[IP] VoIP hacks gut Caller I.D.
Begin forwarded message:
From: Monty Solomon <monty@xxxxxxxxxx>
Date: July 7, 2004 1:27:35 PM EDT
To: undisclosed-recipient: ;
Subject: VoIP hacks gut Caller I.D.
VoIP hacks gut Caller I.D.
Implementation quirks in Voice over IP are making it easy for hackers
to spoof Caller I.D., and to unmask blocked numbers.
By Kevin Poulsen, SecurityFocus Jul 6 2004 1:54PM
Caller I.D. isn't what it used to be.
Hackers have discovered that the handy feature that tells you who's
calling before you answer the phone is easily manipulated through
weaknesses in Voice over IP (VoIP) programs and networks. They can
make their phone calls appear to be from any number they want, and
even pierce the veil of Caller I.D. blocking to unmask an anonymous
phoner's unlisted number.
At root, the issue is one of what happens to a nugget of
authentication data when it leaves the tightly-regulated realm of
traditional telephony, and passes into the unregulated domain of the
Internet.
On the old-fashioned phone network, Caller I.D. works this way: your
local phone company or cell phone carrier sends your "Calling Party
Number" (CPN) with every call, like a return address on an envelope.
Transmitted along with your CPN is a privacy flag that tells the
telephone switch at the receiving end of the call whether or not to
share your number with the recipient: if you have blocking on your
line, the phone company you're dialing into knows your number, but
won't share it with the person you're calling.
This arrangement relies on telephone equipment at both ends of the
call being trusted: the phone switch providing you with dial tone
promises not to lie about your number to other switches, and the
switch on the receiving end promises not to reveal your number if
you've asked that it be blocked. In the U.S. that trust is backed by
FCC regulations that dictate precisely how telephone carriers handle
CPNs, Caller I.D. and blocking. Most subscribers have come to take
Caller I.D. for granted, and some financial institutions even use
Caller I.D. to authenticate customers over the phone.
...
http://securityfocus.com/news/9061
-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/