Home > Guides > Security > General Security and Privacy

Security Reference Guide

Hosted by

Toggle Open Guide Table of ContentsGuide Contents

Close Table of ContentsGuide Contents

Close Table of Contents

Caller ID Security: Hacking like Paris Hilton

Last updated May 23, 2003.

For many phone users, the first thing we do upon hearing the ring is to check who is calling. In some ways, that number that appears on your phone serves as a basic authentication feature. If the number is known and you want to talk to the caller you answer; otherwise, you ignore the call and continue on with your life. This is a very handy way to filter your calls, but what if the calling party was able to spoof, or fake, their caller ID value?

In this section we are going to look at caller ID security in some detail. We will first look at what caller ID really is and how it works, then we will demonstrate how it can be spoofed. Finally, we will examine several major security threats that everyone needs to understand. As you will see, caller ID can be dangerous, misleading, and a very valuable tool for a malicious person.

Caller ID

Before caller ID was implemented, the phone companies used to use something call Automatic Number Identification to keep track of calls for billing purposes. The ANI value was also provided to emergency services, operators, and law enforcement to help them locate the address of a caller. This ANI number is still in use today, but is not necessarily tied to the caller ID value you see on your phone. We only bring this up to differentiate between the two number systems that are often discussed with relation to this subject.

During the mid-90's, a new signaling technology, called Signaling System Seven (SS7) was implemented by most telephone companies. This new technology allowed for out-of-band signaling, which meant that a carrier could send information in the frequencies surrounding the normal voice frequency. One of the biggest benefits of this new signaling was the creation of the Calling Party Number (CPN); however, as each carrier implemented this service a bit differently, interstate CPN was not always possible. The government saw this and said that because CPN was good for the public, they were going to govern its implementation. The following outlines the seven major principles:

  1. When a carrier uses SS7 to set up a call, it must transmit CPN and its associated privacy indicator for that call to connecting carriers;
  2. Calling parties can be able to conceal their number on an interstate call by dialing *67
  3. Carriers in the transmission chain must honor the calling party’s privacy election
  4. Carriers may not charge connecting carriers for passage of CPN
  5. Carriers may not charge calling parties for providing them the ability to conceal CPN by using *67, and must educate subscribers how to maintain confidentiality
  6. Customers of charge number services such as 800 generally may not reuse charge number information without the permission of the calling party
  7. States are preempted from having policies that interfere with the federal policy.

So, in summary, the caller ID data has to be honestly and accurately passed between carriers. This data will not cost you anything, and you can block it using *67 or #31#.

On the technical side, the caller ID value is actually nothing more than formatted data that is passed as a packet between carriers and then converted to a string of characters when it is passed to the subscriber. This stream of characters is sent to the subscriber BEFORE the phone line rings, and then between the first and second ring. If it is interrupted, the number is lost. The following is an example of a string, which would also contain a checksum appended to the end for integrity.

103016007175551212 

This would end up being translated as:

Date:            10/30
Time:            16:00 (4pm)
Number:          (717) 555-1212 (AKA information)

Caller ID Spoofing

Caller ID has been spoofable since its inception; however, the requirements to perform a spoof were beyond the normal person’s reach. First, a spoofer has to own and operate a telephone switch. Since the hardware costs tens or hundreds of thousands of dollars, only large institutions generally own them. In addition to the hardware, the switch had to be connected to a carrier through which they would have access to the nation's telephone network.

Obviously, these obstacles are going to keep all but the wealthy from spoofing their number, at least until voice over IP (VoIP) hit the mainstream. Thanks to this technology, now anyone can operate their own switch for free, and connecting to a carrier is as easy as changing of a few lines in a configuration file.

In order to perform your own caller ID spoofing, you will want to download and install a program called Asterisk. There are tutorials for this online, and in general the install process is smooth. Once installed, you will need to subscribe to a VoIP carrier that supports Caller ID forwarding. Nu-Fone is the one that we will be using for this demonstration.

At this point you will need to configure your Asterisk program with your caller information, the Nu-Fone account data, and any other specific rules you want to include. All the configuration files are stored in the /etc/asterisk directory by default. Figure 1 shows a screen shot of this directory and its contents.

