02/09/2004: Technologica
Three Blind Phreaks
How the phone-phreaking Badir brothers ran rings around Israel's telcos for six scam-filled years.
from Michael Kaplan @Wired Magazine
Inside the chintz-filled living room of the Badir family's neat and modest home, a feast of freshly roasted chicken, saffron rice, and seasoned vegetable stew perfumes the air. Friends and relatives pour through the front door to congratulate 27-year-old Munther "Ramy" Badir. He's just been released from prison after serving 47 months for computer-related crimes. Outside, Islamic prayers resonate from speakers on a truck moving slowly down the dusty streets of Kafr Kassem. Everyone in this Israeli village - populated mostly by Arabs - appears ecstatic to have Ramy back.
But he does not see their smiles. Ramy, along with two of his three brothers, has been blind since birth due to a genetic defect. He and his sightless brothers have devoted their lives to proving they can out-think, out-program, and out-hack anyone with vision. (Their sighted brother, Ashraf, is a baker with no tech leanings.) They've been remarkably successful. Ramy says dryly, "A computer that is safe and protected is a computer stacked in a warehouse and unplugged."
Israeli authorities agree. The 44 charges leveled against Ramy, Muzher, and Shadde Badir in 1999 included telecommunications fraud, theft of computer data, and impersonation of a police officer. The brothers' six-year spree of hacking into phone systems and hijacking telephone time ended when they were convicted of stealing credit card numbers and breaking into the Israeli army radio station's telephone system to set up an illicit phone company. Unwitting customers - mostly Palestinians on the West Bank and Gaza Strip - paid the fake telco for long distance calls that were billed to the radio station. A lawyer close to the case said that the Badirs' scams pulled in more than $2 million.
Ramy, the leader and most technologically savvy of the brothers, was the only one sentenced to prison. Muzher, 28, was ordered to perform community service for six months; Shadde, 22, received a suspended sentence - not because he was innocent, the judge made clear, but because of his age.
Those targeted by the Badirs feel less charitable. Yekutiel "Kuty" Lavi, a security specialist at Bezeq International, Israel's largest telco and a frequent victim of the Badirs, angrily complains, "Every day people try to steal from us, but nobody has ever stolen from us the way the Badirs did. When they dial, they use the middle finger."
I have heard a lot about these dudes, and their story is pretty phreaking radical. They have some style and flair, as compared to their hacker counterparts.
More
Three Blind PhreaksHow the phone-phreaking Badir brothers ran rings around Israel's telcos for six scam-filled years.
By Michael Kaplan
Inside the chintz-filled living room of the Badir family's neat and modest home, a feast of freshly roasted chicken, saffron rice, and seasoned vegetable stew perfumes the air. Friends and relatives pour through the front door to congratulate 27-year-old Munther "Ramy" Badir. He's just been released from prison after serving 47 months for computer-related crimes. Outside, Islamic prayers resonate from speakers on a truck moving slowly down the dusty streets of Kafr Kassem. Everyone in this Israeli village - populated mostly by Arabs - appears ecstatic to have Ramy back.
But he does not see their smiles. Ramy, along with two of his three brothers, has been blind since birth due to a genetic defect. He and his sightless brothers have devoted their lives to proving they can out-think, out-program, and out-hack anyone with vision. (Their sighted brother, Ashraf, is a baker with no tech leanings.) They've been remarkably successful. Ramy says dryly, "A computer that is safe and protected is a computer stacked in a warehouse and unplugged."
Israeli authorities agree. The 44 charges leveled against Ramy, Muzher, and Shadde Badir in 1999 included telecommunications fraud, theft of computer data, and impersonation of a police officer. The brothers' six-year spree of hacking into phone systems and hijacking telephone time ended when they were convicted of stealing credit card numbers and breaking into the Israeli army radio station's telephone system to set up an illicit phone company. Unwitting customers - mostly Palestinians on the West Bank and Gaza Strip - paid the fake telco for long distance calls that were billed to the radio station. A lawyer close to the case said that the Badirs' scams pulled in more than $2 million.
