Slashdot Mirror

← Back to Stories (view on slashdot.org)

Clever Caller ID Tricks With VoIP

Posted by timothy on from the making-the-most-of-the-line dept.

An anonymous reader writes "securityfocus.com has an interesting article collecting some clever exploits for VoIP. According to the article, using 'the open-source Linux-based PBX software Asterisk, used in combination with a permissive VoIP provider' can be used to fool caller id, and even get caller numbers that are supposed to be private."

18 of 259 comments (clear)

  1. Freaks! by krumms · · Score: 5, Insightful

    Return of the phreak? :P

    1. Re:Freaks! by yootje · · Score: 2, Insightful

      Yeah, but this time without the whistle, and with Linux.

      --
      My photo's.
  2. Countdown by UberOogie · · Score: 3, Insightful

    ... until this is used in another "Open Source is evil" argument by MS, the government, the phone company, or all of the above in 5, 4, 3...

    --
    "Enough of this wretched, whining monkey life." -- Marcus Aurelius, _Meditations_, Book 9, 37
    1. Re:Countdown by SiO2 · · Score: 2, Insightful

      The phone companies have been trying to sell me caller ID for years. I don't need it, because I have an answering machine. I just never answer my phone and screen all of my calls. That would solve your "unknown" caller problem.

      SiO2

  3. Gone Phishing by Mz6 · · Score: 4, Insightful
    "Callers with life-or-death anonymity concerns might consider spoofing just to get a little privacy. For now, Lucky says pranks among friends are the most common use that he's seen of VoIP spoofing, but he believes that identity thieves and other swindlers could have a field day. "I've used it myself to activate my own credit cards, because I never give credit card companies my real number," he says. "One simple spoof, and it's like saying, if you have the guy's phone number, that piece of information is more important than his mother's maiden name and date of birth. If you have the phone number, you don't need anything else."

    Well this is nice. Once again the social engineering tricks will creep up on most once again. However, who's really that stupid to be giving away all of their personal info over the telephone anyway? Does this mean that it's going to start being like the phishing scams now?

    --
    Hmmm.
    1. Re:Gone Phishing by LostCluster · · Score: 5, Insightful

      Who's really that stupid? Big business.

      Call-centers are using the CPN data as an authentication method to recognize customers. Call from somebody else's phone, or in this case appear to be doing so, and instantly that person's account will open on the operator's screen.

      Banks and credit card companies seem to be smart enough to know that they have to ask some other challenge question to make themselves confident enough that they have the right person before discussing anything sensitve... but it just take one merchant willing to charge to an account and ship merchandise based on the the phone data alone and suddenly there's a way to get a charge onto somebody's credit account without even knowing their card number.

      It's a matter of "trust", and a formerly trustworthy system no not so much.

  4. Is this a surprise? by insensitive_clod · · Score: 5, Insightful

    Is this a surprise? From the article, it says that the calling party number is always sent, and there's just a flag set saying "don't look here." If you tell someone they can't or shouldn't do something... that's the best way to insure that they will.

  5. Calling FCC... by LostCluster · · Score: 2, Insightful

    Our current PTSN works as well as it does because it's regulated... and this is just more one example of how VoIP companies won't implement correctly things they aren't required to implement correctly.

    As the summary and article point out, in order for any of these exploits to work, the VoIP carrier must be permissive... they have to be asleep at the switch enough to send data that is marked "private" to the end user's equipment or accept CPN data isn't a number the customer controls. That should be things handled at the VoIP service side rather than anything on customer equipment that can't be trusted.

    The FCC would never tolerate an old-line phone company selling a service that lets people lie to caller ID... why are they letting VoIP companies do it?

  6. Re:from overseas by marnargulus · · Score: 2, Insightful

    He still had a point. Could a spam group find your number from a large database (great example with the DNCL) and start using public numbers from that area code?

    Worse yet. Imagine if hackers could get your personal contact numbers, then use this to place calls from numbers you trust. They could make a program that calls just like a worm. Find your contacts, call them, find their contacts call them...

  7. Re:Err... so what? by bhmit1 · · Score: 4, Insightful

    This isn't new. You can do exactly the same thing with a PABX with ISDN ports.

    Read the article. The interesting part isn't that this is some new feature. The interesting part is that you don't have to go out and get a lot of expensive telephone equipment to intercept blocked numbers and impersonate someone else's number.

    And, as was said before, the biggest fear this creates is that someone will start grabbing the ready-to-activate credit cards out of the mail, look up the persons name in a phone book, program their voip with that persons number, and activate that card. And this is only a problem because credit card companies trust that Joe Shmoe was really him when he called from his home number.

