|
|
|
|
Phones ATF-1
ATF-1 was the successor the manually-switched
OLN network which
had been in use since 1949.
Pollux was the second mobile telephone,
after Castor,
that was available for the ATF-1 network.
Customers could not buy it, but had to rent it
from PTT on a subscription base, to which the cost of the calls was added.
As the network had a capacity of just 2500 subscribers, the call tariff was
very high. Pollux consisted of a handset with built-in controls and LED display,
fitted near the dashboard,
and a transceiver 1 that was so large that it had to be fitted in the trunk of the car.
|
|
|
The image above shows the transceiver (without cover) and the handset,
which was custom-made for PTT.
It was the Dutch variant of the VHF-version of the Motorola Pulsar II,
of the US MTS network [5]. It operated in the
150 MHz VHF band with a channel spacing of 20 kHz,
using analogue (FM) voice with in-band signalling. As there
was no form of encryption and/or authentication whatsoever, the system was
extremely susceptible to eavesdropping
and phone phreaking
[3].
|
-
Transceiver is the compound of the words transmitter and receiver.
|
ATF-1 was the first automatically-switched mobile telephone network in the
Netherlands, introduced on 1 March 1980 as the successor to the
manually-switched OLN — Openbaar Landelijk Net (Public National Network).
Based on the German B-Netz, it operated in the 150 MHz band [1].
|
ATF-1 was interoperable with the networks in Germany, Austria and Luxemburg,
and had a maximum capacity of 2500 subscribers, that were served by 30
base stations throughout the country, as shown in the map on the right.
For outgoing calls, the mobile subscriber no longer had to to be patched by
an operator, but could simply enter the number on the numeric keypad of
the car phone. For incoming calls the situation was slightly more complicated,
as the country was divided into three regions – north, south and west –
and a caller had to know in which region the mobile user was located.
Apart from business users, ATF-1 also became very popular amoung inland
navigation skippers, as it could be used throughout a large part of western
Europe, along the entire trajectory of the river Rhine. For a long time
however, the use of mobile phones aboard ships was prohibited in the
Netherlands, and skippers risked a fine when they were caught.
The ban was lifted in 1988.
|
|
|
In 1985 and 1986 it became clear that the ATF-1 network was vulnerable
to so-called phreakers, who managed to make phone calls on
someone else's expence, or even free of charge, by using
number spoofing (see below).
When this was discovered, PTT
decided to upgrade all existing mobile stations with a BEMOTEL
authentication unit. Although this was reasonably successful, it was
a one-way authentication, that worked on outgoing calls only. After a
while, the phreakers discovered that it was still possible
to call free-of-charge by making collect calls [2].
The maximum capacity of 2500 users was reached in 1983, just three
years after the launch of the network, which prompted PTT to add a
new network that had to be ready within a few years. In 1985,
ATF-1 was succeeded by ATF-2 which worked in the 450 MHz band and was
based on the NMT-450 standard of the Nordic countries.
The ATF-1 service was terminated in 1995.
➤ More about ATF-1
|
ATF-1 was a fully analogue FM system with in-band signalling, and no form
of encryption
or authentication whatsoever. Speech conversations were sent
over the air in clear, and could be picked up by anyone with a
suitable receiver
or scanner that covered the 150 MHz band (2m).
|
In the same vain, the telephone numbers of the calling party and the mobile
subscriber were sent over the air in clear, and it wasn't before long
that hackers discovered a way to
decode the data and display
it on a computer screen.
The weakest point in the system however, was the fact that the
telephone number of the mobile subscriber was only held inside the mobile
telephone, programmed in a so-called codeplug.
The codeplug was a small plug-in unit that was issued by a PTT
service engineer when the rented
telephone was installed in the user's car.
|
|
|
By altering the arrangment of the components inside the codeplug, it appeared
to be possible to change the telephone's subscriber number, after which it
was possible to make a call on someone else's expense. This led to complaints
from users who got huge bills for unmade phone calls.
|
Worse even: hackers also discovered that any phone number that had not yet
been issued by the PTT, was unblocked, allowing them to make phone calls for
which nobody could be charged.
This soon led to a growing illegal business, in which many carphones were
ripped from the cars of genuine subscribers, converted by the hackers, and put
to use for (criminal) activities. The stolen telephones were built inside
common briefcases,
so that they could be carried around inconspicuously.
An example of a Pollux phone housed inside a briefcase is shown on the right.
|
|
|
By adding a set of five thumbwheels,
the user of the stolen phone was able to select any possible subscriber number.
As there was no authentication, all that PTT could do once the malicious
use if its network was discovered, was block the number indefinitely.
It could never be issued again.
|
All the malicious user had to do, was 'invent' a new number, enter it on the
thumwheels, and continue. And this appeared to be easier than anticipated:
any telephone number that had not yet been issued to a legitimate subscriber,
was recognised by the ATF-1 network as a valid one.
Around 1985, PTT noticed an enormous rise in the clandestine use of its
network. At the same time, the number of car phones hat were stolen from the
vehicles of legitimate subscribers also increased.
