Clever Caller ID Tricks With VoIP 259
An anonymous reader writes "securityfocus.com has an interesting article collecting some clever exploits for VoIP. According to the article, using 'the open-source Linux-based PBX software Asterisk, used in combination with a permissive VoIP provider' can be used to fool caller id, and even get caller numbers that are supposed to be private."
Freaks! (Score:5, Insightful)
Re:Freaks! (Score:2, Insightful)
Re:Freaks! (Score:2)
Re:PHreaks! (Score:2)
That's PHreaks, thank you very much!
Countdown (Score:3, Insightful)
Re:Countdown (Score:5, Informative)
It's a matter of equipment being given info it's not supposed to share and a flag telling it not to share. But, if the customer provides the software...
Re:Countdown (Score:3, Funny)
Re:Countdown (Score:2)
Re:Countdown (Score:5, Informative)
This is a normal "feature" of CID. That's how you can go through a third-party LD provider yet still have your own phone number show up on the recipient's display. Voicepulse or other VOIP providers are not being overly permissive here. If you get a T1 bank you will have the same capability. That's what makes it possible for huge corporations to have thousands of phone lines in hundreds of offices yet display only their main incoming number on your caller id capable phone when someone from their office calls you.
The difference is that now average Joe can fake CID like the big boys used to do with a mere $7/month investment, vs the couple hundred dollars it would cost (plus install fees) if you went with a standard channel bank.
CID is for information purposes only. The problem is that people have grown to trust it as being 100% accurate, but they definitely shouldn't.
Re:Countdown (Score:3, Interesting)
Re:Countdown (Score:2, Funny)
That would make the problem self-regulating.
Re:Countdown (Score:3, Insightful)
SiO2
Re:Countdown (Score:5, Informative)
Interesting. You might actually look at their violations of Canadian law, then. Using an auto-dialler (an Automatic Dialling and Announcing Device, or ADAD) for solicitation--charitable donations, promotions, sales, etc.--is forbidden by the CRTC (Canadian Radio-television and Telecommunications Commission.) The CRTC can demand that a phone company suspend service to any company or individual who flagrantly violates these rules. Even if a company hires another company to make the calls, they can be held accountable. You might want to contact the CRTC [crtc.gc.ca] directly to see how the rules apply on international calls, however.
Even if a company is blocking call ID, your phone company can probably trace the call. For advice on how to handle this type of thing with an international call, again you might need to contact the FTC and the CRTC. It doesn't hurt to ask, and I'm pretty sure that the people at these organizations hate the spam callers as much as everyone else.
The "Open Source is Evil" argument... (Score:2)
However, those arguments are misleading. It is, in fact, over-regulation and closed technology that led to the situation in the first place. "Ma Bell" didn't have to worry about competitors and didn't have to worry about interoperability in a regulated monpoly environment, which I think led to
old news for me :) (Score:5, Interesting)
Re:old news for me :) (Score:5, Interesting)
A heck of a lot longer than that, as this "issue" isn't limited to VOIP. Ask anybody who installs/maintains standard PBX systems.
The privilege of setting your own outbound CID is simply another (business class) service and reading blocked inbound is actually your right if you have a toll-free number (because you're paying for the call).
(Dunno why cell-phones don't have the same right though, c'est la vie
from overseas (Score:5, Interesting)
Re:from overseas (Score:3, Informative)
The other part is being able to capture and display the caller ID of people who call you with numbers that show "Private" or "Blocked" on a normal line.
Re:from overseas (Score:2, Insightful)
Worse yet. Imagine if hackers could get your personal contact numbers, then use this to place calls from numbers you trust. They could make a program that calls just like a worm. Find your contacts, call them, find their contacts call them...
Gone Phishing (Score:5, Insightful)
Well this is nice. Once again the social engineering tricks will creep up on most once again. However, who's really that stupid to be giving away all of their personal info over the telephone anyway? Does this mean that it's going to start being like the phishing scams now?
Re:Gone Phishing (Score:5, Insightful)
Call-centers are using the CPN data as an authentication method to recognize customers. Call from somebody else's phone, or in this case appear to be doing so, and instantly that person's account will open on the operator's screen.
Banks and credit card companies seem to be smart enough to know that they have to ask some other challenge question to make themselves confident enough that they have the right person before discussing anything sensitve... but it just take one merchant willing to charge to an account and ship merchandise based on the the phone data alone and suddenly there's a way to get a charge onto somebody's credit account without even knowing their card number.
It's a matter of "trust", and a formerly trustworthy system no not so much.
