-= [ Canadian COCOT Unrestricted Line Exploit ] =-

The Clone / 06.03.01 (updated: 07.07.01)

-= [ index ] =-

- disclaimer -
- intro -
- documentation -
- research -
- outro -
- credit -
- contact info -

-= disclaimer:

Do not attempt the following exploit. Having telco security after you isn't a fun experience. If you attempt this exploit and do get caught, I am in no way responsible.

-= intro:

This document has been written to point out another payphone vulnerability that I recently discovered while experimenting with two types of COCOTs (customer-owned coin-operated telephones): the Canada Payphone Corporation / AT&T 'Elcotel Eclipse', and the Paytel Canada 'Protel'.

-= documentation:

For over two decades, payphone companies have been working on ways to make their payphones more profitable, more user-friendly, and more secure, both in the area of physical security (to protect against vandals) and line security (to protect against phone phreaks). Starting in the late nineteen-eighties, payphone companies have been increasingly successful in stopping the exploitation of their phones by people using blue boxes, red boxes, beige boxes, and more recently NOS (not in service) INWATS numbers for unrestricted line dropping.

In western Canada, where Telus has a monopoly over the payphone market, Telus has successfully been able to patch the unrestricted line problem. For example: you pick up the receiver on a Telus payphone, dial a toll-free (800) number, and the number you dialed happens to be out of service and hangs up on you; the payphone automatically recognizes this and seizes the phone line. In other words, the payphone's line security depends on it detecting the far end's disconnect and re-seizing the line before the caller is handed a dial tone.

However, I've found in the last two years that certain COCOTs have been vulnerable to line-seizing exploitation. In March of 2000, I found that a large portion of the older AT&T Elcotel model 9520C's tended to have a lot of problems seizing the line after not-in-service calls.
Line-seizing exploitation on Elcotel 9520C's now looks as though it is virtually extinct, because a majority of the older and all of the newer 9520C's have now been fixed by Canada Payphone Corporation (Elcotel's Canadian distributor).

"Just when AT&T, Elcotel, Canada Payphone Corporation, and Paytel Canada thought the days of line-seizing exploitation were over..."

1. In order to make this particular exploit work, you need to call an out-of-service/hanging number such as this one: 1-800-909-0261.

2. After the call connects, you will hear the line hang for approximately 15 seconds.

3. Wait another 5-10 seconds, and the line you called will hang up and supervise.

4. At this point the vulnerable phone you are on should seize the line and make you redial the number. Instead, you will get a normal dial tone.

5. Immediately after getting the dial tone on the phone, enter any area code and any number you wish to call, local or long distance.

6. Your call will connect as if you had placed 25 cents into the payphone and directly dialed the number.

Q: "What does my caller identification information show on the receiving party's CID display?"

A: If you called from any Paytel Canada COCOT, your CID info will show "Paytel Canada" and its assigned phone number. If you call from an Elcotel Eclipse COCOT, your CID information will show "Unknown Name" and its assigned phone number.

-= research:

-Recommended COCOT research sites-

(H/P)
www.nettwerked.net
www.hackcanada.com
www.ghu.ca

(Corporate)
www.elcotel.com
www.paytel.ca (.com)
www.protel.com

-Relevant COCOT images-

Elcotel Eclipse image: www.nettwerked.net/eclipse.jpg
Paytel 'Protel' image: www.nettwerked.net/paytel.jpg

-= outro:

This file just goes to prove that one of the many exploits that worked on the payphones of yesterday DOES still work on the newer payphones of today, and likely tomorrow, if COCOT manufacturing and distribution companies don't get a clue as to how their own payphone equipment works.
How long is it going to be before these telecom companies start adopting some sort of standard for properly securing POTS copper lines? Until then, phreaks around the nation will continue to exploit this ancient form of toll fraud, which costs these companies millions of dollars in revenue each fookin' year!

-= credit:

Alan (780); thanks for the additional info. =]

-= contact info:

e-mail: theclone@hackcanada.com
irc: irc.2600.net #cpu (key), #hackcanada, #teamphreak
urls: www.nettwerked.net | www.2600sucks.com/teamphreak

-endz-