[VOIPSEC] Truths on "Truth in Caller ID Act"
Dustin D. Trammell
dtrammell at tippingpoint.com
Mon Oct 9 11:46:38 CDT 2006
On Fri, 2006-10-06 at 21:49 -0400, Mpierce1 at aol.com wrote:
> In a message dated 10/5/2006 3:47:25 PM Eastern Daylight Time,
> dtrammell at tippingpoint.com writes:
> > I can confirm that as recently as 2003, it was still possible to
> > spoof CLI through simple social engineering.
> Presuming that the reason that the long-distance carrier asked for
> your number was to know who to bill the call to, I would find it hard
> to believe that any would accept your number verbally, much less let
> it be presented to the called party. Maybe some did since they lacked
> something better. I suspect they are out of business. So you did it in
> the mid 90's. Do you mean that you were able to place a call and get
> it charged to someone else, or do you really know that the spoofed CLI
> was delivered to the other end? I think we've advanced a lot in 10
> years so that what you described would no longer work.
No, the call was billed to a pre-paid calling card or credit card. The
point of doing all the operator-assisted call placement was to first
null any ANI/CLI (I honestly admit I have no idea why this worked), and
then replace it with information that you verbally told the long
distance operator when (s)he asked for it. This technique was used
regularly for assistance in social engineering and to pass
authentication that used CLI to authenticate users. The last time that
I personally performed this hack was the mid 90's; however, as I
mentioned above, I can confirm that this worked as recently as 2003.
Also, they are not out of business; the long distance carrier used was
AT&T.
> You seem to argue that there are no valid uses of the CLI that exists
> today in the PSTN just because a few people figured out how to hack it
> sometime in the past.
No, I'm arguing that there have never been valid uses of CLI above and
beyond casually identifying the owner of the line that the call is being
placed from, and even that should be treated with skepticism because it
has always been spoofable in one way or another. But regardless of how
it's broken now or broken then, we both agree that it needs to be fixed
in a technical manner because CLI /should/ serve a useful purpose. I
just don't believe that it can be fixed in the VoIP world without a
strong way to identify users. I also don't believe that legislating
against spoofing CLI in the U.S. will do much, especially when you're
dealing with a global telephony system, over IP or not.
--
Dustin D. Trammell
VoIP Security Research
TippingPoint, a division of 3Com