Title : Physical Access and Theft of PBX Systems
Author : Codec
==Phrack Magazine==
Volume Four, Issue Forty-Three, File 15 of 27
[** NOTE: The following file is presented for informational purposes
only. Phrack Magazine takes no responsibility for anyone
who attempts the actions described within. **]
***************************************************************************
Physical Access & Theft of PBX Systems
A DSR Tutorial by :
CO/der DEC/oder & Cablecast 0perator.
(K)opywronged 1993, by Dark Side Research
***************************************************************************
BACKGROUND
~~~~~~~~~~
July 1989, Mobil Oil Corporation Headquarters -- Fairfax, VA.
Abundant technology, late hours, and shadows between city lights
made up the typical environment CO/der DEC/oder repeatedly found
adventure in. On one such night in the summer of '89, a reconnaissance
outing landed him at the offices of Mobil Oil Corp. The door leading
from the multi-level parking garage into the foyer was equipped
with an access-request phone and a square black pad. The pad was flush
with the wall, and sported a red LED in its center -- a rather imposing
device used to read magnetic access cards. CODEC picked up the phone
and listened to a couple rings followed by the voice of a security
guard, "Good evening, security ..."
"Evenin', this is Dick Owens with CACI graphics. I don't have a
card, but just call upstairs and they'll verify."
"Hold on, sir ..."
Kastle Security's verification call registered as a sudden 90 VAC
spike on Cablecast 0perator's meter. Clipped on the blue and white pair
of CACI's incoming hunt group, Cable picked up on his TS-21:
"Hello?"
"This is Kastle Security. We've got a Dick Owens downstairs
requesting access."
"Yeah Sure. Let him in please."
The security man took Codec off hold, "Okay sir, what entrance are
you at?"
"Garage level one."
The door clicked, and in went the hacker-thief -- grinning.
Another lock at the end of a hallway also hindered access, but a
screwdriver, placed between door and frame, removed the obstruction with
a quickly applied force.
CACI was a graphics outfit sharing the same building with Mobil.
After a perusal through its desks and darkened corridors turned up a
cardkey for later use, Codec -- pausing casually along the way at the
drunking fountain -- made his way to the opposite end of the hallway and
into Mobil's mail receiving room. In contrast to elsewhere in the
building, this room was chilly -- as if heavy air conditioning was
nearby. There was also a faint roar of fans to enhance this notion.
And behind a countertop in the direction of the noise, a split door could
be seen through which mail and parcels were passed during business
hours. Hardly an obstacle, he was on the other side in an instant.
This "other side" was no less than a gateway to nirvana. At first he
began taking in the sight of a mini-computer, console, and mass storage
devices, but his eyes were virtually pulled to the giant on his left.
It was the largest and most impressive PBX he had yet seen; a label
above the five gargantuan, interconnected cabinets read, "AT&T SYSTEM
85." The hacker's heart raced -- he wanted to explore, control, and own
the switch all at once. Within seconds his gloved hands caressed the
cabinets while his hungry eyes scanned circuit pack descriptors, mouth
agape. Codec grabbed some manuals, jotted down numbers to a modem
stack, and reluctantly departed. A week later, he stole the switch.
To the Dark Side Research group, the System 85 would be worth
approximately $100,000 -- but to Mobil, the system was worth at least
six times that figure. In its entirety it was more valuable, but DSR
was only concerned with the guts; the digital circuitry of the system.
When Codec reentered the building the following week, he was wearing a
VOX headset attached to a hand-held 2-meter band (HAM) radio. This was
strapped to his chest except for the rubber-whip antenna which protruded
out of a hole in his jacket. His awestruck, gleeful countenance from
a week prior had been replaced by a more grave expression, and the
moisture now on his body was no longer from unconscious salivation
but due to the sweat of anticipation and rapid movement.
"Phase one complete," he spoke into the boom mic in front of his
face.
"Roger Nine-Two. Quit breathing on the VOX or adjust sensitivity,
over."
"Roger Nine-Three. Entering heavy EMI area," Codec acknowledged to
one of the lookouts.
Steps were retraced through the mail room, where several empty
boxes marked "U.S. Mail" and a dolly were conveniently stored. The
System 85 was shut down, cabinet by cabinet, as most of the circuit
boards were hastily removed and boxed. Seven boxes were filled,
requiring two trips with the dolly to a side door.
"All units: ready for docking."
"Roger Nine-Two. Standby. Nine-Three, okay for docking?"
"Step on it, over ..."
