PHONE PHREAKING.
Before the internet existed, a massive network already connected the world: AT&T’s analog phone system and its counterparts abroad. It controlled its own long-distance calls with audible tones carried in the same band as the voice, and that turned out to be its greatest weakness.
A group of curious teenagers, blind kids and amateur engineers discovered that, with the right whistle, they could travel the network like ghosts. Five decades later, the ghosts changed instruments, but they’re still circulating.
This report explores in depth both the classic phreaking techniques (blue, red, black boxes etc.) and modern threats against telephony and mobility networks (2018–2025). It also investigates cases where communities under authoritarian regimes built their own networks (homemade GSM, dial-up over PSTN, mesh, LoRaWAN, HF radio, satellite/Starlink) to bypass censorship.
Findings are organized by threat type and region, with tables of historical incidents, device comparisons, and detailed timelines. Recent Brazilian data and examples, including fraud rings dismantled in São Paulo (rogue antennas in apartments, SMS-spoofing antenna cars), are highlighted.
When the network still spoke out loud
Until the 1990s, the global phone system was dominated by AT&T and its national counterparts. It was arguably the largest machine built in the 20th century before the internet: a network of electromechanical switches (later electronic, the ESS family of Electronic Switching Systems) spanning entire continents over copper pairs and relay-based central offices.
The defining feature, and the fatal flaw, was in-band signaling: the commands that controlled a call (set up, tear down, route) were audio tones transmitted on the same frequency band as the human voice. The switch had no separate control channel; it listened to the same wire that carried your conversation.
An idle long-distance trunk carried a continuous 2600 Hz tone (single-frequency, SF, supervision). Seizing the trunk for a call removed the tone, signaling “line in use”; when the call ended, the tone came back, signaling “trunk free, next customer please”. The consequence was simple and devastating: if you could send 2600 Hz into the mouthpiece, the far-end switch believed your call had ended and released the called party, while your local office, which had only seen you dial an ordinary (or toll-free) call, kept the connection up. Stop the tone, and the far end treated the silence as a fresh seizure, ready to accept digits.
AT&T published the technical details itself, in the Bell System Technical Journal (November 1960, “Signaling Systems for Control of Telephone Switching”). The assumption was naive but honest: no ordinary customer would own a calibrated tone generator, and Bell engineers were trustworthy men. It took one generation to turn that trust into the network’s most famous hole.
Joybubbles, the boy who talked to the network
Josef Carl Engressia Jr., born May 25, 1949 in Richmond, Virginia, was the first phreaker on record. He was born blind and had absolute pitch: a rare ability (estimated at about 1 in 10,000 people) to identify and reproduce any musical note without a reference. Someone with absolute pitch hears a sound and knows immediately whether it is A (440 Hz), E (330 Hz) or G# (415 Hz), the way most people recognize colors. Joybubbles’ gift went further: he could whistle a specific frequency on demand, accurate to within a few hertz. For a phone system that controlled calls with calibrated tones, that was handing him the keys to the vault.
By age 4 he already spent hours on the phone. At 7, around 1957, he whistled by accident during a long-distance call; the call dropped, but the line stayed up. He had stumbled onto 2600 Hz, more than a decade before Captain Crunch and the cereal whistle. Even before the whistle, still a small child, Joe found he could replicate rotary-dial pulses with the hookswitch and bypass the lock his babysitter clamped on the dial: one of the earliest recorded uses of tap dialing.
In 1968, as a student at the University of South Florida, Joe was the subject of a campus newspaper article that nicknamed him “The Whistler”; the article drew the phone company’s attention and brought him trouble with the university. In 1971, Ron Rosenbaum interviewed him for the Esquire piece “Secrets of the Little Blue Box”, the same text that would inspire Steve Wozniak to build his own Blue Box.
▸ Worth listening to NPR’s obituary: “Joe Engressia, Expert ‘Phone Phreak,’ Dies” (2007).
The tap: hookswitch dialing
The oldest phreaking technique used no special tones or whistles, just a well-trained finger. Called tapping or switch-hook dialing, it turned the phone’s hookswitch into an improvised dial. Joybubbles learned the trick as a kid, before he ever discovered the magic whistle.
To understand why the trick works, it helps to see what it was imitating: the rotary dial. Each digit spun the disk to a finger stop; on its way back, a cam opened and closed a pair of contacts, interrupting the loop current, and the switch counted the interruptions.
How tapping beats the dial
Dialing “5” meant sending 5 pulses at a cadence of 10 pulses per second (about 60 ms open / 40 ms closed). Phreakers found the shortcut: tapping the hookswitch up and down opens and closes the same loop. Same logic as the dial, no dial needed. Phone with a locked dial? Bypass via hookswitch. Hotel payphone with no dial? Tap the hook. It was the most democratic trick in phreaking; any finger learned it in half an hour.
- Lift the handset (loop closed, dial tone)
- To dial “3”, tap the hookswitch 3 times (each break about 60 ms, never long enough to count as a hang-up)
- Hold still for about 700 ms; the switch registers “3”
- Repeat for the other digits. “0” is 10 taps.
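A decoder for that hookswitch pattern, as an added example (not code from the original report): it models the loop-current timer logic a central office applied, so that a rotary dial and a tapping finger yield the same digits, while a break long enough to be a hang-up releases the call. The three thresholds are assumptions chosen for the example.

```python
# Pulse-dial decoder: what a step-by-step or crossbar office "heard" on the loop.
# Added example, not from the original text. The 10 pps / 60 ms break cadence
# is the standard quoted above; the three thresholds below are assumptions
# chosen to separate a dial pulse from noise and from a real hang-up.

PULSE_BREAK_MAX_MS = 150   # a loop break longer than this is not a dial pulse
HANGUP_MS = 1000           # a break this long means the caller hung up
INTERDIGIT_MS = 300        # loop closed this long: the current digit is complete


def decode_pulses(events):
    """Turn hookswitch events into dialed digits.

    `events` is an iterable of (state, duration_ms) with state "open"
    (no loop current: on-hook or a pulse break) or "closed" (loop current
    flowing). Returns (digits, released); ten breaks in a burst are '0'.
    """
    digits, count, released = [], 0, False
    for state, ms in events:
        if state == "open":
            if ms >= HANGUP_MS:
                released = True          # the office releases the call
                break
            if ms <= PULSE_BREAK_MAX_MS:
                count += 1               # a dial step or a finger tap: identical
            # a break between the two limits is treated as line noise
        elif state == "closed" and ms >= INTERDIGIT_MS and count:
            digits.append(count % 10)    # 10 pulses -> digit 0
            count = 0
    if count and not released:
        digits.append(count % 10)        # trace ended before the pause timer
    return "".join(map(str, digits)), released


def hook_events(number, break_ms=60, make_ms=40, pause_ms=700):
    """Synthesize the loop pattern for `number`. Defaults are the rotary dial;
    pass e.g. break_ms=90, make_ms=110 for a finger tapping the hookswitch."""
    events = [("closed", 1500)]          # handset lifted, dial tone
    for d in number:
        pulses = 10 if d == "0" else int(d)
        for _ in range(pulses):
            events += [("open", break_ms), ("closed", make_ms)]
        events[-1] = ("closed", pause_ms)  # last make stretches into the pause
    return events


if __name__ == "__main__":
    print(decode_pulses(hook_events("305")))                            # ('305', False)
    print(decode_pulses(hook_events("305", break_ms=90, make_ms=110)))  # ('305', False)
    print(decode_pulses(hook_events("3") + [("open", 1500)]))           # ('3', True)
```

The office has no way to tell which mechanism produced the breaks; it only times them. A break of 200 ms falls between the two limits and is dropped as noise, which is also why a sloppy tapper had to keep the rhythm.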

The 2600 Hz whistle
Joybubbles was the first to notice, but not the only one. In the late 1960s, engineer John Draper got the tip from a blind phreak: the plastic toy whistle that came as a prize in Cap’n Crunch cereal, with one hole covered, played 2600 Hz. Blow it into the mouthpiece and the long-distance trunk surrendered. The world got a Captain Crunch; AT&T lost control.
When the whistle hit the mouthpiece, the far-end switch believed the call had ended, but your line stayed up. You were still connected to a live long-distance trunk, only now the far office was listening for instructions as if you were a switch, free to issue routing commands.
- Dial a toll-free number (800 in the US): free to the caller, but it rides a long-distance trunk
- After the call connects, blow 2600 Hz into the mouthpiece
- The far-end office drops the destination and returns the trunk to idle; your local office, which only sees a free call, keeps you connected
- Stop the tone: the far end treats the silence as a new seizure and waits for MF digits, so the trunk network is yours to route
The Blue Box and MF tones
Once the 2600 Hz whistle had “opened” the trunk, you had to tell the network where to route. AT&T’s toll switches used Multi-Frequency (MF) signaling, later standardized internationally as CCITT No. 5: each digit is one pair of simultaneous tones chosen from six frequencies (700, 900, 1100, 1300, 1500, 1700 Hz), a two-out-of-six code.
The Blue Box, popularized by Steve Wozniak and Steve Jobs before they founded Apple, was a device that generated those tone pairs. Ron Rosenbaum’s article “Secrets of the Little Blue Box”, published in Esquire in 1971, exploded the popularity of the hobby.
On top of the 10 digits, the MF protocol carries two control tones that tell the remote switch when an address starts and ends. Without them, the digit sequence is just noise.
- KP (Key Pulse, 1100 + 1700 Hz) opens the packet: “heads up, digits are coming”. Always the first tone sent.
- ST (Start, 1500 + 1700 Hz) closes the packet: “I’m done, you can route now”. Always the last.
The full sequence for a call is KP · digits · ST: send KP, then the destination digits, then ST.
| Hz | 700 | 900 | 1100 | 1300 | 1500 |
|---|---|---|---|---|---|
| 900 | 1 | | | | |
| 1100 | 2 | 3 | | | |
| 1300 | 4 | 5 | 6 | | |
| 1500 | 7 | 8 | 9 | 0 | |
| 1700 | | | KP | | ST |
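The whole chain above (a 2600 Hz burst to drop the far end, then KP, the digits and ST) rendered as audio, together with the switch-side tone detector that accepts it. This is an added example, not code from the report or from any real switch; the frequencies are the ones in the table, the burst lengths are round figures chosen here. Its point is the one this section makes: the receiver measures tone energy and nothing else, so a whistle, a blue box and a real switch are indistinguishable to it.

```python
# Blue-box signaling as audio, plus the tone receiver on the switch side.
# Added example, not from the original text or any real switch. The tone
# frequencies and the KP / digits / ST framing are the Bell MF values in the
# table above; the burst lengths are round figures chosen for the example.
import math

SAMPLE_RATE = 8000                       # telephone-band audio
SF_IDLE_HZ = 2600                        # single-frequency trunk supervision
MF_FREQS = (700, 900, 1100, 1300, 1500, 1700)
MF_CODES = {                             # two-of-six: symbol -> (low, high)
    "1": (700, 900),   "2": (700, 1100),  "3": (900, 1100),
    "4": (700, 1300),  "5": (900, 1300),  "6": (1100, 1300),
    "7": (700, 1500),  "8": (900, 1500),  "9": (1100, 1500),
    "0": (1300, 1500), "KP": (1100, 1700), "ST": (1500, 1700),
}
MF_LOOKUP = {pair: sym for sym, pair in MF_CODES.items()}
FRAME = SAMPLE_RATE // 50                # 20 ms analysis window


def tone(freqs, ms, amp=0.4):
    """Sum of sinusoids at `freqs`, `ms` long; this is all a blue box does."""
    n = int(SAMPLE_RATE * ms / 1000)
    return [sum(amp * math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n)]


def silence(ms):
    return [0.0] * int(SAMPLE_RATE * ms / 1000)


def blue_box(number, seize_ms=150, digit_ms=70, gap_ms=70):
    """Audio to play into the mouthpiece: a 2600 Hz burst drops the far end
    to idle, the pause after it reads as a fresh seizure, then KP, the
    digits and ST tell that office where to route."""
    audio = tone([SF_IDLE_HZ], seize_ms) + silence(gap_ms)
    for sym in ["KP", *number, "ST"]:
        audio += tone(MF_CODES[sym], digit_ms) + silence(gap_ms)
    return audio


def goertzel(samples, freq):
    """Signal power at one frequency: one filter of a tone receiver."""
    k = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + k * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - k * s1 * s2


def classify_frame(frame):
    """None for silence, 'SF' for 2600 Hz, an MF symbol, or '?' for junk."""
    if sum(x * x for x in frame) < 1e-3 * len(frame):
        return None
    energy = {f: goertzel(frame, f) for f in (SF_IDLE_HZ, *MF_FREQS)}
    if energy[SF_IDLE_HZ] > 0.5 * sum(energy.values()):
        return "SF"
    top = sorted(MF_FREQS, key=energy.get, reverse=True)[:2]
    if energy[top[1]] < 0.2 * energy[top[0]]:   # one tone alone is not a symbol
        return "?"
    return MF_LOOKUP.get(tuple(sorted(top)), "?")


def decode_audio(samples):
    """Frame the audio, classify, collapse runs. The receiver checks only
    that the tones are there; it cannot tell a switch from a whistle."""
    symbols, last = [], None
    for i in range(0, len(samples) - FRAME + 1, FRAME):
        sym = classify_frame(samples[i:i + FRAME])
        if sym in (None, "?"):
            last = None                  # silence or junk ends the current run
            continue
        if sym != last:
            symbols.append(sym)
            last = sym
    return symbols


if __name__ == "__main__":
    print(decode_audio(blue_box("415")))   # ['SF', 'KP', '4', '1', '5', 'ST']
    print(decode_audio(tone([700], 100)))  # [] : a single tone is not a symbol
```

The 70 ms gaps matter: the receiver needs a break to separate two identical digits, which is also why a blue box keyed KP · digits · ST as distinct bursts rather than one continuous chord.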
It wasn’t just the Blue Box
Between the 1960s and 1980s, phreakers built dozens of color boxes, each exploiting a different feature of unauthenticated in-band signaling. Hardware was simple: tone generators, resistors, capacitors, modified handsets, or later PCs with sound cards. Each color attacked a different vector: billing, supervision, coin signaling, Caller ID.
| Box | Signal exploited | Function | Era / Context |
|---|---|---|---|
| Blue | 2600 Hz SF + MF (Bell MF / CCITT No. 5) | Seize a long-distance trunk and route calls freely, including premium routes. | 1960s–70s · Draper / Wozniak / Jobs |
| Red | 1700 + 2200 Hz coin beeps | Mimic the payphone’s coin-deposit signal so the switch credits coins never inserted. | 1970s–80s · US payphones |
| Black | Resistor in series with the line (capacitor to pass audio) | On the called side, hold loop current below the answer-supervision threshold, so the caller’s office never starts billing. | 1970s · electromechanical switches |
| Green | Coin-collect / coin-return tones | Send the operator’s coin-control signals to a payphone, e.g. to return the deposit. | 1970s–80s · payphones |
| Clear | Induction coil + amplifier | Couple your voice into a “post-pay” payphone whose transmitter was muted until a coin dropped, talking without paying. | 1970s · rare models |
| Violet | Series resistor | Hold the line in a fake off-hook state, suppressing rings. | 1970s · domestic variant |
| Orange | Bell 202 FSK Caller ID, 1200 baud | Play a forged Caller ID (or call-waiting ID) burst down the line so the recipient’s display shows a spoofed number and name. | 1980s–90s · social engineering |
| Beige | Test handset with alligator clips | Homemade lineman’s handset: clip straight onto a pair in the street junction box. | 1980s · technical / clandestine |
| White | CCITT R2 via Amiga | Australian variant using a computer to generate international R2 signaling. | 1990s · Oceania |
All of them exploited the same original sin: in-band signaling without authentication. The audio that controlled the network was the same audio the user could inject.
The ghosts changed instruments
Digital telephony killed analog phreaking, but traded one set of fragile protocols for another. SS7, Diameter, GTP, SIGTRAN, IMS: stacks designed between the 1970s and the 2000s for a closed club of trusted carriers, with trust resting on the interconnect contract rather than on the protocol. Today, anyone who buys or rents signaling access through a small carrier or a roaming hub is treated as a trusted peer, and a US$ 500 SDR is enough to put up a base station of your own.
05.1 SS7 / SIGTRAN
The SS7 protocol (1975) and its IP transport, SIGTRAN, are the baseline signaling for 2G/3G worldwide. No authentication, no encryption: any node reachable on the signaling network can query a subscriber’s location, redirect SMS, or intercept calls. In early 2019, fraudsters used SS7 access to intercept 2FA codes and drain Metro Bank accounts in the UK. In Brazil, similar fraud had been documented since 2016. The 2018 ENISA report formally acknowledges the technical debt: 2G/3G rely on SS7 with no “modern security considerations”, and 4G (Diameter) inherited the problem.
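What an SS7 signaling firewall actually does with that interconnect traffic, as an added example (not code from the report, GSMA or any vendor): it screens each MAP operation by category, allows home-network messages only from the roamer’s home country, and runs a velocity check on location updates for the network’s own subscribers. The three-tier structure follows GSMA FS.11; the operation-to-category mapping, the networks, global titles and timings are simplified assumptions constructed here.

```python
# Toy SS7 interconnect screening rules. Added example, not part of this report,
# GSMA FS.11 or any vendor firewall. The three-tier structure follows FS.11
# (Cat 1: never legitimate from an interconnect; Cat 2: only from the roamer's
# home network; Cat 3: only plausible if our subscriber really is where the
# sender says); the operation-to-category mapping, the networks, global titles
# and timings below are simplified assumptions constructed for the example.
from dataclasses import dataclass

CAT1 = {"anyTimeInterrogation", "sendIMSI", "sendIdentification",
        "provideSubscriberLocation"}                      # intra-PLMN only
CAT2 = {"insertSubscriberData", "deleteSubscriberData",
        "cancelLocation", "provideSubscriberInfo"}        # HLR -> visited VLR
CAT3 = {"updateLocation", "sendAuthenticationInfo"}       # visited VLR -> our HLR

OUR_MCC = "724"                                      # we play a Brazilian home network
MCC_TO_CC = {"724": "55", "234": "44", "310": "1"}   # IMSI prefix -> E.164 country code
MIN_COUNTRY_HOP_S = 2 * 3600                         # assumption: no country change under 2 h

# Last known (country code, epoch seconds) of our own subscribers. Constructed.
LOCATION_DB = {"724991234567890": ("55", 1_700_000_000)}


@dataclass
class Msg:
    op: str          # MAP operation name
    calling_gt: str  # E.164 global title of the sender (constructed numbers)
    imsi: str        # subscriber the operation is about
    ts: int          # arrival time, epoch seconds


def home_cc(imsi):
    return MCC_TO_CC.get(imsi[:3])


def sender_cc(gt):
    """Longest-prefix match of a global title against the countries we know."""
    for cc in sorted(MCC_TO_CC.values(), key=len, reverse=True):
        if gt.startswith(cc):
            return cc
    return None


def screen(msg):
    """Return (verdict, reason) with verdict in {'allow', 'block', 'flag'}."""
    if msg.op in CAT1:
        return "block", "Cat 1: never legitimate across an interconnect"
    if msg.op in CAT2:
        foreign = msg.imsi[:3] != OUR_MCC
        if foreign and sender_cc(msg.calling_gt) == home_cc(msg.imsi):
            return "allow", "Cat 2: sent by the inbound roamer's home network"
        return "block", "Cat 2: only the roamer's home network may send this"
    if msg.op in CAT3:
        if msg.imsi[:3] != OUR_MCC:
            return "block", "Cat 3: we are not this subscriber's HLR"
        last = LOCATION_DB.get(msg.imsi)
        new_cc = sender_cc(msg.calling_gt)
        if last and last[0] != new_cc and msg.ts - last[1] < MIN_COUNTRY_HOP_S:
            return "flag", (f"Cat 3: velocity check failed, {last[0]} -> {new_cc} "
                            f"in {msg.ts - last[1]} s")
        return "allow", "Cat 3: claimed location is plausible"
    return "allow", "not on the screening list"


def run_batch(msgs):
    """Screen a batch and return a {verdict: count} summary."""
    summary = {"allow": 0, "block": 0, "flag": 0}
    for m in msgs:
        summary[screen(m)[0]] += 1
    return summary


T0 = 1_700_000_000
SAMPLE = [  # constructed traffic arriving at our STP from the interconnect
    Msg("anyTimeInterrogation", "447700900123", "724991234567890", T0 + 10),
    Msg("updateLocation", "447700900123", "724991234567890", T0 + 300),
    Msg("updateLocation", "447700900123", "724991234567890", T0 + 36_000),
    Msg("provideSubscriberInfo", "447700900123", "234150000000001", T0 + 20),
    Msg("provideSubscriberInfo", "12025550147", "234150000000001", T0 + 25),
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m.op, m.calling_gt, *screen(m))
    print(run_batch(SAMPLE))   # {'allow': 2, 'block': 2, 'flag': 1}
```

The velocity check is the only rule that needs state; a production firewall updates the location record on every accepted updateLocation and also correlates the SMSC global title on sendRoutingInfoForSM, which this toy leaves out.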
05.2 Femtocells and rogue base stations
In 2013, Doug DePerry and Tom Ritter showed at DEF CON 21 how a modified Verizon femtocell (US$ 250) plus a Raspberry Pi (US$ 50) could capture every call and SMS from nearby phones. The whole rig fit in a backpack. Twelve years later, the same technique is back at scale: commercial gear like the StingRay (Harris Corp.) and homemade variants built on USRP + OpenBTS / Osmocom are used by states, gangs and researchers. Phones camp on the strongest usable cell, and 2G authenticates the subscriber to the network but never the network to the phone: jam 3G/4G/5G and the handset falls back to whoever shouts loudest on 2G. When the strongest signal is hostile, hostile wins.
05.3 SIM Swap and number portability
A telco support agent is talked into transferring a victim’s line to an attacker-controlled SIM. Within seconds, every SMS 2FA code (bank, email, crypto exchange) goes to the wrong phone. SIM swap doesn’t exploit a protocol: it exploits people. But the damage scales with how much authentication still rides on SMS. The FBI and Brazil’s ANATEL issued public warnings in the early 2020s.
05.4 VoLTE / IMS / SMS Blasting
Voice over LTE (VoLTE) brought IMS, a full SIP stack inside the carrier. Researchers demonstrated downgrade and interception attacks on VoLTE calls in 2021. In parallel, SIM Boxes, racks with hundreds of SIM cards running in parallel, fire tens of thousands of SMS per hour for financial fraud. Same idea as the Blue Box, industrialized (see the Brazilian cases below).
05.5 PBX and VoIP fraud
Misconfigured corporate PBXs are found dialing premium-rate international numbers all night (international revenue share fraud, IRSF). Hacked ATA adapters, weak SIP credentials, exposed VoIP gateways: each one is a modern blue box, generating five-figure invoices for the victim and dividends for the attacker.
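The detection side of that fraud, as an added example (not code from the report or any PBX product): it reads a constructed CDR export and flags the pattern just described, a single extension dialing high-cost international destinations overnight in a burst. The CSV layout, extensions and records are constructed, and the watchlist prefixes stand in for a maintained IRSF range list.

```python
# Toll-fraud detector over a PBX call-detail record (CDR) export. Added example,
# not from the report or any PBX vendor. The CSV layout, the extensions and the
# call records are constructed; the destination watchlist is a short stand-in
# for the premium-rate / IRSF number ranges a real deployment would maintain.
import csv
import io
from collections import defaultdict
from datetime import datetime

HOME_CC = "55"                                   # our own country code
WATCHLIST = {"232": "Sierra Leone", "252": "Somalia",
             "882": "international networks"}    # frequent IRSF destinations
NIGHT_START, NIGHT_END = 22, 6                   # office is empty 22:00-06:00

# Constructed CDR export: a normal day, then extension 2014 (a hijacked SIP
# account) pumping calls to high-cost destinations in the middle of the night.
CDR_CSV = """start,src,dst,duration_s
2025-03-10T09:12:04,2001,+551133334444,182
2025-03-10T15:40:51,2007,+5511977776666,64
2025-03-11T01:03:10,2014,+23290000001,600
2025-03-11T01:14:30,2014,+23290000002,600
2025-03-11T01:25:55,2014,+25290000003,598
2025-03-11T01:37:02,2014,+88290000004,601
2025-03-11T01:48:44,2014,+23290000005,602
2025-03-11T08:30:00,2014,+551133335555,40
"""


def parse_cdr(text):
    return [{"start": datetime.fromisoformat(r["start"]), "src": r["src"],
             "dst": r["dst"], "dur": int(r["duration_s"])}
            for r in csv.DictReader(io.StringIO(text))]


def is_international(dst):
    return dst.startswith("+") and not dst.startswith("+" + HOME_CC)


def watchlist_hit(dst):
    digits = dst.lstrip("+")
    return next((name for p, name in WATCHLIST.items() if digits.startswith(p)), None)


def detect(rows, burst_n=3, burst_window_s=3600, min_reasons=2):
    """Return [(extension, destination, start, reasons)] for every international
    call that trips at least `min_reasons` of: off-hours, watchlist, burst."""
    by_ext = defaultdict(list)
    for r in rows:
        if is_international(r["dst"]):
            by_ext[r["src"]].append(r)
    alerts = []
    for ext, calls in by_ext.items():
        calls.sort(key=lambda r: r["start"])
        for i, c in enumerate(calls):
            reasons = []
            if c["start"].hour >= NIGHT_START or c["start"].hour < NIGHT_END:
                reasons.append("off-hours")
            hit = watchlist_hit(c["dst"])
            if hit:
                reasons.append(f"watchlist:{hit}")
            recent = [x for x in calls[:i + 1]
                      if (c["start"] - x["start"]).total_seconds() <= burst_window_s]
            if len(recent) >= burst_n:
                reasons.append(f"burst:{len(recent)}/{burst_window_s}s")
            if len(reasons) >= min_reasons:
                alerts.append((ext, c["dst"], c["start"].isoformat(), reasons))
    return alerts


def suspicious_extensions(rows):
    """Extensions to lock (or whose SIP password to rotate) right now."""
    return sorted({ext for ext, *_ in detect(rows)})


if __name__ == "__main__":
    for alert in detect(parse_cdr(CDR_CSV)):
        print(alert)
    print(suspicious_extensions(parse_cdr(CDR_CSV)))   # ['2014']
```

Requiring two independent reasons keeps a single daytime call to an unusual country from paging anyone; the nightly burst to three different premium destinations trips all three and is the signature of a compromised SIP account rather than a wrong number.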
| Axis | Classic phreaking | Modern phreaking |
|---|---|---|
| Medium | Analog in-band signaling, electrical pulses | SS7 / Diameter / GTP, IP infra, software bugs |
| Target | Billing, free long-distance | Personal data, banking 2FA, surveillance |
| Tool | Discrete hardware (whistle, resistor, tone generator) | SDR (USRP, HackRF), modified femtocells, scripts |
| Actor | Independent enthusiast, counterculture hacker | Organized crime, states, corporate espionage |
| Scale | One call at a time | Millions of subscribers via roaming hub |
| Entry cost | US$ 5 (whistle) · US$ 200 (Blue Box) | US$ 500 (HackRF) · US$ 50,000 (StingRay) |
The underground goes digital
Between 2000 and 2015, what was left of analog phreaking merged with the nascent “digital phreaking” in newsgroups like alt.phone.phreaking, private lists and Telnet BBSes, abandoned FTP sites and researcher blogs. Primary sources from that era are fragile: many archives survive today only on the Internet Archive or community mirrors like Hack Canada and 2600 Magazine.
Projects like Project MF (an Asterisk server simulating a 1970s Class 4 toll switch, with Arduino-based Blue Box reconstructions to talk to it), OpenBTS (software GSM base station) and Osmocom show how the knowledge migrated from “audio hacking” to protocol reverse engineering. Talks at DEF CON, ToorCon, CCC and HOPE documented the transition on video. Most of the academic literature only arrives after 2015; before that, the data lived in forums that closed, one by one.
When the state switches off the network
When governments cut mobile or fixed internet to silence protests, communities improvise. The result is an unlikely catalog: amateur radio, V.92 modems crossing a border, mesh networks, LoRaWAN, satellite. The official network falls; others emerge.
Belarus, August 2020. During the protests against Lukashenko, the government cut internet and mobile data for about 61 hours. Activists and journalists fell back on V.92 modems over international landlines, dialing into foreign ISPs as emergency gateways. 56 kbps is infinitely better than 0 kbps.
Total mobile internet blackout during the protests. DSL landlines and V.92 dial-up were the only route abroad. International NGOs documented the blackout, but local infrastructure couldn’t carry traffic at scale.
Artsakh (Nagorno-Karabakh), August 2023. On 17/08/2023, Azerbaijani forces cut the fiber cable connecting Artsakh, leaving the region offline. Residual traffic survived over HF and amateur radio, under continuous jamming. Russian peacekeeping units tried to restore links over radio.
Donbas, Ukraine. Separatist zones built their own mobile carriers with hardware seized from Lifecell and Kyivstar: Phoenix (Feniks) in Donetsk; Lugacom (later MCS) in Luhansk. They kept the Ukrainian MCC (255) until 2022, when they began migrating to Russian +7 prefixes.
SNET, the Street Network
Community Wi-Fi mesh with up to 100,000 nodes in Havana. No public internet dependency. It had games, forums, local voice, file repositories. Absorbed by the state in 2019, but it proved an entire city can run its own parallel network.
Myanmar, from 2021. After the Feb/2021 military coup, the junta shut down mobile internet repeatedly. Resistance leaned on amateur radio, LoRaWAN mesh networks, and smuggled Starlink terminals (some confiscated by the military).
Antennas in apartments and ghost cars
Brazil has entered the era of gang phreaking. Across 2024 and 2025, São Paulo state police dismantled three sophisticated operations using clandestine telecom hardware for large-scale banking fraud. The MO is industrial: jam the legitimate 4G/5G signal, force victims onto a rogue 2G cell controlled by the gang, blast SMS with phishing links.
Jul/2024, Faria Lima. The driver of a rented car, caught red-handed by a patrol. He had been circling 8–12 hours a day along Av. Paulista and Av. Faria Lima with transmitters that knocked nearby phones off 4G; when the signal dropped, the rig fired SMS with a fake banking link. He told police he was paid R$ 1,000 a week just to drive.
Jan/2025, Morumbi. An apartment on the 19th floor of a building in Morumbi (West Zone), with an antenna mounted on the balcony aimed at the Marginal Pinheiros highway. The 2G rig jammed 3G/4G/5G within a 2 km radius; a single antenna can fire over 100,000 messages per day. ANATEL and the Polícia Civil dismantled the operation after a 6-month investigation.
Sep/2025, Itaquera. Another police operation, another antenna car: a 35-year-old firing ~40,000 SMS per hour from inside the vehicle in the East Zone, also targeting Av. Paulista and Pinheiros. Radio transmitters and directional antennas were seized. Charged with criminal association and unauthorized access to computing devices.
The common denominator: commodity hardware (femtocells originally sold as residential signal boosters, or SDR boards), patched firmware, directional antennas, and software derived from OpenBTS / YateBTS. The ecosystem researchers demoed in 2013 reached retail crime ten years later.
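The heuristics an on-phone rogue-cell detector applies to the scenario of section 05.2 and of these three cases (forced downgrade from a healthy LTE cell, a cell nobody advertised, ciphering off, an SMS burst right after attaching), as an added example that is not code from the report, ANATEL or any app. The observation record, the PLMN 724-99 and both traces are constructed; the thresholds are choices made for the example.

```python
# Heuristic rogue-base-station detector over baseband cell observations, the
# kind of logic an on-phone IMSI-catcher detector runs. Added example, not from
# the report, ANATEL or any product. The observation record, the PLMN 724-99
# and both traces are constructed; the indicators are the classic ones (forced
# 2G downgrade while LTE was strong, a cell missing from the neighbour list, a
# new LAC, A5/0, implausible signal, SMS burst) with thresholds chosen here.
from dataclasses import dataclass
from typing import Optional

STRONG_LTE_DBM = -95     # LTE this good does not vanish on its own
IMPLAUSIBLE_DBM = -50    # a macro cell is rarely this loud; a balcony BTS is
SMS_BURST = 3            # messages within one observation interval


@dataclass
class CellObs:
    t: int                  # seconds since trace start
    rat: str                # "LTE", "UMTS" or "GSM"
    mcc: str
    mnc: str
    lac: int                # LAC (GSM/UMTS) or TAC (LTE)
    cid: int
    rxlev_dbm: int
    cipher: Optional[str]   # GSM: "A5/1", "A5/3" or "A5/0" (none); other RATs: None
    neighbors: tuple = ()   # (lac, cid) pairs the serving cell advertises
    sms_in_window: int = 0  # SMS received since the previous observation


def indicators(prev, cur):
    hits = []
    if prev.rat == "LTE" and cur.rat == "GSM" and prev.rxlev_dbm >= STRONG_LTE_DBM:
        hits.append("downgrade: left a strong LTE cell for 2G")
    if prev.rat == cur.rat and prev.neighbors:   # neighbour lists are per RAT here
        if (cur.lac, cur.cid) not in prev.neighbors and (cur.lac, cur.cid) != (prev.lac, prev.cid):
            hits.append("unannounced: cell absent from the previous neighbour list")
        if cur.lac not in {prev.lac, *(lac for lac, _ in prev.neighbors)}:
            hits.append("new LAC: forces a location update, exposing IMSI/TMSI")
    if cur.rat == "GSM" and cur.cipher == "A5/0":
        hits.append("cipher: A5/0, voice and SMS in the clear")
    if cur.rxlev_dbm > IMPLAUSIBLE_DBM:
        hits.append("signal: implausibly strong for a macro cell")
    if cur.sms_in_window >= SMS_BURST:
        hits.append("sms: burst right after attaching")
    return hits


def scan(trace, threshold=3):
    """Return [(t, cell, hits)] for every observation with >= threshold hits."""
    alerts = []
    for prev, cur in zip(trace, trace[1:]):
        hits = indicators(prev, cur)
        if len(hits) >= threshold:
            alerts.append((cur.t, f"{cur.mcc}-{cur.mnc} LAC {cur.lac} CID {cur.cid}", hits))
    return alerts


LTE_NBRS = ((1234, 10002), (1234, 10003))
# Constructed: phone on a healthy LTE cell, yanked onto an unciphered 2G cell
# that immediately pushes four SMS, then back to LTE once the car drives off.
SMS_BLASTER_TRACE = [
    CellObs(0, "LTE", "724", "99", 1234, 10001, -80, None, LTE_NBRS),
    CellObs(30, "LTE", "724", "99", 1234, 10001, -82, None, LTE_NBRS),
    CellObs(60, "GSM", "724", "99", 65000, 777, -45, "A5/0", (), sms_in_window=4),
    CellObs(120, "LTE", "724", "99", 1234, 10002, -85, None, ((1234, 10001), (1234, 10003))),
]
# Constructed: ordinary 2G reselection between advertised neighbours, then LTE.
BENIGN_T
RACE = None  # placeholder removed below
```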
- 1930s–50s, PRE-PHREAKINGTap dialing becomes folklore
Phreakers discover that the phone hookswitch replicates the rotary’s pulses. Locks on dials become useless. A young Joybubbles learns to “tap-dial” in Virginia before he learns to read.
- 1957, DISCOVERYJoe Engressia whistles 2600 Hz at age 7
AT&T’s “trunk idle” tone fits inside a human whistle. Phreaking is born.
- 1971, POPULARIZATION”Secrets of the Little Blue Box” in Esquire
Ron Rosenbaum’s article introduces Captain Crunch to the world. Wozniak and Jobs read it.
- 1972–75Wozniak and Jobs sell Blue Boxes at Berkeley
US$ 150 a piece. Seed capital for Apple Computer Company.
- 1980sCCS7 kills analog phreaking
AT&T separates signaling from the audio channel. Audible tones stop working.
- 19842600 Magazine is founded
Named after the magic tone. Still circulating today.
- 2013, DEF CON 21Verizon femtocell hacked for US$ 300
Ritter and DePerry: voice and SMS from any nearby phone, in a backpack.
- 2016First documented SS7 attacks in Brazil
Fraudsters intercept 2FA SMS via roaming-hub vulnerabilities.
- FEB/2019Metro Bank (UK), 2FA interception via SS7
Bank accounts drained. Case becomes a regulatory reference.
- AUG/2020Belarus, modems via XS4ALL
Internet dies, dial-up via the Netherlands rises. 56 kbps is resistance.
- AUG/2023Artsakh, Lachin cable cut
Nagorno-Karabakh goes offline. HF and amateur radio absorb residual traffic.
- JUL/2024Brazil, antenna car on Faria Lima
4G knocked out, phishing SMS, arrest in flagrante in Parque São Lucas.
- JAN/2025Brazil, apartment BTS in Morumbi
Balcony antenna, 19th floor, aimed at Marginal Pinheiros. 100,000 SMS/day.
- SEP/2025Brazil, mobile femtocell in Itaquera
Same technique, same MO, third case in 14 months.
| Tool | Typical use | Cost | Access |
|---|---|---|---|
| USRP / HackRF / bladeRF | General-purpose SDR; homemade IMSI catcher; SS7 sniffer | US$ 300–2,000 | Open store |
| Modified femtocell | Voice/SMS eavesdrop in short range | US$ 100–300 | Commercial gear + firmware patch |
| StingRay (Harris) | Commercial IMSI catcher; mass surveillance | US$ 50,000+ | Restricted to states |
| SIM Box | Interconnect fraud; bulk SMS blasting | US$ 500–2,000 | E-commerce |
| OpenBTS / YateBTS / srsRAN | Software 2G/3G/LTE base station | US$ 100 + SDR | Open source |
| Osmocom suite | Full GSM stack (BSC, MSC, HLR) in software | free | Open source |
| Scapy / Python SS7 | Crafting and analysis of SS7 / Diameter messages | free | Requires SS7 carrier access |
In the 1980s, AT&T began migrating to the CCS7 (Common Channel Signaling) system, which separates signaling from the audio channel. From that point on, no audible tone could control the network anymore, analog phreaking was dead.
But its legacy is immense. Wozniak and Jobs sold blue boxes in UC Berkeley dorms before founding Apple. Joybubbles became folklore. The magazine 2600: The Hacker Quarterly, founded in 1984, takes its name from the magical tone. And the ethos, radical curiosity, reverse engineering closed systems, became the DNA of hacker culture.
Five decades on, the cast has changed. The actors are now organized crime, intelligence services, cyber-mercenaries. The targets are personal data, banking authentication, political surveillance. And on the other side of the table, activists and entire communities rebuild infrastructure, mesh, LoRa, dial-up, HF, satellite, to punch through state blockades.
In every context, the lack of native security in legacy protocols (SS7, Diameter, SIP) and the ubiquity of mobile phones drive both the modernization of defenses (signaling firewalls, end-to-end encryption) and the sophistication of offenses. The phreaking cycle didn’t close; it just changed octave.
▸ SOURCES
- [classic] Rosenbaum, R., “Secrets of the Little Blue Box”, Esquire, 1971
- [classic] Sterling, B., “The Hacker Crackdown”, 1992
- [classic] Lapsley, P., “Exploding the Phone”, 2013
- [ENISA] “Signalling Security in Telecom SS7/Diameter/5G”, ENISA, 2018
- [SS7] Kaspersky, “SS7 vulnerabilities and attacks”, 2019
- [SS7] Metro Bank UK case, Motherboard / ITPro, Feb/2019
- [femtocell] Ritter & DePerry, “I Can Hear You Now”, DEF CON 21, 2013 (video)
- [Belarus] Human Rights Watch / NetBlocks, Belarus blackout, Aug/2020
- [Brazil] CNN Brasil, “Carro do golpe”, Faria Lima, Jul/2024
- [Brazil] SBT News, Morumbi apartment, Jan/2025
- [Brazil] Metrópoles, Itaquera mobile rig, Sep/2025
- [Brazil] Tecnoblog, “ERB Fake”: how clandestine antennas work
- [DIY] OpenBTS · Osmocom · srsRAN · Project MF (Arduino Blue Box)
- [archives] 2600 Magazine · Internet Archive · alt.phone.phreaking · Hack Canada