Beating Caller ID
by The Fixer
v.1.4 2000/04/30
(C) 1998-2000 Meester Feexer
For free distribution - you may freely repost & distribute this but not
for profit without permission of the author.
To start off with - 15 Ways to beat Caller ID
(0) This doesn't count as a way to beat CID, but there's a general
principle to consider when contemplating ways to beat CID.
Generally, the CID signal your target sees corresponds to the owner
of the dial tone you call him from. If you call direct, you dial
from your own dial tone and your line is identified. If you call a
third party, and by whatever means manage to acquire his dial tone,
and from there dial out, it is the number associated with that
second dial tone that your target sees. Some of the ideas following
this were developed with this basic idea in mind.
(0.5) This also doesn't count, but remember that beating Caller ID as
such is only the first layer of your protection. If your calling is
sufficiently annoying or criminal, there is *always* a paper trail
(ANI data, billing data, trouble reports, *57 traces, etc) leading
back to the phone you first called from. That trail is not always
easy or worthwhile to track you down with. Whether or not the trail
is followed depends entirely upon how pissed off your target is and
how much co-operation he can get from the phone company, law
enforcement, etc.
(1) Use *67. It will cause the called party's Caller ID unit to
display "Private" or "Blocked" or "Unavailable" depending on the
manufacturer. It is probably already available on your line, and if
it isn't, your local phone company will (most likely - please ask
them) set it up for free. This is the simplest method, it's 100
percent legal, and it works. But just remember you will not be
invisible to business customers with real time ANI (like on
corporate toll free lines), or to 911, or to the mechanism that *57
triggers.
(2) Use a pay phone. Not very convenient, costs 25 or 35 cents
depending, but it cannot be traced back to your house in any way,
not even by *57. Not even if the person who you call has Mulder and
Scully hanging over your shoulder trying to get an FBI trace (sic).
Janet Reno himself couldn't subpoena your identity. It's not your
phone, not your problem, AND it will get past "block the blocker"
services. So it's not a totally useless suggestion, even if you
have already thought of it.
(3) Go through an operator. This is a more expensive way of doing it
($1.25-$2.00 per call), you can still be traced, and the person
you're calling WILL be suspicious when the operator first asks for
them, if you have already tried other Caller ID suppression methods
on them.
(4) Use a prepaid calling card. This costs whatever the per-minute
charge on the card is, as they don't recognize local calls. A lot
of private investigators use these. A *57 trace will fail but you
could still be tracked down with an intensive investigation (read:
subpoena the card company). The Caller ID will show the outdial
number of the Card issuer.
(5) Go through a PBX or WATS extender. Getting a dial tone on a PBX is
fairly easy to social engineer, but beyond the scope of this file.
This is a well-known and well-loved way of charging phone calls to
someone else but it can also be used to hide your identity from a
Caller ID box, since the PBX's number is what appears. You can even
appear to be in a different city if the PBX you are using is! This
isn't very legal at all.
(6) I don't have proof of this, but I *think* that a teleconference
(Alliance teleconferencing, etc.) that lets you call out to the
participants will not send your number in Caller ID. In other
words, I am pretty sure the dial tone is not your own.
(7) Speaking of dial tones which aren't yours, if you are lucky enough
to live in an area with the GTD5 diverter bug, you can use that to
get someone else's dial tone and from thence their identity.
(8) Still on the subject of dial tones which aren't your own, you can
get the same protection as with a payphone, but at greater risk,
if you use someone else's line - either by just asking to use the
phone (if they'll co-operate after they hear what you're calling
about) or by the use of a Beige Box, a hardware diverter or bridge
such as a Gold Box, or some other technical marvel.
(9) This won't work with an intelligent human on the other end, it
leaves you exposed if the called party has a regular Caller ID box
with memory, and has many other technical problems which make it
tricky at best and unworkable for all but experts. A second Caller
ID data stream, transmitted from your line after the audio circuit
is complete, will overwrite the true data stream sent by the telco
during the ringing. If the line you are calling is a BBS, a VMB, or
some other automated system using a serial port Caller ID and
software, then you can place your call using *67 first, and then
immediately after the other end picks up, send the fake stream. The
second stream is what the Caller ID software processes, and you are
allowed in. See the technical FAQs below for an idea of the
problems behind this method; many can be solved. Since the first
version of this file was published, a concept called the Orange Box
was published. It exploits Call Waiting Caller ID boxes and has
some of the same problems as just sending a fake stream after
pickup, plus the added problem of only working against Call Waiting
Caller ID boxes. I suspect that eventually all new Caller ID phones
and adjunct boxes will be sold with the Call Waiting Caller ID
feature, so that problem will probably go away.
(10) Someone in alt.2600 (using a stolen AOL account, so I can't credit
him or her properly) suggested going through 10321 (now 10-10-321)
or 10288. Apparently using a 10xxx even for a local call causes
"Out of Area" to show up on the Caller ID display. I live in Canada
where we don't have 10xxx dialing so I can't verify nor disprove
this.
(11) There are 1-900 lines you can call that are designed to circumvent
Caller ID, ANI, traces, everything. These services are *very*
expensive, some as high as $5.00 a minute, but they include long
distance charges. This was first published in 1990 in 2600
magazine, and in 1993 the IIRG reported that 1-900-STOPPER still
works. Beware - even if you get a busy signal or no answer, you
will get charged at 1-900 rates! Another one published in 2600 in
1990: 1-900-RUN-WELL. That one supposedly allows international
calls. I'm not about to call either one to find out. Note that you
could still be caught if the operators of these services were to be
subpoenaed.
(12) Use an analog cellular phone. Most providers of plain old analog
service show up on Caller ID as "Private" or "Out of Area" or a main
switchboard number for the cell network. This is becoming less and
less true as cellular providers move to digital cellular and PCS,
which pass the phone's number on Caller ID. Corollary: Rent a
cellphone by the day. This might even be cheaper than using a
prepaid phone card.
(13) Get the co-operation of a third party with Three Way Calling. You
call your friend (who might be at work, school, or anywhere else
where there is a phone with either 3-Way Calling or a 2-line
conference mode) and he then places the call for you. You're then
connected to whoever you really want to talk to, but you're not
physically at the location the call is traced to. If you're doing
it this way because you expect a SWAT team to descend on the traced
location, then it should be a phone in a place where your friend can
get away and leave you and your target talking (which rules out
school and work but not, say, a courtesy phone in a store somewhere.)
(14) Voice mail! If your target has the voice mail service provided by
his local telephone company, you can leave a message on it directly
without having to call his line (thus avoiding Caller ID). Look
in his local phone book for the direct dial-in number.
(15) If you ever reach an intercept operator who asks you what number
you are calling from, oftentimes whatever you tell her will appear
on your target's Caller ID box! According to Rufus T. Firefly in
alt.phreaking, OCI/Wiltel and likely several other companies don't
pass ANI, so if you call their main 800 number through an operator,
and ask to place a card or collect call, you will sometimes be asked
for your phone number. Tell her some phony number, the number of
the White House, another number in the same building, a nearby
payphone, whatever.
How Caller ID Works
Caller ID is a data stream sent by the phone company to your line
between the first and second ring. The data stream conforms to Bell
202, which is a 1200 baud half-duplex FSK modulation. That is why
serial Caller ID boxes run at 1200 baud.
The data stream itself is pretty straightforward. Here's an example:
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUU€'^D032415122503806467x
The first thing of note is the 30 U's. Those are actually sync pulses.
A "U" is 55 hex, or 01010101 binary. This is called the "Channel
Seizure Signal."
After that comes 130 milliseconds of 1200 Hz (the Bell 202 "mark"
frequency) which usually shows up in the data stream as a character or
two of garbage.
That is followed by the "message type word", which is 04 hex for
standard Caller ID, 07 hex for Name & Number. A word, by the way, is 8
bits for our purposes.
That is followed by the "message length word" which tells us how many
bytes follow.
The next four bytes are the date, in ASCII. In the example above, the
date is 0324, or March 24th.
The next four bytes after the date are the time, also in ASCII. In the
example, the time is 1512, or 3:12pm.
The next 10 digits are the phone number that is calling. In the
example, the phone number is 250-380-6467. The number is also in ASCII
and doesn't contain the hyphens. Some phone companies will leave out
the area code and only transmit 7 digits for a local call, others will
always send the area code as well.
If this were a name-and-number Caller ID data stream, the number would
be followed by a delimiter (01h) and another message length byte to
indicate the number of bytes in the name. This would be followed by the
name itself, in ASCII.
If this call originated from an area that doesn't support Caller ID,
then instead of the phone number, a capital "O" is transmitted (4F hex).
If the call was marked "private" as a result of the caller using *67 or
having a permanent call blocking service, then instead of the phone
number, a capital "P" (50 hex) would be sent.
The very last byte of the data stream is a checksum. This is calculated
by adding the value of all the other bytes in the data message (the
message type, length, number and name data, and any delimiters) and
taking the two's complement of the low byte of the result (in other
words, the two's complement of the modulo-256 simple checksum of the CID
data).
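As an added illustration (not part of the original file), here is a decoder for the number-only data stream laid out above, written the way a Caller ID box or serial-port software has to process it: skip the sync run and the mark-tone garbage, check the length word against the capture, verify the checksum, and reject any frame that fails. The captures at the bottom are constructed from the date, time and number in the text; the two garbage bytes after the U's are a stand-in, and the checksum bytes were worked out from the rule given above.

```python
from dataclasses import dataclass
from typing import Optional

SDMF_TYPE = 0x04                  # message type word: number-only Caller ID
ABSENCE = {b"O": "out of area", b"P": "private"}   # sent instead of a number


@dataclass
class CallerId:
    month: int
    day: int
    hour: int
    minute: int
    number: Optional[str]   # None when the number was withheld
    reason: Optional[str]   # "out of area" or "private" in that case


def checksum_valid(message: bytes, received: int) -> bool:
    """Checksum = two's complement of the low byte of the sum of the message
    bytes, so message bytes plus checksum must sum to zero modulo 256."""
    return (sum(message) + received) % 256 == 0


def parse_body(body: bytes) -> CallerId:
    """Interpret the bytes between the length word and the checksum."""
    if len(body) < 9 or not body[:8].isdigit():
        raise ValueError("body must start with MMDD and HHMM as ASCII digits")
    date, time, field = body[:4], body[4:8], body[8:]
    stamp = (int(date[:2]), int(date[2:]), int(time[:2]), int(time[2:]))
    if field in ABSENCE:
        return CallerId(*stamp, number=None, reason=ABSENCE[field])
    if not field.isdigit():
        raise ValueError("calling number field is not all digits")
    return CallerId(*stamp, number=field.decode("ascii"), reason=None)


def decode_sdmf(raw: bytes) -> CallerId:
    """Return the first checksum-valid SDMF message in a raw capture. The 'U'
    sync run and mark-tone garbage are skipped by trying every 0x04 byte as a
    candidate type word and keeping the first whose length and checksum fit."""
    for start, byte in enumerate(raw):
        if byte != SDMF_TYPE or start + 1 >= len(raw):
            continue
        end = start + 2 + raw[start + 1]        # index of the checksum byte
        if end < len(raw) and checksum_valid(raw[start:end], raw[end]):
            return parse_body(raw[start + 2:end])
    raise ValueError("no checksum-valid SDMF message in capture")


# Constructed captures (not from the original file) using the date, time and
# number the text walks through; the checksum bytes follow from the rule above.
SEIZURE = b"U" * 30                      # channel seizure: 30 x 0x55
MARK_GARBAGE = b"\x80\x7f"               # stand-in for the mark-tone junk
CAPTURE_NUMBER = SEIZURE + MARK_GARBAGE + b"\x04\x12" + b"03241512" + b"2503806467" + b"\x4f"
CAPTURE_PRIVATE = SEIZURE + MARK_GARBAGE + b"\x04\x09" + b"03241512" + b"P" + b"\x11"
CAPTURE_DAMAGED = CAPTURE_NUMBER[:-3] + b"7" + CAPTURE_NUMBER[-2:]   # one digit corrupted

if __name__ == "__main__":
    print(decode_sdmf(CAPTURE_NUMBER), decode_sdmf(CAPTURE_PRIVATE), sep="\n")
```

Running it prints the decoded number and private frames; decode_sdmf(CAPTURE_DAMAGED) raises ValueError because the corrupted digit no longer sums to the checksum.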
Some Technical FAQs
Q: When I block Caller ID with *67, does it send my number anyway and
just set a "private bit" so that the other person's Caller ID Display
unit won't display it?
A: No. The person you're calling doesn't get your phone number anywhere
in his data stream if you block your call that way. All he/she gets
is "P" and the date/time of the call.
I would like to refer to an experiment I performed in March, 1998
with a Serial Port Caller ID, which delivers the raw data stream to a
PC for software interpretation. The following Usenet message (edited
for this file) is the report I published on that experiment:
Newsgroups: alt.2600
From: The Fixer
Date: Tue, 24 Mar 98 16:12:58 -0800
Subject: Caller ID and *67 - The Facts
OK, it's time to shovel the bullshit which is piling up in this
newsgroup about Caller ID.
A few people are saying that when you block your Caller ID with
*67, the switch sends your number anyway along with a so-called
"private bit" that tells the Caller ID display unit to suppress
display of the number.
In order to squelch those who'd rather flame back with "show me
proof" than just read a FAQ, here is the proof. These are
actual raw data captures from a Bell 202 demodulator (better
known as a serial port Caller ID) which I captured myself today.
They prove conclusively that the "Private Bit" is a myth.
Here is what I got in my raw data stream when I called my voice
line from one of my BBS lines (which is unlisted, hence the
PRIVATE string in the name field):
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUU€'^A^H03241512^A2503806467^G^OPRIVATE x
This is what I got when I did the same thing with *67:
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUU€^P^A^H03241512^D^AO^H^AP(˙
The number I was calling from was 250-380-6467. That string is
clearly displayed in the first (non *67) call. In the number
field of the second call, only the letter "O" is transmitted.
In the name field, only the letter "P" is transmitted.
In both calls, the date and time (03/24, 15:12) is transmitted,
but transmission of the calling telephone number is suppressed
in the second call. There is no "private flag" suppressing
display of the number by the display unit; the calling number is
not transmitted at all!
For those of you unfamiliar with the CID raw data stream, the
U's are actually sync pulses (an ASCII "U" is 01010101 binary).
The control characters are field delimiters. The first 8-digit
number is the date and time in MMDDHHSS format. The second
number in the first call is the phone number, in NPANXXXXXX
format. That is followed by the name (for those of us with name
& number CID). The ^O (0Fh) just before the name indicates how
many characters are in the name - in this case "PRIVATE" is
padded out with 8 spaces (20h) to make 15 characters. At the
very end is an 8-bit checksum.
Believe me, if I were wrong about this, there would be a huge
marketing frenzy to sell "*67 proof Caller ID boxes" and I would be
making a fortune selling my Serial Caller ID software, which works
directly with the data streams illustrated above!
Q: Can't I just send noise down the line to scramble the Caller ID
signal between the rings?
A: No. Your phone line doesn't generate the Caller ID signal. It is
made by the switch on your calling party's line, and the audio
circuit between your line and his is not completed until after he
picks up the phone.
Q: Do 1-800 numbers have Caller ID? Can I hide my identity from them?
A: Some do have Caller ID, and the *67 block will work, but many more
have realtime ANI - Automatic Number Identification. This is an
older technology which uses a separate line to deliver your number,
and cannot be blocked. And all 800 subscribers get a list of
everyone who called them on their monthly bill, blocked or not.
Q: Can I hide my identity by sending a fake Caller ID signal down the
line before they answer?
A: *Generally*, no. The audio circuit between your phone line and their
line is not completed until the other party picks up. Once they do,
they would hear your fake signal and know what you were doing...
unless the person you're calling is very poorly informed or
untrained. Even so, most Caller ID devices have memory and so the
person you're calling could just as easily scroll back through the
box's memory and find your true number.
Once upon a time, the phone system worked differently, and the audio
circuit WAS connected even before the called party picked up. A
device called a "mute" or a "black box" was used to take advantage of
this fact and allow anyone calling a line with a black box to do so
toll-free. If the system still worked that way (and there's no
technical reason why it couldn't in these days of digital switching)
then yes, it would be very feasible to send a fake Bell 202 data
stream down the line; in fact you'd hear the real one every time you
called someone with Caller ID and you'd get a really good feel for
the timing involved. But if it worked that way, then black boxes
would also still work, and they don't.
Q: What about the Orange Box? Doesn't that spoof Caller ID?
A: Yes it does, but it's not very useful. Your target must have a Call
Waiting Caller ID compatible box. It's not necessary for the target
to actually subscribe to Call Waiting but since the Orange Box relies
partially on victim stupidity it will help if he already expects that
feature to activate occasionally. During the call (which can be as
early as a split second after pickup) you send an alert signal which
tells the Caller ID Box that a call is coming in. To simplify, after
that you send the fake Caller ID signal as an audio stream, and your
fake ID then shows on the target's Caller ID box as a "New Caller".
IF your target didn't look at the Caller ID before answering, and IF
he doesn't look back through his Caller ID memory, then he may be
fooled into believing that the fake information is your real info.
However one push of the "back" button will reveal your identity
(unless you used *67 first).
There has been some discussion in alt.phreaking of the possibility of
spoofing a large amount of Caller ID data at once - like a few
hundred calls' worth - with the idea of scrolling all the legitimate
calls in the Caller ID Box's memory out, including the data sent in
your call. However, that would take a fairly noticeable amount of
time - at 1200 bps (120 characters per second) that's not very fast.
I think most people would think something is up when they hear Caller
ID signal noise for 30 or 60 seconds after picking up the phone. Not
to mention that the spoofed data would be clobbered by the "Hello?
Who is this? What is that noise?" etc.
Q: How about *69? If I protect my call using *67, can they still call
me back?
A: Not in 604/250 anyway, and probably not most places.
Some interesting notes about this: When *69 was first introduced
here in 250, if you tried to *69 a blocked call, you would get a
recording telling you that the number could not be announced. And it
would then offer to connect you anyway! I guess it was businesses who
asked for the change because that meant a telemarketer using *67
would have people call back and their switchboard answer "Sleazebag
Marketing, how can I help you?". At that point the number was a
white pages lookup away. So Telus, and I would venture to guess its
part-owner company GTE and many others, changed it so that *69 won't
even call back.
If you find in your area that you CAN call back with *69 to a *67
protected number, you're a lucky sonofabitch! Why is that? Well,
with the "old" working of *69, you may still be able to get the
number of a blocked caller if you are (a) lucky and (b) patient. Take
your phone off the hook until midnight (if it's a business) or early
afternoon (if it's a person). THEN activate *69. No incoming calls
will have come into your line since it was off-hook, so your line's
*69 last-call register will still have their phone number in it, and
at those times you are far more likely to get an answering machine
which may spill the beans as to who called you... clever huh?
Final Word
Caller ID can be worked around in so many ways that it really offers no
value to its subscribers. I am not against the existence of Caller ID,
as I have been on the receiving end of harassing phone calls and slimy
telemarketers, all of whom I've been able to put in their place thanks
to this technology. There's no doubt that Caller ID can help bring
those who deserve it to justice. But at the same time, we all have the
right to privacy, and the option to not share your identity with someone
you're calling is, and always should be, available.
For this reason, I think that Caller ID should be available free on
every line as part of the basic service. It's worth nothing anyway!
---------------------------------------------------------------------------
That's it. This file may be updated as I receive more information.
Look for updates on my web site at
http://phreaking.iscool.net
---------------------------------------------------------------------------
This file is a freely-distributable copyrighted work. You may repost
this file free of charge without modifications, but no for-profit
distribution is allowed without prior arrangement with the author.
(C) Copyright 2000 The Fixer