An Introduction to COCOTs (Summer, 1990) ---------------------------------------- By The Plague The COCOT, more precisely, the Customer Owned Coin Operated Telephone: good or evil? To the COCOT owner it's a godsend, a virtual legal slot machine for leeching the public, freeing the owner from the monopolies of the phone company. To the public it's a nightmare, a money-stealing machine providing poor service and insanely high rates, a virtual hotel-style phone in the guise of an innocent looking pay phone. To the telephone enthusiast, a COCOT is something else entirely. A treasure trove of tasty parts, perhaps, including microprocessors, coin identification mechanisms, tone dialers, tone and call progress detectors, a modem for remote connections, speech synthesis and recognition equipment, magnetic strip readers for credit cards, and other parts to be explored and tinkered with. For other phreaks, the COCOT represents an unrestricted phone line, which can be used for exploration of the phone system. Still, procedures. Others may see the neighborhood COCOT as a bunch of imprisoned coins and a future wall phone for their room. Many more treasures are to be found in a single COCOT, as you shall soon see. COCOT Basics To those of you unfamiliar with the COCOT, let me quickly fill you in on the basics. Firstly, most if not all, COCOTs operate on regular business or residential (depending on the greed of the owner) phone lines. There are exceptions to this rule in a few major cities where private pay phone lines are available directly from the local phone company; these allow the use of regular operators who are aware of the status of the line as being COCOT based. However, few, if any, COCOTs use this type of line, even when it is available. Almost all COCOTs are microprocessor-based devices, thereby making them smarter than your average phone company pay phone. A major function of the COCOT is to independently collect coins in return for time during a call. While the real pay phone uses the ACTS system on a remote phone company computer for coin request and collection functions, the COCOT performs these functions locally in its small computer. Naturally, red boxes do not work with COCOTs. However, since their coin detection mechanisms are not as advanced as those in real pay phones, it is much easier to trick them with slugs. The dial tone you hear when you pick up the handset to a COCOT is usually not the actual dial tone, but a synthesized one (more on the dial tone later). As you press the numbers on the keypad, the COCOT stores each number in memory. The keypad may or may not be DTMF, depending on the phone. Most COCOTs do not allow for incoming calls, since their primary purpose is to generate revenue, and incoming calls simply waste time, which could be used by paying COCOT customers (from the owner's point of view). If you obtain a number to a COCOT, it will usually pick up after several rings in remote mode (more on that later). After the COCOT has enough digits to dial your call, it will ask for the amount of money to deposit on an LCD screen or in a synthesized voice, unless you have placed the call collect or used a calling card, or if the call is toll free. It will then obtain an actual dial tone from the phone line, and dial your call through whichever method it is designed to use. During this time it may or may not mute out the handset earpiece and/or the mouthpiece. For local calls, it will usually dial the call directly, but for long-distance, calling card, and collect calls, it will usually use an independent hotel-style phone company or PBX. This is done so that you (or the called party in a collect call situation) will be charged up the wazoo for your call. If it detects a busy, reorder, or other progress tone other than a ring, it will refund your money and not charge you for the call, in theory. In actuality a lot of COCOTs will rip you off and charge you anyway, hence their reputation. Unless the call was placed collect or with a calling card or toll free, the phone will periodically ask you to deposit money. Since the small and sleazy long-distance companies used by most COCOTs are chosen on the basis of rates, rather than quality, you can be sure that most calls placed on COCOTs have an extremely large amount of static and bizarre echoing effects. Identifying COCOTs A lot of people (non-phreaks) seem to have trouble telling COCOTs from phone company pay phones. I can spot a COCOT a hundred yards away, but to the average person, it's pretty tough because they are made to look so much like the real thing. Actually, it s quite simple. Just look for your RBOC's (New York Telephone, Southwestern Bell, etc.) name and logo on the phone to be sure it's the real thing. Ninety-nine times out of a hundred, it's a real pay phone. The rare exceptions occur when it's a COCOT made and/or owned by your local phone company (in which case, not to worry, these won't rip you off as badly as the sleazy small-company made phones), or when it is in fact a sleazy small-company made phone, disguised by its owner, through the theft and reapplication of actual pay phone signs and markings, to be indistinguishable from the real thing. The latter case is illegal in most parts of the country, but it does happen. Nonetheless, a phreak will know a COCOT as soon as he dials a number, regardless of the outer appearance. The absence of the true ACTS always means you're using a COCOT. COCOT Varieties Let us discuss the various varieties of COCOTs. To be frank, there are actually too many different COCOT devices to discuss them individually, and their similarity in appearance to one another makes for difficult identification even to the advanced