R o o t s e c u r e . n e t
The Security News Site For Systems Administrators & Hackers Wednesday, 12th August 2009 @ 00:04:20 GMT 
Reports | Automated Caller ID / ANI Spoofing
{8th Jul 2004}
Is the White House calling your mobile?

What is Caller ID?
Caller ID is a service provided by most telephone companies (for a monthly cost) which will tell you the number / name of an incoming call. [Definition: Hack FAQ ]

What is ANI?
Automatic Number Identification is a system used by the telephone company to determine the number of the calling party. There are believed to be two types, "FLEX ANI" (used for e.g. verification services such as voicemail) which is relatively easy to spoof, and "Real Time ANI" (used only for billing purposes on e.g. 800 numbers) which is harder to spoof. [Definition: Hack FAQ ]

What is ANI / Caller ID spoofing?
ANI / Caller ID spoofing is setting the ANI / Caller ID on the outgoing call you are making to a 10 digit number of your own choosing. Traditionally it has been a complicated process either requiring the assistance of a cooperative phone company operator or an expensive company PBX system.

What is Automated ANI / Caller ID spoofing?
Automated ANI / Caller ID spoofing is setting the number you are calling from without the use of an operator / company PBX system. By far the easiest method thanks to the increasing take-up of internet telephony services are VoIP (Voice over Internet Protocol) service providers who allow you when using their service to set whatever caller ID you like (which is also used as ANI).

Which VoIP service providers support spoofing?
VoicePulse and Nufone both allow spoofing (verified February 16th 2004, 7th July 2004). IAXtel is understood not to support spoofing.

Is international calling / spoofing possible?
Both Nufone, and VoicePulse Connect support international calling, (dial 011+country code+number) however you may need to modify your extension file to recognise the international format e.g. exten => _011N.,1,Dial,IAX2/[email protected]/${EXTEN} Spoofing using VoicePulse to a UK Ericsson T610 mobile phone / landline with caller ID has been verified working, it displays the calling number (if the number is in the address book it will display the name / photo listed for it instead). The leading zero should be left off when spoofing, eg 20-1111-1111.
[Update: As of 5th June 2004 this no longer appears to work, caller id shows up as "unavailable"]

How can I spoof ANI / Caller ID
Requirements: A spare computer with a Linux compatible network card, basic Linux knowledge, Redhat 9.0 CDs, a broadband Internet connection, a VoIP hardware phone / compatible software phone, an account with a VoIP provider.

Overview of the process:
1. Follow the instructions in Andy Powell's, "Getting Started With Asterisk" guide for the initial Linux install.
2. Add the following lines to your extension config file in the same context as your SIP phone.
exten => 33,1,Answer
exten => 33,2,AGI(cidspoof.agi)
4. Sign up with a VoIP provider.
5. Add appropriate details into your IAX config file (as issued by your VoIP service provider).
6. Download the cidspoof.agi script changing line 77 to the correct username / hostname for your VoIP IAX service provider, and copy it to /var/lib/asterisk/agi-bin/.
7. Start Asterisk
8. Check your SIP phone has correctly registered / verify you are able to make a SIP to PSTN call.
9. Call extension 33, enter the 10 digit number you wish to spoof from, followed by the 10 digit number you wish to spoof to.

A simpler alternative is to use the command SetCallerID(2121111111) in the "extensions.conf" file direct however it will have to be manually edited and Asterisk reloaded for every call.

Is it possible to get a dial in number to enable remote spoofing?
DID (direct inward dial - USA) / DDI (direct dial inward - UK) numbers are available from both Voicepulse and Nufone with no minimum contract period.

Nufone only offer numbers in the state of Michigan for $7.50 per month. Voicepulse offer a wide variety of area codes / exchanges for $7.99 per month.

[2007-01-05 Update: NuFone have emailed to mention they can now provide DIDs in most States at $5.00 per month, and that while they do allow the setting of 'Calling Party Number' they also "reserve the right to suspend and/or terminate any account that abuses the privilege".]

What are the other advantages of a DDI / DID number?
1. It can act as an extra phone line.
2. It can run a conference / call centre service, since the line is never busy unless your Asterisk PBX server box says it is.

Is it legal?
It appears to be perfectly legal, as long as it is not used for fraudulent purposes.

What are the security implications of ANI / Caller ID spoofing?
  • Most of those relying on it do not realise how easy it is to spoof.
  • Automated / manual verification systems such as used by credit card companies can be sent false information.
  • Identity spoofing e.g. someone calls the mobile phone of a prominent employee in a company spoofing the caller id of a fellow worked who is in their address book. The name of the fellow worker shows up on the target's phone screen, and due to the limited bandwidth (reduced quality) of calls over the cellular / mobile network the target does not realise (would you question the identity of a colleague?) who they are actually talking to.
  • Most mobile / cellular phone providers offer an answer phone service which can be set to not require a pin when calling from the phone itsself. Some of these services verify using ANI and can therefore be accessed by anyone spoofing the phones own number when calling the message centre.
[2006-04-29 Update: Alternate spoofing scripts: extension verison, 2 Line extension verison, Perl AGI version from ntheory.]