Cellular phone firms lost millions to ingenuity of two hackers


Robert Dewayne Sutton wants to help stop the tide of fraud sweeping the cellular telephone industry. The 35-year-old clearly knows plenty about fraud. After all, he helped spark the crime wave in the first place.

Mr. Sutton is a computer hacker, a technical whiz who used an acquaintance's home-grown computer chip to alter cellular phones so that they dial for free. Mr. Sutton went into business selling the chips, authorities say, and soon fraudulent cellular phone calls were soaring nationwide.

In February 1989, federal agents finally nabbed Mr. Sutton in his pickup truck at a small Van Nuys, Calif., gas station. He was about to sell five more of the custom chips to a middleman. But by then it was too late. The wave of fraud Mr. Sutton had helped launch was rolling on without him.

All those free calls are adding up: Experts say the industry is out about $200 million a year -- more than 4 percent of annual U.S.revenue -- because of fraud involving cellular phones, which transmit calls via high-frequency radio waves. Cellular industry investigators and the U.S. Secret Service, which handles phone crime, have uncovered numerous scams along with Mr. Sutton's, including instances where access numbers of legitimate customers have been stolen from phone company offices.

"Our fear is that cellular fraud could reach $600 million next year ,, and that there are no security departments at the cellular companies to deal with it," says Earl Devaney, who is in charge of the Secret Service's fraud division. "Managers are just waking up to the problem."

Mr. Sutton, on the other hand, spotted the opportunity some time back. About seven years ago, the soft-spoken chain smoker, who liked to tinker with motorcycles, took a used computer as partial payment for a car he sold. It proved a watershed event in his life. Soon Mr. Sutton was programming the thing like an expert. "I knew I wasn't an idiot; anything I do I'm pretty good at," he says in an interview.

His foray into computers soon led to the soul of the machine itself: the memory chips that produce the programs. Mr. Sutton, who lives in Saugus, Calif., taught himself to "burn," or reprogram, a chip, a complicated process that involves electronically altering the chip's software. It also led to swapping tips with other hackers, such as Kenneth Steven Bailey, an acquaintance who lived in Laguna Niguel, Calif.

It was Mr. Bailey, investigators say, who actually cracked the cellular system. In early 1987, Mr. Bailey allegedly took apart a Mitsubishi cellular phone and discovered that he could use a personal computer to rewrite the software in the phone's memory chip. Authorities say his new program made it possible to change the phone's unique electronic serial number, which tells a cellular phone company's computers to accept a phone call and let it pass. By replacing the factory's chip with one of Mr. Bailey's homemade devices, a user could gain free access to the phone system.

Keen to control his new market, Mr. Bailey allegedly included a security check in his program that forced users to return to him each time they wanted to transfer the program to a new phone, investigators say. That way, the program couldn't be copied.

But fate worked against Mr. Bailey, investigators say. One night, during a party, he allegedly asked Mr. Sutton's help in rebuilding a portion of his computer. In the course of his tinkering, Mr. Sutton ran across Mr. Bailey's special program, investigators say. He decided to copy the program but made one crucial omission: He left out the electronic security check.

Now Mr. Sutton had a much-in-demand program, which authorities say he eventually sold for several hundred dollars a copy. (Mr. Sutton denies he sold the chips, though he admits to making them.) But he also had no control over its spread: Anyone who had a copy could now duplicate it at will. Soon, the program was spreading like wildfire across the country.

Pirate phone operations sprang up from Queens County, N.Y., to Southern California. Simply give a few dollars to the guy in the parked car with the blacked out windows, police say, and he'll let you hop into his back seat and call anywhere in the world for 15 minutes.

"Top-level cocaine traffickers and money launderers have these phones," says Patrick McCurry, a lieutenant in the San Bernardino, Calif., Sheriff's Office. "In fact, we haven't arrested anyone recently with a legitimate cellular phone."And all of the altered chips can be traced back to the basic Bailey-Sutton design, the police say.