COCOT (ab)user. They range from simple Western Electric look-alikes to more advanced varieties, which may include LCD or CRT displays, credit card readers, and voice recognition dialing. The range is very wide with perhaps 1000 different pay phones in between. In reality, you should approach each new COCOT with no predispositions, and no expectations. Experiment with it, play around with it, see what kind of COCOT security measures (more on that later) it implements, attempt to gain an unrestricted dial tone, see how well the beast is fastened to its place of inhabitance, attempt to decipher its long-distance access methods, and so on. In general, just play with it. Getting the Dial Tone I started research for this article with the intent of explaining which techniques for obtaining actual unrestricted dial tones work with what phones. In my exploration, I have learned many tricks for achieving this, but have also found that there are too many different COCOTs out there, and devoting an article to defeating a dozen or so brands that can be found in the NYC area would be a waste of my time and yours. Instead, I have focused on general techniques and methods that can be applied to any new, unknown, or future variety of COCOT. I have decided to break this down into the various COCOT security measures used by COCOTs and how to defeat each one. In actuality, each COCOT seldom uses more than one of these COCOT security measures. When a single COCOT security (anti-phreaking) measure is used, it is quite easy for the phone phreak to obtain a dial tone. In more secure COCOTs, you should experiment with various combinations of these techniques, and attempt to come up with some techniques of your own. To begin with, the most basic attempt to get a real dial tone requires you to dial a toll free or 1-800 number, wait for them to hang up, and wait for the real dial tone to come back. At which time, you would dial your free call on an unrestricted line, or better yet, dial 0 for an actual operator and have her place the call for you. The following are methods used by COCOTs in order to stop you from doing this. Like I said, it is rare for any specific COCOT to implement more than one of these. COCOT Security Measures and How to Defeat Them 1. Locking Out the Keypad: If the keypad is DTMF, the COCOT will lock it out after your original call is placed. This can be defeated with the use of a portable DTMF dialer provided that other measures are not in place to prevent this (muting, DTMF detection, and automatic reset). 2. The Use of a Non-DTMF Keypad: Here, again, the purpose is the same, to prevent further dialing after the call is completed. Again, this can be defeated with a portable dialer, provided other measures are not in place. Most COCOTs dial out using DTMF anyway, and hence DTMF dialing should be enabled for that line. 3. DTMF Detection and Automatic Reset: Here, a different approach is taken to prevent unauthorized dialing. The phone will reset (hang up and give you back the fake dial tone) when it detects DTMF tones on the line after the COCOT dials your call. Most COCOTs do not implement this measure because it interferes with legitimate applications (beeper calls, VMB calls, etc.). To defeat this measure, modify your portable dialer to use shorter tones (less than 50 ms). Since the central office (CO) can usually detect very short tones, whereas the COCOT may be sensitive only to longer tones, you should be able to dial out. Another way to defeat this is to mask your tones in synthetic static generated by blowing a "shhhhhhh" sound into the mouthpiece as you dial the first digit on the unrestricted dial tone. This should throw off most DTMF detection circuits used in COCOTs, and tones should be received quite fine at the CO because their circuits are more advanced and provide greater sensitivity and/or noise suppression. 4. Dial Tone Detection and Automatic Reset: This measure is similar to the above measure, except resetting will take place if a dial tone (the unrestricted dial tone) is detected by the COCOT during the call. Since most COCOTs do not use the "hang-up pulse" from the CO to detect the other party hanging up, they rely heavily on detecting the dial tone that comes afterward, in order to detect when the other party hung up. This is a clever measure that is easily defeated by blowing a "shhhhhhh" sound (synthetic static) into the mouthpiece during the time at which you expect the real dial tone to come back. As you keep "shhh"ing, you will hear the dial tone come back, then dial the 1st digit (usually a 1), the dial tone will be gone, and you dial the rest of the number. If the keypad is locked out, use your portable dialer. 5. Number Restriction: Most COCOTs will restrict the user from dialing certain numbers, area codes, and exchanges. Usually these include 0 for obvious reasons, 976- and 1-900-type numbers, ANAC (number identification), and others. On rare occasions, COCOTs will restrict you from dialing 1-800 numbers. Although this is illegal in most parts, it is done nonetheless, because most COCOT owners don't like people using their phone without paying them. In practice this brings in more revenue, because the phone is available to more paying users. Your best bet here is to call any toll free number that the phone will accept instead of the 800 number. These may include 411, 911, 611, 211, or the repair or customer service number for the company that handles that COCOT. (This is usually toll free and is printed somewhere on the phone.) 