"Private" Calls Not So Private, According to Digium CTO

July 24, 2008

In honor of Hacker Awareness Month, last weekend kicked off The Last HOPE, the seventh Hackers On Planet Earth conference, where industry experts discussed network security awareness. Sponsored by 2600 Magazine, the conference brought the hacker community together from around the world at the Hotel Pennsylvania in New York City.
The event presented three days and nights of speakers along with numerous activities to keep attendees entertained and enlightened.
At the conference, security consultant Kevin Mitnick and Digium Chief Technology Officer Mark Spencer demonstrated that Caller ID blocking is not foolproof. Many callers assume that dialing *67 before a call reliably hides their number from the party they are calling. But, as Mitnick and Spencer showed, that "Private" marking is only a request not to display the number; whether the called party's equipment honors it is up to that equipment.
 
During The Last HOPE conference, Mitnick demonstrated how a properly configured Asterisk box and a suitable SIP trunking service can be used to display Caller ID information even on inbound calls that have the "Private" flag set.
 
"There are legitimate reasons why you need to set the Caller ID to normal and carry that information forward," Spencer explained. "If, for example, I'm in an enterprise environment and I want to have calls forwarded from my office number to my cell phone, the PBX needs that information."
 
In his demonstration, Mitnick used the "enterprise class" VoIP/SIP trunking provider FlowRoute to get a phone number (DID) and a service that would deliver all of the call signaling information, including the calling number, to an Asterisk server. Set up and scripted to pass along all Caller ID information for inbound calls, the Asterisk server presents the calling number regardless of the privacy flag on the call: the flag travels with the call, but the number travels with it too.
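The mechanism behind the demonstration, as an added illustration that is not Mitnick's Asterisk configuration nor anything from FlowRoute or Digium: in SIP trunking the calling number is typically carried in an RFC 3325 P-Asserted-Identity header, and a *67-style block arrives as a separate "Privacy: id" header asking downstream nodes not to reveal it. A trunk that hands the INVITE to the customer's PBX unchanged is trusting that PBX to honor the flag. The INVITE below is constructed for this example (the domains, numbers and tags are placeholders), and the three functions are this example's own, showing the "pass everything along" behavior beside the behavior an RFC 3325 trust boundary is supposed to enforce.

```python
"""Added example: why a "Private" flag does not remove the number from SIP signaling.

Constructed INVITE below; domains, numbers and tags are placeholders, not real
traffic from the HOPE demonstration.
"""
import re

# Constructed sample: a call from a caller who dialed *67.  The From header is
# anonymized, but the network-asserted identity (P-Asserted-Identity) still
# rides along, accompanied only by a "Privacy: id" request.
SAMPLE_INVITE = (
    "INVITE sip:+15557654321@pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP trunk.example.com;branch=z9hG4bK776asdhds\r\n"
    "From: \"Anonymous\" <sip:anonymous@anonymous.invalid>;tag=1928301774\r\n"
    "To: <sip:+15557654321@pbx.example.net>\r\n"
    "Call-ID: a84b4c76e66710@trunk.example.com\r\n"
    "CSeq: 314159 INVITE\r\n"
    "P-Asserted-Identity: \"Alice\" <sip:+15551234567@trunk.example.com>\r\n"
    "Privacy: id\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

_URI_USER = re.compile(r"<sip:([^@>]+)@")


def parse_headers(message: str) -> dict:
    """Return {lowercased header name: value} for one SIP request.

    Folded and repeated headers are not needed for this example.
    """
    head, _, _body = message.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def number_from(header_value: str):
    """User part of the sip: URI in a From/PAI value, e.g. '+15551234567'."""
    m = _URI_USER.search(header_value)
    return m.group(1) if m else None


def privacy_requested(headers: dict) -> bool:
    """True when the caller asked for identity privacy (RFC 3323/3325 tokens)."""
    tokens = {t.strip().lower() for t in headers.get("privacy", "").split(";")}
    return bool(tokens & {"id", "header", "user"})


def caller_id_ignoring_privacy(message: str):
    """What a PBX scripted to 'pass everything along' displays: it prefers the
    asserted identity and never consults the Privacy header."""
    h = parse_headers(message)
    return number_from(h.get("p-asserted-identity", "")) or number_from(h.get("from", ""))


def caller_id_honouring_privacy(message: str):
    """What a node that respects the flag displays: 'anonymous' whenever the
    caller requested privacy, the asserted number otherwise."""
    h = parse_headers(message)
    if privacy_requested(h):
        return "anonymous"
    return number_from(h.get("p-asserted-identity", "")) or number_from(h.get("from", ""))


def forward_to_untrusted(message: str) -> str:
    """What an RFC 3325 trust-boundary proxy should do before handing the call
    to a party it does not trust: strip P-Asserted-Identity when privacy was
    requested, so the number no longer travels with the call at all."""
    h = parse_headers(message)
    if not privacy_requested(h):
        return message
    kept = [ln for ln in message.split("\r\n")
            if not ln.lower().startswith("p-asserted-identity:")]
    return "\r\n".join(kept)


if __name__ == "__main__":
    print("PBX ignoring the flag   :", caller_id_ignoring_privacy(SAMPLE_INVITE))
    print("PBX honouring the flag  :", caller_id_honouring_privacy(SAMPLE_INVITE))
    stripped = forward_to_untrusted(SAMPLE_INVITE)
    print("after a trust boundary  :", caller_id_ignoring_privacy(stripped))
```

The point for a practitioner is in the last call: once the trunk provider strips P-Asserted-Identity at its trust boundary, no amount of scripting on the customer's PBX recovers the number, because only the anonymized From header remains. Whether a given trunk strips it is provider policy; the article reports that in this demonstration the provider delivered the full information. On the Asterisk side the equivalent check is the presentation value the dialplan can read alongside CALLERID(num), which the demonstration's dialplan simply did not consult.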
 
Spencer revealed that when "private" callers make calls to toll-free numbers, their Caller ID information is also carried along and recorded in order to properly bill them.
 
Spencer stated that he is not thrilled with the use of Asterisk for questionable purposes, but since it is open source, there is not much he can do about it.
 
"I hate to say it, but the same reasons why Asterisk is attractive to a lot of businesses (it's low cost, it can be easily tweaked, it's more flexible) make it easy to use for an illegitimate purpose," Spencer stated.
 
According to Spencer, "It's a very powerful platform. I'm not thrilled about it being used for fraud and I'm not thrilled with companies who build products on it in competition with Digium, but there's not a lot I can do about it."
 
Michelle Robart is a Contributing Editor at TMCnet. To read more of her articles please visit her columnist page.