Ramy, the leader and most technologically savvy of the brothers, was the only one sentenced to prison. Muzher, 28, was ordered to perform community service for six months; Shadde, 22, received a suspended sentence - not because he was innocent, the judge made clear, but because of his age.
Those targeted by the Badirs feel less charitable. Yekutiel "Kuty" Lavi, a security specialist at Bezeq International, Israel's largest telco and a frequent victim of the Badirs, angrily complains, "Every day people try to steal from us, but nobody has ever stolen from us the way the Badirs did. When they dial, they use the middle finger."
The Badirs pulled off Mamet-worthy phone cons, employing cell phones, Braille-display computers, ace code-writing skills, and an uncanny ability to impersonate anyone from corporate suits to sex-starved females. On the phone, the brothers morph into verbal 007s, intimidating men, seducing women, and wheedling classified information from steely-voiced security personnel. The phone phreakers' term for this is social engineering: using a combination of brains and guile to obtain codes for trespassing into systems to rejigger them via strings of touch-tone code. Combine this talent with supersensitive hearing - the brothers can dissect an international connection the way wine expert Robert Parker pulls notes from a glass of Bordeaux - and you have what BernieS, a legendary phreaker and contributor to the hacking journal 2600, calls "a formidable skill set."
At one point during my visit with the Badirs, I pull out my cell phone and make a call. Before it even connects, Shadde, who is sitting across the room, recites all 12 digits perfectly.
Ramy smiles at the parlor trick. "It used to be disgusting to be blind," he says. "Today, you scare people. You possess skills that those with sight cannot possibly understand."
Two hours into an afternoon-long interview with the Hebrew-speaking Badirs, my translator's lips lock. He shrugs and tells me that the Badirs have shifted into a secret code. Ramy later explains that as kids he and Muzher developed their own language - reordering letters in mathematically complex ways - after they discovered that other boys were snooping on their conversations. "People said that God cursed our mother by giving her three blind sons," recalls Ramy. "Children beat us on the backs of our legs. Those abuses left scars on our hearts. But they also forced us to grow stronger."
The young Badirs closed ranks and vowed that their blindness would never be an impediment. They taught themselves to take apart telephones, to mimic voices and verbal tics, and to get around Tel Aviv without canes or guide dogs. They became obsessed with technology and telephones. After encountering their first computer, in 1989, at Tel Aviv's Center for the Blind, Ramy and Muzher became enchanted with the IBM clones. They hung around Tel Aviv University while working, with little success, as software and telephone consultants; their early crimes were the phreaker equivalent of shoplifting a Hershey bar.
But Ramy was too ambitious to stop there. "I taught myself to program in all the languages: C, C++, Basic, Java, HTML, PHP, CGI. I built my own black boxes, blue boxes, and red boxes," which, respectively, circumvent billing, generate tones to place free calls, and simulate pulses triggered by money dropped into a pay phone. "I used those boxes to get into and decode phone systems."
In 1993, Bezeq technicians caught the Badirs snagging telephone time for their own use. Things quickly escalated when the brothers obtained the codes to break into PBXs - private branch exchanges - belonging to Bezeq and to the Israeli headquarters of Comverse, Intel, Nortel, and others. PBXs are the computerized nerve centers that operate phone systems; they are designed to be repaired, updated, and altered remotely by technicians using touch-tone codes.
"The Badirs regularly called Bezeq, pretending to be engineers in the field," recalls Eyal Raz, who worked in the telco's international antifraud unit from 1994 to 1999. "They called secretaries and said,
'I need to get in to do a repair. You need to give me the number and password.' Sometimes they succeeded, or else they'd get only the number and try to break the password by using proprietary programs." At other times, a secretary would simply key in the code, providing what seemed like onetime access but actually enabling the brothers to hear touch tones and translate them into numbers they could then use whenever they pleased.
The three used their access to devise an elaborate moneymaking scheme. According to Raz, during the mid-1990s the brothers made a deal with a phone sex outfit based in the Dominican Republic. They would be paid for driving calls to the service. The Badirs made the calls themselves, but the lines were rigged so that Comverse and Nortel were billed by the phone sex service.
