Got 3 cents on your phone? That might be enough

Here’s an interesting case that most probably, in some compressed form, will go into my upcoming Boxless zine issue (the first one is ready but not published yet), but I never thought I’d talk about such things in 2020. Here it is: I found an abandoned SIM in one of my phones. The SIM is clean (I mean, the number hasn’t been exposed to spammers and scammers) and active well until the middle of next year, but it only has around 3 US cents (if converted from our local currency) on the balance. The SIM is from a carrier I never use normally (for different reasons), but it just so happened that I actually have plenty of free unopened SIMs from this carrier in my drawer. Obviously, all our GSM carriers now don’t allow making normal calls if the balance is lower than $0.3 or so, and there’s not much I could do, I thought. But the idea of refilling a card I never use in everyday life was not so pleasant for me, so I decided to start experimenting and remembered that there is one type of number that can be called for free in our country, even from GSM…

Yes, I’m talking about 0800 numbers. For ‘Muricans, that’s 1800 and so on. The idea is that the caller doesn’t pay anything (hence the term “toll-free”), and all the expense is covered by the number owner. I know that where I live, 0800 numbers are quite expensive to own, so their pool (not so big in our country - you only have 6 digits left for the number itself after the 0800 code, so that’s just a million) is mostly occupied by large companies for their customer support services, as well as some governmental and state-owned organization hotlines. But there is another type of service that has toll-free numbers: conference calls.

Well, the only conference call services that can afford toll-free numbers in multiple countries are the paid ones. I guess you’ll never get an 0800 number for a service like Globafy in any country outside the “first world”. You know what this means? This means you either have to pay something for setting up such a conference (which defeats the whole purpose, as you could just top up your mobile account instead), or find a way to tap into existing conference rooms on such premium services. This is what we’re going to talk about: classical phreaking with the aim of getting free long-distance phone calls, but adapted to modern limits and possibilities.

So, basically, what do we need for this? First and most obviously, we need a conference service that provides a toll-free number in our country of interest. Second, we need to somehow obtain the list of room IDs (access codes/passwords/etc. - each service calls them differently), and not every room may fit, since lots of services allow the hosts to customize the available countries to reduce maintenance costs. Third - and this may not seem so obvious - we need a burner SIM (where I live, there are no issues getting one, or, as I said, I even got dozens of them for free) and (preferably) a burner phone that allows changing the IMEI (I hope I covered enough on this topic in this blog), just to make sure we don’t get into any trouble or, at least, we don’t get our main number blocked at the most unfortunate moment. And also, since we’re talking about conference calls at this point, we need other participants capable of doing the same AND some way to signal to them when to connect to the room. So, this is more akin to the phone company “bridges”/“party lines” used by phreakers of the past than to traditional 2600-like long-distance hacks.

But how do we find the suitable room IDs, you may ask? Well, there are basically two ways. One of them is called “war dialing” - just using a voice-enabled modem to brute-force all the IDs in the allowed range until you get the correct response, or, in the modern era, using the API while mimicking the application’s requests. For me, this way is just out of the question. Having the ID open for the application does not mean this ID has an available toll-free number for your country, and repeatedly dialing thousands of codes on the 0800 number will surely raise huge suspicion from the carrier’s security service. And this suspicion may even lead them to the cyber department of the police. Who wants that? The other way is to find the exposed IDs on the Web itself. Hackers of the past used trash cans to find the paper with valuable information, but we can use Google or DuckDuckGo to find unprotected IDs. Again, it’s not the service companies’ fault that people expose information that absolutely must not be exposed to the search engines.

And now, I’m going to cover only two paid services that just happen to be exploitable where I live. I mean, the basics of it can surely be applied to any other similar service, but you’re required to do your own research and take your own precautions before trying to apply any of this.

And the first one is, of course, Zoom. The Web has recently been swarming with articles on how some hackers “wardial” the rooms and hijack legit meetings. I don’t know who does this or why, but they’re basically taking the easy path. I mean, they don’t have to filter out the rooms that don’t have the necessary toll-free access. And while you can just enter this query - ".zoom.us/j/" -site:support.zoom.us - to find the conference IDs in the join link, you have to enter this query - "zoom.us/zoomconference?m=" - to find the message “International numbers available”. And then, after copying the ID, you have to go to this zoom.us/zoomconference... link and manually check whether your toll-free number is in the list. Only then can you save the meeting ID as… plausible. Why? Because if the meeting is not set up as recurring, you may get a message that the meeting has ended or hasn’t been started when you try to actually join. So you’re required to do this check before even trying to share the newly found vulnerable ID with your fellas.

The second one seems to be not a single service, but a group of services on the same engine (“Reservationless-Plus”): Unified Communications, TCC Online, Intercall Online, MeetingConnect etc. I don’t know who actually developed this (Intrado?), but searching for the available IDs is absolutely easy with this Google query: inurl:"/listNumbersByCode.action?confCode=" YourCountry (with “omitted results included”) - and then you click on any search result, click on the “Change Country” dropdown and select your country, or “All countries” to view all the numbers and find which of them are toll-free. I mean, FFS, this can even be easily automated and aggregated in no time with a simple shell script (you still have to collect the URLs manually though). See for yourself - this is how a single page can be processed:

```bash
#!/bin/bash
# Usage: ./intercall-extract.sh URL CountryCode (US, AU etc)
echo "Fetching info..."
confUrl="$1"
ccDivId="rowId$2"
# The conference code is the value after "confCode=" in the URL
confId=$(echo "$confUrl" | cut -d '=' -f 2)
# The pattern uses non-greedy ".*?" and "\d", which are PCRE syntax,
# so grep needs -P (Perl regex) rather than -E.
accessSearch="${ccDivId}.*?<li class=\"toll-free\"><label>Toll Free</label>\s+<span>\s+\d+"
# Flatten the page to one line so the pattern can span the markup
accessNum=$(curl -s "$confUrl" | tr -d '\n\r' | grep -Po "$accessSearch" | grep -Po "\d+$")
echo "Conference ID: $confId"
echo "Country access number: $accessNum"
```

As you can see, it’s really simple. This is just a POC, but you can loop it over a massive URL pool. As soon as you encounter an available toll-free number for your country, you can write the number/ID pair down somewhere and use it later.

All this, as you might imagine, is just the tip of the iceberg. There are some similar toll-free long-distance calling card providers where the user PIN can also be brute-forced quite easily, or there might be other loopholes. All I want to say here is that traditional phreaking is still not dead, and we can witness new hacks here and there. Just need to keep our eyes open in these trying times.
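The war-dialing paragraph above notes that repeatedly dialing codes on an 0800 number is exactly what a carrier’s security team watches for, and the same pattern applies to PIN guessing on calling-card bridges. Here is an added example (not from the original post) of what that detection looks like from the carrier or bridge operator’s side: it reads constructed call detail records and flags any caller with a burst of short calls to a bridge number. The CSV layout, the bridge number and the thresholds are assumptions for illustration.

```python
"""Flag callers whose burst of short calls to a toll-free conference
bridge looks like access-code or PIN guessing ("war dialing").
Added example; CDR format, numbers and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDRs: caller, called number, start time, duration (s).
# The first caller makes six short calls in two minutes (code guessing);
# the second holds one long call (a real participant); the third is a one-off.
SAMPLE_CDR = """\
+000111222333,0800123456,2020-04-01T10:00:05,14
+000111222333,0800123456,2020-04-01T10:00:31,12
+000111222333,0800123456,2020-04-01T10:00:55,13
+000111222333,0800123456,2020-04-01T10:01:20,15
+000111222333,0800123456,2020-04-01T10:01:48,11
+000111222333,0800123456,2020-04-01T10:02:10,12
+000444555666,0800123456,2020-04-01T10:05:00,1830
+000777888999,0800123456,2020-04-01T11:00:00,20
"""


def parse_cdr(text):
    """Parse comma-separated CDR lines into (caller, callee, start, duration)."""
    rows = []
    for line in text.splitlines():
        caller, callee, start, dur = line.split(",")
        rows.append((caller, callee, datetime.fromisoformat(start), int(dur)))
    return rows


def flag_code_guessing(rows, bridge_numbers, max_duration=30,
                       min_calls=5, window=timedelta(minutes=10)):
    """Return {caller: count} for callers with at least min_calls short
    calls (<= max_duration seconds) to a bridge number inside any window.
    A short call is one the bridge dropped before a valid code was entered."""
    per_caller = defaultdict(list)
    for caller, callee, start, dur in rows:
        if callee in bridge_numbers and dur <= max_duration:
            per_caller[caller].append(start)
    flagged = {}
    for caller, starts in per_caller.items():
        starts.sort()
        for i, t0 in enumerate(starts):
            # Sliding window: count short calls starting within [t0, t0 + window]
            n = sum(1 for t in starts[i:] if t - t0 <= window)
            if n >= min_calls:
                flagged[caller] = n
                break
    return flagged
```

In a real deployment the flagged numbers would feed a fraud-management rule (rate limiting or a temporary block on the bridge number), which is the "suspicion from the carrier's security service" the post refers to.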
