Kevin Poulsen, SecurityFocus 2004-07-06
Implementation quirks in Voice over IP are making it easy for hackers to spoof Caller I.D., and to unmask blocked numbers.
Colapse all |
Post comment
VoIP hacks gut Caller I.D.
2004-07-07
Anonymous (9 replies)
Anonymous (9 replies)
VoIP hacks gut Caller I.D.
2004-07-07
Anonymous
Anonymous
Yes; he used a digital PBX to change the caller id and spoof the whitehouse's phone number and call someone's cell phone. This isn't really new information. And just as a reminder, there are still the old methods of spoofing caller ID (op diverting, calling cards, calling exchanges which don't servi...
[ more ] [ reply ]
[ more ] [ reply ]
VoIP hacks gut Caller I.D.
2004-07-12
Anonymous
Anonymous
Yes, he did. An audience member at HOPE also brought it up during the Off The Hook live broadcast and Kevin responded, but didn't go in to a lot of details.
After this ability was discovered, some people (whom will remain nameless [look in the article]) have attempted to take credit and build up...
[ more ] [ reply ]
After this ability was discovered, some people (whom will remain nameless [look in the article]) have attempted to take credit and build up...
[ more ] [ reply ]
VoIP hacks gut Caller I.D.
2004-07-07
Anonymous (12 replies)
Anonymous (12 replies)
This makes it sound like someone is actually hacking, or there is some (prospectively illegitimate) tool like this 'Asterisk' that allows you to do this. This is all false, its the responsibility of the PSTN carrier, I.e. nufone, vonage, voicepulse, etc to set and confirm the data. They leave it u...
[ more ] [ reply ]
[ more ] [ reply ]
VoIP hacks gut Caller I.D.
2004-07-07
Anonymous
Anonymous
This "hack" is about on par with forging an email. VoIP standards (e.g. RFC 3261, or SIP) provide for end-to-end and hop-by-hop authentication methods which eliminate this problem if those methods are enabled. I think it's safe to say we'll see this kind of security turned on in typical deployment...
[ more ] [ reply ]
[ more ] [ reply ]
VoIP hacks gut Caller I.D.
2004-07-07
Anonymous
Anonymous
Asterisk is legitimate. It's probably the most powerful open-source PBX around. Runs on linux. You can buy a $15 PCI card, download the software, and run your own PBX from your house (make SIP calls from the internet out of your house line, create your own voicemail system, send calls from your home...
[ more ] [ reply ]
[ more ] [ reply ]
VoIP hacks gut Caller I.D.
2004-07-07
Anonymous
Anonymous
Or course there are legitimate reasons for 'spoofing' your own phone number. For example, when I dial home from my work, my caller-id shows our corporate 1-800 number, not my direct dial number.
Mitnick did talk about this in his book as well... Spoofing caller ID is nothing new.
Bottom lin...
[ more ] [ reply ]
Mitnick did talk about this in his book as well... Spoofing caller ID is nothing new.
Bottom lin...
[ more ] [ reply ]
VoIP hacks gut Caller I.D.
2004-07-07
Anonymous
Anonymous
This reply relates to both of the replies.
Mitnick didn't do that on The Screen Savers, he did a trick where you spoof caller ID (look through your old copies of 2600 quarterly). This is done through the "big boys". It isn't just Vonage and the little guys on the VoIP front. As for caller ID, th...
[ more ] [ reply ]
Mitnick didn't do that on The Screen Savers, he did a trick where you spoof caller ID (look through your old copies of 2600 quarterly). This is done through the "big boys". It isn't just Vonage and the little guys on the VoIP front. As for caller ID, th...
[ more ] [ reply ]
VoIP hacks gut Caller I.D.
2004-07-08
Anonymous
Anonymous
VoicePulse and many other providers choose to do business by administratively locking down the configuration of the device used to get onto their network. The subscriber does not get to see the credentials; only pieces of it may be determined by doing a packet sniff, but digest authentication is us...
[ more ] [ reply ]
[ more ] [ reply ]
VoIP hacks gut Caller I.D.
2004-07-12
Anonymous
Anonymous
not necessarily true, the controllers are the VOIP companies right now, they need to be able to forward caller-id out and this will always cause questionable flaws if not implemented properly by the VOIP vendors. E.G. their auth software isn't properly secured from localhost hackery....
[ more ] [ reply ]
[ more ] [ reply ]
VoIP hacks gut Caller I.D.
2004-07-13
Anonymous
Anonymous
I agree, this has been possible from the local side for years with traditional PBX's. It was always regulated by the CO or provider. It's the VoIP providers, not the technology that is at fault. I'm sure some executive saw a possible revenue stream or competetive advantage and wanted to leave this...
[ more ] [ reply ]
[ more ] [ reply ]
VoIP hacks gut Caller I.D.
2004-07-07
Anonymous
Anonymous
I'm sorry,but, caller-id manipulation has always been available to anyone to tout with.
Reason why we're just hearing it now, is the fact that the accessibility of altering the CID data is getting closer to the end user.
