Inside the Hidden World of Elevator Phone Phreaking
Credit to Author: Andy Greenberg | Date: Fri, 09 Aug 2019 19:00:00 +0000
The first time I called into an elevator, I picked up my iPhone and dialed the number—labeled on my list as the Crown Plaza Hotel in Chicago—and immediately heard two beeps, then a recording of a woman's voice telling me to press one to talk. When I did, I was suddenly in an aural space filled with the hum of motors and the muffled twanging of steel cables under tension. "Hello, can anyone hear me?" I asked the void. The void did not respond.
I hung up and tried another number on my list: A Hilton hotel in Grand Rapids, Michigan. After just one ring I heard a series of four tones and was immediately listening to the inside of another elevator. I heard a chime, perhaps a signal that it had reached a floor, followed by the rumble of what might have been a door opening. "Hi, is anyone in here?" I asked. This time I heard a few muffled voices, then a woman answered: "There are people in here, yes."
Sounding a little more excited than I intended, I asked if anyone was in an emergency situation, a strange question I felt compelled to lead with, to make sure I wasn't tying up the elevator's phone line when the occupants might need it. I got no answer except what sounded like the rumble of the door opening and closing again.
So I stayed on the line. A few seconds later, the elevator chimed, and I heard the noises of new people entering. I greeted them as I had the first passengers, but they didn't seem to hear me even after several attempts. "Turn it over," I heard a woman's voice say in a Midwestern accent. "The lady at the desk just said to hold it," a man said. I realized I was listening to a couple trying to figure out how to use their keycard to unlock the button for their floor of the hotel. I felt a transgressive excitement, a sense that I was eavesdropping on a conversation I shouldn't be hearing, and I instinctively hung up the phone.
This was my introduction to the illicit thrill of elevator phone phreaking. I had learned about this hobby—and received my list of working elevator phones—just a few days earlier from Will Caruana, a thirtysomething freelance security researcher. Caruana works a day job in airline customer service, mostly helping people find their lost luggage. But in his off hours, Caruana practices phreaking, a decades-old form of proto-hacking that explores the hidden features, bugs, and pathways of the global telephone system. At the Defcon hacker conference in Las Vegas today, Caruana will give a talk on a very specific subgenre of that pastime: phreaking elevator phones, the emergency call boxes legally mandated to be in every elevator in America, and largely left wide open to any caller who can determine their numbers.
"I can dial into an elevator phone, listen in on private conversations, reprogram the phone so that if someone hits it in an emergency it calls a number of my choosing," Caruana told me in our first conversation. Elevator phones typically emit audible beeps in the elevator when they connect. But if someone has dialed into the phone of the elevator you're riding before you enter it, Caruana warned me, the only indication might be a red light on the phone's panel. "It’s hard to notice if you're not looking for it," Caruana says.
Over the last year, Caruana has assembled what he believes is the largest public list of elevator phone numbers, which he plans to make available to a limited audience—although he declined to say where exactly he's publishing it. He says he's releasing the list of 80-plus numbers not just because he wants to foster more elevator phone phreaking as an opportunity for whimsy and chance encounters, but also to draw attention to the possibility that elevator phones could be abused for serious privacy invasion and even sabotage. Call up most elevator phones and press 2, and you'll be asked to enter a password to reprogram them. In far too many cases, Caruana says, phone installers and building managers don't change those passwords from easily guessable default codes, allowing anyone to tamper with their settings.
Caruana has figured out many of those passwords by hunting down elevator phone manuals, googling documentation, and buying a dozen elevator phones off eBay over the last year. As a result, he or any other similarly equipped phreaker could change the number the phone calls when someone in the elevator presses the "help" or "call" button. Instead of dialing emergency responders, a reprogrammed phone can be set to call the phreaker's cell phone, or a pizza delivery place, or a number that plays a recording of Rick Astley's "Never Gonna Give You Up." Or a phreaker can reprogram the phone to change its location ID, Caruana says, so that it misrepresents the location of the people calling, potentially confusing responders.
"No one’s setting new passwords on these systems, and no one’s monitoring them," Caruana says. "I got into this from pure fascination, but I’m going public with it because it’s an actual problem."
Caruana takes pains to emphasize that the community of elevator phone phreakers he knows personally focuses entirely on exploration and harmless absurdity. He says he first became aware of that community when he was on a conference call with a group of half a dozen phreakers a year ago, and one of them added an elevator to the call. "You hear that weird echo, those odd menus," Caruana says. "I was blown away. I didn’t understand it, I had no idea what was going on, and I wanted to learn more."