Err... so what? (Score:5, Informative)
What you can't do, though, is set the ANI data (which is used by the telcos to find out who gets billed for the call and for call interception). And I can't see how that capability changes at all just because you're using a VoIP gateway either.
- mark
Re:Err... so what? (Score:5, Insightful)
Read the article. The interesting part isn't that this is some new feature. The interesting part is that you don't have to go out and get a lot of expensive telephone equipment to intercept blocked numbers and impersonate someone else's number.
And, as was said before, the biggest fear this creates is that someone will start grabbing the ready-to-activate credit cards out of the mail, look up the persons name in a phone book, program their voip with that persons number, and activate that card. And this is only a problem because credit card companies trust that Joe Shmoe was really him when he called from his home number.
Re:Err... so what? (Score:2)
A personal computer and a PBX are now in approximately the same price bracket.
Re:Err... so what? (Score:2, Informative)
AFAIK, you can't spoof ANI data, only deny it, and in that case my program transferred the call to a live operator who had a script of verification questions to ask.
So, not much to see here, move along...
Re:Err... so what? (Score:2)
For people interested in this topic I highly recommend comp.dcom.telecom [comp.dcom.telecom].
Re:Err... so what? (Score:4, Funny)
I should point out that it is possible to set your caller ID to 5318008. It was fun on an inverted calculator and I don't see how inverted caller ID is any different.
Re:Err... so what? (Score:3, Informative)
If the call doesn't enter the PSTN at an end office, there will BE no ANI spill, other than whatever SE the VoIP gateway adds, which is under THEIR control. As far as The Network is concerned, identification and rating are end-office functions. Sure, logs are kept at the tandem level for billing access minutes, or inter-carrier settlement, but getting from that to "who was at the other end" can be a tremendous challenge requiring the cooperation of every carrier whose network the call passed through.
Re:Err... so what? (Score:2, Interesting)
IMO, being able to user-disable Call ID should be simply user configurable.
techniques used for ANI spoofing will be left as an exercise for the student.
Re:Err... so what? (Score:2)
Think of it like the 'from' address in your e-mails. As long as its an address that gets back to you, it
Re:Err... so what? (Score:5, Informative)
You misunderstand how caller ID works. On traditional PSTN lines, when you make an outbound call your callerID information is looked up in a database (maintained by your carrier) when it hits the callswitch in the Central Office (CO). This is tacked onto the call and is sent with the rest of the call routing information to the destination via the signalling lines of SS7 trunks (note: SS7 splits voice traffic and call signaling between physically seperate routes/lines, meaning voice traffic is not transmitted or routed until the call is established, eliminating the effectiveness of the old blue/black box dialers.). When it reaches the last CO and goes out to a Remote Terminal (RT), the RT sends the ring tones to your phone over the local loop copper (for PSTN, more on that in a sec). Mixed in with the ring tones is a modem-sounding signal that your Caller ID box intercepts and decodes to get the caller ID info. Since this data is stored by the phone company, it is hard to spoof.
With digital phone systems, the signaling goes all the way to the switch itself, allowing the PBX more control over the call. ISDN and CAS have provisions to inject CallerID information into the outbound calls. Whether or not this information is passed through the CO call switch or is replaced is up to the carrier. Generally since its less stuff for the carrier to deal with, they let it pass. I-VoIP (internet VoIP) carriers need the software to be able to route calls back to their switch, and in doing so, the software basically becomes a software based digital PBX. So along with routing information, the CallerID info can be passed into the signaling.
Another issue is that caller-ID can be any alpha-numeric string, with a few special characters thrown in as well. Because of this, you can have your CallerID Name set to show up as a random phone number (867-5309?), and unless someone actually checks the number portion of the CaID against what shows up in the display, they probably wont notice, and if it is noticed, it would look like 2 different phone numbers and probably just confuse the person receiving the call.
Tm
business opportunity (Score:4, Funny)
Alight! (Score:4, Funny)
Re:Alight! (Score:2)
VOIP does NOT change WHAT you can do (Score:4, Informative)
I'm not sure if you can get away with just a POTS line into your PBX, or if you need a T1 - but this kind of stuff is always accessible when you run the switch. Whether or not it's a land-line or VOIP, if you have a switch, you can do it.
(FWIW, I recently saw a Fujitsu 9600 - up to 9,600 lines, the unix of PBX's - on Ebay for $2000.)
Re:VOIP does NOT change WHAT you can do (Score:2)
What I'm unsure of is whether our switch's software is just braindead, or if its data that's only really provided with ISDN, but I do know that T1s don't automatically provide caller ID data if your switch doesn't support it.
