A Canadian Pager Carrier Billing Flaw Monday, October 7, 2002 Written by: The Clone Contribution by: Colt45 Shouts: Hack Canada, Nettwerked666, PacketNinja.ca - Disclaimer: This documentation is for entertainment and informational purposes only. In no way do I recommend you try any of these things, because it may get you in trouble with your phone company. However, if you do choose to attempt to exploit this little Canadian pager vulnerability; use a payphone, an automated divertor, op divert, use an outdial, or beige box someone's phone line. Oh yeah, and I'm not responsible for anything you do with this information. If you get caught defrauding the telco, it is because you're a fucking idiot who didn't take the precautions to stay anonymous. - Introduction: Pagers have brought many people together through a variety of signaling format protocols - POCSAG, FLEX, GOLAY - transmission speeds of 512, 1200, 2400 bps?! Standard Numeric, Alpha-Numeric, Tone Pagers? Oh the variety, oh the fun! Word on the street says that American and Canadian carriers are looking into phasing out pagers in the next couple of years. Hell, I even received some promotional material from Telus Mobility offering me cheap CDMA service if I cancelled my pager service through them! Apparently pager systems cost a lot to maintain, and over the last few years, less people even bother to use pagers due to the simple fact that wireless phones offer so many great features - Two Way Communication, Voice Mail, Short Message Service, Games, High Speed Data Transfers (GPRS and 1X), E-mail, Internet, and more. No freaking wonder pagers are on their way out, and cell phones continue to grow in popularity. However, until pagers are completely wiped out, this paper will still be very relevant. FACT: Wireless Carriers in Canada do not want customers to know the low-tech and high-tech tricks / exploits that let people abuse their service and use it to make free calls. - The Canadian Pager Carrier Billing Flaw: As you may or may not be aware, Bell Mobility and Telus Mobility do not have any type of billing system set up that logs direct or third party billing to their residential / business customers -- I have verified this claim with over 5 different customer service agents for both wireless carriers. Since Bell and Telus do not log any billing, they have come up with a simple and effective way to stop people from billing pagers; all major carriers in Canada share an "access list" of exchanges, prefixes and suffixes that block all Canadian long distance carriers from billing to any Canadian pagers. To test this flaw out for yourself, call up Telus' "Canada Direct" number at 1-800-646-0000 and enter any random pager number; you'll likely hear a message saying something to the effect of: "The number you have dialed cannot accept direct/3rd party billing." However with a little experimenting, I noticed that many American long distance carriers do not block a Canadian pager from receiving a direct or third-party charge. The reason for this is because these companies don't have any of our updated access lists. ! An unrelated note to Bell Mobility and Telus Mobility: Duh, stay outta Riverdale! - How to set this up: Before you do anything, you need to set yourself up a pager that allows you to record a voice-greeting. There are a few ways in which you can do this... 1. Use your own pager or a friends pager. In understandable English, set the voice greeting to say "yes" for approximately 25 to 30 seconds. Speak slowly and pause for about half a second between each "yes". 2. Hack into a pager. Most users have their remote admin pager pins set as "1234", "9999", "5555", the current year (2002), or the last four digits of their pager phone number. For most Telus Mobility pagers, the default password is the last four digits of the customer's unique 'capcode'. The capcode is a series of numbers at the bottom of the label, below the Model, Serial Number, Country Code, and ISC code. The "Fun" part: Once you have successfully set up the pager greeting, you'll need to test out this billing flaw. Make sure you don't get a live operator to authorize your billing. Instead, use a service that has an automated billing operator. A good resource to utilize is Yahoo!'s 'Business and Economy' web-page which has a great alphabetical listing of various American long-distance carriers that you can exploit. The address for that listing is: http://dir.yahoo.com/Business_and_Economy/Business_to_Business/Communications_and_Networking/Telecommunications/Long_Distance_Telephone/ -- Conclusion: Although this trick was fairly simple and this file wasn't the most technical of articles I've ever written, the fact of the matter is: everyone assumes that pagers (like cellular phones) are never vulnerable to fraud, or that pager billing systems are not without their major billing flaws. This file certainly changed all of that, now didn't it? :) -- Decent Pager Research Web-sites: Here are some URL's for all the technology enthusiasts out there who might want to learn a thing or two about pagers: * Black Crawling Systems Archives: Pager Programming, Monitoring, & Applications http://www.hackcanada.com/blackcrawl/cell/pager/pager.html * Nettwerked - FLEX Technology: Paging Protocol http://www.nettwerked.net/FLEX_Technologies.html [dot-e-0h-eph]