Normally, punching *67 should block Caller ID information from being passed through to the party receiving the call. But, as security consultant Kevin Mitnick has demonstrated and Digium CTO Mark Spencer explains, it's not 100 percent foolproof.
At The Last HOPE hacker conference over the weekend, Mitnick demonstrated how an appropriately configured Asterisk box and a suitable SIP trunking service can be used to deliver Caller ID information even on inbound calls that have a "Private" flag set.
"There are legitimate reasons why you need to set the Caller ID to normal [and carry that information forward,]" said Digium CTO Mark Spencer. "If, for example, I'm in an enterprise environment and I want to have calls forwarded [from my office number] to my cell phone, [the PBX] needs that information."
Mitnick used the "enterprise class" VoIP/SIP trunking provider FlowRoute to get a phone number (DID) and service that would deliver all of the call information to an Asterisk server. The Asterisk server is simply set up and scripted to pass along all Caller ID information for inbound calls, regardless of the setting of the privacy flag on the call.
Spencer also noted that Caller ID information is carried along and recorded for "private" calls to toll-free numbers; the information is necessary for proper billing.
Mark is not happy about Asterisk being put to questionable uses, but since it is open source, there is little he can do about it. "I hate to say it, but the same reasons why Asterisk is attractive to a lot of businesses, it's low cost, it can be easily tweaked, it's more flexible, make it easy for using it for an illegitimate purpose," said Spencer. "It's a very powerful platform. I'm not thrilled about it being used for fraud and I'm not thrilled with companies who build products on it in competition with Digium, but there's not a lot I can do about it."
For more:
- Engadget snags Mitnick demo video [1] from The Last HOPE conference
Related articles:
- Last Hope Launches Security Season [2]
- VoIP Security and the Circle of Trust [3]
Links:
[1] http://www.engadget.com/2008/07/21/how-to-reveal-blocked-caller-id-info-a-video-guide-to-risky-beh/
[2] http://www.fierceenterprisecommunications.com/story/last-hope-launches-security-season/2008-07-20?utm_medium=rss&utm_source=rss&cmp-id=OTC-RSS-FV0
[3] http://www.fierceenterprisecommunications.com/story/voip-security-and-circle-trust/2008-05-06