Cryptanalysis of phone numbers stations

Over the past month or so, a person or persons unknown have posted three messages on the popular Craigslist web site with telephone numbers which, when called, played automated recordings of long strings of numbers reminiscent of numbers stations which had been heard on shortwave radio for decades.

Many amateur cryptanalysts have tried their hand at cracking the code in these messages, and since they seem to be stumbling all over each other and missing things, I’m going to try to gather what I think is the best available information here.

First, I should note that the professional cryptanalysts have been here and downloaded the three messages as well. I’m also fairly sure that the cipher in use is simple enough that they would have cracked the messages days ago. Unfortunately, they can’t really tell us what’s in the messages, even if it did turn out to be a prank or viral marketing scheme, which I rate as highly unlikely.

If you haven’t seen or heard the actual messages yet, much of this won’t make sense, so you should probably go get copies of all three before reading: 212-796-0735, 415-704-0402, 678-248-2352.

Note also that none of the numbers are in service anymore. Each message pointed to a pre-paid VoIP account with an apparently different provider each time, and the curiosity generated by the publication of the numbers quickly overwhelmed the fairly small balance on each of the accounts. This is why I’ve preserved an archival recording of each number as it was heard. The message on each remained the same throughout the short lifetime of each number.

Some people think that waveform analysis would be useful in finding any hidden data streams in the message, but I personally think this is a waste of time, as each message has been transcoded several times from its original recording by whoever sent the message, through its transmission across the Internet, and its recording here. I used the Asterisk softswitch to record the calls, and it recorded them in 8 kHz GSM format. They have been upsampled to 22 kHz MP3, as a transcoded 8 kHz MP3 was completely unintelligible. This is why I think no useful information will be found by this method: it would be completely trashed by numerous transcodings before it ever hit my PBX, and garbled again when I transcoded it to archive it here. (Feel free to keep at it, though; those lines are pretty to look at.)

There was initial speculation, after the second message appeared, that the “Group” number in the message referred to the area code of the city in which the next message would appear, as the first two matched such a pattern. However, the third message did not follow this pattern. It also has some differences from the first two, which are noted below. The actual significance of the Group number, if any, is not yet known.

The numbers themselves were read in groups of five digits, twice for clarity, as is customary with this type of message delivery. Several people noticed, however, that a clear pattern emerged when the numbers were broken into groups of three: They all fell within the range of 0 through 125. This range can be represented within seven bits. Many numbers within that range appear to be entirely unused in any of the three messages, and across the three, only 73 unique numbers appear.

To date, however, people’s attempts to apply classical ciphers to these messages have not taken this into account. If the messages use a weak cipher, such as a Vigenère, four-square or straddling checkerboard cipher, then it would likely be a variant of such a cipher which uses a range of 0 through 125 (or 127), rather than a range of A through Z, or whatever other range. Further work along these lines should take this into account.

Most people are convinced that the number 0 (or 000) is a terminator of some kind (e.g. a full stop). I am not at all convinced of this, and I believe analysis should take into account the possibility that it is not a terminator. If there are such terminators in the messages, they could be any of the numbers.

Several people have suggested that the messages might use some sort of stream cipher. This seems fairly unlikely due to the frequency of the numbers seen, but it could be possible.

Frequency analysis of each of the messages suggests that the cipher being used is not at all strong by today’s standards, and is probably in fact very simple. However, the frequencies are somewhat different for each of the three messages, suggesting that each has a different key. What the key is and how it is applied remains unknown.
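The regrouping into threes and the frequency check described above can be reproduced with a few lines of Python. This is an added example, not code from the original post; the sample transmission is constructed (plain ASCII codes of a made-up sentence, read out in groups of five) and is not one of the three recorded messages.

```python
from collections import Counter

def regroup(groups, width=3):
    """Join the groups as read aloud, then re-split the digit stream."""
    digits = "".join(groups)
    if not digits.isdigit():
        raise ValueError("transcription contains a non-digit")
    usable = len(digits) - len(digits) % width
    symbols = [int(digits[i:i + width]) for i in range(0, usable, width)]
    return symbols, digits[usable:]        # leftover digits, if any

def profile(symbols, alphabet_size=128):
    """Range, distinct-symbol count and index of coincidence (IC)."""
    counts = Counter(symbols)
    n = len(symbols)
    if n < 2:
        raise ValueError("need at least two symbols")
    ic = sum(c * (c - 1) for c in counts.values()) / (n * (n - 1))
    return {
        "min": min(symbols),
        "max": max(symbols),
        "fits_7_bits": max(symbols) < alphabet_size,
        "unique": len(counts),
        "top": counts.most_common(5),
        "ic": ic,                          # about 1/128 for uniform random symbols
    }

def as_five_digit_groups(text):
    """Build a constructed transmission: 3-digit codes read in fives."""
    stream = "".join(f"{ord(ch):03d}" for ch in text)
    return [stream[i:i + 5] for i in range(0, len(stream), 5)]

# Constructed sample input (20 characters -> 60 digits -> 12 groups).
SAMPLE_TEXT = "MEET ME AT THE DOCK."
SAMPLE_GROUPS = as_five_digit_groups(SAMPLE_TEXT)

if __name__ == "__main__":
    for width in (3, 5):
        symbols, leftover = regroup(SAMPLE_GROUPS, width)
        print(width, leftover or "-", profile(symbols))
```

Running it shows why the three-digit grouping stands out: read as fives the values run into the thousands, while as threes they all fit in seven bits and the IC sits far above the 1/128 expected from a uniform stream.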

It’s not solved yet, but it looks like progress is being made. I personally think the best line of attack for now is to create variants of known classical ciphers which operate in the range of 0-127 rather than A-Z, apply attacks appropriate for each type of cipher, and see if anything comes up.
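As an added illustration of that line of attack (not code from the original post, and not a claim about the cipher actually used), here is a Vigenère variant working modulo 128 together with a simple key-recovery attack. The attack assumes the plaintext consists only of spaces and capital letters; the plaintext, the key and the names `PLAIN_SET`, `best_shift` and `recover_key` are all constructed for the example.

```python
MOD = 128                                  # 7-bit symbol range instead of A-Z
PLAIN_SET = {32} | set(range(65, 91))      # assumption: space and A-Z only

def vigenere128(symbols, key, decrypt=False):
    """Add (or subtract) the repeating key to each symbol, modulo 128."""
    sign = -1 if decrypt else 1
    return [(s + sign * key[i % len(key)]) % MOD for i, s in enumerate(symbols)]

def best_shift(column):
    """Shift that maps the most symbols of one key column into PLAIN_SET."""
    def score(k):
        return sum((c - k) % MOD in PLAIN_SET for c in column)
    k = max(range(MOD), key=score)
    return k, score(k)

def recover_key(cipher, max_period=8):
    """Try each period; keep the shortest key whose columns decrypt best."""
    best_key, best_total = [], -1
    for period in range(1, max_period + 1):
        picks = [best_shift(cipher[i::period]) for i in range(period)]
        total = sum(score for _, score in picks)
        if total > best_total:             # strict: longer keys must do better
            best_key, best_total = [k for k, _ in picks], total
    return best_key, best_total

# Constructed sample, not one of the three recorded messages.
SAMPLE_PLAIN = "THE DOCK AT NINE BRING THE KEYS"
SAMPLE_KEY = [17, 101, 64]
SAMPLE_CIPHER = vigenere128([ord(ch) for ch in SAMPLE_PLAIN], SAMPLE_KEY)

if __name__ == "__main__":
    key, hits = recover_key(SAMPLE_CIPHER)
    plain = vigenere128(SAMPLE_CIPHER, key, decrypt=True)
    print(key, hits, "".join(map(chr, plain)))
```

The same column-by-column scoring works for any guess about the plaintext alphabet; only `PLAIN_SET` changes.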

On a somewhat related note, both 2600 Magazine/Off The Hook/Hackers On Planet Earth and Blinkenlights have denied any knowledge of or involvement in these messages.

While I’d love to get deeper into this mystery myself, time constraints prohibit me from doing so. However, I am monitoring every single city on Craigslist, and if another valid message appears, I will post again. Several fake messages have appeared, with numbers ranging from the Fremont (Calif.) Police Department to the Federal Reserve Bank of Boston to some guy’s cell phone. And he’s going to have one hell of a bill next month. If you see another message on Craigslist, you should assume it is fake and not call the number. Unless, of course, you know how to verify that it’s a pre-paid VoIP account without calling the number and possibly running some other person’s cell phone bill into the stratosphere. (After spending years working for various phone companies, and years more before that doing things I can’t tell you about, I do know how to do this.) If a real message appears, I’ll post it within 24 hours.

If you solve one or more of the messages, and they appear to contain sensitive information that should not be immediately made public, do not post the solution here. Instead, forward the solution along with your cryptanalysis to your nearest Federal Bureau of Investigation field office. (If you are outside the U.S., contact the Legal Attaché at your nearest American embassy or consulate instead.) Or just use their nice online form. If you post a decrypted message that appears to contain sensitive information, it will be removed and forwarded to the FBI anyway.

On the other hand, if the message shows cryptographers writing love notes to each other, Congressmen arranging for prostitutes, a promotion for a television show, or the location of the buried Volvo, then by all means post it here for everyone to enjoy.
