The Phony Pony: Phreaks Blazed The Way - Patrick McNeil Owen Derbycon 2015 (Hacking Illustrated Series InfoSec Tutorial Videos)

The Phony Pony: Phreaks Blazed The Way
Patrick McNeil Owen
Derbycon 2015

Exploring the phone system was once the new and exciting realm of "phone phreaks," an ancestor of today's computer "hackers." The first phreaks "owned" and explored the vague mysteries of the telephone network for a time until their activities drew too much attention from the phone companies and law enforcement. The phone system evolved, somewhat, in an attempt to shut them out, and phreaking became both difficult and legally dangerous. Such events paralleled a new personal computer "revolution" wherein phone phreaks made the transition from the secret subtleties of telephony to the new and mystical frontier of personal computing. Private BBS(s) and, eventually, the Internet was not only the next logical step forward, but also provided "safer" alternatives that still allowed for the thrill of exploring the mysteries of a new modern age. Telephony, and voice security in general, became, as the years passed, something of a lost art to all but those who remember...

In this presentation we begin our adventure with a journey back in time, when users required an operator at the switchboard to make a call. We will briefly take a look at the weaknesses of early telephone systems and the emergence of the original phreaks in the 50's and 60's who found and exploited them. Our journey will also allow us to demonstrate how some of the same basic phreaking approaches are still applicable to today's "advanced" VoIP systems. Certainly the initial creation and emergence of VoIP opened a variety of attack vectors that were covered at security conferences at the time. Commercial VoIP adoption, however, remained stagnant until standards and carriers caught up. Some VoIP hacking tools were left unmaintained, and VoIP wasn't the sexy and mysterious attack vector it once was with the exception of tricksters who found old or insecure systems to be easy targets.

Due to increased VoIP adoption over the last few years, however, telephony attacks are provocative once again. We'll unravel the mysteries of the curious world of phreaks, tricksters, and VoIP hackers. We'll compare and contrast old school phreaking with new advances in VoIP hacking. We'll explain how voice systems are targeted, how they are attacked using old and new methods, and how to secure them - with demonstrations along with practical and actionable tips along the way. We'll even be providing an update to "Phreakme" - our new VoIP telephony phishing tool that fuses the past and the present.

Patrick has spoken about telephony fraud at a number of conferences, including last year's DEF CON Skytalks ("How To Make Money Fast Using A Pwned PBX"), and is a #telephreak at heart. He has over twenty years of experience, mostly with telecom manufacturers, and spent time in charge of product security for the communications security business of a Fortune 100 company. When not working you can find him practicing Kung Fu, brewing beer, or picking locks with Oak City Locksport. Owen used to be a professional developer code monkey. He's worked in various IT fields including Server Administration, DevOps, Application Security and most recently as a penetration tester. He enjoys tinkering with various technologies, and has experimented for prolonged periods with PBXs and the obscure side of VoIP.



Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast