Click for homepage
ATF-1 car telephone

Castor was a mobile telephone set (car phone), manufactured by AEG Telefunken in Germany, and rented by the Dutch telecom monopolist PTT (now: KPN) between 1980 and 1995, for use on the first Dutch automatically-switched mobile phone network ATF-1 and on the German B-Netz [1].

ATF-1 was the successor the manually-switched OLN network which had been in use since 1949. Castor was the first mobile telephone set that became available for the Dutch ATF-1 network.

Customers could not buy it, but had to rent it from PTT on a subscription base, to which the cost of the calls was added. As the network had a capacity of just 2500 subscribers, the call tariff was very high. Castor consisted of a handset, a control unit with buttons and LED display, and a transceiver that was so large and heavy that it had to be fitted in the trunk of the user's car.
Clandestine Castor car phone (AEG 4015C) in Samsonite briefcase

A few years after the introduction of the ATF-1 network, hackers discovered that apart from eavesdropping, the network was also susceptible to phone phreaking, which allowed them to make phone calls on someone else's expense, or even completely free of charge, by spoofing the device's own number. The image above shows an original Castor car phone that was converted for clandestine use around 1985. It was powered by an internal rechargeable battery, or by an external power source, such as the cigarette lighter socket of a car. At the left (just behind the controls) is a set of five thumbwheels that can be used to alter the device's subscriber number.

Castor was the Dutch variant of the AEG 4015C – made by AEG Telefunken – that was also used on the German B-Netz. It was the first car telephone that was available in the Netherlands for use on the ATF-1 network, soon complemented by Pollux, a similar car telephone made by Motorola in the USA. Unlike Castor, Pollux had the controls and the display integrated with the handset.

Samsonite briefcase with clandestine Castor car phone Clandestine Castor car phone (AEG 4015C) in Samsonite briefcase Controls and display Castor car phone with handset off-hook Thumbwheels for setting the subscriber number Interior of a hacked Castor car phone Codeplug replace by a break-out box
1 / 7
Samsonite briefcase with clandestine Castor car phone
2 / 7
Clandestine Castor car phone (AEG 4015C) in Samsonite briefcase
3 / 7
Controls and display
4 / 7
Castor car phone with handset off-hook
5 / 7
Thumbwheels for setting the subscriber number
6 / 7
Interior of a hacked Castor car phone
7 / 7
Codeplug replace by a break-out box

ATF-1 network
ATF-1 was the first automatically-switched mobile telephone network in the Netherlands. It was introduced on 1 March 1980 as the successor to the manually-switch OLN — Openbaar Landelijk Net (Public National Network). Based on the German B-Netz, it operated in the 150 MHz band [1].

ATF-1 was interoperable with the networks in Germany, Austria and Luxemburg, and had a maximum capacity of 2500 subscribers, that were served by 30 base stations throughout the country, as shown in the map on the right.

For outgoing calls, the mobile subscriber no longer had to to be patched by an operator, but could simply enter the number on the numeric keypad of the car phone. For incoming calls the situation was slightly more complicated, as the country was divided into three regions – north, south and west – and a caller had to know in which region the mobile user was located.

Apart from business users, ATF-1 also became very popular amoung inland navigation skippers, as it could be used throughout a large part of western Europe, along the entire trajectory of the river Rhine. For a long time however, the use of mobile phones aboard ships was prohibited in the Netherlands, and skippers risked a fine when they were caught. The ban was lifted in 1988.
Map of the Netherlands with ATF-1 base stations in 1980.

In 1985 and 1986 it became clear that the ATF-1 network was hacked by so-called phreakers, who managed to make phone calls on someone else's expence, or even free of charge, by using number spoofing (see below). When this was discovered, PTT decided to upgrade all existing mobile stations with a BEMOTEL authentication unit. Although this was reasonably successful, it was a one-way authentication, that worked on outgoing calls only. After a while, the phreakers discovered that it was still possible to call free-of-charge by making collect calls [2].

The maximum capacity of 2500 users was reached in 1983, just three years after the launch of the network, which prompted PTT to add a new network that had to be ready within a few years. In 1985, ATF-1 was succeeded by ATF-2 which worked in the 450 MHz band and was based on the NMT-450 standard of the Nordic countries. The ATF-1 service was terminated in 1995.

 More about ATF-1

Clandestine use
ATF-1 was a fully analogue FM system with in-band signalling, and no form of encryption or authentication whatsoever. Speech conversations were sent over the air in clear, and could be picked up by anyone with a suitable receiver or scanner that covered the 150 MHz band (2m).

