boottrax@csd4.milw.wisc.edu (Perry Victor Lea) (01/21/89)
Question: How is phase shifting actually involved in communications
between the mobile unit and the switching office?

Question: Is it possible to access cellular setup channels and place a
fraudulent call with a ham radio?

Thanks for your help ..

Perry
Reply here on this newsgroup or e-mail to boottrax@csd4.milw.wisc.edu (arpanet)
ron@ron.rutgers.edu (Ron Natalie) (01/25/89)
> Question: Is it possible to access cellular setup channels and place
> fraudulent call with a ham radio?

Technically no, because a radio operating on the appropriate frequencies
would not be an amateur radio. The term "ham radio" is a synonym for
amateur radio, a radio service regulated by the FCC that allows radio
enthusiasts to construct and operate their own radios. The modes of
operation and frequencies in use are well defined by the commission's
rules. Use of the term to mean any person building his own radios (for
degenerate purposes) is like the bastardization of the term hacker.
Please avoid doing it.

It is by far easier to defraud the phone company by modifying a
legitimate cellular telephone. The thing already does most of the work
(the radio part and most of the dialing). All you have to do is hack the
ROMs a bit to make them operate with phony IDs.

-Ron

[Moderator's Note: It is far easier to go to the penitentiary that way
also. Remind me to search my files for the newspaper story of the fellow
here in Chicago last year who was convicted of operating a 'reprogramming
for profit' cellular phone 'repair shop'. When IBT security
representatives, Chicago police and FCC personnel raided his place, they
found not only cellular phones being liberated from billing constraints.
It seems the dude was also into freeking CB radios; getting them
broadbanded and oscillating in the ten meter band. Six months in the
custody of the Attorney General or his authorized representative followed
by two years federal probation is not my idea of how to spend my summer
vacation. P. Townson]
dave@rutgers.edu (Dave Levenson) (01/25/89)
In article <telecom-v09i0024m04@vector.UUCP>, boottrax@csd4.milw.wisc.edu (Perry Victor Lea) writes:

> Question: Is it possible to access cellular setup channels and place
> fraudulent call with a ham radio?

It is probably possible to place a fraudulent radio telephone call from
an amateur radio station, but it's easier (and just as illegal) to use a
cellular telephone set.

When a valid call-attempt is made, the cellular telephone set transmits
its phone number and its serial number (an electronic PIN), as well as
the number dialed by the user. The local cellular carrier is supposed to
validate the combination. A cellular telephone user who fiddles with the
PROMs or other administerable memory can probably impersonate a valid
subscriber. It may be high tech, but it's functionally equivalent to
stealing and using another telephone subscriber's calling card number.

--
Dave Levenson                  Westmark, Inc.
The Man in the Mooney          Warren, NJ USA
{rutgers | att}!westmark!dave
tim@Athena.UUCP (Tim Dawson) (01/26/89)
>X-TELECOM-Digest: volume 9, issue 24, message 4
>
>Question: How is phase shifting actually involved in communications
>between the mobile unit and the switching office ?
>
>Question: Is it possible to access cellular setup channels and place
>fraudulent call with a ham radio?
>
>Thanks for your help ..
>
>Perry
>
>Reply here on this newsgroup or e-mail to boottrax@csd4.milw.wisc.edu (arpanet)

To answer your questions as best as possible:

1) The "Phase Shifting" you refer to is in all probability referring to
the modulation of the RF going from the mobile to the cell site (I forget
the actual emission designators) and is similar to FM. Typically
communications from the cell site to the cellular switching office are
via T-1 PCM carrier systems.

2) Extremely improbable. For the why, first let me describe the scenario
of a mobile to land call set up.

a) User enters phone number and hits send.

b) Mobile listens to data stream on signalling channel, and checks
busy/idle bits to see if another mobile has the channel in use. If idle,
mobile sends request containing mobile Electronic Serial Number
(manufactured into the radio), the mobile's phone number, and the called
number.

c) System receives request and sends data burst back to mobile confirming
that request is received, and assigning a voice channel.

d) Mobile changes frequency to voice channel, verifies SAT (sub-audible
tone used to verify that mobile has reached correct channel) and returns
same SAT to cell site. Mobile also verifies DCC (Digital Color Code -
like SAT but in digital domain) to confirm channel. Mobile unmutes audio
and call setup proceeds through switch. At this point, all progress
tones, etc. heard from the mobile are coming from the land office, not
the mobile switch.

e) Call is now in progress. While call is up, cell sites constantly are
scanning mobile signal strength. If it dips below threshold for a certain
(variable from system to system) number of scans, a handoff request is
made. Adjacent cells scan the mobile, and if signal is ABOVE threshold,
the system initiates handoff. A request is sent digitally to the mobile
to mute audio, and change to the new frequency (also sent). The mobile
mutes, changes frequency, verifies SAT and DCC on the new channel and
unmutes (all in about 50 ms or so, typically). This handoff is generally
inaudible to the user, but is what makes using cellular with modems a
pain - no audio/data can be sent during this handoff.

f) For call termination, mobile sends disconnect request to switch, and
all facilities are idled.

As can be seen, this is not a trivial process. The primary problem with
trying to defraud a mobile system is that you have to know a valid
mobile's Electronic Serial Number/Mobile Number combination or the system
will deny service. You also have to be able to transmit and receive 9600
baud FSK (to the best of my memory - my spec isn't handy) to the system
in order to determine what voice channel assignment has been made. And
you have to do it FAST! Most all call setup items described above must
occur within very closely defined time windows, or the system will fail
the call.

Also, as soon as the guy who gets stuck with the bill bitches, they will
most likely change his mobile number, or start tracing the calls and can
determine who is the fraudulent user based on who is being called quite
easily. This is one of the big pluses of cellular telephony - if somebody
steals a phone, their ESN can be denied nationally, and they can't use
it. It is not impossible to change the ESN in a phone, but it is
extremely difficult since it is manufactured physically into the unit,
and is not generally documented by the manufacturer in public-domain
documents for security reasons. So what you would end up doing is
basically redesigning a cellular mobile, and I seriously doubt whether
many people have the skill and knowledge to even come close to being
able to do so.

Also, with the security provisions in cellular systems, even if you could
manage the hardware, the system software would still make it highly
unlikely that you could use it.

--
================================================================================
Tim Dawson (...!killer!mcsd!Athena!tim)   Motorola Computer Systems, Dallas, TX.
"The opinions expressed above do not reflect those of my employer - often even
I cannot figure out what I am talking about."
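Added example, written for this edit and not taken from the thread or from any poster's code: a small Python model of the carrier-side checks that Dave Levenson's and Tim Dawson's posts describe, namely validating the ESN/mobile-number combination sent at call setup, denying a stolen ESN nationally, and keeping the call records that a trace of "who is being called" relies on once a subscriber disputes a bill. The subscriber table, cell names and call attempts are constructed sample data. The simultaneous-use check (the same ESN/MIN pair active in two cells at once) is my own illustration of how a carrier could spot a cloned unit and goes beyond what the posts state; no real switch message formats or setup timing windows are modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class CallAttempt:
    """One access request on the signalling channel (constructed sample data)."""
    min_number: str   # Mobile Identification Number: the mobile's phone number
    esn: str          # Electronic Serial Number manufactured into the radio
    dialed: str       # number the user dialed
    cell: str         # cell site that received the request


@dataclass
class Switch:
    """Toy model of the carrier-side validation (hypothetical; not a real MSC)."""
    subscribers: Dict[str, str]                         # MIN -> ESN on file
    denied_esns: Set[str] = field(default_factory=set)  # national ESN denial list
    active: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (MIN, ESN) -> cell
    flagged: Set[str] = field(default_factory=set)      # MINs needing investigation
    call_log: List[Tuple[str, str, str]] = field(default_factory=list)  # (MIN, dialed, cell)

    def validate(self, a: CallAttempt) -> Tuple[bool, str]:
        # 1. A stolen or fraud-linked ESN is denied no matter which MIN it sends.
        if a.esn in self.denied_esns:
            return False, "ESN denied"
        # 2. The MIN must belong to a known subscriber...
        expected = self.subscribers.get(a.min_number)
        if expected is None:
            return False, "unknown MIN"
        # 3. ...and the ESN/MIN combination must match what the carrier has on file.
        if expected != a.esn:
            return False, "ESN/MIN mismatch"
        # 4. Illustration (not from the posts): the same pair already on a call
        #    in a different cell cannot be one radio, so treat it as a clone sign.
        key = (a.min_number, a.esn)
        other_cell = self.active.get(key)
        if other_cell is not None and other_cell != a.cell:
            self.flagged.add(a.min_number)
            return False, f"pair already active in {other_cell}; flagged"
        # Passed: assign the (simulated) voice channel and record the call.
        self.active[key] = a.cell
        self.call_log.append((a.min_number, a.dialed, a.cell))
        return True, "voice channel assigned"

    def release(self, a: CallAttempt) -> None:
        """Disconnect request: idle the facilities held by this pair."""
        self.active.pop((a.min_number, a.esn), None)

    def numbers_called_by(self, min_number: str) -> List[str]:
        """Call-record trace used when a subscriber disputes the bill."""
        return sorted({d for m, d, _ in self.call_log if m == min_number})


def run_demo() -> List[Tuple[bool, str]]:
    """Drive the model with constructed attempts; returns each verdict in order."""
    sw = Switch(
        subscribers={"4145551234": "ESN-A1", "4145559876": "ESN-B2", "4145550000": "ESN-C3"},
        denied_esns={"ESN-C3"},  # reported stolen: denied even though the pair is on file
    )
    good = CallAttempt("4145551234", "ESN-A1", "3125550100", "cell-1")
    results = [
        sw.validate(good),                                                          # accepted
        sw.validate(CallAttempt("4145551234", "ESN-ZZ", "3125550100", "cell-1")),  # wrong ESN
        sw.validate(CallAttempt("4145550000", "ESN-C3", "3125550100", "cell-1")),  # denied ESN
        sw.validate(CallAttempt("4145551234", "ESN-A1", "2125550199", "cell-7")),  # clone sign
    ]
    sw.release(good)  # the legitimate user hangs up (disconnect request)
    # Same pair, new cell, no longer active elsewhere: an ordinary second call.
    results.append(sw.validate(CallAttempt("4145551234", "ESN-A1", "2125550199", "cell-7")))
    return results


if __name__ == "__main__":
    for ok, reason in run_demo():
        print("ACCEPT" if ok else "DENY  ", reason)
```

The order of the checks matters: the denial list is consulted before the pair lookup so that a stolen unit whose ESN/MIN pair is still perfectly consistent is refused anyway, which is the "denied nationally" property the post describes.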
boottrax@csd4.milw.wisc.edu (Perry Victor Lea) (01/27/89)
You mentioned that there are set guidelines to the frequencies that
cellular phone services are allowed to use; however, when I had been
futzing with my police scanner I had been able to hear cellular phone
conversations. I am familiar with the laws that allow anyone to be able
to listen to radio waves via radio sets. But why would they allow phone
conversations to be set in these bands where anyone with a police scanner
can eavesdrop?

boottrax@csd4.milw.wisc.edu
dave@uunet.UU.NET (Dave Horsfall) (01/27/89)
In article <telecom-v09i0024m04@vector.UUCP>, boottrax@csd4.milw.wisc.edu (Perry Victor Lea) writes:
|
| Question: Is it possible to access cellular setup channels and place
| fraudulent call with a ham radio?

Unlikely - amateur radio equipment doesn't cover the 800MHz cellular
band without heavy modification. Then you'd have to spoof the ESNs etc.

--
Dave Horsfall (VK2KFU), Alcatel-STC Australia, dave@stcns3.stc.oz
dave%stcns3.stc.oz.AU@uunet.UU.NET, ...munnari!stcns3.stc.oz.AU!dave
PCs haven't changed computing history - merely repeated it
rsj@gatech.edu (Randy Jarrett WA4MEI) (01/28/89)
In article <telecom-v09i0024m04@vector.UUCP> boottrax@csd4.milw.wisc.edu (Perry Victor Lea) writes:
>X-TELECOM-Digest: volume 9, issue 24, message 4
>
>Question: How is phase shifting actually involved in communications between
>the mobile unit and the switching office ?
>
>Question: Is it possible to access cellular setup channels and place a
>fraudulent call with a ham radio?
>
>Thanks for your help ..
>
>Perry

I can't be much help in answering your first question but I would like
to say something about your second question.

There are authorized Amateur Radio (ham) frequencies that are near to the
cellular phone channels, but the equipment required to access cellular
telephone services is very specialized and very different from ham radio
equipment. It is probably not possible for a ham to use his equipment to
access the cellular services, but it would be possible for anyone with
the proper knowledge to make changes to cellular phone equipment and make
it look (respond with the proper digital codes) like someone else's.

So I guess that the bottom line is that no, it is not possible to access
cellular channels and place fraudulent calls with ham radio.

--
Randy Jarrett  WA4MEI
UUCP  ...!gatech!wa4mei!rsj  | US SNAIL: P.O. Box 941217
PHONE +1 404 493 9017        |           Atlanta, GA 30341-0217
ron@ron.rutgers.edu (Ron Natalie) (02/01/89)
Because the EPCA is a crock, that's why. Just because they pass a law
doesn't mean people will stop doing it. Actually, in all likelihood if
you are probing the police bands what you probably detected is the cheapo
cordless phone frequencies in the 46 and 49 MHz range. Real cellular
calls are in the 800 MHz range. Very few scanners actually cover this. A
few have had this range specifically blanked out (like the Radio Shack,
but it's just a matter of pulling a diode out to get them back).

You don't even need a scanner, just tune an old UHF TV set up to
Channel 81-83.

-Ron

[Moderator's Note: An old UHF TV with those channels won't work as well
as one of the radios which play television audio only. In this country
you can buy them for the VHF channels, but I believe they are illegal per
FCC rules where UHF is concerned. A company in Toronto makes the kind
which cover the UHF band, and specifically covering channels 80-83 or
thereabouts. But their mail order advertising clearly states 'not for
sale in the United States. We cannot fill orders to the USA'. They were
selling them here like hotcakes for awhile, until Uncle Sugar put the
heat on the Canadian government to help enforce FCC rules down here. PT]
boottrax@csd4.milw.wisc.edu (Perry Victor Lea) (02/02/89)
In article <telecom-v09i0040m04@vector.UUCP> ron@ron.rutgers.edu (Ron Natalie) writes:
>X-TELECOM-Digest: volume 9, issue 40, message 4
>
>Because the EPCA is a crock, that's why. Just because they pass a law
>doesn't mean people will stop doing it. Actually, in all likelihood
>if you are probing the police bands what you probably detected is the
>cheapo cordless phone frequencies in the 46 and 49 MHz range. Real
>Cellular calls are in the 800 MHz range. Very few scanners actually
>cover this. A few have had this range specifically blanked out (like
>the Radio Shack, but it's just a matter of pulling a diode out to
>get them back).
>

Actually, when I picked up phone conversations over the police scanner,
before the call was initiated I heard a series of tones, beeps, and
rings. The call was made and I heard the conversations. I know it was
from mobile phones; nothing can convince me otherwise. I know all this
since particular conversations said that they were in their car, or
wherever.

If this is all true, then there is a possible danger that these tones
could be recorded and broadcast over the same bandwidth with a little
electronic experience and high-quality recording equipment. That can't
be right; that would be too simple.
ron@ron.rutgers.edu (Ron Natalie) (02/02/89)
> [Moderator's Note: An old UHF TV with those channels won't work as well as
> one of the radios which play television audio only. In this country you
> can buy them for the VHF channels, but I believe they are illegal per FCC
> rules where UHF is concerned.

This comment tacked on to my posting is wrong. Those radios usually have
the same piece of crap receiver for the audio that most TVs have.
Receivers covering that band are not illegal. The main reason is that it
is expensive to add the expanded UHF feature to these cheap radios.
However, many manufacturers shy away from putting the cellular bands in
their radios now, either fearing law suits or because they are
manufacturers of cellular equipment.

Calling the EPCA an FCC rule is a bit inaccurate. It's congressional
tomfoolery.

POSTER'S NOTE: It would be much nicer if Pat had something that it would
be enclosed as a separate "message" in the digest rather than tacking on
comments to other people's messages.

[Moderator's Note: Your suggestion is well taken. It is not the 'piece of
crap audio' that matters so much as it is that the circuitry in
televisions is different than the circuitry in radios. Yes, EPCA is one
thing, and FCC rules are another. The telcos have repeatedly complained
to the FCC about people listening to cellular phone calls. PT]
davef@brspyr1.brs.com (Dave Fiske) (02/02/89)
In article <telecom-v09i0034m01@vector.UUCP>, boottrax@csd4.milw.wisc.edu (Perry Victor Lea) writes:
>
> You mentioned that there are set guidelines to the frequencies that
> cellular phone services are allowed to use, however; when I had been
> futzing with my police scanner I had been able to hear cellular phone

Chances are you were hearing conversations being made with a CORDLESS
phone, as opposed to cellular. The cordless phones use frequencies in the
40-50 MHz range, which most scanners cover.

> conversations. I am familiar with the laws that allow anyone to be able
> to listen to radio waves via radio sets. But why would they allow
> phone conversations to be set in these bands where anyone with a police
> scanner can eavesdrop?

There was a court case which decided the issue of privacy of cordless
phone conversations. These guys were arrested, having been overheard by
police arranging a drug deal using a cordless phone. Their attorney
argued that this constituted eavesdropping by the police, but the judge
ruled that they should have known they could be overheard. Cordless phone
conversations are not considered confidential.

Since this case, there has been a bit more publicity and manufacturers'
warnings about the lack of privacy when using cordless phones.

When I lived in an apartment complex, I was setting up the frequencies
for my scanner, and found someone talking on the phone once. (I don't
recall the precise frequencies right now, but all you have to do is look
in the descriptions of the cordless phones in the Radio Shack catalog.)
Once in a while I would check to see if anybody was talking on the phone,
but most of the time it was just teenagers chatting, until, inevitably,
one of them would say they were coming right over to the other's
apartment. If they had done that first, they could have saved a phone
call!

In reality, most people's phone calls are pretty boring, so the novelty
of listening in wears off quickly, and this is probably as effective as
any regulation would be in keeping eavesdropping to a minimum. :^)

Also, keep in mind that it hasn't been all that long since people had
party lines, where eavesdropping is as simple as lifting the receiver.

--
"FLYING ELEPHANTS DROP COW         Dave Fiske (davef@brspyr1.BRS.COM)
 PIES ON HORRIFIED CROWD!"         Home: David_A_Fiske@cup.portal.com
Headline from Weekly World News    CIS: 75415,163   GEnie: davef
woolsey@nsc.NSC.COM (Jeff Woolsey) (02/02/89)
In article <telecom-v09i0040m04@vector.UUCP> ron@ron.rutgers.edu (Ron Natalie) writes:
>You don't even need a scanner, just tune an old UHF TV set up to
>Channel 81-83.

>[Moderator's Note: An old UHF TV with those channels won't work as
>well as one of the radios which play television audio only. In this
>country you can buy them for the VHF channels, but I believe they are
>illegal per FCC rules where UHF is concerned. A company in Toronto
>makes the kind which cover the UHF band, and specifically covering
>channels 80-83 or thereabouts.

I have an old Pioneer TVX-9500 TV Sound Tuner that gets those channels.
At first I didn't know what I was listening to up there, but it was
interesting. This same tuner also gets NOAA weather stations when
channels 7, 8, 9, and 10 are all selected at the same time.

--
When it comes to humility, I'm the greatest.  -- Bullwinkle J. Moose
Jeff Woolsey   woolsey@nsc.NSC.COM  -or-  woolsey@umn-cs.cs.umn.EDU
judice%kyoa.DEC@decwrl.dec.com (L Judice / 201-562-4103 / DTN 323-4103) (02/02/89)
In regards to the writer who found mobile telephone calls in the VHF-HI
band, these are probably IMTS calls (Improved Mobile Telephone Service,
the precursor to cellular). IMTS operates in the 152 MHz band, and I
believe in one or two UHF and VHF-LO bands.

/ljj
tim@Athena.UUCP (Tim Dawson) (02/08/89)
In article <telecom-v09i0041m02@vector.UUCP> boottrax@csd4.milw.wisc.edu (Perry Victor Lea) writes:
> Actually, when I picked up phone conversations over the police scanner
>before the call was initiated I heard a series of tones, beeps, and rings.
>The call was made and I heard the conversations. I know it was from mobile
>phones, nothing can convince me otherwise. I know all this since particular
>conversations said that they were in their car, or wherever.

What you undoubtedly heard was a call placed on an IMTS mobile phone
system (the predecessor to cellular) which used a lot of in-band tones
for signalling and runs typically in the 150 MHz or 400 MHz bands along
with the police. IMTS call set up in no way resembles cellular call set
up, and probably would be easier to defraud, but I cannot say
specifically since the details of IMTS setup are not something that I am
intimately familiar with.

--
================================================================================
Tim Dawson (...!killer!mcsd!Athena!tim)   Motorola Computer Systems, Dallas, TX.
"The opinions expressed above do not reflect those of my employer - often even
I cannot figure out what I am talking about."