Slashdot Mirror


Clever Caller ID Tricks With VoIP

An anonymous reader writes "securityfocus.com has an interesting article collecting some clever exploits for VoIP. According to the article, 'the open-source Linux-based PBX software Asterisk, used in combination with a permissive VoIP provider' can be used to fool caller id, and even get caller numbers that are supposed to be private."

3 of 259 comments

  1. Err... so what? by newt · Score: 5, Informative

    This isn't new. You can do exactly the same thing with a PABX with ISDN ports. The ability to set your own caller-ID is part of the ISDN call setup protocol.

    What you can't do, though, is set the ANI data (which is used by the telcos to find out who gets billed for the call and for call interception). And I can't see how that capability changes at all just because you're using a VoIP gateway either.

    - mark

    --

    -----
    I tried an internal modem, but it hurt when I walked.

  2. Amazing... by yogensha · Score: 5, Informative

    ...that this type of spoofing is so easy. I work for a small ILEC. We got an Asterisk box almost a year ago to play a bit with VoIP. The caller ID spoofing was easy to do, and fun for a while. Out of curiosity, I tried to figure out how to secure the switch enough to prevent this type of spoofing from happening. With less than a year of experience in circuit switching, the manual, and about 30 minutes, I managed to limit the spoofable numbers to the range of DID numbers actually assigned to that PRI. In other words, no more spoofing. It amazes me that more providers don't implement this type of security.

    --


    Abstainer: a weak person who yields to the temptation of denying himself a pleasure.
    --Ambrose Bierce
  3. Re:Countdown by bareminimum · Score: 5, Informative

    This isn't about violating standards. We've been faking caller ids for fun with Asterisk for a while. It does work; however, my local (Bell) provider will not let me put one of its own numbers in the bogus CID I pass.

    This is a normal "feature" of CID. That's how you can go through a third-party LD provider yet still have your own phone number show up on the recipient's display. Voicepulse or other VOIP providers are not being overly permissive here. If you get a T1 bank you will have the same capability. That's what makes it possible for huge corporations to have thousands of phone lines in hundreds of offices yet display only their main incoming number on your caller id capable phone when someone from their office calls you.

    The difference is that now average Joe can fake CID like the big boys used to do with a mere $7/month investment, vs the couple hundred dollars it would cost (plus install fees) if you went with a standard channel bank.

    CID is for information purposes only. The problem is that people have grown to trust it as being 100% accurate, but they definitely shouldn't.
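Added example, not code from any commenter or from Asterisk: a provider-side caller ID screening check of the kind comment 2 describes (only DIDs assigned to the trunk pass), with a looser mode modeled on the behaviour comment 3 reports from its provider. The `Trunk` type, function names, ranges and replacement policy are assumptions, and the 555-01xx numbers are constructed sample data.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Trunk:
    name: str
    main_number: str   # sent instead when the presented caller ID fails screening
    did_ranges: tuple  # inclusive (first, last) pairs of 11-digit numbers

def normalize(cid, country_code="1"):
    """Reduce a presented caller ID to 11 bare digits, or None if unusable."""
    digits = re.sub(r"\D", "", cid or "")
    if len(digits) == 10:  # national number presented without country code
        digits = country_code + digits
    ok = len(digits) == 11 and digits.startswith(country_code)
    return digits if ok else None

def in_ranges(number, ranges):
    # Equal-length digit strings compare correctly as plain strings.
    return any(len(number) == len(lo) and lo <= number <= hi for lo, hi in ranges)

def screen(trunk, presented, provider_ranges=(), strict=True):
    """Return (caller_id_to_send, verdict) for one outbound call setup.

    strict=True : only DIDs assigned to this trunk pass (comment 2).
    strict=False: third-party numbers pass, but provider-owned numbers
                  not assigned to this trunk are replaced (comment 3).
    """
    number = normalize(presented)
    if number is None:
        return trunk.main_number, "replaced: malformed"
    if in_ranges(number, trunk.did_ranges):
        return number, "passed: assigned DID"
    if strict:
        return trunk.main_number, "replaced: not assigned to trunk"
    if in_ranges(number, provider_ranges):
        return trunk.main_number, "replaced: provider number not assigned to trunk"
    return number, "passed: unscreened third-party number"

# Constructed sample data: one PRI holding 50 DIDs out of a 100-number provider block.
PRI_A = Trunk("pri-a", "12025550100", (("12025550100", "12025550149"),))
PROVIDER_BLOCK = (("12025550100", "12025550199"),)

if __name__ == "__main__":
    for cid in ["(202) 555-0123", "202-555-0175", "+1 303 555 0142", "anonymous"]:
        print(cid, "strict:", screen(PRI_A, cid),
              "loose:", screen(PRI_A, cid, PROVIDER_BLOCK, strict=False))
```

In the loose mode an arbitrary third-party number still goes out unchanged, which is why the displayed caller ID cannot be treated as verified unless the originating provider screens strictly.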