Inside the Hidden World of Elevator Phone Phreaking

At the Defcon hacker conference in Las Vegas today, Caruana will give a talk on a very specific subgenre of that pastime: phreaking elevator phones, the emergency call boxes legally mandated to be in every elevator in America, and largely left wide open to any caller who can determine their numbers."I can dial into an elevator phone, listen in on private conversations, reprogram the phone so that if someone hits it in an emergency it calls a number of my choosing," Caruana told me in our first conversation. In far too many cases, Caruana says, phone installers and building managers don't change those passwords from easily guessable default codes, allowing anyone to tamper with their settings.Caruana has figured out many of those passwords by hunting down elevator phone manuals, googling documentation, and buying a dozen elevator phones off Ebay over the last year. Instead of dialing emergency responders, a reprogrammed phone can be set to call the phreaker's cell phone, or a pizza delivery place, or a number that plays a recording of Rick Astley's "Never Gonna Give You Up." Or a phreaker can reprogram the phone to change its location ID, Caruana says, so that it misrepresents the location of the people calling, potentially confusing responders."No one’s setting new passwords on these systems, and no one’s monitoring them," Caruana says. (He asked that I make clear he isn't using that trick during Defcon; he doesn't want to be kicked out of the hotel he's staying at in Las Vegas.)Another phreaker Caruana introduced me to, who emailed with me under the name SLICThroat, says that he's called into elevators hundreds of times, most often to study the different behavior of their varied electronics, or just to listen in to a mysterious, faraway space. "If I’m having a heart attack or I'm stuck between floors during a fire and I call out and it's Domino's Pizza, there’s real harm there."With that legal advice in mind, and armed with the list of elevator phone numbers Caruana shared with me, I called into a couple dozen elevators across the country, carefully avoiding their reprogramming options and making sure to ask first if anyone inside was in an emergency situation. None of them mentioned a suspiciously lit red LED.Caruana warns that it’s not just elevator phones that are open to anyone who can determine their number: So are many stairwell phones, campus callboxes and other emergency phones.Caruana and other phreakers warned me that it's not just elevator phones that are potentially open to unwelcome calls. But precisely for that reason, it's important for these devices to be properly secured against remote tampering by bad actors."In his Defcon talk, Caruana plans to offer a set of recommendations for elevator phone installers, building managers, and emergency responders: "Don't use default passwords.