Since then, Caruana has learned the tricks to identify those secret elevator phone numbers, some of which have been used by phreakers for at least 20 years: Call sequential numbers left out of a building's directory to guess the ones that might be elevators. Open an elevator phone cabinet, attach alligator clips to the phone line, connect your own phone, and call 1-800-444-4444, which reads your number back to you. Or simply ride in the elevator, hit the button, and impersonate an elevator technician who needs to know the line's number.
Caruana declined to say which of those techniques he's used himself, but he says he's called more than 50 elevators over the last year. One trick he enjoys is dialing up friends in a hotel elevator to surprise them when they're attending a hacker conference together. (He asked that I make clear he isn't using that trick during Defcon; he doesn't want to be kicked out of the hotel he's staying at in Las Vegas.)
Another phreaker Caruana introduced me to, who emailed with me under the name SLICThroat, says that he's called into elevators hundreds of times, most often to study the different behavior of their varied electronics, or just to listen in to a mysterious, faraway space. "Complexes all over the world have them, and the ambient noises or conversations can be a window into what goes on in a place you may never have the opportunity to set foot in," SLICThroat writes.
But he's also heard other phreakers dial in elevator phones on conference lines and stage elaborate prank calls he compares to "improv acting exercises" with unwitting elevator riders. "I've heard some people pose as lecherous members of the maintenance staff before," writes SLICThroat, "or usually better yet, a quick-talking, deep-voiced unscrupulous staff member trying to sell questionable goods to the elevator's passengers."
The act of dialing into an elevator phone, even unannounced, doesn't in itself break any laws, says Tor Ekeland, a well-known hacker defense attorney. "On its face calling these numbers is not a violation," Ekeland says. Taking advantage of default passwords to reprogram them, on the other hand, is likely a computer fraud and abuse violation and an extremely reckless move, he warns. "If I’m having a heart attack or I'm stuck between floors during a fire and I call out and it's Domino's Pizza, there’s real harm there."
With that legal advice in mind, and armed with the list of elevator phone numbers Caruana shared with me, I called into a couple dozen elevators across the country, carefully avoiding their reprogramming options and making sure to ask first if anyone inside was in an emergency situation. Most of the elevators were empty. When people were onboard, it turned out to be tough to start a conversation. A Georgetown University elevator occupant apologized, thinking they'd mistakenly pushed the button, and quickly exited. A man in a government building in Seattle didn't have time to talk. An older man in the elevator of a resort in Idaho told me he was too busy and said goodbye. When the elevator dinged, I introduced myself again, thinking a new rider had entered, but it turned out that it was still the same man, and that we'd been riding together in awkward silence. He scolded me for tying up the line and walked out.
Back at the Grand Rapids Hilton where I started—the busiest elevator I found—I managed to speak briefly with a few riders, but mostly just caused confusion. "I'm just a guest at this hotel, and the elevator is talking to me," one worried woman said.
Eavesdropping was unsurprisingly far easier than interviews. After one group of fratty-sounding men failed to hear me say hello a few times, I sat on the line while they discussed the homelessness problem in the area around the hotel, and laughed about how a friend had brought one homeless man into a party they'd thrown there on their last visit. None of them mentioned a suspiciously lit red LED.
Caruana and other phreakers warned me that it's not just elevator phones that are potentially open to unwelcome calls. Stairwell phones, emergency phones at swimming pools, callboxes on college campuses, and other push-to-call phones in random buildings across the country are similarly exposed. But Caruana says he wouldn't be revealing this telephonic playground in a Defcon talk if it weren't for the more serious issue of the harm reprogrammable phones could cause. "We enjoy these systems. We don’t want them to go away," Caruana says. "I personally would like them to become more secure."
One elevator consultant and security researcher, Howard Payne, confirmed that he has indeed seen elevator phones with default reprogramming passwords in the wild. "I am aware of specific emergency phones that still use their default remote access code, and I'd speculate that many if not most do," Payne wrote to me. "Tampering with, and vandalism to, emergency communications systems is negligent at best and downright dangerous at worst. But precisely for that reason, it's important for these devices to be properly secured against remote tampering by bad actors."
In his Defcon talk, Caruana plans to offer a set of recommendations for elevator phone installers, building managers, and emergency responders: "Don't use default passwords. Don’t allow the most common PINs. Don't allow remote reprogramming. And train your call centers for social engineering," he says.
But Caruana says that he was also drawn to speak at Defcon because elevators represent one of the last frontiers of phreaking in a world where the quirks of analog telephony have been largely replaced by digital equipment. "There isn’t a lot left for phone phreakers today," he says. "This is one of the last true investigations of something that can be phreaked with."
Finally, he says, he wanted to share the simple joy of messing around with elevators, a prosaic piece of infrastructure whose slick, metallic panels mask a world of hidden features. "There's still a mystery that surrounds them," Caruana says. "You’re enclosed in this box you don’t have a lot of control over. To be able to poke at that, to take back some of that control, I think, is really appealing."