Slashdot Mirror
Clever Caller ID Tricks With VoIP
An anonymous reader writes "securityfocus.com has an interesting article collecting some clever exploits for VoIP. According to the article, using 'the open-source Linux-based PBX software Asterisk, used in combination with a permissive VoIP provider' can be used to fool caller id, and even get caller numbers that are supposed to be private."
Back in 2001 or so I found this out when talking to my local ISP/VoIP provider IPOnly. Then me and some of my friends thought about setting up some kind of SMS-style service that was free, since it apparently works sending ascii as caller ID :)
Does this mean that I could get a call on a private line with with my number on the do not call list from overseas? Kind of like spam for my phone.
Evolution or ID?
It would be nice to see a detailed explaination of how to do this. In the past when I had a blocked number I noticed a credit card company authenticated my ID via caller ID even though I had a blocked number. If I'm paying for a service, such as blocking my number I expect it to always work.
This here is just proof positive that people skip the simplest security bugs, imagining that others will simply accept there bogus obfuscation and live with what they are given.
I feel that as consumers, we need to demand better from these corporations. This is a joke and a slight security risk that we shouldn't have to deal with, and corporations inability to supply a quality product in software terms is so shoddy, I can't believe that we go for it anymore.
Oh well. I'm too peeved to go on.
You know those idiots (read: bill collectors) who call with "OUT OF AREA" tags on their Caller ID data? Yeah. I wonder if you can reset those to figure out who those are. The possibilities are good here. =^_^=
This sig no verb.
It's not clever...it's 100% obvious. Anyone who knows anything about phone systems knew this was possible and just going to take someone with burning desire to do. The fact that there is "hidden" stuff inside of the signalling messages for phone systems is a real yawner. And the fact that the "reporter" had to have this demonstrated means, he is another tech lightweight. Oh, and didn't phone phreakers do this 20 years ago? Phone switches are after all only specialized computers.
Yet, it is another way spammers might decide to intrude on peoples lives. You don't know how many times I get "unknown" from my caller id when it is some salesperson. And I am on the Do Not Call List, but they call and it is "unknown", and worse a recording to call some 800 number for a free satelite dish, from some company in Canada. No way to make them accountable for violating the law.
Well, if VoIP is supposed to replace POTS, it stands to reason caller-id spoofing would be included...
You can spoof POTS caller-ID as it is with an Orange Box, as well as many other ways, including from a Nokia Cellphone.
"I'm a karate man. Karate mans bleed on the inside."
This is a very well known "security breach" that not only applies to VoIP. For example, you can retrieve a CID from a PBX or an access server (PPP server) that has a T1 link.
Funny the phone company currently does this with anything digital aka ISDN and above. It's actualy required to work if you want dial back to function, this is a standard business feature why shouldent smarter than average home users be able to do it?
No sir I dont like it.
The fact that this is happening is interesting, but this sort of thing's always been possible.
First off, any sort of digital phone line lets you set your own caller ID info, it's just that most home users can't afford bringing a T1 into their home just to mess with caller ID.
Secondly, there've always been ways around caller ID anyway. A common one is called 'op diverting,' where you route your call through an operator, who will, in many cases, manually key in your Caller ID info with no authentication at all.
There are real privacy concerns here, but my point is, for those alarmed by them... Be even more alarmed. This is entirely doable without VoIP.
I don't know about getting blocked caller ID, though 800 numbers (and, IIRC, almost all high-volume digital lines?) have full access to caller ID, even if you block it.
The point of the article, IMHO, is that VoIP providers are carelessly sending this data, not the exploits that can be done -- they already exist. And you can almost argue that VoIP providers aren't entirely wrong here -- if you got a PRI line to your home, you could do this type of stuff anyway.
________________________________________________
suwain_2
This isn't a hack. The telco interconnect company (in this case nuphone) sends the info to Ma Bell. The fact that they don't validate it is NOT a hack. It may be a risk, but feeding incorrect info to mother is not a hack or a manipulation. In general the telco themselves require information be provided... It's a little sad that some interconnect companies don't treat it more seriously. I know my company does.
ANI spoofing is also doable, so I don't see what the big deal is. It may not be user settable, but there are fairly trivial techniques which can be used to provide faulty or NO ANI so what's the big deal.