6. Muting the Mouthpiece: This is not really a measure in itself, but is sometimes used in combination with other measures to prevent dialing out. Muting is usually done when the COCOT itself is dialing out, which prevents you from grabbing the dial tone before it does. This is a rather lame and futile technique since we typically obtain the unrestricted dial tone after the call is completed. Thus, there is no need to defeat this. I suppose the designers of the COCOT were really paranoid about security during the start of the call, but completely ignored dial tone penetration attempts after the call was dialed and connected. Just goes to show you what happens with those guys who wear pocket protectors and graduate with a 4.0 average. In theory their designs are perfect; in reality they never match up to the abuse which we subject them to. 7. Other Measures: Although I have discussed all measures currently known to me, in defeating new measures or measures not discussed here my best advice would be to use a combination of techniques mentioned above to obtain an unrestricted dial tone or a "real operator" (local, AT&T, or any operator that can complete a call for you and thinks you are calling from a regular line, not a COCOT). Secret Numbers Actually, there's not much to say about secret numbers. Most COCOTs have secret numbers that the owner can punch into the COCOT keypad in order to activate administrative functions or menus locally. These functions provide information regarding the status of the unit, the money in the coin box, the owner's approximate phone bill, and various diagnostic and test functions. They also allow a certain amount of reprogramming, usually limited to changing rates and restricted numbers. For more information about these, I would suggest obtaining the engineering, design, or owner's manuals for the unit. Since engineering and design manuals are closely guarded company secrets, mostly to prevent the competition from cloning, it would be very difficult to obtain them. Owner's manuals can be obtained rather easily with a minimal amount of social engineering, but they are sadly lacking in information and primarily written for the average COCOT owner. Remote Connections Remote connections provide the same functions as described in the previous section, except they can be accessed remotely by calling the COCOT. Remote connections are usually reserved for authorized users (the company in charge of maintaining the proper operation of the COCOT). Thus, the COCOT can be diagnosed remotely, even before a person is sent down to repair it. A typical COCOT will pick up in remote mode after someone calls it and lets it ring for a while (between 4 and 10 rings usually). At that time it will communicate with the remote site using whatever method it was designed to use. This is usually a 300 baud mode, or a DTMF/synthesized voice connection. An access code is usually required, which may be a 3- or 4-digit number in the DTMF connection, or anything for a password in the modem connection. Some DTMF based COCOTs are simply activated with a single silver box tone (see Winter 1989-90 issue of 2600). I've run into a couple of these. To play around with the remote functions of a COCOT, if they exist in the particular model, it is necessary to obtain the phone number of the unit. See the next section on that. Once you have the number, simply call it and experiment from then on. If you have trouble hacking the formats for the remote mode, it may be necessary to call the makers of the COCOT and social engineer them for the information. Getting the COCOT's Number This is incredibly trivial, but is included here because it is such an important function in the exploration/abuse of any COCOT, and because advanced COCOT exploration/ abuse techniques will require you to have this information. It is also included here for the novice reader. There are several ways to obtain the phone number, the simplest being dialing your local ANAC number, plus dummy digits if necessary. A lot of COCOTs will restrict this, so you should get an unrestricted dial tone and then dial ANAC. Some COCOTs will not restrict you, but will ask for money in order to do this. Here in NYC, dropping $.25 and dialing 958-1111 will get you the ANAC readout on this type of COCOT. A small price to pay for such valuable information. Another way to obtain the number is to get it from the operator. Any operator that has it will have no problem releasing it to you; just say you re calling from a pay phone and you need someone to call you back, but there is no phone number written on the pay phone. Yet another choice is to call one of the various ANI Demo 800 numbers, which will read back your number. This choice is particularly useful for people who don t have or don t know the ANAC for their area. If in desperation, social engineer the information out of the COCOT owner, call him up as the phone company, and take it from there. Hijacking the Bastard Besides using the COCOT to make calls, the typical phone phreak will usually want a COCOT for himself. Granted, this is stealing, but so is not paying for calls. And while we re at it, stealing for experimentation and the pursuit of knowledge is not the same as stealing for money. Oh well, I won't get into morals here, it's up to you to decide. Personally, I'm devoid of all ethics and morals anyway, so I'd steal one if the opportunity was there. What the heck, it can't be any worse than exercising your freedom of speech and being dragged off to jail by the fascist stooges of the imperialistic American police state. Ahem, sorry about that, I got a little carried away, but I just had to comment on events of the past several months. Anyway, the reasons for abducting a COCOT range from simple experimentation ("I'd like to see what is in there,") to purely materialistic reasons ("Hmmm, I bet that coin box