Subject: Caller ID Spoofing
Date: 18 Feb 2004

On landlines, it depends on which switch you have. If you're on a 5ESS (AT&T) your chances are nil. But if you're on a DMS-100 (Nortel) it is a very real possibility. And, of course, that is a very popular switch.

On DMS-100s there is a feature called SDNA (Setting Up DN Attributes). DN, of course, stands for Directory Number (the ANI). This is a legitimate feature for use by hotels, hospitals, and other large entities where they don't want the individual ANIs being sent out but rather only the main number. For example, if you were at a big hotel in Las Vegas with 4,000 rooms and you made a direct outgoing call from your room, the CallerID received by the person you were calling would be 702-855-8000, or something really nice like that. (I just made that up, it's not a real number.) That way, the person receiving the call does not receive the individual ANI of the exact line that was used for the call, but rather the number of the switchboard. A Very Nice Feature! If you stop and think, you can probably remember when you experienced this yourself somewhere.

Obviously, on large phone systems like that, there is provision by design for this capability. But, of course, they don't call it "spoofing CallerID" either! The DMS-100 can do it with SDNA, and I'm sure if you ask someone who works a lot with large PBX equipment that they could tell you how to do it on individual PBXs. And, as mentioned, it can also be done with ISDN. And with SDNA the spoofed number can be anything. It doesn't have to be the main switchboard's number (at least from a capability standpoint).

Are you a medium-sized business? Perhaps you can ask for this feature! Expect to make a few phone calls though. And they may not be willing to do it, even though they know they can. They may tell you that you'll have to use your own equipment for that feature. So, if you don't have a PBX, you may want to deal with someone who works there instead.
As long as you are asking them to change it to your main number they should be willing to do it for you. But the business office may stonewall you.

As far as spoofing CallerID yourself directly over your line, I don't think that's possible because the CallerID signal originates in the Central Office just prior to call connect. You can't pass CallerID signals if you're not connected to the person's line you are calling. However, I have seen a program called an Orange Box which can spoof the Call-Waiting CallerID. I never tried it but it sounds like it would really work.

Also, certain law enforcement agencies can spoof CallerID. Mostly DEA, FBI, CIA, etc. They use a small device hooked up to the phone, probably between the phone and the wall jack. But, I suspect it merely issues commands to the switch. And it's the switch which actually changes the CallerID. And, I also suspect that there is documentation, warrants, paperwork, etc., for every CallerID they spoof. If this were not provisioned for them in this way, they would have to call a technician at the phone company in every instance where they needed to call a suspect or someone under investigation and needed to protect their true CallerID. That would be too much work for the phone company, so they just let them do it themselves. There are certain very low-profile electronics companies which make super-cool stuff like that for law enforcement.

So, can you spoof CallerID on your home phone? Well, I did. There are three ways of course:

(1) Hack into the DMS-100 and do it yourself (unlikely, very risky, but admittedly possible).
(2) Social engineer it over the phone through someone at the phone company with switch access, such as RCMAC.
(3) Know someone at the phone company with switch access who will do it for you (again, unlikely, since almost no one with a good job these days wants to risk losing it over something silly like spoofing CallerID).

The SDNA details involve a simple Service Order (SERVORD).
I am not going to post them here. DMS-100 has its own Help system called Helmsman though. And instructions and examples for SDNA are there.

When I did this on my home phone I social engineered it and changed it to a 345 number in the Cayman Islands of a resort hotel. It lasted for about two years until I got in trouble for some other stuff. And PacBell Security took it off, along with the incorrect CallerIDs I had placed on various PacBell payphones around the area. Evidently, they did a network-wide scan of all the switches and even found a few of my favorite ones which I had HOPED would remain on there forever! Nothing lasts forever, I guess. But it was fun while it lasted.

There is a feature offered in Canada by one of the phone companies there called Alternate Caller ID, which uses the SDNA feature to put a false Caller ID on your line. It is intended to get calls through to people who use Anonymous Call Rejection. If the person tries to call back the number, they get a message saying, "The person you are trying to call cannot be reached at this number." I don't remember which company and also don't know if they're still offering it.

Also, please remember that spoofing CallerID will not deter phone company investigators much. They can look up not only the ANI/CallerID received on the called party's line, but also look up the NUMBER CALLED through toll records in the switch/network to see what number called that party. And, finally, don't forget about your voice. Calls can be recorded and your voice is evidence in court. In that scenario, it doesn't matter where the call came from. Bad boys, bad boys, whatcha gonna do when they come for you? Answer: go to jail.

I say these things for the sake of anyone reading this who is contemplating spoofing CallerID for the purpose of hiding his true originating number. So, if you social engineer SDNA and change the CallerID on a quiet payphone somewhere, then go and have surgery on your vocal cords, you should be safe! ;-)

I don't know if there are any REALISTIC voice-changing electronic gadgets out there or not. Any comments on that? (emphasis on REALISTIC, i.e., BELIEVABLE) I must admit though that there are some guys who can sound just like a girl, and there are some girls who can sound just like a guy with a small amount of effort.

The laws against hacking and phreaking are getting stricter and stricter and the penalties harsher and harsher every year that passes. And when several years go by and it's all behind you, you may find yourself with a felony on your record and find it is hard to get a job with a big company in IT. Just remember that. It's not worth it.

But no one asked about all that, you just wanted to know about spoofing CallerID. Well, there's your answer.

One last note: CallerID was invented by a WOMAN at Bell Labs! ;-) So, all you girls out there, THERE'S HOPE for you in IT. ;-)