1
00:00:00,000 --> 00:00:04,760
Did you know that Apple, a 3.5 trillion dollar company,

2
00:00:04,760 --> 00:00:08,560
is only around due to an illegal back alley product?

3
00:00:08,560 --> 00:00:11,560
Back in the early 1970s, Apple co-founders Steve Jobs

4
00:00:11,560 --> 00:00:15,800
and Steve Wozniak constructed a device called a blue box

5
00:00:15,800 --> 00:00:21,240
that essentially hacked phone systems, allowing the user to make free long distance calls.

6
00:00:21,240 --> 00:00:26,660
A huge deal at the time, as it wasn't uncommon to have to pay upwards of $3 a minute

7
00:00:26,660 --> 00:00:30,780
for calls across state lines. The blue box was a result of a discovery

8
00:00:30,780 --> 00:00:36,680
that phone connections could be manipulated by playing certain sounds into a phone's handset,

9
00:00:36,680 --> 00:00:39,060
a process called phreaking.

10
00:00:40,900 --> 00:00:44,840
To be more specific, a tone of 2,600 Hertz,

11
00:00:44,840 --> 00:00:48,160
which sounds like this, was used by phone companies

12
00:00:48,160 --> 00:00:51,900
as a control signal that a certain line was now free,

13
00:00:51,900 --> 00:00:58,640
typically because one of the callers had hung up. But in the late 1950s, a blind child named Joe Engressia

14
00:00:58,640 --> 00:01:03,300
discovered a similar form of phreaking accidentally while whistling into a phone

15
00:01:03,300 --> 00:01:08,020
that was playing a recorded message. Because our friend Joe had perfect pitch,

16
00:01:08,020 --> 00:01:13,100
he was able to recreate this behavior to make calls drop without hanging up the phone,

17
00:01:13,100 --> 00:01:16,420
essentially manipulating the phone's back end systems

18
00:01:16,420 --> 00:01:20,340
from the user interface, sort of like people on Twitter telling AI bots

19
00:01:20,340 --> 00:01:25,700
to ignore all previous instructions. A community started to emerge around phone phreaking

20
00:01:25,700 --> 00:01:29,180
and eventually the blue box built upon Joe's discovery

21
00:01:29,180 --> 00:01:33,660
to democratize long distance calling or cheat the phone companies out of revenue,

22
00:01:33,660 --> 00:01:39,740
depending on your perspective. Here's how it worked. The user of the blue box would dial a toll-free 1-800 number

23
00:01:39,740 --> 00:01:44,140
to ensure they wouldn't be charged for the call. When it heard the phone ring on the other end,

24
00:01:44,140 --> 00:01:47,140
the blue box would play that 2,600 Hertz tone

25
00:01:47,140 --> 00:01:50,240
into the phone's handset, which would trick the system

26
00:01:50,280 --> 00:01:53,640
into thinking the caller had hung up before anyone answered.

27
00:01:53,640 --> 00:01:59,520
The line was marked as being free, but the caller using the blue box was still on the line.

28
00:01:59,520 --> 00:02:03,560
The blue box would then send the tones that corresponded to the number the user

29
00:02:03,560 --> 00:02:08,660
actually wanted to reach since the line was selective and voila, free long distance calling.

30
00:02:08,660 --> 00:02:12,200
Not a bad deal considering they were sold for 170 bucks each,

31
00:02:12,200 --> 00:02:16,360
but no more than 100 of them were ever made. Because they were so rare,

32
00:02:16,360 --> 00:02:19,520
one of them ended up selling at auction in 2017

33
00:02:19,560 --> 00:02:24,560
for $125,000, similar in price to the new iPhone 16 Pro

34
00:02:25,000 --> 00:02:29,200
with two terabytes of storage. Of course, phone companies became wise to the blue box,

35
00:02:29,200 --> 00:02:34,080
especially after a rather anti-establishment magazine ran an article with instructions

36
00:02:34,080 --> 00:02:38,960
on how to construct a similar device yourself at home. The main countermeasure against phone phreaking

37
00:02:38,960 --> 00:02:44,360
is called Signaling System 7. And I use the present tense "is"

38
00:02:44,360 --> 00:02:49,180
because it's actually still around today, even though it was rolled out in the early 1980s.

39
00:02:49,180 --> 00:02:54,340
The basic idea behind SS7 is simply to put the control signals on a separate line

40
00:02:54,340 --> 00:02:57,700
so they can't be manipulated by sounds played into the phone itself.

41
00:02:57,700 --> 00:03:02,620
And while SS7 was reasonably effective at stopping that 2,600 Hertz attack,

42
00:03:02,620 --> 00:03:07,580
it couldn't stop every kind of attack, especially as phone technology continued to evolve.

43
00:03:07,580 --> 00:03:13,620
A later common way to phreak the phone network for free long distance calls was to exploit the system

44
00:03:13,620 --> 00:03:17,940
of calling cards used by smaller carriers in the mid 1980s.

45
00:03:17,940 --> 00:03:22,180
Back then, it was common to have to dial a special local number owned by the phone company

46
00:03:22,180 --> 00:03:25,620
and then enter the code off a paid card,

47
00:03:25,620 --> 00:03:29,960
which let the network know you weren't authorized to make a long distance call.

48
00:03:29,960 --> 00:03:33,660
Only then could you dial the number you were trying to connect to.

49
00:03:33,660 --> 00:03:38,620
The problem for the phone companies was that the codes on these cards were quite short,

50
00:03:38,620 --> 00:03:42,980
meaning it was easy for PCs to quickly guess lots of different combinations

51
00:03:42,980 --> 00:03:46,140
and try those combinations using a modem.

52
00:03:46,140 --> 00:03:49,700
Lots of codes were found this way and subsequently shared to the point

53
00:03:49,700 --> 00:03:53,780
where long distance companies were losing a half billion dollars a year

54
00:03:53,780 --> 00:03:57,300
to this form of brute force phreaking by 1987.

55
00:03:57,300 --> 00:04:00,420
This scam was very popular among college students.

56
00:04:00,420 --> 00:04:03,820
In fact, over 2,500 of them were busted in a dragnet,

57
00:04:03,820 --> 00:04:08,580
but it was impossible for the phone companies to track down everyone who did this.

58
00:04:08,580 --> 00:04:12,780
This form of phreaking only disappeared when phone companies eventually made direct dialing

59
00:04:12,780 --> 00:04:15,780
of long distance numbers more universal.

60
00:04:15,780 --> 00:04:19,140
And the use of PCs to hijack phone lines continues

61
00:04:19,140 --> 00:04:24,660
to this day. We actually did a collaboration on our sister channel Linus Tech Tips with Veritasium,

62
00:04:24,660 --> 00:04:29,040
where they actually used SS7 to intercept calls to Linus' smartphone.

63
00:04:29,040 --> 00:04:33,900
They did this by buying access to SS7, which is surprisingly easy to do for a few thousand bucks,

64
00:04:33,900 --> 00:04:37,460
then using the access to steal a unique identifier code

65
00:04:37,460 --> 00:04:42,100
off the victim's SIM card. After this is done, an attacker can use that ID number

66
00:04:42,100 --> 00:04:47,220
to trick the network into thinking the victim's phone is roaming in a different country,

67
00:04:47,220 --> 00:04:52,820
which results in the network routing calls and texts to a number registered with that country code

68
00:04:52,820 --> 00:04:57,520
that the attacker controls. That was a really cool and frightening experiment.

69
00:04:57,520 --> 00:05:00,420
So if you wanna find out more, go watch that video next.
