WEBVTT

00:00:00.000 --> 00:00:04.760
Did you know that Apple, a 3.5 trillion dollar company,

00:00:04.760 --> 00:00:08.560
is only around due to an illegal back alley product?

00:00:08.560 --> 00:00:11.560
Back in the early 1970s, Apple co-founder Steve Jobs

00:00:11.560 --> 00:00:15.800
and Steve Wozniak constructed a device called a blue box

00:00:15.800 --> 00:00:21.240
that essentially hacked phone systems, allowing the user to make free long distance calls.

00:00:21.240 --> 00:00:26.660
A huge deal at the time, as it wasn't uncommon to have to pay upwards of $3 a minute

00:00:26.660 --> 00:00:30.780
for calls across state lines. The blue box was a result of a discovery

00:00:30.780 --> 00:00:36.680
that phone connections could be manipulated by playing certain sounds into a phone's handset,

00:00:36.680 --> 00:00:39.060
a process called freaking.

00:00:40.900 --> 00:00:44.840
To be more specific, a tone of 2,600 Hertz,

00:00:44.840 --> 00:00:48.160
which sounds like this, was used by phone companies

00:00:48.160 --> 00:00:51.900
as a control signal that a certain line was now free,

00:00:51.900 --> 00:00:58.640
typically because one of the callers had hung up. But in the late 1950s, a blind child named Joe Ingressia

00:00:58.640 --> 00:01:03.300
discovered a similar form of freaking accidentally while whistling into a phone

00:01:03.300 --> 00:01:08.020
that was playing a recorded message. Because our friend Joe had perfect pitch,

00:01:08.020 --> 00:01:13.100
he was able to recreate this behavior to make calls drop without hanging up the phone,

00:01:13.100 --> 00:01:16.420
essentially manipulating the phone's back end systems

00:01:16.420 --> 00:01:20.340
from the user interface, sort of like people on Twitter telling AI bots

00:01:20.340 --> 00:01:25.700
to ignore all previous instructions. A community started to emerge around phone freaking

00:01:25.700 --> 00:01:29.180
and eventually the blue box built upon Joe's discovery

00:01:29.180 --> 00:01:33.660
to democratize long distance calling or cheat the phone companies out of revenue.

00:01:33.660 --> 00:01:39.740
Depending on your perspective, here's how it worked. The user of the blue box would dial a toll-free 1-800 number

00:01:39.740 --> 00:01:44.140
to ensure they wouldn't be charged for the call. When it heard the phone ring on the other end,

00:01:44.140 --> 00:01:47.140
the blue box would play that 2,600 Hertz tone

00:01:47.140 --> 00:01:50.240
into the phone's handset, which would trick the system

00:01:50.280 --> 00:01:53.640
into thinking the caller had hung up before anyone answered.

00:01:53.640 --> 00:01:59.520
The line was marked as being free, but the caller using the blue box was still on the line.

00:01:59.520 --> 00:02:03.560
The blue box would then send the tones that corresponded to the number the user

00:02:03.560 --> 00:02:08.660
actually wanted to reach since the line was selective and voila, free long distance calling.

00:02:08.660 --> 00:02:12.200
Not a bad deal considering they were sold for 170 bucks each,

00:02:12.200 --> 00:02:16.360
but no more than 100 of them were ever made. Because they were so rare,

00:02:16.360 --> 00:02:19.520
one of them ended up selling at auction in 2017

00:02:19.560 --> 00:02:24.560
for $125,000, similar in price to the new iPhone 16 Pro

00:02:25.000 --> 00:02:29.200
with two terabytes of storage. Of course, phone companies became wise to the blue box,

00:02:29.200 --> 00:02:34.080
especially after a rather anti-establishment magazine ran an article with instructions

00:02:34.080 --> 00:02:38.960
on how to construct a similar device yourself at home. The main countermeasure against phone freaking

00:02:38.960 --> 00:02:44.360
is called signaling system seven. And I use the present tense is

00:02:44.360 --> 00:02:49.180
because it's actually still around today, even though it was rolled out in the early 1980s.

00:02:49.180 --> 00:02:54.340
The basic idea behind SS7 is simply to put the control signals on a separate line

00:02:54.340 --> 00:02:57.700
so they can't be manipulated by sounds played into the phone itself.

00:02:57.700 --> 00:03:02.620
And while SS7 was reasonably effective at stopping that 2,600 Hertz attack,

00:03:02.620 --> 00:03:07.580
it couldn't stop every kind of attack, especially as phone technology continued to evolve.

00:03:07.580 --> 00:03:13.620
A later common way to freak the phone network for free long distance calls was to exploit the system

00:03:13.620 --> 00:03:17.940
of calling cards used by smaller carriers in the mid 1980s.

00:03:17.940 --> 00:03:22.180
Back then, it was common to have to dial a special local number owned by the phone company

00:03:22.180 --> 00:03:25.620
and then enter the code off a paid card,

00:03:25.620 --> 00:03:29.960
which let the network know you weren't authorized to make a long distance call.

00:03:29.960 --> 00:03:33.660
Only then could you dial the number you were trying to connect to.

00:03:33.660 --> 00:03:38.620
The problem for the phone companies was that the codes on these cards were quite short,

00:03:38.620 --> 00:03:42.980
meaning it was easy for PCs to quickly guess lots of different combinations

00:03:42.980 --> 00:03:46.140
and try those combinations using a modem.

00:03:46.140 --> 00:03:49.700
Lots of codes were found this way and subsequently shared to the point

00:03:49.700 --> 00:03:53.780
where long distance companies were losing a half billion dollars a year

00:03:53.780 --> 00:03:57.300
to this form of brute force freaking by 1987.

00:03:57.300 --> 00:04:00.420
This scam was very popular among college students.

00:04:00.420 --> 00:04:03.820
In fact, over 2,500 of them were busted in a drag net,

00:04:03.820 --> 00:04:08.580
but it was impossible for the phone companies to track down everyone who did this.

00:04:08.580 --> 00:04:12.780
This former freaking only disappeared when phone companies eventually made direct dialing

00:04:12.780 --> 00:04:15.780
of long distance numbers more universal.

00:04:15.780 --> 00:04:19.140
And the use of PCs to hijack phone lines continues

00:04:19.140 --> 00:04:24.660
to this day, we actually did a collaboration on our sister channel Linus Tech Tips with Veritasium,

00:04:24.660 --> 00:04:29.040
where they actually used SS7 to intercept calls to Linus' smartphone.

00:04:29.040 --> 00:04:33.900
They did this by buying access to SS7, which is surprisingly easy to do for a few thousand bucks,

00:04:33.900 --> 00:04:37.460
then using the access to steal a unique identifier code

00:04:37.460 --> 00:04:42.100
off the victim's SIM card. After this is done, an attacker can use that ID number

00:04:42.100 --> 00:04:47.220
to trick the network into thinking the victim's phone is roaming in a different country,

00:04:47.220 --> 00:04:52.820
which results in the network rounding calls and texts to a number registered with that country code

00:04:52.820 --> 00:04:57.520
that the attacker controls. That was a really cool and frightening experiment.

00:04:57.520 --> 00:05:00.420
So if you wanna find out more, go watch that video next.