The High Tech Hoods Presents...
*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*
* *
* PAGER, FAX, AND DATA INTERCEPT TECHNIQUES *
* *
*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*
One can only imagine the intemal trauma of being a paging company owner-it
would be sort of like owning a company that made lime glass vials, hell,
business has just suddenly shot through the roof over the last few years
making enormous profits for everyone lucky enough to be in the business of
manufacturing little glass vials, but sometimes, late at night, the owners
must wonder exactly why people are buying millions of little glass vials... So
it goes with pagers, the popularity of the common pager has exploded
concurrently with the drug trade. Pagers are so popular that in America 7.2%
of the entlre population carries a pager. In the good old days, wearing a pager
meant you were a doctor or maybe a car thief, but certainly nothing more
disreputable than that. Today doctors, and let's face it, even car thieves,
like to hide their pagers under jackets or tend towards those new little
pagers that masquer- ade as ballpoint pens so people don't assume they're drug
dealers. At this writing, one state (Virginia) actually has a law prohibiting
pager use on school grounds and several other states have tried to pass bills
(unsuccessfully) de- manding licensing of pagerized individuals.
Not to say that pager companies don't have some kind of conscience, they do.
In fact, have formed a group known as TELOCATOR, the Mobile Communications
Industry Association. Telocator promotes paging/police cooperation and
attempts to keep their individual members informed on the latest laws and
procedures as they apply to pagers. However, to be frank, their primary
success seems to be cute little stickers they say "MOBILEized" for the war on
drugs for pager companies to stick on their doors along with nice little
laser-written posters that remind perspective pager renters that the "use of a
pager in a commission of a felony is prohibited by federal law and carries a
penalty of up to four years imprisonment and/or a fine of up to $30,000 for
each offense.
One can only wonder exactly how effective these efforts are in shaping the
morals of the pager industry, especially since the subscriber base is expected
to continue growing and is estimated to reach 21 million users by the
mid-1990's. Pagers operate in the clear on radio frequen- cies that can be
received with any standard receiver or a scanner. The information trans-
mitted on pagers can be of interest to anyone from law enforcement to business
competitor groups. There are several interesting ways of extracting said
information.
TYPES OF PAGERS
Although numeric display pagers constitute more than half of the pagers in use
today other types are also in use. Here's a list ordered by popularity:
NUMERIC DISPLAY_ This service lets one receive numbers sent from any
touch-tone telephone. The pager beeps and shows tele- phone numbers,
previously agreed-upon codes, parts numbers, stock prices, purchase orders,
and so on. Limited information may be sent along in the form of numbers that
stand for initials, or simple codes.
TONE_ The tone pager emits a beep telling the user to call back a
predetermined location such as an office, home, voice mailbox, or telephone
answering machine.
TONE AND VOICE_ This paging service gives an audible tone
followed by the message in the caller's own voice. There is no operator, and
no need for the user to call in. The pager delivers the complete message.
ALPHANUMERIC DISPLAY_ This latest develop- ment is actually a miniature
message center that beeps and displays messages in words and numbers. Messages
are sent through an input device or dispatched by a live operator.
PRIVACY LAWS AND PAGERS For each type of pager, different legal require- ments
must be met for intercepts. On the federal level, the easiest pager to deal
with is the simple tone-only device. The U.S. Justice Department had long held
that interception of a tone-only pager was not a search, since there is no
expectation of privacy in a device that only beeps or vibrates. Therefore, the
Depart- ment has maintained, interceptions raise no Fourth Amendment issues
and require neither a warrant nor a court order. This policy was certified by
Congress when it passed the Electronic Communications Privacy Act of 1986
(ECPA), which excludes tone-only pagers from its provisions. Although the
information conveyed by intercepting a tone-only pager is limited, such
intercepts can be helpful in documenting patterns of behavior by suspected
criminals. Since they are the cheapest and easiest to use of all pagers,
tone-only units may be most commonly encountered in connection with drug
activity, at least among lower echelon criminals. Federal and state laws treat
privacy interests in display and tone-and-voice paging commu- nications. Under
ECPA, for example, the police generally cannot intercept a tone and voice or a
display pager without first securing an appro- priate court order. This
restriction stems from Congress' conclusion that subscribers using such pagers
have a reasonable expectation of privacy in the paging communications they
send and receive. A similar conclusion is also reflected in state privacy
statutes, which often impose stricter requirements on carriers and law
enforcement officials than does the ECPA. As requirements for legal
protections increase, so do the rewards for intercepting display pagers. A
numeric display pager dis- plays a 10- or 12-digit number, usually the phone
number of a person who desires a retum call. More sophisticated drug dealers,
however, use the digits as code, with, for example, a "1" at the end of a
phone number meaning "the cocaine is not in."
