Security Communications The Internet

Clever Caller ID Tricks With VoIP 259

An anonymous reader writes "securityfocus.com has an interesting article collecting some clever exploits for VoIP. According to the article, using 'the open-source Linux-based PBX software Asterisk, used in combination with a permissive VoIP provider' can be used to fool caller id, and even get caller numbers that are supposed to be private."
This discussion has been archived. No new comments can be posted.

  • Freaks! (Score:5, Insightful)

    by krumms ( 613921 ) on Wednesday July 07, 2004 @11:29AM (#9632363) Journal
    Return of the phreak? :P
  • Countdown (Score:3, Insightful)

    by UberOogie ( 464002 ) on Wednesday July 07, 2004 @11:30AM (#9632378)
    ... until this is used in another "Open Source is evil" argument by MS, the government, the phone company, or all of the above in 5, 4, 3...
    • Re:Countdown (Score:5, Informative)

      by LostCluster ( 625375 ) * on Wednesday July 07, 2004 @11:40AM (#9632493)
      This isn't an open source issue at all. It's a "trusting user provided equipment" mistake... a closed source program can violate the standard just as badly.

      It's a matter of equipment being given info it's not supposed to share and a flag telling it not to share. But, if the customer provides the software...
      • Well sure I know that, and you know that, but the headlines will read "Insecure Open Source Software Used By Hackers to Aid Telemarketers."
        • Telemarketers ALREADY provide their own outgoing caller-ID and I'm sure there are backdoors to the PBX software which allow them to ignore the private flag on the CID info. If you have a trunk line and are willing to ignore standards there is all sorts of info you can glean from the phone system.
      • Re:Countdown (Score:5, Informative)

        by bareminimum ( 456719 ) on Wednesday July 07, 2004 @12:47PM (#9633188)
        This isn't about violating standards. We've been faking caller ids for fun with Asterisk for a while. It does work, however my local (Bell) provider will not let me put one of its own numbers in the bogus CID I pass.

        This is a normal "feature" of CID. That's how you can go through a third-party LD provider yet still have your own phone number show up on the recipient's display. Voicepulse or other VOIP providers are not being overly permissive here. If you get a T1 bank you will have the same capability. That's what makes it possible for huge corporations to have thousands of phone lines in hundreds of offices yet display only their main incoming number on your caller id capable phone when someone from their office calls you.

        The difference is that now average Joe can fake CID like the big boys used to do with a mere $7/month investment, vs the couple hundred dollars it would cost (plus install fees) if you went with a standard channel bank.

        CID is for information purposes only. The problem is that people have grown to trust it as being 100% accurate, but they definitely shouldn't.
    • Re:Countdown (Score:3, Interesting)

      by Anonymous Coward
      Yet, it is another way spammers might decide to intrude on people's lives. You don't know how many times I get "unknown" from my caller id when it is some salesperson. And I am on the Do Not Call List, but they call and it is "unknown", and worse a recording to call some 800 number for a free satellite dish, from some company in Canada. No way to make them accountable for violating the law.

      • by Anonymous Coward
        It should be legal to burn places like that to the ground. You know the greatest good for the greatest number and all.

        That would make the problem self-regulating.

      • Re:Countdown (Score:3, Insightful)

        by SiO2 ( 124860 )
        The phone companies have been trying to sell me caller ID for years. I don't need it, because I have an answering machine. I just never answer my phone and screen all of my calls. That would solve your "unknown" caller problem.

        SiO2
      • Re:Countdown (Score:5, Informative)

        by Idarubicin ( 579475 ) on Wednesday July 07, 2004 @12:47PM (#9633182) Journal
        And I am on the Do Not Call List, but they call and it is "unknown", and worse a recording to call some 800 number for a free satellite dish, from some company in Canada. No way to make them accountable for violating the law.

        Interesting. You might actually look at their violations of Canadian law, then. Using an auto-dialler (an Automatic Dialling and Announcing Device, or ADAD) for solicitation--charitable donations, promotions, sales, etc.--is forbidden by the CRTC (Canadian Radio-television and Telecommunications Commission.) The CRTC can demand that a phone company suspend service to any company or individual who flagrantly violates these rules. Even if a company hires another company to make the calls, they can be held accountable. You might want to contact the CRTC [crtc.gc.ca] directly to see how the rules apply on international calls, however.

        Even if a company is blocking call ID, your phone company can probably trace the call. For advice on how to handle this type of thing with an international call, again you might need to contact the FTC and the CRTC. It doesn't hurt to ask, and I'm pretty sure that the people at these organizations hate the spam callers as much as everyone else.

    • ...might be used by the old-guard phone companies, and this case could be used by them to lobby for FCC regulation of VoIP (although the real reason to regulate it is to protect their market share from new startups).

      However, those arguments are misleading. It is, in fact, over-regulation and closed technology that led to the situation in the first place. "Ma Bell" didn't have to worry about competitors and didn't have to worry about interoperability in a regulated monopoly environment, which I think led to
  • old news for me :) (Score:5, Interesting)

    by Anonymous Coward on Wednesday July 07, 2004 @11:31AM (#9632384)
    Back in 2001 or so I found this out when talking to my local ISP/VoIP provider IPOnly. Then me and some of my friends thought about setting up some kind of SMS-style service that was free, since it apparently works sending ascii as caller ID :)
    • by itwerx ( 165526 ) on Wednesday July 07, 2004 @12:03PM (#9632729) Homepage
      Back in 2001 or so...
      A heck of a lot longer than that, as this "issue" isn't limited to VOIP. Ask anybody who installs/maintains standard PBX systems.
      The privilege of setting your own outbound CID is simply another (business class) service and reading blocked inbound is actually your right if you have a toll-free number (because you're paying for the call).
      (Dunno why cell-phones don't have the same right though, c'est la vie :).

  • from overseas (Score:5, Interesting)

    by millahtime ( 710421 ) on Wednesday July 07, 2004 @11:32AM (#9632392) Homepage Journal
    Does this mean that I could get a call on a private line with my number on the do not call list from overseas? Kind of like spam for my phone.
    • Re:from overseas (Score:3, Informative)

      by Anonymous Coward
      Did you even RTFA? It's about caller ID exploits, one of which allows VoIP users on Linux to change the number that you see on your caller ID when they call you. They could make it look like their phone number was Domino's Pizza or the Pope.

      The other part is being able to capture and display the caller ID of people who call you with numbers that show "Private" or "Blocked" on a normal line.
      • Re:from overseas (Score:2, Insightful)

        by marnargulus ( 776948 )
        He still had a point. Could a spam group find your number from a large database (great example with the DNCL) and start using public numbers from that area code?

        Worse yet. Imagine if hackers could get your personal contact numbers, then use this to place calls from numbers you trust. They could make a program that calls just like a worm. Find your contacts, call them, find their contacts call them...
  • Gone Phishing (Score:5, Insightful)

    by Mz6 ( 741941 ) * on Wednesday July 07, 2004 @11:32AM (#9632393) Journal
    "Callers with life-or-death anonymity concerns might consider spoofing just to get a little privacy. For now, Lucky says pranks among friends are the most common use that he's seen of VoIP spoofing, but he believes that identity thieves and other swindlers could have a field day. "I've used it myself to activate my own credit cards, because I never give credit card companies my real number," he says. "One simple spoof, and it's like saying, if you have the guy's phone number, that piece of information is more important than his mother's maiden name and date of birth. If you have the phone number, you don't need anything else."

    Well this is nice. Once again the social engineering tricks will creep up on most once again. However, who's really that stupid to be giving away all of their personal info over the telephone anyway? Does this mean that it's going to start being like the phishing scams now?

    • Re:Gone Phishing (Score:5, Insightful)

      by LostCluster ( 625375 ) * on Wednesday July 07, 2004 @11:48AM (#9632569)
      Who's really that stupid? Big business.

      Call-centers are using the CPN data as an authentication method to recognize customers. Call from somebody else's phone, or in this case appear to be doing so, and instantly that person's account will open on the operator's screen.

      Banks and credit card companies seem to be smart enough to know that they have to ask some other challenge question to make themselves confident enough that they have the right person before discussing anything sensitive... but it just takes one merchant willing to charge to an account and ship merchandise based on the phone data alone and suddenly there's a way to get a charge onto somebody's credit account without even knowing their card number.

      It's a matter of "trust", and a formerly trustworthy system now not so much.
  • Err... so what? (Score:5, Informative)

    by newt ( 3978 ) on Wednesday July 07, 2004 @11:32AM (#9632396) Homepage
    This isn't new. You can do exactly the same thing with a PABX with ISDN ports. The ability to set your own caller-ID is part of the ISDN call setup protocol.

    What you can't do, though, is set the ANI data (which is used by the telcos to find out who gets billed for the call and for call interception). And I can't see how that capability changes at all just because you're using a VoIP gateway either.

    - mark
    • Re:Err... so what? (Score:5, Insightful)

      by bhmit1 ( 2270 ) on Wednesday July 07, 2004 @11:45AM (#9632535) Homepage
      This isn't new. You can do exactly the same thing with a PABX with ISDN ports.

      Read the article. The interesting part isn't that this is some new feature. The interesting part is that you don't have to go out and get a lot of expensive telephone equipment to intercept blocked numbers and impersonate someone else's number.

      And, as was said before, the biggest fear this creates is that someone will start grabbing the ready-to-activate credit cards out of the mail, look up the person's name in a phone book, program their voip with that person's number, and activate that card. And this is only a problem because credit card companies trust that Joe Shmoe was really him when he called from his home number.
      • The interesting part is that you don't have to go out and get a lot of expensive telephone equipment to intercept blocked numbers and impersonate someone else's number.

        A personal computer and a PBX are now in approximately the same price bracket.
      • I had a job from 1992-1994 programming those credit card activation numbers, and our service bureau operated entirely on ANI data and not caller ID.

        AFAIK, you can't spoof ANI data, only deny it, and in that case my program transferred the call to a live operator who had a script of verification questions to ask.

        So, not much to see here, move along...
      • Credit card companies typically use the ANI, not the Caller ID. ANI is what the phone companies use to determine who to bill, and thus can't be blocked, and is much harder to spoof. On the other hand, you can't get it to point to a specific extension inside a PBX typically.

        For people interested in this topic I highly recommend comp.dcom.telecom [comp.dcom.telecom].
    • by swordboy ( 472941 ) on Wednesday July 07, 2004 @11:49AM (#9632585) Journal
      So what?

      I should point out that it is possible to set your caller ID to 5318008. It was fun on an inverted calculator and I don't see how inverted caller ID is any different.
    • If the call doesn't enter the PSTN at an end office, there will BE no ANI spill, other than whatever SE the VoIP gateway adds, which is under THEIR control. As far as The Network is concerned, identification and rating are end-office functions. Sure, logs are kept at the tandem level for billing access minutes, or inter-carrier settlement, but getting from that to "who was at the other end" can be a tremendous challenge requiring the cooperation of every carrier whose network the call passed through.

    • Re:Err... so what? (Score:2, Interesting)

      by stanmann ( 602645 )
      ANI spoofing is also doable, so I don't see what the big deal is. It may not be user settable, but there are fairly trivial techniques which can be used to provide faulty or NO ANI so what's the big deal.

      IMO, being able to user-disable Call ID should be simply user configurable.

      techniques used for ANI spoofing will be left as an exercise for the student.
  • by ch-chuck ( 9622 ) on Wednesday July 07, 2004 @11:32AM (#9632403) Homepage
    so is voip going to turn into something like the email spam mess once the peddlers of Mydixaflopin and their cronies start figuring out how to use it?
  • Alight! (Score:4, Funny)

    by theJerk242 ( 778433 ) on Wednesday July 07, 2004 @11:33AM (#9632411) Homepage Journal
    Thanks to this exploit, I can do crank calls again without getting caught!

  • by Havokmon ( 89874 ) <rick.havokmon@com> on Wednesday July 07, 2004 @11:33AM (#9632418) Homepage Journal
    IMHO, Anyone with a PBX can do these things.

    I'm not sure if you can get away with just a POTS line into your PBX, or if you need a T1 - but this kind of stuff is always accessible when you run the switch. Whether or not it's a land-line or VOIP, if you have a switch, you can do it.

    (FWIW, I recently saw a Fujitsu 9600 - up to 9,600 lines, the unix of PBX's - on Ebay for $2000.)

    • I think you might even need ISDN. We have a Meridian Option 61 with voice T1s, and we get no caller ID information on incoming calls, and outgoing caller ID is the number assigned to the outbound trunks or unavailable.

      What I'm unsure of is whether our switch's software is just braindead, or if it's data that's only really provided with ISDN, but I do know that T1s don't automatically provide caller ID data if your switch doesn't support it.
    • What is needed is a PBX or other similar device that can play with call signaling, and phone service that allows you to control call signaling (ie: digital service). This can be CAS/PRI/whatever over ISDN/T1/T3/whatever. The callerID is injected into the call setup signaling. It is up to the carrier to validate this and reject it, replace it, or pass it along. It is a feature of digital lines, as customers with digital systems may have 24 channels (up to 24 lines active at any one time) but 2400 phone numbe
  • Details? (Score:3, Interesting)

    by Cheirdal ( 776541 ) on Wednesday July 07, 2004 @11:35AM (#9632437) Homepage
    It would be nice to see a detailed explanation of how to do this. In the past when I had a blocked number I noticed a credit card company authenticated my ID via caller ID even though I had a blocked number. If I'm paying for a service, such as blocking my number I expect it to always work.
    • Re:Details? (Score:5, Informative)

      by callipygian-showsyst ( 631222 ) on Wednesday July 07, 2004 @11:44AM (#9632526) Homepage
      800 numbers always have access to your number, regardless of your "Caller ID" preference.
      • Actually, it's a function of the PABX system that they are using - it's not that they have an 800 number (although plenty of places with 800 numbers have PABX's), it's that they are using a PABX that ignores the flag that suppresses the caller ID info. Or maybe it can read the ANI info.

        -h-
      • Re:Details? (Score:5, Informative)

        by Feyr ( 449684 ) * on Wednesday July 07, 2004 @12:06PM (#9632769) Journal
        i run a small ISP, and i have the callerid of everyone calling, no matter what their privacy setting says. it even gets logged in my cute little radius database

        as someone pointed out, it's a part of the ISDN call setup protocol.
      • Re:Details? (Score:5, Interesting)

        by cmburns69 ( 169686 ) on Wednesday July 07, 2004 @12:08PM (#9632793) Homepage Journal
        The theory behind it is that since the owner of the 800 number is paying for the call, he has the right to know who is calling.
    • I am assuming that you called the credit card company using a toll free number. Calling party ID blocking NEVER blocks the calling party ID when you call a toll free number. If somebody else is paying for the call, they have a right to know who is calling them. There are other exceptions where calling party ID block does not work. Every time I hear (or read) some luser say "...I'm paying for a service...I expect it to always work." hits a raw nerve. Expect in one hand, shit in the other, see which one
  • by insensitive_clod ( 613304 ) on Wednesday July 07, 2004 @11:35AM (#9632440)
    Is this a surprise? From the article, it says that the calling party number is always sent, and there's just a flag set saying "don't look here." If you tell someone they can't or shouldn't do something... that's the best way to insure that they will.
    • The way it's supposed to work is that the "Don't look here" flag is sent along at every 'hop,' and the last one -- the one on the last switch, *before* it gets to you, will finally read it and omit the Caller ID info.

      The issue here is that some VoIP providers aren't doing that final step, and they pass the data along to you.

      It's not as if you're normally getting this data.
  • I'm a big Linux fan, which is all that I use at home, but my question is, if there is some form of security in place preventing you from getting the information out of private calls, then aren't you already breaking a rule of the DMCA?

    This here is just proof positive that people skip the simplest security bugs, imagining that others will simply accept their bogus obfuscation and live with what they are given.

    I feel that as consumers, we need to demand better from these corporations. This is a joke and a

  • by Anonymous Coward
    the ever badass wiki link [wikipedia.org] for voip info
  • Useful part (Score:5, Interesting)

    by dacarr ( 562277 ) on Wednesday July 07, 2004 @11:37AM (#9632462) Homepage Journal
    You know those idiots (read: bill collectors) who call with "OUT OF AREA" tags on their Caller ID data? Yeah. I wonder if you can reset those to figure out who those are. The possibilities are good here. =^_^=
    • by machine of god ( 569301 ) on Wednesday July 07, 2004 @11:50AM (#9632595)
      Or, you could, you know, pay your bills.
    • Re:Useful part (Score:5, Insightful)

      by hackstraw ( 262471 ) * on Wednesday July 07, 2004 @12:01PM (#9632712)
      You know those idiots (read: bill collectors) who call with "OUT OF AREA" tags on their Caller ID data? Yeah. I wonder if you can reset those to figure out who those are. The possibilities are good here. =^_^=

      First, it's much less stressful to just pay your bills.

      Also, I despise the fact that there can be either "OUT OF AREA", or "Unavailable", or the worst, "Private Name/Private Number". The only reason I answer these on my phone, is because I do sometimes get legitimate business calls from people hiding behind these things. I do not answer politely, and I'm ready to start bitching at someone.

      I am required to have a license plate on my car, I have to show ID to do most anything. I certainly would never walk into a store or bank disguising my face, why is this acceptable with a phone call?
    • Hiding from bill collectors is one thing, but telemarketers and commercial callers do this too, and I would LOVE to find out who they are.
  • It's not clever...it's 100% obvious. Anyone who knows anything about phone systems knew this was possible and just going to take someone with burning desire to do. The fact that there is "hidden" stuff inside of the signalling messages for phone systems is a real yawner. And the fact that the "reporter" had to have this demonstrated means, he is another tech lightweight. Oh, and didn't phone phreakers do this 20 years ago? Phone switches are after all only specialized computers.
  • Calling FCC... (Score:2, Insightful)

    by LostCluster ( 625375 ) *
    Our current PSTN works as well as it does because it's regulated... and this is just one more example of how VoIP companies won't implement correctly things they aren't required to implement correctly.

    As the summary and article point out, in order for any of these exploits to work, the VoIP carrier must be permissive... they have to be asleep at the switch enough to send data that is marked "private" to the end user's equipment or accept CPN data that isn't a number the customer controls. That should be things
    • Funny the phone company currently does this with anything digital aka ISDN and above. It's actually required to work if you want dial back to function, this is a standard business feature why shouldn't smarter than average home users be able to do it?
    • Re:Calling FCC... (Score:5, Informative)

      by Gaewyn L Knight ( 16566 ) <vaewyn AT wwwrogue DOT com> on Wednesday July 07, 2004 @11:55AM (#9632648) Homepage Journal
      There is NOTHING about this that is any more permissive than a normal business with a digital PBX can already do...

      "The FCC would never tolerate an old-line phone company selling a service that lets people lie to caller ID"

      It is done CONSTANTLY! Marketing companies send out the callerid of the companies they are calling on behalf of... Companies have multiple phone lines send out the callerid of their main phone line.... it is a normal business service.

      As for getting the number of the remote caller, anyone with a PRI line can do that. This is mandated because otherwise on 1-8XX lines you would never be able to verify you were being correctly billed for their usage from your provider.

      I hate to say this... but you obviously haven't worked with a real phone system before.
      • Companies have multiple phone lines send out the callerid of their main phone line.... it is a normal business service.

        Yep- that's why anyone who THINKS they have my phone number when I call them don't realize they are wrong until they call back and hit the switch board.
    • As little as five years ago, getting connected to The Network (in the sense of telephone network, not internet) was difficult. It required substantial technical know-how, some regulatory hoops to jump through, and newcomers were carefully scrutinized for behavior consistent with Community Standards.

      Sound like the internet we knew and loved pre-1995?

      I fear The Network will become just as much a stinking sewer as The Internet has become, unless we do something Serious, and Now.

    • The FCC would never tolerate an old-line phone company selling a service that lets people lie to caller ID...

      Wow... So that means every telemarketer that has called me in the last 12 years actually was physically and literally "out of area". That's mind boggling. They must all reside in some hidden dimension.

    • The FCC would never tolerate an old-line phone company selling a service that lets people lie to caller ID... why are they letting VoIP companies do it?

      The last time I set up a personal land line, the phone company asked me what text to display with caller ID. They didn't say anything about the information having to do with my name, or the info had to be factual, or anything.

      Actually, I was going to put something amusing like "Your moma", or "Prank Call", or "Guess who" the next time I was going to set
  • by roman_mir ( 125474 ) on Wednesday July 07, 2004 @11:41AM (#9632503) Homepage Journal
    The article states something of this kind: a 21 year old 'hacker' (quotes are mine) used VOIP line and a Linux based program named Asterisk to unveil blocked phone numbers and spoof his number. - well, that proves it, Linux is evil.

    Seriously though, the only reason this is a problem is due to the fact that the VOIP providers are sending too much information to the end user and relying on the users' software to not reveal the caller's number.

    Clearly Linux causes invasion of privacy.

    • What utter BS.

      Linux does not cause invasion of privacy. This is no different than what happens when you send e-mail, and is exactly the same problem that happens with e-mail spoofers that claim to be somebody else. Not particularly hard to do, but you need to use software that has been modified to get this to work. Regular e-mail browsers don't normally let you "spoof" your e-mail account, because there really isn't a point to doing so, but if you are a script kiddie it is no problem.

      BTW, this isn't res
  • by Anonymous Coward
    My understanding of card activation is that it is based on ANI, not caller ID. If the author could get this technique to allow card activation, that would seem to imply that ANI is being spoofed. Of course there were reports that this could be done with an ISDN hookup some years back. It isn't much of a surprise that something that is a software PBX can fake either.

    It just hasn't been so easy.
  • Amazing... (Score:5, Informative)

    by yogensha ( 181588 ) on Wednesday July 07, 2004 @11:49AM (#9632583) Homepage
    ...that this type of spoofing is so easy. I work for a small ILEC. We got an Asterisk box almost a year ago to play a bit with VoIP. The caller ID spoofing was easy to do, and fun for awhile. Out of curiosity, I tried to figure out how to secure the switch enough to prevent this type of spoofing from happening. With less than a year of experience in circuit switching, the manual, and about 30 minutes, I managed to limit the spoofable numbers to the range of DID numbers actually assigned to that PRI. In other words, no more spoofing. It amazes me that more providers don't implement this type of security.
  • Not New (Score:5, Interesting)

    by suwain_2 ( 260792 ) on Wednesday July 07, 2004 @11:56AM (#9632659) Journal
    The fact that this is happening is interesting, but this sort of thing's always been possible.

    First off, any sort of digital phone line lets you set your own caller ID info, it's just that most home users can't afford bringing a T1 into their home just to mess with caller ID.

    Secondly, there've always been ways around caller ID anyway. A common one is called 'op diverting,' where you route your call through an operator, who will, in many cases, manually key in your Caller ID info with no authentication at all.

    There are real privacy concerns here, but my point is, for those alarmed by them... Be even more alarmed. This is entirely doable without VoIP.

    I don't know about getting blocked caller ID, though 800 numbers (and, IIRC, almost all high-volume digital lines?) have full access to caller ID, even if you block it.

    The point of the article, IMHO, is that VoIP providers are carelessly sending this data, not the exploits that can be done -- they already exist. And you can almost argue that VoIP providers aren't entirely wrong here -- if you got a PRI line to your home, you could do this type of stuff anyway.
  • by bferrell ( 253291 ) on Wednesday July 07, 2004 @11:59AM (#9632691) Homepage Journal
    This isn't a hack. The telco interconnect company (in this case nuphone) sends the info to Ma Bell. The fact that they don't validate it is NOT a hack. It may be a risk, but feeding incorrect info to mother is not a hack or a manipulation. In general the telco themselves require information be provided... It's a little sad that some interconnect companies don't treat it more seriously. I know my company does.
  • ISDN (Score:4, Interesting)

    by jcrowly ( 559990 ) on Wednesday July 07, 2004 @12:00PM (#9632696)
    Having tried to set my MSN (the outbound number) to an invalid number here in the UK (on a primary rate with 100 phone numbers mapped to it), the invalid caller ID simply got reset by the telco to the billing number of the line.

    I guess in the states the Telcos must trust the equipment that connects up to the line to set the MSN correctly, hence being able to fake the Caller ID.

    As for the privacy bit for callerid, in the UK (as far as I am aware, but I'll test this) only telcos are passed the CallerId+Flag (by telcos I mean those with an Interconnect with other telcos and an NX2 license, but the licenses are being phased out), It's then the telco's job to strip out the CallerID and Flag before passing on the data to the customer's line.
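
The carrier-side checks described in the comments above (yogensha limiting caller IDs to the DID range assigned to a PRI, jcrowly's telco resetting an invalid caller ID to the billing number, and the last hop stripping a restricted number before it reaches customer equipment), as an added Python example that is not from the article or any commenter. The trunk, the 555-01xx numbers and all function names are constructed for illustration.

```python
import re
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Trunk:
    name: str
    billing_number: str   # identity the carrier itself assigned to the line
    did_ranges: tuple     # inclusive (first, last) pairs of assigned DIDs, digits only


@dataclass(frozen=True)
class CallSetup:
    calling_number: str       # caller ID as supplied by the customer's PBX
    restricted: bool = False  # presentation-restricted ("private") flag


def normalize(number):
    """Keep digits only, so '202-555-0142' and '2025550142' compare equal."""
    return re.sub(r"\D", "", number or "")


def in_assigned_range(trunk, number):
    """True if number lies inside one of the DID ranges assigned to the trunk."""
    for first, last in trunk.did_ranges:
        # Equal-length digit strings order the same way the numbers do.
        if len(number) == len(first) == len(last) and first <= number <= last:
            return True
    return False


def screen_ingress(trunk, setup):
    """Check a call entering the carrier network from a customer trunk.

    Returns (setup_to_forward, verdict). A caller ID outside the trunk's
    DIDs is replaced with the billing number instead of being passed on.
    The privacy flag is left exactly as the customer set it.
    """
    number = normalize(setup.calling_number)
    if in_assigned_range(trunk, number):
        return replace(setup, calling_number=number), "passed"
    return replace(setup, calling_number=trunk.billing_number), "replaced"


def deliver_to_subscriber(setup):
    """Last hop before customer equipment.

    A restricted number is removed here, rather than sent along with the
    flag in the hope that the receiving software will hide it.
    """
    if setup.restricted:
        return CallSetup(calling_number="", restricted=True)
    return setup


# Constructed sample data: one trunk with a block of 100 fictional DIDs.
EXAMPLE_TRUNK = Trunk(
    name="customer-pri-1",
    billing_number="2025550100",
    did_ranges=(("2025550100", "2025550199"),),
)

if __name__ == "__main__":
    samples = [
        CallSetup("202-555-0142"),                   # inside the assigned block
        CallSetup("212-555-0100"),                   # somebody else's number
        CallSetup("",),                              # nothing supplied
        CallSetup("202-555-0142", restricted=True),  # valid, but marked private
    ]
    for s in samples:
        forwarded, verdict = screen_ingress(EXAMPLE_TRUNK, s)
        shown = deliver_to_subscriber(forwarded)
        print(f"{s.calling_number!r:16} {verdict:9} "
              f"forwarded={forwarded.calling_number} "
              f"shown={shown.calling_number or 'PRIVATE'}")
```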
  • by BlueTT ( 412818 ) on Wednesday July 07, 2004 @12:00PM (#9632699)
    CID information was never designed nor intended to be in any way secure.

    PBXs have always had the ability to set outgoing CID information - so, for example, all outgoing calls would appear on the receiver's CID box as coming from a company's main switchboard rather than whatever extension they were actually originating from.

    It always frightens me to see press accounts of CID information being used as "proof" of something, say the violation of a restraining order or proof of harassment when it is absolutely trivial to spoof. Newer VOIP devices just make it easier to do without the need for a PBX and trunk line to do so.

    ANI information, the calling number information provided when you call an 800 number, is an entirely different matter. Since it is used for billing information, it IS secure, the only way to spoof it to be to call a provider who then turns around and reroutes your calls from their exchange. But whether you have CID blocking or not, the ANI number is ALWAYS passed because, frankly, they're paying for the call and they have a right to see who's calling them.
    • CID information was never designed nor intended to be in any way secure.

      PBXs have always had the ability to set outgoing CID information - so, for example, all outgoing calls would appear on the receiver's CID box as coming from a company's main switchboard rather than whatever extension they were actually originating from.


      When a PBX is connected to a line with multiple numbers (number block or MSN) it is only valid to present an outgoing number in this block. So yes, you can send a main switchboard nu
  • by clmensch ( 92222 ) on Wednesday July 07, 2004 @12:00PM (#9632704) Homepage Journal
    Maybe I can use this to track down the scumbags who send junk faxes to me at all hours of the night and morning, but whose numbers are listed only as "Out of Area". In fact, I bet this would be a handy tool for those who are trying to stop these asshats. [junkfax.org]
  • OVoIP? (Score:3, Insightful)

    by Doc Ruby ( 173196 ) on Wednesday July 07, 2004 @12:01PM (#9632706) Homepage Journal
    Where's the compilable source to a SIP softphone for PalmOS, that is a useful Asterisk client and, like SJPhone and Xten, also works with Vonage's softphone accounts [vonage.com]?
  • Encrypted VoIP (Score:2, Insightful)

    Why doesn't someone simply put in, at a minimum, a digital signature on the caller ID packets? Sooner or later one could extend this to an encryption system for the conversation itself. Which, to my mind, is necessary in any case.
  • Another trick (Score:5, Informative)

    by rindeee ( 530084 ) on Wednesday July 07, 2004 @12:06PM (#9632766)
    I just sent Kevin an e-mail to this effect, but for anyone else interested here's more info:

    **Portion omitted**

    Vonage has "fixed" their CID spoofing problem (at least in some switches), but in the process has created a new "feature". Try this:

    1. Call a party. When they answer, flash over to a new dial-tone (as if to initiate a 3rd party call). Dial the new third party (who has been instructed not to answer the call coming from your phone number) and after a couple of rings hang up the phone. Rather than the initial call ringing back to you as it should, it will ring forward to the third party. A nifty way to put your friend in CA in touch with your friend in NY with no long-distance charges even when they don't use Vonage.

    2. Let a party call you. Flash over to a new line and dial a 3rd party. Repeat process above and you can effectively "transfer" the call out of your phone system with no toll charges.

    In both cases, your Vonage line is free to make and receive calls as soon as you hang up.

    Thanks, and keep up the great writing!!!

    Egon Rinderer

  • by faedle ( 114018 ) on Wednesday July 07, 2004 @12:09PM (#9632796) Homepage Journal
    Let me echo the statements of others that said "This has been possible forever" by saying that I was doing this with a Pacific Bell ISDN line six years ago. I discovered that they weren't authenticating any of the data I sent out on the D-channel, they were just passing it along.

    Also, the reason why many VoIP providers are passing along Caller ID data without verification is legitimate. VoIP has no concept of "numbers" tied to hard physical "lines". Many VoIP providers sell outgoing service that is not tied to any physical telephone number. This is nothing new: conventional telcos have been doing that for years (it used to be called OutWATS) over T1s. If my VoIP gateway provider has no physical phone number to set my calls to, what are they supposed to do? This is the #1 reason all those telemarketer calls are labelled "OUT OF AREA", BTW.

    In my case, I set the Caller ID to the POTS line that terminates into the same phone system. However, it would be trivial for me to set it to something like 714-853-1212, and it would get passed.

    The problem is not that I can set Caller ID to any arbitrary number, but that idiots are actually depending upon an in-band signalling system which depends upon third parties (private PABXs) for the data as a secure authentication method.

    I don't personally see any easy fix to this, nor should there be. The telecom business is increasingly having small players in it, and it will be difficult to fix this alleged "problem" without locking out these same small players.
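The number-block rule stated earlier in the thread and the unverified pass-through described in the comment above can be contrasted with provider-side screening. This is an added example, not part of any comment and not any provider's or Asterisk's own code; `Trunk`, `screen_caller_id` and `audit` are hypothetical names, and the 202-555-01xx numbers are constructed sample data.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Trunk:
    """Hypothetical record of what the provider assigned to one customer trunk."""
    main_number: str   # presented when the supplied number fails screening
    block_start: str   # first number of the assigned block (10 digits, inclusive)
    block_end: str     # last number of the assigned block (10 digits, inclusive)


def normalize(number):
    """Reduce a customer-supplied string to 10 NANP digits, or None if malformed."""
    digits = re.sub(r"\D", "", number or "")
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits if len(digits) == 10 else None


def screen_caller_id(trunk, supplied):
    """Return (number_to_present, verdict) for one outgoing call setup.

    A supplied number is passed through only if it lies inside the block
    assigned to the trunk; anything else is replaced by the main number.
    """
    n = normalize(supplied)
    if n is None:
        return trunk.main_number, "replaced: malformed"
    # Equal-length digit strings compare the same way as the numbers they spell.
    if trunk.block_start <= n <= trunk.block_end:
        return n, "passed: in assigned block"
    return trunk.main_number, "replaced: outside assigned block"


def audit(trunk, supplied_numbers):
    """Return the supplied values that screening replaced, for logging or review."""
    return [s for s in supplied_numbers
            if screen_caller_id(trunk, s)[1].startswith("replaced")]


# Constructed sample: a trunk owning 202-555-0100 through 202-555-0199.
TRUNK = Trunk("2025550100", "2025550100", "2025550199")

if __name__ == "__main__":
    for s in ["(202) 555-0142", "714-853-1212", "", "1-202-555-0199"]:
        print(repr(s), "->", screen_caller_id(TRUNK, s))
```

A provider with no assigned number for the customer, the case the comment above raises, has nothing to screen against; in this sketch that corresponds to having no `Trunk` record at all.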
  • For example, whenever we phone someone from home, it comes up "U.S. GOVERNMENT". No kidding.


    We get a few laughs out of it, but I suppose we could run a pretty good scam if we wanted to.

  • Oh, it gets worse.. (Score:2, Informative)

    by Anonymous Coward
    If you have T-Mobile cell service try calling your cell phone with a spoofed Caller-ID of its own phone number. What a wonderful surprise - instant voicemail. Don't feel bad for them - they were notified a year ago. :) Kudos to Sprint for fixing the same problem immediately after notification.
  • Stupid quote (Score:4, Insightful)

    by Aumaden ( 598628 ) <Devon.C.Miller@nOsPaM.gmail.com> on Wednesday July 07, 2004 @12:19PM (#9632894) Journal
    "A worse case scenario is if you have a blocked number, and you're a victim of stalking, and you're duped into calling a number the stalker set up that was routed through a VoIP line," says Jordana Beebe of the San Diego-based Privacy Rights Clearinghouse. "It could put their life in danger."

    This is so over the top.

    You have a stalker who knows enough about you and/or has enough access to you to trick you into calling this number that allows them to get your phone number. And that endangers your life? I could see it opening the way to harassing phone calls, but endangering your life?

    Isn't the real problem that you have a stalker in the first place?

  • Rest assured, whatever the fix is, Cisco or some other company will patent it and then charge us all for using it.

    The patent will probably be so ambiguously worded, that ALL workarounds to the problem will be covered by it.
  • Feature, not a Bug (Score:2, Insightful)

    by cfoster611 ( 219409 )
    The ability to set outgoing CallerID data is one of Asterisk's more useful features.

    Most DID (Direct Inward Dialing) providers do not let you set outgoing CallerID manually, though if you have any kind of digital phone connection, such as PRI, T1 or ISDN, you can. I say let's celebrate that NuFone allows you to fully control the service you pay for, rather than vilifying them for something that most Asterisk admins want.
  • Boring.... (Score:2, Informative)

    by Beave ( 519067 )
    Welp, as many have pointed out ANI != CID. I'm a big, big fan of VoIP and it is anything but new. Whoopy. If you're interested in what you can do with VoIP and asterisk, check out: http://www.telephreak.org [telephreak.org] and of course a wonderful reference is http://www.voip-info.org [voip-info.org] . Normal DID lines usually aren't lax enough to let outbound CID go through. However, DS1, etc. circuits, it's not completely uncommon. I think it's sort of cool the NuFone does this (though, I will have to check it out for myse
  • Because of some good laws (telephone consumer protection act of 1991; 47 usc 227), consumers have tools to go after those that use illegal telemarketing practices such as prerecorded solicitations, junk faxes, etc. However finding the people responsible is often the hard part. It is very common for these people to intentionally make as unavailable or private their numbers so that they cannot easily be traced. Most people that would complain about such calls (if they are on a state or national DNC list) now cannot since they won't make the extended effort to ID the perps. Thus without some serious legwork, perps get fewer complaints.

    Another trick (though not new) is to cause the caller ID to display some message and a number. The message can be "Great offers", "National Prize Line", or some other enticement. The systems will simply dial a number just long enough to be displayed on the CID. Someone curious about the strange looking display will call and will get hit by some prerecorded ad. The problem is that FCC regulations now require automatic dialers to not have anything more than 3% dropped calls (when not transferred to a live marketer) and in any case must ID the company placing the call. I'm not aware, however, of any previous actions regarding this, but it is coming.

    I don't want to necessarily spoof a number, but I definitely want to be able to track these kind of numbers used by illegal telemarketers. The biggest complaint about Vonage is that they do not offer some kind of call tracing, so if a call comes in that I cannot ID based on info in the call or legit CID info, then I cannot enforce my rights and seek damages against the company as allowed by law.
  • Oh PLEASE... (Score:3, Informative)

    by mindstrm ( 20013 ) on Wednesday July 07, 2004 @01:20PM (#9633500)
    All you doomsayers who are saying how bad this is, how credit card companies use CID for activating cards, etc....

    Please realize that CID was *never* a secure protocol and has *always* been easily spoofable.

    This is not something new, it's just easier to do now. It was never illegal or shady.

    How your CC Company decides to verify your new card is NOT something you should be really worried about! WHY? Because in the end, if your signature isn't there, YOU ARE NOT RESPONSIBLE FOR A PENNY.

    Second: This lets you spoof callerID, not ANI. How do you know your credit card company is relying on caller-id, and not ANI?

  • Account Terminated (Score:3, Interesting)

    by natas802 ( 773145 ) * on Wednesday July 07, 2004 @03:48PM (#9634934)
    Just so everyone knows, my account has since been terminated by NuFone for apparently somehow breaking the TAC's on their website, due to this article.