A Ford Escort with its hatch open raced up to where Codec and the
boxes stood. Within fifteen minutes the circuit packs were unloaded in
a public storage unit. Within half an hour, CO/dec DEC/oder, Cablecast
0perator, and the remainder of the night's crew were filling up with
doughnuts of the nearby 7-11, observing local law enforcement doing the
same.
APRIL 1993: Security memorandum broadcast from wrq.com -- Internet
"We've all heard of toll fraud as a way to steal telecommunications
resources. Now the ante has been escalated. I've heard of a
company on the East Coast that was having some minor troubles with their
PBX. A technician showed up at the door and asked directions to the PBX
closet. The company showed this person the way without checking any
credentials, and about five minutes later the phones went completely
dead. They went up to the PBX closet and found that several boards from
the PBX had been removed and that the 'repairman' had departed."
The theft of PBX circuit boards is a novel idea and seldom heard
of, but -- as made apparent above -- it does occur. In the used PBX
scene, often referred to as the "secondary" or "grey" market, there is
always a demand for circuit packs from a wide variety of PBXs. The
secondhand PBX industry grew from $285 million in 1990 to $469 million
in 1992 -- despite the recession.
The essence of any PBX is a rack or multiple racks of circuit
cards/boards/packs, with an average grey market value of anywhere from
$50 to $2000 each. The cards are lightweight, small in size, and can
even withstand a moderate dose of abuse. Transport of misappropriated
circuit boards is done without risk -- under and police scrutiny, a box
of these looks like a mere pile of junk (or senior engineering project)
in the trunk of your car. Furthermore, the serial numbers on the boards
are seldom, if ever, kept track of individually, and these can be
removed or "replaced" in any case. Unlike computer equipment or
peripherals, PBX cards are extremely safe, simple, and non-proprietary
components to handle -- even in quantity.
Although you may wish to physically access PBXs for reasons other
than theft, it will be assumed here that monetary gain is your motive.
In either case, this introductory file makes it clear that access can be
achieved with varying levels of ease. A PBX theft should be thought of
in terms of two phases: reconnaissance and extraction. Recon involves
finding and selecting prime targets. Extraction is the actual theft of
the system. Both phases can be completed through "office building
hacking," a wide variety of deception, breaking and entering, social
engineering, and technical skills.
Phase I : Reconnaissance
PBXs are found where people's communications needs warrant the
capabilities of such a system -- offices, schools, hotels, convention
centers, etc. The PBXs we will concert ourselves with in this discourse
however are those located in shared or multiple-leased office
structures; the "typical" office buildings. The typical office building
has enough floors to require an elevator, some parking space, a lobby,
and a company directory (Because it is shared by more than one
business). Companies that occupy an entire building by themselves are
generally too secure to be worthwhile targets.
Tenant companies in the typical building lease all different size
office space -- some rent only 300 sq. ft., others take up entire
floors. Those that use half a floor or more usually meet the criteria
for PBX ownership. Obviously, the larger the firm's office at that
site, the greater its PBX will be, so those business spread out over
several floors will have the most valuable systems. This is not always
an overwhelming factor in determining a target however. The smaller
systems are often easier to get at -- and ultimately to remove --
because they tend to be located in utility closets off publicly
accessible hallways as opposed to within a room inside an office space.
Those closets, sometimes labeled "telephone" and even unlocked, will be
found one or two per floor! Other closets may exist for electrical
equipment, HVAC, plumbing, janitorial supplies, or for a combination of
these uses in addition to telephone service.
A phone closet is easily distinguishable whether or not a switch or
key system is present. A web of low-voltage (22 AWG), multi-colored
wiring will be channelled and terminated on a series of white "66"
blocks mounted on the wall. These blocks are a few inches wide, and
roughly a foot long, with rows of metallic pins that the wiring is
punched into with a special tool. As a general rule, if the system is
fastened to the wall and doesn't have at least one muffin fan built-in
and running, it's either a measly key system or a PBX too small to
deserve your attention. Those worthy of your time will stand alone as a
cabinet with a hinged door, contain shelves of circuit cards, and
emanate the harmonious hum of cooling fans. As an example, Mitel PBXs
commonly fit cozily in closets -- sometimes even one of the newer ROLMs
or a voice mail system. On the other hand, an NT SL-100 should
not be an expected closet find.
Wandering through office buildings in search of phone closets
during business hours is easy, so long as you dress and act the part.
