VICUG-L Archives

Visually Impaired Computer Users' Group List

VICUG-L@LISTSERV.ICORS.ORG

Subject:
From:
Peter Seymour <[log in to unmask]>
Reply To:
Peter Seymour <[log in to unmask]>
Date:
Fri, 27 Feb 2004 04:02:37 -0800
Content-Type:
text/plain
Parts/Attachments:
text/plain (367 lines)
Three Blind Phreaks

How the phone-phreaking Badir brothers ran rings around Israel's
telcos for six scam-filled years.

By Michael Kaplan
www.wired.com/wired/archive/12.02/images/FF_84_phreaks_2.jpg

Inside the chintz-filled living room of the Badir family's neat
and modest home, a feast of freshly roasted chicken, saffron
rice, and seasoned vegetable stew perfumes the air. Friends and
relatives pour through the front door to congratulate 27-year-old
Munther "Ramy" Badir. He's just been released from prison after
serving 47 months for computer-related crimes. Outside, Islamic
prayers resonate from speakers on a truck moving slowly down the
dusty streets of Kafr Kassem. Everyone in this Israeli village -
populated mostly by Arabs - appears ecstatic to have Ramy back.

But he does not see their smiles. Ramy, along with two of his
three brothers, has been blind since birth due to a genetic
defect. He and his sightless brothers have devoted their lives to
proving they can out-think, out-program, and out-hack anyone with
vision. (Their sighted brother, Ashraf, is a baker with no tech
leanings.) They've been remarkably successful. Ramy says dryly,
"A computer that is safe and protected is a computer stacked in a
warehouse and unplugged."

Israeli authorities agree. The 44 charges leveled against Ramy,
Muzher, and Shadde Badir in 1999 included telecommunications
fraud, theft of computer data, and impersonation of a police
officer. The brothers' six-year spree of hacking into phone
systems and hijacking telephone time ended when they were
convicted of stealing credit card numbers and breaking into the
Israeli army radio station's telephone system to set up an
illicit phone company. Unwitting customers - mostly Palestinians
on the West Bank and Gaza Strip - paid the fake telco for long
distance calls that were billed to the radio station. A lawyer
close to the case said that the Badirs' scams pulled in more than
$2 million.

Ramy, the leader and most technologically savvy of the brothers,
was the only one sentenced to prison. Muzher, 28, was ordered to
perform community service for six months; Shadde, 22, received a
suspended sentence - not because he was innocent, the judge made
clear, but because of his age.


Those targeted by the Badirs feel less charitable. Yekutiel
"Kuty" Lavi, a security specialist at Bezeq International,
Israel's largest telco and a frequent victim of the Badirs,
angrily complains, "Every day people try to steal from us, but
nobody has ever stolen from us the way the Badirs did. When they
dial, they use the middle finger."



The Badirs pulled off Mamet-worthy phone cons, employing cell
phones, Braille-display computers, ace code-writing skills, and
an uncanny ability to impersonate anyone from corporate suits to
sex-starved females. On the phone, the brothers morph into verbal
007s, intimidating men, seducing women, and wheedling classified
information from steely-voiced security personnel. The phone
phreakers' term for this is "social engineering": using a
combination of brains and guile to obtain codes for trespassing
into systems to rejigger them via strings of touch-tone code.
Combine this talent with supersensitive hearing - the brothers
can dissect an international connection the way wine experts pull
notes from a glass of Bordeaux - and you have what Bernies, a
legendary phreaker and contributor to the hacking journal, calls
"a formidable skill set."



At one point during my visit with the Badirs, I pull out my cell
phone and make a call. Before it even connects, Shadde, who is
sitting across the room, recites all 12 digits perfectly.



Ramy smiles at the parlor trick. "It used to be disgusting to be
blind," he says. "Today, you scare people. You possess skills
that those with sight cannot possibly understand."



Two hours into an afternoon-long interview with the
Hebrew-speaking Badirs, my translator's lips lock. He shrugs and
tells me that the Badirs have shifted into a secret code. Ramy
later explains that as kids he and Muzher developed their own
language - reordering letters in mathematically complex ways -
after they discovered that other boys were snooping on their
conversations. "People said that God cursed our mother by giving
her three blind sons," recalls Ramy. "Children beat us on the
backs of our legs. Those abuses left scars on our hearts. But
they also forced us to grow stronger."



The young Badirs closed ranks and vowed that their blindness
would never be an impediment. They taught themselves to take
apart telephones, to mimic voices and verbal tics, and to get
around Tel Aviv without canes or guide dogs. They became obsessed
with technology and telephones. After encountering their first
computer, in 1989, at Tel Aviv's Center for the Blind, Ramy and
Muzher became enchanted with the IBM clones. They hung around Tel
Aviv University while working, with little success, as software
and telephone consultants; their early crimes were the phreaker
equivalent of shoplifting a Hershey bar.



