'Telus Call Director; Unsupervised Line Exploit'

-[Date: 11/07/00]-
-[Handle: The Clone]-
-[Type: Telus Advisory]-
-[EMAIL: theclone@hackcanada.com]-
-[URL: http://www.nettwerked.net]-

(notes: This particular exploit has been verified several times by the Canadian Phreakers Union [#cpu/haxordogs.net]; it has worked on many occasions; however, we've found that sometimes it doesn't work, which completely boggles the mind. We've had greater success when the TCD subscriber picks up after the first or second ring.)

Enter the phone number of someone who is subscribed to TCD (Telus Call Director) who you know will be on the Internet at the same time you place the call.

1. Call up a phone number and be sure you're connected.

2. Do a quick Flash hang-up or push the Link/3-way button on your CID display phone... this will initiate the 3-way chain and will drop you to a dial-tone.

3. Now enter the phone number of someone who is subscribed to TCD who you know will be on the Internet at the same time you call them.

4. When the TCD subscriber picks up the telephone you will then be connected to both parties.

The 'sploit? --

On Telus (Mobility) cellular/landline $20 a month plans, the phone bills give a specific list of every long-distance number you called (including duration) from the time after you received your previous month's last bill. Right, so that direct/3-way call you made to the TCD subscriber was not logged, meaning Telus' billing-equipment didn't recognize that particular call, essentially giving you direct access to an unsupervised line.

[ed note; looks as if Telus' recent upgrade to (former) BCTEL's "newer" billing system is not without its share of serious glitches... so Telus, was that multi-billion dollar merger with BC-TEL simply because they had more advanced equipment really worth it? ;-]

The Possibilities --

1. Chatting on an unrestricted line that completely ignores all Telus Call Director subscribers via a direct call or three-way chain can be used as a virtual "get out of jail free card" for both parties who may be suspected of criminal activity (drug dealing, extortion, etc.), and therefore have their calls logged and put into a "suspect database" run by Telus - police accessible. The 3-way-to-TCD billing-exploit will be completely feasible in this particular situation, making customer monitoring a little more difficult to perform and subject to countless inaccuracies.

-- Emergency Interrupt Avoidance;

Q: "Okay, just what is Emergency Interrupt?"

A: Let's say you have an appointment with a friend and you call her only to find that her phone is busy and you get blasted with an annoying busy signal. No use in complaining about why she isn't subscribed to call-waiting; so you call up the operator and ask them to test the line, which they do by using a process called BLV (Busy Line Verification) to check if the line is busy. From there the operator will ask you if you'd like to send a message to the particular subscriber, which of course you do, and the operator sends the message through to your friend.

This is where the BLV process becomes a bit more complex; with the line busy, how is she going to break into the call and send the message? Using the Emergency Interrupt option she will automatically utilize the NTT (No Test Trunk), which basically tests a line without breaking into it like Emergency Interrupt is programmed to do. At this point you're probably thinking that the operator just breaks into the line and alerts your friend... wrong. See, what telephony companies did was add an encryption feature into the TSPS/OSPS (the operator's) console which made it impossible for an operator to be able to just tap into a conversation without first causing the subscriber's line to beep before coming on to the line; a nice implementation if I do say so myself.

--

2. By performing the Telus Call Director exploit, you could avoid all attempts by the Telus operator to perform Emergency Interrupt because on their TSPS/OSPS screen they will see that your line is not even in use. From there they will alert the person that is trying to contact you that your line is free and there is no need for them to bother initializing the Emergency Interrupt command. You will be an invisible void within those copper veins of Mah-Bell. ;)

---

Conclusion;

As you can see, the growing telecommunications-industry is not without its share of security vulnerabilities. Before I finish this paper, I would personally like to thank two other people who have helped me with the testing of this exploit; Alan and Phlux - thanks a lot for your help guys.

For further information on other Telus Call Director exploits, please refer to Phlux's 'Owning Telus Internet Call Director' http://www.nettwerked.net/icd.zip