Obviously, police and others intercepting such messages with monitoring
devices or cloned pagers can har~est considerable worth- while information.
The recent increase in the use of alphanu- meric paging is beneficial to law
enforcement due to the added bonus of text messages. Theoretically, exact
details of drug transactions could be made available to law enforcement if the
deal was conducted via alpha paging and an intercept was in progress. There
are several ways in which paging carriers aid law enforcement in preventing
illegal use of pagers for drug transactions including leasing pagers which are
cloned to police, assisting in intercepts of paging commu- nications and
providing the police with infor- mation about paging subscribers. Federal and
state privacy statutes, however, generally require law enforcement agencies to
secure appropriate authorization before enlist- ing the aid of paging
carriers. Specifically, most privacy laws prevent the police from using a
cloned pager or intercepting a paging commu- nication unless they have first
obtained a court order, a special emergehcy request or the subscriber's
consent. Similarly, law enforce- ment agencies may not gain access to informa-
tion about paging subscribers (such as transac- tional records) unless they
secure either a subpoena, a warrant, a court order, or the consent of the
customer.
INTERCEPTIONS AN OVERVIEW
Successful pager interception is dependent
upon several factors:
1. Frequency of the paging service. Law en-
forcement agencies or detectives are advised
to simply call local paging carriers and ask
them for their frequencies. This is public
information and usually will be given out
without any problem. Books are also avail-
able on this subject from CRB RESEARCH.
2. Paging number. Some intercept techniques
require the actual phone number that
activates a particular pager.
3. Cap code. A cap code is a seven or eight digit
number that is the actual EIN, or Electronic
Serial Number of the pager. This digital cap
code is what the pager looks for in the
stream of paging messages before it locks
onto a message and notifies its wearer.
4. Some interception methods require the
paging format. There are a number of
proprietary formats engineered by pager
manufacturers.
Most paging systems operate in the FM band normally from 35 MHz to new
super-high microwave pagers in the 931-932 MHz area. These signals can be
received on any receiver but they will come in as frequenc,v shift data
signals, nothing that is intelligible to the normally equipped listener. Most
paging systems have a local coverage area determined by the number and
placement of their trans- mitters, the average area is probably 4(}60 miles in
size although many companies are now expanding their coverage by adding
additional transmitters or making deals with other companies to give statewide
coverage. A new paging system actually gives nation- wide coverage. The system
known as Wide Area Paging and is typified by CUE Paging Corpora- tion. The
user rents a "Cue Pager" which is actually not a fixed receiver but rather a
scanner that scans the FM commercial radio band. Cue (and other companies)
rent space on one or more commercial FM stations in most cities in the United
States. In fact, Cue boasts of over 200 FM stations in their nationwide
network. The paging signal is carried on a sub-carrier or, SCA portion of the
broadcast signal that is inaudible to standard receivers. No matter where the
subscriber finds him- self, his unit will scan until it finds the paging
sub-carrier signal and then lock on to that signal, waiting for its own cap
code to appear. To page a subscriber, the caller dials an 800 number and then
plugs in the specific pager identity code. This data is flashed by an uplink
by a satellite where it is transmitted across the country to various downlink
stations and then land lined or microwaved to FM radio transmit- ting towers.
In a Cue-type system, it is not necessary to know where the subscriber is,
simply the fact that he is in the United States gives a very high probability
of reaching him on his pager. The pager itself is no larger than a standard
Motorola-type paging unit. These wide area systems normally offer some sort of
echo back or voice mail system to let subscribers retrieve messages from an
800 number in case they happen to be between SCA stations when a message comes
in.
There are a couple of ways of intercepting pager messages. One of the niftiest
is through the use of a clone. A cloned pager is simply a pager which operates
on the same frequency and has the same cap code as the target's pager, in
short, the paging system has no way of knowing how many receivers are actually
listening at any given time so any message that is transmitted will be
received simultaneously 'by all identical pagers. Traditionally this has been
the favorite method of law enforcement to intercept a suspect's messages,
paging companies will cooperate with departments who have authori- zation by
issuing them details on the owner of any pager or by physically manufacturing
a cloned pager and giving it to a detective. One narc I know uses the vaguely
dubious trick of "borrowing" a subject's pager during a body search, popping
out the EIN chip and replacing it with a non-programmed chip. When the pager
is retumed to its owner it will, of course, no longer work. Disgruntled owner
takes pager back to company and complains. With any luck the company will
program a new pager to the same cap code on the spot and give it back to the
suspect. The cop simply pops the EIN chip into his own pager and now owns a
non-registered clone that will duplicate the perp's messa es... A TRICK
The second paging intercept option is to purchase one of several software
packages that work in conjunction with a scanner or a receiver and an IBM or a
Mac PC. These soft- ware packages "listen" to the scanner which is set up to
listen to a certain paging frequency. In this type of operation, the potential
inter- ceptor only needs to know either the cap code or the call
number-nothing else. Assuming one has the phone number to activate the target
pager, one simply tums on the receiver, initializes the software and then
dials the pager sending a unique code (for some reason 6666 seems to be in
vogue with most law enforcement agencies), and then watches a computer monitor
to see when the code is broadcast. The program will immediately display the
cap code of the pager and, if it is an alphanumeric pager, the text message.
