Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Phreaking Voice Mail :: brkans.txt

Hacking Telephone Answering Machines




  	
Hacking Telephone Answering Machines

by Doctor Pizz and Cybersperm

******************************************************************************
DISCLAIMER: The following is for informational purposes only. All information
provided is simply to point out how easy it is to access such a system. The
author accepts no responsibility for irresponsible use of this knowledge, and
it is provided solely so people can be aware of the low security of such
systems. (Now that I'm off the hook in case you do something stupid...).
******************************************************************************

It seems that lately there is very little discussion of one of the most
simple but useful and rewarding forms of electronic information gathering,
hacking the telephone answering machine. Almost everyone has one of these
wonderful devices these days, to catch important messages while they are away
from their phones, or to screen important telephone calls. Nowadays, they
typically have the added advantage of being accessible from remote telephones,
so one needs to simply call his or her answering machine, enter their secret
code, and then either retrieve new messages, or listen to anything they had
previously recorded on the incoming messages tape, or perform any of a set of
additional functions determined by which key they press on their touch tone
phone. They also typically ignore the fact that virtually anyone else can
gain access to their messages by entering the appropriate code. Hence this is
a wonderful system to gather information from anyone without their knowledge,
especially if they are technologically illiterate.

For the most part, there are two main types of "electronic password"
used by these systems. They are amazingly simple to crack, as they are
typically only 2-digit or even 1-digit numbers!!!!!! On some machines, the
code must be entered before the outgoing message is over, on others, it must
be entered after the outgoing message, and on more sophisticated models, it
can be entered at any time.

MODERN 2-DIGIT PASSCODE SYSTEMS:

These are the most common systems in use today, typically made by
Panasonic, AT&T, etc. In these systems, the code can be entered before during
or after
the beep tone. For security reasons, we recommend BEFORE the beep tone, so
your intrusions are unnoticed... We will begin by discussing how to identify
the passcode.

Now, the question of how to hack their code. Well, this is so simple,
you don't even need a computer to do it. You can just enter all 2-digit
combinations until you get the right one (usually signalled by a series of
beeps on the other end). A relatively crude way was to enter each number in
sequence 01, 02, 03, 04,...,99. This works, but may take too long to enter
all numbers within the 20-30 second window we typically have before the beep
(The best time to play arounnd, as any tones entered after the beep will be
recorded on his incoming messages tape, and could let him know something is
up...). It is also important to stop as soon as you hit the right number, as
the additional entered numbers may be interpreted by the answering machine as
codes, and cause you to delete all their messages, or record a new greeting,
etc. That is really asking for trouble, and may cause them to try and change
their password (though it's usually only possible to choose from a range of
three consecutive numbers anyway...). Still, you need to be careful not to
let them catch on, eh?

A more sophisticated and fast way to do this is to take advantage of the
fact that such machines typically do not read two numbers at a time, and
discard them, but just look for the correct sequence, reading one at a time.
In other words, you can enter all 100 possible codes with roughly 1/2 the
number of keystrokes. Just enter as follows:

0 0 1 0 2 0 3 0 4 0 5 0 6 0 7 0 8 0 9 1 1 2 1 3 1 4 1 5 1 6 1 7 1 8 1 9,etc.

By reading in one phase we get:

0 0,1 0,2 0,3 0,4 0,5 0,6 0,7 0,8 0,9 1,1 2,1 3,1 4,1 5,1 6,1 7,1 8,1 9,etc.

In the other phase we get:

0 1,0 2,0 3,0 4,0 5,0 6,0 7,0 8,0 9,1 1,2 1,3 1,4 1,5 1,6 1,7 1,8 1,etc.

So by proceeding as follows we enter the following matrix sequentially,
encompassing all possible 2 digit numbers:

0 0 1 0 2 0 3 0 4 0 5 0 6 0 7 0 8 0 9
1 1 2 1 3 1 4 1 5 1 6 1 7 1 8 1 9
2 2 3 2 4 2 5 2 6 2 7 2 8 2 9
3 3 4 3 5 3 6 3 7 3 8 3 9
4 4 5 4 6 4 7 4 8 4 9
5 5 6 5 7 5 8 5 9
6 6 7 6 8 6 9
7 7 8 7 9
8 8 9
9 0

The last zero is important, as it completes the cycle, and allows for the code
9 0, which is the only one not as yet allowed for. I must emphasize the
importance of quitting as soon as you get the correct code, and also do not
keep going after the beep, if you are on a modern 2-digit access code system.
This way, you can record the passcode for your future reference, and prevent
detection.

Now, we shall get on to the question of how to use their system, once
you've broken in. In general, it is recommended to obtain a copy of the
owners' manual for various machines, but I have summarized some of the basics
below.

