Inside the Hidden World of Elevator Phone Phreaking

Wired 09 Aug 2019 07:00

Caruana declined to say which of those techniques he's used himself, but he says he's called more than 50 elevators over the last year. One trick he enjoys is dialing up friends in a hotel elevator to surprise them when they're attending a hacker conference together. (He asked that I make clear he isn't using that trick during Defcon; he doesn't want to be kicked out of the hotel he's staying at in Las Vegas.)

Another phreaker Caruana introduced me to, who emailed with me under the name SLICThroat, says that he's called into elevators hundreds of times, most often to study the different behavior of their varied electronics, or just to listen in to a mysterious, faraway space. "Complexes all over the world have them, and the ambient noises or conversations can be a window into what goes on in a place you may never have the opportunity to set foot in," SLICThroat writes.

But he's also heard other phreakers dial in elevator phones on conference lines and stage elaborate prank calls he compares to "improv acting exercises" with unwitting elevator riders. "I've heard some people pose as lecherous members of the maintenance staff before," writes SLICThroat, "or usually better yet, a quick-talking, deep-voiced unscrupulous staff member trying to sell questionable goods to the elevator's passengers."

"The Elevator Is Talking to Me"

The act of dialing into an elevator phone, even unannounced, doesn't in itself break any laws, says Tor Ekeland, a well-known hacker defense attorney. "On its face calling these numbers is not a violation," Ekeland says. Taking advantage of default passwords to reprogram them, on the other hand, is likely a computer fraud and abuse violation and an extremely reckless move, he warns. "If I’m having a heart attack or I'm stuck between floors during a fire and I call out and it's Domino's Pizza, there’s real harm there."

With that legal advice in mind, and armed with the list of elevator phone numbers Caruana shared with me, I called into a couple dozen elevators across the country, carefully avoiding their reprogramming options and making sure to ask first if anyone inside was in an emergency situation. Most of the elevators were empty. When people were onboard, it turned out to be tough to start a conversation. A Georgetown University elevator occupant apologized, thinking they'd mistakenly pushed the button, and quickly exited. A man in a government building in Seattle didn't have time to talk. An older man in the elevator of a resort in Idaho told me he was too busy and said goodbye. When the elevator dinged, I introduced myself again, thinking a new rider had entered, but it turned out that it was still the same man, and that we'd been riding together in awkward silence. He scolded me for tying up the line and walked out.

Back at the Grand Rapids Hilton where I started—the busiest elevator I found—I managed to speak briefly with a few riders, but mostly just caused confusion. "I'm just a guest at this hotel, and the elevator is talking to me," one worried woman said.

Eavesdropping was unsurprisingly far easier than interviews. After one group of fratty-sounding men failed to hear me say hello a few times, I sat on the line while they discussed the homelessness problem in the area around the hotel, and laughed about how a friend had brought one homeless man into a party they'd thrown there on their last visit. None of them mentioned a suspiciously lit red LED.

Secrets of the Big Metal Box

Caruana and other phreakers warned me that it's not just elevator phones that are potentially open to unwelcome calls. Stairwell phones, emergency phones at swimming pools, callboxes on college campuses, and other push-to-call phones in random buildings across the country are similarly exposed. But Caruana says he wouldn't be revealing this telephonic playground in a Defcon talk if it weren't for the more serious issue of the harm reprogrammable phones could cause. "We enjoy these systems. We don’t want them to go away," Caruana says. "I personally would like them to become more secure."