Re:VOIP does NOT change WHAT you can do (Score:3, Informative)
Re:VOIP does NOT change WHAT you can do (Score:2)
Are you sure? On the 9600, I believe once you've configured your POTS trunk, it would behave the same as your T trunk.. The only thing I could see is the local telco blocking that outgoing Caller ID...Then again, it's been a while since I've really had my mits on that beauty :)
Details? (Score:3, Interesting)
Re:Details? (Score:5, Informative)
Re:Details? (Score:2)
-h-
Re:Details? (Score:5, Informative)
as someone pointed out, it's a part of the ISDN call setup protocol.
Re:Details? (Score:5, Interesting)
It all depends ... (Score:2)
Is this a surprise? (Score:5, Insightful)
Re:Is this a surprise? (Score:2)
The issue here is that some VoIP providers aren't doing that final step, and they pass the data along to you.
It's not as if you're normally getting this data.
Is there security protocol in place? (Score:2, Interesting)
This here is just proof positive that people skip the simplest security bugs, imagining that others will simply accept there bogus obfuscation and live with what they are given.
I feel that as consumers, we need to demand better from these corporations. This is a joke and a
from your local wikipedia whore (Score:2, Informative)
Useful part (Score:5, Interesting)
Re:Useful part (Score:5, Funny)
Re:Useful part (Score:5, Insightful)
First, its much less stressful to just pay your bills.
Also, I dispise the fact that there can be either "OUT OF AREA", or "Unavailable", or the worst, "Private Name/Private Number". The only reason I answer these on my phone, is because I do sometimes get legitimate business call from people hiding behind these things. I do not answer politely, and I'm ready to start bitching at someone.
I am required to have a license plate on my car, I have to show ID to do most anything. I certainly would never walk into a store or bank disguising my face, why is this acceptable with a phone call?
Re:Useful part (Score:2)
True, but some of us thrive on stress.
Re:Useful part (Score:2)
It's about as clever as using tcpdump... (Score:2, Interesting)
Re:It's about as clever as using tcpdump... (Score:3, Insightful)
Come on, people. This is cool to those who don't work in the field with this stuff day in and day out.
Re:It's about as clever as using tcpdump... (Score:3, Informative)
Re:It's about as clever as using tcpdump... (Score:2)
Calling FCC... (Score:2, Insightful)
As the summary and article point out, in order for any of these exploits to work, the VoIP carrier must be permissive... they have to be asleep at the switch enough to send data that is marked "private" to the end user's equipment or accept CPN data isn't a number the customer controls. That should be things
Re:Calling FCC... (Score:2)
Re:Calling FCC... (Score:3, Interesting)
Re:Calling FCC... (Score:5, Informative)
"The FCC would never tolerate an old-line phone company selling a service that lets people lie to caller ID"
It is done CONSTANTLY! Marketing companies send out the callerid of the companies they are calling on behalf of... Companies have multiple phone lines send out the callerid of their main phone line.... it is a normal business service.
As for getting the number of the remote caller, anyone with a PRI line can do that. This is mandated because otherwise on 1-8XX lines you would never be able to verify you were being correctly billed for their usage from your provider.
I hate to say this... but you obviously havn't worked with a real phone system before.
You got it (Score:2)
Yep- thats why anyone who THINKS they have my phone number when I call them don't realize they are wrong until they call back and hit the switch board.
Parallels to The Internet (Score:2)
As little as five years ago, getting connected to The Network (in the sense of telephone network, not internet) was difficult. It required substantial technical know-how, some regulatory hoops to jump through, and newcomers were carefully scrutinized for behavior consistent with Community Standards.
Sound like the internet we knew and loved pre-1995?
I fear The Network will become just as much a stinking sewer as The Internet has become, unless we do something Serious, and Now.
Re:Parallels to The Internet (Score:2)
Re:Calling FCC... (Score:2, Funny)
Wow... So that means every telemarketer that has called me in the last 12 years actually was physically and literally "out of area". That's mind boggling. They must all reside in some hidden dimension.
Re:Calling FCC... (Score:2)
The last time I set up a personal land line, the phone company asked me what text to display with caller ID. They didn't say anything about the information having to do with my name, or the info had to be factual, or anything.
Actually, I was going to put something amusing like "Your moma", or "Prank Call", or "Guess who" the next time I was going to set
a 21 year old 1337 h4X0r (Score:4, Funny)
Seriosly though, the only reason this is a problems is due to the fact that the VOIP providers are sending too much information to the end user and relying on the users' software to not reveal the caller's number.
Clearly Linux causes invasion of privacy.
