On the topic of phreaking, does anyone know if modern condo entryphone systems are vulnerable? The fact that pressing a button on my phone unlocks the front door to the building makes me wonder how it could possibly not be vulnerable to having the right pitches played, but I would hope that the dangers of in-band signalling have been widely understood for long enough that systems would be protected...
I realise the thread is phone phreaking related and that was kind of the point of your post; but in the spirit of the talk below to think more outside the box...
This is a good related talk - goes outside the box on all the ways you can often get into commercial buildings without picking (or even in many cases, interacting with) the lock
"The Search for the Perfect Door" by Deviant Ollam
https://www.youtube.com/watch?v=4YYvBLAF4T8
I would be shocked if there are not vulnerabilities in the form of default codes and factory resets. As far as phreaking there's probably something to it. The fact that my building's call box picks up when I dial the front door number seems like a bad sign.
The building next to mine has what appears to be an Android tablet as the keypad, I can only imagine the vulnerabilities there.
I assume this is one of those systems where a potential entrant types a code, and the system calls a pre-provided number for the occupant of the unit who provided the code to the entrant?
The common denominator on the PSTN is listening for inband DTMF within a G.711 "encoded" stream.
The "security" in this system is the condo entry phone device dialing out to the PSTN (via some mechanism) to the destination number, which is routed via SS7 to the proper owner.
This security mechanism is somewhat similar to those used by two-factor systems that send SMS via SS7 to destination numbers. It's not without fault, there have been many demonstrated attacks against the SS7 network.
Sorry, I should have specified more. This is a "potential entrant selects the person they're trying to visit; system phones the pre-programmed number for that occupant; occupant talks to the visitor and presses a button to let them in". In my building, I have to press 6 to make the door unlock.
Could a visitor play a very loud "touchtone phone 6" into the microphone and make the system think that the occupant pressed that number?
That would require the audio signal to be a single channel, right? That, or the resident's phone would have to be very loud. I'm not sure, but I think phones operate on a dual channel (tx/rx) setup, which is what allows all participants to talk simultaneously.
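The in-band mechanism the last few comments are debating, as an added example that is not from the thread, from any poster, or from any entryphone vendor: a G.711 mu-law codec plus a Goertzel DTMF detector, which is the generic pattern for hearing a keypress inside a voice stream on the PSTN. The final function models the scenario under discussion (visitor plays a loud "6" into the lobby microphone while the occupant stays silent) in both the case where the detector only taps a separate receive path and the case where near-end audio leaks into what it hears. Sample rate, window length, thresholds, the constructed line noise and the leak-in model are all assumptions, not measurements of any real box.

```python
"""Goertzel DTMF detection on a G.711 mu-law stream.

Added example for this thread, not code from any product or poster.
Sample rate, window length and thresholds are typical DTMF-decoder
values chosen here as assumptions, not the settings of a real entryphone.
"""
import math
import random

FS = 8000                        # G.711 sample rate
N = 205                          # Goertzel window, ~25.6 ms (common DTMF choice)
ROWS = (697, 770, 852, 941)      # DTMF low group (Hz)
COLS = (1209, 1336, 1477, 1633)  # DTMF high group (Hz)
KEYS = ("123A", "456B", "789C", "*0#D")
MIN_AMP = 300                    # assumed level floor, 16-bit units (~ -40 dBFS)
MAX_TWIST = 8.0                  # assumed: winner must beat runner-up 8x in power
BIAS, CLIP = 0x84, 32635         # G.711 mu-law constants


def ulaw_encode(sample):
    """Encode one 16-bit linear PCM sample as a G.711 mu-law byte."""
    sign = 0x80 if sample < 0 else 0
    sample = min(abs(sample), CLIP) + BIAS
    exponent, mask = 7, 0x4000
    while exponent > 0 and not sample & mask:   # find the segment
        exponent -= 1
        mask >>= 1
    mantissa = (sample >> (exponent + 3)) & 0x0F
    return ~(sign | (exponent << 4) | mantissa) & 0xFF


def ulaw_decode(byte):
    """Decode a G.711 mu-law byte back to 16-bit linear PCM."""
    byte = ~byte & 0xFF
    sign, exponent, mantissa = byte & 0x80, (byte >> 4) & 0x07, byte & 0x0F
    sample = (((mantissa << 3) + BIAS) << exponent) - BIAS
    return -sample if sign else sample


def over_g711(pcm):
    """Send PCM through a mu-law encode/decode cycle, as the PSTN leg would."""
    return [ulaw_decode(ulaw_encode(s)) for s in pcm]


def goertzel_power(samples, freq):
    """|X[k]|^2 of `samples` at the Goertzel bin nearest `freq`."""
    n = len(samples)
    k = round(n * freq / FS)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_dtmf(pcm):
    """Return the DTMF key in one window of PCM, or None.

    Two checks a real decoder makes: a minimum tone level, and a 'twist'
    test that the winning row/column bin clearly beats the runner-up.
    """
    window = pcm[:N]

    def winner(freqs):
        ranked = sorted(((goertzel_power(window, f), f) for f in freqs), reverse=True)
        (p1, f1), (p2, _) = ranked[0], ranked[1]
        amplitude = 2.0 * math.sqrt(p1) / N      # ~ peak amplitude of that tone
        return f1 if amplitude >= MIN_AMP and p1 >= MAX_TWIST * p2 else None

    row, col = winner(ROWS), winner(COLS)
    if row is None or col is None:
        return None
    return KEYS[ROWS.index(row)][COLS.index(col)]


def dtmf_tone(key, amp=8000, n=N):
    """Constructed input: n samples of the two-tone pair for `key`."""
    r = next(i for i, keys in enumerate(KEYS) if key in keys)
    c = KEYS[r].index(key)
    return [int(amp * (math.sin(2 * math.pi * ROWS[r] * t / FS)
                       + math.sin(2 * math.pi * COLS[c] * t / FS)))
            for t in range(n)]


def visitor_tone_reaches_detector(near_end_leaks_in):
    """Constructed scenario, not a real product: the occupant is silent and
    the visitor plays a loud '6' into the lobby microphone.

    The box's detector taps the audio it receives from the occupant's side.
    Modelling assumption: on a separate receive path that stream carries no
    lobby audio; if near-end audio leaks into it (a shared 2-wire analogue
    pair, line or acoustic echo, or a box that taps the mixed audio) the
    detector sees the tone. Which case applies is the thread's open question.
    """
    rng = random.Random(1)
    far_end = [rng.randint(-200, 200) for _ in range(N)]   # constructed line noise
    near_end = dtmf_tone("6")
    heard = [f + (v if near_end_leaks_in else 0) for f, v in zip(far_end, near_end)]
    return detect_dtmf(over_g711(heard))


if __name__ == "__main__":
    print("occupant presses 6:", detect_dtmf(over_g711(dtmf_tone("6"))))
    print("visitor tone, separate receive path:", visitor_tone_reaches_detector(False))
    print("visitor tone leaks into receive path:", visitor_tone_reaches_detector(True))
```

Run it directly to see the three cases. The level and twist checks are the whole of what a decoder asks: any tone pair that clears the floor and dominates its row and column bins is a digit, so the question of whether a lobby tone can open the door reduces to whether lobby audio ever shares a path with the audio the detector taps, which is a property of the wiring and the box, not of the codec.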
To be clear, it uses a similar mechanism to 2FA messages to place the call but there is only one authentication factor in this case.
My question is what kind of trouble can I cause by calling the inbound number from my call box? It picks up so presumably it is listening to something.
Also, how is the physical security of these devices? Are they managed from the keypad or is the control inside the building in a secure area? How does the FD get in?
This is essentially trainspotting for telephony nerds. Most of this hobby is exploring and mapping telephone exchanges just by dialing random numbers and listening, and sometimes discovering interesting unlisted phone numbers. The jargon mostly refers to identifying telephony switching equipment based on dialing a lot of phone numbers in a given area code, then listening for the subtle audio clues that hint at the type of switching used by that exchange. Look up Step-by-Step switches on YouTube to see what old-timey telephone exchange equipment was like.
I very much enjoy the "Dom Tuffy" series (though I highly recommend all of Mr. Doorbell's recordings; his voice is pleasing, and hearing how it has changed over his life is amusing, if nothing else).
The August 2001 tapes in Nantes, Quebec are especially poignant to me. I grew up in a rural small town that had the analog phone switch replaced with a digital switch (a DMS-10) in the late 1980s. A couple of other little towns around still had analog switches into the early 90s. I "played around" with them a little bit but really didn't understand the technology. Now I wish I'd had more time with them.
Phreakers were/are telephone system hackers. Back in the day it was possible to hack telephone systems using simple electronics and some technical knowledge. The page being linked to seems to go into some of the history of phone phreaking.
Incidentally, the following clip contains the most impressive demonstration of phreaking I've ever seen, showing a blind phreaker with perfect pitch called Joe Engressia who was able to hack the phone system just by whistling:
A fair amount of the hacker culture of the 80s and early 90s (hacker in terms of what the common perception of a hacker is) seems to owe its debt to the trail blazed by phreakers.
My understanding is that this guy was a telephone "phreaker" (hacker enthusiast) and I gather he traveled a lot and would use pay phones and record them as he did.
The "tapes" are him narrating over these old tapes many years later explaining what he was doing. Much of it is him dialing various numbers and listening to the beeps/boops/kachunks and explaining exactly what is happening technically to route the call.