Hacker with modem in the 1990s

Image source: Smithsonian Institution


Ah, the Sweet Sound of 56k: A Love Letter to Dial-Up

Picture this: It’s 1998. You’ve just gotten home from school, thrown your backpack on the floor, and the anticipation is real. You reach for your beloved 56k modem - that beautiful piece of hardware that took 30 seconds to scream and squawk its way onto the internet. Your parents are giving you the “we’re on the same phone line” look, but you don’t care. You need your fix of #hackers on Undernet. You need your AIM buddy list. You need to see what new warez dropped on your favorite BBS overnight.

Life was simpler then. Connection speeds were measured in kilobits. “Bandwidth” meant how fat your phone bill might get. And hackers? We were just curious kids with too much time, too many questions, and modems that happened to follow a command set invented by a guy named Hayes.

Little did we know that those same modems had a secret built right into their DNA - a feature so stupidly exploitable that it makes you wonder what the firmware engineers were smoking during their coffee breaks.

Enter: +++ATH0


The Hayes Command Set: Your Modem’s Brain

Before we get to the good stuff, let’s talk about how modems actually worked. Because to understand why +++ATH0 was so hilarious, you need to understand the Hayes Command Set - the lingua franca of modems from the early 80s onwards.

When you told your modem to dial a number, you were speaking Hayes. Something like:

ATDT 1-555-1234
  • AT - Attention! Wake up, modem!
  • D - Dial
  • T - Tone dialing (faster than pulse)
  • 1-555-1234 - The number

Once connected, your modem would dutifully ferry data back and forth between your computer and the internet. But what if you needed to give your modem a command while connected? Say, to drop the connection gracefully, or check signal strength?

That’s where the escape sequence came in.

The official Hayes protocol for switching from data mode to command mode was beautifully simple:

Type “+++” (three plus signs), wait one second, then type your command.

This “guard time” - the pause before and after the +++ - was patented by Hayes Microcomputer Products on October 22, 1985. It was their intellectual property, and they weren’t shy about it.

But here’s where the story gets spicy.


Patent Trolls, Chinese Ripoffs, and the Birth of a Vulnerability

Not all modem manufacturers wanted to pay Hayes their tribute. Some, particularly those making budget modems (looking at you, no-name 14.4k brands from Taiwan), decided to skip the whole “guard time” thing. Why bother with a patent fee when you could just implement the escape sequence without the timing requirement?

They called this elegant solution Time Independent Escape Sequence (TIES).

Instead of: +++ + wait 1 second + command

You could just do: +++ + command

No waiting. No timing. Just pure, instant modem chaos.

And this is where our problems begin.


What Does +++ATH0 Actually Do?

Let me break this down:

  • +++ - Hey modem, I’m trying to talk to you
  • ATH0 - Hang Up, you piece of garbage

So when your computer sends +++ATH0 to the modem, the modem says “Oh, you want me to hang up? Consider it done!” and immediately drops the connection.

Simple, right?

The problem was this: The modem couldn’t tell the difference between you intentionally telling it to hang up, and some random data on the wire that just happened to contain those bytes.

In a perfect Hayes-compliant modem, this wouldn’t be an issue. You’d have to intentionally type +++ followed by a full second of silence before the modem would even listen. But in those TIES modems? Any data passing through that looked like +++ATH0 would trigger an immediate disconnect.

And that’s where things got really fun.


The Exploit: How to Ruin Someone’s Evening in 3 Easy Steps

By 1998, the underground had figured out several elegant ways to weaponize this:

Method 1: FTP Injection

Connect to the victim’s FTP server (they had to be running one, but back then? Everyone and their grandmother had Wingate and Serv-U running). Then you’d just type:

USER +++ATH0

The FTP server, being the helpful little daemon it was, would echo your “username” back in its reply. And if that reply went out through a vulnerable TIES modem? BOOM. Disconnected.

Method 2: IRC CTCP PING

This was the community favorite. On IRC, you could send a CTCP (Client-to-Client Protocol) PING request to another user. The client was supposed to respond with whatever string you sent - typically a timestamp.

So someone would type:

/ctcp #windows PING +++ATH0

And roughly one-third of the channel would spontaneously drop their connections. Imagine being in the middle of a heated debate about why Linux was superior to Windows, only to hear your modem go click and realize you’re no longer connected.

Beautiful. Chaotic. Perfect.

Method 3: ICMP Ping of Death

But the real nuclear option was discovered by a hacker going by MrPhoenix. Instead of relying on the victim to connect to a service you controlled, you could simply send them an ICMP echo request (a ping) with the payload +++ATH0.

ping -c 5 -p 2B2B2B415448300D <target IP>

(Where 2B2B2B415448300D is the hex for +++ATH0\r)

The victim’s computer would dutifully try to respond to the ping with the same payload - because that’s what computers do, they’re helpful like that - and their modem would hang up on them.

No authentication required. No connection needed. Just raw, beautiful packet-fu.
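
From the defender's side, all three methods put the same byte pattern on the wire, so a filter or IDS can match on it. As an added example (not code from the original article or from any of the referenced tools), this sketch parses constructed IPv4 ICMP echo requests and flags payloads where three escape characters are followed directly by an AT command; the function names and sample packets are assumptions made for illustration.

```python
import re
import struct

# Three escape characters (default S2 = 43, '+') followed directly by an AT command.
ESCAPE_THEN_AT = re.compile(rb"\+{3}AT[A-Z&]", re.IGNORECASE)

def icmp_echo_payload(packet: bytes):
    """Return the payload of an IPv4 ICMP echo request, or None for anything else."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4           # IPv4 header length in bytes
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:  # protocol 1 = ICMP
        return None
    if packet[ihl] != 8 or packet[ihl + 1] != 0:             # type 8, code 0 = echo request
        return None
    return packet[ihl + 8:]                # skip type, code, checksum, id, sequence

def flag_packet(packet: bytes):
    """Return the offset of an escape-plus-AT pattern in the echo payload, else None."""
    payload = icmp_echo_payload(packet)
    if payload is None:
        return None
    match = ESCAPE_THEN_AT.search(payload)
    return match.start() if match else None

def build_echo_request(payload: bytes) -> bytes:
    """Constructed test packet: minimal IPv4 + ICMP echo request, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    return ip + icmp + payload

# Constructed samples (documentation addresses, no real traffic).
SAMPLES = {
    "pattern from the article": build_echo_request(bytes.fromhex("2B2B2B415448300D")),
    "ordinary ping padding": build_echo_request(bytes(range(0x10, 0x30))),
    "plus signs without AT": build_echo_request(b"1+++2=3"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name}: offset={flag_packet(pkt)}")
```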


The Golden Age: How Much Chaos Could One String Cause?

According to research from the underground in 1998:

  • 30-40% of modems tested were vulnerable
  • Acer 56k modems were particularly susceptible (3 out of 6 tested in one study)
  • IRC was the wild west - entire channels would randomly empty as users got knocked offline
  • Some creative individuals figured out you could do more than just disconnect people…

The Prank That Could Get You Arrested

Imagine this scenario: It’s 1999. You’re on a populated IRC channel. Someone mentions that your modem can be tricked into dialing arbitrary phone numbers. Your eyes light up. Your fingers itch.

You fire up your ICMP pinger. You craft a special payload: +++ATH0ATDT911.

The victim disconnects, and their modem - responding to the embedded commands - hangs up… and then dials 911.

Congratulations, you’ve just committed a felony while committing a prank. Some things never change.


The Fix: S2=255 (The Modem Equivalent of Duct Tape)

The solution was almost embarrassingly simple. In your modem initialization string - that magic sequence of AT commands that ran when your modem woke up - you just needed to add:

ATS2=255

What does this do? It sets register S2, which holds the escape character, to 255. That value lies outside the 7-bit ASCII range, and Hayes-compatible modems treat any S2 value above 127 as “escape sequence disabled”. So even if someone sends you +++ATH0, your modem will no longer recognize the escape sequence.

ISP administrators eventually figured this out too, and started shipping modems pre-configured to ignore the +++ sequence entirely. By the late 90s, the exploit was becoming less common - though it never fully died.
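
The difference between guard-time and TIES escape detection described earlier, and the effect of S2=255, can be modeled in a few lines. This is an added example, not firmware or code from the original article: the Modem class, its fields and the timed sample streams are assumptions, each chunk is treated as one burst of bytes, and only ATH0 is modeled as a command.

```python
from dataclasses import dataclass

@dataclass
class Modem:
    ties: bool           # True: act on +++AT... with no guard time (TIES-style)
    s2: int = 43         # escape character register; 43 is '+'
    guard: float = 1.0   # silence required before and after the escape, in seconds

    def hangs_up(self, stream):
        """stream: list of (seconds, bytes) sent by the computer while in data mode.
        Returns True if the modem ends up executing ATH0."""
        if self.s2 > 127:   # Hayes convention: S2 above 127 disables the escape
            return False
        esc = bytes([self.s2]) * 3
        if self.ties:
            # No timing check: any escape + command in the byte stream is obeyed.
            data = b"".join(chunk for _, chunk in stream)
            return esc + b"ATH0\r" in data
        for i, (t, chunk) in enumerate(stream):
            quiet_before = i == 0 or t - stream[i - 1][0] >= self.guard
            is_last = i + 1 == len(stream)
            quiet_after = is_last or stream[i + 1][0] - t >= self.guard
            if chunk == esc and quiet_before and quiet_after and not is_last:
                # Now in command mode: the next burst is read as a command line.
                return stream[i + 1][1].startswith(b"ATH0")
        return False

# Constructed input: a reply that merely contains the bytes, sent back-to-back.
ECHOED = [(0.00, b"PING "), (0.01, b"+++ATH0\r"), (0.02, b" trailing data")]
# Constructed input: a user deliberately escaping, with pauses around +++.
DELIBERATE = [(0.0, b"some data"), (1.5, b"+++"), (3.0, b"ATH0\r")]

def results():
    """Outcome for each modem type and input, keyed by a short description."""
    return {
        "TIES, echoed data": Modem(ties=True).hangs_up(ECHOED),
        "guard time, echoed data": Modem(ties=False).hangs_up(ECHOED),
        "guard time, deliberate escape": Modem(ties=False).hangs_up(DELIBERATE),
        "TIES with S2=255, echoed data": Modem(ties=True, s2=255).hangs_up(ECHOED),
    }

if __name__ == "__main__":
    for case, dropped in results().items():
        print(f"{case}: {'hangs up' if dropped else 'stays connected'}")
```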


The Legacy: What 56k Taught Us

The +++ATH0 vulnerability is a fascinating case study in how a design decision made for legitimate reasons (patent compliance vs. cheap modems) created a security nightmare. It taught us several valuable lessons:

  1. Timing matters. The Hayes engineers weren’t being paranoid with that one-second guard time - they were solving a real problem.

  2. Default configurations matter. Most users never touched their modem’s S-registers. They ran whatever came factory-default, which often meant “vulnerable.”

  3. Network protocols echo back user input. This lesson would be revisited spectacularly in the 2000s with SQL injection, XSS, and a hundred other injection attacks. We just keep learning it, over and over, in new contexts.

  4. Hackers in the 90s had too much time and too little parental supervision. (This one is less of a lesson and more of an observation.)


Epilogue: Where Are They Now?

If you’ve got a working dial-up modem from the 90s gathering dust in your closet, try this experiment (please don’t, actually - just kidding, I’m sure your phone line is digital now anyway).

The +++ATH0 exploit lives on in hacker folklore, in the archives of Bugtraq, and in the nostalgic memories of anyone who spent their teenage years building static with their parents’ phone line.

The modems are gone. The BBSes are gone. The phone lines are mostly gone.

But the lesson remains: sometimes the most devastating vulnerabilities aren’t the ones built by malicious coders - they’re the ones born from a single design decision made by someone trying to save $2 on a patent license.


References

  1. Schau, Max (Noc-Wage). “1+2=3, +++ATH0=Old school DoS.” Bugtraq, September 27, 1998.

  2. Glass, Brett. “Re: 1+2=3, +++ATH0=Old school DoS.” Bugtraq, September 27, 1998.

  3. Day, Kevin. “Re: 1+2=3, +++ATH0=Old school DoS.” Bugtraq, September 28, 1998.

  4. Tenable. “+++ATH0 Modem Hang Up String Remote DoS.” Nessus Plugin 10020.

  5. Wikipedia. “Hayes AT command set.” https://en.wikipedia.org/wiki/Hayes_AT_command_set

  6. Radke, David. “The Hidden World of 90s Networks: Wardialing, PBX Hacks, and Forgotten Glory.” LinkedIn, February 2025.

  7. Reddit. “(Dial Up) Celebrating 40 years of the infamous Hayes modem…” r/vintagecomputing, July 2025.