  8. Re:It's about as clever as using tcpdump... by karnal · · Score: 2, Insightful

    And just because I'm a techie doesn't mean I know everything about everything.

    Come on, people. This is cool to those who don't work in the field with this stuff day in and day out.

    --
    Karnal
  9. OVoIP? by Doc+Ruby · · Score: 2, Insightful

    Where's the compilable source to a SIP softphone for PalmOS, that is a useful Asterix client and, like SJPhone and Xten, also work with Vonage's softphone accounts?

    --

    --
    make install -not war

  10. Re:Useful part by hackstraw · · Score: 4, Insightful

    You know those idiots (read: bill collectors) who call with "OUT OF AREA" tags on their Caller ID data? Yeah. I wonder if you can reset those to figure out who those are. The possibilities are good here. =^_^=

    First, its much less stressful to just pay your bills.

    Also, I dispise the fact that there can be either "OUT OF AREA", or "Unavailable", or the worst, "Private Name/Private Number". The only reason I answer these on my phone, is because I do sometimes get legitimate business call from people hiding behind these things. I do not answer politely, and I'm ready to start bitching at someone.

    I am required to have a license plate on my car, I have to show ID to do most anything. I certainly would never walk into a store or bank disguising my face, why is this acceptable with a phone call?

  11. Encrypted VoIP by SumoFanAgain · · Score: 2, Insightful

    Why doesn't someone simply put in, at a minimum, a digital signature on the caller ID packets. Sooner or later one could extend this to an encryption system for the conversation itself. Which, to my mind, is necessary in any case.

  12. Stupid quote by Aumaden · · Score: 3, Insightful
    "A worse case scenario is if you have a blocked number, and you're a victim of stalking, and you're duped into calling a number the stalker set up that was routed through a VoIP line," says Jordana Beebe of the San Diego-based Privacy Right's Clearinghouse. "It could put their life in danger."

    This is so over the top.

    You have a stalker who knows enough about you and/or has enough access to you to trick you into calling this number that allows them to get your phone number. And that endangers your life? I could see it opening the way to harassing phone calls, but endangering your life?

    Isn't the real problem that you have a stalker in the first place?

  13. Feature, not a Bug by cfoster611 · · Score: 2, Insightful

    The ability to set outgoing CallerID data is one of Asterisk's more useful features.

    Most DID (Direct Inward Dialing) providers do not let you set outgoing CallerID manually, though if you have any kind of digital phone connection, such as PRI,T1 or ISDN, you can. I say lets celebrate that NuFone allows you to fully control the service you pay for, rather then vilifying them for something that most Asterisk admins want.

    --
    --- Kicking the Cheat since late 2002
    1. Re:Feature, not a Bug by Scott+Laird · · Score: 2, Insightful

      Exactly. There are a *ton* of perfectly legitimate uses for this.

      Simple example: a "follow-me" phone number that will automatically forward calls to my home phone, cell phone, office phone, or wherever I am. It's trivial to set up Asterisk to take incoming calls and then dial back out to some other number and tie the two calls together. It's like 2 config lines. If you can set your own caller ID, then you'll see who's actually calling on the forwarded call. If you can't set the caller ID, then you'll see the number of your forwarding service, which is kind of useless.

      In corporate contexts, it's sometimes useful to have outgoing calls set the caller ID to the user's DID number. That's essentially the same thing, although *sometimes* telcos will filter the allowed caller ID numbers and only let you use valid DID numbers. If you want unfiltered caller ID, then you generally have to negotiate for it, or you'll probably be screwed in the end. I mean, that's what telcos do, right?

      One final point, you can usually only set the caller ID number. The caller ID name comes from a central database and is produced via a database lookup over SS7.

  14. Re:Err... so what? by Anonymous Coward · · Score: 1, Insightful
    And, as was said before, the biggest fear this creates is that someone will start grabbing the ready-to-activate credit cards out of the mail, look up the persons name in a phone book, program their voip with that persons number, and activate that card.
    Many phone companies provide an outside jack for testing purposes (in case inside wiring fails). If you're already at their house snatching credit cards out of their mailbox, what keeps you from using their (outside) phone jack to activate the card? All the right information gets sent, and no VoIP required. Planning and forethought, however, are required.

    Besides, getting the SSN out of their mail isn't hard when everybody uses it as your account number (insurance, banking, yearly SS mailing). Or, just offer them a piece of chocolate for their SSN.

    (hmm, better click that anonymous checkbox)