PANASONIC

Here are the codes for a Panasonic Easa-phone KX-T1450. The KX-T2420 is
identical without Room Monitor function In this case, strange things happen
when you enter 5:

1 = Back Space (Rewind the OGM tape)
2 = Skip Forward (Fast forward the OGM tape)
3 = Reset (Go back to the beginning of the OGM tape. MAY CAUSE ERASURE!!!)
4 = Memory Playback (Listen to new messages)
5 = Room Monitor (!!!! Listen to what is going on in the room NOW !!!!)
(This is only available on some models... But, try it...)
7 = OGM-REC (Record a new greeting!!!)
9 = OGM-STOP (Stop recording the new greeting)
* = OGM Skip (Don't Listen to the OGM)
0 = Turn off the machine !!!!!

To set to the answer mode remotely,
1. Dial the phone number
2. Wait 15 rings and hang up

To turn off the unit remotely (!!),
1. Dial the phone number
2. Push the code number, wait for the beep, enter 0, and hang up. Panasonic answering machino respond to the user with a series of
codes which I will now outline. If you hear something different, you may not
be on a Panasonic system.

1 long beep : This is the "beep" after which people can leave their messages.

Also, this is sounded when the correct passcode is entered from

a remote telephone. (Same sound- Hint for software developpers)
It sounds when the tape has fully rewound, and after each

message is played back in entirety.
3 short bps : This sounds after the last message has been played back.

2 short bps : (10 seconds later) You are then being recorded - marker message

6 short bps : End of the incoming message tpe

6 short bps : (Quickly) Tape Broken (either incoming or outgoing)

Also, after entering the correct code, and after the one long beep, you will
hear n additional short beeps, where n is the number of new messages since the
last time the messages were retrieved. Remember, you can listen to earlier
ones on the same tape, by additionally backspacing from the first new message.

Anyway, that is a basic summary of the Panasonic answering machine system for
this machine. Many machines unfortunately do not have the Room monitor
function, so you can not see if you left your TV on, or anything like that...
Also, not all systems are identical, but on Panasonic machines, the numbers 1-
4 are the same, so this is the most important thing for you to remember
anyway...


AT&T

On AT&T machines, like the Answering System 1304, the passcode is again a 2-
digit number enterable before, during, or after the beep. Follow the same
guidelines as above.

After you enter the correct code on these machines, the system will
automatically begin to play back new messages. This is one key way to
distinguish these machines from the Panasonic ones discussed above.

To summarize the key functions for the AT&T system, look below:

2 Rewind tape (tape rewinds for as long as this key is depressed)
3 3 Clear messages (reset the tape to the beginning.)
5 Fast Forward (tape ffwds for as long as this key is depressed)
7 Replay messages from the beginning
8 8 Turn off the answering machine
* Record a memo (After listening to messages) OR
Skip the greeting (w/o entering code)
0 Turn on the machine (after hearing two beeps)
# Pause (for 5-7 seconds)

Basically this system is less sophisticated than the Panasonic. You cannot
change the OGM remotely (Damn!). As seen above, the codes are also quite
different, but fortunately they are easily distinguished by how they answer
after the security code is entered. The AT&T plays the messages, while the
Panasonic just beeps to tell you how many new messages are waiting. Here
also, the rewind and fast forward functions operate for the length of time you
depress the 2 and 5 keys respectively. On the Panasonic, they reewind or fast
forward for 15 seconds. Also, this system has a pause feature. By entering
the # sign, you can pause for a few seconds while listening to a message. One
extra safety (from your perspective...) feature is that on this system you
cannot erase messages until they have all played back, so you have less risk
of fucking up someone's system if it is an AT&T. You cannot change his
greeting, and it is difficult to accidentally erase his messages. If you wish
to do so, however, you must hit the 3 key twice after listening to the
messages in their entirety. To record a memo (why would you want to do
this???), you can press the * key after you hear 5 beeps (after listening to
the messages). Then begin to record. Also, the * key can be used before the
message is finished to skip listening to the OGM (useful for long distance
callers who are actually paying for the calls...) without the need for
entering a security code. To turn on the system from remote points, you need
to let it ring ten times, and after it answers with 2 "beeps", hit the 0 key.
It will subsequently be on. Similarly to turn it off, just enter 88. If the
machine answers the phone with no greeting, and just 2 beeps, it means the
tape is full. You can now enter the security code (without risk of them
recording the BEEPS!!!) and listen away for a long time!!! Basically, this
sums up the properties of the two most common systems I've encountered of the
2-digit passcode variety.SINGLE DIGIT PASSCODE MACHINES:

On some old model Panasonic and Phone Mate systems, the secret entry
passcode is only a one digit number(!!!). On these primitive systems, one
merely enters the correct number, during the message, and playback begins.
The other codes are simple to derive, and just for the sake of making this
hobby a sport, I will not give details for these systems. It is easy enough
to figure them out, and on these systems, it is hard to screw things up, as
there is little you can do anyway.

