Security Advisory
Vonage® VoIP Forum - Vonage News, Reviews And Discussion » Vonage Forum Archive
Robbo
New Forum Member
Joined: Jun 18, 2003
Posts: 3
Posted: Tue Aug 19, 2003 1:25 am
Post subject: Security Advisory
Has anyone seen this? Can't find a response from Vonage. Should I be worried?
---------
Original Advisory: Wednesday, August 13, 2003
Severity: Medium - High
Description: An attacker using the Voip (Voice Over IP) carrier Vonage,
has the ability to spoof the caller ID of a called party through the
three-way calling feature. This trick essentially acts similar to a
POTS-based diverter, as it allows the attacker to carry out illicit
telephone activities while hiding his or her phone number.
Version: This was tested using Cisco Systems' ATA 186 Voip hardware on the
Vonage carrier.
Author: Nathan Wosnack
Vonage Background:
"Using an existing high-speed Internet connection, Vonage technology
enables anyone to make and receive phone calls - worldwide - with a
touch-tone telephone. Offering quality phone service bundled with enhanced
IP communications services, our interactive communications portal is a
gateway to advanced features only available through digital telephone
service. Utilizing our global network and advanced routing technologies,
Vonage offers an innovative, feature-rich and cost effective alternative
to traditional telephony services."
Description of the problem:
By using SIP-enabled voice over IP (VOIP) hardware such as the Cisco ATA
186 Analog Telephone Adaptor, it's possible to spoof the caller
identification that shows up on a call. The attacker only needs to call up
a regular phone line (POTS - plain old telephone service), place the
caller on hold, flash over to a dial tone using the threeway call feature,
and then call a second party for this to work. The caller ID information
that tends to show up is the first called party's telephone number with
either their name listed or "unknown name" showing on a conventional
caller-id enabled telephone. The opportunity for abuse is high and could
allow the determined attacker to social engineer your telephone, cable, or
utility company into modifying your services. Since many companies only
require the person's name, address, and caller id for account
authentication, this vulnerability helps the attacker. The other
opportunities this vulnerability gives the attacker is the ability to
spoof anyone's caller id information for phone hacking (often
called "phreaking"); such as breaking into voice mail accounts and PBX
exploitation for the purpose of proprietary information gathering and
telephone fraud.
Solutions to the problem:
This issue is something that Vonage will need to investigate on their end.
The proper routing of caller id information after a third-party call is
initiated is the problem, and needs to be resolved by the Vonage IT staff
figuring out why their Voip switching equipment doesn't pass this data
properly. The Hypervivid Solutions staff has contacted Vonage directly
about this issue, so it can hopefully be resolved shortly.
For everyone else, your best defense is to be aware of who is calling you.
If you happen to receive a phone call from an unknown party who wants to
place you on hold, hang up immediately and then call them back.
If you hear a recording telling you the number is not in service, then
you've likely reached a Vonage gateway number, which means you were likely
called by someone attempting to exploit this Vonage Voip vulnerability.
Conclusion:
In the past year, Voice over IP telephony has seen many security issues.
The Voip issues range from vendor implementations of the Session
Initiation Protocol (SIP), problems with remote-accessible code which can
be exploited to cause a denial of service, Voip phones that are weak in
ways that facilitate man-in-the-middle attacks directed at intercepting
telephone traffic, and most recently 3-way caller ID spoofing on Vonage.
When the information security community works closely with vendors and
carriers, these problems can be resolved quickly and efficiently enough to
limit or even eliminate any abuse by phone phreaks and criminals.
Related Links:
http://www.hypervivid.com/ - Information, Telecom and Wireless Security Consulting Firm.
Vendor Contact:
http://www.cisco.com/ - Cisco Systems, Inc. Manufacturer.
http://www.vonage.com/ - American Voip telecom carrier.
g
Guest
Posted: Tue Feb 03, 2004 11:41 pm
Post subject: firmware
Don't have the service, but thought this was fixed in the next firmware upgrade for the Cisco ATA.
spoofing
New Forum Member
Joined: Feb 05, 2005
Posts: 2
Posted: Sat Feb 05, 2005 10:57 pm
Post subject: Fake caller id
Go to www.covertcall.com/6133. This site offers caller ID spoofing.
Check it out. Only 5 cents a minute...
There is a free test you can do.
So go to the link, register your phone number and call yourself off the test to see different numbers come up on your caller ID.
When you register though, know that you're using your phone number, and you won't be able to register that # again.
DarKev
Vonage Forum Evangelist
Joined: Jan 25, 2005
Posts: 336
Location: Gatineau, QC
Posted: Sun Feb 06, 2005 1:28 am
Post subject:
The Caller Id spoofing was happening with Call Transfer (announcement). The feature was activated using #91. It was not the 3-way calling feature that was causing the spoofing.
Over the past couple of months, Vonage has disabled #91 from doing this. So we all have nothing to worry about.
matth
Vonage Forum Master
Joined: Dec 07, 2004
Posts: 281
Location: Williamsport, PA
Posted: Sun Feb 06, 2005 8:50 pm
Post subject:
Yeah, you can do this with camophone.com too. This is nothing new. In fact, you can do it with most any PBX system. BUT remember... you are spoofing CID... ANI is what the phone company uses for things such as call tracking and 800 numbers... so you really aren't spoofing anything that hasn't been done before... and this is not a huge deal.
covertcalling
New Forum Member
Joined: Mar 09, 2005
Posts: 1
Posted: Wed Mar 09, 2005 1:32 am
Post subject:
I have personally used the service www.highvolumetraffic.com to spoof my caller ID, and get into other cellphone voicemail accounts with ease...
It's not about the fact that this technology has been around, it's about how easy it is for anyone who doesn't want to buy their own PBX system and pay through the nose to the phone company for the dedicated line. Or mess with their Voip hardware, etc... Easy end user access...
All times are GMT - 5 Hours