Re:a 21 year old 1337 h4X0r (Score:2)
Linux does not cause invasion of privacy. This is no different than what happens when you send e-mail, and is exactly the same problem that happens with e-mail spoofers that claim to be somebody else. Not particuarly hard to do, but you need to use software that has been modified to get this to work. Regular e-mail browsers don't normally let you "spoof" your e-mail account, because there really isn't a point to doing so, but if you are a script kiddie it is no problem.
BTW, this isn't res
Re:a 21 year old 1337 h4X0r (Score:2)
Re:a 21 year old 1337 h4X0r (Score:2)
Re:a 21 year old 1337 h4X0r (Score:2)
LOL the users pays extortion to the phone company they make caller ID made you pay for it then made caller ID blocking and made you pay for it. Realy it's all them using there monopoly on the phone system to make new business. Nope it's not encrypted so I doubt the DCMA would apply more importantly
They may be changing ANI also (Score:2, Informative)
It just hasn't been so easy.
Amazing... (Score:5, Informative)
Re:Amazing... (Score:4, Informative)
Not New (Score:5, Interesting)
First off, any sort of digital phone line lets you set your own caller ID info, it's just that most home users can't afford bringing a T1 into their home just to mess with caller ID.
Secondly, there've always been ways around caller ID anyway. A common one is called 'op diverting,' where you route your call through an operator, who will, in many cases, manually key in your Caller ID info with no authentication at all.
There are real privacy concerns here, but my point is, for those alarmed by them... Be even more alarmed. This is entirely doable without VoIP.
I don't know about getting blocked caller ID, though 800 numbers (and, IIRC, almost all high-volume digital lines?) have full access to caller ID, even if you block it.
The point of the article, IMHO, is that VoIP providers are carelessly sending this data, not the exploits that can be done -- they already exist. And you can almost argue that VoIP providers aren't entirely wrong here -- if you got a PRI line to your home, you could do this type of stuff anyway.
The security "industry" is engageing in FUD (Score:4, Interesting)
ISDN (Score:4, Interesting)
I guess in the states the Telcos must trust the equipment that connects up to the line to set the MSN connectly, hence being able to fake the Caller ID.
As for the privicy bit for callerid, in the UK (as far as I am aware, but I'll test this) only telecos are passed the CallerId+Flag (by telecos I means those with an Interconnect with other telecos and an NX2 license, but the licenses are being phased out), It's then the telecos job to strip out the CallerID and Flag before passing on the data to the customers line.
Once again, this is not really a hack or exploit. (Score:4, Informative)
PBXs have always had the ability to set outgoing CID information - so, for example, all outgoing calls would appear on the receiver's CID box as coming from a company's main switchboard rather than whatever extension they were actually originating from.
It always frightens me to see press accounts of CID information being used as "proof" of something, say the violation of a restraining order or proof of harassment when it is absolutely trivial to spoof. Newer VOIP devices just make it easier to do without the need for a PBX and trunk line to do so.
ANI information, the calling number information provided when you call an 800 number, is an entirely different matter. Since it is used for billing information, it IS secure, the only way to spoof it to be to call a provider who then turns around and reroutes your calls from their exchange. But whether you have CID blocking or not, the ANI number is ALWAYS passed because, frankly, they're paying for the call and they have a right to see who's calling them.
Re:Once again, this is not really a hack or exploi (Score:3, Informative)
PBXs have always had the ability to set outgoing CID information - so, for example, all outgoing calls would appear on the receiver's CID box as coming from a company's main switchboard rather than whatever extension they were actually originating from.
When a PBX is connected to a line with multiple numbers (number block or MSN) it is only valud to present an outgoing number in this block. So yes, you can send a main switchboard nu
Junk Fax Broadcasters! (Score:3, Informative)
OVoIP? (Score:3, Insightful)
Encrypted VoIP (Score:2, Insightful)
Another trick (Score:5, Informative)
**Portion omitted**
Vonage has "fixed" their CID spoofing problem (at least in some switches), but in the process has created a new "feature". Try this:
1. Call a party. When they answer, flash over to a new dial-tone (as if to initiate a 3rd party call). Dial the new third party (who has been instructed not to answer the call coming from your phone number) and after a couple of rings hang up the phone. Rather than the initial call ringing back to you as it should, it will ring forward to the third party. A nifty way to put your friend in CA in touch with your friend in NY with no long-distance charges even when they don't use Vonage.
2. Let a party call you. Flash over to a new line and dial a 3rd party. Repeat process above and you can effectively "transfer" the call out of your phone system with no toll charges.
In both cases, your Vonage line is free to make and receive calls as soon as you hang up.
