How to Commandeer a Store PA System

If you call the proper phone extension, you have complete control over the public address system at a Target store.

EDITED TO ADD (11/15): This goes way back.

Posted on October 19, 2015 at 9:49 AM • 30 Comments

Comments

k14 • October 19, 2015 10:06 AM

What's the federal agency that deals with vulnerabilities? And do they offer a secure channel, for communicating with them?

Bob Higgins • October 19, 2015 10:09 AM

Back in the 80s/90s when our new phone system was installed at work, it was a common prank to dial the intercom and another employee in a 3 way call, then disconnect, leaving the callee saying 'hello', and sometimes griping about the lack of response.

Intercom was eventually limited to select employees and required an extra pass code.

Former life • October 19, 2015 10:25 AM

In a former life working at the law office, I was told that I could access the PA system at a certain extension. It was not close to the ones used for normal phone extensions. I just HAD to test accessing it from an outside phone. Yep, I could call in and dial that extension to get the PA. When I left there, I was soooo tempted to call in and play some Johnny Paycheck...

Ivo • October 19, 2015 10:37 AM

Do I need to log in to read the article? How do I do that? Also your Subscribe button is broken in Chrome.

paul • October 19, 2015 10:56 AM

So this is just the inverse of the old "Transfer this call to 9,xxx..."?

There probably is a way to interrupt the call, but it would require giving local employees other powers that management would prefer they not have.

Me • October 19, 2015 10:57 AM

Call in, play copyrighted works, have RIAA sue them for performance.

Bonus is you are already working for the RIAA.

Andy • October 19, 2015 11:29 AM

This is an old hack, we used to do with Circuit City back in the early 90's. We'd ask to be pushed to extension 50 and you had intercom access.

Bob the Breaker • October 19, 2015 11:29 AM

The concern here is that people will look at the PA system wrong. It's not a "Network of Things" convenience device; it's a Public Safety implement, like the premises fire system. You don't, really, want it to have a killswitch that anyone can engage by dialing a phone number. This is the failure of an Administrative Security Control, only.

Bob Paddock • October 19, 2015 11:38 AM

In the Old Days before the local phone company switched to SS7 dialing 115 would kill the line for a few minutes. Was always a fun thing to do, as a teenager, at a busy pay phone and watch the reaction of the next person trying to use it, generally other teenagers.

albert • October 19, 2015 12:06 PM

Funny.
Don't worry, those kids are gonna find out about those things eventually, hopefully from their parents, and not from their peers.
.
@Former life,
and that would have been Take This Job And Shove It, right?
.
@Bob Paddock,
Speaking of SS7, any thoughts on the hackability of PBX systems?
.
. .. . .. _ _ _

Jason • October 19, 2015 12:32 PM

This reminds me of another story I saw years ago, probably on your blog, Bruce, about someone pranking a walmart (or was it a Fred Meyer?) the same way. Although in that case I believe the pranksters were more subtle (fake announcements, paging fake people, etc), so they got away with it for a while.

Plus ça change...

Acid Beret • October 19, 2015 12:36 PM

@K14:

"What's the federal agency that deals with vulnerabilities?"
You probably want CERT.

" And do they offer a secure channel, for communicating with them?"
Yup: https://forms.cert.org/VulReport/ (100% guaranteed to be tapped by the NSA ... and the Russians, the Chinese, the North Koreans, the Israelis ... ).

The alternative is to try phoning them up and getting through to their PA system.

Clive Robinson • October 19, 2015 2:41 PM

@ Albert,

"Speaking of SS7, any thoughts on the hackability of PBX systems?"

I don't know about modern PBXs but some older ones that allowed you to direct dial to an extension had a technical port extension that you could dial into and reconfigure / test the PBX. The down side is you could configure some such you could dial in and get an outgoing line to dial out anywhere in the world. A number of small NGOs like Charities got hit with huge bills for calling places like Nigeria.

James Sutherland • October 19, 2015 3:28 PM

With the UK's absurd system of allowing premium rate numbers for almost everything except personal landlines until recently, I saw a vast amount of traffic probing Asterisk for ways to dial the various premium rate numbers to siphon off my money.

(It's a historical quirk of charging systems: for a long time, genuine local and long distance calls were hugely overpriced to subsidise other parts of BT. Businesses could get a premium rate number priced the same, where that large markup went to them instead of to BT. After call charges dropped to more sane levels, the premium rate ones remained expensive and excessively profitable, until they were banned last year for customer service lines. Unlike US 1-900 numbers, the 07, 08 and 09 number ranges all contain some premium rate numbers, as well as some freephone and mobile ones, making it much harder to configure your PBX to prevent premium rate calls being made.)

Ray Dillinger • October 19, 2015 4:28 PM

In the soi-distant past, I was Sysop of a BBS system. These were standalone systems where a computer answered a modem call and connected you to message boards, system-based email, games, etc. One person could be connected at a time, per phone line dedicated to operating the system. The Internet as we now know it was not involved.

Anyway, one of the things that (some) BBS systems did was to keep a BBS list - that is, a list of phone numbers and modem settings to use to connect to other BBS systems. For example, A BBS list entry might say you could connect to "Electric Labyrinth" by calling 555-555-1234 using 7 data bits, even parity, 2 stop bits, and ASCII encoding.

