Subject: Caller ID Spoofing
Date: 18 Feb 2004

On landlines, it depends on which switch you have. If you're on a 5ESS
(AT&T) your chances are nil. But if you're on a DMS-100 (Nortel) it is
a very real possibility. And, of course, that is a very popular
switch. On DMS-100's there is a feature called SDNA (Setting Up DN
Attributes). DN, of course, stands for Directory Number (the ANI).
This is a legitimate feature for use by hotels, hospitals, and other
large entities where they don't want the individual ANI's being sent
out but rather only the main number. For example, if you were at a big
hotel in Las Vegas with 4,000 rooms and you made a direct outgoing
call from your room, the CallerID received by the person you were
calling would be 702-855-8000, or something really nice like that. (I
just made that up, it's not a real number.) That way, the person
receiving the call does not receive the individual ANI of the exact
line that was used for the call, but rather the number of the
switchboard. A Very Nice Feature! If you stop and think you can
probably remember when you experienced this yourself somewhere.

Obviously, on large phone systems like that, there is provision by
design for this capability. But, of course, they don't call it
"spoofing CallerID" either! The DMS-100 can do it with SDNA, and I'm
sure if you ask someone who works a lot with large PBX equipment that
they could tell you how to do it on individual PBX's. And, as
mentioned, it can also be done with ISDN. And with SDNA the spoofed
number can be anything. It doesn't have to be the main switchboard's
number (at least from a capability standpoint).

Are you a medium-sized business? Perhaps you can ask for this feature!
Expect to make a few phone calls though. And they may not be willing
to do it, even though they know they can. They may tell you that
you'll have to use your own equipment for that feature. So, if you
don't have a PBX, you may want to deal with someone who works there
instead. As long as you are asking them to change it to your main
number they should be willing to do it for you. But the business
office may stonewall you.

As far as spoofing CallerID yourself directly over your line, I don't
think that's possible because the CallerID signal originates in the
Central Office just prior to call connect. You can't pass CallerID
signals if you're not connected to the person's line you are calling.
However, I have seen a program called an Orange Box which can spoof
the Call-Waiting CallerID. I never tried it but it sounds like it
would really work.

Also, certain law enforcement agencies can spoof CallerID. Mostly DEA,
FBI, CIA, etc. They use a small device hooked up to the phone,
probably between the phone and the wall jack. But, I suspect it merely
issues commands to the switch. And it's the switch which actually
changes the CallerID. And, I also suspect that there is documentation,
warrants, paperwork, etc., for every CallerID they spoof. If this were
not provisioned for them in this way, they would have to call a
technician at the phone company in every instance where they needed to
call a suspect or someone under investigation and needed to protect
their true CallerID. That would be too much work for the phone
company, so they just let them do it themselves. There are certain
very low-profile electronics companies which make super-cool stuff
like that for law-enforcement.

So, Can you spoof CallerID on your home phone? Well, I did. There's
three ways of course: (1) Hack into the DMS-100 and do it yourself
(unlikely, very risky, but admittedly possible). (2) Social engineer
it over the phone through someone at the phone company with switch
access, such as RCMAC. (3) Know someone at the phone company with
switch access who will do it for you (again, unlikely, since almost no
one with a good job these days wants to risk losing it over something
silly like spoofing CallerID).

The SDNA details involve a simple Service Order (SERVORD). I am not
going to post them here. DMS-100 has its own Help system called
Helmsman though. And instructions and examples for SDNA are there.

When I did this on my home phone I social engineered it and changed it
to a 345 number in the Cayman Islands of a resort hotel. It lasted for
about two years until I got in trouble for some other stuff. And
PacBell Security took it off, along with the incorrect CallerID's I
had placed on various PacBell payphones around the area. Evidently,
they did a network-wide scan of all the switches and even found a few
of my favorite ones which I had HOPED would remain on there forever!
Nothing lasts forever, I guess. But it was fun while it lasted.

There is a feature offered in Canada by one of the phone companies
there called Alternate Caller ID, which uses the SDNA feature to put a
false Caller ID on your line. It is intended to get calls through to
people who use Anonymous Call Rejection. If the person tries to call
back the number, they get a message saying,"The person you are trying
to call cannot be reached at this number." I don't remember which
company and also don't know if they're still offering it.

Also, please remember that spoofing CallerID will not deter phone
company investigators much. They can look up not only the ANI/CallerID
received on the called party's line, but also look up the NUMBER
CALLED through toll records in the switch/network to see what number
called that party. And, finally, don't forget about your voice. Calls
can be recorded and your voice is evidence in court. In that scenario,
it doesn't matter where the call came from. Bad boys, bad boys,
whatcha gonna do when they come for you? Answer: go to jail. I say
these things for the sake of anyone reading this who is contemplating
spoofing CallerID for the purpose of hiding his true originating
number. So, if you social engineer SDNA and change the CallerID on a
quiet payphone somewhere, then go and have surgery on your vocal cords
you should be safe! ;-) I don't know if there are any REALISTIC
voice-changing electronic gadgets out there or not. Any comments on
that? (emphasis on REALISTIC, i.e., BELIEVABLE) I must admit though
that there are some guys who can sound just like a girl, and there are
some girls who can sound just like a guy with a small amount of
effort.

The laws against hacking and phreaking are getting stricter and
stricter and the penalties harsher and harsher every year that passes.
And when several years go by and it's all behind you, you may find
yourself with a felony on your record and find it is hard to get a job
with a big company in IT. Just remember that. It's not worth it.

But no one asked about all that, you just wanted to know about
spoofing CallerID. Well, there's your answer.

One last note: CallerID was invented by a WOMAN at BellLabs! ;-) So,
all you girls out there, THERE'S HOPE for you in IT. ;-)