CID altering is used constantly by various carriers to represent one sing...
[ more ] [ reply ]
Reason why we're just hearing it now, is the fact that the accessibility of altering the CID data is getting closer to the end user.
CID altering is used constantly by various carriers to represent one sing...
[ more ] [ reply ]
Carrier's Fault
2004-07-07
B Vincent (1 replies)
B Vincent (1 replies)
This is clearly the fault of the carrier. The problem is occuring at the IP/PSTN interface and it appears the VOIP carriers are letting caller ID be set by the PBX (in this case Asterisk VOIP.) No one could reasonably do this in their home because they'd be using a regular 1FB line that can't set ...
[ more ] [ reply ]
[ more ] [ reply ]
Re: Carrier's Fault
2006-04-19
Anonymous
Anonymous
I work at a inbound ACD, we have several customers that connect to us via VoIP. We have run into issues where the end user may be blocking the call ID, this also blocks the inbound ANI. This is a difficult issue to work with, as we rely on ANI to determine services available.
We also have an issu...
[ more ] [ reply ]
We also have an issu...
[ more ] [ reply ]
VoIP hacks gut Caller I.D.
2004-07-07
Anonymous
Anonymous
Life or death, someone possibly a stalker, having your phone number? Give me a break, how could life be at risk by someone learning your phone number. This is all hoopla bull shit. It's a number, it's about as bad as someone having your email address. At worst, maybe someone would know what part of ...
[ more ] [ reply ]
[ more ] [ reply ]
VoIP hacks gut Caller I.D.
2004-07-07
Anonymous
Anonymous
This has nothing to do with VOIP despite the obvious attempt to label this a VOIP security issue. This is an issue brought on by bringing advanced PBX functions to the masses. All PBX's worth their salt can mask or change caller ID whether they are on a TDM (traditional telecom) or VOIP network. T...
[ more ] [ reply ]
[ more ] [ reply ]
VoIP hacks gut Caller I.D.
2004-07-08
Anonymous
Anonymous
To the previous comment, yes he did show this trick off on Tech TV a few months ago.
Secondly, this finger pointing at VoIP and Asterisk is totally irrelevant. Businesses (or individuals) with access to PRI/ISDN circuits have been able to override their own caller ID for years. It has nothing t...
[ more ] [ reply ]
Secondly, this finger pointing at VoIP and Asterisk is totally irrelevant. Businesses (or individuals) with access to PRI/ISDN circuits have been able to override their own caller ID for years. It has nothing t...
[ more ] [ reply ]
VoIP hacks gut Caller I.D.
2004-07-08
Anonymous
Anonymous
I've been a 5ESS Systems Engineer at a large operator and there are a number of mistakes in the article:
1. Local Exchange switches do contain screening software to block spoofing, even from digital PRI links. If they detect a wrong A-number they inject the default CLID of the PBX.
2. Internationa...
[ more ] [ reply ]
1. Local Exchange switches do contain screening software to block spoofing, even from digital PRI links. If they detect a wrong A-number they inject the default CLID of the PBX.
2. Internationa...
[ more ] [ reply ]
VoIP hacks gut Caller I.D.
2004-07-09
Anonymous
Anonymous
Acording to nuphone's chief they never called to ask! It would be nice if securityfocus (and the register which this appears to be a copy of) whould verify information before posting it as absolute truth.
also this problem is NOT unique to VoIP. Technically astute persons have been able to spoo...
[ more ] [ reply ]
also this problem is NOT unique to VoIP. Technically astute persons have been able to spoo...
[ more ] [ reply ]
VoIP hacks gut Caller I.D.
2004-07-09
Anonymous
Anonymous
The failure occurs at the VOIP to PTSN gateways. The CPN should be filtered in both directions at these gateways with the current VOIP implementation.
The PSTN protocols require a CPN in some call classes. In that case some of the reserved unassigned numbers could be used to clearly indicate the...
[ more ] [ reply ]
The PSTN protocols require a CPN in some call classes. In that case some of the reserved unassigned numbers could be used to clearly indicate the...
[ more ] [ reply ]
Asterisk
2004-07-09
Anonymous
Anonymous
Asterisk is an open source, Linux (tm) based, VoIP and PSTN telephone switch. That is, with the proper cards, it can handle VoIP phones and internet connection, conventional trunks, and single line (POTS) telephones.
Some companies (i.e., dial tone providers) check the equipment you are using bef...
[ more ] [ reply ]
Some companies (i.e., dial tone providers) check the equipment you are using bef...
[ more ] [ reply ]
VoIP hacks gut Caller I.D.
2004-07-13
Anonymous
Anonymous
I dont know exactly how Mitnik did it, but I dont believe he used V/IP. The most widely accept answer for how he did it was he called into his PBX and out over a PRI (its kind of like a Local T1). When you have a PRI your PBX can define its ANI (Automatic Number Identification). Normally on a call y...
[ more ] [ reply ]
[ more ] [ reply ]
[ more ] [ reply ]