APPLICATIONS:

This can be a rewarding adventure if you decide to follow those
instructions (though far be it from me to suggest you to do this...). I will
point out some of the potentially entertaining, useful, and/or informative
applications of this technology.

As the true weirdos that we are, we shall begin with what we consider
the truly entertaining applications... If you have ever read the Village
Voice, Screw or other such newspaper, you will notice a large number of
advertisements for "unlicensed massage parlors", "Oriental relaxation spas",
"Escort services", etc. Call some of those numbers, preferrably at off-duty
hours (6-9 AM??) and try to hack their answering machine codes, listen to
their messages, and let the fun begin. You can hear lots of perverts, and
lowlifes making appointments for "services" about which they are sometimes
graphic. Also, they often leave telephone and credit card numbers (What
fun!!!). In case they are married, think of the blackmail potential...

Further, these "adult entertainment companies" also often run help
wanted ads in the Village Voice, and other such publications. Call these, and
you will get a plethora of phone numbers for nubile young women who might
believe you are the proprietor of the establishment in question. You might be
able to con some "free samples" as a sort of "job interview"... (hehehe)
Especially given the illegal activity they desire to become involved in, they
will be in no position to complain when they find out you are not for real...
Also, this way, the girls are often not so jaded as the old pros... They will
be trying to impress you if you get my drift, so you'll "hire" them.

Other similar companies can be hacked to get similar entertaining and
enjoyable results. In many cases, the outcomes can be QUITE LUCRATIVE in one
way or another... I do not advocate that you do these things, but I just want
to point out what COULD be done...

Let us move on to the informative espionnage type of application of this
technology. One could very easily use this technology to listen to the
messages of friends, and see what they are up to. If you are trying to call
your buddy Evan, and he isn't home, perhaps you can find out where he is by
going through some of his old answering messages. Say, Eric called him a
couple of hours ago and suggested that Evan come over to his place for some
beers. Well, you could then call Eric and voila, you may connect with Evan.

Now, let us assume you have a girlfriend, and you suspect she might be
cheating on you, yet you do not wish to confront her about it without any
evidence, or certainty of her cheating. Well, her new beau probably thinks
her answering machine is secure, and calls leaving messages about their
upcoming dates, or various discussions of their relationship. If you can hack
her machine {actually, you might even look at the bottom (where the passcode
is usually printed...) to save time and energy.} you will be afforded with a
plethora of potentially incriminating evidence. Hehehe.

A similar application can be when you have a new love interest. Suppose
there is some woman you are interested in, but you aren't sure if she is
available. A little phone answering machine surveillance can provide all of
the answers, and then some... In case she asks her friends about you, you'll
know everything she does. Also, you will learn details about her life, and
schedule, the better to run into her "accidentally", or strike up a
conversation about "common" interests...

Now, if you know someone in the same profession, say musicians, and you
call his answering machine, and hear someone offering him a gig. You could
call that person back, and accept the gig in your name, saying the originally
called musician was unavailable, but suggested that you call. Then be sure to
erase the original message on your buddy's machine. He'll never be the wiser,
and you'll get more work. Though he may wonder why he isn't getting much work
anymore...

Millions of applications exist, and if you have any additional
suggestions, please leave them with us. We can be reached on several BBS'es,
in 212, 718, and 914 area codes. Thanks. Also, if you have information on
other answering machine systems, please pass it along...

Again, in closing, we reiterate that the authors take no responsibility
for the misuse of this information. The ideas for applications were presented
for informational and entertainment purposes only, and we do not encourage you
to try any of the above suggestions. Remember, listening to the pass-code
protected messages of others constitutes an invasion of privacy, and may be in
violation of state and federal laws.

******************************************************************************

ANOTHER FINE PIZZ-SPERM T-FILE...

Please upload this file to other fine BBS'es, and give credit to the original
authors, Doctor Pizz and Cybersperm, of the TUBA crew.

******************************************************************************

***************************************************************
* *
* Another Fine File From the libraries of the TUBA crew. *
* *
***************************************************************

____ _______ *
/ \ ___ ___ ____ ___ ___ / / ___ ___
/ // // / / // / /______/ / / /
/ // // / / //-< / / / /
/_____//__//__ / /__// / / / /__ /__

-N-

CCCC Y Y BBB EEEE RRR SSSS PPP EEEE RRR M M
C Y Y B B E R R S P P E R R MM MM
C Y BBB EEE RRR SSSS PPP EEE RRR M M M
C Y B B E R R S P E R R M M M
CCCC Y BBB EEEE R R SSSS P EEEE R R M M M


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH