Randomly calling a phone inside an elevator contains the excitement of the unknown, but also the risks of security.
I picked up my iPhone, dialed the little world inside the elevator – in my contacts, this strange number was named the Crown Plaza Hotel, a hotel located in Chicago – right away. I immediately heard 2 beeps, a pre-recorded voice told me to press the “1” key to start chatting. I did so, and then I heard a strange sound, the engine running, the cable car straining to load the weight of the elevator. I raised my voice and asked into the unknown: “Hello, can anyone hear me? “Space refused to answer.
Hanging up, I tried another one: this time at the Hilton in Grand Rapids, Michigan. The other end of the line only rang one ring and I heard four successful connection signals, the phone rang the usual sounds inside the elevator. An alarm sounded, perhaps the elevator had stopped on one floor, the noise was probably the elevator door opening. I raised my voice and asked:
– Hello, is anyone there?
A few voices whispered, then a woman answered:
– Yes, someone is here.
Suppressing the excitement in my voice, I asked if anyone was in an emergency; It’s a strange question at first, but it’s the right question to make sure you don’t get in the way of anyone, just in case someone on the ladder really needs help. No one answered, then I heard the elevator doors open and close again.
I decided not to hang up the phone, continuing to listen to the noises from that strange world. A few seconds later, the bell rang again, and a new group of people entered. Once again I said hello, the same content as before, but after a few times, no one answered.
“ Turn it over ,” said the woman with an American Midwestern accent. “ The receptionist said that just holding up the light is fine ,” replied a man’s voice. I realized I was listening to the conversation of a couple trying to swipe their elevator card to get to the floor they wanted. A tinge of guilt filled my body, as if I was listening to a conversation I shouldn’t have been able to, shouldn’t have heard! Acting on instinct, I immediately hung up the phone.
I entered the world of illegal elevator phone hacking and was filled with such suspense. I just found out about this pastime, receiving a long list of callable hotels just days away from the time of writing; that’s when I met Will Caruana, a freelance security researcher.
In her spare time, Caruana conducts “phreaking”, the term for decades-old tricks to find backdoors, break in, track down special functions, even “bugs” of the global phone system. bridge. At Defcon, the Las Vegas hacker fair, Caruana talks about this pastime, as well as details very specifics of a little-known branch of “hacking”: Caruana introduces about the “phreak” of the elevator phone, the hobby of hacking the communication tool required in every elevator system in the United States, having an open line to anyone who gets this special phone number.
“I can call the elevator phone directly, listen to secret conversations, program the phone so that when the person in the elevator wants to call, it will be connected to any number I want,” explains Caruana. like to let me hear. He also warned that while the phone in the elevator usually makes a “beep” sound every time it connects successfully, if someone has already connected before you enter, the only way to find out is to Notice the red indicator light.
” If you don’t keep an eye on it, you won’t be able to see it ,” Caruana said.
Caruana spent the last year listing elevator phone numbers across the country; he plans to upload it to certain people, but doesn’t specify which platform he will post the list on. Now, he’s rolling out a list of more than 80 multi-area elevator phone numbers, not just because he wants to promote how interesting phreaks can potentially lead to memorable conversations, but also to warn about a little-known security vulnerability – a vulnerability that can affect organizations as well as individuals.
Connect to most elevator phones and then press “2”, you will be able to enter the password to proceed to reprogram the entire elevator phone system. It’s not uncommon for programmers to set a default password, it’s not difficult to guess a few default characters, so anyone can manually edit this system.
Just by reading the user manual of the elevator phone, searching for documents on Google or spending a little money to buy a similar phone model, Caruana has also written a long list of passwords to break into many system. Like other “phreakers” , he can change the number of the hotline that connects to the phone in the elevator to any number: to each phreaker’s private number, to a nearby pizza shop, even can call a line all day with just one Rick Astley’s “Never Gonna Give You Up” playing.
“ Nobody bothers to reset the passwords for these systems, and nobody manages them ,” Caruana said. “ I learned phreaking just because I was interested in it, but now I want to tell the whole community because this is a really difficult problem .”
Caruana repeatedly emphasized that the community of phreakers, made up of people he knew very well, was focused solely on uncovering the mystery and playing around for fun. He talked about the first time he joined the community about a year ago, when he was chatting in a voice chat group and someone added a new member to the group, a phone connected directly to the elevator.
“ You can hear the weird reverberations, and then the very recognizable push of a button. I was overwhelmed, didn’t understand what was going on and immediately wanted to know more about it .”
Since that person-changing moment, Caruana has learned to identify hidden phone numbers, only to find out that there are numbers that have been used by phreakers for 20 years. One way to ” eat snails” is to search the building’s database, find out the numbers that are not on the list of callable numbers listed by the building, and then guess which numbers are being dialed. used for elevators. Another way is to attach an alligator clip to the line, connect to your phone, call 1-800-444-4444 to have them read your number.
