The High Tech Hoods Presents...



               *&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*
               *                                           *
               * PAGER, FAX, AND DATA INTERCEPT TECHNIQUES *
               *                                           *
               *&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*

One can only imagine the internal trauma of being a paging company owner. It
would be sort of like owning a company that made little glass vials: hell,
business has just suddenly shot through the roof over the last few years,
making enormous profits for everyone lucky enough to be in the business of
manufacturing little glass vials, but sometimes, late at night, the owners
must wonder exactly why people are buying millions of little glass vials... So
it goes with pagers: the popularity of the common pager has exploded
concurrently with the drug trade. Pagers are so popular that in America 7.2%
of the entire population carries a pager. In the good old days, wearing a pager
meant you were a doctor or maybe a car thief, but certainly nothing more
disreputable than that. Today doctors, and let's face it, even car thieves,
like to hide their pagers under jackets or tend towards those new little
pagers that masquerade as ballpoint pens so people don't assume they're drug
dealers. At this writing, one state (Virginia) actually has a law prohibiting
pager use on school grounds and several other states have tried
(unsuccessfully) to pass bills demanding licensing of pagerized individuals.

Not to say that pager companies don't have some kind of conscience; they do.
In fact, they have formed a group known as TELOCATOR, the Mobile
Communications Industry Association. Telocator promotes paging/police
cooperation and attempts to keep its individual members informed on the
latest laws and procedures as they apply to pagers. However, to be frank,
their primary success seems to be cute little stickers that say "MOBILEized"
for the war on drugs, for pager companies to stick on their doors, along with
nice little laser-written posters that remind prospective pager renters that
the "use of a pager in a commission of a felony is prohibited by federal law
and carries a penalty of up to four years imprisonment and/or a fine of up to
$30,000 for each offense."

One can only wonder exactly how effective these efforts are in shaping the
morals of the pager industry, especially since the subscriber base is expected
to continue growing and is estimated to reach 21 million users by the
mid-1990's. Pagers operate in the clear on radio frequencies that can be
received with any standard receiver or a scanner. The information transmitted
on pagers can be of interest to anyone from law enforcement to business
competitor groups. There are several interesting ways of extracting said
information.

TYPES OF PAGERS
Although numeric display pagers constitute more than half of the pagers in use
today, other types are also in use. Here's a list ordered by popularity:

NUMERIC DISPLAY: This service lets one receive numbers sent from any
touch-tone telephone. The pager beeps and shows telephone numbers,
previously agreed-upon codes, parts numbers, stock prices, purchase orders,
and so on. Limited information may be sent along in the form of numbers that
stand for initials, or simple codes.

TONE: The tone pager emits a beep telling the user to call back a
predetermined location such as an office, home, voice mailbox, or telephone
answering machine.

TONE AND VOICE: This paging service gives an audible tone followed by the
message in the caller's own voice. There is no operator, and no need for the
user to call in. The pager delivers the complete message.

ALPHANUMERIC DISPLAY: This latest development is actually a miniature
message center that beeps and displays messages in words and numbers. Messages
are sent through an input device or dispatched by a live operator.

PRIVACY LAWS AND PAGERS
For each type of pager, different legal requirements must be met for
intercepts. On the federal level, the easiest pager to deal with is the simple
tone-only device. The U.S. Justice Department had long held that interception
of a tone-only pager was not a search, since there is no expectation of
privacy in a device that only beeps or vibrates. Therefore, the Department has
maintained, interceptions raise no Fourth Amendment issues and require neither
a warrant nor a court order. This policy was certified by Congress when it
passed the Electronic Communications Privacy Act of 1986 (ECPA), which
excludes tone-only pagers from its provisions. Although the information
conveyed by intercepting a tone-only pager is limited, such intercepts can be
helpful in documenting patterns of behavior by suspected criminals. Since they
are the cheapest and easiest to use of all pagers, tone-only units may be most
commonly encountered in connection with drug activity, at least among lower
echelon criminals.

Federal and state laws treat privacy interests in display and tone-and-voice
paging communications. Under ECPA, for example, the police generally cannot
intercept a tone and voice or a display pager without first securing an
appropriate court order. This restriction stems from Congress' conclusion that
subscribers using such pagers have a reasonable expectation of privacy in the
paging communications they send and receive. A similar conclusion is also
reflected in state privacy statutes, which often impose stricter requirements
on carriers and law enforcement officials than does the ECPA. As requirements
for legal protections increase, so do the rewards for intercepting display
pagers. A numeric display pager displays a 10- or 12-digit number, usually the
phone number of a person who desires a return call. More sophisticated drug
dealers, however, use the digits as code, with, for example, a "1" at the end
of a phone number meaning "the cocaine is not in."

Obviously, police and others intercepting such messages with monitoring
devices or cloned pagers can harvest considerable worthwhile information.
The recent increase in the use of alphanumeric paging is beneficial to law
enforcement due to the added bonus of text messages. Theoretically, exact
details of drug transactions could be made available to law enforcement if the
deal was conducted via alpha paging and an intercept was in progress. There
are several ways in which paging carriers aid law enforcement in preventing
illegal use of pagers for drug transactions, including leasing pagers which
are cloned to police, assisting in intercepts of paging communications and
providing the police with information about paging subscribers. Federal and
state privacy statutes, however, generally require law enforcement agencies to
secure appropriate authorization before enlisting the aid of paging carriers.
Specifically, most privacy laws prevent the police from using a cloned pager
or intercepting a paging communication unless they have first obtained a court
order, a special emergency request or the subscriber's consent. Similarly, law
enforcement agencies may not gain access to information about paging
subscribers (such as transactional records) unless they secure either a
subpoena, a warrant, a court order, or the consent of the customer.

INTERCEPTIONS: AN OVERVIEW
Successful pager interception is dependent upon several factors:

1. Frequency of the paging service. Law enforcement agencies or detectives
   are advised to simply call local paging carriers and ask them for their
   frequencies. This is public information and usually will be given out
   without any problem. Books are also available on this subject from CRB
   RESEARCH.

2. Paging number. Some intercept techniques require the actual phone number
   that activates a particular pager.

3. Cap code. A cap code is a seven or eight digit number that is the actual
   EIN, or Electronic Serial Number of the pager. This digital cap code is
   what the pager looks for in the stream of paging messages before it locks
   onto a message and notifies its wearer.

4. Some interception methods require the paging format. There are a number of
   proprietary formats engineered by pager manufacturers.

Most paging systems operate in the FM band, normally from 35 MHz up to the new
super-high microwave pagers in the 931-932 MHz area. These signals can be
received on any receiver but they will come in as frequency shift data
signals, nothing that is intelligible to the normally equipped listener. Most
paging systems have a local coverage area determined by the number and
placement of their transmitters. The average area is probably 40-60 miles in
size, although many companies are now expanding their coverage by adding
additional transmitters or making deals with other companies to give statewide
coverage.

A new paging system actually gives nationwide coverage. The system is known as
Wide Area Paging and is typified by CUE Paging Corporation. The user rents a
"Cue Pager" which is actually not a fixed receiver but rather a scanner that
scans the FM commercial radio band. Cue (and other companies) rent space on
one or more commercial FM stations in most cities in the United States. In
fact, Cue boasts of over 200 FM stations in their nationwide network. The
paging signal is carried on a sub-carrier, or SCA, portion of the broadcast
signal that is inaudible to standard receivers. No matter where the subscriber
finds himself, his unit will scan until it finds the paging sub-carrier signal
and then lock on to that signal, waiting for its own cap code to appear. To
page a subscriber, the caller dials an 800 number and then plugs in the
specific pager identity code. This data is flashed by an uplink to a
satellite, from where it is transmitted across the country to various downlink
stations and then land lined or microwaved to FM radio transmitting towers.
In a Cue-type system, it is not necessary to know where the subscriber is;
simply the fact that he is in the United States gives a very high probability
of reaching him on his pager. The pager itself is no larger than a standard
Motorola-type paging unit. These wide area systems normally offer some sort of
echo back or voice mail system to let subscribers retrieve messages from an
800 number in case they happen to be between SCA stations when a message comes
in.

There are a couple of ways of intercepting pager messages. One of the niftiest
is through the use of a clone. A cloned pager is simply a pager which operates
on the same frequency and has the same cap code as the target's pager. In
short, the paging system has no way of knowing how many receivers are actually
listening at any given time, so any message that is transmitted will be
received simultaneously by all identical pagers. Traditionally this has been
the favorite method of law enforcement to intercept a suspect's messages;
paging companies will cooperate with departments who have authorization by
issuing them details on the owner of any pager or by physically manufacturing
a cloned pager and giving it to a detective. One narc I know uses the vaguely
dubious trick of "borrowing" a subject's pager during a body search, popping
out the EIN chip and replacing it with a non-programmed chip. When the pager
is returned to its owner it will, of course, no longer work. Disgruntled owner
takes pager back to company and complains. With any luck the company will
program a new pager to the same cap code on the spot and give it back to the
suspect. The cop simply pops the EIN chip into his own pager and now owns a
non-registered clone that will duplicate the perp's messages... A TRICK

The second paging intercept option is to purchase one of several software
packages that work in conjunction with a scanner or a receiver and an IBM or a
Mac PC. These software packages "listen" to the scanner, which is set up to
listen to a certain paging frequency. In this type of operation, the potential
interceptor only needs to know either the cap code or the call number, nothing
else. Assuming one has the phone number to activate the target pager, one
simply turns on the receiver, initializes the software and then dials the
pager sending a unique code (for some reason 6666 seems to be in vogue with
most law enforcement agencies), and then watches a computer monitor to see
when the code is broadcast. The program will immediately display the cap code
of the pager and, if it is an alphanumeric pager, the text message. Once this
has transpired, the program will set up an automatic file in the computer to
grab any and all further messages to that pager, storing them as to time,
date, and phone number or text message to be called. Most systems will take
any of the paging formats including the POCSAG format. Case files can be
printed immediately or printed when reviewed or stored on floppy disks and
reviewed at any time. Most of these systems will monitor from 1-32,000 pagers
at any given time and set up a file for each individual pager. These systems
began as proprietary systems to be used by paging companies to monitor hacking
attempts, traffic patterns, and system problems but have spread to law
enforcement and now civilian intercept markets.

Do these systems work? Yes, I've tested the INTERCEPTOR-LE system and it
pretty much does what it says it's going to do. The system grabs and displays
incoming messages simultaneously or in many cases faster than the pager
receives them and works with all existing paging formats as well as has the
capability to use new formats as they are introduced. The LE system sells in
the $4,000 range at the time of this writing but, folks, let's face it, it's
just a little software package and lower-priced clones are going to appear on
the market if they haven't by this writing. LE is available from SHERWOOD
COMMUNICATIONS. A second paging intercept program is available from TGA
Technologies in Dunwoody, Georgia. Or you can get it from The New York Hack
Exchange BBS.

What to do if you think your pages are being intercepted by some nameless
force? One gentleman I know (damn but I do know a lot of interesting people,
don't I?) got a "666" page on his pager in the middle of the night. He had
reason to suspect he was the target of a non-warranted police surveillance as
a close friend of his had just been popped on a weapons charge (later
dropped). My friend spent the next two days calling himself and entering 30 or
so "interesting" return numbers including CIA, NSA and FBI offices around the
country, plus international suppliers of anything interesting, phone numbers of
various embassies and even a White House "inside" number he happened to have on
hand. It may not be a cure all, but the satisfaction of knowing he was driving
several detectives crazy did provide a certain amount of satisfaction.

FAX INTERCEPTION
Alexander Graham Bell must be turning over in his grave at the spread of the
ubiquitous fax machine. Fax machines are rapidly replacing telephones as the
primary method of communication for many businesses and some individuals. I
personally know of at least two people who have impulsively ripped out their
telephones and replaced them with a fax machine, the implication being, of
course, that my time is too valuable to waste talking on the phone. Many
people who should know better think that faxes are a safer method of data
exchange than is the telephone because no words are transmitted, simply data.
As one might suspect, this data can be intercepted and logically regurgitated
to "bug" fax machines. There have been a couple of problems associated with
fax tapping that have just recently been solved: faxes trade data by means of
frequency- or phase-shift keying at speeds of 300 to 9600 baud. This type of
data transmission does not lend itself to recording and playback on most
audio tape recorders, as the speed is too high and the frequencies are too
close together. Any distortion renders the transmission unintelligible. Faxes
fall into several groups depending on what type of transmission parameters they
employ. The most common one at this time is called Group III. The particular
protocols for Groups I, II, III and IV are set by something called CCITT and
are available in a $25.00 booklet.

Faxes trade setup information at the beginning of each call in something
known as the handshake period. During the handshake the sending fax will set
itself to the highest possible group protocol that the receiving fax will
accept before it begins transmitting data. The sending fax requires acceptance
and confirmation of this handshake before it will begin the actual
transmission. Some faxes offer limited security by reading the phone number of
the receiving fax and comparing it to an internal list before sending the data,
but this should not concern anyone who is tapping into the line because if they
use a high impedance phone tap (just a simple .01 mfd capacitor in series with
a 10k ohm resistor and perhaps a NE-2 neon lamp across the line between the two
components), the sending fax will not notice the "invisible" third party on
the phone line.

Let's examine the handshake protocol of a typical fax machine. What happens
when one presses "send" on a fax machine? The answering fax machine transmits
a 2,100 Hz tone for three seconds, and then begins a negotiating process at
300 bps including a single high-pitched tone, followed by a lower, warbling
tone. The second tone is the 300-bps receiver capabilities packet. When the
warbling ends, there is a brief pause, and if the calling fax hasn't
responded, the process is repeated. The first step is to send a digital
identification signal (DIS) that tells the answering machine what it can do
including: What is the maximum transmission speed possible? Does the sending
unit support modified read compression? Does it include error correction? The
sending fax transmits a digital command signal (DCS) that tells the called
unit which of the operating parameters described in the DIS will be used. This
signal turns on these features in the receiving unit.
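
The signal order described above and in the next paragraph, written as a
session-trace checker of the kind used to audit fax logs for pages that were
sent but never confirmed. This is an added example, not part of the original
file: the trace format and all function names are assumptions, and the CED,
TCF and MPS names and the side that sends each signal follow ITU-T T.30.

```python
# Added example (not from the original file): validate the order of fax
# handshake and page-transfer signals in a session trace.
# Assumptions: the (side, signal) trace format and all names below are
# hypothetical; CED, TCF and MPS are ITU-T T.30 names the text does not use.

CALLED, CALLER = "called", "caller"   # answering fax / sending fax

# state -> {(side, signal): next state}
TRANSITIONS = {
    "start":          {(CALLED, "CED"): "answered"},       # 2,100 Hz answer tone
    "answered":       {(CALLED, "DIS"): "offered"},        # capabilities packet
    "offered":        {(CALLED, "DIS"): "offered",         # repeated until answered
                       (CALLER, "DCS"): "selected"},       # parameters chosen
    "selected":       {(CALLER, "TCF"): "trained"},        # the "test signal"
    "trained":        {(CALLED, "CFR"): "ready"},          # ready for a page
    "ready":          {(CALLER, "PAGE"): "page_sent"},
    "page_sent":      {(CALLER, "MPS"): "await_mcf_more",  # more pages follow
                       (CALLER, "EOP"): "await_mcf_last"}, # final page
    "await_mcf_more": {(CALLED, "MCF"): "ready"},
    "await_mcf_last": {(CALLED, "MCF"): "confirmed"},
    "confirmed":      {(CALLER, "DCN"): "done"},
}


def check_session(trace):
    """Walk a list of (side, signal) events and report ordering problems."""
    state = "start"
    pages_sent = pages_confirmed = 0
    problems = []
    for index, (side, signal) in enumerate(trace):
        next_state = TRANSITIONS.get(state, {}).get((side, signal))
        if next_state is None:
            # Unexpected event: record it and keep the current state so the
            # rest of the trace is still checked against what should follow.
            problems.append(
                f"event {index}: {side} {signal} unexpected in state {state!r}")
            continue
        if signal == "PAGE":
            pages_sent += 1
        elif signal == "MCF":
            pages_confirmed += 1
        state = next_state
    if state != "done":
        problems.append(f"session ended in state {state!r}, not after DCN")
    return {
        "complete": not problems,
        "pages_sent": pages_sent,
        "pages_confirmed": pages_confirmed,
        "problems": problems,
    }


# Constructed sample traces, not captured from real equipment.
GOOD_TRACE = [
    (CALLED, "CED"), (CALLED, "DIS"), (CALLED, "DIS"), (CALLER, "DCS"),
    (CALLER, "TCF"), (CALLED, "CFR"),
    (CALLER, "PAGE"), (CALLER, "MPS"), (CALLED, "MCF"),
    (CALLER, "PAGE"), (CALLER, "EOP"), (CALLED, "MCF"),
    (CALLER, "DCN"),
]
# The final page is never confirmed before the caller disconnects.
UNCONFIRMED_TRACE = [
    (CALLED, "CED"), (CALLED, "DIS"), (CALLER, "DCS"), (CALLER, "TCF"),
    (CALLED, "CFR"), (CALLER, "PAGE"), (CALLER, "EOP"), (CALLER, "DCN"),
]

if __name__ == "__main__":
    for name, trace in (("good", GOOD_TRACE), ("unconfirmed", UNCONFIRMED_TRACE)):
        print(name, check_session(trace))
```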





The sending fax transmits a test signal to help the receiving unit lock onto
the proper signals. The receiving fax transmits a confirmation-to-receive
(CFR) signal to tell the sending unit it is ready to accept the first page.
The first page of the fax message is sent from the originating device. When the
end of the page is reached, the sending unit transmits an end-of-page (EOP)
signal and waits for a message confirmation (MCF) from the receiving unit.
This process continues until the final page is sent and the calling fax
transmits a disconnect (DCN) signal to sever the connection, freeing both
telephones. Note that the initial handshaking that establishes the
capabilities of each unit in the connection is conducted only once, at the
beginning of the link. Once the sending fax starts transmitting pages, there
is no need for this handshake again.

Commercial fax interception devices are made by a number of companies
including HDS and STG, aimed at law enforcement but, in some cases, sold to
anyone with the bucks. Commercial facsimile taps are based either on an IBM PC
equipped with a fax modem which intercepts and receives the protocol signals
and the fax message, writing it directly to disk and then reprinting it out on
the screen or on a printer, or on a special tape recorder that saves messages
for later playback through a modified fax machine. These devices do work and
have been used in courts on numerous occasions. They also average about
$28,000 each. If money's no object, hey, I say give 'em a call. In reality
there's very little difference between tapping a data transmission and tapping
a voice transmission. Here's how to do it for about $27,000 less:

Intercept the data stream by use of a good dropout recorder or high impedance
capacitor circuit as described above. Record the entire transmission on a
digital audio tape recorder. DAT's are now commercially available for about
$800 but this will drop soon and may have dropped by the time you read this.
DAT's use a high sample rate to record the audio in the form of boolean
digits. There is no distortion, noise or error introduced in playback or
recording. What you hear is what you get. Therefore, DAT's are the ideal and
perhaps really the only method of recording fax transmissions.

Once the transmission is on tape, there are two choices: either feed it into a
fax modem and into a computer where it can be stored and manipulated, or feed
it directly into a fax machine. In either case the information should come
down a phone line. The simplest way to do this, if one has access to two phone
lines, is to unscrew the mouthpiece and clip a jumper cable from the output of
the DAT directly into the telephone line, dial up the other phone line and run
it into the computer or fax machine. However, a very nice alternative is to
employ your own central office in the form of a VIKING Phone Line Simulator.
For about $100 this little device provides a carrier that makes any phone
think it's hooked up to central office and another telephone. Signals, voice
and data can be fed into the simulator and will come out at line level at the
output.

If the resulting signal is to be fed into a computer, the carrier on the modem
should be turned off so it will not respond with a carrier of its own when
receiving the target's communications, resulting in interference. If a Hayes
equivalent modem is used, the command sequences to put it into the monitor
mode, so it will still receive data without a carrier, are as follows:

FOR ORIGINATE: AT C0 S10=255D
FOR ANSWER: AT C0 S10=255A

This turns off the carrier and sets the modem to ignore the carrier loss.



The output of the DAT can be fed into a fax machine, and with a little bit of
practice one can use the pause button in order to time the handshake sequence,
setting up the fax machine to receive the intercepted transmission just as
if it were the receiving end fax.

As long as the machines sync up with regard to baud rate and protocol, it
will reproduce the fax communication.

This procedure will also work for data communications between two
computers. Instead of feeding the result into a fax, simply feed it into your
modem. In fact, modem transmission, which is frequency shift keying and less
subject to distortion than phase shift keying, can often be reproduced by a
high quality reel-to-reel tape recorder.

Or you can get the 'DATA TAP' program that will soon be available throughout
the computer underground. This program allows one to TAP into various lines
with a stand-alone unit or use of a laptop. The program is expected to be
released in Jan. of 94. It's written by The Raven and IBMMAN of The High
Tech Hoods. For any other info, contact them.