You'll also want to look confident that you know what you're doing and
where you're going. Remember, these buildings are open to the public
and an employee of one company can't tell whether or not you're a client
of another. When going in and out of the phone closets, who's to know
you're not a technician or maintenance man?
Apart from searching the closets, you can approach the secretaries.
Feign being lost and ask to use the telephone. Steal a glance at the
console and you'll know (with a little practice) what type of PBX
they've got. This is very valuable information, for it may save you
from unsuccessfully breaking into the closet (should it be locked) or
the company itself. Secretaries are cute, courteous, and dumb. You
shouldn't have a problem convincing her to give you the key to the phone
closet if you're posing as a technician. If you're feeling as confident
as you should be, you may even get a date with the bitch. And should
you ever raise suspicion, you always have the option of bailing out and
making a break for the stairwell. No business exec is going to chase
you down.
Some additional methods can be employed in conjunction with
visiting the buildings, or as a precursor to such :
-- Classified ads. A company with job openings is all the more
vulnerable to your dark motives. Using the help-wanted section of your
newspaper, look for receptionist and secretarial positions. Call and
ask, "What type of phone system will I be required to handle?" You may
also want to go in and apply for the job -- any job at a large firm will
do. You'll learn the type of system installed, some details about
security, etc; this is a very sophisticated way of "casin' the joint."
-- Scanning for RMATS. Using your preferred wardialer (such as
ToneLoc), scan business districts for PBX remote maintenance modems then
CNA your finds.
-- Targeting interconnects. Interconnects are PBX dealers that sell,
install, and maintain the systems on contract. Capture a database of
clients and you'll have a windfall of leads and pertinent info. AT&T
allegedly sells its database by region. Also, intercept voice mail or
company e-mail. Interconnects make decent targets themselves.
-- Users groups and newsletters. Some of the extremely large PBX owners
join users groups. Though this is abstract, owners will discuss their
systems openly at the meetings. Newsletters are mailed out to members,
often discussing special applications of specific locations in detail.
Great for making sales contacts.
Phase II : Extraction
Removing the PBX calls for an assessment of obstacles versus
available means and methods. The optimum plan incorporates a late
afternoon entry with a nighttime departure. This means entering the
building during business hours and hiding, either in the PBX closet
itself or any room or empty space where you can wait until after hours
to re-emerge. This is the most safest and effective of methods. You
need not worry about alarms or breaking in from outside, and you can
take advantage of one of the greatest weaknesses in corporate office
security -- janitors. The janitorial staff, if you act and dress
properly, will allow you to walk right into an office while they're
cleaning. If you're already in an office and they enter, just act like
you own the place and it'll be assumed you work there. If you prefer
not to be seen, keep hidden until the cleaning is done on your floor.
(Be sure not to make the idiotic mistake of hiding in the janitor's
closet). Although the custodians will lock the doors behind them, any
alarms in the building will remain off until cleaning for the entire
structure is complete.
There is simply nothing so elegant as entering the building during
the daytime hours, hiding, and re-emerging to wreak havoc when
everyone's gone. (A patient wait is required -- take along a Phrack to
read). Unfortunately, entry will not always be so easy. The phone
closet may have a dead-bolt lock. There may be no feasible hiding
place. People may constantly be working late. Because of all the
potential variables, you should acquire a repertoire of means and
methods. Use of these methods, though easy to learn, is not so quickly
mastered. There is a certain "fluidity of technique" gained only
through experience. Deciding which to use for a given situation will
eventually come naturally.
-- Use of tools. You can easily get around almost any office building
using only screwdrivers. With practice, prying doors will be quick and
silent. Although some doors have pry-guards or dead-bolts, about every
other phone closet you'll encounter can be opened with a screwdriver.
Before forcing the gap between door and frame, try sliding back the
locking mechanism. For best results, work it both ways with a pair of
screwdrivers; a short one for leverage, a longer one for manipulation.
For dead-bolts, a pipe wrench (a wrench with parallel grips) can
turn the entire lock 90 degrees. Interior doors are cheaply
constructed; if you can wrench the lock, it'll turn and the bolt will be
pulled back into the door. Quality dead-bolts have an inclined exterior
to prevent it from being gripped. For these, diamond-cutting string can
be applied. This is available at select plumbing supply houses for $150
upwards.
-- Ceilings and adjacent offices. Not only are the doors cheap inside
office buildings, so are the walls. If you're having trouble with a
door or lock, push up a ceiling tile with your screwdriver and see if
the wall stops or is continuous. If it stops, you may choose to climb
over. If you're already inside an office and find a particular room
locked, climbing is always an option because walls are never continuous
between rooms. Walls are seldom continuous between business either; if
you can't get into a particular office space, try through adjacent
space.