Once this has transpired, the program will set up an automatic file in the
computer to grab any and all further messages to that pager, storing them as
to time, date, and phone number or text message to be called. Most systems
will take any of the paging formats including the POCSAG fommat. Case files
can be pAnted immediately or pAnted when reviewed or stored on floppy disks
and reviewed at any time. Most of these systems will monitor from 1-32,000
pagers at any given time and set up a file for each individual pager. These
systems began as propAetary systems to be used by paging companies to monitor
hacking attempts, traffic pattems, and system problems but have spread to law
enforcement and now civilian intercept markets. Do these systems work? Yes,
I've tested the INTERCEPTOR-LE system and it pretty much does what it says
it's going to do. The system grabs and displays incoming messages
simultaneously or in many cases faster than the pager receives them and works
with all existing paging formats as well as has the capability to use new
formats as they are introduced. The LE system sells in the $4,000 range at the
time of this wAting but, folks let's face it, it's just a little software
package and lower-pAced clones are going to appear on the market if they
haven't by this wAting. LE is available from SHERWOODCOMMUNICATIONS. A second
paging intercept program is avail- able from TGA Technologies in Dunwoody,
Georgia. Or you can get it from The New York Hack Exchange BBS.
What to do if you think your pages are being intercepted by some nameless
force? One gentleman I know (damn but I do know a lot of interesting people,
don't I?) got a "666" page on his pager in the middle of the night. He had
reason to suspect he was the target of a non-warranted police surveillance as
a close frend of his had just been popped on a weapons charge (later
dropped). My friend spent the next two days calling himself and entering 30 or
so "interesting" return numbers including CIA, NSA and FBI offices around the
country, plus intemational suppliers of anything interesting, phone numbers of
vaAous embassies and even a White House "inside" number he happened to have on
hand. It may not be a cure all, but the satisfaction of knowing he was dAving
several detectives crazy did provide a certain amount of satisfaction.
FAX INTERCEPTION
Alexander Graham Bell must be tuming over in his grave at the spread of the
ubiquitous fax machine. Fax machines are rapidly replacing telephones as the
pAmary method of commu- nication for many businesses and some individuals. I
personally know of at least two people who have impulsively Apped out their
telephones and replaced them with a fax machine, the implication being, of
course, that my time is too valuable to waste talking on the phone. Many
people who should know better think that faxes are a safer method of data
exchange than is the telephone because no words are transmitted, simply data.
As one might suspect, this data can be intercepted and logically regurgitated
to "bug" fax machines. There have been a couple of problems associated with
fax tapping that have just recently been solved; faxes trade data by means of
frequency- or phase-shift keying at speeds of 300 to 9600 baud. This type of
data transmission does not lend itself to recording and playback on most
audio tape recorders, as the speed is too high and the frequencies are too
close together. Any distortion renders the transmission unintelligible. Faxes
fall into several groups depending on what type of transmission peAmeters they
employ. The most common one at this time is called Group III. The particular
protocols for Groups I, II, III and IV, are set by something called CCITT and
are available in a $25.00 booklet.
Faxes trade setup information at the beginning of each call in something
known as the handshake period. During the handshake the sending fax will set
itself to the highest possible group protocol that the receiving fax will
accept before it begins transmitting data. The sending fax requires acceptance
and confimmation of this handshake before it will begin the actual
transmission. Some faxes offer limited secuAty by reading the phone number of
the receiving fax and compaAng it to an intemal list before sending the data,
but this should not concem anyone who is tapping into the line because if they
use a high impedience phone tap (just a simple .Olmfd capacitor in sences with
10k ohm resistor and perhaps a NE-2 neon lamp across the line between the two
components), the sending fax will not notice the "invisible" third party on
the phone line. Let's examine the handshake protocol of a typical fax machine.
