Hacking Mircom Technologies Telephone Access Systems  Written by: The Clone  Date: Tuesday October 19, 2004  Updated: Saturday, December 11, 2004  Web-Site: http://www.nettwerked.net  E-mail: theclone@hackcanada.com Blending Hacking, Phreaking, Lock Picking, and Urban Exploration into one phile. Dedicated to: Hack Canada and Nettwerked. Representing the Canadian hack / phreak scene for over 5 years, and to represent forevermore. Written for: The Fall 2004 Issue of K-1ine Magazine.  Table of Contents: Introduction / Disclaimer Mircom System Features Exploiting Mircom Systems Conclusion to this Document Introduction / Disclaimer: This document is dedicated to subverting the physical and remote security of the Mircom Telephone Access System, supposedly "uncrackable" machines widely used across Canada / the United States. Mircom Technologies, the company that invented these bitches, manufactures a full range of other security products which include fire control and communication products dedicated to life safety in the telephone access markets. In this document you will: learn what the Mircom Telephone Access Systems are, learn how to administrate the systems, and learn how to use a few "tricks" I have discovered in order to gain both building access, elevator control, free long distance telephone calls, and to cause general mayhem in your community. Now this is your warning; none of the knowledge you pick up from this article should EVER be used in practice. Unauthorized access to the administration functions of a computer controlled system of any kind, including building security systems is against the law. This file was simply written as a resource for individuals who want to learn about the unknown such as what big business and government agencies wish to keep from the public. This file is written for people sick of ignorance. If you do not want to use this knowledge as anything but a resource for your criminal activities, I advise you to STOP reading. Hell, don't stop reading... I'm not responsible for your behavior and could really care less that you want to spend the rest of your life rotting in a prison. Mircom System Features: The Mircom Technology Building systems range in size, in cost, and of course in features. Since I didn't feel it absolutely necessary to list off every single feature of each model, I simply linked to their data sheet PDF files. Make use of the resources linked off the images. There's a lot to learn about the models that I could not have possibly put better myself. Exploiting Mircom Systems: Lets face it; every physical and remote computer controlled infrastructure on earth, whether it be some guy's personal computer or some lonely mainframe in a downtown office is vulnerable in one way or another. Don't be fooled by the marketing gimmicks being thrown your way by big business conglomerates out to make a buck on your ignorance. Every single Mircom Physical Security System around the planet is secured by a company that happened to have leaked it out to the wrong person. Now you're probably thinking to yourself "Yeah right, Clone. You're pulling my leg. You can't be telling me Mircom was that stupid!" Well they were. Now before you get too excited; I'm going to be straight with you; I will not be publishing the passwords. Don't bother asking me for the codes, because for all you know I don't even have them - and never have. But don't fret, my pet, I will let you in on a few interesting secrets anyways. Physical Administration: Mircom Technologies decided the best way to keep landlords and building owners from permanently getting locked out of administrating their security systems when they decide to forget their password, was to implement a 10 or 12 digit override password (factory default) that could work on every model. That way Joe Nobody has to pay Mircom a nice fat consulting fee every time he gets piss-drunk and loses the cigarette package he wrote the administration password on. The fucking hillbilly should have gotten the password tattooed on his ass. For this particular article I will be using the Mircom TAS-2000 Telephone Access System (MUS-3140K) as Physical Administration "subject matter". Now before you jump into finger hacking this system to death, you must, and I repeat must, *always* check for one of two things; people and cameras. People are less of a threat, because most of the time they will figure you're just calling someone you know in the building, and at times will even offer to let you in the building. External cameras watching the doorway and, depending on the model and the hardware implementation, a hidden camera (model #: CAM-1) located inside of the Mircom telephone access system itself may be watching your every move. If you notice a camera is possibly built into the model of Mircom you're about to hack, walk away. Come back a few days later and wear some kind of disguise; such as a head scarf that covers your entire face, or better yet a balaclava for a more phearsome "I'm gonna 0wn this b1tch!" look. As you approach the Mircom Telephone Access System you will notice a screen (unless altered by the administrator) that says: "Mircom - Enter Dial Code" To enter the Administration Menu, enter the following code: 9999. Some older models use 0000. Enter Dial Code [99__] You will be prompted for the password. Enter that 10 or 12 digit pin code. (Don't worry the password is asterisked ************ for your "security".)   