-- Brute force. If making noise is not a serious concern, a crowbar
will pry any door open. For most situations requiring this level of
force, a sleek, miniature bar is all you need. You can also saw or
hammer your way through any interior wall. Once you've made a hole in
the sheetrock, you can practically break out the remainder of an opening
yourself using only your hands.
From the outside, windows can be broken or removed. Office
building glass is installed from the outside, so by removing the seal
and applying a suction device, you can pull the entire window out.
Breaking the glass is not too difficult, but frighteningly loud. Using
a screwdriver, push the blade between the edge and its frame and pry.
Eventually you'll have holes and cracks running across the window.
Building glass is typically double-paned; once through the exterior
layer, you'll have to break the next. Because the second layer isn't as
thick, you have the option of prying or smashing. This sounds extremely
primitive -- it is, but it may be the only method available to you.
Highly-alarmed office structures do not have the windows wired. When
there's a 5,000-port NEC NEAX 2400 in view and alarms everywhere else,
you'll break the fucking glass.
-- Alarm manipulation. Entire files could be written on this subject.
Some relevant facts will be touched on here; no MacGyver shit.
Our "typical" office building, if alarmed, has one of three types
of alarm plans. The alarm system is either externally-oriented,
internally-oriented, or both. More often than not, externally-oriented
alarm systems are encountered. These focus on keeping outside intruders
from entering the building -- interior offices are secured only by
locks. Alarm devices such as magnetic switches and motion detectors are
in place solely in lobby areas and on doors leading from outside. If
you know in advance that you can readily enter any of the offices, the
alarm is harmless. After entering, go directly into the office and look
out the window. Eventually, security or police will arrive, look
around, then reset the alarm and leave -- so long as you haven't left
any trace of your entry (damaged doors, ceiling tile fragments, etc).
Although common areas and corridors will be briefly scanned, no company
offices will be entered.
Internally-oriented alarm plans include alarms on individual
offices and are more difficult to reckon with. However, the sensors are
only on the doors; any method that avoids opening the door can still be
used.
Access controls like cardkeys are impressive in appearance but do
not automatically represent an alarm. If you open the door without
inserting a cardkey, the system must be equipped to know whether a
person entered the building or exited. Thus, only those systems with
motion detectors or a "push button to exit" sign and button can cause an
alarm at the cardkey-controlled door. Otherwise the door and cardkey
device is no more than a door with an electronic lock. There are always
exceptions to the rules, of course; never trust any alarm or access
control system. Sometimes a system will be programed to assume any
opened door is someone entering, not exiting. Check for sensors --
mounted flush on the door frame -- look carefully, they'll sometimes be
painted over. Check both sides and top of the frame. If a sensor is
found (or when in doubt) hold the door open for about ten seconds, then
wait and watch for up to an hour to see if there's a silent alarm.
For the "push button to exit" entrances, you can sometimes use a
coat hanger or electricians fish tape to push the button from outside
using cracks around the door. Where motion detectors automatically open
the entrance, similar devices can be employed to create enough commotion
to activate the detector (depending on detector type).
Disabling part of the alarm system may be a possibility during the
day. Chances are, if you can access the control CPU you've also got a
place to hide, and the control box is often alarmed against tampering
anyway. Many of the latest systems are continuously monitored from a
central station. If not, you can disconnect the alarm box from its
phone line. Your best approach however is to alter a door
sensor/magnetic switch circuit. You can use a piece of conductive hot
water duct tape to trick the sensor into thinking the door is always
closed. This tape looks like tin foil with an adhesive on one side.
Obtain a similar sensor and test at home before relying on this --
magnetic switches come in many shapes and forms. The better systems
don't even check for normally-open or normally-closed states, but for
changes in the loop's resistance. This means simply cutting or
shorting the lead wires won't suffice. But if the conductive tape won't
do, you can always just cut the leads and return in a couple days. If
the cut hasn't been repaired, then you have an entry point. Building
managers become lax with an alarm system after it's been installed for a
while and there haven't been any break-ins. Other loops are disabled
after late-working employees repeatedly off the alarm. One other option
is to cut and splice both parts of the sensor back into the loop so that
it remains unaffected by movement of the door. The throughways to
target for any of these alterations are minor side doors such as parking
garage or stairwell exits. You should be pleasantly surprised with the
results.
-- Locks and picks. (This could be another textfile in itself).