In the same vain, the telephone numbers of the calling party and the mobile subscriber were sent over the air in clear, and it wasn't before long that hackers discovered a way to decode the data and display it on a computer screen.

The weakest point in the system however, was the fact that the telephone number of the mobile subscriber was only held inside the mobile tele­phone, programmed in a so-called codeplug. The codeplug was a small plug-in unit that was issued by the PTT service engineer when the rented telephone was installed in the user's car.
ATF-1 codeplug (unprogrammed)

By altering the arrangment of the components inside the codeplug, it appeared to be possible to change the telephone's subscriber number, after which it was possible to make a call on someone else's expense. This led to complaints from users who got huge bills for unmade phone calls.

Worse even: hackers also discovered that any phone number that had not yet been issued by the PTT, was unblocked, allowing them to make phone calls for which nobody could be charged.

This soon led to a growing illegal business, in which many carphones were ripped from the cars of genuine subscribers, converted by the hackers, and put to use for (criminal) activities. The stolen telephones were built inside common briefcases, so that they could be carried around inconspicuously. An example of a Castor phone housed inside a briefcase is shown on the right.
Codeplug replace by a break-out box

By adding a set of five thumbwheels, the user of the stolen phone was able to select any possible subscriber number. As there was no authentication, all that PTT could do once the malicious use if its net­work was discovered, was block the number indefinitely. It could never be issued again.

All the malicious user had to do, was 'invent' a new number, enter it on the thumwheels, and continue. And this appeared to be easier than anticipated: any telephone number that had not yet been issued to a legitimate subscriber, was recognised by the ATF-1 network as a valid one.

Around 1985, PTT noticed an enormous rise in the clandestine use of its network and – at the same time – an increase in the number of car phones that were stolen from the vehicles of legitimate subscribers. This prompted the Dutch National Police to start a criminal investigation.
Thumbwheels for selecting the subscriber number

Finally, in October 1986, after numerous observations throughout the entire country, the police arrested 13 people in seven Dutch cities, all of which were somehow related to the theft of the phones or their conversion for clandestine use [4]. In 1987, the PTT started a call-back operation, in which all existing mobile telephones were upgraded with a Bemotel authentication module. This solved most of the problems, but could not avoid that phreakers later successfully managed to circumvent the authentication and use the network free of charge, by making collect calls [2].

 More about clandestine use of ATF-1

ATF   Autotelefoon
Name for the Dutch automatically-switched analogue carphone networks, of which three generations have existed (nown as ATF-1, ATF-2 and ATF-3. Succeeded in 1994 by GSM.
B-Netz   B network
First automatically-switched analogue mobile telephone network in Germany, compatible with ATF-1 in the Netherlands, and with the networks in Austria and Luxemburg.
GSM   Global System for Mobile Communication
Digital mobile telephone network, with built-in encryption and authentication. Introduced in 1991 and rolled-out in most European countries in 1992. In the Netherlands, GSM was introduced in 1994.  More
KPN   Koninklijke PTT Nederland
Royal PTT of The Netherlands. This was the name of the former Dutch state-owned telecom monopolist PTT after its privatisation in 1989.
OLN   Openbaar Landelijk Net
First Dutch public radio network for mobile telephony in the 80 MHz band, introduced in 1949 and operated by the PTT (now: KPN). The network was manually-switched, which means that the subscriber had to be patched by an operator. Terminated in 1985.  More
PTT   Staatsbedrijf der Posterijen, Telegrafie en Telefonie
Dutch state-owned telecommunications monopolist from 1881 until its privatisation in 1989. Responsible for the development and operation of the post, telegraph and telephone networks in the Netherlands. Also responsible for monitoring the radio spectrum and for enforcing the telecom laws.
  1. Wikipedia, B-Netz
    Retrieved May 2019.

  2. Wikipedia, Collect call
    Retrieved May 2019.

  3. Wikipedia, Phreaking
    Retrieved May 2019.

  4. Provinciale Zeeuwse Courant, Wijdvertakte zwendelzaak met autotelefoons ontdekt
    28 October 1986, page 5.
     Direct download

  5. Peter Poelman & The Key, Autotelefoonnet 1 gehackt
    Hack-Tic Magazine, Issue 2, 1989. Page 7 (Dutch).
Further information
Any links shown in red are currently unavailable. If you like the information on this website, why not make a donation?
Crypto Museum. Created: Sunday 02 June 2019. Last changed: Sunday, 02 June 2019 - 16:06 CET.
Click for homepage