Thanks, and keep up the great writing!!!
Egon Rinderer
"It's not a bug, it's a feature." (Score:5, Informative)
Also, the reason why many VoIP providers are passing along Caller ID data without verification is legitimate. VoIP has no concept of "numbers" tied to hard physical "lines". Many VoIP providers sell outgoing service that is not tied to any physical telephone number. This is nothing new: conventional telcos have been doing that for years (it used to be called OutWATS) over T1s. If my VoIP gateway provider has no physical phone number to set my calls to, what are they supposed to do? This is the #1 reason all those telemarketer calls are labelled "OUT OF AREA", BTW.
In my case, I set the Caller ID to the POTS line that terminates into the same phone system. However, it would be trivial for me to set it to something like 714-853-1212, and it would get passed.
The problem is not that I can set Caller ID to any arbitrary number, but that idiots are actually depending upon an in-band signalling system which depends upon third parties (private PABXs) for the data as a secure authentication method.
I don't personally see any easy fix to this, nor should there be. The telecom business is increasingly having small players in it, and it will be difficult to fix this alleged "problem" without locking out these same small players.
Never trust Caller ID anyway. (Score:2)
We get a few laughs out of it, but I suppose we could run a pretty good scam if we wanted to.
Oh, it get's worse.. (Score:2, Informative)
Stupid quote (Score:4, Insightful)
This is so over the top.
You have a stalker who knows enough about you and/or has enough access to you to trick you into calling this number that allows them to get your phone number. And that endangers your life? I could see it opening the way to harassing phone calls, but endangering your life?
Isn't the real problem that you have a stalker in the first place?
Cisco (Score:2)
The patent will probobly be so ambiguously worded, that ALL workarounds to the problem will be covered by it.
Feature, not a Bug (Score:2, Insightful)
Most DID (Direct Inward Dialing) providers do not let you set outgoing CallerID manually, though if you have any kind of digital phone connection, such as PRI,T1 or ISDN, you can. I say lets celebrate that NuFone allows you to fully control the service you pay for, rather then vilifying them for something that most Asterisk admins want.
Boring.... (Score:2, Informative)
This is an old trick used by telemarketers (Score:3, Interesting)
Another trick (though not new) is to cause the caller ID to display some message and a number. The message can be "Great offers", "National Prize Line", or some other enticement. The systems will simply dial a number just long enough to be displayed on the CID. Someone curious about the strange looking display will call and will get hit by some prerecorded ad. The problem is that FCC regulations now require automatic dialers to not have naything more than 3% dropped calls (when not transferred to a live marketer) and in any case must ID the company placing the call. I'm not aware, however, of any previous actions regarding this, but it is coming.
I don't want to necessarily spoof a number, but I definitely want to be able to track these kind of numbers used by illegal telemarketers. The biggest complaint about Vonage is that they do not offer some kind of call tracing, so if a call comes in that I cannot ID based on info in the call or legit CID info, then I cannot enforce my rights and seek damages against the company as allowed by law.
Oh PLEASE... (Score:3, Informative)
Please realize that CID was *never* a secure protocol and has *always* been easily spoofable.
This is not something new, it's just eaiser to do now. It was never illegal or shady.
How your CC Company decides to verify your new card is NOT something you should be really worried about! WHY? BEcause in the end, if your signature isn't there, YOU ARE NOT RESPONSIBLE FOR A PENNY.
Second: This lets you spoof callerID, not ANI. How do you know your credit card company is relying on caller-id, and not ANI?
Account Terminated (Score:3, Interesting)
Re:So I guess . . . (Score:2)
You know *67 is free :)
Re:So I guess . . . (Score:2, Interesting)
This is a very well known "security breach" that not only applies to VoIP. For example, you can retrieve a CID from a PBX or an access server (PPP server) that has a T1 link.
Re:Linux (Score:3, Funny)
Re:Linux (Score:2)
Someone else beat me to saying that by a few seconds, and an idiot moderator thought this is redundant
Re:Wouldn't help you (Score:2)
I think his theory is you can use them to avoid anwering when they next call you...
Re:Dish network uses this (Score:2)
Re:Reading unlisted numbers (Score:4, Interesting)
Now if you want to get as many numbers as is possible, like this article is stating, get yourself a toll-free number and use it instead of your local number. Anyone calling it (that has CID information available) will have it show up, regardless as to whether or not they try to block it.
That article was very misleading, making it seem as though this is a flaw that the information was displayed when it was blocked. In reality, it is just how the network operates. Nufone provides a toll-free number, since the person being called is the one paying, they have a right to know the number. This is how it has always worked.
Jeremy