The Vermilion Box
by El Oscuro
2003/09/07
An Orange-Magenta-Beige Combo Box

Introduction

This article describes a way to get around the limitations of the Orange Box, and spoof not just the Caller ID but the entire call from the first ring. If you have used an Orange Box, or downloaded S.O.B. from www.artofhacking.com, then you know that its usefulness is limited by the fact that the signal cannot be sent to the target line until after they have answered the phone. But with this method, a daring phreak or operative can simulate every important facet of a phone call, including the apparent normal operation of the target Caller ID receiver! Your target hears the phone ring, looks at his Caller ID receiver and sees a name and number he trusts, and answers. But it is you on the other end!

This combination of tools and technique is named for a color that lies roughly between Orange and Magenta, the two main boxes that are combined to form this one. Vermilion is a slightly orange bright red.

Disclaimer

This article should be considered a work of fiction. Like the top-name spy-story writers, I have endeavored to include as much realistic detail as possible, and to increase the impact I have written much of this article in the second person. But, under no circumstances should this article be construed as a how-to manual for stalkers and other criminals. I would liken this to the episode of the TV series "The Lone Gunmen" which depicted a plot to crash a jetliner into the World Trade Center almost 6 months before 9/11! Likewise, if someone out there is actually jacking into peoples' phone lines to spoof incoming calls, it's not because of this article. Don't try this at home, kids!

What You Need

The basic elements of this method are the Orange Box, which generates a spoofed Caller ID signal, and the Magenta Box, which generates an AC ringing signal. A 12 volt DC source to power the target's phone may also be necessary. You may wish to substitute the Orange Box with a small portable computer running S.O.B. or CIDMage, or with an MP3 player containing pre-rendered Caller ID streams. The Magenta Box, likewise, could be substituted with a portable line simulator. And of course, you will need a Beige Box to conduct the call.

In addition, you will need a circuit to connect the Beige, Magenta and Orange Boxes to the target line and to each other. The diagram for a suitable circuit can be found at http://tucops.info/files/verm1.gif.

Preparation

Construction of the Magenta, Beige, and Orange Boxes will not be covered in this article. There are many other text files that will tell you how to do that. But in order for these three boxes to be a Vermilion Box, they must be connected in a way that facilitates simulating a call. The diagram mentioned above is such a connection. Basically, the switch S1 momentarily switches in the ringing voltage created by the Magenta Box. When you press it, the Magenta Box rings the line, and the Orange Box and Beige Box are disconnected from the line for their protection. When you release it, the Orange Box and Beige Box are reconnected and the Magenta Box is disconnected. In addition, a 12 volt DC power source is switched in only when S1 is released. This powers the lineman's handset and the target phone.

By pressing button S1 in the same cadence as the ringing signal from the phone company (two seconds on, four seconds off) you can simulate a call.

It is very important that your operation of S1 resembles as closely as possible the cadence of the telco ring signal. This takes practice. The target may become suspicious if the ringing cadence is not normal, and worse, his Caller ID receiver may not receive your Orange Box signal if it has not been "primed" by a proper ring. Not all Caller ID receivers have this limitation but you should assume that your target's does.
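Seen from the monitoring side, the cadence requirement above is also a detection opportunity: a line monitor that timestamps ring-voltage edges can flag ringing that drifts from the two seconds on, four seconds off pattern. The following is an added example, not part of the original article; the tolerance values, event format and sample captures are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import pstdev

RING_ON_S = 2.0      # nominal ring burst (from the article)
RING_OFF_S = 4.0     # nominal silence between bursts (from the article)
TOLERANCE_S = 0.15   # assumed per-interval window; calibrate on a known-good line
MAX_JITTER_S = 0.05  # assumed; switch-generated cadence barely varies

@dataclass
class Finding:
    index: int       # index of the edge that closed the interval, -1 for whole-call
    kind: str
    measured: float

def analyse_cadence(events):
    """events: ordered (timestamp_s, 'on' | 'off') ring-voltage edges for one call."""
    findings, durations = [], {"on": [], "off": []}
    nominal = {"on": RING_ON_S, "off": RING_OFF_S}
    for i in range(1, len(events)):
        (t0, state), (t1, nxt) = events[i - 1], events[i]
        if state == nxt or t1 <= t0:
            raise ValueError(f"malformed edge sequence at index {i}")
        dur = t1 - t0
        durations[state].append(dur)
        # Per-interval check against the nominal cadence.
        if abs(dur - nominal[state]) > TOLERANCE_S:
            findings.append(Finding(i, f"ring_{state}_out_of_range", round(dur, 3)))
    # Whole-call check: spread of burst and silence lengths across the call.
    for state, durs in durations.items():
        if len(durs) >= 2 and pstdev(durs) > MAX_JITTER_S:
            findings.append(Finding(-1, f"ring_{state}_jitter", round(pstdev(durs), 3)))
    return findings

# Constructed sample captures (not real line recordings).
SWITCH_GENERATED = [(0.0, "on"), (2.0, "off"), (6.0, "on"),
                    (8.0, "off"), (12.0, "on"), (14.0, "off")]
HAND_KEYED = [(0.0, "on"), (2.3, "off"), (5.9, "on"),
              (7.7, "off"), (12.1, "on"), (14.0, "off")]

if __name__ == "__main__":
    for name, capture in (("switch", SWITCH_GENERATED), ("hand-keyed", HAND_KEYED)):
        print(name, analyse_cadence(capture))
```

Lines that legitimately use a different cadence need their own nominal values before the findings mean anything.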

The Orange Box should be set to use normal MDMF on-hook signaling, instead of the Call Waiting signaling normally employed by an Orange Box. Since you are simulating an initial call, the Caller ID receiver will almost certainly not be listening for Call Waiting Caller ID. If you are using S.O.B., make sure the MDMF LED is on.

Although it is normally best practice to use an FCC Part 68 line interface when connecting to a phone line, in Vermilion Boxing the telco side of the phone line is disconnected, so that precaution is unnecessary. In fact, a Part 68 interface will not pass DC, so it is impossible to power the target phone through one. If you are paranoid about damaging your Orange Box (say, if it's a laptop computer running S.O.B.) then you may connect a Part 68 interface between the Orange Box's output and the rest of the Vermilion Box. S.O.B. comes with a diagram for a suitable circuit; simply connect the interface's TIP and RING lines to the +12V and -12V lines of the Vermilion Box respectively.

Because this technique is similar to Beige Boxing, you must also consider your physical security. Do not Vermilion Box in a location where you are likely to be observed, or in a location where you do not have at least two escape routes. Bring as little hardware as you need and keep it together - I would recommend building the Magenta Box into the same enclosure as the Vermilion Box and velcroing the Orange Box to the outside. Construct the box with a jack which you can plug the alligator clips into, and unplug in one quick motion in case you have to escape on zero notice. In that case you should be prepared to abandon the clips.

You also need to be prepared with a script. Since you are faking a call, you are probably pretending to be someone else. You have to be prepared to convince your target that you are the person the Caller ID says you should be. You have to anticipate all the different ways the conversation can flow, and be convincing in your responses. If your mission is to acquire information, you have to know before you head out the door what questions will produce the answers you require. This is social engineering, another topic that is beyond the scope of this file. Social Engineering, of course, is the primary application of the Vermilion Box. If the information you need is likely to be too complex to remember, such as a lengthy password or directions, or if you need evidence of the conversation, bring a tape recorder and connect it to the audio output of the Orange Box where it will be safe from line spikes and rings. Don't count on being able to write anything down as you will likely have to hold onto the Vermilion Box and its accessories during the whole conversation.

Lastly, the most important part of successful Vermilion Boxing is practice. We have touched on this already in this file and will bring it up again, but this is important. Vermilion Boxing is a clandestine caper, a learned skill, not an instant magic bullet push-button solution for any script-kiddy. If you try it for the very first time against a live, unaware target, you will probably fail. You need to be sure that your Magenta Box will ring the phones on the line, that your ringing cadence is convincing, and that your Orange Box signal is interpreted correctly by the target Caller ID receiver. Practice doing this at home first, then on at least two trusted friends, until you can nearly do it in your sleep and succeed every time, before you attempt to do this with a live, unaware target.

The Technique

The technique is similar to that of Beige Boxing, in that you must find a physical access point to the target line and connect to it. Where it differs from Beige Boxing is that you are simulating an incoming call instead of stealing an outgoing one.

To Vermilion Box, you must access the target's physical phone line. This could be done using the techniques of the Beige Box, which involves connecting to an external demarcation point with alligator clips, or using variations such as the Mega Box, which involves climbing telephone poles to reroute the line to a spare pair somewhere else. You could even use a modified DX Box or Boronda Box to make this technique wireless, but the necessary modifications to these boxes are a subject for another text file.

Once you have acquired the target's dialtone by whatever means, you are ready to connect the Vermilion Box. See the diagram above.

First, disconnect the target's pair from the in-house circuit. The last thing we want is an unexpected *real* call to come in, and besides, we don't have any protection for the Orange Box from random line spikes or actual ring signals. This is as simple as unscrewing two screws in the access box. Now, use your Beige Box to determine which side is the in-house side and which side is the telco side. If you get a dial tone, you're on the telco side, and you want to switch to the in-house side.

Connect the Vermilion Box's Ring and Tip lines to the in-house circuit Ring and Tip. The Red line is the Ring, the Green one is the Tip. Now, take your Beige Box "Off Hook" and make sure its ringer, if it has one, is off. Cradle it between your ear and shoulder because you will probably need both hands. Press the pushbutton switch (S1) for two seconds. The ringing voltage generated by the Magenta Box will be present on the line and any phones inside will ring. The instant you release the switch, press the "Play" button on your Orange Box. You may wish to practice this at home as the timing is important, and you want the cadence of the ringing signal to sound as realistic as possible. If the mark has not answered, press S1 again exactly four seconds after you released it the first time. Do not hit Play on the Orange Box again - the telco only sends Caller ID data once and so should you. Continue ringing the phone this way until the target answers. Now you can talk to him!

Don't forget to reconnect the target's line to the telco side before you leave. If you plan to return, it may help to install a DPDT switch inside the access box to switch the target's line in and out.

A difficulty that can arise (and which will probably be addressed in Vermilion Box 2.0) is what happens if the target answers during the ring. You will be unable to hear on the Beige Box that he has answered, and he will hear the very loud ticking noise of your ring signal for its duration. This is not normal and is a possible source of suspicion. Be prepared to explain it if questioned.

Vermilion Box 2.0

In 2004, I will design an improved Vermilion Box. It will automatically simulate the ringing cadence, automatically trigger the Orange Box at the right moment, play a false ring tone in your Beige Box to indicate that it is still ringing, and stop ringing the moment the target answers. If you substitute the Magenta Box and the Vermilion Box circuitry with a portable line emulator, you will have much of this functionality already.

Look for Vermilion Box 2.0 on artofhacking.com and selected mirrors next summer!

- El Oscuro
