Leveraging Asterisk and a SIP Trunk to Unmask Private Calls

FierceVoIP has some coverage this morning of Kevin Mitnick’s presentation at the recent Last HOPE (Hackers on Planet Earth) conference where he utilized Asterisk and a SIP Trunk to “unmask” the CallerID of a private caller. If you don’t know who Kevin Mitnick is you can read more about him here. A video from YouTube detailing the exploit can be seen here.

Garrett Smith

Garrett is the former VoIP Supply CMO.

View Comments

  • Hey Cory, as the presentation shows, the calling number is provided by many SIP trunking and ISDN-PRI service providers, along with privacy flags to determine whether to display the number. Configuring Asterisk to disrespect the privacy flags and expose the calling number that's "hidden" in the call setup is an abuse of trust that service providers have in their customers, not a particularly clever hack.

    There are two quick security-related conclusions to draw from this demonstration: long term, service providers should adopt a security model that does not rely on the good behavior of their customers; short term, service providers that get burned by such abuses might respond by treating PBX endpoints as untrusted, which will limit their utility.

    Still, this is a good example of the unique power that Asterisk brings to telephony solutions -- and a big reason so many new products have Asterisk under the hood.

    BTW, thanks for the tour on Canada Day. I enjoyed visiting with you and Garrett.

    All the best,
    Rod Montgomery
    Director of Services, Digium, Inc.

  • True, many providers forward this information including my own. I came across this during unsuccessful privacy manager setups...Mitnick is not saying anything new, go back to "the well".

  • Anyone who sends me a call or a message has to identify themself. What needs to change is that Caller ID must be *required* and *accurate* from every caller. Fake or masked Caller ID is where the trust abuse is happening in that transaction you described.

    You invade my privacy with a call, you better at least identify yourself, whether or not you're welcome to connect to me. If you show up with a mask, don't expect me to respect your request that I not look under it.

  • @Matt:

    We weren't saying Mitnick was the first to discover, just the first to bring this "to the masses."

  • You guys are really behind the times. First let me admit that several years ago I discovered * while trying to find a way to spoof my callerid...my girlfriend at the time was a married woman...so you can guess the rest. Spoofing my callerid was kind of fun but it only worked when I used my IP phone through my VOIP provider. I would sometimes call her on my POTs line using *67. What I didn't know was even when using *67 before dialing her cell phone number, my real telephone # appeared on her cell phone display. Not my name, just my number. This didn't happen when I called her home phone. So apparently her cell phone company was doing this long before Mr. Mitnick's ploy.

  • @Bill:

    As I stated before, we didn't say Mitnick invented the wheel here, merely that he brought it to a public stage...there is a big difference between telephony guys knowing this stuff and say your average VoIP user...we felt it was newsworthy because it was one of, if not the, first public exposure for this sort of activity.

  • This is nothing new, CID privacy has never been something you can rely on. Between various cell phone providers never honoring the privacy flag, the fact that many VoIP providers also pass the info along during a SIP exchange, and the fact that my T1 trunks also get the info...I cant remember the last time someone called me, and I didn't "know" who the caller was well before answering the phone.

  • Hi Guys- I got a 'blocked' call into my iphone (att) that i really really need to get back to - but need to find the number behind ?
    how/where i can do this still?
    it still showing in my cell in the recent calls and the voicemail section of my phone
    please-thanks

Share
Published by
Garrett Smith

Recent Posts

Watch Now: 2024 December VoIP News Update

https://youtu.be/vV0BDOCGiKs?si=jFrelg8-ddbcLhTC In the December VoIP News Update, two exciting developments in the VoIP space were…

2 days ago

Fanvil H5 Hotel Phone Product Feature & How to SIP Register to 3CX | VoIP Supply

https://youtu.be/UHKuBq0Pvuk?si=zS3KlwIkJz2-6vaq At VoIP Supply, we’re always excited to explore new solutions for businesses and industries,…

2 weeks ago

Fanvil X4U IP Phone Product Feature Video & Technical Tutorial

https://youtu.be/Wun3AMh_T08?si=fG3-TgyzrGT2gNIc In our latest video, we dive deep into the Fanvil X4U IP phone. Whether…

4 weeks ago

How to Prepare Your VoIP Systems for 2025

Remember Back to the Future II? I loved that movie because they traveled into the…

1 month ago

SIP Chats: Sharath Abraham of Jabra – Panacast 50, BYOD Solutions, and More!

https://youtu.be/qsNO-fZdY3U?si=1A2biOpTwvHG-wiB In the latest episode of SIP Chats, host Brian Hyrek sits down with Sharath…

1 month ago

Watch Now: 2024 November VoIP News Update

https://youtu.be/a--L6ZF9iAw VoIP Supply’s November VoIP News Update: Exciting New Tools, Upcoming Releases, and Giving Back…

1 month ago