LAS VEGAS--Since adult entertainment operator Eddie Munoz first told state
regulators in 1994 that mercenary hackers were crippling his business by
diverting, monitoring and blocking his phone calls, officials at local
telephone company Sprint of Nevada have maintained that, as far as they
know, their systems have never suffered a single intrusion.
The Sprint subsidiary lost that innocence Monday when convicted hacker Kevin
Mitnick shook up a hearing on the call-tampering allegations by detailing
years of his own illicit control of the company's Las Vegas switching
systems, and the workings of a computerized testing system that he says
allows silent monitoring of any phone line served by the incumbent telco.
"I had access to most, if not all, of the switches in Las Vegas," testified
Mitnick, at a hearing of Nevada's Public Utilities Commission (PUC). "I had
the same privileges as a Northern Telecom technician."
Mitnick's testimony played out like a surreal Lewis Carroll version of a
hacker trial -- with Mitnick calmly and methodically explaining under oath
how he illegally cracked Sprint of Nevada's network, while the attorney for
the victim company attacked his testimony, effectively accusing the
ex-hacker of being innocent.
The plaintiff in the case, Munoz, 43, is accusing Sprint of negligence in
allegedly allowing hackers to control their network to the benefit of a few
crooked businesses. Munoz is the publisher of an adult advertising paper
that sells the services of a bevy of in-room entertainers, whose phone
numbers are supposed to ring to Munoz's switchboard. Instead, callers
frequently get false busy signals, or reach silence, Munoz claims.
Occasionally calls appear to be rerouted directly to a competitor. Munoz's
complaints have been echoed by other outcall service operators, bail
bondsmen and private investigators -- some of whom appeared at two days of
hearings in March to
testify for Munoz against Sprint.
Munoz hired Mitnick as a technical consultant in his case last year, after
SecurityFocus Online reported that the
ex-hacker -- a onetime Las Vegas resident -- claimed he had substantial
access to Sprint's network up until his 1995 arrest. After running some
preliminary tests, Mitnick withdrew from the case when Munoz fell behind in
paying his consulting fees. On the last day of the March hearings,
commissioner Adriana Escobar Chanos adjourned the matter to allow Munoz time
to persuade Mitnick to testify, a feat Munoz pulled-off just in time for
Mitnick admitted that his testing produced no evidence that Munoz is
experiencing call diversion or blocking. But his testimony casts doubt on
Sprint's contention that such tampering is unlikely, or impossible. With the
five year statute of limitations long expired, Mitnick appeared comfortable
describing with great specificity how he first gained access to Sprint's
systems while living in Las Vegas in late 1992 or early 1993, and then
maintained that access while a fugitive.
Mitnick testified that he could connect to the control consoles -- quaintly
called "visual display units" -- on each of Vegas' DMS-100 switching systems
through dial-up modems intended to allow the switches to be serviced
remotely by the company that makes them, Ontario-based Northern Telecom,
renamed in 1999 to Nortel Networks.
Each switch had a secret phone number, and a default username and password,
he said. He obtained the phone numbers and passwords from Sprint employees
by posing as a Nortel technician, and used the same ploy every time he
needed to use the dial-ups, which were inaccessible by default.
With access to the switches, Mitnick could establish, change, redirect or
disconnect phone lines at will, he said.
That's a far cry from the unassailable system portrayed at the March
hearings, when former company security investigator Larry Hill -- who
retired from Sprint in 2000 -- testified "to my knowledge there's no way
that a computer hacker could get into our systems." Similarly, a May 2001
filing by Scott Collins of Sprint's regulatory affairs department said that
to the company's knowledge Sprint's network had "never been penetrated or
compromised by so-called computer hackers."
Under cross examination Monday by PUC staff attorney Louise Uttinger,
Collins admitted that Sprint maintains dial-up modems to allow Nortel remote
access to their switches, but insisted that Sprint had improved security on
those lines since 1995, even without knowing they'd been compromised before.
But Mitnick had more than just switches up his sleeve Monday.
The ex-hacker also discussed a testing system called CALRS (pronounced
"callers"), the Centralized Automated Loop Reporting System. Mitnick first
described CALRS to SecurityFocus Online last year as a system that allows
Las Vegas phone company workers to run tests on customer lines from a
central location. It consists of a handful of client computers, and remote
servers attached to each of Sprint's DMS-100 switches.
Mitnick testified Monday that the remote servers were accessible through 300
baud dial-up modems, guarded by a technique only slightly more secure than
simple password protection: the server required the client -- normally a
computer program -- to give the proper response to any of 100 randomly
chosen challenges. The ex-hacker said he was able to learn the Las Vegas
dial-up numbers by conning Sprint workers, and he obtained the "seed list"
of challenges and responses by using his social engineering skills on
Nortel, which manufactures and sells the system.
The system allows users to silently monitor phone lines, or originate calls
on other people's lines, Mitnick said.
Mitnick's claims seemed to inspire skepticism in the PUC's technical
advisor, who asked the ex-hacker, shortly before the hearing was to break
for lunch, if he could prove that he had cracked Sprint's network. Mitnick
said he would try.
Two hours later, Mitnick returned to the hearing room clutching a
crumpled, dog-eared and torn sheet of paper, and a small stack of copies for
the commissioner, lawyers, and staff.
At the top of the paper was printed "3703-03 Remote Access Password List." A
column listed 100 "seeds", numbered "00" through "99," corresponding to a
column of four digit hexadecimal "passwords," like "d4d5" and "1554."
Commissioner Escobar Chanos accepted the list as an exhibit over the
objections of Sprint attorney Patrick Riley, who complained that it hadn't
been provided to the company in discovery. Mitnick retook the stand and
explained that he used the lunch break to visit a nearby storage locker that
he'd rented on a long-term basis years ago, before his arrest. "I wasn't
sure if I had it in that storage locker," said Mitnick. "I hadn't been there
in seven years."
"If the system is still in place, and they haven't changed the seed list,
you could use this to get access to CALRS," Mitnick testified. "The system
would allow you to wiretap a line, or seize dial tone."
Mitnick's return to the hearing room with the list generated a flurry of
activity at Sprint's table; Ann Pongracz, the company's general counsel, and
another Sprint employee strode quickly from the room -- Pongracz already
dialing on a cell phone while she walked. Riley continued his cross
examination of Mitnick, suggesting, again, that the ex-hacker may have made
the whole thing up. "The only way I know that this is a Nortel document is
to take you at your word, correct?," asked Riley. "How do we know that
you're not social engineering us now?"
Mitnick suggested calmly that Sprint try the list out, or check it with
Nortel. Nortel could not be reached for comment after hours Monday.
The PUC hearing is expected to run through Tuesday. By Kevin Poulsen