Estimates claim that cellular fraud costs the New York cellular companies $40,000 a month, and about $3 million is lost per year to cellular fraud in the U.S. This is the first of a series of ongoing investigations by the FBI and Secret Service, so expect a bust near you soon.

Electronic Communications Privacy Act

With the passage of the Electronic Communications Privacy Act (Public Law 99-508) earlier this year (effective January 19, 1987) there's now a new breed of cellular criminals. Now anyone who listens to the "forbidden frequencies" of cellular telephony is committing a federal crime. The law is questionable in many aspects.
The act makes it illegal to manufacture, sell, advertise, or own any device or kit "primarily useful for the surreptitious interception of electronic communications." Nowhere is it stated what "surreptitious" means in this case, and attempts to have this clarified have been ignored. "Surreptitious interception" is not limited to electronic communication that is illegal to receive. One could interpret any receiver that monitors between 15 and 30 MHz or between 50 and 500 MHz as illegal, even though they are widely available. One could even go so far as to claim that any radio primarily for indoor use (and, thus, not readily observable from the outside) or AM-FM radios within stuffed animals are "surreptitious receivers."

Another problem is that if one were receiving interference from a source that is illegal to receive, and knew this, then one would be in violation of this act. So if your TV or stereo was getting noise from a cellular phone, and you knew this, you would be a federal criminal, even though your TV or stereo was listening to the proper frequencies. Previously it would have been the fault of the cellular phone company for transmitting such a dirty signal that one could receive on other frequencies not allocated for cellular phones.

The premise behind this law is that cellular phone calls are "not readily accessible to the public" anyway, so why not make it illegal to receive them? However, as many readers of 2600 and scanner users know, this is false. Cellular uses old TV channels, so an old TV set tuned to channels above 80 will receive listenable calls. Also, many videocassette recorders, service monitors, and scanners receive these frequencies, totally unmodified and out of the box. Cellular is in fact more vulnerable to interception than cordless phones, as there are millions of old TV sets in the U.S., and comparatively few radio scanners that receive cordless frequencies.
Cellular phone calls are much more modulation-compatible with TVs, and their range is many miles, as opposed to cordless ranges of hundreds of feet.

Instead of dealing with the problem of scanner users listening in to cellular calls by encrypting the calls, the cellular phone companies and suppliers decided to legislate away a serious problem. Now cellular users can use their phones in communicating business deals and personal conversations believing that no one is listening. This false sense of security is misleading. Cellular phone companies don't want to deal with the problem logically.

And this brings up the final problem, enforceability. This law is totally unenforceable. All it is good for is to tell customers not to worry about the confidentiality of their calls. The FCC was against the bill, along with the Electronic Industries Association and other cellular industry organizations and companies. However, many powerful companies lobbied for this bill, as they saw it as a quick fix to the very serious problem of cellular eavesdropping. The Justice Department at the time of the hearings on this bill clearly stated that they "have no intention of enforcing that part of the bill," referring to the privacy sections of the Electronic Privacy Act. There basically is no way they could attempt to enforce the law, considering that England has outlawed pirate radio, and millions still listen to the offshore stations. The Soviet Union has to jam Western broadcasts that they don't want their citizens to receive.

When AT&T filed a petition asking to merely label cellular phones with a warning sticker saying that calls may be monitored, other cellular phone companies reacted violently. AT&T's petition with the FCC states that "cellular users have an unwarranted sensation of privacy, which a label would help dispel.... Customers buy cellular telephone sets with the expectation of privacy.
In due course, they learn that they lack the privacy they expected, and may feel that their suppliers have misled them." Instead of dealing with the problem by scrambling cellular signals or even merely placing a warning label, the Cellular Telecommunications Industry Association replied that the FCC "should not consider any labeling regulation, which would place the burden on citizens to protect their privacy," and lobbied Congress for the passage of the Cellular Privacy Act. Bell South Mobility went as far as to say that "cellular users can expect a high degree of privacy," despite the fact (which any scanner user knows) that all it takes is to tune in to the 800-890 megahertz band with a scanner (or even an old TV tuned to the UHF channels).

"Forbidden frequencies" include those in the February 2600. A penalty of up to $10,000 would result from merely detecting the signal of one of the protected frequencies, even as much as the hiss from an encrypted transmission. Monitoring the VHF and UHF bands by scanner is illegal in the 153, 161, 450, and 455 MHz bands. Also, receiving radio common carriers in the 153, 158, and 454 MHz band along with FM subcarrier service or voice or message paging services is a crime, and certainly, receiving 800 to 890 MHz (that of cellular telephony) would be a crime. Willful receiving of a cellular telephone call results in up to six months in jail, plus a fine of up to $500. Receiving manual and IMTS car telephone calls could result in up to a $10,000 fine plus up to a year in jail. Cordless phones, amateur radio, CB, and General Mobile Radio Service are not protected.

"Fixing" Your Radio Shack PRO-2004 Scanner

The release of the Radio Shack PRO-2004 scanner was delayed until the passing of the Electronic Communications Privacy Act. Radio Shack is a major marketer of cellular phones, and thus lobbied hard for the passage of the bill so purchasers of their cellular phones could feel that the privacy of calls was secure.
Therefore the release of their PRO-2004 scanner was delayed for four months in order to see if the bill would be passed. When the scanner was finally released, the "forbidden" 800 megahertz region could not be accessed. All Radio Shack did was connect an extra diode to the circuit board to prevent reception of the "forbidden frequencies." Below are instructions reprinted from page 48 of the March 1987 (Volume 6, Number 3) issue of Monitoring Times on how to remedy the situation.

1. Remove the four cabinet screws and the cabinet.
2. Turn the receiver upside down and locate circuit board PC-3.
3. Remove seven screws holding board and plug CN-501.
4. Carefully lift up the board and locate diode soldered in place below the module.
5. Snip one lead of the diode carefully, leaving it suspended by the other lead for later reattachment if desired, such as warranty repair.
6. Reverse first four steps above for reassembly.

Radio will now cover 825-845 and 870-890 MHz and search in 30 kHz increments for no-gap 760-1300 MHz reception.

The "Forbidden Frequencies"

Now the more adventurous readers may want to go listen to these forbidden frequencies. Check the February 1987 issue of 2600 for a common breakdown of the cellular channels, which are between 800 and 890 megahertz. Not all cellular networks have this number of channels, but they can be easily figured out by careful listening to a scanner. Most cellular conversations can be listened to in their entirety without losing them due to cell site switching hand off. However, even when this occurs to the call you are listening to, you can easily pick it up again by merely scanning the frequencies again for the next cell. In this way and with a car one can follow a conversation in its entirety.

A few words of warning though. This use of a scanner clearly violates the Electronic Communications Privacy Act.
The use of a scanner (or often the mere presence of a scanner) within a car violates laws in many states and localities, so check this out before you let one into your car. Using any information gathered off of the airwaves for personal gain violates federal law. As this activity is clearly illegal, 2600 does not condone or encourage listening to cellular calls.