Russell Handorf

Real VoIPsploits: Helping to Introduce Your Local SWAT Team

Voice over IP is one of the many fast growing IT products and services field, as such this has laid the seeds for a new security industry. And as predicted, attackers are one step ahead of us in exploiting the vulnerabilities that are easily abused with this new infrastructure. We’re not going to cover sniffing your packets as not too many people are interested in listening to your private phone calls… most of the time. The real threat is with the integration of VoIP into the rest of the telecommunications infrastructure.

In particular, we’re interested in Caller ID spoofing. This isn’t new stuff; traditional PBX’s have been spoofing phone numbers for a very long time. This is evident in when you get a phone call from most organizations and the number comes up as a 1800, or the like. However, there are services out on the Internet that sell caller ID spoofing to anyone who is willing to pay.

So what? What’s the worse that can happen? You can ask the people who were victimized by the latest mischievous pranks, often called SWATing. If you guess that this social engineering hack involves law enforcement, you’re right. Recently, a ring of phone hackers (phreakers) used services that allow you change your caller ID over the Internet to terrorize some of their peers and total strangers. They would call the police and emergency communications centers with a spoofed caller ID pretending to be a crazed person who has hostages. As you can imagine the result is the local SWAT team ready to siege and apprehend the suspect. Fortunately, no one seems to have been hurt and the most of the perpetrators were apprehended, but this is still ongoing.

What else can be done with Caller ID spoofing? Lots of businesses trust Caller ID information for their call centers and customer interaction based systems. Financial Services, Telecommunications (ironic?), Emergency Services, and many more all blindly trust Caller ID information. So, if an attacker were to call your bank or alarm system service provider they can bypass a lot of authentication steps needed for social engineering. A quick test is to call your service provider from a phone number they have on file, and then to call them on another number that they don’t have on file. Pay attention to the questions they ask to authenticate you.

The fundamental problem is that this is a feature, not a bug of the telecommunications infrastructure. As explained previously, this is a function used by many legitimate PBX’s in the world; the difference is that the barrier that previously prevented this abuse has been removed with the integration of VoIP into the legacy telecom infrastructure. An old solution, the call back, has started showing up in various call centers as an option opposed to staying on hold.

Further Reading:

Don’t Make the Call : http://www.fbi.gov/page2/feb08/swatting020408.html

Couple Swarmed by SWAT Team After 911 ‘Hack’ : http://www.pcworld.com/article/id,138591-c,hackers/article.html

Guilty please from SWAT prank Callers : http://www.cleburnetimesreview.com/local/local_story_348181522.html

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*