Clever Caller ID Tricks With VoIP
An anonymous reader writes "securityfocus.com has an interesting article collecting some clever exploits for VoIP. According to the article, 'the open-source Linux-based PBX software Asterisk, used in combination with a permissive VoIP provider' can be used to fool caller ID, and even get caller numbers that are supposed to be private."
Return of the phreak? :P
... until this is used in another "Open Source is evil" argument by MS, the government, the phone company, or all of the above in 5, 4, 3...
"Enough of this wretched, whining monkey life." -- Marcus Aurelius, _Meditations_, Book 9, 37
Back in 2001 or so I found this out when talking to my local ISP/VoIP provider IPOnly. Then some friends and I thought about setting up some kind of SMS-style service that was free, since it apparently works sending ASCII as caller ID :)
Does this mean that I could get a call on a private line with my number on the do not call list from overseas? Kind of like spam for my phone.
Evolution or ID?
Well this is nice. Once again the social engineering tricks will creep up on most people. However, who's really that stupid to be giving away all of their personal info over the telephone anyway? Does this mean that it's going to start being like the phishing scams now?
Hmmm.
This isn't new. You can do exactly the same thing with a PABX with ISDN ports. The ability to set your own caller-ID is part of the ISDN call setup protocol.
What you can't do, though, is set the ANI data (which is used by the telcos to find out who gets billed for the call and for call interception). And I can't see how that capability changes at all just because you're using a VoIP gateway either.
- mark
-----
I tried an internal modem, but it hurt when I walked.
so is voip going to turn into something like the email spam mess once the peddlers of Mydixaflopin and their cronies start figuring out how to use it?
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Thanks to this exploit, I can do crank calls again without getting caught!
Red Bull gave me wings and I flew into the ceiling fan.
I'm not sure if you can get away with just a POTS line into your PBX, or if you need a T1 - but this kind of stuff is always accessible when you run the switch. Whether or not it's a land-line or VOIP, if you have a switch, you can do it.
(FWIW, I recently saw a Fujitsu 9600 - up to 9,600 lines, the unix of PBX's - on Ebay for $2000.)
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
You know *67 is free :)
Hmmm.
It would be nice to see a detailed explanation of how to do this. In the past when I had a blocked number I noticed a credit card company authenticated my ID via caller ID even though I had a blocked number. If I'm paying for a service, such as blocking my number, I expect it to always work.
Is this a surprise? From the article, it says that the calling party number is always sent, and there's just a flag set saying "don't look here." If you tell someone they can't or shouldn't do something... that's the best way to ensure that they will.
This here is just proof positive that people skip the simplest security bugs, imagining that others will simply accept their bogus obfuscation and live with what they are given.
I feel that as consumers, we need to demand better from these corporations. This is a joke and a slight security risk that we shouldn't have to deal with, and corporations' inability to supply a quality product in software terms is so shoddy, I can't believe that we go for it anymore.
Oh well. I'm too peeved to go on.
linux users are as much evil hax0rs as windows users... likely more so.
Let's face it, we know more about the network and systems, and can more easily manipulate it...
the ever badass wiki link for voip info
yes we are! ok, maybe not evil (all the time).
bash: rtfm: command not found
why I keep getting all these prank calls from a person listed as "Cowboy Neal" with the phone number 666-867-5309...
You know those idiots (read: bill collectors) who call with "OUT OF AREA" tags on their Caller ID data? Yeah. I wonder if you can reset those to figure out who those are. The possibilities are good here. =^_^=
This sig no verb.
It's not clever...it's 100% obvious. Anyone who knows anything about phone systems knew this was possible; it was just going to take someone with a burning desire to do it. The fact that there is "hidden" stuff inside of the signalling messages for phone systems is a real yawner. And the fact that the "reporter" had to have this demonstrated means he is another tech lightweight. Oh, and didn't phone phreakers do this 20 years ago? Phone switches are after all only specialized computers.
Our current PSTN works as well as it does because it's regulated... and this is just one more example of how VoIP companies won't correctly implement things they aren't required to implement correctly.
As the summary and article point out, in order for any of these exploits to work, the VoIP carrier must be permissive... they have to be asleep at the switch enough to send data that is marked "private" to the end user's equipment, or to accept CPN data that isn't a number the customer controls. Those are things that should be handled on the VoIP service side rather than on customer equipment that can't be trusted.
The FCC would never tolerate an old-line phone company selling a service that lets people lie to caller ID... why are they letting VoIP companies do it?
Wow. There's endless possibilities to fool people with this. And the average Joe really trusts the info he gets from the Caller ID.
This sounds good, now I can get the pesky telemarketing numbers, many of which, in my experience, are still blocked from caller ID, never mind the FTC and the no call list legislation...
It means that for the first time, JENNY calls YOU!
And this is capitalist America!
friends don't let friends use linearly dependent row vectors.
The article states something of this kind: a 21 year old 'hacker' (quotes are mine) used VOIP line and a Linux based program named Asterisk to unveil blocked phone numbers and spoof his number. - well, that proves it, Linux is evil.
Seriously though, the only reason this is a problem is due to the fact that the VOIP providers are sending too much information to the end user and relying on the users' software to not reveal the caller's number.
Clearly Linux causes invasion of privacy.
You can't handle the truth.
Well, I would suppose that most crackers are linux users, because Linux lets them do whatever the hell they want, but I was thinking that this would only serve to let the media pretend that Linux is an evil OS.
:-(
Someone else beat me to saying that by a few seconds, and an idiot moderator thought this is redundant
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
Well, if VoIP is supposed to replace POTS, it stands to reason caller-id spoofing would be included...
You can spoof POTS caller-ID as it is with an Orange Box, as well as many other ways, including from a Nokia Cellphone.
"I'm a karate man. Karate mans bleed on the inside."
My understanding of card activation is that it is based on ANI, not caller ID. If the author could get this technique to allow card activation, that would seem to imply that ANI is being spoofed. Of course there were reports that this could be done with an ISDN hookup some years back. It isn't much of a surprise that something that is a software PBX can fake either.
It just hasn't been so easy.
This is a very well known "security breach" that not only applies to VoIP. For example, you can retrieve a CID from a PBX or an access server (PPP server) that has a T1 link.
...that this type of spoofing is so easy. I work for a small ILEC. We got an Asterisk box almost a year ago to play a bit with VoIP. The caller ID spoofing was easy to do, and fun for awhile. Out of curiosity, I tried to figure out how to secure the switch enough to prevent this type of spoofing from happening. With less than a year of experience in circuit switching, the manual, and about 30 minutes, I managed to limit the spoofable numbers to the range of DID numbers actually assigned to that PRI. In other words, no more spoofing. It amazes me that more providers don't implement this type of security.
Abstainer: a weak person who yields to the temptation of denying himself a pleasure.
--Ambrose Bierce
The fact that this is happening is interesting, but this sort of thing's always been possible.
First off, any sort of digital phone line lets you set your own caller ID info, it's just that most home users can't afford bringing a T1 into their home just to mess with caller ID.
Secondly, there've always been ways around caller ID anyway. A common one is called 'op diverting,' where you route your call through an operator, who will, in many cases, manually key in your Caller ID info with no authentication at all.
There are real privacy concerns here, but my point is, for those alarmed by them... Be even more alarmed. This is entirely doable without VoIP.
I don't know about getting blocked caller ID, though 800 numbers (and, IIRC, almost all high-volume digital lines?) have full access to caller ID, even if you block it.
The point of the article, IMHO, is that VoIP providers are carelessly sending this data, not the exploits that can be done -- they already exist. And you can almost argue that VoIP providers aren't entirely wrong here -- if you got a PRI line to your home, you could do this type of stuff anyway.
________________________________________________
suwain_2
Besides, those boiler-room operations can rename themselves so fast that the FTC's enforcement probably can't keep up. What you really need is anti-fly-by-night laws, so that you can confiscate the bond of such scum or make claims against their insurance (and make them uninsurable because of all the claims, etc).
I am assuming that you called the credit card company using a toll free number. Calling party ID blocking NEVER blocks the calling party ID when you call a toll free number. If somebody else is paying for the call, they have a right to know who is calling them. There are other exceptions where calling party ID block does not work. Every time I hear (or read) some luser say "...I'm paying for a service...I expect it to always work." hits a raw nerve. Expect in one hand, shit in the other, see which one fills up faster.
This isn't a hack. The telco interconnect company (in this case nuphone) sends the info to Ma Bell. The fact that they don't validate it is NOT a hack. It may be a risk, but feeding incorrect info to mother is not a hack or a manipulation. In general the telco themselves require information be provided... It's a little sad that some interconnect companies don't treat it more seriously. I know my company does.
Having tried to set my MSN (the outbound number) to an invalid number here in the UK (on a primary rate with 100 phone numbers mapped to it), the invalid caller ID simply got reset by the telco to the billing number of the line.
I guess in the States the telcos must trust the equipment that connects up to the line to set the MSN correctly, hence being able to fake the caller ID.
As for the privacy bit for caller ID, in the UK (as far as I am aware, but I'll test this) only telcos are passed the CallerID+Flag (by telcos I mean those with an interconnect with other telcos and an NX2 licence, but the licences are being phased out). It's then the telco's job to strip out the CallerID and Flag before passing on the data to the customer's line.
CID information was never designed nor intended to be in any way secure.
PBXs have always had the ability to set outgoing CID information - so, for example, all outgoing calls would appear on the receiver's CID box as coming from a company's main switchboard rather than whatever extension they were actually originating from.
It always frightens me to see press accounts of CID information being used as "proof" of something, say the violation of a restraining order or proof of harassment when it is absolutely trivial to spoof. Newer VOIP devices just make it easier to do without the need for a PBX and trunk line to do so.
ANI information, the calling number information provided when you call an 800 number, is an entirely different matter. Since it is used for billing information, it IS secure; the only way to spoof it is to call a provider who then turns around and reroutes your calls from their exchange. But whether you have CID blocking or not, the ANI number is ALWAYS passed because, frankly, they're paying for the call and they have a right to see who's calling them.
Maybe I can use this to track down the scumbags who send junk faxes to me at all hours of the night and morning, but whose numbers are listed only as "Out of Area". In fact, I bet this would be a handy tool for those who are trying to stop these asshats.
There is no gravity...the earth just sucks.
Where's the compilable source to a SIP softphone for PalmOS that is a useful Asterisk client and, like SJPhone and Xten, also works with Vonage's softphone accounts?
--
make install -not war
Why doesn't someone simply put in, at a minimum, a digital signature on the caller ID packets. Sooner or later one could extend this to an encryption system for the conversation itself. Which, to my mind, is necessary in any case.
I just sent Kevin an e-mail to this effect, but for anyone else interested here's more info:
**Portion omitted**
Vonage has "fixed" their CID spoofing problem (at least in some switches), but in the process has created a new "feature". Try this:
1. Call a party. When they answer, flash over to a new dial-tone (as if to initiate a 3rd party call). Dial the new third party (who has been instructed not to answer the call coming from your phone number) and after a couple of rings hang up the phone. Rather than the initial call ringing back to you as it should, it will ring forward to the third party. A nifty way to put your friend in CA in touch with your friend in NY with no long-distance charges even when they don't use Vonage.
2. Let a party call you. Flash over to a new line and dial a 3rd party. Repeat process above and you can effectively "transfer" the call out of your phone system with no toll charges.
In both cases, your Vonage line is free to make and receive calls as soon as you hang up.
Thanks, and keep up the great writing!!!
Egon Rinderer
Let me echo the statements of others that said "This has been possible forever" by saying that I was doing this with a Pacific Bell ISDN line six years ago. I discovered that they weren't authenticating any of the data I sent out on the D-channel, they were just passing it along.
Also, the reason why many VoIP providers are passing along Caller ID data without verification is legitimate. VoIP has no concept of "numbers" tied to hard physical "lines". Many VoIP providers sell outgoing service that is not tied to any physical telephone number. This is nothing new: conventional telcos have been doing that for years (it used to be called OutWATS) over T1s. If my VoIP gateway provider has no physical phone number to set my calls to, what are they supposed to do? This is the #1 reason all those telemarketer calls are labelled "OUT OF AREA", BTW.
In my case, I set the Caller ID to the POTS line that terminates into the same phone system. However, it would be trivial for me to set it to something like 714-853-1212, and it would get passed.
The problem is not that I can set Caller ID to any arbitrary number, but that idiots are actually depending upon an in-band signalling system which depends upon third parties (private PABXs) for the data as a secure authentication method.
I don't personally see any easy fix to this, nor should there be. The telecom business is increasingly having small players in it, and it will be difficult to fix this alleged "problem" without locking out these same small players.
As little as five years ago, getting connected to The Network (in the sense of telephone network, not internet) was difficult. It required substantial technical know-how, some regulatory hoops to jump through, and newcomers were carefully scrutinized for behavior consistent with Community Standards.
Sound like the internet we knew and loved pre-1995?
I fear The Network will become just as much a stinking sewer as The Internet has become, unless we do something Serious, and Now.
How does the Slashdot Effect happen given that no slashdotters ever RTFA?
New on Judge Judy, Mr. POTS takes Ms. VOIP to court, for phreaking with some fone-geeks. -- Osi -- Militant Agnosticism -- I don't know and you don't either.
Osi Osi Osi Osi Osi
I wonder if the caller ID can appear on the phone bill . . . *thinks about friend's wife finding "porn-are-us"*
We get a few laughs out of it, but I suppose we could run a pretty good scam if we wanted to.
Companies with multiple phone lines send out the caller ID of their main phone line.... it is a normal business service.
Yep- that's why anyone who THINKS they have my phone number when I call them doesn't realize they are wrong until they call back and hit the switchboard.
In the future, I would want to not be isolated from my friends in the Space Station.
If you have T-Mobile cell service try calling your cell phone with a spoofed Caller-ID of its own phone number. What a wonderful surprise - instant voicemail. Don't feel bad for them - they were notified a year ago. :) Kudos to Sprint for fixing the same problem immediately after notification.
This is so over the top.
You have a stalker who knows enough about you and/or has enough access to you to trick you into calling this number that allows them to get your phone number. And that endangers your life? I could see it opening the way to harassing phone calls, but endangering your life?
Isn't the real problem that you have a stalker in the first place?
My number is private and whenever I call Dish Network their system already knows my number - before I have identified myself, my account or anything.
I do not fear computers. I fear the lack of them. Isaac Asimov (1920 - 1992)
Rest assured, whatever the fix is, Cisco or some other company will patent it and then charge us all for using it.
The patent will probably be so ambiguously worded that ALL workarounds to the problem will be covered by it.
May the Maths Be with you!
That's PHreaks, thank you very much!
www.wavefront-av.com
The ability to set outgoing CallerID data is one of Asterisk's more useful features.
Most DID (Direct Inward Dialing) providers do not let you set outgoing CallerID manually, though if you have any kind of digital phone connection, such as PRI, T1 or ISDN, you can. I say let's celebrate that NuFone allows you to fully control the service you pay for, rather than vilifying them for something that most Asterisk admins want.
--- Kicking the Cheat since late 2002
Kevin Mitnick actually demonstrated this a while back during the March 2004 InfoSec conference in Orlando. He was talking about how we focus so much on implementing the nifty security plans and yet in the end, exploits of these trusted systems (caller ID has never been secure anyway) seem to take us by surprise when in fact, TRUST was placed on a system that was never secure in the first place.
...might be used by the old-guard phone companies, and this case could be used by them to lobby for FCC regulation of VoIP (although the real reason to regulate it is to protect their market share from new startups).
However, those arguments are misleading. It is, in fact, over-regulation and closed technology that led to the situation in the first place. "Ma Bell" didn't have to worry about competitors and didn't have to worry about interoperability in a regulated monopoly environment, which I think led to a philosophy of designing in a vacuum. They didn't need to disclose their implementations to anyone for independent review or standards compliance--they alone set the standards. Functionality could be designed to implicitly trust equipment on both ends of a connection because "Ma Bell" made (or at least issued) all the equipment.
Times and technology change however. The Telecoms industry is no longer a regulated monopoly, and standards and new technology are much more open (this is a must in order to allow interoperability). However, old methods and designs take a long time to change, especially in a culture resistant to change.
In hindsight, telecoms were regulated too much and for too long and a different approach should have been taken from the start. However, nobody can really predict where technology will go. The system has been vulnerable to crackers for decades, but the culture of a regulated monopoly set the stage for it LONG before Steve and Steve were up to their shenanigans prior to building computers in their garage.
whoa im slashdotted! jock myself!
Welp, as many have pointed out ANI != CID. I'm a big, big fan of VoIP and this is anything but new. Whoopy. If you're interested in what you can do with VoIP and Asterisk, check out: http://www.telephreak.org and of course a wonderful reference is http://www.voip-info.org . Normal DID lines usually aren't lax enough to let outbound CID go through. However, on DS1, etc. circuits, it's not completely uncommon. I think it's sort of cool that Nuphone does this (though, I will have to check it out for myself). When a call via SIP, for example, is made, the CID information is sent - just as normal data. So, it shouldn't be terribly surprising that if your machine is sending the data, you can alter the outbound data. This isn't exactly something ground breaking with Asterisk.
Because of some good laws (Telephone Consumer Protection Act of 1991; 47 USC 227), consumers have tools to go after those that use illegal telemarketing practices such as prerecorded solicitations, junk faxes, etc. However finding the people responsible is often the hard part. It is very common for these people to intentionally make their numbers unavailable or private so that they cannot easily be traced. Most people that would complain about such calls (if they are on a state or national DNC list) now cannot, since they won't make the extended effort to ID the perps. Thus without some serious legwork, perps get fewer complaints.
Another trick (though not new) is to cause the caller ID to display some message and a number. The message can be "Great offers", "National Prize Line", or some other enticement. The systems will simply dial a number just long enough to be displayed on the CID. Someone curious about the strange looking display will call and will get hit by some prerecorded ad. The problem is that FCC regulations now require automatic dialers to not have anything more than 3% dropped calls (when not transferred to a live marketer) and in any case must ID the company placing the call. I'm not aware, however, of any previous actions regarding this, but it is coming.
I don't want to necessarily spoof a number, but I definitely want to be able to track these kind of numbers used by illegal telemarketers. The biggest complaint about Vonage is that they do not offer some kind of call tracing, so if a call comes in that I cannot ID based on info in the call or legit CID info, then I cannot enforce my rights and seek damages against the company as allowed by law.
Cave, wreck, and deep diver.
The change from hardware to software switching was a huge step for the telephone industry, but they didn't go out and throw away all that reliable (and not completely depreciated) hardware either. Your telephone company has to send out a signal that Aunt Lucy's phone in East, NoWhere (don't forget she has one of the only phone lines in town) can read. The digital 'signature' will have to get stripped off at some point because the signal will most definitely be analog by the time it gets to a large portion of the United States.
[Fuck Beta]
o0t!
All you doomsayers who are saying how bad this is, how credit card companies use CID for activating cards, etc....
Please realize that CID was *never* a secure protocol and has *always* been easily spoofable.
This is not something new, it's just easier to do now. It was never illegal or shady.
How your CC Company decides to verify your new card is NOT something you should be really worried about! WHY? Because in the end, if your signature isn't there, YOU ARE NOT RESPONSIBLE FOR A PENNY.
Second: This lets you spoof callerID, not ANI. How do you know your credit card company is relying on caller-id, and not ANI?
CID information was never designed nor intended to be in any way secure.
PBXs have always had the ability to set outgoing CID information - so, for example, all outgoing calls would appear on the receiver's CID box as coming from a company's main switchboard rather than whatever extension they were actually originating from.
When a PBX is connected to a line with multiple numbers (number block or MSN) it is only valid to present an outgoing number in this block. So yes, you can send a main switchboard number, but you cannot send someone else's number.
The system was reasonably secure as long as reputable telephone companies managed the public exchanges and made sure every line was correctly configured w.r.t. incoming and outgoing CID info.
But now, just about anyone can start a phone company and offer the routing of phone traffic without the sensible management of security etc. VoIP carriers are just one example of that, other mishaps have occurred with alternative carriers etc.
"This is a tool used by and only useful to terrorists"
-- John Ashcroft
That's PHreaks, thank you very much!
I don't know about you, but in my estimation it should be Super PHreak, thank you very much.
Not that I've tried it or anything, but in some circumstances using Cisco's CallManager, you can impersonate any number for long distance purposes. You set the calling party information on a given line. If the local telco doesn't do any checking, which I know of at least one that doesn't, you can make long distance calls as anyone. An example, again not that I've done this, a call placed from place of business X where the calling party info has been set to Y, where Y is the phone number of some random guy in the same area. Check the long distance bill of some random guy and there it is! This might be limited to people being billed by the same company, though in some cases it is not limited by CO, dialing prefix, or even city.
This is not a problem with Cisco's product, it's poor security practices of a backwards local telco. Why? They've never had any intellectual competition.
Correct me if I'm wrong but you can set up your caller id display number in most VOIP equipment including Cisco gear like call manager. I used to work for a VOIP company and we would routinely change peoples Caller IDs to a specific number so they could call someone on their secondary line and have it display the CID of their primary line. Granted, we owned all the DIDs we were using and we were on PRIs but still. I think the access provider should be checking to make sure your CID is either a DID you own or it is not present.
I hope that this does not let some scum out there turn telephone calls into the equivalent of spoofed address email spam. Yuck! Scum.
Can't you do the same thing using ISDN? It is my understanding that ISDN service just passes through the caller ID defined in the customer equipment...
I'd really like to hack my caller ID hardware to display unlisted or caller-ID-blocked numbers. Is this possible to do in the US? If so, how?
Mathematics is not a crime.
I think it's time we review how Caller-ID works altogether.
First of all, the ANI everyone is referring to is automatically added at the first trunk entry point.
For example here at my business we have a trunk line and my PBX adds the ANI to outgoing calls, this is just a number. The name I add to this has been pre-registered to a central database somewhere.
Now when I make a call, my ANI is sent through all the switches, when it arrives at the remote switch the remote switch is responsible for blocking or allowing the display. This remote switch goes out to the central DB and grabs the name for the reported number, throws it together with your number date time and other information and displays it in whatever local format is used, in the case of most consumer lines you have the caller id boxes we all know and love/hate. In a lot of proprietary PBX systems where the system is digital and has LCDs it's a completely different format, the only universal here is ANI.
Here is where that trust issue comes in. Since I have a trunk line, the first entry point is MY PBX, my PBX is responsible for generating the ANI and sending it out. I can make this whatever I want, but don't get any evil ideas as the trunk ID can still be found by the telco that provides me the trunk. They can tell which trunk the call they are switching came from and went to. And then the next company down the line will see that it came from a trunk from my company etc.... Trace anyone?
When I receive calls, my PBX gets the number, and is supposed to block blocked calls, however I can turn this option on and off. Some PBX's cannot control this and comply with the rules.
Essentially my digital wonder-system is it's own switch. They trust that most people do not know what they are doing with these devices enough to spoof, and that even if they did they are hoping you are a trustworthy person.
In the case of VOIP the first entry point would be your VOIP PBX / Switch, you don't have to use Asterisk, you could use the CISCO hardware solutions to do the same thing because that's where they are concentrated into the trunk system. Therefore LINUX in itself is NOT evil, all phones are evil.
Just something to think about.
A free service that has a much higher cost is Deaf Relay Service - in the past you could use a TDD to call the relay operator, who'd make a voice phone call to a hearing person, but now they support Internet-based relaying as well - so they've been getting a huge amount of abuse from Nigerian 419 spammers and other scams. (You can find the Slashdot discussions about it yourself.)
I've had a Nigerian 419 spammer call my cell phone using deaf relay; really annoying.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Just so everyone knows, my account has since been terminated by NuFone for apparently somehow breaking the TACs on their website, due to this article.
Well it was bound to happen. We use Asterisk and it has some interesting features. At least it's open-source :-) Now let's crack open that source code and get to the bottom of this!
Isn't this just a hackers toy??
Now we can expect the script kiddy zealots to increase our VoIP cost.
Isn't this the sort of thing that hurts the public opinion of Linux??? That it is used for illegal activity (virus writers, hackers, now phreakers...).
Some of the problems society has is dealing with things that have no benefit, and only cause harm to others. Why do programmers create harmful tools and release them to the public with instructions on how to abuse them?
karma, hah...
frankly, they're paying for the call and they have a right to see who's calling them. You mean 'paying' like I do for my cell phone? Hrmm How come no one wants to fight for my rights? Sigh.
One of our devs reprogrammed the outgoing caller-ID to look like it was coming from a 900 number. Then he sent repeated pages to our PM's Blackberry.
Yipeee!
... just don't whine like dumbass crybabies when the government steps in and regulates VoIP even more harshly than regular phone lines thanks to your inconsiderate and pathetic hacking of Caller IDs.
Now you too can intentionally destroy the privacy of others using your very own linux system!
Horrayyy! Let's all help slashdot promote the idea of stealing people's privacy in this wonderful thread, contradicting half the other stories posted here that deride the thought of lost privacy!
Yaaaaay!! do your part! use your linux system now to screw others!
VoIP security is ripe to be exploited. No one is going to create a "bluebox" for VoIP. But hacking techniques that are common to Unix and Internet will work well when applied to VoIP signalling, particularly SIP, but H.323, and potentially even MGCP could be exploited.
It is very important to recognize that some VoIP signalling (yes, two "l"s) is done in plain text, particularly MGCP which won't help you much for spoofing your identity, and SIP which will. In fact, a SIP endpoint is acting in effect as a class 5 switch. This means that if you roll your own SIP client (or wait for someone else to do it for you, you script kiddie) you can send whatever kind of data you like in the various fields associated with identity.
A couple of useful things in the SIP protocol could be spoofed this way.
1. Run Ethereal on your neighbor's open WLAN, grab his registration information, and you now have a free SIP account. Since most SIP accounts (Vonage) are flat rate billing, your calls won't even be noticed.
2. Call a compromised SIP line from your PSTN phone, send a spoofed SIP redirect message at the right moment and you are calling pay numbers from your phone for free. This will get noticed, but it's between your neighbor and his Telco, right?
3. A SIP provider might have a pool of provisioned, but unused accounts/numbers sitting on its system with trivial login/password. This makes for quick turnaround when people buy a new account. Find out the phone numbers of two or three friends who just got the service in the same area and find out what their initial username and password were. You may have a goldmine of never ending free accounts. Just keep incrementing the values as the passwords change on the older numbers.
4. Now for the fun stuff. We need to send a few spoofed messages to get an unbilled SIP call. Begin with a normal call from your SIP phone in New York to your friend on the PSTN in Mexico City. First make a good call and capture all the SIP information. You are looking for the IP information for your Phone, the Proxy Server, and the media gateway that will handle the conversion from VoIP to PSTN. With this information you can create a "shadow proxy" which sends SIP messages just before or after the real proxy to effectively cut-through a call which the actual proxy thinks has been released due to "Busy Here" or some other good reason. If the media gateway uses MGCP instead of SIP this gets harder, but it is still possible. Your "shadow proxy" will have to become a "shadow media gateway controller" and you'll need a lot more information about your providers network. Still a strategic DLCX that appears to come from the gateway could work wonders.
So, in short, a lot of free phone calls will be made until the SPs get this security thing right. SIP will probably have to go through major revision, and providers will have to carefully guard their networks. Also, your neighbor should really use encryption on his WLAN.
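Added example, not code from the securityfocus article, NuFone, Asterisk or any of the posters above. Several posts in this thread describe the same two checks a permissive VoIP carrier is skipping: the ILEC admin who limited spoofable numbers to the DID block assigned to the PRI, the UK poster whose invalid MSN was reset to the line's billing number, the ex-VoIP employee's "either a DID you own or not present", and the UK/FCC points that the privacy flag should be honoured by the carrier rather than forwarded to the called party's equipment. The last post above makes the underlying point: in SIP the identity fields are plain text the endpoint fills in itself. The script below parses a constructed SIP INVITE (the From number is the 714 example a poster mentions; the DID block, billing number and provider.example domain are assumptions made for the example) and applies both checks at the provider edge.

```python
"""Provider-edge SIP caller-ID checks.

Added example, not code from the article, NuFone, Asterisk or any poster.
Ingress: a From number is trusted only if it lies inside the DID block
assigned to the customer's trunk. Egress: the RFC 3323 Privacy header is
applied by the carrier, so the called party's equipment never receives a
number it is merely asked not to display. Trunk record, both INVITEs and
the provider.example domain are constructed for the example.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed: a customer PBX presents an arbitrary From number and asks
# for privacy, exactly the combination a permissive carrier passes through.
SAMPLE_INVITE = (
    "INVITE sip:+14155550123@provider.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    'From: "Bank Fraud Dept" <sip:+17148531212@provider.example>;tag=1928301774\r\n'
    "To: <sip:+14155550123@provider.example>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Privacy: id\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed: the same trunk presenting one of its own DIDs, no privacy.
LEGIT_INVITE = SAMPLE_INVITE.replace(
    '"Bank Fraud Dept" <sip:+17148531212@', '"Acme Switchboard" <sip:+14085550150@'
).replace("Privacy: id\r\n", "")

# Constructed trunk record: the DID block actually assigned to this trunk.
TRUNK = {
    "billing_number": "+14085550100",
    "did_ranges": [("+14085550100", "+14085550199")],
}

_URI_NUMBER = re.compile(r"<?sip:(\+?\d+)@")
_DISPLAY_NAME = re.compile(r'^"([^"]*)"')


def parse_headers(msg: str) -> Dict[str, str]:
    """Return the header fields of a SIP request with lower-cased names."""
    head = msg.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def number_from_header(value: str) -> Optional[str]:
    """User part of a sip: URI, e.g. '+17148531212', or None."""
    m = _URI_NUMBER.search(value)
    return m.group(1) if m else None


def display_name(value: str) -> str:
    m = _DISPLAY_NAME.match(value)
    return m.group(1) if m else ""


def in_did_ranges(number: str, ranges: List[Tuple[str, str]]) -> bool:
    n = int(number.lstrip("+"))
    return any(int(lo.lstrip("+")) <= n <= int(hi.lstrip("+")) for lo, hi in ranges)


def ingress_cpn(headers: Dict[str, str], trunk: dict) -> Tuple[str, str]:
    """Decide which calling number the carrier forwards for this trunk.

    A From number outside the trunk's DID block is not trusted. This
    version substitutes the trunk's billing number, as the UK telco in
    the thread does; answering 403 Forbidden is the stricter alternative.
    """
    claimed = number_from_header(headers.get("from", ""))
    if claimed and in_did_ranges(claimed, trunk["did_ranges"]):
        return "accept", claimed
    return "rewrite", trunk["billing_number"]


def egress_presentation(headers: Dict[str, str], cpn: str) -> Tuple[str, Optional[str]]:
    """What the called customer's equipment is told.

    With Privacy 'id', 'header' or 'user' present, neither name nor number
    leaves the carrier, so a permissive endpoint has nothing to read past.
    """
    tokens = {t.strip().lower() for t in headers.get("privacy", "").split(";")}
    if tokens & {"id", "header", "user"}:
        return "PRIVATE", None
    return display_name(headers.get("from", "")), cpn


def process_call(msg: str, trunk: dict) -> dict:
    headers = parse_headers(msg)
    verdict, cpn = ingress_cpn(headers, trunk)
    name, number = egress_presentation(headers, cpn)
    return {"claimed": number_from_header(headers.get("from", "")),
            "verdict": verdict, "forwarded_cpn": cpn,
            "shown_name": name, "shown_number": number}


if __name__ == "__main__":
    for label, inv in (("spoofed+private", SAMPLE_INVITE), ("legit", LEGIT_INVITE)):
        print(label, process_call(inv, trunk=TRUNK))
```

Two caveats that follow from the thread itself: this checks the CID/CPN field only, not ANI, which the carrier derives from the trunk the call arrived on rather than from anything the customer sends; and on the PSTN the displayed name is normally looked up from the number by the terminating switch, as one poster explains, so forwarding the From display name as done here is only meaningful for SIP-to-SIP calls. The point of the example is where the checks live: on the provider side, where the trunk-to-DID assignment is known, rather than in customer equipment that can be told to do anything.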