Slashdot Mirror


Clever Caller ID Tricks With VoIP

An anonymous reader writes "securityfocus.com has an interesting article collecting some clever exploits for VoIP. According to the article, using 'the open-source Linux-based PBX software Asterisk, used in combination with a permissive VoIP provider' can be used to fool caller id, and even get caller numbers that are supposed to be private."

29 of 259 comments

  1. Err... so what? by newt · · Score: 5, Informative

    This isn't new. You can do exactly the same thing with a PABX with ISDN ports. The ability to set your own caller-ID is part of the ISDN call setup protocol.

    What you can't do, though, is set the ANI data (which is used by the telcos to find out who gets billed for the call and for call interception). And I can't see how that capability changes at all just because you're using a VoIP gateway either.

    - mark

    --
    I tried an internal modem, but it hurt when I walked.

    1. Re:Err... so what? by YankeeInExile · · Score: 2, Informative

      If the call doesn't enter the PSTN at an end office, there will BE no ANI spill, other than whatever SE the VoIP gateway adds, which is under THEIR control. As far as The Network is concerned, identification and rating are end-office functions. Sure, logs are kept at the tandem level for billing access minutes, or inter-carrier settlement, but getting from that to "who was at the other end" can be a tremendous challenge requiring the cooperation of every carrier whose network the call passed through.

      --
      How does the Slashdot Effect happen given that no slashdotters ever RTFA?
    2. Re:Err... so what? by Tmack · · Score: 4, Informative

      > Then this sounds like a simple problem to fix to me: The phone companies would simply have to check that the phone number reported for caller id matches one that they have registered for the person who is billed. If not, they can give an error message or something. Or did I misunderstand something?

      You misunderstand how caller ID works. On traditional PSTN lines, when you make an outbound call your callerID information is looked up in a database (maintained by your carrier) when it hits the call switch in the Central Office (CO). This is tacked onto the call and is sent with the rest of the call routing information to the destination via the signalling lines of SS7 trunks (note: SS7 splits voice traffic and call signaling between physically separate routes/lines, meaning voice traffic is not transmitted or routed until the call is established, eliminating the effectiveness of the old blue/black box dialers.). When it reaches the last CO and goes out to a Remote Terminal (RT), the RT sends the ring tones to your phone over the local loop copper (for PSTN, more on that in a sec). Mixed in with the ring tones is a modem-sounding signal that your Caller ID box intercepts and decodes to get the caller ID info. Since this data is stored by the phone company, it is hard to spoof.

      With digital phone systems, the signaling goes all the way to the switch itself, allowing the PBX more control over the call. ISDN and CAS have provisions to inject CallerID information into the outbound calls. Whether or not this information is passed through the CO call switch or is replaced is up to the carrier. Generally, since it's less stuff for the carrier to deal with, they let it pass. I-VoIP (internet VoIP) carriers need the software to be able to route calls back to their switch, and in doing so, the software basically becomes a software-based digital PBX. So along with routing information, the CallerID info can be passed into the signaling.

      Another issue is that caller-ID can be any alphanumeric string, with a few special characters thrown in as well. Because of this, you can have your CallerID Name set to show up as a random phone number (867-5309?), and unless someone actually checks the number portion of the CID against what shows up in the display, they probably won't notice, and if it is noticed, it would look like 2 different phone numbers and probably just confuse the person receiving the call.

      Tm

      --
      Support TBI Research: http://www.raisinhope.org
    3. Re:Err... so what? by Abalamahalamatandra · · Score: 2, Informative

      I had a job from 1992-1994 programming those credit card activation numbers, and our service bureau operated entirely on ANI data and not caller ID.

      AFAIK, you can't spoof ANI data, only deny it, and in that case my program transferred the call to a live operator who had a script of verification questions to ask.

      So, not much to see here, move along...

    4. Re:Err... so what? by Anonymous Coward · · Score: 1, Informative

      The main difference that matters here is that a BRI is effectively still a line to most if not all telco switches. A PRI on the other hand is a trunk in most telco switches (in an EWSD switch it's actually built as a multi-line huntgroup, quite an oddity) and therefore relies on the end user for far more information.

      In BRI (2B+D channel) calls the originating number is determined by the SPID. The SPIDs must match in the CPE and the switch.

      In PRI (generally 23B+D or higher) the important match-up information is the channel number that the call is being passed on. The switch fully relies on the CPE to tell it the originating number.

      However, it should be noted that most switches, at least those popularly used today such as 5ESS, DMS and EWSD, CAN be set to screen the originating numbers. In which case the originating number sent from the CPE is cross-referenced to a list of numbers set for it in the switch. Generally, if the number does not match one of the numbers listed for it then the switch will use the PRI's billing number.

  2. VOIP does NOT change WHAT you can do by Havokmon · · Score: 3, Informative
    IMHO, Anyone with a PBX can do these things.

    I'm not sure if you can get away with just a POTS line into your PBX, or if you need a T1 - but this kind of stuff is always accessible when you run the switch. Whether or not it's a land-line or VOIP, if you have a switch, you can do it.

    (FWIW, I recently saw a Fujitsu 9600 - up to 9,600 lines, the unix of PBX's - on Ebay for $2000.)

    --
    "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
    1. Re:VOIP does NOT change WHAT you can do by Tmack · · Score: 2, Informative

      What is needed is a PBX or other similar device that can play with call signaling, and phone service that allows you to control call signaling (ie: digital service). This can be CAS/PRI/whatever over ISDN/T1/T3/whatever. The callerID is injected into the call setup signaling. It is up to the carrier to validate this and reject it, replace it, or pass it along. It is a feature of digital lines, as customers with digital systems may have 24 channels (up to 24 lines active at any one time) but 2400 phone numbers, and might want to make calls "from" different numbers. The only way to do this is to either have multiple trunk-groups (expensive from the billing side of things), or be allowed to set the outbound caller ID info on a per-call basis, as all calls go out over the same trunk-group, which has only 1 "real" phone number (the other 2399 are DIDs, direct inward dial, and are used by the PBX to route a call to someone's specific extension, usually by the last 4 digits of the number) that would otherwise show up in the caller ID.

      TM

      --
      Support TBI Research: http://www.raisinhope.org
  3. Re:from overseas by Anonymous Coward · · Score: 3, Informative

    Did you even RTFA? It's about caller ID exploits, one of which allows VoIP users on Linux to change the number that you see on your caller ID when they call you. They could make it look like their phone number was Domino's Pizza or the Pope.

    The other part is being able to capture and display the caller ID of people who call you with numbers that show "Private" or "Blocked" on a normal line.

  4. from your local wikipedia whore by Anonymous Coward · · Score: 2, Informative

    the ever badass wiki link for voip info

  5. Re:Countdown by LostCluster · · Score: 4, Informative

    This isn't an open source issue at all. It's a "trusting user provided equipment" mistake... a closed source program can violate the standard just as badly.

    It's a matter of equipment being given info it's not supposed to share and a flag telling it not to share. But, if the customer provides the software...

  6. Re:Details? by callipygian-showsyst · · Score: 4, Informative

    800 numbers always have access to your number, regardless of your "Caller ID" preference.

  7. They may be changing ANI also by Anonymous Coward · · Score: 2, Informative

    My understanding of card activation is that it is based on ANI, not caller ID. If the author could get this technique to allow card activation, that would seem to imply that ANI is being spoofed. Of course there were reports that this could be done with an ISDN hookup some years back. It isn't much of a surprise that something that is a software PBX can fake either.

    It just hasn't been so easy.

  8. Amazing... by yogensha · · Score: 5, Informative

    ...that this type of spoofing is so easy. I work for a small ILEC. We got an Asterisk box almost a year ago to play a bit with VoIP. The caller ID spoofing was easy to do, and fun for awhile. Out of curiosity, I tried to figure out how to secure the switch enough to prevent this type of spoofing from happening. With less than a year of experience in circuit switching, the manual, and about 30 minutes, I managed to limit the spoofable numbers to the range of DID numbers actually assigned to that PRI. In other words, no more spoofing. It amazes me that more providers don't implement this type of security.

    --


    Abstainer: a weak person who yields to the temptation of denying himself a pleasure.
    --Ambrose Bierce
    1. Re:Amazing... by julesh · · Score: 3, Informative

      It's intentional. You're supposed to be able to use non-geographic numbers that route back onto any of your own DIDs, and your line-providing telco doesn't necessarily know about these.
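    Added example, not code from the thread or from any switch vendor: the switch-side screening the Anonymous Coward describes (calling number from the CPE cross-referenced to the numbers assigned to that PRI, billing number substituted on a mismatch), the result yogensha configured on a real switch, with julesh's non-geographic numbers handled as an explicit per-trunk allowlist, plus a check for the "name field that looks like a number" trick Tmack mentions. The trunk profile, the sample numbers and the 10-digit-NANP rule are constructed assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Screening indicator values as they appear in ISDN call setup (Q.931 Calling Party Number).
USER_NOT_SCREENED = "user-provided, not screened"
USER_PASSED = "user-provided, verified and passed"
NETWORK_PROVIDED = "network-provided"


@dataclass(frozen=True)
class TrunkProfile:
    """What the switch knows about one PRI: its billing number and the numbers it may present."""
    trunk_id: str
    billing_number: str                      # the trunk's single "real" number
    did_blocks: tuple[tuple[str, str], ...]  # inclusive (low, high) blocks of DIDs
    extra_allowed: frozenset = frozenset()   # e.g. toll-free numbers routed back to this customer
    screen: bool = True                      # False = pass along whatever the CPE sends

    def allows(self, number: str) -> bool:
        # All numbers are normalised to 10 digits, so string order equals numeric order.
        if number in self.extra_allowed:
            return True
        return any(low <= number <= high for low, high in self.did_blocks)


@dataclass(frozen=True)
class ScreenResult:
    calling_number: str   # what the switch forwards toward the called party
    screening: str        # screening indicator attached to the number
    reason: str


def normalize(number: str) -> str:
    """Strip punctuation; accept only 10-digit NANP numbers (constructed rule for this example)."""
    digits = re.sub(r"\D", "", number)
    return digits if len(digits) == 10 else ""


def screen_calling_number(trunk: TrunkProfile, presented: str) -> ScreenResult:
    """Verify the CPE-supplied number against the trunk's assigned numbers; on any
    mismatch (or a malformed number) substitute the trunk's billing number."""
    if not trunk.screen:
        # The permissive configuration discussed in the thread: forwarded untouched.
        return ScreenResult(presented, USER_NOT_SCREENED, "trunk not configured to screen")
    number = normalize(presented)
    if not number:
        return ScreenResult(trunk.billing_number, NETWORK_PROVIDED, f"malformed number {presented!r}")
    if trunk.allows(number):
        return ScreenResult(number, USER_PASSED, "number assigned to this trunk")
    return ScreenResult(trunk.billing_number, NETWORK_PROVIDED,
                        f"{number} not assigned to {trunk.trunk_id}")


def name_looks_like_number(display_name: str) -> bool:
    """Flag a caller-name field that reads as a phone number: seven or more digits
    with nothing but separators between the groups."""
    only_number_chars = re.fullmatch(r"\+?[\d\s().-]*\d[\d\s().-]*", display_name) is not None
    return only_number_chars and len(re.sub(r"\D", "", display_name)) >= 7


# Constructed sample trunk: one billing number, a block of 100 DIDs, and one toll-free
# number that routes back to the same customer but is not in the DID block.
SAMPLE_TRUNK = TrunkProfile(
    trunk_id="pri-sample-01",
    billing_number="2125550100",
    did_blocks=(("2125550100", "2125550199"),),
    extra_allowed=frozenset({"8005550123"}),
)

if __name__ == "__main__":
    for presented in ("212-555-0142", "800-555-0123", "714-853-1212", "867-5309"):
        r = screen_calling_number(SAMPLE_TRUNK, presented)
        print(f"{presented:>14} -> {r.calling_number} [{r.screening}] ({r.reason})")
```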

  9. Re:It's about as clever as using tcpdump... by jj_johny · · Score: 2, Informative

    Here is a quick tutorial on SS7 - Signaling System 7 - the root of the current phone systems. Just look at the ISUP page to see some of the secret fields.

  10. Re:Calling FCC... by Gaewyn+L+Knight · · Score: 4, Informative

    There is NOTHING about this that is any more permissive than a normal business with a digital PBX can already do...

    "The FCC would never tolerate an old-line phone company selling a service that lets people lie to caller ID"

    It is done CONSTANTLY! Marketing companies send out the callerid of the companies they are calling on behalf of... Companies have multiple phone lines send out the callerid of their main phone line.... it is a normal business service.

    As for getting the number of the remote caller, anyone with a PRI line can do that. This is mandated because otherwise on 1-8XX lines you would never be able to verify you were being correctly billed for their usage from your provider.

    I hate to say this... but you obviously haven't worked with a real phone system before.

    --
    Telcos have a lot of dark fibre in the States. Most people assume that's optical fibre...but it's actually moral fibre.
  11. Once again, this is not really a hack or exploit. by BlueTT · · Score: 4, Informative

    CID information was never designed nor intended to be in any way secure.

    PBXs have always had the ability to set outgoing CID information - so, for example, all outgoing calls would appear on the receiver's CID box as coming from a company's main switchboard rather than whatever extension they were actually originating from.

    It always frightens me to see press accounts of CID information being used as "proof" of something, say the violation of a restraining order or proof of harassment when it is absolutely trivial to spoof. Newer VOIP devices just make it easier to do without the need for a PBX and trunk line to do so.

    ANI information, the calling number information provided when you call an 800 number, is an entirely different matter. Since it is used for billing information, it IS secure; the only way to spoof it is to call a provider who then turns around and reroutes your calls from their exchange. But whether you have CID blocking or not, the ANI number is ALWAYS passed because, frankly, they're paying for the call and they have a right to see who's calling them.

  12. Junk Fax Broadcasters! by clmensch · · Score: 2, Informative

    Maybe I can use this to track down the scumbags who send junk faxes to me at all hours of the night and morning, but whose numbers are listed only as "Out of Area". In fact, I bet this would be a handy tool for those who are trying to stop these asshats.

    --
    There is no gravity...the earth just sucks.
  13. Another trick by rindeee · · Score: 4, Informative

    I just sent Kevin an e-mail to this effect, but for anyone else interested here's more info:

    **Portion omitted**

    Vonage has "fixed" their CID spoofing problem (at least in some switches), but in the process has created a new "feature". Try this:

    1. Call a party. When they answer, flash over to a new dial-tone (as if to initiate a 3rd party call). Dial the new third party (who has been instructed not to answer the call coming from your phone number) and after a couple of rings hang up the phone. Rather than the initial call ringing back to you as it should, it will ring forward to the third party. A nifty way to put your friend in CA in touch with your friend in NY with no long-distance charges even when they don't use Vonage.

    2. Let a party call you. Flash over to a new line and dial a 3rd party. Repeat process above and you can effectively "transfer" the call out of your phone system with no toll charges.

    In both cases, your Vonage line is free to make and receive calls as soon as you hang up.

    Thanks, and keep up the great writing!!!

    Egon Rinderer

  14. Re:Details? by Feyr · · Score: 4, Informative

    I run a small ISP, and I have the callerid of everyone calling, no matter what their privacy setting says. It even gets logged in my cute little radius database.

    As someone pointed out, it's a part of the ISDN call setup protocol.

  15. "It's not a bug, it's a feature." by faedle · · Score: 4, Informative

    Let me echo the statements of others that said "This has been possible forever" by saying that I was doing this with a Pacific Bell ISDN line six years ago. I discovered that they weren't authenticating any of the data I sent out on the D-channel, they were just passing it along.

    Also, the reason why many VoIP providers are passing along Caller ID data without verification is legitimate. VoIP has no concept of "numbers" tied to hard physical "lines". Many VoIP providers sell outgoing service that is not tied to any physical telephone number. This is nothing new: conventional telcos have been doing that for years (it used to be called OutWATS) over T1s. If my VoIP gateway provider has no physical phone number to set my calls to, what are they supposed to do? This is the #1 reason all those telemarketer calls are labelled "OUT OF AREA", BTW.

    In my case, I set the Caller ID to the POTS line that terminates into the same phone system. However, it would be trivial for me to set it to something like 714-853-1212, and it would get passed.

    The problem is not that I can set Caller ID to any arbitrary number, but that idiots are actually depending upon an in-band signalling system which depends upon third parties (private PABXs) for the data as a secure authentication method.

    I don't personally see any easy fix to this, nor should there be. The telecom business is increasingly having small players in it, and it will be difficult to fix this alleged "problem" without locking out these same small players.

  16. Oh, it gets worse.. by Anonymous Coward · · Score: 2, Informative

    If you have T-Mobile cell service, try calling your cell phone with a spoofed Caller-ID of its own phone number. What a wonderful surprise - instant voicemail. Don't feel bad for them - they were notified a year ago. :) Kudos to Sprint for fixing the same problem immediately after notification.

  17. Re:Countdown by Idarubicin · · Score: 4, Informative

    > And I am on the Do Not Call List, but they call and it is "unknown", and worse a recording to call some 800 number for a free satellite dish, from some company in Canada. No way to make them accountable for violating the law.

    Interesting. You might actually look at their violations of Canadian law, then. Using an auto-dialler (an Automatic Dialling and Announcing Device, or ADAD) for solicitation--charitable donations, promotions, sales, etc.--is forbidden by the CRTC (Canadian Radio-television and Telecommunications Commission.) The CRTC can demand that a phone company suspend service to any company or individual who flagrantly violates these rules. Even if a company hires another company to make the calls, they can be held accountable. You might want to contact the CRTC directly to see how the rules apply on international calls, however.

    Even if a company is blocking call ID, your phone company can probably trace the call. For advice on how to handle this type of thing with an international call, again you might need to contact the FTC and the CRTC. It doesn't hurt to ask, and I'm pretty sure that the people at these organizations hate the spam callers as much as everyone else.

    --
    ~Idarubicin
  18. Re:Countdown by bareminimum · · Score: 5, Informative

    This isn't about violating standards. We've been faking caller ids for fun with Asterisk for a while. It does work, however my local (Bell) provider will not let me put one of its own numbers in the bogus CID I pass.

    This is a normal "feature" of CID. That's how you can go through a third-party LD provider yet still have your own phone number show up on the recipient's display. Voicepulse or other VOIP providers are not being overly permissive here. If you get a T1 bank you will have the same capability. That's what makes it possible for huge corporations to have thousands of phone lines in hundreds of offices yet display only their main incoming number on your caller id capable phone when someone from their office calls you.

    The difference is that now average Joe can fake CID like the big boys used to do with a mere $7/month investment, vs the couple hundred dollars it would cost (plus install fees) if you went with a standard channel bank.

    CID is for information purposes only. The problem is that people have grown to trust it as being 100% accurate, but they definitely shouldn't.

  19. Boring.... by Beave · · Score: 2, Informative

    Welp, as many have pointed out, ANI != CID. I'm a big, big fan of VoIP and this is anything but new. Whoopy. If you're interested in what you can do with VoIP and asterisk, check out: http://www.telephreak.org and of course a wonderful reference is http://www.voip-info.org . Normal DID lines usually aren't lax enough to let outbound CID go through. However, on DS1, etc. circuits, it's not completely uncommon. I think it's sort of cool the Nuphone does this (though, I will have to check it out for myself). When a call via SIP, for example, is made, the CID information is sent - just as normal data. So, it shouldn't be terribly surprising that if your machine is sending the data, you can alter the outbound data. This isn't exactly something ground breaking with asterisk.

  20. Oh PLEASE... by mindstrm · · Score: 3, Informative

    All you doomsayers who are saying how bad this is, how credit card companies use CID for activating cards, etc....

    Please realize that CID was *never* a secure protocol and has *always* been easily spoofable.

    This is not something new, it's just easier to do now. It was never illegal or shady.

    How your CC Company decides to verify your new card is NOT something you should be really worried about! WHY? Because in the end, if your signature isn't there, YOU ARE NOT RESPONSIBLE FOR A PENNY.

    Second: This lets you spoof callerID, not ANI. How do you know your credit card company is relying on caller-id, and not ANI?

  21. Re:Once again, this is not really a hack or exploi by pe1chl · · Score: 2, Informative

    > CID information was never designed nor intended to be in any way secure.
    >
    > PBXs have always had the ability to set outgoing CID information - so, for example, all outgoing calls would appear on the receiver's CID box as coming from a company's main switchboard rather than whatever extension they were actually originating from.

    When a PBX is connected to a line with multiple numbers (number block or MSN) it is only valid to present an outgoing number in this block. So yes, you can send a main switchboard number, but you cannot send someone else's number.

    The system was reasonably secure as long as reputable telephone companies managed the public exchanges and made sure every line was correctly configured w.r.t. incoming and outgoing CID info.
    But now, just about anyone can start a phone company and offer the routing of phone traffic without the sensible management of security etc. VoIP carriers are just one example of that, other mishaps have occurred with alternative carriers etc.

  22. Re:Calling FCC... by jjhall · · Score: 2, Informative

    I'd tell you to RTFA, but then, unfortunately you did. The problem here, is that the reporter didn't put in all of the information, imagine that.

    I personally use Nufone (the company that "doesn't have things configured correctly" according to the article.) Things are in fact configured correctly. The "hacker" in the article is no different than someone exploiting some other feature for the wrong reasons.

    The reason the person could "magically" read the "hidden" numbers is because Nufone mostly provides toll-free numbers. As a holder of such a toll-free number, I have a right to know who is calling me, as I am paying for it. To my knowledge, it is a right that all toll-free numbers allow. The article failed to point out this information.

    As for being able to spoof numbers, the article also failed to mention that most any business-class connection with a digital line can do this. It is set up this way so a company with 1000 extensions can have direct inbound dialing for each extension with only a few physical lines. This is not a flaw in the system. Nufone markets itself toward the business-class users, not the everyday joe.

    Call your local phone company and ask them if they can give you a toll-free number. When they say yes, ask them if you will get Caller-ID info even if it is blocked when someone calls that line. Guess what the answer will be?

    Now ask them if you can get 2 digital ISDN lines. Explain that you are going to have 10 phones, and you want each one to have its own number associated with it. Tell them your PBX will set the correct number when it sets up the outbound call. They will tell you "No problem."

    These things are available, even though you may have to change over to a business customer instead of a home customer. Nothing is new here, only that the financial bar has been lowered to get these features. This is great for small and home office based businesses.

    I for one will be writing a feedback to both the reporter and his editor explaining the misinformation the article is giving. I just hope the wrong people don't complain about this being available, and cause those of us who this is truly useful to, to lose it.

    Jeremy

  23. So what?? So let's dance! by Bapu · · Score: 2, Informative

    VoIP security is ripe to be exploited. No one is going to create a "bluebox" for VoIP. But hacking techniques that are common to Unix and Internet will work well when applied to VoIP signalling, particularly SIP, but H.323, and potentially even MGCP could be exploited.
    It is very important to recognize that some VoIP signalling (yes, two "l"s) is done in plain text, particularly MGCP which won't help you much for spoofing your identity, and SIP which will. In fact, a SIP endpoint is acting in effect as a class 5 switch. This means that if you roll your own SIP client (or wait for someone else to do it for you, you script kiddie) you can send whatever kind of data you like in the various fields associated with identity.
    A couple of useful things in the SIP protocol could be spoofed this way.
    1. Run Ethereal on your neighbor's open WLAN, grab his registration information, and you now have a free SIP account. Since most SIP accounts (Vonage) are flat rate billing, your calls won't even be noticed.
    2. Call a compromised SIP line from your PSTN phone, send a spoofed SIP redirect message at the right moment and you are calling pay numbers from your phone for free. This will get noticed, but it's between your neighbor and his Telco, right.
    3. A SIP provider might have a pool of provisioned, but unused accounts/numbers sitting on its system with trivial login/password. This makes for quick turnaround when people buy a new account. Find out the phone numbers of two or three friends who just got the service in the same area and find out what their initial username and password were. You may have a goldmine of never ending free accounts. Just keep incrementing the values as the passwords change on the older numbers.
    4. Now for the fun stuff. We need to send a few spoofed messages to get an unbilled SIP call. Begin with a normal call from your SIP phone in New York to your friend on the PSTN in Mexico City. First make a good call and capture all the SIP information. You are looking for the IP information for your Phone, the Proxy Server, and the media gateway that will handle the conversion from VoIP to PSTN. With this information you can create a "shadow proxy" which sends SIP messages just before or after the real proxy to effectively cut-through a call which the actual proxy thinks has been released due to "Busy Here" or some other good reason. If the media gateway uses MGCP instead of SIP this gets harder, but it is still possible. Your "shadow proxy" will have to become a "shadow media gateway controller" and you'll need a lot more information about your provider's network. Still, a strategic DLCX that appears to come from the gateway could work wonders.
    So, in short, a lot of free phone calls will be made until the SPs get this security thing right. SIP will probably have to go through major revision, and providers will have to carefully guard their networks. Also, your neighbor should really use encryption on his WLAN.