The Theory of Blue Boxing
Their History, How They're Used, and Their Future
After most neophyte phreaks overcome their fascination with Metrocodes and WATS extenders, they will usually seek to explore other avenues in the vast phone network. Often they will come across references such as "simply dial KP + 2130801050 + ST for the ALLIANCE Teleconference system in LA." Numbers such as the one above were intended to be used with a Blue Box. This article will explain the fundamental principles of the fine art of Blue Boxing.
Genesis
In the beginning, all long-distance calls were connected manually by operators who passed on the called number verbally to other operators in series. This is because pulse (a.k.a. rotary) digits are created by causing breaks in the DC current. Since long-distance calls require routing through various switching equipment and AC voice amplifiers, pulse dialing cannot be used to send the destination number to the end local office (CO).
Eventually, the demand for faster and more efficient long-distance (LD) service caused Bell to make a multi-billion dollar decision. They had to create a signaling system that could be used on the LD Network. Basically, they had two options:
1.) To send all the signaling and supervisory information (i.e., on- and off-hook) over separate data links. This type of signaling is referred to as out-of-band signaling.
2.) To send all the signaling information along with the conversation using tones to represent digits. This type of signaling is referred to as in-band signaling.
Being the cheap bastard that they naturally are, Bell chose the latter (and cheaper) method - in-band signaling. They eventually regretted this, though (heh, heh)...
In-Band Signaling Principles
When a subscriber dials a telephone number, whether in rotary or Touch-Tone (a.k.a. DTMF), the equipment in the CO interprets the digits and looks for a convenient trunk line to send the call on its way. In the case of a local call, it will probably be sent via an inter-office trunk; otherwise, it will be sent to a toll office (Class 4 or higher) to be processed.
When trunks are not being used there is a 2600 Hz tone on the line; thus, to find a free trunk, the CO equipment simply checks for the presence of 2600 Hz. If it doesn't find a free trunk the customer will receive a re-order signal (120 IPM busy signal) or the "All circuits are busy..." message. If it does find a free trunk it "seizes" it - removing the 2600 Hz. It then sends the called number or a special routing code to the other end or toll office.
The tones it uses to send this information are called multi-frequency (MF) tones. An MF tone consists of two tones from a set of six master tones which are combined to produce twelve separate tones. You can sometimes hear these tones in the background when you make a call but they are usually filtered out so your delicate ears cannot hear them. These are not the same as Touch-Tones.
To notify the equipment at the far end of the trunk that it is about to receive routing information, the originating end first sends a Key Pulse (KP) tone. At the end of sending the digits, the originating end then sends a STart (ST) tone. Thus to call 914-359-1517, the equipment would send KP + 9143591517 + ST in MF tones. When the customer hangs up, 2600 Hz is once again sent to signify a disconnect to the distant end.
History
In the November 1960 issue of The Bell System Technical Journal, an article entitled "Signaling Systems for Control of Telephone Switching" was published. This journal, which was sent to most university libraries, happened to contain the actual MF tones used in signaling. They appeared as follows:
Digit     Tones (Hz)
1         700 + 900
2         700 + 1100
3         900 + 1100
4         700 + 1300
5         900 + 1300
6         1100 + 1300
7         700 + 1500
8         900 + 1500
9         1100 + 1500
0         1300 + 1500
KP        1100 + 1700
ST        1500 + 1700
11 (*)    700 + 1700
12 (*)    900 + 1700
KP2 (*)   1300 + 1700
(*) Used only on CCITT System 5 for special international calling.
Bell caught wind of Blue Boxing in 1961 when it caught a Washington state college student using one. They originally found out about Blue Boxes through police raids and informants. In 1964, Bell Labs came up with scanning equipment, which recorded all suspicious calls, to detect Blue Box usage. These units were installed in COs where major toll fraud existed. AT&T Security would then listen to the tapes to see if any toll fraud was actually committed. Over 200 convictions resulted from the project. Surprisingly enough, Blue Boxing is not solely limited to the electronics enthusiast; AT&T has caught businessmen, film stars, doctors, lawyers, college students, high school students and even a millionaire financier (((Bernard Cornfeld))) using the device. AT&T also said that nearly half of those that they catch are businessmen.
To use a Blue Box, one would usually make a free call to any 800 number or distant directory assistance (NPA-555-1212). This, of course, is legitimate. When the call is answered, one would then swiftly press the button that would send 2600 Hz down the line. This has the effect of making the distant CO equipment think that the call was terminated, and it leaves the trunk hanging. Now, the user has about 10 seconds to enter the telephone number he wishes to dial - in MF, that is. The CO equipment merely assumes that this came from another office and it will happily process the call. Since there are no records (except on toll fraud detection devices!) of these MF tones, the user is not billed for the call. When the user hangs up, the CO equipment simply records that he hung up on a free call.
Detection
Bell has had 20 years to work on detection devices; therefore, in this day and age, they are rather well refined. Basically, the detection device will look for the presence of 2600 Hz where it does not belong. It then records the calling number and all activity after the 2600 Hz. (If you happen to be at a fortress fone, though, and you make the call short, your chances of getting caught are significantly reduced.) Incidentally, there have been rumors of certain test numbers that hook directly into trunks, thus avoiding the need for 2600 Hz and detection!
Another way that Bell catches boxers is to examine the Centralized Automatic Message Accounting (CAMA) tapes. When you make a call, your number, the called number, and time of day are all recorded. The same thing happens when you hang up. This tape is then processed for billing purposes. Normally, all free calls are ignored. But Bell can program the billing equipment to make note of lengthy calls to directory assistance. They can then put a pen register (a.k.a. DNR) on the line or an actual full-blown tap. This detection can be avoided by making short-haul (a.k.a. local) calls to box off of.
It is interesting to note that NPA+555-1212 originally did not return answer supervision. Thus the calls were not recorded on the AMA/CAMA tapes. AT&T changed this though for "traffic studies!"
CCIS
Besides detection devices, Bell has begun to gradually redesign the network using out-of-band signaling. This is known as Common Channel Interoffice Signaling (CCIS). Since this signaling method sends all the signaling information over separate data lines, Blue Boxing is impossible under it.
While being implemented gradually, this multi-billion dollar project is still strangling the fine art of Blue Boxing. Of course, until the project is totally complete, boxing will still be possible. It will become progressively harder to find places to box off of, though. In areas with CCIS, one must find a directory assistance office that doesn't have CCIS yet. Area codes in Canada and predominantly rural states are the best bets. WATS numbers terminating in non-CCIS cities are also good prospects.
Pink Noise
Another way that may help to avoid detection is to add some "pink noise" to the 2600 Hz tone.
Since 2600 Hz tones can be simulated in speech, the detection equipment must be careful not to misinterpret speech as a disconnect signal. Thus a virtually pure 2600 Hz tone is required for disconnect.
Keeping this in mind, the 2600 Hz detection equipment is also probably looking for pure 2600 Hz, or else it would be triggered every time someone hit that note (highest E on a piano = 2637 Hz). This is also the reason that the 2600 Hz tone must be sent rapidly; sometimes, it won't work when the operator is saying "Hello, hello." It is feasible to send some "pink noise" along with the 2600 Hz. Most of this energy should be above 3000 Hz. The pink noise won't make it into the toll network (where we want our pure 2600 Hz to hit) but it should make it past the local CO and thus the fraud detectors.
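The following sketch is an added illustration of the detection principle the last two paragraphs describe, not code from the original article: it measures how much of a short audio frame's energy sits in the 2600 Hz bin (Goertzel plus Parseval) and flags only near-pure frames, so a piano's high E or 2600 Hz mixed into broadband energy does not register as a disconnect. The 8 kHz sample rate, 50 ms frame and 0.9 purity threshold are assumptions, and the audio frames are constructed test input.

```python
import math
import random

SAMPLE_RATE = 8000   # Hz; assumed telephone-band sampling rate
FRAME = 400          # 50 ms frame: 2600 Hz lands exactly on DFT bin 130
TONE_HZ = 2600.0     # the idle / disconnect supervisory tone

def goertzel_power(samples, freq_hz, sample_rate=SAMPLE_RATE):
    """|X[k]|^2 of the DFT bin nearest freq_hz, via the Goertzel recurrence."""
    n = len(samples)
    k = int(0.5 + n * freq_hz / sample_rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def tone_purity(samples, freq_hz=TONE_HZ, sample_rate=SAMPLE_RATE):
    """Fraction (0..1) of the frame's energy sitting in the freq_hz bin.
    Parseval: sum|x|^2 = (1/N) sum|X[k]|^2; a real tone also fills the
    mirror bin N-k, hence the factor 2."""
    n = len(samples)
    total = sum(x * x for x in samples)
    if total == 0.0:
        return 0.0
    in_bin = 2.0 * goertzel_power(samples, freq_hz, sample_rate) / n
    return min(in_bin / total, 1.0)

def is_disconnect_tone(samples, min_purity=0.9):
    """Flag only a near-pure 2600 Hz frame: speech or music that merely
    contains energy near 2600 Hz must not read as a disconnect."""
    return tone_purity(samples) >= min_purity

def synth(tones, noise_amp=0.0, n=FRAME, seed=1):
    """Constructed test audio: (freq_hz, amplitude) sines plus optional
    uniform white noise. Sample input only, not a real line recording."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        t = i / SAMPLE_RATE
        x = sum(a * math.sin(2.0 * math.pi * f * t) for f, a in tones)
        out.append(x + noise_amp * (2.0 * rng.random() - 1.0))
    return out

if __name__ == "__main__":
    for label, frame in [("pure 2600 Hz", synth([(2600.0, 0.5)])),
                         ("piano high E, 2637 Hz", synth([(2637.0, 0.5)])),
                         ("2600 Hz under broadband noise", synth([(2600.0, 0.5)], 0.5))]:
        print(f"{label:30s} purity={tone_purity(frame):.3f} flag={is_disconnect_tone(frame)}")
```

With a 50 ms frame the bin width is 20 Hz, so the 37 Hz gap to the piano's E leaves well under 1% of that note's energy in the 2600 Hz bin; a longer frame narrows the bin further at the cost of slower response.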
The above was taken from Basic Telecommunications - Part VII, written by BIOC Agent 003.