Slashdot Mirror


Caller ID Spoofing for the Masses

lolly72 writes "SecurityFocus has a story on a new U.S. website offering a caller I.D. falsification service. It's called Camophone. It's being advertised in Google ads that appear with search results for Star38.com, which was the last service to try and make money off caller I.D. hacking. But unlike Star38.com, Camophone isn't limited to collection agencies and private investigators, and it doesn't cost $125 to sign up. Anyone with a PayPal account can use it, and at five cents a minute, probably will. Who do you want to fake out today?"

21 of 286 comments

  1. Re:Somebody will figure it out by SnowDeath · · Score: 4, Interesting

    Ever heard of Call-Back security? Any security that is based on Caller-ID is inherently flawed.

  2. Did Camophone get advance notice? by YetAnotherName · · Score: 4, Interesting

    Of the /. story, that is? Their website is currently up (this posting will probably be the 10th or so), but is surprisingly minimal. No images at all. Plain, unadorned HTML. Not even a CSS file.

    I have a feeling they'll withstand the slashdotting.

  3. Telemarketing by Ambient_Developer · · Score: 5, Interesting

    This could make telemarketing nearly untraceable: a company just uses a call center that utilizes this technology, and people will never know where the phone call is coming from. Imagine getting a phone call from a telemarketer, and it says 911 on the caller ID.

  4. Asterisk, Nufone and PHP... by cuban321 · · Score: 3, Interesting

    This company is probably nothing more than someone running Asterisk, using Nufone for the PSTN service.

    A simple PHP script will dump a callfile into /var/spool/asterisk/outgoing and bridge the two calls together.

    Then all you need to do is write something to manage user accounts, and accept PayPal payments and bam. You've got camophone.com.

    This whole configuration could probably be whipped up in a day.

  5. Don't talk to strangers by Doc+Ruby · · Score: 4, Interesting

    Why do we need the government, when our address books can authenticate the caller cryptographically? Unfamiliar callers should all be treated as untrustworthy until proven otherwise. That can be established through an automated web of trust, and callback, or shunted to voicemail or /dev/null. Distributed software is much better protection than the FBI, much cheaper, and doesn't come with dirty stormtrooper boots muddying up your foyer.

    --
    make install -not war

  6. Spoof Caller ID From Home? by diagnosis · · Score: 3, Interesting

    I know for a while there has been a phreaking tool called Orange Box, which supposedly lets you spoof caller ID. But my understanding is it only works *after* the other person has picked up the phone, so it's not really good for much, or at least it's a lot trickier to take advantage of.

    Of course, there is a very cool software version of this tool: Software Orange Box, here. You enter in the caller ID details you want to spoof, and it generates the phone tones that transmit that data, which you can then play thru your speakers and to the phone, or connect directly to the phone for better results.

    Again, it's not a great spoofer, but it is pretty cool to mess around with.

    this is *the* faq on orange boxing.

    -------------
    Rate free iPod offers: RateTheOffers.com
    (Flat screens and Desktop PCs too)

  7. When this works ''for real'' CID will die by davidwr · · Score: 3, Interesting

    When someone offers a reliable, professional version of this service that's affordable to everyone, people will stop trusting Caller-ID and stop paying for it.

    You'll also see political pressure to regulate such services, mostly from the telcos who see revenue from CID drying up. Eventually, I think a compromise will be reached:
    You'll be allowed to spoof your ID, provided it's from a non-existent # or a # you have permission to use. There will also be a legal requirement to keep logs so the police or civil courts can issue subpoenas.

    Under such rules, people who want true anonymity will be forced to use international versions of this service which will show up as "out of area" or as an international #, or break the law.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.

  8. When fancier technology doesn't do a better job by bluesangria · · Score: 3, Interesting

    Sheesh, despite the fact that I work in the IT industry I have only the most minimal service for telephone. We have a crappy 6-year-old answering machine which we leave on all the time. The important people in my life know to leave a message and if we want to talk to them we will actually pick up the phone. You can *69 your call (or whatever key combo it is) until you are blue in the face. It won't make a damn bit of difference to me until I hear your voice and decide if I want to speak to you or not.

    Honestly, it's much simpler and cheaper than constantly trying to "one up" the next technological doohickey.

    Just my Luddite $.02

    blue

  9. A horrible idea, real experience... by bstarrfield · · Score: 5, Interesting

    Folks, I'm all for cool technology, and I realize one can spoof caller id information. But caller ID can be a very good thing. I know...

    Three years ago I had the very unpleasant surprise of finding out my (ex) wife was having an affair. Unfortunately, she had also decided on using tactics designed to ensure her utter victory in the divorce. She'd actually purchased books (I saw them), giving her advice on dirty divorce tactics - "Divorce War! 50 Strategies Every Woman Needs to Know to Win." Apparently, one of the recommended strategies was to call your ex and try to drive him nuts - hopefully he'll say something nasty and you'll be able to bring it up in court, etc.

    Well, I realized what she was doing once I started getting anonymous calls at 2:00 - 3:00 AM. Strange, nasty stuff, weird messages. Technology was actually useful - the caller ID information allowed me to get a pretty damn good idea of who was calling. (Hint would-be-nasty-callers: remember to hit *69 before you call!). The police thought it was fun, too. Caller ID and outright stupidity saved the day.

    Look, in my case I wasn't directly threatened. It was cruel, it was vicious, it was nasty. But I was never in any danger. However, what if it had been something dangerous? When one's depressed, you're willing to listen to anything - and when you see the ID comes out as "Police" or "Crisis Center" - you could be lured into a bad situation. This is real, folks - stalkers are out there, I've seen and heard it.

    All technology can be abused, I know that. But in this case, let's try to prevent a service which provides fundamental identification information from being turned into something potentially dangerous.

    Incidentally, she pretty much wiped me out. Bummer. But all in all, it was for the best...

    --
    /* Dang, I can't type that well. */

    1. Re:A horrible idea, real experience... by AnalogDiehard · · Score: 2, Interesting

      I also was in danger of getting screwed bad by a vindictive STBX. Excellent tips given here, to which I'll add my own:

      #5 - Know your enemy.

      Pay attention to your ex's behavior towards you, towards friends, towards business entities. This goes a long way to predicting her tactics. While we were married my ex used to brag of manipulating public welfare - it was a foreshadowing to her manipulating the divorce system. She used to take joy in "getting even" with friends who stiffed her, then she predictably returned the behavior to me. Divorce is war, so take the approach of a West Point graduate - KNOW YOUR ENEMY.

      #6 - get a PO Box and change ALL your mail there.

      This is for security reasons. My ex stole my mail and attempted to open a credit card without my consent. I caught it just in time and put fraud alerts on all my credit histories.

      With a PO Box no one can access your mail except you, and the USPS clerks cannot retrieve your PO Box mail; they will insist that you use your key.

      I went through a painful drawn out divorce (no kids, simple assets) and reluctantly followed all the tips given here. THEY WORK, GUYS! In the end the judge slammed my vindictive ex and totally vindicated me - thanks to my hotshot lawyer who provided evidence in court that she was delaying the divorce process.

      --
      Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10

  10. Re:Doesn't Work by matth · · Score: 2, Interesting

    Didn't work? Really.. worked great for me.. I just made about 4 calls testing.

  11. Re:Can't wait.. by Red+Weasel · · Score: 2, Interesting

    That is the actual name of a DJ here in Colorado Springs. His parents were from Europe (Hungary, I think) and his name is really pronounced like "jock".

    Needless to say the radio contests like "Beat Mehoff!" and "Can you jack Mehoff?" were widely considered rude until they found out that that was his real name and to get a life.

    It was still nice to see "Mehoff the intern" become Jack Mehoff the DJ.

    --
    ..which just shows that the human brain is ill-adapted for thinking and was probably designed for cooling the blood-T P

  12. Service DOES NOT WORK by daveschroeder · · Score: 2, Interesting

    So, I decided to see if a credit card paypal transaction would be any "faster".

    It did indeed show my account credited with 100 minutes.

    But the service did not work.

    I *really* *don't care* about the $10 I've now wasted; just wanted to see if it worked or not. :-)

    Anyway, there ya go.

  13. Login by Anonymous Coward · · Score: 2, Interesting

    You can log in to check out the interface with their unguarded testing account:

    user: test
    pass: test

    No cash on the account, but fyi.

  14. How to circumvent ANI by yetanothermike · · Score: 4, Interesting

    Call the local operator and ask them to place your call to the toll-free number. Obviously this doesn't work with toll calls, but they'll do it for you on toll free calls. It's been a while since I tried it, since I have little reason to hide when placing calls, but it's surprising how often they have no trouble doing it for you. I was never even asked why I wanted them to place the call.

    --

    [insert sig file here]

  15. Re:do this for free by jerde · · Score: 3, Interesting

    > Some providers allow you to set CID/ANI to anything

    CID, yes. ANI? Are you sure?

    Since ANI is used for billing purposes, including 900 numbers, I highly doubt any telco allows it to be modified.

    Camophone sets CID, but the ANI is the number of the line that belongs to Camophone. (Or whoever their telco provider is.)

    Given that, it really really surprises me that anyone bases security on CallerID. I just successfully broke into my own T-Mobile voicemail box using Camophone, since I have the feature set so I don't have to dial my password if I'm calling from "my own phone."

    I also have a Sprint phone, and I haven't been able to get in there, yet, but I don't know their voicemail system direct number, so I can't be sure. (I had to use the direct access number for T-Mobile to get the hack to work on them.)

    I would HOPE that credit card activation systems use ANI, not CID.

    How soon before ordinary plebes will be able to get ANI on their incoming calls? Or a new service that lets you forward your calls to an ANI-detection center that then places ANI on CID and sends the call back to you!

    I see some Sneetches whose bellies have stars...

    --
    INsigNIFICANT
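
The voicemail behaviour jerde describes above (skipping the password when caller ID matches the mailbox) next to a stricter policy, as an added example that is not part of the original thread. It assumes the voicemail platform receives both CID and ANI for each call; every name and number here is constructed.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: mailbox number -> PIN.
# (A real system would store a salted hash, not the PIN itself.)
MAILBOX_PINS = {"5550100": "4821"}

@dataclass
class InboundCall:
    caller_id: str               # CID: supplied by the originating side, unverified
    ani: str                     # ANI: billing number of the originating line
    entered_pin: Optional[str]   # digits keyed in by the caller, if any

def _pin_ok(call: InboundCall, mailbox: str) -> bool:
    expected = MAILBOX_PINS.get(mailbox)
    if expected is None or call.entered_pin is None:
        return False
    # Constant-time comparison so timing does not leak PIN digits.
    return hmac.compare_digest(call.entered_pin.encode(), expected.encode())

def weak_access(call: InboundCall, mailbox: str) -> bool:
    """'No password from my own phone': trusts the CID field alone."""
    if call.caller_id == mailbox:
        return True
    return _pin_ok(call, mailbox)

def hardened_access(call: InboundCall, mailbox: str):
    """PIN always required; CID is a hint only. Returns (granted, flags)."""
    flags = []
    # CID claims to be the mailbox owner but the billing line is another
    # number: worth logging even though access still depends on the PIN.
    if call.caller_id == mailbox and call.ani != mailbox:
        flags.append("cid_ani_mismatch")
    return _pin_ok(call, mailbox), flags

# Constructed calls: one arriving through a bridging service, one from the owner.
BRIDGED = InboundCall(caller_id="5550100", ani="5550199", entered_pin=None)
OWNER = InboundCall(caller_id="5550100", ani="5550100", entered_pin="4821")

if __name__ == "__main__":
    print("weak, bridged call:    ", weak_access(BRIDGED, "5550100"))
    print("hardened, bridged call:", hardened_access(BRIDGED, "5550100"))
    print("hardened, owner:       ", hardened_access(OWNER, "5550100"))
```

The weak policy grants the bridged call without a PIN; the hardened one refuses it and records the mismatch for review.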

  16. Re:Until a few years ago, it pretty much WAS good by Monkeyman334 · · Score: 2, Interesting

    The system that 1-800 numbers and 911 calls use is different than caller ID. And yes, you could use a PBX and pick any random number. Kevin Mitnick (hypothetically) used it in his book to give a number like "x213" to make it look like a call was internal.

  17. Re:It's not that simple... by fatcatman · · Score: 2, Interesting

    How long until someone puts all that in a cheap appliance (say a cordless phone base) so that the base screens calls and only rings the handsets if the caller is authorized? Or do they have that now?

    They did have it now. Microsoft made a 900MHz cordless phone with this feature. It relied on computer software (the phone base had an RS232 port), but worked very well. I still have it lying around, but don't use it anymore as the software doesn't run on anything later than Windows 98.

    Microsoft should really concentrate on what they're good at: Hardware.

  18. Does anyone else think this is lame? by ctime · · Score: 4, Interesting

    Maybe I'm just getting old, but doesn't this seem lame as hell? Sure it's fun calling up your buddy's T-Mobile cell phone # and getting into his VM, changing his greeting to something obscene..but..

    Doesn't this just seem rather weak? It's only fun for about 5 minutes and has been around forever. For me, it's like the equivalent of spoofing SMTP headers. MAN, THAT WAS FUN IN 1994...

    I guess I'm just getting old and bitter.

  19. Re:Somebody will figure it out by AK+Marc · · Score: 2, Interesting

    It would be a no-brainer for the phone company itself to block the problem.

    It may be harder than you think. If I have a T1 between offices and use toll bypass, I may want 713-555-1212 coming out of 214-123-4567 so that they can reach me back properly. I may want to have different numbers for outgoing call centers from incoming call centers, and they may be in different parts of the country.

    It would be technically trivial for phone companies to fix the problem, but many large companies would be very annoyed, and you don't want to piss off your biggest customers.

  20. Tried the server, here's the results by KnightMB · · Score: 4, Interesting

    OK, I tried the service; it basically cost $5.00. Results:

    1) Payment by paypal only (no problem for me)

    2) Service then lets you log in, but it's not secure (no encryption, wth!) so choose a temp password that you wouldn't mind someone stealing

    3) You enter the "target" number, your number, then the 10-digit caller ID string

    4) As soon as you hit submit, it does call you, calls the other number and bridges them together.

    5) But!! The caller ID string does not work. I've tested this with several land line phones, cell phones, etc. I always show up as "unknown".

    Conclusion:

    Allows bridge calls but does not produce the caller ID string you put in. So this service is a bust in my opinion.

    Case closed