Now law enforcement authorities in other countries believe other hackers are programming knock-off chips of their own. Scotland Yard, the police and British Telecom, the telephone company, meanwhile, have been scouring England for thieves who are stealing close to 50,000 phones a year and altering many of them to filch free cellular calls. The revamped phones, which include altered chips of a different design, are turning up in other places, too, such as Ireland, Spain and Hong Kong.

Cellular companies are understandably loath to admit how deeply their systems have been penetrated, and generally play down the problem. A spokesman at the Cellular Telecommunications Industry Association in the U.S. says a special software "patch" designed last year by the Secret Service to cut off bogus calls has stopped most of the fraud. "Is there fraud? Absolutely," says Lee Kaywork, president of Metro One, Paramus, N.J., a cellular phone marketing company. "But the industry has responded quickly to stay on top of it. CTIA has done a nice job. We've responded with electronic fixes."

But Mr. Sutton just chuckles. If the patch were working, he says, "it would have taken effect immediately in the L.A. basin area and it hasn't." Tom Truesdale, director of revenue assurance at PacTel Cellular, a unit of Pacific Telesis Group, says that of eight different ways people are known to circumvent cellular security systems, the patch only stops three.

"That patch is just what the name implies -- a temporary remedy," adds fraud investigator Michael Guidry of Texas-based Guidry Associates. Mr. Guidry, a former Texas state trooper who was one of the first investigators to crack cellular scams, says the different cellular networks across the country are often incompatible, and that's hampered the installation of the patch nationwide.

Indeed, unlike the old Bell system, which was homogeneous, the cellular systems have no method of cross-checking data bases, which complicates matters further. Most cellular systems allow any electronic serial number to pass through when a call is initially dialed. If the security computer then finds that the number is bogus, it cuts off the call after a few seconds. But when a customer enters a calling territory beyond his regular service area -- goes "roaming," in industry parlance -- sometimes the security system can't react fast enough to kill the fraudulent call at the start.

It was that gaping hole in the cellular network that investigators say Mr. Bailey exploited. He simply fooled the security systems into thinking each initial call was a roaming call. Fitting the phones with the counterfeit chips is, moreover, so simple that investigators had a hard time cracking the Bailey and Sutton cases.

They began by tailing a cellular phone installer, Dennis Allen, who investigators say was distributing phones that had been fitted with Messrs. Bailey's and Sutton's pirate chips. Then in December 1988, the Secret Service and the Los Angeles Police Department set up a sting.

An undercover informant gave Mr. Allen some legitimate phones to be reprogrammed with the new devices. One of the phones, however, had been fitted with a tiny transmitter. The Secret Service and the police then followed Mr. Allen using a police helicopter as he took the phones to a meeting with Mr. Bailey at a Denny's restaurant near the Orange County airport. The agents watched as Mr. Allen later left the meeting, walked out to his motorcycle, fumbled around in his saddle bags and then left.

Mr. Allen later turned the phones over to an informant, who he thought was a customer, and investigators were shocked to find out the phones were already altered. "Obviously he altered the phones while they were in his saddle bags," said one official involved with the case.

Not long after, the informant gave Mr. Allen a phone secretly fitted to send out a signal when it was opened. The sting climaxed in February 1989 at the Van Nuys gas station, where the signal sounded and federal agents arrested Mr. Allen and Mr. Sutton. Mr. Bailey was picked up several weeks ago after spending time out of the country.

When the dust settled in U.S. District Court in Los Angeles this April, Mr. Sutton pleaded guilty to production of counterfeit access devices and, after agreeing to cooperate with investigators, was sentenced to three years' probation and a $2,500 fine. Mr. Allen got the same sentence after pleading guilty to conspiracy to produce counterfeit access devices. Mr. Bailey hasn't yet been tried. He couldn't be reached for comment, but his attorney says he has pleaded not guilty and that "there's a lot more to the case than meets the eye." She wouldn't elaborate.

But in adversity there is opportunity, or so believes Mr. Sutton. He says he's got a marketable expertise -- his knowledge of weaknesses in cellular phone security systems -- and he wants to help phone companies crack down on phone fraud. He'll do that, of course, for a fee.

Copyright © 2020, The Baltimore Sun, a Baltimore Sun Media Group publication | Place an Ad