Kevin Lee Poulsen and the KIIS-FM Heist: The Greatest Phone Phreaking Caper

On May 1st, 1990, Kevin Lee Poulsen was 26 years old and wanted a Porsche 944.

Not metaphorically. Not as a distant goal. He wanted one specific Porsche 944 that KIIS-FM, a Los Angeles radio station, was giving away to the 102nd person who could call the station and say the correct phrase.

KIIS-FM had been running the contest all morning. Call in, get through, be the 102nd caller, win the car. Simple. The phones were packed. Thousands of people trying to dial in, hitting busy signals, getting through to the queue, waiting to see if they were the lucky number.

Kevin Poulsen had a different approach. He was going to hack the phone system.

Specifically, he was going to hack the telephone exchange that served Los Angeles and find the phone lines that KIIS-FM used to receive calls. Then he was going to exploit those lines so that his call would go through every time, while everyone else's calls would hit nothing but busy signals.

The method was elegant in its brutality. Phone systems in 1990 were still largely based on electromechanical switches and computer-controlled systems that had been designed in the 1970s, before anyone had imagined a serious threat from hackers. The systems had security vulnerabilities that phone phreakers had been quietly documenting for years.

What Kevin did was find a way to access the switch configuration. Once inside, he could redirect traffic. He could make it so that specific phone numbers tried to connect to KIIS-FM, they would get through automatically, while everyone else calling the same number would hit a trunk line that was sending a busy signal.

He wasn't hacking KIIS-FM itself. He was hacking the telephone network infrastructure that KIIS-FM depended on.

The technical details are worth understanding because they show the vulnerability of systems that nobody thought needed to be defended against hackers. Phone switches had maintenance and administrative ports. Those ports had passwords, but the passwords were often weak or documented in places that were more accessible than they should have been. Once Kevin had access, he could issue commands to the switch through that administrative interface.

Then he'd issue the specific commands that would make the phone lines behave the way he wanted. Connections that should have gone to the busy signal trunk would instead be routed to the KIIS-FM queue. His number, calling in, would have clear passage. Everyone else would hit the wall.

On the morning of May 1st, Kevin started making calls.

His call went through. No busy signal. No waiting. Direct connection. He said the phrase. He was the 102nd caller.

He won the Porsche 944.

The radio station had no idea what had just happened. The contest seemed legitimate. Some lucky listener had gotten through. They gave him the car. Nobody suspected that the entire telephone system for Los Angeles had been bent to serve the whims of a phone phreaker who wanted a specific sports car.

Kevin drove the Porsche for three days.

Then the FBI knocked on his door.

The investigation that followed revealed what he'd done. It also revealed that Kevin Poulsen had been doing this kind of thing for a long time. He'd hacked into phone systems before. He'd accessed classified defense networks. He'd committed fraud. He'd been breaking federal law extensively and skillfully for years.

The fact that he'd chosen to prove his capabilities by hacking the phone system to win a Porsche on a radio station was almost comically audacious. But it was also characteristic of the phone phreaking culture. The point wasn't always practical gain. The point was the demonstration of capability. The art of exploiting systems that were supposedly secure. The thrill of proving that the infrastructure people took for granted was actually fragile and exploitable.

Kevin Poulsen got arrested. He became the first person ever prosecuted under the Computer Fraud and Abuse Act for breaking into telephone networks. He spent five years in prison.

What's important about the KIIS-FM hack isn't just the technical cleverness of it, though it was clever. It's what it represented. In 1990, the telephone system was a sacred thing. The infrastructure of American communication. Protected by law, guarded by the phone company, treated as essentially un-hackable by anyone outside the telecom industry.

Kevin Poulsen hacked it to win a car.

The message was clear: none of this infrastructure is as secure as you think it is. The systems you trust with your communications, your financial transactions, your secrets, they have vulnerabilities. And there are people out there smart enough to find those vulnerabilities and exploit them.

In the decades that followed, that became the central tension of digital security. The KIIS-FM hack was a preview of things to come. The idea that critical infrastructure could be compromised. That hackers could operate at a scale and sophistication that most people didn't realize was possible.

Kevin Poulsen got out of prison and became a journalist, ironically enough. He's covered security issues for major publications. He knows the landscape in a way that few people do.

But his legacy in hacker culture belongs to 1990 and that Porsche. The moment when somebody proved that you could manipulate the entire phone system of Los Angeles to serve a personal goal. The moment when the vulnerability of infrastructure became undeniable.

The 102nd caller. The man who hacked the phone switch for a sports car. The greatest phone phreaking caper ever pulled.

And when you think about what's possible now, with networked systems infinitely more complex, with nation-states and criminal organizations all learning the lessons that Kevin Poulsen proved in 1990, you realize that the KIIS-FM hack was just the beginning.

It was the proof of concept.

Everything that followed was just scaling.