Enter the Password   [__________] What you get access to when you've bypassed the administration login screen:  >Add new record   Edit record (Navigation Tip: By pressing "0" on the menu, you enter the option your ">" cursor is pointed at. To scroll through the options press "#") You are now at the main menu. If you choose the "Add new record" option you will then have the ability to add extensions which dial any telephone number you want. If the building administrator did not set up a toll-block with the telecom carrier servicing the dedicated line, you can program long distance numbers including international and 1-900 pay telephone numbers into the system. So let's assume you have a need to enter into that menu, you will immediately be brought to this screen which says "Enter Dial Code [____]". At this point, dial any extension you want to program into the system for later use; such as 1234.   Enter Dial Code   [1234] After you have entered your extension of choice, you will be brought to a screen that says "Enter Telephone No. [____________]".   Enter Telephone No.   [______________] This is where you will obviously enter your telephone number of choice. The next option you have will be "Enter Elevator Code". After you enter that code, you will be prompted to "Enter Elevator ID". To be honest with you, I have not yet figured out what this option is for exactly, but I'm guessing it has something to do with telling the elevator what floor to bring you to after you've been let in by the extension you called. Or maybe it has to do with Mircom's "Elevator Restriction Capability". This option only matters if you have an elevator in the building, and probably won't be much use to you anyways.   Enter Elevator Code   [__]   Enter Elevator ID   [__] The next option on the table is "Edit Record". Scroll down to this menu and access it. This menu is one of the most interesting ones because it will give you the option of viewing what specific extension is bound to what particular telephone number. This is a great way for you to capture the private phone number of a certain cute tenant *wink wink* or hated tenant you might have wanted to harass for some time. You also have the ability with "Edit Record" to, of course, EDIT which number any extension calls. Pissed off at someone in your building? Well the next time a loved one comes to their door to visit, they won't be reached because you edited the telephone number so that it calls something funny like phone sex or your favorite pizza delivery company.   Add new record  >Edit record  1114>_______________   108 *************** Your next option is "Delete Record". This is pretty self-explanatory.   Edit record  >Delete Record   _22 ***************   127>*************** The next option on this menu is "Main Door DTMF". This is the code that is programmed into the Mircom system which, when triggered by a DTMF tone will open the door. When you call an extension and the person wants to let you in, they will (by default) press "9" on their telephone. You can piss off everyone in the building by changing it to another number. heh heh.   Delete Record  >Main Door DTMF   Main Door DTMF   [9] The next option on this menu is "AUX door DTMF". "Aux" means Auxiliary and is essentially the code for opening a secondary door in the building. If there is no secondary door for the building, then it is typically left at the default "9".   Main Door DTMF  >Aux Door DTMF Other options include: Online Timer programming   Aux Door DTMF  >Online Timer   Online Timer   [0060] Enter New Password. You can set a secondary, non-override password for entry into the Mircom Telecom Access System. If being anonymous is your game, I would suggest not modifying this menu if a password has already been set by the administrator. If you change the password, chances are the administrator is going to wonder why his password doesn't work.   Enter new password   XXCENSOREDXX The Set Time and Date on the next menu option. [MM/DD/YYYY][HH:MM] [__/__/____][__:__] Display the Time and Date on the next menu option.  0554.08/28/04 04:00  Code:2600K   Acc:Yes  Date : 08/28/2004  Time : 04:01:09 You can Sort the directory by Name, by Dial Code (extension), or you can use the Auto Sort feature.   Sort by name  >Sort by dial code   Auto Sort Order  >Select Language You can select the language you want the Mircom Telecom Access System to display. The options: 0=E (English), 1=F (French), 2=S (Spanish), 3=M (Mandarin).  Enter Language [0]  0=E,1=F,2=S,3=M Set and Enter NSL ID & SPA.   Select Language  >Set NSL ID and SP  Enter NSLA ID & SPA  [_9][99] Set and Enter NSLB ID & SPB/SPE.  Enter NSLB ID & SPB  [_9][99]  Enter NSLE ID & SPE  [23][33] Set and Enter the Elevator ID and Timer.   Set NSL ID and SP  >Set ELV ID and Time  Enter default ElevID  [__] Auto-Program the Mircom System.   Set ELV ID and Time  >Auto Program  Enter start dialcode  [____] Set the Mircom System to Tone or Pulse. 0=T (Tone), 1=P (Pulse). Stick with Tone. Pulse is essentially for rural areas still using rotary telephones.   Auto Program  >Set Tone/Pulse mode  Select tone/pulse  [0]   [0=T,1=P] Options Menu. Haven't figured out what this does yet. Maybe you can, and then give me some insight.   