But Ramy was too ambitious to stop there. "I taught myself to
program in all the languages: C, C++, Basic, Java, HTML, PHP,
CGI. I built my own black boxes, blue boxes, and red boxes,"
which, respectively, circumvent billing, generate tones to place
free calls, and simulate pulses triggered by money dropped into a
pay phone. "I used those boxes to get into and decode phone
systems."



In 1993, Bezeq technicians caught the Badirs snagging telephone
time for their own use. Things quickly escalated when the
brothers obtained the codes to break into PBXs - private branch
exchanges - belonging to Bezeq and to the Israeli headquarters of
Comverse, Intel, Nortel, and others. PBXs are the computerized
nerve centers that operate phone systems; they are designed to be
repaired, updated, and altered remotely by technicians using
touch-tone codes.



"The Badirs regularly called Bezeq, pretending to be engineers in
the field," recalls Eyal Raz, who worked in the telco's
international anti-fraud unit from 1994 to 1999. "They called
secretaries and said, 'I need to get in to do a repair. You need
to give me the number and password.' Sometimes they succeeded, or
else they'd get only the number and try to break the password by
using proprietary programs." At other times, a secretary would
simply key in the code, providing what seemed like onetime access
but actually enabling the brothers to hear touch tones and
translate them into numbers they could then use whenever they
pleased.



The three used their access to devise an elaborate moneymaking
scheme. According to Raz, during the mid-1990s the brothers made
a deal with a phone sex outfit based in the Dominican Republic.
They would be paid for driving calls to the service. The Badirs
made the calls themselves, but the lines were rigged so that
Comverse and Nortel were billed by the phone sex service.



At the time there were no computer crime laws in Israel, so Bezeq
took it upon itself to try to short-circuit the Badirs. "At one
point I asked an engineer to block three lines that the Badirs
had opened up for themselves," recalls Raz. "They knew that I had
put the blocks on. So a couple days later, one of them phoned the
engineer and said, 'This is Eyal Raz. Please unblock those three
lines.' The engineer, who knew my voice, believed it was me. He
unblocked the lines." Raz shakes his head, showing grudging
admiration. "These are very clever boys."

In 1995, the Badirs turned their attention to a business closer
to home. Their target was Israeli phone sex mogul Ben Zion
"Bency" Levy, who maintained a database of thousands of customer
credit card numbers. Ramy and his brothers went to work on Levy's
secretary, patiently convincing her to provide the information
that would allow them to unlock the credit card numbers and PINs.

"We knew to approach her gently and break through her
psychological barrier," says Muzher. "We had her tell us clues
that would lead to the password of her boss's computer."

"I figured out the personality of her boss, learned the numbers
that were meaningful to him, and used those numbers to get into
his system remotely," says Ramy. In the end, the Badirs seized
some 20,000 credit card numbers - and, after being confronted by
Levy, caused all of his telephones to ring continuously with no
caller on the other end of the line.

In 1996, Levy reported the scam to Israel's National Fraud Unit.
The following year, a file of Badir-related complaints -
including Levy's - landed on the desk of David Osmo, an
investigator with Israel's national police force. Osmo met with
Ramy and recalls being amazed at the speed of the young man's
fingers on a phone keypad when he made a call. "I told him he is
a smart person who should use his intelligence for good things,"
Osmo says. "Return back to society," he urged.

Ramy remembers his response to Osmo: "You can chase me for 20
years and you will not find anything to convict me on."

The Israeli Army Radio Station is guarded as if it were a
military base. Occupying four floors of a dirty white building on
a busy two-lane street in Jaffa, the station is protected 24/7 by
a half-dozen armed recruits. In 1998, the brothers joined forces
with a group of Jewish and Arab scam artists, and targeted the
station, intending to hijack phone lines and sell call time on
them.

Although they were convicted of participating in the scheme, the
brothers deny they were involved. Ramy is nonetheless willing to
speak knowledgeably about the con. "These were among the most
protected lines in the Middle East," says Ramy. "They had a lot
of scrambling, and big technology is required in order to get
in."

Why an army outpost? "Those lines cannot be tapped by the police,
so there is no monitoring," explains Ramy. "These are the safest
lines on which to do something like this."


Authorities maintain that Ramy broke into the army radio
station's phone system and activated a dormant function called
direct inward systems access, which allows long distance calls to
be placed remotely and charged to that particular phone account.
He structured the DISA so that as many as 281 people would be
able to make telephone calls simultaneously on that single line.



Once the long distance access was in place, the Badirs' partners
set up a switchboard inside a shack in an orange grove in Jaffa.
Voila, instant phone company. Customers placed calls from kiosks
along the Gaza Strip, from cloned cell phones, or directly from
their homes; these were routed from the switchboard to the radio
station's DISA. The Badirs and their partners billed customers
for the calls, while the actual costs were absorbed by the radio
station.



It wasn't long before the station realized its bills were
excessive and contacted Bezeq. The company's security specialists
joined with the Israeli national police in an investigation. They
raided the orange grove, arresting several low-level workers at
the shack. Only after one of them mentioned that the lines had
been set up by blind technicians, says one source close to
police, did the probe turn to the Badirs.



