Whistle While You Scam: Journey Into the History of Phreaking

Once, all it took was a whistle. But nowadays telephones and modern smartphones can also be hacked. Read our brief history of ‘phreaking’.

Apr 8, 2022 - 5 min.

Music is often cited as an art form that is not particularly lucrative. In most cases, you need to be exceptionally talented if you plan on earning a living from your tunes. Despite this, it was quite possible to save a little money a few years ago if you were musical. That’s because tones are not only used to make music but also provided the basis for analogue telecommunication for many years.

Joybubbles and the specific audio frequency

Joe Engressia (25/05/1919 – 08/08/2007), who officially changed his name to Joybubbles in 1991, was born blind. However, he possessed a different extraordinary skill: thanks to his absolute pitch, he could instantly reproduce audio frequencies with unerring accuracy. Fascinated by telephones from a very early age, he would amuse himself by calling up unassigned telephone numbers just to listen to the error message. He discovered quite by accident in 1957 that he could interrupt the call by whistling at a certain frequency. An AT&T engineer explained to him that tones at the frequency of 2600 Hz were used to control telephone exchanges. That was how Joybubbles learned to manipulate telephone networks. He discovered, for example, how to whistle at a specific pitch in order to make phone calls free of charge. This ability earned him the nickname ‘The Whistler’, and he is remembered to this day as one of the first ‘phreakers’. The word ‘phreaking’ is a combination of the words ‘phone’ and ‘freak’. It describes a method of hacking that aims to disable or manipulate the security mechanisms of telephone networks.

John Draper and the pirate breakfast

In 1969, 12 years after Joybubbles, software developer John Draper undoubtedly enjoyed eating the crispy cereal sold under the American brand Cap’n Crunch for breakfast. However, not only did the flakes have a special crunch. For a time, they also included a special whistle, a toy that the manufacturer put in the box as part of an advertising campaign. And by sheer coincidence, the whistle could be used to generate a sound with the frequency of 2600 Hz! Together with a couple of buddies, Draper figured out that the whistle could be used in conjunction with specific codes to make long-distance calls around the world free of charge. Draper, who from then on also called himself Captain Crunch, is now considered the true father of ‘phreaking’ – and spent several months behind bars because of his activities. While in confinement, he is also said to have listened in to the radio conversations between the prison wardens and shared his knowledge of telephone hacking with his fellow inmates.

The blue box turned telecommunications on its head

The realisation that simply whistling at a certain frequency made it possible to undermine an entire telecommunications system spread fast. Draper and other inventive individuals set about building what are known as ‘blue boxes’ that could reproduce these tones and the corresponding codes at the press of a button. Then, all they needed to do was to hook up the device to the telephone receiver. Later on, it was joined by further developments such as the ‘red box’, which was specially designed for use with public payphones, and the ‘aqua box’, which made it difficult to trace a phreaking attack.

This was precisely the vulnerability that Joybubbles and Draper exploited: in those days, the control signals were still transmitted using the same channel as the telephone conversations themselves (inband signalling). Nowadays, the control information is usually transmitted digitally using a data connection that is separate from the speech channel (outband signalling). That put an end to the practice of ‘blueboxing’. 

From phreaking to the birth of computer criminality

Nevertheless, blueboxing developed into a genuine subculture during the early 1970s, with even the underground newsletter T.A.P. – first known as Young International Party Line (YIPL) – published by political activists Abbie Hoffman and Al Bell providing readers with information about phreaking methods. They included instructions for building electronic circuits that could outwit the charging systems used by American telephone companies. When a special tax was levied on telephone calls during the Vietnam War, many people regarded the legally disputed practice of phreaking as a legitimate act of civil disobedience. The telephone companies had great difficulty cracking down on phreaking because it required upgrading the entire network infrastructure.

During the 1980s, the first acoustic couplers – the forerunners of modems – hit the market. These could also be combined with a computer to establish a data connection via the telephone line. This drove phreaking to new levels of popularity, and it became a veritable national pastime among Commodore C64 and Amiga users. Since then, the method has also evolved to enable access to external computer systems by the process of hacking.

Smartphones present a large target

With the advent of digital telephony and smartphones, telephone and computer technology started to increasingly merge with one another. From sending messages to online shopping, from finding information quickly all the way to planning the route for that next city break – the vast majority of everyday applications which we used to perform with a desktop PC, a laptop or a navigation device can now also be completed in a very similar way on a smartphone. The smartphone has also become our preferred conduit to the Internet. However, this makes smartphones popular targets for attack by resourceful hackers, who deploy similar methods to those used to attack PCs. Smartphones are also constantly infected by malware – harmful programs that gain access to external computers where they execute unwanted functions ranging from spam all the way to covertly introducing viruses and spying on personal data. Since smartphones generally contain ‘half our life’ and more personal information than any other device – from account details all the way to digital vaccination certificates – we should take very good care of them indeed.


Malware on smartphones: the invisible threat

Malware is usually downloaded onto your smartphone from channels that have not been checked and authorised by the official Google Play Store (Android) and Apple App Store (iOS). In many cases, chat services such as Discord and WhatsApp play a role in transmission.

Unusually large numbers of top ratings 

Once installed, apps known as LeifAccess/Shopper are not even recognisable by an icon. Instead, they set up accounts without the user’s knowledge and post fake ratings, for example, to boost the rankings of apps on Google Play or in the Apple Store. Sometimes, they also load other unwanted apps and install them on the phone without asking the user’s permission.

‘Stop! Your smartphone is infected!’

Fake security warnings that alert smartphone users to an alleged malware infection are also in widespread use. They recommend the installation of a supposed security software application that is in fact nothing of the kind and instead smuggles malware onto the smartphone. This malware is often only activated many hours later in order to disguise its source.

HiddenAds means hidden baddies

Other malware apps lull users into a false sense of security because their icon appears deceptively similar to the desired ‘official’ program. However, once these are installed, an error message appears. If the user tries to uninstall the app, the malware is secretly embedded in the device in the background so it’s very difficult for users to find. In many cases, the originally installed app only functions as a downloader for malware.

How to protect your smartphone against malware

  • Only install authorised and tested software from the official Google (Android) and Apple (iOS) app stores. 
  • Do not be tempted to download programs that are offered to you via chats in the different messenger programs (WhatsApp, Facebook Messenger, Discord, Skype, Threema, Telegram, etc.) or in a text message.
  • Before you install a program, do some research online about the app and its developer so that you can identify potentially harmful software in advance.
  • Read the app ratings in the app stores carefully to check for possible fakes.
  • Perform regular security updates for your smartphone and the programs installed on it.
  • Protect your smartphone as well as your PC with tested security software from reputable vendors.

Cybercrime: How to Protect Your Business