Slashdot Mirror


Clever Caller ID Tricks With VoIP

An anonymous reader writes "securityfocus.com has an interesting article collecting some clever exploits for VoIP. According to the article, 'the open-source Linux-based PBX software Asterisk, used in combination with a permissive VoIP provider' can be used to fool caller ID, and even get caller numbers that are supposed to be private."

30 of 259 comments

  1. Freaks! by krumms · · Score: 5, Insightful

    Return of the phreak? :P

  2. old news for me :) by Anonymous Coward · · Score: 5, Interesting

    Back in 2001 or so I found this out when talking to my local ISP/VoIP provider IPOnly. Then some of my friends and I thought about setting up some kind of SMS-style service that was free, since it apparently works sending ASCII as caller ID :)

    1. Re:old news for me :) by itwerx · · Score: 4, Interesting

      Back in 2001 or so...
      A heck of a lot longer than that, as this "issue" isn't limited to VOIP. Ask anybody who installs/maintains standard PBX systems.
      The privilege of setting your own outbound CID is simply another (business class) service and reading blocked inbound is actually your right if you have a toll-free number (because you're paying for the call).
      (Dunno why cell-phones don't have the same right though, c'est la vie :).

  3. from overseas by millahtime · · Score: 4, Interesting

    Does this mean that I could get a call on a private line with my number on the do not call list from overseas? Kind of like spam for my phone.

  4. Gone Phishing by Mz6 · · Score: 4, Insightful

    "Callers with life-or-death anonymity concerns might consider spoofing just to get a little privacy. For now, Lucky says pranks among friends are the most common use that he's seen of VoIP spoofing, but he believes that identity thieves and other swindlers could have a field day. "I've used it myself to activate my own credit cards, because I never give credit card companies my real number," he says. "One simple spoof, and it's like saying, if you have the guy's phone number, that piece of information is more important than his mother's maiden name and date of birth. If you have the phone number, you don't need anything else."

    Well this is nice. Once again the social engineering tricks will creep up on most. However, who's really that stupid to be giving away all of their personal info over the telephone anyway? Does this mean that it's going to start being like the phishing scams now?

    --
    Hmmm.

    1. Re:Gone Phishing by LostCluster · · Score: 5, Insightful

      Who's really that stupid? Big business.

      Call-centers are using the CPN data as an authentication method to recognize customers. Call from somebody else's phone, or in this case appear to be doing so, and instantly that person's account will open on the operator's screen.

      Banks and credit card companies seem to be smart enough to know that they have to ask some other challenge question to make themselves confident enough that they have the right person before discussing anything sensitive... but it just takes one merchant willing to charge to an account and ship merchandise based on the phone data alone and suddenly there's a way to get a charge onto somebody's credit account without even knowing their card number.

      It's a matter of "trust", and a formerly trustworthy system now not so much.
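LostCluster's point, as an added example that is not part of the original thread: the account lookup keyed by the network-supplied calling number (CPN) is shown beside a version in which CPN only selects the record on the agent's screen and a separate factor gates anything sensitive. The account data, the PIN and the action names are constructed for this example; the PIN stands in for any challenge that does not travel in the call setup.

```python
import hashlib
import hmac

# Constructed CRM data keyed by the network-supplied calling number (CPN).
# 'pin_hash' stands in for any factor that does not travel in the call setup:
# a PIN, a code sent to the number on file, a password the customer chose.
ACCOUNTS = {
    "2125550123": {"holder": "A. Customer",
                   "pin_hash": hashlib.sha256(b"4711").hexdigest()},
}

# Constructed action names; anything that moves money or goods goes here.
SENSITIVE_ACTIONS = {"activate_card", "change_address", "ship_order"}


def screen_pop(cpn):
    """The legitimate use of CPN: a hint that selects which record the agent sees."""
    return ACCOUNTS.get(cpn)


# --- the practice the comment describes: CPN alone counts as proof of identity ---
def session_vulnerable(cpn):
    acct = screen_pop(cpn)
    # Any caller whose presented number matches is treated as the account holder.
    return {"account": acct, "verified": acct is not None}


# --- hardened: CPN identifies the record, a separate challenge authenticates ---
def session_hardened(cpn, pin_entered=None):
    acct = screen_pop(cpn)
    verified = False
    if acct is not None and pin_entered is not None:
        given = hashlib.sha256(pin_entered.encode()).hexdigest()
        verified = hmac.compare_digest(acct["pin_hash"], given)  # constant-time compare
    return {"account": acct, "verified": verified}


def may_perform(session, action):
    """Sensitive actions need a verified session; a screen pop alone is not enough."""
    if session["account"] is None:
        return False
    if action in SENSITIVE_ACTIONS:
        return session["verified"]
    return True  # e.g. quoting store hours, or routing the call to an agent


# Constructed scenario: a caller presents the account holder's number (spoofed or
# not) and no PIN.
PRESENTED_CPN = "2125550123"

if __name__ == "__main__":
    print("vulnerable, no PIN :", may_perform(session_vulnerable(PRESENTED_CPN), "activate_card"))
    print("hardened, no PIN   :", may_perform(session_hardened(PRESENTED_CPN), "activate_card"))
    print("hardened, right PIN:", may_perform(session_hardened(PRESENTED_CPN, "4711"), "activate_card"))
```

The hardened version still lets CPN do the useful thing (open the right record) while making a spoofed number worthless on its own; whether the second factor is a PIN, a callback or a code sent to the number on file is a product choice, not a change to the logic.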

  5. Err... so what? by newt · · Score: 5, Informative

    This isn't new. You can do exactly the same thing with a PABX with ISDN ports. The ability to set your own caller-ID is part of the ISDN call setup protocol.

    What you can't do, though, is set the ANI data (which is used by the telcos to find out who gets billed for the call and for call interception). And I can't see how that capability changes at all just because you're using a VoIP gateway either.

    - mark

    --

    -----
    I tried an internal modem, but it hurt when I walked.

    1. Re:Err... so what? by bhmit1 · · Score: 4, Insightful

      This isn't new. You can do exactly the same thing with a PABX with ISDN ports.

      Read the article. The interesting part isn't that this is some new feature. The interesting part is that you don't have to go out and get a lot of expensive telephone equipment to intercept blocked numbers and impersonate someone else's number.

      And, as was said before, the biggest fear this creates is that someone will start grabbing the ready-to-activate credit cards out of the mail, look up the person's name in a phone book, program their VoIP with that person's number, and activate that card. And this is only a problem because credit card companies trust that Joe Shmoe was really him when he called from his home number.

    2. Re:Err... so what? by Tmack · · Score: 4, Informative

      Then this sounds like a simple problem to fix to me: The phone companies would simply have to check that the phone number reported for caller id matches one that they have registered for the person who is billed. If not, they can give an error message or something. Or did I misunderstand something?

      You misunderstand how caller ID works. On traditional PSTN lines, when you make an outbound call your callerID information is looked up in a database (maintained by your carrier) when it hits the callswitch in the Central Office (CO). This is tacked onto the call and is sent with the rest of the call routing information to the destination via the signalling lines of SS7 trunks (note: SS7 splits voice traffic and call signaling between physically separate routes/lines, meaning voice traffic is not transmitted or routed until the call is established, eliminating the effectiveness of the old blue/black box dialers). When it reaches the last CO and goes out to a Remote Terminal (RT), the RT sends the ring tones to your phone over the local loop copper (for PSTN, more on that in a sec). Mixed in with the ring tones is a modem-sounding signal that your Caller ID box intercepts and decodes to get the caller ID info. Since this data is stored by the phone company, it is hard to spoof.

      With digital phone systems, the signaling goes all the way to the switch itself, allowing the PBX more control over the call. ISDN and CAS have provisions to inject CallerID information into the outbound calls. Whether or not this information is passed through the CO call switch or is replaced is up to the carrier. Generally since it's less stuff for the carrier to deal with, they let it pass. I-VoIP (internet VoIP) carriers need the software to be able to route calls back to their switch, and in doing so, the software basically becomes a software based digital PBX. So along with routing information, the CallerID info can be passed into the signaling.

      Another issue is that caller-ID can be any alpha-numeric string, with a few special characters thrown in as well. Because of this, you can have your CallerID Name set to show up as a random phone number (867-5309?), and unless someone actually checks the number portion of the CaID against what shows up in the display, they probably won't notice, and if it is noticed, it would look like 2 different phone numbers and probably just confuse the person receiving the call.

      Tm

      --
      Support TBI Research: http://www.raisinhope.org
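
A receiver-side view of the last point above (a name field that reads like a phone number), as an added example that is not part of the original thread. It assembles and decodes a Caller ID record in the Multiple Data Message Format (MDMF) that the "modem-sounding signal" carries between the first and second ring; the parameter tags and the checksum rule follow Bellcore GR-30 as this example understands it, and the sample frames are constructed, not captured from a line. The decoder flags a name field that looks like a number but disagrees with the number field, and renders the "Private" and "Out of Area" absence reasons other posters mention.

```python
import re

# Parameter tags of an MDMF caller ID record (Bellcore GR-30 layout, assumed here).
MDMF_TYPE = 0x80
PARAM_DATETIME = 0x01     # MMDDHHMM
PARAM_NUMBER = 0x02       # calling number, ASCII digits
PARAM_NO_NUMBER = 0x04    # why the number is absent: "P" private, "O" out of area
PARAM_NAME = 0x07         # caller name, free-form ASCII
PARAM_NO_NAME = 0x08      # why the name is absent: "P" or "O"

NUMBER_ABSENT = {"P": "Private Number", "O": "Out of Area"}
NAME_ABSENT = {"P": "Private Name", "O": "Out of Area"}

# A name field carrying seven or more digits reads like a phone number on the display.
PHONEISH = re.compile(r"^\D*(?:\d\D*){7,}$")


def build_mdmf(params):
    """Assemble type, length, TLV parameters and checksum into one MDMF frame.
    Used here only to construct sample input."""
    body = b"".join(bytes([tag, len(val)]) + val for tag, val in params)
    frame = bytes([MDMF_TYPE, len(body)]) + body
    checksum = (-sum(frame)) & 0xFF     # two's complement: all bytes sum to 0 mod 256
    return frame + bytes([checksum])


def parse_mdmf(frame):
    """Decode one MDMF frame into {tag: text}; raise ValueError on a bad frame."""
    if len(frame) < 3 or frame[0] != MDMF_TYPE:
        raise ValueError("not an MDMF frame")
    if sum(frame) & 0xFF:
        raise ValueError("checksum mismatch")
    if frame[1] != len(frame) - 3:      # type, length and checksum lie outside the count
        raise ValueError("length field disagrees with frame size")
    fields, i, end = {}, 2, 2 + frame[1]
    while i < end:
        if i + 1 >= end:
            raise ValueError("dangling parameter tag")
        tag, plen = frame[i], frame[i + 1]
        if i + 2 + plen > end:
            raise ValueError("truncated parameter")
        fields[tag] = frame[i + 2:i + 2 + plen].decode("ascii", errors="replace")
        i += 2 + plen
    return fields


def frame_ok(frame):
    """True when the frame parses cleanly; a box should show nothing for a bad frame."""
    try:
        parse_mdmf(frame)
        return True
    except ValueError:
        return False


def assess(fields):
    """What the display would show, plus the warning a cautious receiver should raise."""
    number = fields.get(PARAM_NUMBER)
    name = fields.get(PARAM_NAME)
    shown_number = number if number is not None else \
        NUMBER_ABSENT.get(fields.get(PARAM_NO_NUMBER), "Unavailable")
    shown_name = name if name is not None else \
        NAME_ABSENT.get(fields.get(PARAM_NO_NAME), "Unavailable")
    warnings = []
    if name is not None and PHONEISH.match(name):
        if re.sub(r"\D", "", name) != re.sub(r"\D", "", number or ""):
            warnings.append(f"name field {name!r} reads like a phone number "
                            f"but the number field is {shown_number!r}")
    return {"number": shown_number, "name": shown_name, "warnings": warnings}


# Constructed samples: a record whose *name* is the number-looking string from the
# post, and a presentation-restricted record with both fields withheld.
SAMPLE_NUMBER_IN_NAME = build_mdmf([
    (PARAM_DATETIME, b"01151430"),
    (PARAM_NUMBER, b"2125550142"),
    (PARAM_NAME, b"867-5309"),
])
SAMPLE_PRIVATE = build_mdmf([
    (PARAM_DATETIME, b"01151431"),
    (PARAM_NO_NUMBER, b"P"),
    (PARAM_NO_NAME, b"P"),
])

if __name__ == "__main__":
    for frame in (SAMPLE_NUMBER_IN_NAME, SAMPLE_PRIVATE):
        print(assess(parse_mdmf(frame)))
```

The warning is the only defensive hook here: nothing in the frame authenticates either field, so the most a receiver can do is notice when the two fields tell different stories.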

  6. business opportunity by ch-chuck · · Score: 4, Funny

    so is voip going to turn into something like the email spam mess once the peddlers of Mydixaflopin and their cronies start figuring out how to use it?

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }

  7. Alright! by theJerk242 · · Score: 4, Funny

    Thanks to this exploit, I can do crank calls again without getting caught!

    --
    Red Bull gave me wings and I flew into the ceiling fan.

  8. Is this a surprise? by insensitive_clod · · Score: 5, Insightful

    Is this a surprise? From the article, it says that the calling party number is always sent, and there's just a flag set saying "don't look here." If you tell someone they can't or shouldn't do something... that's the best way to ensure that they will.

  9. Useful part by dacarr · · Score: 4, Interesting

    You know those idiots (read: bill collectors) who call with "OUT OF AREA" tags on their Caller ID data? Yeah. I wonder if you can reset those to figure out who those are. The possibilities are good here. =^_^=

    --
    This sig no verb.

    1. Re:Useful part by machine+of+god · · Score: 4, Funny

      Or, you could, you know, pay your bills.

    2. Re:Useful part by hackstraw · · Score: 4, Insightful

      You know those idiots (read: bill collectors) who call with "OUT OF AREA" tags on their Caller ID data? Yeah. I wonder if you can reset those to figure out who those are. The possibilities are good here. =^_^=

      First, it's much less stressful to just pay your bills.

      Also, I despise the fact that there can be either "OUT OF AREA", or "Unavailable", or the worst, "Private Name/Private Number". The only reason I answer these on my phone is because I do sometimes get legitimate business calls from people hiding behind these things. I do not answer politely, and I'm ready to start bitching at someone.

      I am required to have a license plate on my car, I have to show ID to do most anything. I certainly would never walk into a store or bank disguising my face, why is this acceptable with a phone call?

  10. Re:Countdown by LostCluster · · Score: 4, Informative

    This isn't an open source issue at all. It's a "trusting user provided equipment" mistake... a closed source program can violate the standard just as badly.

    It's a matter of equipment being given info it's not supposed to share and a flag telling it not to share. But, if the customer provides the software...

  11. Re:Details? by callipygian-showsyst · · Score: 4, Informative

    800 numbers always have access to your number, regardless of your "Caller ID" preference.

  12. Amazing... by yogensha · · Score: 5, Informative

    ...that this type of spoofing is so easy. I work for a small ILEC. We got an Asterisk box almost a year ago to play a bit with VoIP. The caller ID spoofing was easy to do, and fun for a while. Out of curiosity, I tried to figure out how to secure the switch enough to prevent this type of spoofing from happening. With less than a year of experience in circuit switching, the manual, and about 30 minutes, I managed to limit the spoofable numbers to the range of DID numbers actually assigned to that PRI. In other words, no more spoofing. It amazes me that more providers don't implement this type of security.

    --
    Abstainer: a weak person who yields to the temptation of denying himself a pleasure.
    --Ambrose Bierce

  13. Re:Calling FCC... by Gaewyn+L+Knight · · Score: 4, Informative

    There is NOTHING about this that is any more permissive than a normal business with a digital PBX can already do...

    "The FCC would never tolerate an old-line phone company selling a service that lets people lie to caller ID"

    It is done CONSTANTLY! Marketing companies send out the callerid of the companies they are calling on behalf of... Companies have multiple phone lines send out the callerid of their main phone line.... it is a normal business service.

    As for getting the number of the remote caller, anyone with a PRI line can do that. This is mandated because otherwise on 1-8XX lines you would never be able to verify you were being correctly billed for their usage from your provider.

    I hate to say this... but you obviously haven't worked with a real phone system before.

    --
    Telcos have a lot of dark fibre in the States. Most people assume that's optical fibre...but it's actually moral fibre.

  14. Not New by suwain_2 · · Score: 4, Interesting

    The fact that this is happening is interesting, but this sort of thing's always been possible.

    First off, any sort of digital phone line lets you set your own caller ID info, it's just that most home users can't afford to bring a T1 into their home just to mess with caller ID.

    Secondly, there've always been ways around caller ID anyway. A common one is called 'op diverting,' where you route your call through an operator, who will, in many cases, manually key in your Caller ID info with no authentication at all.

    There are real privacy concerns here, but my point is, for those alarmed by them... Be even more alarmed. This is entirely doable without VoIP.

    I don't know about getting blocked caller ID, though 800 numbers (and, IIRC, almost all high-volume digital lines?) have full access to caller ID, even if you block it.

    The point of the article, IMHO, is that VoIP providers are carelessly sending this data, not the exploits that can be done -- they already exist. And you can almost argue that VoIP providers aren't entirely wrong here -- if you got a PRI line to your home, you could do this type of stuff anyway.

    --
    ________________________________________________
    suwain_2 :: quality slashdot p

  15. The security "industry" is engaging in FUD by bferrell · · Score: 4, Interesting

    This isn't a hack. The telco interconnect company (in this case nuphone) sends the info to Ma Bell. The fact that they don't validate it is NOT a hack. It may be a risk, but feeding incorrect info to mother is not a hack or a manipulation. In general the telco themselves require information be provided... It's a little sad that some interconnect companies don't treat it more seriously. I know my company does.

  16. ISDN by jcrowly · · Score: 4, Interesting

    Having tried to set my MSN (the outbound number) to an invalid number here in the UK (on a primary rate with 100 phone numbers mapped to it), the invalid caller ID simply got reset by the telco to the billing number of the line.

    I guess in the States the telcos must trust the equipment that connects up to the line to set the MSN correctly, hence being able to fake the Caller ID.

    As for the privacy bit for caller ID, in the UK (as far as I am aware, but I'll test this) only telcos are passed the CallerID+Flag (by telcos I mean those with an Interconnect with other telcos and an NX2 licence, but the licences are being phased out). It's then the telco's job to strip out the CallerID and Flag before passing on the data to the customer's line.
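The two carrier-side behaviours described in comments 12 and 16, modelled as an added example that is not the thread's code nor any carrier's: a presented number is passed only if it falls inside a DID block assigned to the customer's PRI, and anything else is replaced by the line's billing number (the reset yogensha configured and jcrowly observed). The Trunk record, the 212-555-01xx DID block and the list of attempts are constructed; the permissive function shows the pass-through the article complains about next to the screened version.

```python
from dataclasses import dataclass


def digits(s):
    """Keep only the digits of a presented number (drops the '-' and spaces a PBX may send)."""
    return "".join(ch for ch in s if ch.isdigit())


@dataclass(frozen=True)
class Trunk:
    """One customer PRI as the carrier's switch sees it (constructed sample data)."""
    billing_number: str   # the line's own number, substituted when screening fails
    did_ranges: tuple     # inclusive (first, last) blocks of DIDs assigned to this PRI


def screen_permissive(trunk, presented):
    """What the thread says most providers do today: send whatever the PBX presented."""
    return digits(presented)


def screen_to_did_range(trunk, presented):
    """Carrier-side screening in the spirit of the ILEC's fix.
    A number is passed only if it lies inside a DID block assigned to the trunk;
    otherwise the trunk's billing number goes out instead, which is the
    reset-to-billing-number behaviour the UK poster saw.
    Returns (number sent to the network, reason)."""
    p = digits(presented)
    if not p:
        return trunk.billing_number, "replaced: no number presented"
    for first, last in trunk.did_ranges:
        # equal-length digit strings compare correctly as strings
        if len(p) == len(first) and first <= p <= last:
            return p, "passed"
    return trunk.billing_number, f"replaced: {p} not assigned to this trunk"


def screen_batch(trunk, attempts):
    """Screen a list of outbound attempts and count how many were rewritten.
    A high count on one trunk is the signal a carrier, or the customer's own PBX
    admin, would want to alert on: it usually means a misconfigured or compromised PBX."""
    results = [screen_to_did_range(trunk, p) for p in attempts]
    rewritten = sum(1 for _, reason in results if reason.startswith("replaced"))
    return results, rewritten


# Constructed sample: a PRI with 100 DIDs (212-555-0100 to 212-555-0199), billed to the first.
SAMPLE_TRUNK = Trunk(billing_number="2125550100",
                     did_ranges=(("2125550100", "2125550199"),))
# Constructed attempts: one in range, one foreign number, one empty, one just past the block.
SAMPLE_ATTEMPTS = ["212-555-0142", "714-555-1212", "", "212-555-0200"]

if __name__ == "__main__":
    for presented in SAMPLE_ATTEMPTS:
        print(f"{presented!r:16} permissive={screen_permissive(SAMPLE_TRUNK, presented)!r:14} "
              f"screened={screen_to_did_range(SAMPLE_TRUNK, presented)}")
    print("rewritten:", screen_batch(SAMPLE_TRUNK, SAMPLE_ATTEMPTS)[1])
```

Replacing rather than rejecting keeps the call up, which is why both the ILEC's switch and the UK telco chose it; the count of replacements is the part worth keeping as a log line.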

  17. Once again, this is not really a hack or exploit. by BlueTT · · Score: 4, Informative

    CID information was never designed nor intended to be in any way secure.

    PBXs have always had the ability to set outgoing CID information - so, for example, all outgoing calls would appear on the receiver's CID box as coming from a company's main switchboard rather than whatever extension they were actually originating from.

    It always frightens me to see press accounts of CID information being used as "proof" of something, say the violation of a restraining order or proof of harassment when it is absolutely trivial to spoof. Newer VOIP devices just make it easier to do without the need for a PBX and trunk line to do so.

    ANI information, the calling number information provided when you call an 800 number, is an entirely different matter. Since it is used for billing information, it IS secure; the only way to spoof it is to call a provider who then turns around and reroutes your calls from their exchange. But whether you have CID blocking or not, the ANI number is ALWAYS passed because, frankly, they're paying for the call and they have a right to see who's calling them.

  18. Another trick by rindeee · · Score: 4, Informative

    I just sent Kevin an e-mail to this effect, but for anyone else interested here's more info:

    **Portion omitted**

    Vonage has "fixed" their CID spoofing problem (at least in some switches), but in the process has created a new "feature". Try this:

    1. Call a party. When they answer, flash over to a new dial-tone (as if to initiate a 3rd party call). Dial the new third party (who has been instructed not to answer the call coming from your phone number) and after a couple of rings hang up the phone. Rather than the initial call ringing back to you as it should, it will ring forward to the third party. A nifty way to put your friend in CA in touch with your friend in NY with no long-distance charges even when they don't use Vonage.

    2. Let a party call you. Flash over to a new line and dial a 3rd party. Repeat process above and you can effectively "transfer" the call out of your phone system with no toll charges.

    In both cases, your Vonage line is free to make and receive calls as soon as you hang up.

    Thanks, and keep up the great writing!!!

    Egon Rinderer

  19. Re:Details? by Feyr · · Score: 4, Informative

    I run a small ISP, and I have the caller ID of everyone calling, no matter what their privacy setting says. It even gets logged in my cute little RADIUS database.

    As someone pointed out, it's a part of the ISDN call setup protocol.

  20. Re:Details? by cmburns69 · · Score: 4, Interesting

    The theory behind it is that since the owner of the 800 number is paying for the call, he has the right to know who is calling.

    --
    Online Starcraft RPG? At
    Dietary fiber is like asynchronous IO-- Non-blocking!

  21. "It's not a bug, it's a feature." by faedle · · Score: 4, Informative

    Let me echo the statements of others that said "This has been possible forever" by saying that I was doing this with a Pacific Bell ISDN line six years ago. I discovered that they weren't authenticating any of the data I sent out on the D-channel, they were just passing it along.

    Also, the reason why many VoIP providers are passing along Caller ID data without verification is legitimate. VoIP has no concept of "numbers" tied to hard physical "lines". Many VoIP providers sell outgoing service that is not tied to any physical telephone number. This is nothing new: conventional telcos have been doing that for years (it used to be called OutWATS) over T1s. If my VoIP gateway provider has no physical phone number to set my calls to, what are they supposed to do? This is the #1 reason all those telemarketer calls are labelled "OUT OF AREA", BTW.

    In my case, I set the Caller ID to the POTS line that terminates into the same phone system. However, it would be trivial for me to set it to something like 714-853-1212, and it would get passed.

    The problem is not that I can set Caller ID to any arbitrary number, but that idiots are actually depending upon an in-band signalling system which depends upon third parties (private PABXs) for the data as a secure authentication method.

    I don't personally see any easy fix to this, nor should there be. The telecom business is increasingly having small players in it, and it will be difficult to fix this alleged "problem" without locking out these same small players.

  22. Re:Countdown by Idarubicin · · Score: 4, Informative

    And I am on the Do Not Call List, but they call and it is "unknown", and worse a recording to call some 800 number for a free satellite dish, from some company in Canada. No way to make them accountable for violating the law.

    Interesting. You might actually look at their violations of Canadian law, then. Using an auto-dialler (an Automatic Dialling and Announcing Device, or ADAD) for solicitation--charitable donations, promotions, sales, etc.--is forbidden by the CRTC (Canadian Radio-television and Telecommunications Commission.) The CRTC can demand that a phone company suspend service to any company or individual who flagrantly violates these rules. Even if a company hires another company to make the calls, they can be held accountable. You might want to contact the CRTC directly to see how the rules apply on international calls, however.

    Even if a company is blocking caller ID, your phone company can probably trace the call. For advice on how to handle this type of thing with an international call, again you might need to contact the FTC and the CRTC. It doesn't hurt to ask, and I'm pretty sure that the people at these organizations hate the spam callers as much as everyone else.

    --
    ~Idarubicin

  23. Re:Countdown by bareminimum · · Score: 5, Informative

    This isn't about violating standards. We've been faking caller ids for fun with Asterisk for a while. It does work, however my local (Bell) provider will not let me put one of its own numbers in the bogus CID I pass.

    This is a normal "feature" of CID. That's how you can go through a third-party LD provider yet still have your own phone number show up on the recipient's display. Voicepulse or other VOIP providers are not being overly permissive here. If you get a T1 bank you will have the same capability. That's what makes it possible for huge corporations to have thousands of phone lines in hundreds of offices yet display only their main incoming number on your caller id capable phone when someone from their office calls you.

    The difference is that now average Joe can fake CID like the big boys used to do with a mere $7/month investment, vs the couple hundred dollars it would cost (plus install fees) if you went with a standard channel bank.

    CID is for information purposes only. The problem is that people have grown to trust it as being 100% accurate, but they definitely shouldn't.

  24. Re:Reading unlisted numbers by jjhall · · Score: 4, Interesting

    Nope, it isn't possible anywhere, US or otherwise. The reason is, that your CID box is showing exactly what is sent to it. The correct information is blocked at the switch level, before your line even rings.

    Now if you want to get as many numbers as is possible, like this article is stating, get yourself a toll-free number and use it instead of your local number. Anyone calling it (that has CID information available) will have it show up, regardless as to whether or not they try to block it.

    That article was very misleading, making it seem as though this is a flaw that the information was displayed when it was blocked. In reality, it is just how the network operates. Nufone provides a toll-free number, since the person being called is the one paying, they have a right to know the number. This is how it has always worked.

    Jeremy