'Telus Call Management Assistant Exploitation'

BY: The Clone
DATE: March 13, 2002
URL: www.nettwerked.net
EMAIL: theclone@hackcanada.com

Disclaimer: This document was written for information and entertainment purposes only. If you choose to mess with other people's Telus accounts, you have to deal with the consequences, not me.

- Introduction:

Telus has recently come out with a neat service for its Alberta and British Columbia customers (residential and business) called "Anonymous Caller ID". Through a special activation number, the subscriber has the ability to create a numerical password which allows them to access the Telus Call Management Assistant system. From there, the subscriber can add "special" ring features to their line, so that only certain phone numbers that have been manually added by the subscriber will give that ring when they call their line. They also have the ability to modify the "Private" number Priority Caller Authorization List, create a PIN Authorization Code to give to Priority Callers, send Anonymous calls to Voice Mail, and turn the Telus Call Management service OFF or ON.

However, there exists a rather intriguing exploitable authentication vulnerability in the Telus Call Management Assistant system. This paper will delve a little into how the Anonymous Caller ID system works, give a simple navigation guide, and of course cover the authentication vulnerability and a couple of ways one can exploit it.

For a detailed paper on another (and similar) exploitable Telus self-serve system, check out this file I wrote on June 30, 1999:
http://www.hackcanada.com/canadian/phreaking/self_serve.txt

- How It Works...

Dial 310-TOUCH (8682) toll-free using a touch-tone phone. For your "protection" your first call must be from the line on which Anonymous Caller ID has been installed. The first time you access this service you will hear:

"Welcome to the TELUS Call Management Assistant.
To set up your services, please create a password that is between 6 and 10 digits in length."

Now what you need to do is enter your new password, then press #. Press * to exit. Once you have created your password, you will be able to dial the Call Management Assistant from *any* touch-tone phone in any location. If you are a phreak calling from outside Alberta, go ahead and dial 1-403-263-6981 (for Southern Alberta) or 1-780-428-6824 (for Northern Alberta). If you're outside British Columbia, you'll need to dial 1-604-520-3212.

-- Simple Navigation Guide...

* Setting up your "Private" # Priority Caller Authorization List *

This allows you to create a list of priority callers with "Private" numbers whose calls will bypass the service and ring directly through to your phone. Unfortunately, international long distance numbers cannot be added to the Priority Caller List.

Dial 310-TOUCH (8682) toll-free from anywhere in BC or Alberta.
Enter your password, then press #.
At the Main Menu, listen to the voice prompt and press 4 for Anonymous Caller ID.
Press 3 to Create, Play Back, Edit or Delete your Priority Caller Authorization List.

To create a list: Enter the phone number you would like to add to the list, exactly as you would dial it, followed by #. For Long Distance callers: Area code + 7 digits. Repeat the above process to continue adding numbers. Press # when your list is complete.

* To Play Back the list press 1.
* To Edit the list press 2.
* To Delete the entire list press 3.
* To confirm deletion, press #.
* Press * to EXIT the system when you are finished.

Note: If you hear the password prompt, press * if you want to enter a phone number other than the phone you are using. For cellular callers who are prompted to "Press 1 to unblock" their number, you will be able to enter their number into your Priority Caller Authorization List.
* Creating a PIN Authorization Code to give to Priority Callers *

This PIN Authorization Code allows designated callers to bypass the service. Give it to overseas callers, friends and family members... any callers with "Unknown" numbers whose calls you always want to receive.

Dial 310-TOUCH (8682) toll-free from anywhere in BC or Alberta.
Enter your password, then press #.
At the Main Menu, listen to the voice prompt and press 4 for Anonymous Caller ID.
Press 9 to set up your Anonymous Caller ID PIN Authorization Code, which must be between 3 and 10 digits long.

* Callers using your PIN Authorization Code *

Once they hear the Anonymous Caller ID announcement, have them proceed as follows:

'Private' callers: Press the '#' key; enter your PIN code; press the '#' key again.
'Unknown' callers: Enter the PIN code immediately, then press the '#' key.

The call will then proceed, displaying on your set as "Authorized Call".

* Use SMART Ring with Anonymous Caller ID *

SMART Ring subscribers can choose the option of having calls to their SMART Ring number bypass the Anonymous Caller ID service. This works well for those who receive faxes or international calls on their SMART Ring number.

Dial 310-TOUCH (8682) toll-free from anywhere in BC or Alberta.
Enter your password, then press #.
At the Main Menu, listen to the voice prompts and press 9 for Additional Options.
Press 6 to change your SMART Ring options.
Press 4 for Anonymous Caller ID and SMART Ring.
Follow the spoken instructions.

* Send Anonymous calls to Voice Mail *

Voice Mail subscribers have the option of sending anonymous calls to Voice Mail. To turn your Anonymous Caller ID Voice Mail option ON or OFF:

Dial 310-TOUCH (8682) toll-free from anywhere in BC or Alberta.
Enter your password, then press #.
At the Main Menu, listen to the voice prompts and press 9 for Additional Options.
Press 5 to change your Voice Mail option.
Follow the spoken instructions.
* Turn the service OFF or ON *

Dial 310-TOUCH (8682) toll-free from anywhere in BC or Alberta. (If you are calling from outside BC or Alberta, dial 1-604-520-3212, 1-403-263-6981, or 1-780-428-6824.)
Enter your password, then press #.
At the Main Menu, listen to the voice prompt and press 4 for Anonymous Caller ID.
Press 1 to turn Anonymous Caller ID ON.
Press 2 to turn Anonymous Caller ID OFF.
Press * to EXIT the system when you are finished.

Here's a helpful Graphical Flow Chart:
http://www.nettwerked.net/telus/flow_chart.pdf

- The Exploit...

Because the Anonymous Caller ID activation system (310-TOUCH) only requires your caller ID information for authentication, one would only need to be located at the resident's line in order to call it up and set their own 6-10 digit password. You need to either be using the subscriber's phone, or better yet "beige boxing" the subscriber's line, to be able to pull off the actual activation. After you have successfully activated your account by setting the password, you can then access the system from anywhere in Canada (see: "How It Works").

If you wanted to be a little bit adventurous, you could simply use the methods spoken about in a file I wrote called 'The Mobile Phone ANI-Diversion Technique', which is available at:
http://www.hackcanada.com/canadian/phreaking/cell-ani-diversion.txt

In this case you would need to have a cellular phone with a local carrier - Telus, Rogers AT&T, or FIDO will do - and then you call up a toll-free operator at Telus. Social engineer the operator by saying something like:

"Yes, hello there. I have just subscribed to the Telus Anonymous Caller ID package, but my telephone is not working. When I try to access the 310-TOUCH number from anywhere but my line, I get an error message. I guess I need to be calling it from my line to activate it properly. Would you be a dear and transfer me through to 310-TOUCH, and pass my caller ID information to it so it knows who I am? My name is [say subscriber's name]. Thanks."

Now this trick isn't 100% foolproof, and may require the account number belonging to the subscriber. But sometimes you'll be lucky enough to get an operator who will do what you say and transfer your call and the subscriber's ANI info to 310-TOUCH. Remember to be creative, and don't blow it. If you make the operator suspicious, he or she will think you're trying to trick them, and immediately assume you're not who you say you are. If this happens, you should pretty much give up, because the operator may write a report and display it on the account - so that when the next operator brings it up, they'll see it and clue into what you're up to. That's bad... that's indictable too. :-(

- Conclusion...

I hope this opened up the window of opportunity for you to have fun with individuals or corporations you hate. =]

- eof.
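The first-call enrollment described under "How It Works", and the weakness pointed out under "The Exploit" (the calling line's caller ID being the only proof of identity), modelled as an added example that is not part of this file or of any Telus system. The Account record, the out-of-band enrollment code, the lockout budget and the sample number are assumptions; the weak variant enrolls whoever presents the subscriber's ANI, the hardened variant also demands a code the subscriber received out of band, and in both the 6-10 digit password then works from any line.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    line: str                       # subscriber's number (constructed sample)
    enroll_code: str                # assumption: code delivered out of band, e.g. on the bill
    password: Optional[str] = None  # 6-10 digit IVR password, None until first-call enrollment
    failures: int = 0               # wrong enrollment codes seen so far (hardened variant)

def valid_password(pw: str) -> bool:
    """The system's stated rule: the password is 6 to 10 digits."""
    return pw.isdigit() and 6 <= len(pw) <= 10

class WeakIVR:
    """Enrollment trusts the presented caller ID (ANI) as the only proof of
    identity, so any call that arrives carrying the line's ANI owns the account."""
    def __init__(self, accounts):
        self.accounts = {a.line: a for a in accounts}

    def enroll(self, ani: str, new_password: str, enroll_code: Optional[str] = None) -> bool:
        acct = self.accounts.get(ani)  # enroll_code is ignored here: ANI is everything
        if acct is None or acct.password is not None or not valid_password(new_password):
            return False  # unknown line, already enrolled, or password outside 6-10 digits
        acct.password = new_password
        return True

    def login(self, line: str, password: str) -> bool:
        """After enrollment the password alone grants access from any line."""
        acct = self.accounts.get(line)
        return (acct is not None and acct.password is not None
                and hmac.compare_digest(acct.password, password))

class HardenedIVR(WeakIVR):
    """ANI is a hint, not a credential: first-call enrollment also needs the
    out-of-band enrollment code, and repeated wrong codes lock the account."""
    MAX_FAILURES = 3  # assumption: small guess budget before enrollment is frozen

    def enroll(self, ani: str, new_password: str, enroll_code: Optional[str] = None) -> bool:
        acct = self.accounts.get(ani)
        if acct is None or acct.failures >= self.MAX_FAILURES:
            return False  # locked accounts need a manual, verified reset
        if enroll_code is None or not hmac.compare_digest(enroll_code, acct.enroll_code):
            acct.failures += 1  # each miss burns budget; a lockout is an alertable event
            return False
        return super().enroll(ani, new_password)
```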