The New VoIP Magazine

Digium CTO parses unblocked Caller ID hack

July 22, 2008 – 10:00 pm | by VoIP


Normally, punching in *67 should block Caller ID information from being passed through to the party receiving the call. But, as security consultant Kevin Mitnick has demonstrated and Digium CTO Mark Spencer explains, it’s not 100 percent foolproof.

At The Last HOPE hacker conference over the weekend, Mitnick demonstrated how an appropriately configured Asterisk box and a suitable SIP trunking service can be used to deliver Caller ID information even on inbound calls that have a “Private” flag set.

“There are legitimate reasons why you need to set the Caller ID to normal [and carry that information forward,]” said Digium CTO Mark Spencer. “If, for example, I’m in an enterprise environment and I want to have calls forwarded [from my office number] to my cell phone, [the PBX] needs that information.”

Mitnick used the “enterprise class” VoIP/SIP trunking provider FlowRoute to get a phone number (DID) and a service that would deliver all of the call information to an Asterisk server. The Asterisk server is simply set up/scripted to pass along all Caller ID information for inbound calls, regardless of the setting of the privacy flag on the call.
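The article does not say how the trunk signals the “Private” flag. Assuming it is carried as the SIP `Privacy: id` header alongside `P-Asserted-Identity` (RFC 3325), this added example (not code from the article, Digium or FlowRoute) shows the provider-side control that keeps the asserted number from reaching a PBX outside the trust domain. The hostnames, numbers and function names are constructed for illustration.

```python
# Added example: RFC 3325 privacy enforcement at a trust-domain edge.
# SAMPLE_INVITE is constructed sample data, not captured traffic.
SAMPLE_INVITE = (
    "INVITE sip:15555550100@pbx.example.net SIP/2.0\r\n"
    'From: "Anonymous" <sip:anonymous@anonymous.invalid>;tag=1\r\n'
    "To: <sip:15555550100@pbx.example.net>\r\n"
    "P-Asserted-Identity: <sip:+15555550199@carrier.example.net>\r\n"
    "Privacy: id\r\n"
    "Call-ID: constructed-1@carrier.example.net\r\n"
    "\r\n"
)

def split_message(message):
    """Return (start_line, header_lines, body). Folded headers are not handled."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], lines[1:], body

def header_values(header_lines, wanted):
    """Values of every header named `wanted` (header names are case-insensitive)."""
    out = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == wanted:
            out.append(value.strip())
    return out

def asserted_identities(message):
    return header_values(split_message(message)[1], "p-asserted-identity")

def forward(message, peer_trusted):
    """Return the message as it should leave the edge proxy for this peer."""
    start, headers, body = split_message(message)
    if peer_trusted:
        return message  # inside the trust domain the identity may travel on
    # Privacy carries ';'-separated priv-values, e.g. "id;critical"
    requested = {v.strip().lower()
                 for value in header_values(headers, "privacy")
                 for v in value.split(";")}
    if "id" in requested:
        # Caller asked for privacy: the asserted number must not cross the boundary.
        headers = [h for h in headers
                   if h.partition(":")[0].strip().lower() != "p-asserted-identity"]
    return "\r\n".join([start] + headers) + "\r\n\r\n" + body

if __name__ == "__main__":
    print(forward(SAMPLE_INVITE, peer_trusted=False))
```

Whether a customer PBX counts as trusted is the provider's policy decision; the unmasking described above depends on the receiving server being handed the identity regardless of the flag.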

Spencer also noted that Caller ID information is carried along and recorded for “private” calls to toll-free numbers; the information is necessary for proper billing.

Spencer is not happy about Asterisk being put to questionable uses, but since it is open source, there is little he can do about it. “I hate to say it, but the same reasons why Asterisk is attractive to a lot of businesses, it’s low cost, it can be easily tweaked, it’s more flexible, make it easy for using it for an illegitimate purpose,” said Spencer. “It’s a very powerful platform. I’m not thrilled about it being used for fraud and I’m not thrilled with companies who build products on it in competition with Digium, but there’s not a lot I can do about it.”

For more:
- Engadget snags Mitnick demo video from The Last HOPE conference

Related articles:
- Last Hope Launches Security Season
- VoIP Security and the Circle of Trust