IMO, being able to user-disable Call ID should be simply user configurable.
techniques used for ANI spoofing will be left as an exercise for the student.
Food not Bombs is a nice platitude but it breaks down when you notice that the Bombees are usually well fed
Having tried to set my MSN (the outbound number) to an invalid number here in the UK (on a primary rate with 100 phone number mapped to it), the invaild caller ID simply got reset by the telco to the billing number of the line.
I guess in the states the Telcos must trust the equipment that connects up to the line to set the MSN connectly, hence being able to fake the Caller ID.
As for the privicy bit for callerid, in the UK (as far as I am aware, but I'll test this) only telecos are passed the CallerId+Flag (by telecos I means those with an Interconnect with other telecos and an NX2 license, but the licenses are being phased out), It's then the telecos job to strip out the CallerID and Flag before passing on the data to the customers line.
Because of some good laws (telephone cunsumer protection act of 1991; 47 usc 227), consumers have tools to go after those that use illegal telemarketing practices such as prerecorded solicitations, junk faxes, etc. However finding the people responsible is often the hard part. It is very common for these people to intentionall make as unavailable or private their numbers so that they cannot easily be traced. Most people that would complain about such calls (if they are on a state or national DNC list) now cannot since they won't make the extended effort to ID the perps. Thus without some serious legwork, perps gets fewer complaints.
Another trick (though not new) is to cause the caller ID to display some message and a number. The message can be "Great offers", "National Prize Line", or some other enticement. The systems will simply dial a number just long enough to be displayed on the CID. Someone curious about the strange looking display will call and will get hit by some prerecorded ad. The problem is that FCC regulations now require automatic dialers to not have naything more than 3% dropped calls (when not transferred to a live marketer) and in any case must ID the company placing the call. I'm not aware, however, of any previous actions regarding this, but it is coming.
I don't want to necessarily spoof a number, but I definitely want to be able to track these kind of numbers used by illegal telemarketers. The biggest complaint about Vonage is that they do not offer some kind of call tracing, so if a call comes in that I cannot ID based on info in the call or legit CID info, then I cannot enforce my rights and seek damages against the company as allowed by law.
Cave, wreck, and deep diver.
"Well sure I know that, and you know that, but the headlines will read "Insecure Open Source Software Used By Hackers to Aid Telemarketers.""
We ought to publish a different headline first: "Insecure Microsoft Software Used By Criminals to Aid Spammers."
Not that I've tried it or anything, but in some circumstances using Cisco's CallManager, you can impersonate any number for long distance purposes. You set the calling party information on a given line. If the local telco doesn't do any checking, which I know of at least one that doesn't, you can make long distance calls as anyone. An example, again not that I've done this, a call placed from place of business X where the calling party info has been set to Y, where Y is the phone number of some random guy in the same area. Check the long distance bill of some random guy and there it is! This might be limited to people being billed by the same company, though in some cases it is not limited by CO, dialing prefix, or even city.
This is not a problem with Cisco's product, it's poor security practices of a backwards local telco. Why? They've never had any intellectual competition.
Correct me if I'm wrong but you can set up your caller id display number in most VOIP equipment including Cisco gear like call manager. I used to work for a VOIP company and we would routinely change peoples Caller IDs to a specific number so they could call someone on their secondary line and have it display the CID of their primary line. Granted, we owned all the DIDs we were using and we were on PRIs but still. I think the access provider should be checking to make sure your CID is either a DID you own or it is not present.
Nope, it isn't possible anywhere, US or otherwise. The reason is, that your CID box is showing exactly what is sent to it. The correct information is blocked at the switch level, before your line even rings.
Now if you want to get as many numbers as is possible, like this article is stating, get yourself a toll-free number and use it instead of your local number. Anyone calling it (that has CID information available) will have it show up, regardless as to whether or not they try to block it.
That article was very misleading, making it seem as though this is a flaw that the information was displayed when it was blocked. In reality, it is just how the network operates. Nufone provides a toll-free number, since the person being called is the one paying, they have a right to know the number. This is how it has always worked.
Jeremy
Just so everyone knows, my account has since been terminated by NuFone for apparently somehow breaking the TAC's on their website, due to this artcile.