[NEWS] Vonage VOIP 3-way call CID Spoofing Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 08/24/03

    To: list@securiteam.com
    Date: 24 Aug 2003 18:13:14 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Vonage VOIP 3-way call CID Spoofing Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    An attacker using the VOIP (Voice over IP) carrier Vonage can spoof the
    caller ID of a called party through the three-way calling feature. The
    trick acts much like a POTS-based diverter: it allows the attacker to
    carry out illicit telephone activities while hiding his or her phone
    number.

    DETAILS

    Vulnerable systems:
    This was tested using Cisco Systems' ATA 186 VOIP hardware on the Vonage
    carrier.

    By using SIP-enabled voice over IP (VOIP) hardware such as the Cisco ATA
    186 Analog Telephone Adaptor, it is possible to spoof the caller
    identification that shows up on a call. For this to work, the attacker
    only needs to call up a regular phone line (POTS - plain old telephone
    service), place the caller on hold, flash over to a dial tone using the
    three-way call feature, and then call a second party. The caller ID
    information that tends to show up is the first called party's telephone
    number, with either their name listed or "unknown name" showing on a
    conventional caller-ID-enabled telephone.

    The opportunity for abuse is high and could allow a determined attacker
    to social engineer your telephone, cable, or utility company into
    modifying your services. Since many companies only require the person's
    name, address, and caller ID for account authentication, this
    vulnerability helps the attacker. The vulnerability also gives the
    attacker the ability to spoof anyone's caller ID information for phone
    hacking (often called "phreaking"), such as breaking into voice mail
    accounts and exploiting PBXs for the purpose of proprietary information
    gathering and telephone fraud.

    ADDITIONAL INFORMATION

    The information has been provided by Nathan Wosnack
    <nathan@hypervivid.com>.


    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

