Phreaking Australia, 1800's.

Valiant
Valiant@halcon.com.au

Introduction

It's well and truly time I wrote a text file on this topic. Just when you thought phreaking was dead in Australia, here's a four-year-old move I used to pull in phone boxes around Sydney, and from friends' houses late at night. Young? Bored stupid? Like being an arsehole and making free calls to people while letting them pick up the bill? Couldn't be bothered brute forcing free calls using a crowbar or thermite? Well, read on.

About four years ago I discovered a networking flaw in the Telstra Homelink system that Telecom / Telstra were ever so proud of at the time. Well .. putting it bluntly, it's screwed.

How the system works

Some intelligent young marketing manager at Telscum realised one day that many people are occasionally stuck in a bad situation without money, or paranoid of the idea of such, and thereby launched a scheme where they can overcharge your home phone account for that one call placed home to get your mother to pick you up from the train station when you're broke coming home from school, or some other situation. So they devised a system of tracking these calls; it's now known as the Homelink system.

The story of the bug

There was a lamer at my school who my small group of friends were mates with, however he was fun to pin things on. "Have you been smoking?" "No! It was Peter!" would be our instant reply. One day we found out he had homelink, and found a card in his wallet (we used to search his belongings while he wasn't looking) with his homelink number and PIN on it.

That night I couldn't resist, I just had to try it out, only once. Yeah, right. I rang him up until my ear was raw, all hours of the night. I even went as far as to get a group of friends around and we'd take turns at ringing him.
But soon his father got wise that we were using homelink when he realised that strange sound (which happens to be the default startup/shutdown sound for Windows 95) and the 75 cent homelink calls clocked up in the thousands. Boom, he changed the PIN. Oh shit.

I got so bored one night I dialed his homelink number again, and instead of using his father's birth year (1959) I just moshed down on 1111. "Please hold while your call is being connected." Yes! Got it. But wait, it's an answering machine. The Henderson family? I've never known a Henderson ..

After ringing that number a few times, and while on a conference call with Crusader and a mate, Lorin, we got a voice answer. We put on our best Indian accents and asked if they had any curry, then we asked them if we could eat koalas or kangaroos and explained we were an Indian invasion force off the coast of Brisbane and we wanted to know where their house was so we can eat their dog. For some reason they thought we were two friends of theirs, playing a joke.

"You know where we live, don't play dumb."
"No, I am very sorry, where you live?"
"We're still in the same place you bloody left us, Fremantle."

We gasped as we realised we'd placed a call to Western Australia from Sydney, New South Wales. We stopped calling them to save them the phone bill.

Another late night, I tried dialing 5555 and got another answering machine; on further investigation I found out it was in Brisbane.

The bug

The lamer didn't give individual phone numbers out; the end-user you are connected to depends on the PIN you enter. I.e.: you place the call, get to homelink, and for every combination in use, you can get a different end user. It's that infinite. See the example below for a more illustrated approach.

    Caller ------- homelink
                      ^--- PIN 0001 ---- User1
                      ^--- PIN 0002 ---- User2
                      ^--- PIN 0003 ---- User3
                      ^--- PIN 0004 ---- User4

What a major mistake.
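The design flaw in the diagram above, modelled as an added example (not part of the original text file): the PIN is used as the routing key instead of a secret checked against one named account. The account IDs, the subscriber table, the three-failure lockout and all function names are assumptions made for illustration.

```python
import hmac

# Constructed sample data: accounts, PINs and destinations are made up.
SUBSCRIBERS = {
    "acct-A": {"pin": "1959", "dest": "User1"},
    "acct-B": {"pin": "1111", "dest": "User2"},
    "acct-C": {"pin": "5555", "dest": "User3"},
}

def route_flawed(pin):
    """Design described in the text: the PIN alone selects the end user."""
    for acct in SUBSCRIBERS.values():
        if acct["pin"] == pin:
            return acct["dest"]
    return None

class HardenedRouter:
    """The PIN is a secret verified against one named account, with lockout."""
    MAX_FAILURES = 3  # assumed policy, not a documented Telstra setting

    def __init__(self, subscribers):
        self.subscribers = subscribers
        self.failures = {}

    def route(self, account_id, pin):
        acct = self.subscribers.get(account_id)
        # Unknown or locked-out accounts are refused before any PIN check.
        if acct is None or self.failures.get(account_id, 0) >= self.MAX_FAILURES:
            return None
        # Constant-time comparison against this account's PIN only.
        if hmac.compare_digest(acct["pin"], pin):
            self.failures[account_id] = 0
            return acct["dest"]
        self.failures[account_id] = self.failures.get(account_id, 0) + 1
        return None

def hit_probability(pins_in_use, keyspace=10_000):
    """Chance that one arbitrary 4-digit PIN reaches *some* subscriber
    when the PIN is the routing key (flawed design)."""
    return len(set(pins_in_use)) / keyspace
```

In the flawed design every additional subscriber raises the chance that an arbitrary PIN connects somewhere; in the hardened form a wrong PIN only ever counts against the one account it was tried on.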
Summary

You can make your mates gasp, or just get free calls for entertainment purposes using the following number combinations. I have found these to be the most common PINs. Given are example phone numbers on the Homelink system, plus generic PIN combinations:

    Example Number: 1800-91-0000    Example PINs: 0000, 1111, 5555, 9999
    Example Number: 1800-90-1080    Example PINs: 1080, 1111, 5555, 9999
    Example Number: 1800-91-7395    Example PINs: 7395, 1111, 5555, 9999

Starting to see how this works? When you hear "Thankyou, your call is being connected." it means you've got an end user. Each time you hear that for a different PIN, you've hit a completely different user, not even necessarily in the same state.

As far as I know, the homelink system inhabits 1800-90-???? through to 1800-91-????, but it may grow or shrink. But either way, instead of having to mess with the 1800 hostmask of network numbers, they instead made a major security flaw in the PIN by networking the end-user to the PIN instead of a variable PIN to each end user. So it's pretty much like guessing a telephone number in its entirety, with a large chance of getting it right.

You've got to love those morons at Telstra. "Telstra -- Making life easier!"

Valiant.

[EOF]