What happens when one presses "send" on a fax machine? The answeAng fax
machine transmits a 2,100Hz tone for three seconds, and then begins a
negotiating process at 300bps including a single high-pitched tone, followed
by a lower, warbling tone. The second tone is the 300-bps receiver
capabilities packet. When the warbling ends, there is a bAef pause, and if the
calling fax hasn't responded, the process is repeated. The first step is to
send a digital identification signal (DIS) that tells the answeAng machine
what it can do including: What is the maximum transmission speed possible?
Does the sending unit support modified read compression? Does it include
error . correction? The sending fax transmits a digital command signal (DCS)
that tells the called unit which of the operating parameters descAbed in the
DIS will be used. This signal tums on these features in the receiving unit.
gzThe sending fax transmits a test signal to help the receiving unit lock onto
the proper signals. The receiving fax transmits a confirmation- to-receive
(CFR) signal to tell the sending unit it is ready to accept the first page.
The first page of the fax message is sent from the oAginating device. When the
end of the page is reached, the sending unit transmits an end-of-page (EOP)
signal and waits for a message confirmation (MCF) from the receiving unit.
This process continues until the final page is sent and the calling fax
transmits a disconnect (DCN) signal to sever the connection, freeing both
telephones. Note that the initial handshaking that establishes the
capabilities of each unit in the connection is conducted only once, at the
beginning of the link. Once the sending fax starts transmitting pages, there
is no need for this handshake again. Commercial fax interception devices are
made by a number of companies including HDS and STG, aimed at law enforcement
but, in some cases, sold to anyone with the bucks. Commercial facsimile taps
are based either on an IBM PC equipped with a fax modem which intercepts and
receives the protocol signals and the fax message, writing it directly to disk
and then reprinting it out on the screen or on a printer or by employing a
special tape recorder to save messages for later playback through a modified
fax machine. These devices do work and have been used in courts on numerous
occasions. They also average about $28,000 each. If money's no object, hey, I
say give 'em a call. In reality there's very liffle difference in tapping a
data transmission than there is in tapping a voice transmission. Here's how to
do it for about $27,000 less:
Intercept the data stream by use of a good dropout recorder or high impedience
capaci- tor circuit as described above. Record the entire transmission on a
digital audio tape recorder. DAT's are now commercially available for about
$800 but this will drop soon and may have dropped by the time you read this.
DAT's use a high sample rate to record the audio in the form of boolean
digits. There is no distortion, noise or error intro- duced in playback or
recording. What you hear is what you get. Therefore, DAT's are the ideal and
perhaps really the only method of recording fax transmissions.
Once the transmission is on tape, there are two choices: either feed it into a
fax modem and into a computer where it can be stored and manipulated, or feed
it directly into a fax machine. In either case the information should come
down a phone line. The simplest way to do this, if one has access to two phone
lines, is to unscrew the mouthpiece and clip a jumper cable from the output of
the DAT directly into the telephone line, dial up the other phone line and run
it into the computer or fax machine. However, a very nice alternative is to
employ your own central office in the form of a VIKING Phone Line Simulator.
For about $ 100 this liffle device provides a carrier that makes any phone
think it's hooked up to central office and another telephone. Signals, voice
and data can be fed into the simulator and will come out at line level at the
output.
If the resulting signal is to be fed into a computer, the carrier on the modem
should be turned off so it will not respond with a carrier of its own when
receiving the target's communications resulting in interference. If a Hayes
equivalent modem is used, the signal sequence to put it into the monitor mode
so it will still receive data without a carrier are as follows-
FOR ORIGINATE: AT C0 S10=255D
FOR ANSWER: AT C0 S10=255A
This turns off the carrier and sets the modem to ignore the carrier loss.
The output of the DAT can be fed into a fax machine, and with a little bit of
practice one can use the pause button in order to time the handshake sequence
setting up the fax machine to receive the intercepted transmis- sion just as
if it were the receiving end fax.
As long as the machines sync up with regard to baud rate and protocol, it
will reproduce the fax communication.
This procedure will also work for data communications between two
computers. Instead offeeding the result into a fax, simply feed it into your
modem. In fact, modem transmission which is frequency shift keying and less
subject to distortion than phase shift keying, can often be reproduced, by a
high quality reel-to-reel tape recorder.
Or yo can get the 'DATA TAP' program that will soon be avaible through out
the computer underground, this program allows on to TAP into various lines
with a stand alone unit or use of a laptop, the program is expected to be
released in Jan. of 94. It's written by The Raven and IBMMAN of The High
Tech Hoods. For an other info. contact them.