I had been allowing users to update the BBS list, but I'd been getting bogus entries from time to time - numbers that didn't actually connect to anything except an angry person who'd gotten really annoyed with getting modem calls at 3 AM (presumably having annoyed the user who had then gone to update the BBS list), so I'd disabled that feature.

The guy who wrote the BBS software I was using, after I'd discussed the issue with him, came out with an update - from now on, when someone submitted an update for the BBS list, my system would actually call the new number and make sure it was real before displaying it to any users.

I wasn't entirely sure that was the right thing, so I sort of dragged my feet on installing it. But some other sysops were very enthusiastic, and installed it immediately. And of course, it wasn't even three days before they started getting new BBS list entries in the 911 area code...... And I decided that maybe it would be a better thing to just skip that feature entirely.

FakeEmailAddress • October 19, 2015 5:44 PM

Somewhere, the PA system will plug into the PBX and into the electrical system. While preventing this attack will require administrative changes, shutting someone down who has taken over the PA system should require nothing more complicated than unplugging something or pulling a breaker. And surely store employees have access to the breaker box.

Simon • October 19, 2015 9:23 PM

This is a classic phone prank.

There was an incidence, that... OK, let's just say, some friends of mine, for educational purposes only--insert disclaimer here--um...

Most department stores' phone systems have the intercom as an extension, which means that if you're dialling in from an outside line, you can get transferred to the intercom. By having that done, on certain systems it's very very hard for them to hang up on you... once you are talking to the intercom they can't drop it from any single point, normally they will have to bring down the PBX or the switch and bring it back up.

So, some friends of mine, for educational purposes only, were um, playing around with uh... some things and we--uh, they--happened to get a hold of a K-Mart in the middle of Wisconsin--or Kansas, or Ohio, or wherever it was... and uh, ended up getting, you know, bounced around to a couple different people. This case, with this specific system, as we later found with several K-Marts, the extension is 50. So we end up finally getting transferred to the extension, at which point, obviously, all hell broke loose.
The Joker, Beyond HOPE Social Engineering Panel, 1997, 11:25

Eric R. • October 19, 2015 10:03 PM

I was a regular on a particular party line where every once in a while, pranksters would three-way in live calls exactly like the one described in the article for everybody to listen to. I have to admit, it was quite a bit of fun to be around for and I felt a bit jealous that these guys had figured out how to do this stuff (they'd never tell anybody, although most of us knew it had to do with dialing a specific extension. We just didn't know which one).

This was more than 10 years ago.

The fact that we're first hearing about this now boggles my mind. Has Target really been having their intercom systems taken over by pranksters for over 10 years? It feels a bit nostalgic and surreal.

Nick P • October 19, 2015 10:51 PM

@ Eric R.

The few I know do it in person using the store's own phones lol... They just do it once every few months when the store is extra busy or slow. Then disappear. Never busted that I know of. Quite a low bar.

paranoia destroys ya • October 20, 2015 12:24 AM

Back in the 1970s I worked at a Truck Stop. One of the guys got bored and hid a cassette player spliced into the intercom so it played a tape of children's music for the truck drivers.

A different prank was one of the guys had an overpowered CB that would come over the speaker on a pinball machine. He taunted a trucker playing it eventually saying the machine was going to self-destruct. Giving a countdown, another guy behind the counter quickly flipped the circuit breaker off then back on so he lost his game.

Bobby Robert McBobberson • October 20, 2015 9:42 AM

Best Buy's store intercoms worked the same way in the mid-2000s. It wouldn't surprise me if it still worked like that today. Even if it didn't work from an outside line, all you would have to do is dial the right extension from a phone inside the store and you have intercom access - granted it would be much easier to locate within the store vs an outside caller.

Gerald Edwards • October 20, 2015 1:47 PM

A lot of office buildings built in the 1980s and 1990s installed lighting systems that could be telephone controlled. Employers would often give out usage instructions to employees who sometimes worked off-hours so they could turn on and off different sections of lights.

kingsnake • October 20, 2015 2:53 PM

When cordless phones were still a thing -- about 20 years ago -- I could stand at a certain place in my apartment (door frame seemed to work best) and monitor other calls in my building, no hacks necessary ...

Eric • October 20, 2015 4:37 PM

There was a story about Los Alamos during the Manhattan Project. At one point they installed some sort of loudspeaker system over which various people could be paged.

Then there was one (or more) wiseacres who started paging Werner Heisenberg. Who at the time was believed to be working on the A-Bomb for the Germans.

MikeA • October 21, 2015 11:14 AM

This stuff was not always intentional. Our workplace (Mid 1980s) had the usual pranks like paging someone to call an "extension" that started with the (shorter) PA extension. Typically this would connect them to the PA in a _different_ building, so the occupants of that building could have more time to enjoy the show.

But there was apparently a way (Bug? Feature) that someone could accidentally conference an outside call to the PA, and if that PA was in another building they would not even know. One day there was a very interesting call broadcast in the engineering building, where a purchasing agent in another building was negotiating a vendor kickback.

The PBX manufacturer steadfastly maintained that this could not happen. Even when one of our guys, who was dating one of their employees, had some spare time while waiting for her, and conferenced "Dial A Prayer" into their own PA, from their lobby phone. OK, _that_ one was intentional.

BTW: These were folks who got their start building ruggedized minicomputers for the military et al.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.