NINE

The Kevin Mitnick Discount Plan

tvifafwawehes hsesoonvtlimaeloemtcagmen irnoerrldony

Imagine a trade-show floor with 2 million square feet of space, packed with 200,000 people crammed wall to wall, sounding like they’re all talking at once, mostly in Japanese, Taiwanese, and Mandarin. That’s what the Las Vegas Convention Center was like in 1991 during CES, the annual Consumer Electronics Show—a candy store, drawing one of the biggest crowds in the world.

I had traveled across town to be there one day during the show, but not just to visit the booths or see the new electronic gadgets that would dazzle buyers the next Christmas. I was there for the background noise. It was essential for an air of believability on the phone call I was about to place.

This was the challenge: I had a Novatel PTR-825 cell phone, which back then was one of the hottest phones on the market. I wanted to feel safe talking to my friends on it, and not have to wonder if somebody from the FBI or local law enforcement was listening in. I knew a way that might be possible. Now I was trying to find out if what I had in mind could really work.

My plan was based on a trick involving the phone’s electronic serial number, or “ESN.” As every phone hacker knows, each cell phone has a unique ESN, which gets transmitted along with the mobile phone number, or MIN, to the nearest cell tower. It’s part of how the cell phone company validates that a caller is a legitimate subscriber, and part of how it knows whom to charge calls to.

If I could keep changing my phone so it would transmit the MINs and ESNs of legitimate subscribers, then my calls would be completely safe: every attempt to trace a call would lead to some stranger, the person who owned the real phone associated with the ESN that I was using at the moment. (Okay, the customer would also have to explain to the phone company that he hadn’t made the extra calls he was being charged for, but he wouldn’t be responsible for paying the charges for those unauthorized calls.)

From a Convention Center pay phone, I dialed a number in Calgary, Alberta, Canada. “Novatel,” a lady’s voice came down the line.

“Hi,” I said. “I need to talk to someone in Engineering.”

“Where are you calling from?” she wanted to know.

As always, I had done my research. “I’m with Engineering in Fort Worth.”

“You should be speaking to the engineering manager, Fred Walker, but he’s not in today. Can I take your number and have Mr. Walker call you tomorrow?”

“It’s urgent,” I said. “Let me speak to whoever’s available in his department.”

Moments later, a man with a Japanese accent came on the line and gave his name as Kumamoto.

“Kumamoto-san, this is Mike Bishop, from Fort Worth,” I said, using a name I had read off a Consumer Electronics Show electronic message board only moments earlier. “I usually talk to Fred Walker, but he’s not in. I’m at CES in Vegas.” I was counting on the actual background noise to lend credence to the claim. “We’re doing some testing for a demonstration. Is there a way to change the ESN from the phone’s keypad?”

“Absolutely not. It’s against FCC regulations.”

That was a bummer. My great idea had just gotten shot down.

No, wait. Kumamoto-san was still talking.

“We do have a special version of the firmware, version 1.05. It lets you change the ESN from the phone keypad if you know the secret programming steps.”

Suddenly I was back in the game. A phone’s “firmware” is its operating system, embedded on a special kind of computer chip called an EPROM.

The trick at a moment like this is not to let your excitement come through in your voice. I asked a question that would sound like a challenge: “Why does it allow changing the ESN?”

“The FCC requires it for testing,” he said.

“How can I get a copy?” I thought maybe he’d say he would send me a phone with that version of the firmware.

“I can send a chip,” he said. “You can replace it in the phone.”

Fantastic. This might be even better than getting a whole new phone, if I could just push the guy a little further.

“Can you burn four or five of the EPROMs for me?”

“Yes.”

Excellent, but now I had hit a snag: how was I going to have them sent to me without giving my real name and a delivery address that could be tracked?

“Burn them for me,” I told him. “I’ll call you back.”

I was pretty sure those chips would make me the only person outside Novatel who could change the number of his Novatel cell phone just by pressing the buttons on his keypad. Not only would it let me talk for free, but it would give me a cloak of invisibility, guaranteeing my conversations would be private. And it would also give me a safe callback number anytime I wanted to social-engineer a target company.

But how was I going to get that package sent to me without being caught?

If you were in my shoes at this point, how would you arrange to get hold of those chips? Think about it for a minute.

The answer wasn’t all that hard. It was in two parts, and it came to me in an instant. I called Novatel again and asked for the secretary to Kumamoto-san’s manager, Fred Walker. I told her, “Kumamoto-san from Engineering is going to drop off something for me. I’m working with our people at the booth at CES, but I’m here in Calgary for the day. I’ll come by and pick it up this afternoon.”

Kumamoto-san was already busy burning the chips for me when I got him back on the phone and asked him to pack them up when they were ready and drop them off with Walker’s secretary. After spending a couple of hours wandering the convention floor, soaking up what was new in the world of electronics and cell phones, I was ready for my next step.

About twenty minutes before quitting time (Calgary is an hour ahead of Las Vegas), I got the secretary on the phone again. “I’m at the airport on the way back to Las Vegas unexpectedly—they were having problems at the booth. That package Kumamoto-san left for me, can you FedEx it to my hotel there? I’m staying at Circus Circus.” I had already made a reservation for the next day at Circus Circus under the name “Mike Bishop”; the clerk hadn’t even asked for a credit card. I gave the secretary the address of the hotel and spelled the Mike Bishop name just to be sure she had it right.

One more phone call, again to Circus Circus. I explained I would be arriving late and needed to make sure the front desk would hold a FedEx that would be delivered before I checked in. “Certainly, Mr. Bishop. If it’s a large item, the bell captain will have it in the storage room. If it’s small, we’ll be holding it here at the registration desk.” No problem.

For the next call, I found my way to a quiet area and punched in the number for my favorite Circuit City store. When I reached a clerk in the cell phone department, I said, “This is Steve Walsh, LA Cellular. We’ve been having computer failures in our activation system. Have you activated any phones on LA Cellular in the last two hours?”

Yes, the store had sold four. “Well, look,” I said. “I need you to read me the mobile phone number and the ESN of each of those phones, so I can reactivate their numbers in the system. The last thing we need is unhappy customers, right?” I gave him a sarcastic chuckle, and he read off the numbers.

So now I had four ESNs and the phone numbers that went with them. For the rest of the afternoon, the wait was absolutely nerve-racking. I had no idea whether or not I would be able to pull this off. Would the Novatel people sense that something fishy was up, and never send the chips? Would there be FBI agents staked out in the hotel lobby, waiting to pick me up? Or would I, by the next afternoon, have the capability of changing the number of my cell phone as often as I wanted?

The next day, my longtime friend Alex Kasperavicius arrived. An intelligent, friendly guy, expert in IT and telephone systems, Alex liked the adventure of being included in some of my exploits, but he wasn’t really a hacking partner. I could doggedly stick to an effort for months and months until I finally succeeded. Alex wasn’t like that; he had other distractions. He kept busy working as a camp counselor in Griffith Park, playing classical music on his French horn, and looking for new girlfriends.

I filled him in on the situation. What a kick I got out of watching his reaction! At first not believing it would be possible to get the manufacturer to send us the chips, then imagining how great it would be if we could really make calls masking our identities.

Kumamoto-san had provided me with the programming instructions for giving the phone a new ESN, using the special version of the firmware. Today, almost twenty years later, I can still remember the exact code. It was:

Function-key
Function-key
#
39
#
Last eight digits of the new ESN
#
Function-key

(For the technically curious, the ESN is actually eleven decimal digits long, the first three of which designate the phone’s manufacturer. With the chip and the code, I would only be able to reprogram any Novatel ESN into my phone, but not one from another cell phone manufacturer—though later on, when I got Novatel’s source code, I would gain that capability as well.)
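The chapter describes the carrier-side check from the attacker's seat: the tower accepts any MIN/ESN pair that matches a subscriber record, so a phone transmitting a copied pair is indistinguishable from the real one, and the bill goes to the real subscriber. The following is an added example, not code from the book or from Novatel, that models that check from the carrier's side and shows the one signal a clone cannot hide: the same MIN/ESN pair registering at two towers too far apart to have been reached by one handset. The ESN layout follows the chapter (eleven decimal digits, the first three a manufacturer code); the field ranges come from the 32-bit AMPS ESN (8-bit manufacturer, 24-bit serial). The subscriber record, manufacturer code, tower coordinates, speed threshold and registration events are all constructed.

```python
"""Carrier-side MIN/ESN validation plus a velocity check for cloned pairs.

Added example, not from the book. Subscriber records, the manufacturer
code, tower coordinates and registration events are constructed.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

# ESN layout as the chapter states it: 11 decimal digits, first 3 = manufacturer.
# Field ranges follow the 32-bit AMPS ESN (8-bit manufacturer, 24-bit serial).
ESN_DIGITS = 11
MFR_MAX = 0xFF
SERIAL_MAX = 0xFFFFFF
MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold: faster than this between towers is flagged


def parse_esn(esn: str) -> Tuple[int, int]:
    """Split an ESN into (manufacturer code, serial), rejecting malformed values."""
    if len(esn) != ESN_DIGITS or not esn.isdigit():
        raise ValueError("ESN must be exactly 11 decimal digits")
    mfr, serial = int(esn[:3]), int(esn[3:])
    if mfr > MFR_MAX or serial > SERIAL_MAX:
        raise ValueError("ESN field out of range")
    return mfr, serial


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


@dataclass(frozen=True)
class Registration:
    min_: str   # mobile identification number (the phone number)
    esn: str    # electronic serial number transmitted alongside it
    tower: str  # cell site that received the registration
    t: int      # seconds since the start of the trace


class Carrier:
    def __init__(self, subscribers: Dict[str, str], towers: Dict[str, Tuple[float, float]]):
        self.subscribers = subscribers        # MIN -> ESN on file
        self.towers = towers                  # tower id -> (lat, lon)
        self.last_seen: Dict[str, Registration] = {}
        self.alerts: List[str] = []

    def pair_is_valid(self, reg: Registration) -> bool:
        """The legacy check: a well-formed ESN that matches the MIN's record.
        A clone transmitting a copied pair passes this, which is the chapter's point."""
        try:
            parse_esn(reg.esn)
        except ValueError:
            return False
        return self.subscribers.get(reg.min_) == reg.esn

    def register(self, reg: Registration) -> bool:
        """Accept or reject a registration; flag implausible movement of one pair."""
        if not self.pair_is_valid(reg):
            return False
        prev = self.last_seen.get(reg.min_)
        if prev is not None and prev.tower != reg.tower:
            km = haversine_km(self.towers[prev.tower], self.towers[reg.tower])
            hours = (reg.t - prev.t) / 3600.0
            if hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH:
                self.alerts.append(
                    f"MIN {reg.min_}: {prev.tower} -> {reg.tower} in {reg.t - prev.t}s "
                    f"({km:.0f} km); possible clone")
        self.last_seen[reg.min_] = reg
        return True


# Constructed data: one subscriber, two towers roughly 380 km apart.
SUBSCRIBERS = {"2135550142": "12900004242"}
TOWERS = {"LAX": (33.9416, -118.4085), "LAS": (36.0840, -115.1537)}


def run_demo() -> Tuple[List[bool], List[str]]:
    carrier = Carrier(SUBSCRIBERS, TOWERS)
    results = [
        carrier.register(Registration("2135550142", "12900004242", "LAX", 0)),    # real phone
        carrier.register(Registration("2135550142", "12900009999", "LAX", 60)),   # wrong ESN
        carrier.register(Registration("2135550142", "12900004242", "LAS", 600)),  # copied pair
    ]
    return results, carrier.alerts


if __name__ == "__main__":
    accepted, alerts = run_demo()
    print("accepted:", accepted)
    for line in alerts:
        print(line)
```

The second registration fails only because its ESN does not match the record; the third passes the pair check exactly as the real phone did, and is caught solely because one pair cannot travel from Los Angeles to Las Vegas in ten minutes. Carriers later added checks of this kind, along with RF fingerprinting, precisely because the pair check alone cannot tell a clone from its original.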

By 3:00 p.m., we were pretty sure Federal Express would have delivered to Circus Circus already, and we couldn’t keep our impatience under control any longer. Alex volunteered to do the pickup, understanding without conversation that if I went in and there were cops waiting, I’d be on my way back to prison. I told him to give the name Mike Bishop, say he had to get the package directly over to the Convention Center and would be back later to register. I stayed out front.

In a situation like this, there was always a chance that someone could’ve seen through the ruse and alerted the Feds. We both knew that Alex could be heading into a trap. From the moment he walked in, he’d have to be scoping out the place for people who could be plainclothes cops. But he couldn’t be looking up and down every man and every woman who seemed to be just passing the time; that would be too suspicious. He had to scan.

I knew Alex was too cool to look over his shoulder or show any sign that he was nervous. If there was anything that looked wrong, he’d walk right out—not in an obvious hurry, but not dawdling, either.

With every minute that ticked by, I got more anxious. How long could it take to pick up a small package? Okay, I thought, calm down, there are probably a lot of people in line at the registration desk, and he has to wait his turn.

More minutes ticked by. I was beginning to think I’d have to walk in myself and see if there was a crowd of cops, or maybe ask a casino guest if there had been some kind of police action a few minutes before.

But there he was, coming out the door, sauntering casually over to me with a huge grin on his face.

Filled with anticipation, heart pumping, we stood right there on the street and opened the package. Inside, a clear white case contained, as promised, five cell phone 27C512 EPROMs. I had been social-engineering for years, but this was probably my biggest prize ever up to that time. If, that is, the chips really worked. We crossed Las Vegas Boulevard to the Peppermill, avoiding the tourist-filled cocktail lounge with its sexy waitresses in favor of a booth in the restaurant area, where we would be less conspicuous.

Lewis De Payne joined us. Yes, the guy who was now my ex-wife’s lover.

I’m not sure I can explain why I kept in contact with Lewis after he stole my wife. Obviously I never trusted or respected him again. But frankly, there were so few people I dared to stay in touch with at all that I needed someone who understood my predicament. And who could understand it better than Lewis? He had been my hacking buddy from the start. We’d been through a lot together.

It would’ve been easy to think of him with bitterness, as my arch-enemy. He certainly qualified. But at the same time, he was also genuinely one of my best friends. And Bonnie was another. Eventually, I had moved past the pain and begun seeing them again. We gradually became friends, like those divorced couples with kids who end up having picnics together with their new spouses on family holidays.

We’re often advised to “forgive and forget.” In this case, “forgiveness” may be too strong a word. I had to let go of the resentment for my own sake, but I couldn’t afford to forget. Although Lewis was a good hacking partner and I valued his skill set, I hacked with him only when I had a failsafe—when we both stood to lose if he tried to turn me in.

Under these new conditions, Lewis and I had resumed our hacking together and created a new version of our old friendship that had changed forever.

Now, in our booth in the Peppermill, I thought Lewis’s eyes were going to pop out of his head when he saw those chips. He sat down without fanfare and started disassembling my phone, carefully arranging its parts on the table and jotting the details on a notepad so he’d know where each belonged when he was ready to put them all back together.

In less than five minutes, Lewis had the phone taken apart, down to the circuit board, revealing the chip held in place by a ZIF (“zero insertion force”) socket. I handed him one of the new chips. He slipped it into place and began his careful reassembly. I didn’t want to say anything that would throw him off, but I was growing antsy, wishing he’d work just a little faster so I could find out if we had hit a goldmine or not.

As soon as it was completely together, I snatched the phone from him and punched in the function code that Kumamoto-san had given me. For this test, I programmed the ESN and changed the phone number to match the ones for Lewis’s phone.

The phone turned itself off and rebooted. I could feel my every heartbeat at the front of my scalp. All three of our heads were bent over the table, focused on the phone’s little screen.

The display lit with the start-up screen. I punched in the function to display the phone’s ESN. The numbers that appeared were the ones for the ESN I had entered.

The three of us sent up a cheer, not caring that other customers were turning to stare.

It worked! It really worked!

Back then, some phone companies had a number you could call to get the accurate time. I punched in 213 853-1212 and put the phone down on the table. All three of us heard it together, that recorded lady’s voice saying, “At the tone the time will be…” My phone was now successfully making outgoing calls as a clone of Lewis’s—and the cell phone company would record these calls as having been made not by me but by Lewis from his own phone.

I had social-engineered Novatel and gained huge power. I could make phone calls that couldn’t be traced back to me.

But had I just fallen off the wagon for this one hack… or was I back into hacking all over again? At that moment, I could not have said for sure.

What I did know, though, was that I had achieved invisibility.