Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker

owned the real phone associated with the ESN that I was using at the
moment. (Okay, the customer would also have to explain to the phone
company that he hadn’t made the extra calls he was being charged for, but
he wouldn’t be responsible for paying the charges for those unauthorized
calls.)
From a Convention Center pay phone, I dialed a number in Calgary,
Alberta, Canada. “Novatel,” a lady’s voice came down the line.
“Hi,” I said. “I need to talk to someone in Engineering.”
“Where are you calling from?” she wanted to know.
As always, I had done my research. “I’m with Engineering in Fort
Worth.”
“You should be speaking to the engineering manager, Fred Walker, but
he’s not in today. Can I take your number and have Mr. Walker call you
tomorrow?”
“It’s urgent,” I said. “Let me speak to whoever’s available in his
department.”
Moments later, a man with a Japanese accent came on the line and gave
his name as Kumamoto.
“Kumamoto-san, this is Mike Bishop, from Fort Worth,” I said, using a
name I had read off a Consumer Electronics Show electronic message board
only moments earlier. “I usually talk to Fred Walker, but he’s not in. I’m at
CES in Vegas.” I was counting on the actual background noise to lend
credence to the claim. “We’re doing some testing for a demonstration. Is
there a way to change the ESN from the phone’s keypad?”
“Absolutely not. It’s against FCC regulations.”
That was a bummer. My great idea had just gotten shot down.
No, wait. Kumamoto-san was still talking.
“We do have a special version of the firmware, version 1.05. It lets you
change the ESN from the phone keypad if you know the secret
programming steps.”
Suddenly I was back in the game. A phone’s “firmware” is its operating
system, embedded on a special kind of computer chip called an EPROM.
The trick at a moment like this is not to let your excitement come
through in your voice. I asked a question that would sound like a challenge:
“Why does it allow changing the ESN?”
“The FCC requires it for testing,” he said.

“How can I get a copy?” I thought maybe he’d say he would send me a
phone with that version of the firmware.
“I can send a chip,” he said. “You can replace it in the phone.”
Fantastic. This might be even better than getting a whole new phone, if I
could just push the guy a little further.
“Can you burn four or five of the EPROMs for me?”
“Yes.”
Excellent, but now I had hit a snag: how was I going to have them sent
to me without giving my real name and a delivery address that could be
tracked?
“Burn them for me,” I told him. “I’ll call you back.”
I was pretty sure those chips would make me the only person outside
Novatel who could change the number of his Novatel cell phone just by
pressing the buttons on his keypad. Not only would it let me talk for free,
but it would give me a cloak of invisibility, guaranteeing my conversations
would be private. And it would also give me a safe callback number
anytime I wanted to social-engineer a target company.
But how was I going to get that package sent to me without being
caught?
If you were in my shoes at this point, how would you arrange to get hold
of those chips? Think about it for a minute.
The answer wasn’t all that hard. It was in two parts, and it came to me in an
instant. I called Novatel again and asked for the secretary to Kumamoto-
san’s manager, Fred Walker. I told her, “Kumamoto-san from Engineering is
going to drop off something for me. I’m working with our people at the
booth at CES, but I’m here in Calgary for the day. I’ll come by and pick it
up this afternoon.”
Kumamoto-san was already busy burning the chips for me when I got
him back on the phone and asked him to pack them up when they were
ready and drop them off with Walker’s secretary. After spending a couple of
hours wandering the convention floor, soaking up what was new in the
world of electronics and cell phones, I was ready for my next step.
About twenty minutes before quitting time (Calgary is an hour ahead of
Las Vegas), I got the secretary on the phone again. “I’m at the airport on the

way back to Las Vegas unexpectedly—they were having problems at the
booth. That package Kumamoto-san left for me, can you FedEx it to my
hotel there? I’m staying at Circus Circus.” I had already made a reservation
for the next day at Circus Circus under the name “Mike Bishop”; the clerk
hadn’t even asked for a credit card. I gave the secretary the address of the
hotel and spelled the Mike Bishop name just to be sure she had it right.
One more phone call, again to Circus Circus. I explained I would be
arriving late and needed to make sure the front desk would hold a FedEx
that would be delivered before I checked in. “Certainly, Mr. Bishop. If it’s a
large item, the bell captain will have it in the storage room. If it’s small,
we’ll be holding it here at the registration desk.” No problem.
For the next call, I found my way to a quiet area and punched in the
number for my favorite Circuit City store. When I reached a clerk in the cell
phone department, I said, “This is Steve Walsh, LA Cellular. We’ve been
having computer failures in our activation system. Have you activated any
phones on LA Cellular in the last two hours?”
Yes, the store had sold four. “Well, look,” I said. “I need you to read me
the mobile phone number and the ESN of each of those phones, so I can
reactivate their numbers in the system. The last thing we need is unhappy
customers, right?” I gave him a sarcastic chuckle, and he read off the
numbers.
So now I had four ESNs and the phone numbers that went with them.
For the rest of the afternoon, the wait was absolutely nerve-racking. I had
no idea whether or not I would be able to pull this off. Would the Novatel
people sense that something fishy was up, and never send the chips? Would
there be FBI agents staked out in the hotel lobby, waiting to pick me up? Or
would I, by the next afternoon, have the capability of changing the number
of my cell phone as often as I wanted?
The next day, my longtime friend Alex Kasperavicius arrived. An
intelligent, friendly guy, expert in IT and telephone systems, Alex liked the
adventure of being included in some of my exploits, but he wasn’t really a
hacking partner. I could doggedly stick to an effort for months and months
until I finally succeeded. Alex wasn’t like that; he had other distractions. He
kept busy working as a camp counselor in Griffith Park, playing classical
music on his French horn, and looking for new girlfriends.
I filled him in on the situation. What a kick I got out of watching his
reaction! At first not believing it would be possible to get the manufacturer

to send us the chips, then imagining how great it would be if we could
really make calls masking our identities.
Kumamoto-san had provided me with the programming instructions for
giving the phone a new ESN, using the special version of the firmware.
Today, almost twenty years later, I can still remember the exact code. It
was:
Function-key
Function-key
#
39
#
Last eight digits of the new ESN
#
Function-key
(For the technically curious, the ESN is actually eleven decimal digits
long, the first three of which designate the phone’s manufacturer. With the
chip and the code, I would only be able to reprogram any Novatel ESN into
my phone, but not one from another cell phone manufacturer—though later
on, when I got Novatel’s source code, I would gain that capability as well.)
By 3:00 p.m., we were pretty sure Federal Express would have delivered
to Circus Circus already, and we couldn’t keep our impatience under control
any longer. Alex volunteered to do the pickup, understanding without
conversation that if I went in and there were cops waiting, I’d be on my
way back to prison. I told him to give the name Mike Bishop, say he had to
get the package directly over to the Convention Center and would be back
later to register. I stayed out front.
In a situation like this, there was always a chance that someone could’ve
seen through the ruse and alerted the Feds. We both knew that Alex could
be heading into a trap. From the moment he walked in, he’d have to be
scoping out the place for people who could be plainclothes cops. But he
couldn’t be looking up and down every man and every woman who seemed
to be just passing the time; that would be too suspicious. He had to scan.
I knew Alex was too cool to look over his shoulder or show any sign
that he was nervous. If there was anything that looked wrong, he’d walk

right out—not in an obvious hurry, but not dawdling, either.
With every minute that ticked by, I got more anxious. How long could it
take to pick up a small package? 

Download 2,97 Mb.

Do'stlaringiz bilan baham: