In Risks 21.51, Alexandre Pechtchanski wrote of receiving a phone call with
"hacked" Caller ID information. In fact, it is likely no such "hack"
occurred, nor is a hack necessary.
Caller ID (actually CNID, Calling Number ID) is based on data that is sent
on trunk lines along with other SS7 signalling data in a phone system. For
home users, this information is normally the originating phone number for
the call, as that is how your local telco has their switches set up.
Things are a bit different for PBX (Private Branch Exchange) systems,
typically found in businesses. They feed directly into telco trunk lines,
and the systems are responsible for feeding their own CNID information into
the telephone network.
Most newer PBXs can be programmed to either send along the originating phone
number of a call or to send a single pre-programmed piece of information. As
an example, a company may want the same information sent (say the company
name and their main incoming phone number) on all outgoing lines so those
receiving calls from the company see the company name and number rather than
the number corresponding to the actual outgoing phone line used to place the
call.
This is all perfectly OK, as CNID data is not and was never designed to be
secure, and is not used for anything but caller ID services.
In Alexandre's case, it's likely a telemarketer either just programmed a
nonsense number into their PBX, or perhaps their PBX came preprogrammed from
the vendor with a "sample" phone number in place (e.g. "John Doe (212)
555-1212").
Note that there is a completely different system, ANI (Automatic Number
Identification), that is used when it is important a caller be properly
identified. It is ANI information that is used to generate phone
billing records and to provide calling number identification for 911 services.
(For the security conscious, ANI information is also NOT blockable, and
most phone companies offer real-time ANI to their toll-free customers. This
means that even if you have "Caller ID blocking," if you call a company
using their toll-free number, they will have your phone number pop up
on their screen when the phone rings on their end or will receive it in their
end-of-month statement. This has been ruled fair, as THEY are paying for the
phone call, thus they have a right to know who is calling them.)
The real RISK here is trusting a system that was never designed to be even
remotely secure as a source of accurate information as to the identity of a
caller...
William Kucharski ["William Kucharski" via risks-digest Volume 21, Issue 59]
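
An added example, not part of the original post: Python call-screening logic that treats CNID as caller-supplied display data and relies on ANI only where the carrier delivers it, as on a toll-free line. The record fields, category names and phone numbers are constructed for illustration.

```python
import re

# Constructed call records. "cnid" is whatever the originating switch or PBX
# chose to send; "ani" is the billing number, or None when not delivered.
SAMPLE_CALLS = [
    {"cnid": "(212) 555-1212", "ani": None},
    {"cnid": "303-555-2671", "ani": "3035552671"},
    {"cnid": "303-555-2671", "ani": "7205553984"},
    {"cnid": "", "ani": "7205553984"},
]

def normalize(number):
    """Return a 10-digit NANP number, or None if the input cannot be one."""
    digits = re.sub(r"\D", "", number or "")
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    # NANP rule: area code and exchange each start with a digit 2-9.
    if not re.fullmatch(r"[2-9]\d{2}[2-9]\d{6}", digits):
        return None
    return digits

def is_placeholder(digits):
    """True for 555-1212 (directory assistance) and 555-01XX (fictional use)."""
    return digits[3:6] == "555" and (digits[6:] == "1212" or digits[6:8] == "01")

def assess(call):
    """Classify one call record; CNID alone never proves who is calling."""
    cnid = normalize(call.get("cnid"))
    ani = normalize(call.get("ani"))
    if cnid is not None and is_placeholder(cnid):
        return "cnid-placeholder"        # sample or nonsense number in the PBX
    if ani is None:
        return "cnid-unverified" if cnid else "unidentified"
    if cnid is None:
        return "ani-only"                # CNID blocked or malformed
    if cnid == ani:
        return "cnid-matches-ani"
    # Normal for a PBX that sends the company's main number on every line,
    # so a mismatch is recorded but not treated as evidence of fraud.
    return "cnid-differs-from-ani"

if __name__ == "__main__":
    for call in SAMPLE_CALLS:
        print(call, "->", assess(call))
```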