Orange Boxing / Caller ID Hacking FAQ (Frequently Asked Questions)
by dethme0w and AOH Staff
Revision 1 - June 3, 2004

The current version of this file can always be found at http://www.artofhacking.com/files/ob-faq.htm .

-------------------------------------------------------------------------

(0) About this FAQ Document

The purpose of this document is to address as many of the questions we have received about Orange Boxing as we can (not just the most frequently asked ones!), so that hopefully we will not have to answer the same questions personally over and over and over...

This FAQ should not be construed as a replacement manual for S.O.B., CIDMage, or any other Caller ID generator. Nor, in fact, should it be considered as containing usable legal advice. We are not lawyers, and while we may conceitedly think we understand a few things about telecommunications-related law, we still have to repeat that we are not lawyers. So, there you have it, we are not lawyers. Go see a real one if you are thinking of doing something with an Orange Box that you are not sure is legal.

If you would like to add to this FAQ or correct any errors, please see our contact information at the end of the document.

(1) What is an Orange Box?

An Orange Box is a device that emulates the Caller ID signal that the Central Office transmits down a telephone line immediately after the beep of an incoming Call Waiting call. Basically, it's a Call Waiting Caller ID spoofer. There are many ways to accomplish this, including something as simple as a tape recording of a real Call Waiting Caller ID signal, a software program that generates the signal such as S.O.B., or something as elaborate as a standalone hardware device with a keypad and LCD display designed to generate the signal. Although only the latter would be a proper Orange Box, we have yet to see any specimens and suspect that none may exist.

(2) How do I use it?
Since the Orange Box emulates Call Waiting Caller ID, it follows that it works best during a call that is already established. You call the number you are calling as you usually would, wait for someone (or something!) on the other end to answer, and then send the signal. In S.O.B., CIDPad and CIDMage this is done by simply clicking the Play button. When this is done, if all other factors are correct, your falsified name and number (and even a falsified date and time, if you want) appear on the Caller ID box on the other end.

(3) So does this mean I can totally hide my real Caller ID info and the person on the other end only sees the fake one?

No. The Orange Box talks directly to the Caller ID box on the other end. It can only do this when the telephone company has an open connection between you and the other line, and this connection only exists after the call has been answered. Your real Caller ID information (or PRIVATE if you dialed with *67) would appear on the Caller ID box on the other end before they answer, and the fake info would appear after you send it, which can only be after they answer.

(4) When do I send the signal?

Any time *after* the call has been answered. Not before. Nothing in the phone system is listening for your signal until the phone company establishes an audio connection between your line and the far end, and that connection only exists after the call has been answered.

(5) Isn't that kind of useless?

The fact that spoofing can only occur on an open connection is the chief limitation of the Orange Box. However, while this limits the usefulness of the Orange Box, it does not eliminate it. No, you can't flawlessly spoof Caller ID from before they answer, and you can't replace the Caller ID signal generated by the telephone company with one of your own creation. But this only presents a problem if you are trying to call a live, human target on the initial call.
If you call a fax line or a line on which the call is answered by an answering machine, then no one is likely to see the initial, real Caller ID data. If you call someone who has Call Waiting under a pretext, you may be able to convince them that your false Caller ID signal is a real incoming call, and then have an accomplice (someone with a different voice, for obvious reasons) proceed to converse under the identity of the spoofed data.

(6) Can I use the Orange Box on a toll-free number?

Yes and no. All toll-free numbers have access to the real numbers that called them sooner or later. Residential and small business toll-free customers get a list of all incoming calls on their bill, and this information would not agree with your faked Caller ID information. Such lines may also have Caller ID, so as long as your spoofing needs are short term, this should not be a problem. However, larger companies (and they don't need to be major corporations anymore) have Real Time ANI (Automatic Number Identification), a service offered by the phone company that cannot be blocked by *67 or per-line Caller ID blocking because it is not Caller ID. The real-time ANI equipment gets the calling number from network signaling that is completely separate from the Caller ID channel, and thus would never "hear" your faked signal, even if it were compatible (it isn't).

(7) Can I use the Orange Box on calls to a Cellular Telephone?

No. All cellular phones which have Caller ID get it through a separate digital channel. The cellphone doesn't listen for nor understand the landline-compatible Caller ID signals generated by the Orange Box, and even if you had a device that could generate a compatible Caller ID signal for cellphones, you as the caller would still not have access to that separate channel.

(8) Can I use the Orange Box on calls from a Cellular Telephone?

Maybe.
The microphones in cellular phones aren't very good, and the technique of playing a Caller ID signal through a microphone is fraught with pitfalls that cause distortion and result in a signal that is unusable before it ever hits the phone line. However, if your phone has a headset jack, with the right interface you might just be able to get a clean signal into the voice channel. Since it is the receiving end that has to have a compatible Caller ID box and not the transmitting end, it is possible in theory for any phone, cellular or landline, anywhere in the world, to transmit an Orange Box signal successfully. The critical factor is the presence of compatible receiving equipment on the far end.

(9) Can I use the Orange Box on calls to the USA from [Insert Country Here]?

Yes, if the line you are calling has a Call Waiting Caller ID device. As with calls from cell phones (see above), it doesn't matter what Caller ID system the originating phone line uses, since the Orange Box talks directly to the remote Caller ID device and not to the phone system itself.

(10) So can I use the Orange Box on calls to [Insert Country Here] from the USA?

It depends on the country you are calling. If the line you are calling has a Call Waiting Caller ID box that is compatible with the Orange Box you are using, then the answer is yes.

(11) What countries have phones that I can Orange Box?

That, of course, depends on which country's Caller ID system your Orange Box was designed to work with. S.O.B., CIDPad and CIDMage were designed to work with North American (USA and Canada) Caller ID, which uses the Bell 202 FSK signaling system. This system is used in Australia, Canada, China (including Hong Kong), New Zealand, Singapore and the United States. Other countries use different standards, and may not be able to be Orange Boxed depending on whether those standards include Call Waiting Caller ID.

(12) Do I need to have Caller ID myself to use an Orange Box?
No, for the same reason that you can Orange Box from any line in any country or from a cellular telephone.

(13) Does the person at the other end need to have Call Waiting?

He does if you're using a technique that involves fooling him into thinking a Call Waiting call is coming in. If he doesn't have Call Waiting, he may not even know what to do when he hears the fake Call Waiting beep. If you're calling a non-Call-Waiting customer, then you are probably going to have to send the signal immediately after answer and hope it fools him (or hope that an answering machine or fax takes the call). In this case, the only requirement is that a Caller ID device that is compatible with Call Waiting Caller ID is present on the far end. The good news is that just about every Caller ID box, Caller ID phone and answering machine on the market today supports Call Waiting Caller ID even if its owner doesn't have Call Waiting.

(14) What about VOIP? Can I spoof Caller ID to a VOIP phone?

That depends. If the VOIP phone you are calling gets its Caller ID information from a separate Internet source, then it won't be listening for landline Caller ID. However, some VOIP terminals attempt to completely emulate a real phone line, allowing you to plug in a "normal" phone, answering machine and, yes, Caller ID box. The determining factor is whether there is a Call Waiting Caller ID box connected to the same line, whether it be VOIP or otherwise.

(15) What is the best way to connect my Orange Box to the phone line?

Use an FCC Part 68 interface, or a tape recorder interface that allows playback into the line. These will give you a direct audio connection to the line that is free of outside noise and distortion. This is very important because Caller ID receiving devices have a fairly tight signal tolerance. And why not: the signal normally comes from the central office down the road, not from you across the country. Real Caller ID signals are of excellent quality and yours needs to be too.
(16) What about just holding the speaker of my (PC/Hardware Orange Box/tape recorder) up to the handset of my phone? Won't that work?

When we were developing CIDMage we tried a number of interfacing methods, and the one that was least satisfactory was the acoustic coupling method, or holding the phone's mouthpiece up to our PC speaker when we hit Play. We were only able to successfully spoof that way one time in 20 tries, and that was with the Caller ID box in the same room, not miles away as would be the case in the real world. This problem is due to the inevitable distortion that results from playing a sound through crappy speakers into a much crappier mouthpiece through noisy air. It can't be helped that the signal that makes it to the line after going through all that no longer has enough signal quality to be understood at the far end.

(17) I have an Orange Box (or Orange Box program like S.O.B.) connected to the phone line but I can't get my fake information to appear on the far end! Why not?

Because of the signal quality requirements we mentioned above, even if you have a good clean line interface you may need to experiment until you have the right sound level before your Caller ID signal will get through. It's best to set this up with an assistant on the other end of the line, adjusting the volume of your Orange Box (or sound card) each time you try sending a signal, until your assistant sees a good fake number on his Caller ID box. You should do this until you can reliably send fake Caller ID to your assistant before you attempt Orange Box use with a "live" target. It is also important to make sure that the other requirements for Orange Boxing are present: a Call Waiting Caller ID box on the other end, the timing of when you send your Caller ID signal (after they answer!), and of course valid fake information prepared in your Orange Box.
Caller ID spoofing programs will normally always generate a valid signal, computing the checksum and building the frame structure automatically, but it is possible to mis-adjust the program's settings so that it no longer generates a compatible signal. Consult the software docs for more about that.

Lastly, it is very important to understand what Orange Boxing's limitations are. We are asked this question very often by would-be Orange Boxers who did not understand that you can't send the signal before the other end answers. If you're attempting Orange Boxing with the expectation that it is some kind of telephonic invisibility cloak that lets you be anyone with no effort, you're setting yourself up for disappointment.

(18) I want to be able to enter a name longer than 15 characters, can I do that?

The Telcordia specification for Caller ID allows no more than 15 characters for the name field of name-and-number Caller ID. CIDMage will allow you to enter longer names, and even to enter special characters that the remote Caller ID receiver might not be able to decipher. You can do these things to the number and date/time parameters too. However, this functionality is intended strictly for experimentation and for learning the capabilities of your own Caller ID box. If you try to send a Caller ID signal that has been expanded beyond the limits of the Telcordia spec, different Caller ID devices will handle the signal differently: some will reject the entire call information and just display "Error"; others will truncate the name or number at the limit; others might even crash. But it wouldn't make sense to expect a Caller ID box that only has 15 characters for a name to be able to display more than that just because an off-spec signal came in.

(19) Can an Orange Box fool an automated system that uses Caller ID for authentication?

Possibly, yes.
We ourselves once ran a system that may have been vulnerable to this (although no one ever, to our knowledge, attempted to attack it). Years ago, the AOH staff ran a dialup BBS which used Caller ID to decide how to handle certain callers. This was accomplished using a serial-port Caller ID box (a device which got Caller ID information from the line and sent it directly to the computer the BBS was running on) and a program we wrote called Caller ID Gestapo, which received the Caller ID data from the device and filtered that data against a set of rules to determine whether the caller should be allowed to log on or not.

Although the initial data came in between the first and second rings of the incoming call, as is normally the case, the serial device was rather dumb, and would always send the computer whatever Caller ID information came in as it came in. Likewise, Gestapo didn't have a usable way to ascertain the line status, and so processed any Caller ID data as it came in, before or during a call. What this meant was that if a Caller ID spoofer had existed when we were using this arrangement, a fake Caller ID signal might possibly have been sent at the instant the BBS modem answered (and before the data carrier started!) that would have been processed by Gestapo, which would in turn have overwritten its just-previously-written semaphore which instructed the BBS on how to deal with the call.

Of course, this kind of system cannot be defeated with an Orange Box if the software makes the decision whether to answer the call at all or not, because if the call is not answered, no spoofing can occur. Our BBS and our use of Gestapo are long gone now, but there were likely many other automated systems (voice response, data lines, protected fax etc.) that used a system with the same flaw as ours, and who knows, maybe some of them are still operating. We really don't know if this flaw is widely considered by designers of Caller ID authenticating systems.
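The flaw just described, as an added example that is not the FAQ authors' Caller ID Gestapo nor any real BBS code: a gate that acts on every Caller ID record the serial box delivers, beside one that only trusts the record captured on-hook between the first and second ring and treats anything decoded after answer as suspect. The allow list, the event timings and the numbers are constructed for this example.

```python
"""Caller-ID gated call handling: the (19) flaw beside a line-state aware fix.

Added example, not the FAQ authors' Caller ID Gestapo nor any real BBS code.
The allow list, the event stream and its timings are constructed for this example.
"""
from dataclasses import dataclass

ALLOWED = {"2505550123"}  # constructed allow list: numbers permitted to log on


@dataclass
class LineEvent:
    t_ms: int          # milliseconds since the first ring
    kind: str          # "ring", "cid" (a decoded Caller ID record) or "offhook"
    number: str = ""   # calling number carried by a "cid" event


class NaiveGate:
    """Acts on every Caller ID record as the serial box delivers it, whatever the
    line is doing. A record decoded after answer overwrites the one captured
    between rings, which is exactly the semaphore overwrite described in (19)."""

    def __init__(self):
        self.decision = "deny"

    def feed(self, ev):
        if ev.kind == "cid":
            self.decision = "allow" if ev.number in ALLOWED else "deny"


class LineStateGate:
    """Latches only the record that arrives on-hook, between the first and second
    ring. Once the line is off-hook, anything the box decodes arrived over the open
    talk path (an Orange Box, not the Central Office) and is logged as suspect."""

    def __init__(self):
        self.decision = "deny"
        self.off_hook = False
        self.latched = False
        self.suspect = []

    def feed(self, ev):
        if ev.kind == "offhook":
            self.off_hook = True
        elif ev.kind == "cid":
            if self.off_hook or self.latched:
                self.suspect.append(ev)      # late or duplicate record: do not trust it
                return
            self.latched = True
            self.decision = "allow" if ev.number in ALLOWED else "deny"

    def should_answer(self):
        """Refusing to answer closes the door entirely: no open line, no spoofing."""
        return self.latched and self.decision == "allow"


def run(gate, events):
    """Replay a call's events in time order and return the gate's final decision."""
    for ev in sorted(events, key=lambda e: e.t_ms):
        gate.feed(ev)
    return gate.decision


# Constructed attack: the genuine record carries an unlisted number; after the
# modem answers, the caller plays a Type II stream claiming a listed one.
ATTACK = [
    LineEvent(0, "ring"),
    LineEvent(700, "cid", "6045550199"),
    LineEvent(6000, "ring"),
    LineEvent(6200, "offhook"),
    LineEvent(6500, "cid", "2505550123"),
]

# Constructed legitimate call from a listed number.
LEGIT = [
    LineEvent(0, "ring"),
    LineEvent(700, "cid", "2505550123"),
    LineEvent(6000, "ring"),
    LineEvent(6200, "offhook"),
]

if __name__ == "__main__":
    print("naive gate, attack:", run(NaiveGate(), ATTACK))
    gate = LineStateGate()
    print("line-state gate, attack:", run(gate, ATTACK), "suspect records:", len(gate.suspect))
```

Run as-is, the naive gate lets the post-answer record flip its decision to allow, while the line-state gate keeps the genuine deny and logs the late record. Answering only when should_answer() is true is the stronger position: an unanswered call gives an Orange Box nothing to talk to.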
So the proper answer to this question probably should be "Yes, but your mileage may vary!"

(20) Give me the technical goods. Exactly how does the Orange Box work?

As we have repeated several times in this document, the Orange Box spoofs Call Waiting Caller ID. The best way to explain how an Orange Box spoofs Call Waiting Caller ID is to first explain how the phone company sends real Call Waiting Caller ID.

There are a few differences between regular Caller ID and Call Waiting Caller ID. Most obvious is that regular Caller ID comes in before a call is answered, and Call Waiting Caller ID comes in when Call Waiting is activated, which of course is always during an existing call.

Before Call Waiting Caller ID, Call Waiting alerted the subscriber that another call was coming in by sounding a beep on the line. That beep is called the Subscriber Alert Signal or SAS. The SAS was (and still is) a 440 Hz tone that sounds for about 300 milliseconds. The subscriber would then "flash" over to the new incoming call, or ignore the SAS and let the caller hear only ringing.

Call Waiting Caller ID works the same way, but immediately after the SAS tone is sounded, the phone company plays a CAS signal. CAS stands for CPE Alert Signal, and CPE stands for Customer Premises Equipment, so the CAS is a Customer Premises Equipment Alert Signal, or for those of you who dislike acronyms, a special tone that wakes up the Caller ID box. The CAS is actually two frequencies played at the same time, 2130 Hz and 2750 Hz, sounded simultaneously for about 80 to 100 milliseconds. As soon as the Caller ID box detects the CAS, it cuts off the subscriber's phone (if it can: the phone has to be plugged in through the Caller ID box rather than into another parallel jack for this to happen). The silence lasts just long enough that the customer doesn't hear the Caller ID stream coming through, which sounds a little like a bird squawking but more annoying.
After silencing the phone, the Caller ID box sends an ACK tone back to the phone company to indicate that it is ready to receive Caller ID. If the phone company doesn't get the ACK signal, it doesn't send a Caller ID signal. If it does get the ACK signal, then the Caller ID signal follows immediately after. The ACK signal is usually a DTMF "A" or "D", although some telephone companies may accept any DTMF (touch tone) digit.

After this, the telephone company sends the Caller ID box a Caller ID signal, which is an FSK data stream. The exact format of this data stream is well covered in specifications and tutorials from numerous sources, a few of which are mentioned near the end of this FAQ document. There is a difference between this Caller ID data stream and the regular (non-Call Waiting) stream. In regular Caller ID, the data stream begins with a channel seizure of alternating bits, which manifests as a bunch of ASCII U's at the beginning of the data stream. This has the equivalent function, in regular Caller ID, to the CAS tone you just read about: it alerts the Caller ID box that a signal is coming in. The U's are not present in Call Waiting Caller ID.

After the FSK data stream has been sent to the Caller ID device, the phone is restored, the Caller ID box displays the number and name of the new incoming call, and the customer has the same option to flash over to the new call as he would have had if the call had not included Caller ID. None of these tones are audible to the first calling party, because the telephone company also mutes the audio to the other end during this exchange. Fortunately, this muting doesn't happen during Orange Boxing, since the telephone company is not listening for SAS or CAS like the Caller ID box is, nor is it listening for the unprompted ACKs that Orange Boxing would generate.

The Orange Box works by generating the SAS and CAS signals. It then waits briefly for the Caller ID box to send its ACK, but is not listening for the ACK; it just pauses.
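The SAS, CAS, blind ACK pause and FSK data stream just described, together with the 15-character name limit from (18), as an added worked example. This is not code from the FAQ nor from S.O.B., CIDPad or CIDMage; the 8 kHz sample rate, the 80-bit mark run before the data, the 150 ms pause left for the ACK and the output file name are this example's own assumptions. The MDMF layout (0x80 call-setup message type, body length, type/length/value parameters for date/time, number and name, two's-complement checksum) and the Bell 202 tones (1200 Hz mark, 2200 Hz space, 1200 bit/s) are the standard values.

```python
"""Type II (Call Waiting) Caller ID signal: MDMF frame plus Bell 202 FSK audio.

Added example; not the FAQ's code nor that of S.O.B., CIDPad or CIDMage. Frequencies,
timings and frame layout are the values quoted in (18) and (20); the sample rate, the
mark run length, the pause left for the ACK and the output file name are assumptions.
"""
import math
import struct
import wave
from datetime import datetime

SAMPLE_RATE = 8000                  # assumption: 8 kHz mono is plenty for a 2750 Hz tone
BAUD = 1200                         # Bell 202 runs at 1200 bit/s
MARK_HZ, SPACE_HZ = 1200, 2200      # Bell 202: mark (1) = 1200 Hz, space (0) = 2200 Hz
MDMF_CALL_SETUP = 0x80              # MDMF "call setup" message type
PARAM_DATETIME, PARAM_NUMBER, PARAM_NAME = 0x01, 0x02, 0x07
NAME_LIMIT = 15                     # spec maximum for the name field, see (18)


def build_mdmf(number, name, when, enforce_spec=True):
    """Build an MDMF frame: type, body length, TLV parameters, then a checksum byte.
    enforce_spec=False lets you build the off-spec frames (18) warns about."""
    if enforce_spec and len(name) > NAME_LIMIT:
        raise ValueError("name longer than %d characters is off-spec" % NAME_LIMIT)
    if enforce_spec and not number.isdigit():
        raise ValueError("number must contain digits only")
    body = b""
    for ptype, value in ((PARAM_DATETIME, when.strftime("%m%d%H%M")),
                         (PARAM_NUMBER, number), (PARAM_NAME, name)):
        raw = value.encode("ascii")
        body += bytes([ptype, len(raw)]) + raw
    frame = bytes([MDMF_CALL_SETUP, len(body)]) + body
    # Checksum is the two's complement of the byte sum, so a valid frame sums to 0 mod 256.
    return frame + bytes([(-sum(frame)) & 0xFF])


def parse_mdmf(frame):
    """Decode a frame the way a receiver would, rejecting bad type, length or checksum."""
    if len(frame) < 3 or frame[0] != MDMF_CALL_SETUP or len(frame) != frame[1] + 3:
        raise ValueError("bad frame header or length")
    if sum(frame) % 256 != 0:
        raise ValueError("bad checksum")
    fields, body, i = {}, frame[2:-1], 0
    while i < len(body):
        ptype, plen = body[i], body[i + 1]
        fields[ptype] = body[i + 2:i + 2 + plen].decode("ascii")
        i += 2 + plen
    return fields


def tone(freqs, ms, amplitude=0.3):
    """Sum of sine waves at the given frequencies for ms milliseconds (SAS and CAS)."""
    n = SAMPLE_RATE * ms // 1000
    return [amplitude * sum(math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            / len(freqs) for i in range(n)]


def silence(ms):
    return [0.0] * (SAMPLE_RATE * ms // 1000)


def fsk(frame, mark_bits=80):
    """Bell 202 FSK, phase-continuous: a mark run (assumed 80 bits), then each byte as
    start bit 0, eight data bits LSB first, stop bit 1. No 'U' channel seizure: Type II."""
    bits = [1] * mark_bits
    for b in frame:
        bits += [0] + [(b >> k) & 1 for k in range(8)] + [1]
    samples, phase = [], 0.0
    for i in range(len(bits) * SAMPLE_RATE // BAUD):
        freq = MARK_HZ if bits[i * BAUD // SAMPLE_RATE] else SPACE_HZ
        phase += 2 * math.pi * freq / SAMPLE_RATE
        samples.append(0.3 * math.sin(phase))
    return samples


def orange_box_sequence(frame, ack_wait_ms=150):
    """SAS (440 Hz, 300 ms), CAS (2130 + 2750 Hz, 80 ms), a blind pause for the box's
    DTMF ACK (assumed 150 ms; the Orange Box never listens for it), then the FSK data."""
    return (tone([440], 300) + silence(50) + tone([2130, 2750], 80)
            + silence(ack_wait_ms) + fsk(frame) + silence(50))


def write_wav(path, samples):
    """16-bit mono PCM, to be played into a Part 68 line interface as in (15)."""
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(SAMPLE_RATE)
        w.writeframes(b"".join(struct.pack("<h", int(max(-1.0, min(1.0, s)) * 32767))
                               for s in samples))


SAMPLE_TIME = datetime(2004, 6, 3, 14, 30)                            # constructed
SAMPLE_FRAME = build_mdmf("8005550199", "ACME WIDGETS", SAMPLE_TIME)  # constructed, not a real subscriber

if __name__ == "__main__":
    print(SAMPLE_FRAME.hex(), parse_mdmf(SAMPLE_FRAME))
    write_wav("orange_box.wav", orange_box_sequence(SAMPLE_FRAME))
```

parse_mdmf() is the receiver's view: it applies the same length and checksum checks a Caller ID box does, which is why an over-long name built with enforce_spec=False still parses (and is then up to the box to truncate, reject or choke on) while a single flipped byte does not. The mark run, bit framing and byte order matter as much as the tone frequencies; a receiver that sees a checksum mismatch simply displays nothing, which is the usual symptom behind the (17) question.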
Then it sends either a manufactured facsimile of a Caller ID data stream, or a recording of a real "live" Caller ID data stream. If successful, the Caller ID box will detect the CAS, send the ACK, receive the spoofed Caller ID data stream, and display it for the subscriber as if it were a real incoming new call.

(21) Is Orange Boxing legal?

That depends entirely on why you are doing it. Orange Boxing is probably completely legal for joke/gag purposes. Also, if you're a telemarketer you are probably aware of new telemarketing regulations that require you to transmit valid Caller ID that indicates a real phone number where the called party can reach your company. These regulations aren't specific on whether that Caller ID must come before the call is answered or if afterwards is OK. If you are doing telemarketing from home and don't want to give out your home phone number to everyone you call, then the Orange Box may allow you to comply with these regulations by letting you spoof your own company's toll-free number. However, if you are planning to use an Orange Box to deceive or harass someone, then perhaps it is for the best that its limitations make it least useful for these highly illegal and unethical purposes. We are not lawyers; ask one before you try doing something you think might be illegal.

(22) There *must* be a way to completely spoof an incoming phone call, with Caller ID between rings and all, isn't there?

There is, but it is not suitable for most people. The Vermilion Box is an encapsulation of several techniques that involves getting physical access to the target line, disconnecting it from the telephone company network, and then reconnecting it to a line emulator that powers the phones, rings the ringers, and sends a fake Caller ID message between rings. When the called party answers this "call", he or she has seen only your faked Caller ID before answering. This technique has numerous possible complications but is not completely infeasible.
For more information, read about the Vermilion Box at http://www.artofhacking.com/files/vermbox.htm .

(23) But I heard about a device used by the FBI that can fake Caller ID before answering! Why can't the Orange Box do this?

Occasionally, we have heard the claim of the existence of a small device that plugs into your wall jack, allows you to enter a phone number, and then causes that number to be displayed before answer on the Caller ID device of any number you call. This device is supposedly only sold to law enforcement agencies and works by sending a special tone sequence to the phone network before or during dialing. This claim gets posted to phreaking newsgroups and chat rooms from time to time, but no one has ever produced a working web link or literature citation to back it up. If we ever find solid evidence of the existence of this device, the next version of this FAQ document will be updated with what we know.

(24) What Orange Boxing programs are out there?

CIDSIM was written for DOS and the PC speaker way back in 1994 and as such never really worked as anything more than a demo of what the data stream sounds like. A somewhat updated 2001 version of it is still available, along with a few other wacky DOS-era tone toys for the obsessively curious, at http://artofhacking.com/files/index.htm , but expect nothing and you won't be disappointed.

S.O.B. was the first successful Orange Box program. It's sort of our seminal work on home-rolled Caller ID, but it is no longer actively developed. It is still available to download at http://artofhacking.com/orange.htm .

Spoob followed soon after, and is open source but works best on Linux. Its Perl source can be found at http://lab.digitol.net/code/spoob.pl .

The commercial programs CIDPad and CIDMage are lightweight and full-featured Caller ID signal generators, respectively. Each one can perform all the functions of a proper Orange Box, and both have additional capabilities (CIDMage has many more capabilities).
Look for more information and downloadable trials at http://codegods.net/cidmage .

(25) What other methods are available to defeat or spoof Caller ID?

Aside from Orange Boxing, there are two methods that can be used to spoof Caller ID.

The first is to use a PRI ISDN line. You probably don't have one of these in your house, as this kind of line is used to connect the many phones of a large corporation's PBX to the greater phone network. But the PBX attached to this line has the capability of assigning any number you want to the outgoing Caller ID of any phone attached to it. If you work at such a business, you might be in luck. See Lucky225's article in 2600 magazine, Spring 2003.

The other method is to procure an ANI failure when making a call. For local calls this is mind-blowingly unlikely to happen accidentally, but there are ways of deliberately procuring ANI failures. Once you have an ANI failure, your ANI will not be transmitted to the destination line, even if it is a toll-free line with real-time ANI. Now, if you can get an ANI failure on your way to calling an operator who can complete the call for you (Lucky225 described a method, reliable for a while, of getting this to happen with Telus operators), then the operator will ask for your number, you can answer with whatever number you like, and it will appear on the target's Caller ID receiver. This technique is sometimes called Op-Diverting.

In addition to these, several of the methods of defeating Caller ID (without spoofing a fabricated one) in Fixer's Beating Caller ID text file still work today.

(26) Where can I find more information about Caller ID and Orange Boxing?

http://www.ainslie.org.uk/callerid/cli_faq.htm
Alastair Ainslie's Caller ID FAQ. This is probably the most complete reference on Caller ID available, as it is the only one we have seen that attempts to cover all the Caller ID standards of the world.
http://mirror.lcs.mit.edu/telecom-archives/archives/caller-id/bellcore.specs
A list of Bellcore specifications on Caller ID. May be incomplete.

http://mirror.lcs.mit.edu/telecom-archives/archives/caller-id/specifications
The basic SDMF specification.

http://www.verizonfears.com
Lucky225's site. Includes a brief on Orange Boxing and some other techniques (of varying difficulty and practicality) for spoofing Caller ID.

http://www.artofhacking.com/files/BEATCID.HTM
Fixer's Beating Caller ID FAQ was first written in 1998 and has been updated little since then, but contains a description of the technical spec for Caller ID and some ways, which may or may not work today, to defeat it.

http://www.artofhacking.com/boxrvw.htm
Fixer's Coloured Box Review includes descriptions of every known Caller ID related phreaking device, among many others.

-------------------------------------------------------------------------

The Orange Boxing / Caller ID Hacking FAQ has been provided as a public service by the staff of artofhacking.com . Please do not modify this document and repost it. If you wish to make additions or corrections, please email your contribution to dethmeow@artofhacking.com . Your contribution will be included and gratefully acknowledged in the next release of the FAQ.

This is a copyrighted document and must not be modified or redistributed in any way not explicitly permitted here. You are permitted to post this FAQ on any free public website (with or without advertising) as long as a link to http://artofhacking.com is placed in close proximity to and in equal prominence to the link to this document, and as long as the FAQ is not modified in any way. We reserve the exclusive right to publish this document on paid electronic or tangible media.

You may contact us by email at dethmeow@artofhacking.com or webmaster@artofhacking.com, or by snailmail at:

Whirlwind Software
PO Box 8619
Victoria BC V8W 3S2
Canada

© 2004 Whirlwind Software. All Rights Reserved.