holds at least $10.") Whatever the reason, a COCOT is a good thing to have. Their retail value ranges from $900 to $2500, but since you can't really resell it, I wouldn't suggest taking one for purely materialistic reasons. Abducting a COCOT is usually much easier than trying to do the same to a real pay phone. Physical security can range widely and depends largely on the owner. I've seen security ranging from a couple of nails fastening the COCOT to a sheet of plywood, to double-cemented bolted down steel encasements. However, a crowbar will do the trick for about 50 percent of the COCOTs in my area. Expect the same wherever you are. Once obtained, your options vary. You could take it apart, you could hang it on your bedroom wall, you could hold it for ransom; it's up to you. Most people simply connect it up to their line, or hang it up as a trophy above the mantle. As you can tell from the introduction, dissecting the COCOT will yield you a plethora of interesting devices to keep you busy for a long time to come. If you do connect a COCOT to your line, be sure to tape up the coin slot, as placing money in the COCOT without an ability to remove the coin box will eventually choke the unit. Don't use it as a primary phone, since it demands money; it's neat to have it as an extension. Destruction If you can't steal it, and you can't (ab)use it, destroy it.... That's my motto with regard to COCOTs. These evil beasts have been ripping off the public for a long time, and they deserve to pay the price. Destruction can range from breaking off plastic forks in the coin slot, to removing the handset (for display as a trophy of course), to completely demolishing the unit with explosives, to squeezing off a few shotgun blasts at the COCOT. Since repair and/or refund is hard to come by and expensive when it comes to COCOTs (but is free for real pay phones), the COCOT owner will think twice before purchasing another COCOT. The Phone Line As mentioned earlier, the phone line used by the COCOT is just a regular line. It is usually exposed near the COCOT itself. For those of you with a lineman's handset, need I say more? For those without, let me just quickly say, get your hands on one. Advanced Techniques The next three sections are for the more experienced phone phreak, but most of this can be done by just about anyone. There are many more advanced techniques; the boundaries are limitless. Code Theft As mentioned earlier, most COCOTs use various small and sleazy long-distance companies and operator assistance services (ITI, Telesphere, Redneck Telecom, etc.) for long distance, collect, third party, and calling card calls. Many times these are accessed by the COCOT through a 1-800, 950, or 10XXX number. The COCOT dials the access number, its identification number or code; plus other information in order to use the service. The service then bills the COCOT owner (or the middleman reseller of COCOT services) for the services provided but not yet paid for. In the case of calling card calls or collect calls, the service bills the proper party through equal access billing and credits the COCOT owner s account a cut of the action. Needless to say, all the DTMF tones required to access the service can be taped and decoded (see the DTMF decoder article in the Spring 1990 issue of 2600), and used for our own purposes. Sometimes, you can tape the tones right from the handset earpiece. Other times, the handset is muted, and it is required for you to either access the wiring itself, or trick the phone into thinking that your called party hung up, and you re making another call, while having the party on the other end give a bogus dial tone to the COCOT and tape the forthcoming tones. Surprisingly the codes obtained from this type of activity last a very long time (usually 3 to 4 months). This is because, once the charge gets all the way down the chain, through the various middlemen and resellers to the COCOT owner, and by the time the COCOT owner realizes that the coins collected don't match the calls placed, and by the time he has to convince all the middlemen above him of possible fraud...well, you get the picture. Suffice to say, these codes last. Used in moderation, they can last for a long time, because the COCOT owner is raking in so much profit, he'll easily ignore the extra calls. Calling Card Verification With regard to messing around with calling card verification, I could write a whole separate article on this, but space does not allow it at this time. So, I'll just give you the basics. Much of the calling card verification that s being done by sleazy long distance and AOS services is very shabby. Since access to AT&T's calling card database for verification is expensive for these companies, they try to do without. Much of the time, they don't verify the card at all; they make sure it looks valid (a valid area code and exchange), and simply throw out the PIN, thus assuming the card is valid. A valid assumption, given that more than 95% percent of the calling cards being punched into COCOTs are valid, it's a worthwhile risk to take. However, the sh*t hits the fan when someone receives his bill and sees that he has a bunch of calling card calls on his bill, and he doesn't even have a calling card! Fraud is reported, the bureaucracy churns, until finally, the sleazy long-distance company ends up paying for the call. Given enough of these calls, these companies get hell from AT&T and the RBOCs for not properly verifying calling card numbers. The FCC gets into the act, and the company pays fines up the wazoo. A pretty good thing, if you ask me, and you get a free call out of it as well. Not a bad transaction, not bad at all.... Other long-distance