Spoofing Caller-ID

Back in February, I read Confessions of a Caller-ID Spoofer by Paul McNamara over at Network World. Caller-ID spoofing is a "feature" in many telephony platforms. Let me explain further. Showing the main billing number or master directory number listing on digital trunks for outbound calls is an old practice but substituting the number for someone else isn't. This is what McNamara points out in his article and this substitution is perfectly legal today, probably because it wasn't given any thought.

Back in February, I read Confessions of a Caller-ID Spoofer by Paul McNamara over at Network World.

Caller-ID spoofing is a "feature" in many telephony platforms.

Let me explain further. Showing the main billing number or master directory number listing on digital trunks for outbound calls is an old practice but substituting the number for someone else isn't. This is what McNamara points out in his article and this substitution is perfectly legal today, probably because it wasn't given any thought.So, in a few minutes time, I was able to easily spoof the: WHITE HOUSE 202-456-1414 and thus began my mischief. I did all this not on our system but on another system that I agreed to test.

First on my list was Eric and his Norstar isn't caller-ID enabled. So, I grabbed Fred's cell number and not all cell companies will pass the name but at least he got the number and only wondered "who's calling me from DC." Next, I hit my electrician's cell and then a landline, and of course his Cisco IP phone only showed the number 202-456-1414, as did his cell phone. Unhappy that I couldn't get results, I called on a distributor and he said "you're funny"- and did a conference call to the number on his display (from my call) and after hearing the double ring cadence and the operator answering "White House" he promptly hung-up. He said, "you weren't kidding!" Then, I called on a sales guy and again, no name was shown, just the number.

I'm not trying to terrorize anyone and I did test with our system and my home phones before I started calling on others. My HYBRID IP system and home phones showed WHITE HOUSE 202-456-1414 (caller-ID Name & Number) each and every time. Next, I tried my iPhone and surprise- only the number was shown. This is a limitation on Apple's part- names are only displayed if they are currently in your contacts directory. I'm not one to give up easy, so as it approached 3:30 (School's Out) I called my wife's AT&T cell phone, and let it ring until I was forwarded to voice mail and then I hung up. She previously explained to me the younger person attitude about caller-ID. "If you see a person's caller-ID as a missed call on your cell phone then that's enough of an indication that you are expected to call that person back." Okay honey (speaking of my wife), now let's see if you abide by that rule. So I waited knowing that she was in a staff meeting. Would she call the White House? Did the call even show the White House or just the number? My electrician said to call his home and leave a message and he'd check later to see if the name and number showed up.

Later in the day, I replaced the WHITE HOUSE number with some other numbers including un-listed numbers. The names and numbers did show up on my HYBRID IP-PBX every time.

So- what does this mean?

With enough patience, the bad guys- whoever they are, can plug numbers in and call themselves all daylong, documenting names with numbers that are unlisted. They can also virtually identify any telephone number. I'm sure some programmer savvy enough could create a dialing script (war dialer), and the call data found in the system used, would act as the log collecting all those call records. Impersonation is easy with caller-ID spoofing. For the record, I stopped here and only called people that I know. With ease, someone that is bad or diabolical could easily disrupt many lives by using the telephone as a cloaked weapon. The system I'm testing allows me to export this log as an Adobe file.

McNamara is right that this is a security threat and it's one not to be taken lightly since it can easily cause havoc on 911 centers, first responders and many, many others. For the number of times that I've entered the main billing telephone number into the data field so the caller-ID would display the customer's company listed number instead of other company numbers, I never gave it any thought. This is hole in many telephony systems was well intended but the carrier networks are seemingly wide open to what's more than mischief and they need to pony up and close this open door. I'm puzzled that the US Senate hasn't acted with immediacy on this. Maybe I should try calling the WHITE HOUSE.