Figure 1

Figure 1: Listing of /etc/asterisk

The two files you will probably be spending the most time with are the sip.conf and iax.conf. There are many options available in these files; however, for the purpose of this demonstration we are going to create a user named 100. You can see from Figure 2, user 100 has a few options associated with their account. The key ones you will want to focus on are the "secret" value (password) and the "callerid" value. It is here you place the value you want your phone call to appear to come from. Figure 3 provides a shot of the account information you will need to connect to Nu-Fone (minus my password).

Figure 2

Figure 2: sip.conf

Figure 3

Figure 3: iax.conf

Next, you will need to download a soft phone. There are many available, but for this illustration we will be using X-Lite. You will need to configure the softphone to connect to your Asterisk server. This is accomplished by clicking on the menu icon on the phone (Figure 4), select System Settings, SIP Proxy, Default, and then enter in your information (Figure 5).

Figure 4

Figure 4: X-Lite interface

Figure 5

Figure 5: Configuring X-Lite

Once everything is setup correctly, you will need to execute Asterisk via the following command: asterisk –cvv. This will give you command access to the program and provide you with very verbose output as to what is, or is not happening (Figure 6). If all is correctly configured, your X-Lite softphone should locate, and log into the Asterisk server. Upon connection, dial up your closest caller ID enabled phone and pretend to be someone you aren't! Figures 7-9 show some spoofed numbers for your enjoyment.

Figure 6

Figure 6: Asterisk running

Figure 7

Figure 7: Information

Figure 8

Figure 8: The Whitehouse Switchboard (President calling anyone?)

Figure 9

Figure 9: Great for Halloween

You should get the point by now that caller ID can be spoofed. But what can a person do with this tool?

Exploiting Caller ID

Since the mid-90's, caller ID has grown to become almost a standard feature on most land lines, and all cell phones. While most people use the technology to screen their calls, the ability to read the number of the caller has been incorporated in many other ways. For example, modems can be configured to only answer if a valid caller ID value is detected. Banks will request that a new credit card holder call from their home phone to enable an account. Voicemail programs will authenticate a user based on the number they are dialing from.

Now combine the above examples with the fact that someone can spoof ANY valid phone number and you have a big problem. For example, I am able to dial into my cell phones voicemail account and gain full access to it by spoofing my cell phones caller ID. This means that anyone using the Cingular network is potentially at risk of having their voicemail account hacked. It is possible to secure the account, but the subscriber has to know they need to enable the security mechanism, and most do not.

Another aspect to this is that many phones automatically display a name when the incoming number is in the phones address book. Just imagine how easy it would be to trick someone into believing they are talking to a trusted person.

Caller ID Spoofing Services

If you are not interested in setting up your own caller ID system, then there are other ways to spoof you number. Companies like Spoofcard.com provide a service that not only lets you change you caller ID number on the fly, but also changes your voice and record the call. For the $10/60 minute price tag, this makes caller ID spoofing easy and affordable.

Ironically, this very company was at the middle of a caller ID spoofing voicemail box scandal that included Paris Hilton and Lindsay Lohan. In short, Paris was allegedly using a spoofed caller ID value to bypass the authentication mechanisms to gain access to Lindsay's T-Mobile voicemail account, much like I outlined above using my Cingular account. SpoofCard detected the abuse and cancel Paris's account, along with 50 others. The point is, spoofing your caller ID is obviously not too challenging.

Summary

Caller ID spoofing is easy, cheap, and fun — but it is dangerous in the wrong hands. So, the next time you pick up your phone, you might want to be sure you are talking to the person you think is on the other end. In addition to social engineering scams, caller ID spoofing can be used by a malicious person to gain unauthorized access to all sorts of services/resources. Companies that rely on that 10 digit value for authentication should reconsider and find another solution. We hope this has enlightened you to the world of caller ID spoofing and its potential — oh, I have to go... Paris appears to be calling on line two.

References:

Frequently Asked Questions About Caller-ID

Electronic Privacy Information Center: Caller Number Identification Service — Caller ID