Panasonic Phreaking In the New Age

by Anthony

Some Notes Before I Start

I'm not a "blackhat."  I have never written a file before.  I'm not from the "golden ages" of phreaking.  Simply, I found this just through exploration.  Please treat it with respect; think twice before you do something stupid.  Maybe later I'll release a white paper as to how Panasonic PBXs work and how to just hack insecure voicemails.

Info About Me

At the time of writing this, I'm 17 years old, born 1992.  I read and look at some of the old-school phreaking things and say, "I wish this stuff still worked.  I wish someone would do something new."  Maybe phreaking has moved past POTS lines and analog things and onto cellphones and VoIP, but I think that technology should never be forgotten.

How a Panasonic VMbox Works

First of all, the most basic Panasonic VMbox has at least two pairs running to it.

They can be used to treat two user actions with the voicemail at once.

For example, a user may be calling in from the outside PSTN while another can be listening to his VMbox.  Naturally, this would become very busy, very soon, so to help with the congestion the phone system then handles the call once a destination is made and the lines to the VMbox are free again.  More info on this is out of the scope of this paper, but I may write it into my other paper on how the PBX works.

When a user calls in (after hours, if programmed, etc.) - I guess, to be more clear, I should say when a user reaches the main greeting of the PBX - he has the option to use its auto-attendant like a Direct Inward System Access (DISA), to dial a three-digit internal extension.  The Panasonic doesn't have any "error control" to see if what you dialed is valid because... see next paragraph.

How does the VMbox know to tell you if the line is busy, not available, or on-hook/ready?  Well, it dials that extension and "listens."  This VMbox is actually pretty smart.  It will dial what you dialed for you and listen.  If the phone system echoes a busy signal, the VM comes back to you and tells you the line is busy and drops you back to the main menu or asks to leave a message.  If the line is on-hook/good, it will connect you to it.

Let's say the user dials a number like 900.

The VM will grab its other pair and dial 9, so it will grab an outside line, and then 00, feeding 00 into the PSTN.  Well, if you think about it, this would connect you to the operator.

However, Panasonic did think of this and - if the line is empty or there is too much time before there is a connection/answer - the VM will say busy, dropping us back to the main menu.

Now for the thought.

In the U.S., Ma Bell has given us this wonderful thing for impatient people, the # sign.

When we are done punching in our digits, we hit the # and Ma Bell knows to directly connect us to our calling party - no waits, no delays.  What does this mean for us?  Well, it means that we can tell the VM what to dial with the 90 part, grab an outside line and dial a 0 (operator), and a # afterwards.

So, our little trick would be... we call the VM, and dial 90# as the extension we want to reach.

Of course, the VMbox will comply with us (why wouldn't it?  It's the default) and will "drop" us to the operator on their CO line.  The pairs on the VM will free up again because, again, the PBX is smart, too.  Isn't Panasonic awesome?  Seriously, I'm a big fan.

Now What?

Well, now that you have the operator, this is the part where you say, "Hello, I'm blind, can you dial a number for me?"

Naturally, even with the "advancements" in phreaking, some of the most basic things will not fade.

How to Secure It/Fix It

In the Panasonic programming area, there is a location which sets the VMbox's Class of Service (COS).

Setting this to a five or eight will secure this and still allow normal operation of reaching outside numbers and pre-programmed dial-out destinations.
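
As an added illustration (not part of the original article), one way to check whether the voicemail ports are reaching outside lines is to audit the PBX's call-accounting records. The CSV layout, the voicemail port extensions 165 and 166, and the empty allow list are assumptions made for this example; the records are constructed.

```python
import csv
import io

# Constructed call-detail records in a hypothetical CSV layout
# (time, originating extension, CO line seized or empty, dialed digits, seconds).
# Real PBX call-accounting output differs; adapt the column parsing.
SAMPLE_CDR = """\
time,orig_ext,co_line,dialed,duration_s
09:12:04,104,01,5550142,185
19:40:11,165,,102,12
23:51:37,165,02,0,0
23:52:02,166,02,0,964
23:58:40,166,,103,0
"""

# Assumed extension numbers of the two voicemail ports.
VM_PORTS = {"165", "166"}
# Assumed outbound destinations the voicemail may legitimately call
# (for example a message-notification number). Empty here.
ALLOWED_VM_DESTINATIONS = set()


def audit_vm_trunk_use(cdr_text, vm_ports=VM_PORTS, allowed=ALLOWED_VM_DESTINATIONS):
    """Return records where a voicemail port seized a CO line for a
    destination that is not on the allow list."""
    findings = []
    for row in csv.DictReader(io.StringIO(cdr_text)):
        if row["orig_ext"] not in vm_ports:
            continue  # ordinary station call
        if not row["co_line"]:
            continue  # internal transfer, no outside line seized
        if row["dialed"] in allowed:
            continue  # expected pre-programmed dial-out
        findings.append({
            "time": row["time"],
            "port": row["orig_ext"],
            "co_line": row["co_line"],
            "dialed": row["dialed"],
            # A zero-length seizure is a line that lit up and dropped;
            # a long one is a call that completed over the CO line.
            "kind": "probe" if int(row["duration_s"]) == 0 else "completed",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_vm_trunk_use(SAMPLE_CDR):
        print(finding)
```

After the Class of Service change, a clean report over the same period confirms that the voicemail ports no longer reach a CO line for anything outside the allow list.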

"Well that's great Anthony, but how am I supposed to find some Panasonic VMboxes?"

Well Mr. (or Mrs.) phile reader, Panasonic makes it easy for us.

Because they're a corporate product, they have this thing called a Dealer Locator.  If you were a dealer, wouldn't you have a Panasonic VM along with your PBX?

I have come across some that are not Panasonic, but most are.  Listen to the default voice of the auto-attendant.  For the Panasonic VMbox, she has a very distinct English accent.  The Panasonic dealer locator is available at: btsdealer.com/locator

Limitations

This does not work with the old Panasonic voicemails, KX-TVS50 (notice A and S).

"How did you figure this out?"

My dad worked (and still works) as an Interconnect, installing Panasonic phone systems (along with the other low-voltage things he does).

As a little child, perhaps as young as four or five, I remember going on job sites with him and installing Panasonic's PBX.  (At the time, a 616, pronounced six-sixteen.  Six incoming lines, 16 extensions.)

They evolved into the 624 (my favorite system ever) and now the KX-TDA50/100 series.  Also, to keep the people who are "old-school analog," they released an 824, which is an enhanced version of the 624 with built-in DISA.

Seeing that someone else's system had been hacked and used to call the Philippines, I wondered how they had done it.  I sat down at the customer's place, called into the voicemail, and dialed 902 as the extension I wanted it to reach.

I then noticed that the red line indicating a line was busy kicked on, went off and, right when it went off, the VM told me the extension was busy.  I knew I was close.  Then the # came along and voilà!
