Named for the color of the first one found in 1961, blueboxing was the name
given to the first automated toll fraud technique to be employed by U.S. “phone
phreaks.” Author Ron Rosenbaum gave critical mass to the budding movement in
October 1971 through a sensational article in Esquire magazine that attracted the
attention of other hobbyists, including Steve Wozniak and Steve Jobs (who for a
short time produced and sold a blue box of their own before moving on to found
Apple Computer). Prior to that point, independent phreaks who would later form
the Internet hacking community consisted of a handful of disconnected hobbyists
that had independently stumbled onto the fact that sending a 2600 Hertz tone
down a long-distance trunk of that era (i.e., one using in-band ITU-T 5 signaling)
would terminate the call, then seize a trunk for reuse once the tone was removed,
allowing free long-distance calling and more. Ironically, the movement might
never have started save for a tiny whistle included in boxes of Cap’n Crunch cereal
during the 1960s that could reproduce a perfect 2600 Hertz tone.
Starring in the Esquire article were John Draper (known as “Cap’n Crunch”
and technical mentor to Steve Wozniak and hundreds of other phreakers), Joe
Engressia (a.k.a. “Joybubbles,” the most prominent of a group of blind
phreakers—and one who could whistle a 2600 Hertz tone thanks to perfect
pitch), and Mark Bernay (another pseudonym for “The Midnight Skulker,” a tireless
missionary of phreaking who spread the word to hundreds along the West
Coast but has never been publicly identified to this day). Within a few years, the
community had amassed an enormous knowledge of the phone network and
gathered regularly over voice conferences to share that knowledge.
Further growth and sophistication followed the advent of the personal computer,
the modem-based Bulletin-Board Service (BBS), dedicated hack/phreak magazines
like 2600 and Phrack, and annual conferences like DefCon, each founded in the
early 1980s by the phreaking community.
At its height, the phreaking community had developed dozens of specialized
electronic gizmos designed to defeat PSTN billing or security mechanisms.
Here are the most commonly used “colored boxes” of that era:
■ Black Box—applies extra voltage to the line to enable free incoming
calls (billing equipment thinks the phone was never answered,
though it does look to the CO like someone was ringing the line for
a long time).
■ Beige Box—Lineman’s handset for eavesdropping and all blueboxing
functionality.
■ Blue Box—2600 Hz tone generator with full Multi-Frequency Code
(MFC) generator to generate dialing strings used by an operator.
MFC is like Dual Tone Multi-Frequency (DTMF, a.k.a. “Touch-Tones”)
but uses different frequencies and includes several keys (codes) not
available to DTMF.
■ Red Box—Generates tones corresponding to those used by AT&T’s
Automated Coin Toll System (ACTS) payphones that send specific
tones used when a coin is accepted (still works in many areas).
■ Gold Box—Placed across two phone lines to allow call out on the
other line when one is dialed (makes tracing more difficult).
Among the most notorious phreakers was Kevin Poulsen, who in 1990
decided that he wanted the Porsche 944 S2 being given away by KIIS-FM in Los
Angeles to the 102nd caller on a particular Friday. Taking control of the radio station’s
25 trunks through Pacific Bell’s maintenance system, he blocked out all
calls but his own (a stunt he’s suspected of repeating to block calls into the
Unsolved Mysteries tip line after he was profiled for other cybercrimes, though in
the end it wasn’t enough to prevent his arrest). Kevin apparently became the first
person banned by the U.S. Government from using the Internet (a sentence also
imposed on notorious hacker Kevin Mitnick, who was skilled in PSTN manipulation
as well).
Today the in-band Channel Associated Signaling (CAS) analog switching
equipment loved by phreakers has been replaced by digital switching with out-of-band
Common Channel Interface Signaling (CCIS) in most of the world, and a given
instance of toll fraud is more likely to occur by other means (typically through an
enterprise PBX or voicemail system) and with less risk to the perpetrator.
Electromechanical automated switching equipment first appeared in 1891 following
Almon Strowger’s patented Step by Step (SXS) system, although Bell System
resistance to it would postpone its adoption for decades. The classic rotary dial phone
was another Strowger invention that was finally adopted by the Bell System in 1919
along with SXS switches. Yet it would take until 1938 for Western Electric (the
equipment R&D arm of the Bell system) to develop a superior automatic switching
system, namely the crossbar switch. And not until the 1950s did Bell Labs embark on
a computer-controlled switch project, but the 101 ESS PBX that resulted in 1963
was only partially digital. Also introduced that year was the T1 circuit and Touch
Tones, the Dual-Tone Multi-Frequency (DTMF) dialing scheme that is still with us
today. Despite the fact that switching itself was analog, digital T1 circuits quickly
replaced analog backbone toll circuits and most analog CO interconnect trunks. By
1965 Bell had released the first central office switch with computerized stored
Saturday, March 29, 2008
Blueboxing and the Original Phone Phreaks