Lockpicking is an extremely useful skill for PBX appropriation but
requires quite a bit of practice. If you aren't willing to invest the
time and patience necessary to become effective with this skill,
screwdrivers are the next best thing. Furthermore, with all the
different types and brands of locks in existence, you'll never be able
to solely rely on your lockpicking skills. Acquire this ability if your
involvement in underworld activities is more than just a brief stint...
You can more readily take advantage of the skills possessed by
locksmiths. Because the offices within a typical building all use the
same brand lock with a common keying system, any of the locks can yield
the pattern for a master key to the whole system. Obtain a spare lock
from the basement, maintenance room, or anywhere extra doors and
hardware are stored, and take it to a locksmith. Request a key for that
lock and a master. Many of the offices should now be open to you.
Some keys are labeled with numbers -- if the sequence on the key
equals the number of pins in the lock, you can write down the number and
lock brand, and get a duplicate of the key cut.
There is also a little locksmithing you can do on your own. With a
#3 triangular "rat tail" file and a key blank to the brand lock you are
targeting, you can make your own key. Blanks are either aluminum or
brass and scratch easily -- this is no accident. By inserting a key
blank in the lock and moving it from side to side, you'll create
slate-colored scratch lines on the blank from the lock's pins. The
lines will indicate where to begin filing a valley -- there'll be one
for each pin. Move the file back and forth a few times and re-insert
the key to make new lines. Use the point of the file only when
beginning the valley; successive passes should not create a point at the
bottom of the cut but leave a flat gap. When no new scratch appears on
the bottom of a particular valley, don't file the valley any deeper --
it's complete. Eventually, all the valleys will be cut and you'll have
a key to open the lock.
Last but certainly not least, you can drill most locks where a
little noise can be afforded. Using a 1/4 inch Milwaukee cordless drill
with about a 1/8 inch carbide-tipped bit, you can drill a hole the
length of the lock's cylinder. Drill approximately 1/8 inch directly
above the keyhole. This destroys the lock's pins in its path, and
allows others above to fall down into the hole. Now the cylinder will
turn with any small screwdriver placed in the keyhole and open the lock.
Little practice is demanded of this technique, and it's a hell of a lot
of fun.
-- Elevator manipulation. Elevators can be stubborn at times in
rejecting your floor requests. Companies that occupy entire floors must
prevent an after-hours elevator from opening up on their unattended
office. If there's a small lock corresponding or next to that floor's
selection button, unscrew the panel and short out the two electrical
leads on the other end of the lock. Continue to short the contacts
until you press the button and it stays lit -- you'll then arrive at
your desired floor.
The elevator motor and control room is located either on the roof
or penthouse level and can be frequently found accessible. Besides
being a place to hide, sometimes you can find a bank of switches that
override the elevator's control panel (if for some reason you can't open
it or it's cardkey-controlled) and get to your floor that way. Two
people with radios are needed to do this -- one in the equipment room,
one in the elevator. Watch for high voltage and getting your coat
caught in a drive belt ...
Operation Integrity
By taking advantage of daytime access, hiding places, and some of
the more sophisticated methods, there's no need to become an alarm
connoisseur or full-blown locksmith to liberate PBX equipment. When
you can't avoid nighttime activity or an activated alarm system, then be
sure to take extra precautions. Have lookouts, two-way radios, even a
police scanner. Don't use CB radios, but rather HAM transceivers or
anything that operates on proprietary frequencies. This will require a
small investment, but there's no price on your safety.
Office buildings in downtown areas tend to be more secure than
those in the suburbs or outlying areas. Location and surroundings are
important considerations when your operation takes place at night. It
should also be noted that a building without a security guard (typically
the norm) may still subscribe to sporadic security checks where
rent-a-cops drive around the building at some regular interval.
With regard to transportation and storage, rent vehicles and
facilities in alias names where appropriate. Use taxis to pick you up
when you're departing with only a briefcase or single box of cards. No
matter what the time may be, anyone seeing you enter a taxi in front of
the office will assume you're legit.
It is our sincere wish that you apply this information to the
fullest extent in order to free yourself from becoming a mere tool of
capitalism, and use this freedom to pursue those things in life that
truly interest you. We have tried to summarize and convey enough
basic information here to provide you with a complete underground
operation possibility. All material in this file is based on actual
experience of the authors and their associates.
For information on the sale of PBX or other telecommunications
equipment, or for any other inquiry, contact the Dark Side Research
group at the following Internet address :
codec@cypher.com
***************************************************************************