Set Tone/Pulse mode  >Options  Enter Option Code  [0128] Reset - this resets the entire Mircom Telecom Access System. This is essentially a restart of the software. It will ask you "Are you sure?" Press * to Cancel, and # to Accept the reset.   Options  >Reset     Are you sure!  [*=Cancel]    [#=Ok] Initialize Logging. This starts logging of all keys pressed, including extensions and keyless entry codes. If you managed to purchase a Modem Module (model number: MDM-1000) you could "capture" this data and use it for whatever you wanted; like market research! =)  >Initialize Logging   Init/Erase all data Luckily for you there is the next option; Init/Erase all data. This essentially "clears" the logs.  >Init/Erase all data   Exit Exit - This exits the Mircom Menu System and thus wraps up my explanation of the menu options.   Init/Erase all data  >Exit (For high resolution panel images please go to: http://www.nettwerked.net/mircom-pics.zip) Mircom Keyless Entry: One of the coolest features available on the various Mircom panel models is the ability to set a keyless entry code for access to the building. Are you into Urban Exploration? Want to gain access to a building for a little break and enter? Hate when you lose the keys to your building and get stuck waiting for someone to enter the building to let you in? All of these reasons are good enough reasons to set a keyless entry code. To enter the Keyless Entry Login Menu, enter the following code: 9998. Some older models use 0001. If you have not managed to successfully bypass the administration menu in all its 10 to 12 digit hard-to-hack glory, then you will not be able to set your own keyless code. The next best thing is the ever time consuming Brute Force Attack! With a 4 digit keyless entry code, you have 10,000 possible combinations to try. When you enter the login ID (9998 or 0001) you will be asked for a pin code. When you get the pin code wrong, there will be a 3-5 second delay before you are brought back to the main menu which shows "Enter the dial code" on the screen.  Try obvious combinations first: 0000, 1234, 2004, 9999, etc. If those don't work, work your way up; there is a high probability you will get the correct keyless entry code before trying all 10,000 combinations - unless of course the administrator didn't set a keyless entry code. Those silly bastards. Other ways to open the door for keyless entry: I've thought of two other ways to get access without physically breaking the door open or waiting for someone else to let you in. The first way: I noticed that in some cases misconfigured or inactive extensions for all of the Mircom Panel models will give you a 0+ operator. In my case Telus is the telco. If you social engineer a 0+ TOPS/TSPS operator into transferring you to a number (tell them your telephone keypad is jammed and it's urgent), such as a cell phone, you could then answer that cell phone and press '9'. The DTMF "9" key triggers the Mircom box which in turn opens the door when pressed. The other way to gain access for keyless entry is by blasting DTMF "9" into the voice mail message of your cell phone or landline beforehand and then when the time is right, social engineer a 0+ operator and have them transfer you to that telephone number. The problem with the second trick is that you might have problems with remote-controlled voice mail systems, such as most versions of Audix/Octel/Meridian Voice Mail System which stops recording when you hit any DTMF key on the telephone. Old-school tape recorders which allow you to record anything (including DTMF) will work fine enough indeed. Even MORE ways to open the door for keyless entry: (Added 12/11/04, suggested by CYB0RG/ASM) Tried tested and true. This trick requires either a cell phone that can generate loud and accurate DTMF, or a tone dialer with a fresh set of batteries. In order to make this trick work, you have to call up any random extension available on the Telephone Access Panel. When the call rings through you may either press DTMF "9" before the call is completed, or after someone or something (voice mail) picks up. Be sure to place the cell phone or tone dialer against the speaker of the access panel for the best results. If the door opens, you will hear a short echo of the DTMF 9 emitting from the panel, then a short buzzing sound for up to 5 seconds. This means the door has opened! A successful door entry hack is shown below in this photograph: Conclusion to this Document: This completes another article by yours truly. I expect this document opened up your eyes to another aspect of hacking and phreaking you might not have otherwise thought to research and exploit had you not sat down read this fine piece of modern literature. In conclusion to this article, I just want to say one thing; don't stop exploring. Don't stop your desire to explore beyond the boundaries set forth by the powers that be. Get out, play with technology and make it do something it wasn't intended to do. And don't ever stop sharing that knowledge with other like-minded individuals. Hackers and phreakers need to stick together like shit to stink! Peace. .eof This document is Copyright © 2004 by Nettwerked Incorporated. All Rights Reserved.