This prompted the Dutch National Police to initiate a criminal investigation.
|
|
|
Finally, in October 1986, after numerous observations throughout the entire
country, the police arrested 13 people in seven Dutch cities,
all of which were somehow related to the theft of the phones or their
conversion for clandestine use [4]. In 1987, PTT started a call-back
operation, in which all existing mobile telephones were upgraded with
a Bemotel authentication module.
This solved most of the problems, but could not avoid that phreakers
later successfully managed to circumvent the authentication and use the
network free of charge, by making collect calls [2].
➤ More about clandestine use of ATF-1
|
The main unit measures ~ 40 x 31 x 10 cm and weights more
that 10 kg. The reason for the size and weight is the fact that the distance
between a mobile subscriber and the nearest base station was relatively
large – typically in the range of 10 to 30 km – as a result of which
the transmitter had to produce a high output level of > 35W.
The image on the right shows a typical Pollux main unit, of which the
cover has been removed. At the front is a large black heatsink to which
the transistors of the Power Amplifier (PA) are mounted.
At the right is the duplex filter. 1
|
|
|
As the transceiver was so large, it was ususally mounted in the trunk of
the car. Likewise, when they were stolen and converted for clandestine use,
they were generally built inside a large travel suitcase – so that they
could be carried around – with a heavy PSU carried in an additional case.
|
In many cases though, a PSU was not needed, as the device was connected to
the cigarette-lighter socket that was present on each car's dashboard.
Sometimes, the main unit was
modified heavily,
so that it could be fitted
in a regular Samsonite executive-style briefcase
of the ara.
The image on the right shows an example of a Pollux main unit that has
been modified for this. Most of the large black
heatsink has been cut-off,
and the metal frame at the other end, has been grinded, cut, bended and shaped
in such a way that the Samsonite briefcase could be closed properly.
|
|
|
-
The input frequencies were in the range 148.410 to 149.130 MHz, whilst the
output was between 153.010 and 153.730 MHz. This means that input and
output were 4.6 MHz apart, with a channel spacing of 20 kHz. In total there
were 37 channels of which channel 19 was the calling channel at
153.370 MHz [6].
|
For number spoofing, hacked telephone sets were commonly equipped
with a set of five numeric thumbwheels,
which allowed the user to select any possible subscriber number at will.
For this to work, the existing codeplug was removed and replaced
by a ribbon cable, at the end of which
an electronic circuit with no less that 6 ICs
connected the set to the thumbwheels. In order to protect the design against
other hackers, the electronic circuit shown here, was cast in an opaque epoxy.
This way, the codeplug emulator literally became a
black box
that could not easily be copied.
The x-ray image above shows the contents of the black box as it was found
in one of the phones. The circuit appears to be hastily constructed, as
shown by the messy arrangement of the wiring. 1
|
-
Images made with Creative Electron TruView Prime.
➤ More
|
ATF
|
|
Autotelefoon
Literally translated: car phone. Also the
name for the Dutch 1G automatically-switched analogue carphone networks,
of which three generations have existed (nown as ATF-1,
ATF-2
and ATF-3.
Succeeded in 1994 by GSM.
|
B-Netz
|
|
B network
First automatically-switched analogue mobile telephone network in Germany,
compatible with ATF-1 in the Netherlands, and with the
networks in Austria and Luxemburg.
|
GSM
|
|
Global System for Mobile Communication
Digital mobile telephone network, with built-in encryption and authentication.
Introduced in 1991 and rolled-out in most European countries in 1992.
Also known as 2G.
In the Netherlands, GSM was introduced in 1994.
➤ More
|
KPN
|
|
Koninklijke PTT Nederland
Royal PTT of The Netherlands. This was the name of the former Dutch
state-owned telecom monopolist PTT after its privatisation in 1989.
|
OLN
|
|
Openbaar Landelijk Net
First Dutch public radio network for mobile telephony in the 80 MHz band,
introduced in 1949 and operated by the PTT (now: KPN). The network was
manually-switched, which means that the subscriber
had to be patched by an operator. Terminated in 1985.
➤ More
|
PTT
|
|
Staatsbedrijf der Posterijen, Telegrafie en Telefonie
Dutch state-owned telecommunications monopolist from 1881 until its
privatisation in 1989.
Responsible for the development and operation of the post, telegraph
and telephone networks in the Netherlands. Also responsible for monitoring
the radio spectrum and for enforcing the telecom laws.
➤ More
|
- Wikipedia, B-Netz
Retrieved May 2019.
- Wikipedia, Collect call
Retrieved May 2019.
- Wikipedia, Phreaking
Retrieved May 2019.
- Provinciale Zeeuwse Courant, Wijdvertakte zwendelzaak met autotelefoons ontdekt
28 October 1986, page 5.
➤ Direct download
- Geoffrey C. Fors, Motorola and GE mobile telephones, 1970-1983
The Mobile Telephone. Chapter 6. 2007.
Retrieved June 2019.
- Peter Poelman & The Key, Autotelefoonnet 1 gehackt
Hack-Tic Magazine, Issue 2, 1989. Page 7 (Dutch).
|
|
|
Any links shown in red are currently unavailable.
If you like the information on this website, why not make a donation?
© Crypto Museum. Created: Tuesday 28 May 2019. Last changed: Tuesday, 22 August 2023 - 19:36 CET.
|
 |
|
|
|