At the time there were no computer crime laws in Israel, so Bezeq took it upon itself to try to short-circuit the Badirs. "At one point I asked an engineer to block three lines that the Badirs had opened up for themselves," recalls Raz. "They knew that I had put the blocks on. So a couple days later, one of them phoned the engineer and said, 'This is Eyal Raz. Please unblock those three lines.' The engineer, who knew my voice, believed it was me. He unblocked the lines." Raz shakes his head, showing grudging admiration. "These are very clever boys."
In 1995, the Badirs turned their attention to a business closer to home. Their target was Israeli phone sex mogul Ben Zion "Bency" Levy, who maintained a database of thousands of customer credit card numbers. Ramy and his brothers went to work on Levy's secretary, patiently convincing her to provide the information that would allow them to unlock the credit card numbers and PINs.
"We knew to approach her gently and break through her psychological barrier," says Muzher. " We had her tell us clues that would lead to the password of her boss's computer."
"I figured out the personality of her boss, learned the numbers that were meaningful to him, and used those numbers to get into his system remotely," says Ramy. In the end, the Badirs seized some 20,000 credit card numbers - and, after being confronted by Levy, caused all of his telephones to ring continuously with no caller on the other end of the line.
Ziv Koren/Polaris
During the chase, investigator David Osmo began to get huge bills for calls he never made. In 1996, Levy reported the scam to Israel's National Fraud Unit. The following year, a file of Badir-related complaints - including Levy's - landed on the desk of David Osmo, an investigator with Israel's national police force. Osmo met with Ramy and recalls being amazed at the speed of the young man's fingers on a phone keypad when he made a call. "I told him he is a smart person who should use his intelligence for good things," Osmo says. "Return back to society," he urged.
Ramy remembers his response to Osmo: "You can chase me for 20 years and you will not find anything to convict me on."
The Israeli Army Radio Station is guarded as if it were a military base. Occupying four floors of a dirty white building on a busy two-lane street in Jaffa, the station is protected 24/7 by a half-dozen armed recruits. In 1998, the brothers joined forces with a group of Jewish and Arab scam artists and targeted the station, intending to hijack phone lines and sell call time on them.
Though they were convicted of participating in the scheme, the brothers deny they were involved. Ramy is nonetheless willing to speak knowledgeably about the con. "These were among the most protected lines in the Middle East," says Ramy. "They had a lot of scrambling, and big technology is required in order to get in."
Why an army outpost? "Those lines cannot be tapped by the police, so there is no monitoring," explains Ramy. "These are the safest lines on which to do something like this."
Authorities maintain that Ramy broke into the army radio station's phone system and activated a dormant function called direct inward systems access, which allows long distance calls to be placed remotely and charged to that particular phone account. He structured the DISA so that as many as 281 people would be able to make telephone calls simultaneously on that single line.
Once the long distance access was in place, the Badirs' partners set up a switchboard inside a shack in an orange grove in Jaffa. Voilà, instant phone company. Customers placed calls from kiosks along the Gaza Strip, from cloned cell phones, or directly from their homes; these were routed from the switchboard to the radio station's DISA. The Badirs and their partners billed customers for the calls, while the actual costs were absorbed by the radio station.
It wasn't long before the station realized its bills were excessive and contacted Bezeq. The company's security specialists joined with the Israeli national police in an investigation. They raided the orange grove, arresting several low-level workers at the shack. Only after one of them mentioned that the lines had been set up by blind technicians, says one source close to police, did the probe turn to the Badirs.
At the time, Ramy and his brothers were already in the crosshairs. Suspects in numerous telecommunication crimes, their home phone was frequently tapped by the national police. They reviewed the tap transcripts and spent a year investigating the brothers, hoping to find incontrovertible links between them and the pirate phone company. An intense cat-and-mouse game developed: the Badirs on one side, with fraud investigator David Osmo and prosecutor Doron Porat on the other.
While Porat was working on the case, his car's GPS system and email were repeatedly hacked. "There was a message waiting for him with his password in it," says Ramy, sounding quite pleased. "After that, he changed his password every hour before giving up on email altogether and using a typewriter." The brothers reportedly contacted Israel's DMV and registered Osmo's car under another name, causing embarrassing problems for the investigator when he tried to sell his vehicle.