At the time, Ramy and his brothers were already in the cross
hairs. Suspects in numerous telecommunication crimes, their home
phone was frequently tapped by the national police. They reviewed
the tap transcripts and spent a year investigating the brothers,
hoping to find incontrovertible links between them and the pirate
phone company. An intense cat-and-mouse game developed: the
Badirs on one side, with fraud investigator David Osmo and
prosecutor Doron Porat on the other.


While Porat was working on the case, his car's GPS system and
email were repeatedly hacked. "There was a message waiting for
him with his password in it," says Ramy, sounding quite pleased.
"After that, he changed his password every hour before giving up
on email altogether and using a typewriter." The brothers
reportedly contacted Israel's DMV and registered Osmo's car under
another name, causing embarrassing problems for the investigator
when he tried to sell his vehicle.



"The police experienced bad luck," notes Ramy. "Their telephone
systems went down, their computers developed bugs. Osmo got big
bills for calls that he hadn't made. He believed we were always
listening in on him. Sometimes Osmo spoke on the telephone and
other calls came across the line as he tried to talk." Ramy
smiles devilishly. "He found that to be very annoying."



Ironically, even as they knew the degree to which they were being
pursued, the Badirs did not show a lot of restraint over the
telephone. "This was our mistake," admits Ramy, who believed that
some of his phone lines were secure. "We knew the police were
chasing us and trying to catch us. Our overconfidence led us to
think they would never do it."


On June 14, 1999, 14 police officers raided the brothers' home in
Kafr Kassem. Though they found a safe containing more than
$14,000 worth of Jordanian dinars, investigators did not uncover
an expected treasure trove of hardware, software, and notes in
Braille. "It's all in our heads," asserts Ramy. "The police took
my laptop, which contained programs for running through thousands
of numbers very quickly, but I had it designed to erase
everything on the hard drive if it was opened by somebody other
than me. They lost all the material."

Ramy, Muzher, and Shadde were arrested on a variety of charges
relating to computer fraud in connection with their hacks of the
radio station and Bency Levy's phone sex operation. Police took
them from their home in wrist and leg cuffs, but even in custody,
they could not help but show off by conversing in their secret
language and announcing telephone numbers that were being keyed
in by law enforcers. "When Doron Porat stood next to me," adds
Ramy, "he took the battery out of his cell phone."

Ramy was jailed throughout the trial, which dragged on for 27
months and took the prosecutors way beyond their depth of
technological expertise. Porat and his team eventually quit
trying to explain how the Badirs did what they'd been charged
with and focused instead on simply proving they did commit acts
like breaking into a phone company switchboard.

In her November 2001 ruling, judge Saviona Rotlevi went easy on
Muzher and Shadde but found Ramy guilty of 20 counts concerning
Israeli cyberlaw, 4 counts of telecom law violation, and 15
counts of other crimes. The judge sentenced him to 65 months in
prison. Among his restrictions: All of his calls were to be made
with the assistance of a guard so that he would never touch a
telephone keypad.

After nearly four years behind bars, Ramy was released when a
judge ruled he'd served enough time. He marks his second day of
freedom by repairing with Muzher and Shadde to a small cafe on
the edge of Kafr Kassem. Inside, the brothers order bottles of
orange juice and three water pipes. They puff deeply, releasing
plumes of fruity-smelling tobacco smoke.

Despite his years in prison, Ramy appears to have no financial
worries. Upon arriving home, he promptly ordered a $20,000
Braille-display computer from Germany. He also spent a couple of
hours checking on the construction of his new four-story house.
Workers broke ground on it while he was still in prison;
completion was scheduled to coincide with his original release
date. It's a sprawling, solid-looking place, situated on a prime
corner lot in the center of Kafr Kassem. The top floor will be a
high tech penthouse where Ramy can hatch his next move.

And what will that be? Ramy claims a couple of juicy software
programs that he began developing in prison are in the pipeline.
"I am inventing a PBX firewall," he says. "I know all the weakest
spots of a telephone system. I can protect any system from
infiltration."

Ramy says there are major companies interested in his new
software. He talks about big money and big meetings. But he
refuses to show what he's working on and won't name anybody who's
backing him. One person who sounds perfectly game to be involved
is the brothers' old nemesis Eyal Raz. "If he can build that,
he'll become a billionaire," predicts Raz, who now works for a
Tel Aviv-based phone security firm called ECtel. "The Badirs know
so much and are so talented that I would happily use them as
consultants."

Ramy insists he has outgrown the scams: "I am going to the other
side, coming up with devices that will keep the phreakers out."

You want to believe him, you really do. Maybe it's the truth. Or
maybe it's a sweet bit of social engineering designed to generate
positive press and position the Badir brothers for their next
spree.


VICUG-L is the Visually Impaired Computer User Group List.
To join or leave the list, send a message to
[log in to unmask]  In the body of the message, simply type
"subscribe vicug-l" or "unsubscribe vicug-l" without the quotations.
VICUG-L is archived on the World Wide Web at
http://maelstrom.stjohns.edu/archives/vicug-l.html

