Telecom Informer

by Dan Foley

Cellular Fraud Bust

As some of you may know by now, the first cellular phreaking bust in the U.S.
happened last month. On Friday, March 27, the FBI and Secret Service arrested
18 New Yorkers for making cellular phone calls on altered cellular phones. They
also arrested seven others for altering and selling these phones. The method
that was used is exactly the one described in our February column. A cellular
phone transmits two numbers whenever a call is placed. The first is the ESN
(Electronic Serial Number). The cellular MTSO (Mobile Telephone Switching
Office) then checks whether this number is valid. Then the cellular phone
transmits an MIN (Mobile Identification Number), which identifies the party to
be billed for the call. By reprogramming the MIN one can make a multitude of
calls ending up on the MIN owner's bill (much like using a stolen calling card
or extender code). Any cellular repair shop can do the reprogramming on the
side, and seven of them in Brooklyn actually did. It makes you wonder how many
others are also doing this on the side. According to the FBI, organized crime
wasn't involved in this case. Estimates claim that cellular fraud costs the New
York cellular companies $40,000 a month, and about $3 million is lost per year
to cellular fraud in the U.S. This is the first of a series of ongoing
investigations by the FBI and Secret Service, so expect a bust near you soon.
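
The weakness described above is that the ESN and the MIN are each accepted on their own merits. The following is an added example, not part of the original column: a simplified switch-side model that compares that independent check with one binding each MIN to the ESN it was provisioned with. The function names, the subscriber table, and all ESN/MIN values are constructed assumptions.

```python
# Simplified model of the call-setup check described in the column (added example).
# The subscriber table and every ESN/MIN value below are constructed for illustration.

# Carrier provisioning records: MIN -> ESN of the phone the number was issued to.
SUBSCRIBERS = {
    "2125550101": "82A1F003",
    "2125550102": "82A1F004",
    "7185550177": "9C00B210",
}
VALID_ESNS = set(SUBSCRIBERS.values())


def check_independent(esn, min_):
    """Check as the column describes it: ESN is valid, MIN names a billable account."""
    return esn in VALID_ESNS and min_ in SUBSCRIBERS


def check_bound(esn, min_):
    """Hardened check: the MIN must be presented by the ESN it was provisioned with."""
    return SUBSCRIBERS.get(min_) == esn


def audit(call_records):
    """Return the records the independent check accepts but the bound check rejects."""
    flagged = []
    for rec in call_records:
        esn, min_ = rec["esn"], rec["min"]
        if check_independent(esn, min_) and not check_bound(esn, min_):
            flagged.append({**rec, "provisioned_esn": SUBSCRIBERS[min_]})
    return flagged


# Constructed call-setup records.
CALLS = [
    {"id": 1, "esn": "82A1F003", "min": "2125550101"},  # pair matches provisioning
    {"id": 2, "esn": "9C00B210", "min": "2125550102"},  # valid ESN, another account's MIN
    {"id": 3, "esn": "82A1F004", "min": "2125550102"},  # pair matches provisioning
    {"id": 4, "esn": "DEADBEEF", "min": "7185550177"},  # unknown ESN: rejected by both checks
]

if __name__ == "__main__":
    for hit in audit(CALLS):
        print(f"call {hit['id']}: MIN {hit['min']} sent by ESN {hit['esn']}, "
              f"provisioned to ESN {hit['provisioned_esn']}")
```

Only the mismatched pair is flagged; the unknown ESN never passes either check, so it is a separate rejection rather than a billing-fraud signal.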

Electronic Communications Privacy Act

With the passage of the Electronic Communications Privacy Act (Public Law
99-508) earlier this year (effective January 19, 1987) there's now a new breed
of cellular criminals. Now anyone who listens to the "forbidden frequencies" of
cellular telephony is committing a federal crime. The law is questionable in
many aspects. The act makes it illegal to manufacture, sell, advertise, or own
any device or kit "primarily useful for the surreptitious interception of
electronic communications." Nowhere is it stated what "surreptitious" means in
this case, and attempts to have this clarified have been ignored.
"Surreptitious interception" is not limited to electronic communication that is
illegal to receive. One could interpret any receiver that monitors between 15
and 30 MHz or between 50 and 500 MHz as illegal, even though they are widely
available. One could even go so far as to claim that any radio primarily for
indoor use (and, thus, not readily observable from the outside) or AM-FM radios
within stuffed animals are "surreptitious receivers."

Another problem is that if one is receiving interference from a source that was
illegal to receive, and knew this, then one would be in violation of this act.
So if your TV or stereo was getting noise from a cellular phone, and you knew
this, you would be a federal criminal, even though your TV or stereo was
listening to the proper frequencies. Previously it would have been the fault of
the cellular phone company for transmitting such a dirty signal that one could
receive on other frequencies not allocated for cellular phones.

The premise behind this law is that cellular phone calls are "not readily
accessible to the public" anyway, so why not make it illegal to receive them?
However, as many readers of 2600 and scanner users know, this is false.
Cellular uses old TV channels, so an old TV set tuned to channels above 80 will
receive listenable calls. Also, many videocassette recorders, service monitors,
and scanners receive these frequencies, totally unmodified and out of the box.
Cellular is in fact more vulnerable to interception than cordless phones, as
there are millions of old TV sets in the U.S., and comparatively few radio
scanners that receive cordless frequencies. Cellular phone calls are much more
modulation-compatible with TVs, and their range is many miles, as opposed to
cordless ranges of hundreds of feet.

Instead of dealing with the problem of scanner users listening in to cellular
calls by encrypting the calls, the cellular phone companies and suppliers
instead decided to legislate away a serious problem. Now cellular users can use
their phones in communicating business deals and personal conversations
believing that no one is listening. This false sense of security is misleading.
Cellular phone companies don't want to deal with the problem logically. And
this brings up the final problem, enforceability. This law is totally
unenforceable. All it is good for is to tell customers not to worry about the
confidentiality of their calls. The FCC was against the bill, along with the
Electronic Industries Association and other cellular industry organizations and
companies. However, many powerful companies lobbied for this bill, as they saw
it as a quick fix to the very serious problem of cellular eavesdropping. The
Justice Department at the time of the hearings on this bill clearly stated that
they "have no intention of enforcing that part of the bill," referring to the
privacy sections of the Electronic Privacy Act. There basically is no way they
could attempt to enforce the law, considering that England has outlawed pirate
radio, and millions still listen to the offshore stations. The Soviet Union has
to jam Western broadcasts that they don't want their citizens to receive.

When AT&T filed a petition asking to merely label cellular phones with a
warning sticker saying that calls may be monitored, other cellular phone
companies reacted violently. AT&T's petition with the FCC states that "cellular
users have an unwarranted sensation of privacy, which a label would help
dispel....Customers buy cellular telephone sets with the expectation of
privacy. In due course, they learn that they lack the privacy they expected,
and may feel that their suppliers have misled them." Instead of dealing with
the problem by scrambling cellular signals or even merely placing a warning
label, the Cellular Telecommunications Industry Association instead replied
that the FCC "should not consider any labeling regulation, which would place
the burden on citizens to protect their privacy," and lobbied Congress for the
passage of the Cellular Privacy Act. Bell South Mobility went as far as to say
that "cellular users can expect a high degree of privacy," despite the fact
(which any scanner user knows) that all it takes is to tune in to the 800-890
megahertz band with a scanner (or even an old TV tuned to the UHF channels).
"Forbidden frequencies" include those in the February 2600. A penalty of up to
$10,000 would result from merely detecting the signal of one of the protected
frequencies, even as much as the hiss from an encrypted transmission.
Monitoring by scanner the VHF and UHF bands is illegal in the 153, 161,
450, and 455 MHz bands. Also, receiving radio common carriers in the 153, 158,
and 454 MHz band along with FM subcarrier service or voice or message paging
services is a crime, and certainly, receiving 800 to 890 MHz (that of cellular
telephony) would be a crime. Willful receiving of a cellular telephone call
results in up to six months in jail, plus a fine of up to $500. Receiving
manual and IMTS car telephone calls could result in up to a $10,000 fine plus
up to a year in jail. Cordless phones, amateur radio, CB, and General Mobile
Radio Service are not protected.

"Fixing" Your Radio Shack PRO-2004 Scanner

The release of the Radio Shack PRO-2004 scanner was delayed until the passing
of the Electronic Communications Privacy Act. Radio Shack is a major marketer
of cellular phones, and thus lobbied hard for the passage of the bill so
purchasers of their cellular phones could feel that the privacy of calls was
secure. Therefore the release of their PRO-2004 scanner was delayed for four
months in order to see if the bill would be passed. When the scanner was
finally released, the "forbidden" 800 megahertz region was unable to be
accessed. All Radio Shack did was connect an extra diode to the circuit board
to prevent reception of the "forbidden frequencies." Below are instructions
reprinted from page 48 of the March 1987 (Volume 6, Number 3) issue of
Monitoring Times on how to remedy the situation.

1. Remove the four cabinet screws and the cabinet.
2. Turn the receiver upside down and locate circuit board PC-3.
3. Remove seven screws holding board and plug CN-501.
4. Carefully lift up the board and locate diode soldered in place below the
   module.
5. Snip one lead of the diode carefully, leaving it suspended by the other lead
   for later reattachment if desired, such as warranty repair.
6. Reverse first four steps above for reassembly. Radio will now cover 825-845
   and 870-890 MHz and search in 30 kHz increments for no-gap 760-1300 MHz
   reception.

The "Forbidden Frequencies"

Now the more adventurous readers may want to go listen to these forbidden
frequencies. Check the February 1987 issue of 2600 for a common breakdown of
the cellular channels, which are between 800 and 890 megahertz. Not all
cellular networks have this number of channels, but they can be easily figured
out by careful listening to a scanner. Most cellular conversations can be
listened to in their entirety without losing them due to cell site switching
hand off. However, even when this occurs to the call you are listening to, you
can easily pick it up again by merely scanning the frequencies again for the
next cell. In this way and with a car one can follow a conversation in its
entirety. A few words of warning though. This use of a scanner clearly violates
the Electronic Communications Privacy Act. The use of a scanner (or often the
mere presence of a scanner) within a car violates laws in many states and
localities, so check this out before you let one into your car. Using any
information gathered off of the airwaves for personal gain violates federal
law. As this activity is clearly illegal, 2600 does not condone or encourage
listening to cellular calls.