"The police experienced bad luck," notes Ramy. "Their telephone systems went down, their computers developed bugs. Osmo got big bills for calls that he hadn't made. He believed we were always listening in on him. Sometimes Osmo spoke on the telephone and other calls came across the line as he tried to talk." Ramy smiles devilishly. "He found that to be very annoying."
Ironically, even as they knew the degree to which they were being pursued, the Badirs did not show a lot of restraint over the telephone. "This was our mistake," admits Ramy, who believed that some of his phone lines were secure. "We knew the police were chasing us and trying to catch us. Our overconfidence led us to think they would never do it."
On June 14, 1999, 14 police officers raided the brothers' home in Kafr Kassem. Though they found a safe containing more than $14,000 worth of Jordanian dinars, investigators did not uncover an expected treasure trove of hardware, software, and notes in Braille. "It's all in our heads," asserts Ramy. "The police took my laptop, which contained programs for running through thousands of numbers very quickly, but I had it designed to erase everything on the hard drive if it was opened by somebody other than me. They lost all the material."
Ramy, Muzher, and Shadde were arrested on a variety of charges relating to computer fraud in connection with their hacks of the radio station and Bency Levy's phone sex operation. Police took them from their home in wrist and leg cuffs, but even in custody, they could not help but show off by conversing in their secret language and announcing telephone numbers that were being keyed in by law enforcers. "When Doron Porat stood next to me," adds Ramy, "he took the battery out of his cell phone."
Ramy was jailed throughout the trial, which dragged on for 27 months and took the prosecutors way beyond their depth of technological expertise. Porat and his team eventually quit trying to explain how the Badirs did what they'd been charged with and focused instead on simply proving they did commit acts like breaking into a phone company switchboard.
In her November 2001 ruling, judge Saviona Rotlevi went easy on Muzher and Shadde but found Ramy guilty of 20 counts concerning Israeli cyberlaw, 4 counts of telecom law violation, and 15 counts of other crimes. The judge sentenced him to 65 months in prison. Among his restrictions: All of his calls were to be made with the assistance of a guard so that he would never touch a telephone keypad.
After nearly four years behind bars, Ramy was released when a judge ruled he'd served enough time. He marks his second day of freedom by repairing with Muzher and Shadde to a small café on the edge of Kafr Kassem. Inside, the brothers order bottles of orange juice and three water pipes. They puff deeply, releasing plumes of fruity-smelling tobacco smoke.
Despite his years in prison, Ramy appears to have no financial worries. Upon arriving home, he promptly ordered a $20,000 Braille-display computer from Germany. He also spent a couple of hours checking on the construction of his new four-story house. Workers broke ground on it while he was still in prison; completion was scheduled to coincide with his original release date. It's a sprawling, solid-looking place, situated on a prime corner lot in the center of Kafr Kassem. The top floor will be a high tech penthouse where Ramy can hatch his next move.
And what will that be? Ramy claims a couple of juicy software programs that he began developing in prison are in the pipeline. "I am inventing a PBX firewall," he says. "I know all the weakest spots of a telephone system. I can protect any system from infiltration."
Ramy insists there are major companies interested in his new software. He talks about big money and big meetings. But he refuses to show what he's working on and won't name anybody who's backing him. One person who sounds perfectly game to be involved is the brothers' old nemesis Eyal Raz. "If he can build that, he'll become a billionaire," predicts Raz, who now works for a Tel Aviv-based phone security firm called ECtel. "The Badirs know so much and are so talented that I would happily use them as consultants."
Ramy insists he has outgrown the scams: "I am going to the other side, coming up with devices that will keep the phreakers out."
You want to believe him, you really do. Maybe it's the truth. Or maybe it's a sweet bit of social engineering designed to generate positive press and position the Badir brothers for their next spree.
------------------------------------------------------------------------
Michael Kaplan (mkaplan2000@aol.com) wrote about gambling machines in Wired 11.09.