A gentle introduction to caller ID spoofing
Last updated: Oct 24, 2020
Phone and real-time communications systems in general make use of caller ID to indicate who is calling when a phone is ringing. Caller ID is that little number that shows up on your phone telling you that it is your boss calling. The number is often matched against your phone book to show an actual name. This feature is not only available on PSTN (public switched telephone network) but also in the VoIP systems that have been replacing it in the past dozen or so years. And it is ripe for abuse!
In this series of posts on Communication Breakdown, we shall be looking at various ways that caller ID may be perverted. We will not focus on PSTN or on how to use online services to abuse caller ID, as this is well covered by other public material. Instead, we will describe how VoIP and WebRTC systems may be affected by vulnerabilities related to caller ID. What we’re interested in is how some of these online services actually work, how such attacks can be reproduced in a lab environment, the related protocols and the security solutions.
What is caller ID spoofing?
The caller ID is typically abused by adversaries, such as cyber-criminals, fraudsters and telemarketers, through caller ID spoofing; that is, faking the number or name that is supposed to originate an incoming call. It is a classic trick for the phone phreaks of the past but it is still alive and kicking. With caller ID spoofing techniques, attackers can fool their victims into thinking that their boss is calling, while it is actually a friendly social engineer trying to get them to reveal sensitive material (e.g. passwords or an upcoming acquisition) or perform certain actions (e.g. transfer funds to an offshore bank account). Or the attack target might not even be a human, but instead, lines of code forming a voicemail system.
How has it been abused in the past?
Caller ID spoofing is therefore quite a versatile technique that can be abused in various ways. The obvious use is to supplement social engineering techniques. And it can scale: it is often used by robocallers in telemarketing, spam calls and other automated schemes. With AI voice systems, please excuse the buzz words, this can get very interesting and scale pretty well. It may also be used to bypass authentication, typically to access someone else’s voicemail or, at least in the past, say, a Twitter account. It has been used in swatting, where someone calls 911 spoofing the caller ID of a victim, who ends up with a SWAT team breaking into their house. On a lighter note, it may even be used to target vulnerabilities more typical of Web applications, such as cross-site scripting (XSS) and SQL injection.
With SIP user-agents, the caller ID is typically derived by the client from the From header. So a header such as From: "Emergency" <sip:firstname.lastname@example.org> will show the caller ID as Emergency and email@example.com. Of course, such simple attacks are prevented or blocked on most RTC systems used by end users. On the other hand, there are various less obvious cases where caller ID spoofing is a problem.
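As an added illustration (not code from the original post), here is a small Python checker that parses the From header of a SIP request and flags the two problems this series returns to: a From identity that differs from the account the sender actually authenticated as, and a display name carrying markup that a web front-end might render. The SIP messages, the extension numbers and the pbx.example.test host are constructed for the example.

```python
import re

# Display name and URI of a From header value, e.g. "Emergency" <sip:911@host>;tag=x
FROM_RE = re.compile(
    r'^\s*(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<plain>[^<"]*?))\s*<(?P<uri>[^>]+)>'
)

def parse_from(value):
    """Return (display_name, uri); bare 'sip:user@host;tag=..' has no display name."""
    m = FROM_RE.match(value)
    if m:
        name = m.group("quoted")
        if name is None:
            name = m.group("plain").strip()
        return name, m.group("uri")
    return "", value.strip().split(";")[0]

def uri_user(uri):
    """User part of sip:user@host[:port][;params], or '' if absent."""
    m = re.match(r'^sips?:(?:(?P<user>[^@;>]+)@)?', uri)
    return m.group("user") if m and m.group("user") else ""

def check_caller_id(message, authenticated_user):
    """Flag a From identity that differs from the account the sender actually
    authenticated as, and display names carrying markup or quote characters."""
    findings = []
    for line in message.split("\r\n"):
        # header names are case-insensitive; 'f' is the compact form of From
        if re.match(r'^(from|f)\s*:', line, re.IGNORECASE):
            name, uri = parse_from(line.split(":", 1)[1])
            user = uri_user(uri)
            if user != authenticated_user:
                findings.append(f"from-user {user!r} does not match authenticated account {authenticated_user!r}")
            if re.search(r'[<>"\'&;]', name):
                findings.append(f"display name {name!r} contains markup/quote characters")
            return findings
    return ["no From header"]

# Constructed samples, account 2001 authenticated: spoofed emergency caller, honest caller, HTML in name
SPOOFED_INVITE = ("INVITE sip:2002@pbx.example.test SIP/2.0\r\n"
                  'From: "Emergency" <sip:911@pbx.example.test>;tag=1a2b\r\n\r\n')
HONEST_INVITE = ("INVITE sip:2002@pbx.example.test SIP/2.0\r\n"
                 "From: <sip:2001@pbx.example.test>;tag=77\r\n\r\n")
MARKUP_INVITE = ("INVITE sip:2002@pbx.example.test SIP/2.0\r\n"
                 'From: "Boss <b>urgent</b>" <sip:2001@pbx.example.test>;tag=9z\r\n\r\n')

if __name__ == "__main__":
    for label, msg in (("spoofed", SPOOFED_INVITE), ("honest", HONEST_INVITE), ("markup", MARKUP_INVITE)):
        print(label, check_caller_id(msg, "2001"))
```

On a real proxy the authenticated identity would come from the digest-authenticated account or a trusted P-Asserted-Identity header rather than a hard-coded string.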
So, here are some of the subjects we would like to cover on caller ID spoofing:
- Technical details on how SIP UACs (user-agent clients) such as softphones and hardphones are affected.
- Technical details on how SIP proxies and PSTN gateways may be abused.
- How voicemail and similar systems that rely on caller ID for authentication are attacked.
- How spoofing the caller ID in SIP may allow for abuse of security flaws typical of Web applications, such as XSS and SQL injection.
- How non-SIP protocols, such as XMPP, used by certain video conferencing systems, may also be vulnerable.
- A technical and offensive look at STIR/SHAKEN, which is meant to address caller ID spoofing in VoIP systems at the phone-company level on the PSTN.
Being able to set the caller ID is often a legitimate feature of phone systems. Especially in VoIP, being able to set a name, surname and perhaps a phone number for an originating call is part of the protocol definition. This potentially makes such systems vulnerable to caller ID spoofing. In the future, we plan on looking at the technical details behind how this is done on VoIP and WebRTC systems, and at the solutions that can prevent such vulnerabilities.