There is a much simpler way, which is to enter the elevator directly, press call and then pretend to be a repairman, asking the other end of the line to provide you with your phone number.
Caruana refused to tell me what method he used to get the list of phone numbers, but was willing to say that over the past year, he’d called more than 50 numbers. One of the pastimes he enjoyed most was communicating with his friends in the elevator, welcoming them to the event they were attending with him. Caruana asked me to make sure he didn’t do this phreak in the elevator of the Las Vegas hotel where Defcon was taking place because he didn’t want to be kicked out.
Caruana introduced me to another phreaker, using the name SLICThroat to email me. SLICThroat says he has made calls to elevators hundreds of times, the main purpose of which is to study the different electrical systems in different types of elevators, or simply want to hear the sound coming from a space. some distant mystery.
“Every complex in the world has that sound, a distinct soundtrack or a short conversation can become a window into places you can’t go,” SLICThroat wrote in an email. .
He also said that many phreakers use the elevator phone as a theater, where they adopt different identities, making fun of the person standing in the elevator.
According to Tor Ekeland, a famous hacker defense attorney, this phreak is not illegal. ” On the surface, it’s not illegal to call these numbers ,” Ekeland said. As for taking advantage of the default password to reprogram the phone system, which can be convicted, for example, computer fraud or breach of security policy, this action is really reckless.
Instructed to avoid a criminal reputation, including the list of possible elevator phone numbers that Caruana had given, I sat down and dialed dozens of elevator numbers scattered across the United States. I carefully phreaked every step, always raising my voice to ask if anyone was in an emergency and needed help.
Most of the elevators are empty. Sometimes it’s lucky to call someone in the elevator, but it’s also difficult to start a conversation with them. Someone at Georgetown University apologized to me because they thought they had pressed the wrong button, and quickly exited the ladder. Yes he works in a government building in Seattle no time to talk. An elderly man in Idaho told me he was busy and didn’t have time to chat; the elevator stopped, I thought someone had just entered so I tried to start a conversation again, it turned out that the same guy was standing there, an uncomfortable silence fell over the elevator, and before the uncle stepped out of the elevator , you scolded me a few words.
Then the horse got used to the old ways, I returned to the Grand Rapids Hotel, where I “started” and also the place with the most crowded elevator that I could call. Here, I was able to talk to a few people, but I was not good at talking, so it only confused them. ” I’m just a guest staying at this hotel, and why is the elevator talking to me? ” a worried woman’s voice said.
Eavesdropping on people talking clearly is easier than “interviewing them”. There was a group of people who didn’t hear me say hello immediately, because they were busy talking about the problem of homelessness that was a pain for a long time, and then laughed together when remembering the event that took place a long time ago, when a person throws a party and invites a homeless man to attend. They talked passionately, not paying attention to the red LED light, showing that the elevator phone is connected to the outside.
Caruana and several other phreakers warn, that every elevator has the potential to connect to the outside. Telephones on emergency stairs, emergency telephones at the swimming pool, public telephone booths in dormitories, any “click-to-talk” device are all indiscriminate. Caruana says he wouldn’t be giving a lecture on the phone phreak method if he hadn’t discovered the dangers behind it.
Howard Payne, elevator systems consultant and security researcher, confirmed to me that he has seen several times that elevator phones use default passwords to prevent outsiders from reprogramming the system.
“ I know of many emergency phone lines that still use default passwords, and I suspect many do, if not most, ” Payne wrote in an email to me. “ Tweaking the system and sabotaging public property, fixing the emergency communication system is a light crime of negligence, and at the same time, endangering others. But for security reasons, these devices need to be carefully protected to avoid the bad guys taking advantage of them .”
During his presentation at Defcon, Mr. Caruana intends to warn, and point out some methods to prevent phreak: “Don’t use default passwords. Don’t use easy-to-guess PINs. Prevent others from reprogramming the system remotely. Train employees in basic skills”.
But besides that, Caruana also gave a presentation for another reason: elevators are the ultimate playground for phreakers like him, the rare citadel that even owns an analog phone instead of a digital device. “ There aren’t many phones left for phreakers to mess with. This is literally the ultimate place to conduct phone phreaks ,” said Caruana.
The final reason for the presentation: he wanted to share the joy he had when he connected to his phone in an elevator, every time he connected to a metal box that could only go up and down but contained countless features. interesting hidden feature. “Covering it is still a veil of mystery. You approach a closed box over which you have no control. The feeling of poking around inside, taking back a little bit of control for myself, I think that’s what makes us phreakers excited.”
Based on an article posted on Wired by veteran reporter Andy Greenberg, the photo was taken by Roger Kisby.