companies and AOS services steal verification services from AT&T by dialing a 0+ call on another line to a busy number, using the calling card number you punched in. If it receives a busy signal, the card is good, otherwise it is not. In either case, the long-distance company eludes the charge for accessing the database. When it comes to slinging sleaze, these companies deserve an award. And that's why I urge all out there to abuse the crap out of them. Call Forwarding This is another of the many interesting things that can be done with your neighborhood COCOT. Simply put, you get the phone number to the COCOT, call up your local phone company, order call forwarding for that line, then go to the COCOT and forward it to your number. A lineman's handset may be required here if you can't get your hands on an unrestricted dial tone. Pulling a CN/A or doing some research may be required if your local phone company asks a lot of information before processing such requests as call forwarding. In most cases they don't, and in some areas there are automated facilities for processing such requests. Presto! You now have an alternate number you can use for whatever purpose you have in mind. It could be used for anything from getting verified on a BBS to selling drugs. Again, your ethics are your own; this is simply a tool for those who need it. Anyway, it's practically untraceable to you as far as conventional means are concerned (CN/A, criss-cross directory, etc.), and you should use it to your advantage. This is especially a good tool for people afraid to give out their home numbers. At any time, you can go to the COCOT and deactivate the call forwarding to your number. Since no one ever calls the COCOT (except for using the remote mode, and this is rare and mostly used when the phone is broken), you should have few if any calls intended for the COCOT. If you do get a call from a COCOT service bureau, simply say "wrong number," go to the COCOT, and deactivate call forwarding for a few days just to be safe. In any case, your real number cannot be obtained through any conventional means by those calling the COCOT, or even by those standing at the COCOT itself. However, if they really wanted to nail you, they could examine the memory at the COCOT s switch and pull your number out of its call forwarding memory. However, I have never heard of this being done, and it's very unlikely that they would do this. But I wouldn't recommend using the alternate number for anything more than an alternate number for yourself. If you sell drugs or card stuff or something like that, don't use such an alternate number for more than a few days. The Future of the COCOT We're definitely going to see many more COCOTs in the future. They will begin to saturate suburban and rural areas where they can rarely be found at this time. More COCOTs mean more headaches for the public, but it also means more of us will get a chance to experiment with them. Security, both physical and anti-phreak, will get better, especially after COCOT manufacturers read this article. But it will be a long time before we will see completely secure COCOTs. Which is not so bad really, because then they will actually be worth stealing. In the meantime, we can decrease their proliferation by destroying any COCOTs that rip people off. Having COCOTs around is a bittersweet proposition. In a way, they are an interesting use of technology and another frontier of exploration for the phone phreak. On the other hand, they are cybernetic money-leeching abuses of technology, which steal from and abuse the public they are meant to serve. Like 'em or not, they're here to stay. Getting More Info For those of you who wish to find out more about COCOTs, I would recommend hands-on exploration. I would also recommend getting some of the COCOT industry publications, and various telephone industry publications. You could also request more information from COCOT manufacturers themselves, Intellicall being one of the largest. Also, check out government and FCC regulations with regard to equal access and COCOTs. Fighting the Bastards Much of the stuff being perpetrated by COCOTs today is against the law, and the sleazy companies that handle calls for COCOTs are violating many laws. Unfortunately, few of these laws are being enforced. When you see such a violation of consumer rights, please report it to all relevant agencies. You ll know you re being taken advantage of when someone calls you collect from a COCOT and you get charged up the wazoo for the 10-minute local call. And they call us criminals. Give me a break.... The only way to control these cybernetic leeches is to do something about them. Also, if you have a grudge against a COCOT or a sleazy company, by all means take the law into your own hands. But also, write to your legislators, complaining of the abuses being perpetrated by COCOTs and the sleazy telephone companies. Also, it is important to educate the public about COCOTs and how to recognize and avoid them. Whenever possible try to inform your non-phreak friends about the dangers of using COCOTs. I am also in favor of strict regulation when it comes to the subject of COCOTs. If they must charge insane rates, these rates should be stated clearly, and they must provide quality service, clear connections, and free operator assistance. Anything less than this is unacceptable. In closing, I would just like to say that this article is as complete as my knowledge enables it to be. It by no means explains all there is to know about COCOTs, nor do I claim to know all there is to know. If you have any other information on COCOTs or any particularly tasty COCOT stories, please write to 2600 and tell us more.