------------------------------------------------------------------------------- -- Bell Canada VMB Insecurity = by: Prez -- ------------------------------------------------------------------------------- Written by Prez (prez@lfx.org) Well, since the beginning, I've been obsessed with telecommunications exploits.. And I'm a canuck (Laugh it up guys, Loonies and Toonies;), so who better to bring you the latest exploits for Canadian based systems than me?:) I kinda made this document more of a story that explains to you how to do it at the same time, because stories are just so much more fun. Today, I'll teach you young canadian phreaks how you can score yourself some free, anonymous, telephone communication. Since a lot of us communicate.. both with our local scene, and the entire of it.. via telephone, a VMB (voice mail box) is an extremely safe and anonymous way to keep in touch with people. If you're wondering what a voice mail box is, you can think of it as a remote answering machice. You can call up and check your messages from anywhere, making it extremely convenient. Now, I first signed up for Bell Call Answering (the VMB service Bell Canada offers, for only 4.99$ a month or so) when I had thought out a quick social engineering mind exploit that would score me some VMB action for a month or so, too bad they didn't notice, and I've been getting it ever since. (Sorry,I have a few secrets only I know for now:). When I was first given the information to setup my voice mail, I was given a phone number I call to check it (or, you can just hit *98) and a "temporary password". The temporary password, however, was my phone number. Being the UNIX goon that I am, I made a mental note of how damn insecure this was, and just made another point for the "Boy, When will Bell ever learn." list. So that's just dope, I call up the number, and using ANI it automatically knows who I am. "Welcome to Bell Home Answering Service, this service can help you blah in touch balah friends blah blah and blah blah blah blah blah the SYSTEM ADMINISTRATOR has assigned you a temporary password, please enter that password now...." I enter my phone number. Now, I have a good memory when it comes to automated systems, and I remembered a few things about setting up my VMB: - I was REQUIRED to say a name for the system. - I was REQUIRED to choose a message, the ONLY two options were to have that was automated with my NAME, or a custom message that I could record. I chose name, for lack of something cool to record.. My message sounds like following: "You call has been forwarded to an Automatic Voice Message Service, 'Prez' is not available. Please leave...", Prez being the name I recorded. Months, perhaps more passed. One day, I was talking to a good friend at the time, MaXmOuSe (this would later lead me to meeting the infamous orez;) who had found a rather interesting number. In fact, it was a dial-in node for DMS100 switch (all Canadian baby!).. while this was interesting, and I won't go into it;).. what's important was, the number was xxx-0000.. and after this number died, I decided to just check the '0000's in other exchanges, until I hit the famous 52x-0000 VMB. I call the number, and recieved the message: You call has been forwarded to an Automatic Voice Message Serivice, 9 0 5 - 5 2 [x] - 0 0 0 0 is not available. Please leave a...." "Whoa, shit...." It came to my mind that, WHY THE HELL did it give me the phone number? I never had that option in my VMB. Then I remembered, if the person hasn't recorded a name, they mustn't have setup the mail box yet. Well, that's just cool :) because guess who remembered the secret to Bell Canada's temporary passwords?:) ha ha ha.. I dial up the number again, and hit "*" to drop to a menu (I remember this from using it at home). It says: "Welcome to Bell Call Answering Service.. to identify yourself as a subscriber, please press '#'", I hit '#', "Please enter your phone number." I dial 905-52x-0000 "Welcome to Bell Home Answering Service, this service can help you......the System Administrator has assigned you a temporary password, please enter that password now...." I enter 52x-0000 I continue setting up the mail box.. and use it for personal communications for the next couple of months. A few notes for you ambitious phreaks who want to go do this, you will often find these unsetup numbers (for whatever reason they are there:/) when scanning, you can easily identify them as a number that gives the phone number instead of the recorded name. Also, I suggest you turn of "Message Waiting Indicator" after you setup your mail box, as if it is someones house, they will hear beeping on their line when YOU have a message waiting. Shouts for the ehchapee boys: orez, heretik, admin, fflewddur, fonejack, ronaldx.. and to those I missed, you know who you are;) Peace out, Prez email: prez@lfx.org irc: #znosr/prez_ on efnet 2000