Protel 8000 spyware

Started by MaximRecoil, April 06, 2024, 04:38:24 AM

MaximRecoil

Over the past several days I've come to the conclusion that Protel put spyware on their model 8000 chassis, and probably other models as well.

For as long as I've owned my payphone (since 2012) it has autonomously called a number at a little past midnight. When I asked someone at Payphone.com about it (they programmed it for me when I first got it), they denied that it was even happening. "They don't do that," they said. Well, it's certainly not my WE 500 or 554 rotary phones that are doing it.

I figured that once I had the means to program the Protel chassis myself then it would be easy to make it stop, but as it turns out, there's apparently no way to make it stop, which means it's spyware, because it's calling a number every night that the payphone owner never told it to call, and doesn't even have the option to make it stop. In fact, the number that it dials (1-800-644-5551) appears nowhere in ExpressNet. There is a "reporting number" in the Options & Registers section that you can fill out, which is supposed to be the number that the payphone calls to report back to the computer, but it still calls that 1-800-644-5551 number no matter what you put in for the reporting number, and even if you leave the reporting number blank (it's blank by default).

Furthermore, I added 1-800-644-5551 to the restricted numbers list in ExpressNet, then programmed it into the payphone, then tried to call that number from the payphone to confirm that it was now blocked. I got an "Error 49" which means:

Quote
Call Denied - Phone is set up to deny calls placed to this destination number.

So the programming of the restricted number was successful, but guess what: the payphone ignored the fact that it was a blocked number and successfully dialed that number again tonight, yet it's still blocked if I try to dial it manually. So it has all of the hallmarks of spyware, including evading attempts to block its activities.

The only way to make it [temporarily] stop is by picking up its handset while it's dialing, but of course, it will just do it again the next night. And it's something that can easily go unnoticed, because there's nothing to indicate that it's doing it. You have to have another phone connected to the same phone line and happen to pick up its handset while it's doing it, at a time when most people are sleeping.

That 1-800-644-5551 number leads to some shady place that presents you with offers for various things, such as car insurance and pest control services, but at one time it must have been owned by Protel.

Protel hasn't replied to the two emails I've sent them about it, which doesn't surprise me, because they wouldn't answer any questions I asked them a dozen years ago when I called them on the phone either. They said they were trying to get away from payphones (even though they still mention payphones on their website to this day).

If anyone wants to hear what it's doing, I've attached a recording of it, which I made through a WE 500 that's connected to the same phone line as the payphone. For some strange reason it always dials that 1-800-644-5551 number very slowly (even though it's perfectly capable of speed dialing), so it takes it 53 seconds to dial the number; you can skip the first 53 seconds to just hear the call.

ka1axy

That number has likely been reassigned, but was once a Protel number. I suspect there may be no one at Protel who remembers what that number did, which is why you're not getting any answers.

Diagnostics and/or statistics would be my guess. It might be interesting to "answer" the call with a 103-type (2225 Hz) modem, and see if the Protel phone sends a (1270 Hz) modem tone. That would only get you so far, though, because the phone is probably looking for a login prompt to the (now defunct) Protel server.

I used to do communications engineering, and the above is my educated guess as to what's happening. I don't think there's anything devious going on, only that the code is still there for something that doesn't exist any more.

MaximRecoil

Quote from: ka1axy on April 06, 2024, 05:03:03 AM
That number has likely been reassigned, but was once a Protel number. I suspect there may be no one at Protel who remembers what that number did, which is why you're not getting any answers.

I haven't asked them what the number did; I asked them how to make the phone stop calling it. After looking through every single page of ExpressNet forty-eleven times, I've come to the conclusion that there is no way to make it stop.

Quote
Diagnostics and/or statistics would be my guess. It might be interesting to "answer" the call with a 103-type (2225 Hz) modem, and see if the Protel phone sends a (1270 Hz) modem tone. That would only get you so far, though, because the phone is probably looking for a login prompt to the (now defunct) Protel server.

I have no way of answering its call. All of the tones it sends are DTMF. First it dials 800-644-5551, which connects it to that shady place. Then it dials 800-644-5551 again, which makes no sense, and then it dials 800-644-5551 again, which also makes no sense (it doesn't hang up before dialing it again, it just dials it again while the recorded voice menu from that shady place is playing). Then you hear brief dialup modem sounds and it hangs up. It's all there on the recording that I attached.

Quote
I don't think there's anything devious going on, only that the code is still there for something that doesn't exist any more.

It is devious, because the phone belongs to its owner, not to Protel, and the owner should have full control over whether or not the payphone autonomously makes calls, and over what phone number it makes those calls to. It's spyware because it's trying to send data without any authorization whatsoever from the payphone's owner, and even explicitly against the payphone owner's wishes (only the fact that the number has been reassigned prevents it from successfully sending data). Protel has no logical right to access data without permission, from a payphone that they don't own. On top of that, it being able to successfully dial a number that's on its own blocked numbers list is devious in and of itself.

G-Man

I doubt that it is something nefarious on Protel's part.
 
Even if they did program the number to call into their maintenance center, permission was probably granted in the fine print in the sales contract, under terms and conditions.
 
And why would Protel want tens of thousands of payphones calling into their center each and every night to report their condition and usage?
 
The cost would have been horrendous, not to mention the logistics of the number of servers and related equipment and telephone lines!
 
If anyone would have this frequency of interest, it would have been the COCOT operator and not the manufacturer.
 
I have to wonder though if Expressnet is attempting to alert Protel that someone is using an unauthorized copy (now moot) of its programming software?
 
I know this will most likely fall on deaf ears, but if I was concerned about this matter, instead of casting what so far are unsubstantiated aspersions about Protel, I would have a conversation with Jim Engle, a retired head of Cincinnati Bell's payphone division and since the operator of his own COCOT and an expert on Protel instruments.
As far as reaching "Emma" at station 12, I suspect that while continuing to dial after the call was answered, the IVR connected to "her" extension.
https://www.reddit.com/r/Payphone/comments/1bqh9zw/who_is_my_payphone_trying_to_call_after_midnight/
 

MaximRecoil

Quote from: G-Man on April 06, 2024, 08:43:20 AM
I doubt that it is something nefarious on Protel's part.

I don't. Stuff like this is pretty standard fare these days. Consider all the steps you have to take to make modern versions of Windows not autonomously "phone home" for example.

Quote
Even if they did program the number to call into their maintenance center, permission was probably granted in the fine print in the sales contract, under terms and conditions.

I'd like to see a copy of that.

Quote
And why would Protel want tens of thousands of payphones calling into their center each and every night to report their condition and usage?

I have no idea, only Protel could answer that, and they don't seem to want to talk about it.

Quote
If anyone would have this frequency of interest, it would have been the COCOT operator and not the manufacturer.

The COCOT operator couldn't have had anything to do with it, since it makes that call every night (or sometimes every other night; on some nights it only dials a zero and nothing else at 12:20 AM) even after the payphone has been initialized, which resets it to factory defaults. Also, the COCOT operator already has a place in ExpressNet to input a "reporting number" as well as a place to choose under which conditions the phone should call in to report (I've selected "no" on all of them, so it shouldn't be trying to report anything at all, ever), and those things make no difference whatsoever with regard to it calling the 800-644-5551 number at night.

Quote
I have to wonder though if Expressnet is attempting to alert Protel that someone is using an unauthorized copy (now moot) of its programming software?

No, because it does it even after initialization, i.e., with its factory default settings. It also did it with Payphone.com's programming, and presumably their copy of ExpressNet is authorized. Furthermore, ExpressNet isn't that sophisticated to begin with. It doesn't even have a security key that you have to input during installation, the same as a lot of, if not most, software from that era, including MS-DOS itself, which it runs on.

Quote
I know this will most likely fall on deaf ears, but if I was concerned about this matter, instead of casting what so far are unsubstantiated aspersions about Protel,

There's nothing unsubstantiated about it. It's a matter of deduction based on what I've observed from my payphone. It does it even with its factory default settings, and Protel gave it its factory default settings when they manufactured it. And even if there was some fine print about it somewhere (which hasn't been established), it is still shady to not allow it to be turned off, and for it to evade its own blocked numbers list. Even Windows allows its "phone home" "features" to be turned off, even though you have to dig deep to find some of them, such as setting certain group policies.

Quote
As far as reaching "Emma" at station 12, I suspect that while continuing to dial after the call was answered, the IVR connected to "her" extension.
https://www.reddit.com/r/Payphone/comments/1bqh9zw/who_is_my_payphone_trying_to_call_after_midnight/

Yes, that became apparent after I was able to record the call, decode the DTMF tones to find out the phone number, and call that 800-644-5551 number myself to listen to the recorded voice menu without the payphone's tones interfering with it. The recording of "Emma" comes on when you don't make any valid selections in their voice menu, to "assist" you. When I started that thread on Reddit, I hadn't yet recorded the payphone's call and didn't know what number it was dialing.
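The step described above (record the line, then decode the DTMF tones to recover the number the phone dialed) can be done offline in software. The following is an added example, not code from this thread, from Protel or from ExpressNet; it assumes the standard DTMF frequency table, a mono 16-bit PCM WAV (such as an Audacity export) for the file path, and builds a constructed test signal dialing the 1-800-644-5551 number from the thread.

```python
"""Goertzel DTMF decoder for a recorded phone line (added example, not from the thread)."""
import math
import struct
import wave

SAMPLE_RATE = 8000                          # Hz; telephone-grade audio suffices for DTMF
LOW_FREQS = (697, 770, 852, 941)            # keypad rows
HIGH_FREQS = (1209, 1336, 1477, 1633)       # keypad columns
KEYPAD = ("123A", "456B", "789C", "*0#D")


def goertzel_power(frame, freq, rate=SAMPLE_RATE):
    """|X(f)|^2 of one frequency component; valid for any f, not only DFT bins."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_key(frame, rate=SAMPLE_RATE, min_ratio=4.0, min_level=1e-4):
    """Key present in this frame, or None. A key is reported only when the strongest tone in
    each group beats the runner-up by min_ratio, so frames straddling a burst edge are skipped."""
    if sum(x * x for x in frame) / len(frame) < min_level:
        return None                                      # silence between digits

    def best(freqs):
        ranked = sorted(((goertzel_power(frame, f, rate), f) for f in freqs), reverse=True)
        (p1, f1), (p2, _) = ranked[0], ranked[1]
        return f1 if p1 >= min_ratio * max(p2, 1e-12) else None
    low, high = best(LOW_FREQS), best(HIGH_FREQS)
    if low is None or high is None:
        return None
    return KEYPAD[LOW_FREQS.index(low)][HIGH_FREQS.index(high)]


def decode_dtmf(samples, rate=SAMPLE_RATE, frame_len=205):
    """Walk the signal frame by frame; emit a digit once per tone burst."""
    digits, prev = [], None
    for i in range(0, len(samples) - frame_len + 1, frame_len):
        key = detect_key(samples[i:i + frame_len], rate)
        if key is not None and key != prev:
            digits.append(key)
        prev = key                                       # silence resets, so "00" decodes
    return "".join(digits)


def synth_dtmf(digits, rate=SAMPLE_RATE, tone_ms=70, gap_ms=70):
    """Constructed test signal: two-tone bursts separated by silence."""
    out = []
    for d in digits:
        row = next(r for r, keys in enumerate(KEYPAD) if d in keys)
        fl, fh = LOW_FREQS[row], HIGH_FREQS[KEYPAD[row].index(d)]
        out += [0.5 * math.sin(2 * math.pi * fl * n / rate) + 0.5 * math.sin(2 * math.pi * fh * n / rate)
                for n in range(rate * tone_ms // 1000)]
        out += [0.0] * (rate * gap_ms // 1000)
    return out


def decode_wav(path):
    """Decode a mono 16-bit PCM WAV file, e.g. an Audacity export of the night-time call."""
    with wave.open(path, "rb") as w:
        assert w.getnchannels() == 1 and w.getsampwidth() == 2, "expected mono 16-bit PCM"
        raw = w.readframes(w.getnframes())
        samples = [s / 32768.0 for s in struct.unpack("<%dh" % (len(raw) // 2), raw)]
        return decode_dtmf(samples, w.getframerate())


if __name__ == "__main__":
    print(decode_dtmf(synth_dtmf("18006445551")))        # 18006445551
```

Running `decode_wav` over a sound-activated recording gives the dialed digits directly, including an incomplete string such as 1800644555 when the phone drops the line before the last digit.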

TelePlay

A very interesting topic.

FABphones

Does any other member have this same model phone, and are they able to check if their phone has this same dial out?

I am wondering if perhaps it may have been the phone's location which made it of particular interest as opposed to all of this model.

A comparison test on a few others of this model would be interesting.

MaximRecoil

Quote from: FABphones on April 06, 2024, 01:12:04 PM
Does any other member have this same model phone, and are they able to check if their phone has this same dial out?

I am wondering if perhaps it may have been the phone's location which made it of particular interest as opposed to all of this model.

A comparison test on a few others of this model would be interesting.

I would like to know the same thing. I figure it's happening with others and going unnoticed, because it's easy for it to go unnoticed.

At one point I was wondering if perhaps my payphone has hacked firmware that is causing it, so I pulled its socketed EPROM chip and dumped it, then I did a binary file comparison between it and an EPROM dump of the same firmware revision that I have, which can be found online here:

http://telesfor.org/payphones/doku.php?id=smart:protel:docu (under the "EPROM dumps" category near the bottom of the page; the file named Protel_4000_8000-M27C2001-DD8822-00-000.BIN)

My own EPROM dump is bit-for-bit identical to the one on that site, so that eliminates the possibility that my firmware is hacked (unless the dump on that site just so happens to be hacked in exactly the same way, which seems very unlikely).

TelePlay

Any chance of a small, hard to spot ROM chip being soldered into the circuit board? If so, all 8000's would have the exact same "call home" chip, I would guess.

MaximRecoil

Quote from: TelePlay on April 06, 2024, 01:46:56 PM
Any chance of a small, hard to spot ROM chip being soldered into the circuit board? If so, all 8000's would have the exact same "call home" chip, I would guess.

The 8000 chassis (and the 4000 chassis, which is apparently practically identical) has its factory-stock firmware in a socketed EPROM chip (Fujitsu MBM27C2001) that the chassis itself can't alter, because it can only be erased by exposing its "window" to the right amount and wavelength of UV light. You would either need to build or buy an "EPROM eraser," or leave the EPROM out in direct sunlight for quite a while, to erase it (it can't be reprogrammed without first erasing it). And of course you'd also have to remove the factory UV-blocking sticker that covers its "window" first.

It also has a pair of EEPROM chips (the "EE" part stands for "electronically erasable," as opposed to UV erasable) soldered directly to the PCB. The chassis can erase and reprogram those (Protel refers to them simply as "download chip"), which are programmed if you select one of Protel's firmware update files when programming the chassis via ExpressNet. ExpressNet will instruct the chassis to erase the "download chip" if you want to revert back to the stock firmware located on the socketed EPROM.

You can tell what the chassis is using for firmware by pressing *#62 on the payphone's keypad. If it's using the stock firmware in the EPROM chip, then the voice says "one" after it reads out the revision number, and if it's using updated firmware in the EEPROM ("download chip") the voice will say "two" instead of "one." See attached screenshot from the Protel "Pocket Reference Express 8000 Series" manual.

Currently mine says "two" at the end because I recently updated to DD883200.290 firmware using a firmware update file from an official Protel floppy disk, in hopes that it might make it stop "phoning home," but it had no effect on that. Before I did the firmware update, the voice said "one" at the end, meaning it was using the factory-stock firmware located in the socketed EPROM chip (which is the one I dumped and compared to the dump found online).

So even if by some bizarre coincidence, my stock firmware and the EPROM dump I found online are both hacked, and hacked in exactly the same way, the firmware in the "download chip" that I'm using now definitely isn't hacked, because it came from an official Protel floppy disk.

G-Man

Is your payphone connected directly to the telephone line or is it routed through your Panasonic key system?
 
What type of telephone service is used, traditional copper or VoIP?

MaximRecoil

Quote from: G-Man on April 06, 2024, 06:12:56 PM
Is your payphone connected directly to the telephone line or is it routed through your Panasonic key system?
What type of telephone service is used, traditional copper or VoIP?

It's connected directly to my telephone line, which is traditional copper.

By the way, if I dial *#65 on the payphone's keypad, the voice reads out my own phone number, because that's the reporting number I put into ExpressNet, so that's the only number it should ever try to autonomously call (and even then it shouldn't ever have a reason to call it, because I selected "no" for every one of the reporting conditions). I've also tried leaving the reporting number blank, which is the default, and when you do that and press *#65, it doesn't read back anything.

5415551212

Surely others would notice if their payphone was attempting to make an outgoing call? Has anyone else reported this behavior? Surely someone on the forum here has one of these payphones and can check?

MaximRecoil

Before last night, the only way I could ever tell it was sending DTMF tones was by hearing it through an extension phone connected to the same phone line. The first time I ever heard it dialing was by pure chance, as I happened to be talking on the phone (an extension phone) at the time. I heard the tones, but it couldn't complete a call because I was already on a call. DTMF tones sent while you're already on a call do nothing at the central office.

For years I never knew if it was actually completing a call or calls every night or what it was doing. It wasn't until recently that I happened to pick up the handset of an extension phone just as the payphone had started sending tones, so that was the first time I heard it complete a call (which it was able to do because I wasn't already on a call).

Yesterday, a slick telephone recording interface device arrived in the mail (JK Audio Inline Patch). I've had a device for recording calls for years (which I connected to an extension phone to record the call that I attached to my first post in this thread), but it's a modular device that connects to the handset cord, so it's useless for trying to record directly from the payphone. Even if I built a couple of 4P4C-to-spade adapters, it still wouldn't work in this case, because it makes that call every night with its handset still on the hook. If you take its handset off the hook while it's doing it, it stops dialing.

So I looked for a device that is placed inline between the line cord and the wall jack, and the JK Audio Inline Patch does just that.

I connected the JK Audio device to my payphone and to my PC, and set up Audacity for sound-activated recording, so I could find out what it does when I'm not listening in on an extension phone, and also to see if it makes any calls at other times of the day.

It's been about 24 hours now, and so far it has only made its usual call at 12:20 AM, but what it did is bizarre. Unlike when I listen in on an extension phone, it never actually completed a call, nor did it ever dial the complete number. Instead, it dialed 1-800-644-555 (leaving out the final digit [1]), dropped the line, immediately reseized the line, dialed 1-800-644-555 again, and so on, six times in a row, and then hung up for good. I've attached the recording of it, though there's not much to listen to. It just slowly dials the same incomplete number 6 times in a row and stops.

My theory is that it never truly dials the complete number even when I'm listening in on an extension, but because I'm listening in, it can't actually drop the line after dialing 1-800-644-555 because my extension phone being off-hook is keeping the line seized, so when it dials 1-800-644-555 again, the "1" gets added to the end of 1-800-644-555, becoming 1-800-644-5551, a complete number.

That doesn't explain why it only repeats 3 times when I'm listening in, and ends with dialup modem sounds, though (as opposed to 6 times and no dialup modem sounds). It also doesn't explain what possible purpose could be served by dialing an incomplete number at all, let alone 6 times in a row.

It's good to know that it's not actually completing a call (or at least it didn't last night; I'm going to record again tonight to see if it does the same thing), but I still don't like it playing with the phone line for no good reason, and with no apparent way of making it stop. Speaking of which, one of my earliest memories is being reprimanded by a New England Telephone operator for playing with the phone, when I was about 3½ or 4 years old (1978 or 1979).

Quote from: G-Man on April 06, 2024, 08:43:20 AM
instead, I would have a conversation with Jim Engle, a retired head of Cincinnati Bell's payphone division and since the operator of his own COCOT and an expert on Protel instruments.

He said:

Quote
Jim Engle
Moderator
Group expert
Long story, the instructions are on this page, do a search.

I asked for clarification 3 days ago ("What instructions? What search terms?"), but he hasn't replied. At this point I doubt there even is any official way to make it behave. Hacking the firmware would work, but I don't know how to do that. Of course, I could open it in a hex editor and make random changes, which would technically be considered hacking the firmware, but that would have about a 1 in a "zillion" chance of being correct.