Re: A Vonage VOIP 3-way call CID Spoofing Vulnerability

• Previous message: bugzilla_at_redhat.com: "[RHSA-2003:258-01] GDM allows local user to read any file."
• Maybe in reply to: Nathan Wosnack: "A Vonage VOIP 3-way call CID Spoofing Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: 21 Aug 2003 06:32:25 -0000
To: bugtraq@securityfocus.com

Sorry but simply calling a phone number and then 3-waying another number
does not spoof caller id as the first number you called, at least not in
my experience, I do know however that if you call one phone number, flash
over and hit #90+1+npa+number# it will send that person off to the number
you dialed(known as a call transfer) and the first number will show up as
caller ID to the person you transfered them to, but since they are
essentially the people calling the person you call transfered them too
what's the difference? my only bitch about that would be privacy concerns
like if you called someone w/ complete blocking on their line and then
courtesy call transfered them to another # and now that other # has their
phone number, it also gets annoying when miliwatt test numbers start
calling your house at odd hours of the night. Another thing odd about
vonage is they only send your vonage number as caller ID and flex ANI, the
real time ANI seems to be a new york phone number in the 646 areacode, try
calling 800-444-4444 from a vonage fone to see this.

>Received: (qmail 14112 invoked from network); 18 Aug 2003 22:10:08 -0000
>Received: from outgoing2.securityfocus.com (205.206.231.26)
> by mail.securityfocus.com with SMTP; 18 Aug 2003 22:10:08 -0000
>Received: from lists.securityfocus.com (lists.securityfocus.com
[205.206.231.19])
> by outgoing2.securityfocus.com (Postfix) with QMQP
> id 1ED128F39E; Mon, 18 Aug 2003 16:10:05 -0600 (MDT)
>Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@securityfocus.com>
>List-Help: <mailto:bugtraq-help@securityfocus.com>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
>List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
>Delivered-To: mailing list bugtraq@securityfocus.com
>Delivered-To: moderator for bugtraq@securityfocus.com
>Received: (qmail 25040 invoked from network); 13 Aug 2003 17:57:12 -0000
>Date: 14 Aug 2003 00:02:21 -0000
>Message-ID: <20030814000221.10408.qmail@www.securityfocus.com>
>Content-Type: text/plain
>Content-Disposition: inline
>Content-Transfer-Encoding: binary
>MIME-Version: 1.0
>X-Mailer: MIME-tools 5.411 (Entity 5.404)
>From: Nathan Wosnack <nathan@hypervivid.com>
>To: bugtraq@securityfocus.com
>Subject: A Vonage VOIP 3-way call CID Spoofing Vulnerability
>
>
>
>Original Advisory: Wednesday, August 13, 2003
>
>Severity: Medium - High
>
>Description: An attacker using the VOIP (Voice Over IP) carrier Vonage,
>has the ability to spoof the caller ID of a called party through the
three-
>way calling feature. This trick essentially acts similar to a POTS-based
>diverter, as it allows the attacker to carry out illicit telephone
>activities while hiding his or her phone number.
>
>Version: This was tested using Cisco Systems' ATA 186 VOIP hardware on
the
>Vonage carrier.
>
>Author: Nathan Wosnack
>
>
>
>Vonage Background:
>
>"Using an existing high-speed Internet connection, Vonage technology
>enables anyone to make and receive phone calls - worldwide - with a touch-
>tone telephone. Offering quality phone service bundled with enhanced IP
>communications services, our interactive communications portal is a
>gateway to advanced features only available through digital telephone
>service. Utilizing our global network and advanced routing technologies,
>Vonage offers an innovative, feature-rich and cost effective alternative
>to traditional telephony services."
>
>
>Description of the problem:
>
>By using SIP-enabled voice over IP (VOIP) hardware such as the Cisco ATA
>186 Analog Telephone Adaptor, it's possible to spoof the caller
>identification that shows up on a call. The attacker only needs to call
up
>a regular phone line (POTS - plain old telephone service), place the
>caller on hold, flash over to a dial tone using the threeway call
feature,
>and then call a second party for this to work. The caller ID information
>that tends to show up is the first called party's telephone number with
>either their name listed or "unknown name" showing on a conventional
>caller-id enabled telephone. The opportunity for abuse is high and could
>allow the determined attacker to social engineer your telephone, cable,
or
>utility company into modifying your services. Since many companies only
>require the person's name, address, and caller id for account
>authentication, this vulnerability helps the attacker. The other
>opportunities this vulnerability gives the attacker is the ability to
>spoof anyone's caller id information for phone hacking (often
>called "phreaking"); such as breaking into voice mail accounts and PBX
>exploitation for the purpose of proprietary information gathering and
>telephone fraud.
>
>
>Solutions to the problem:
>
>This issue is something that Vonage will need to investigate on their
end.
>The proper routing of caller id information after a third-party call is
>initiated is the problem, and needs to be resolved by the Vonage IT staff
>figuring out why their VOIP switching equipment doesn't pass this data
>properly. The Hypervivid Solutions staff has contacted Vonage directly
>about this issue, so it can hopefully be resolved shortly.
>
>For everyone else, your best defense is to be aware of who is calling
you.
>If you happen to receive a phone call from an unknown party who wants to
>place you on hold, hang up immediately and then call them back.
>If you hear a recording telling you the number is not in service, then
>you've likely reached a Vonage gateway number, which mean you were likely
>called by someone attempting to exploit this Vonage VOIP vulnerability.
>
>
>Conclusion:
>
>In the past year, Voice over IP telephony has seen many security issues.
>The voip issues range from vendor implementations of the Session
>Initiation Protocol (SIP), problems with remote-accessible code which can
>be exploited to cause a denial of service, voip phones that are weak in
>ways that facilitate man-in-the-middle attacks directed at intercepting
>telephone traffic, and most recently 3-way caller ID spoofing on Vonage.
>
>When the information security community works closely with vendors and
>carriers, these problems can be resolved quickly and efficiently enough
to
>limit or even eliminate any abuse by phone phreaks and criminals.
>
>
>Related Links:
>
>
>http://www.hypervivid.com/ - Information, Telecom and Wireless Security
>Consulting Firm.
>
>
>Vendor Contact:
>
>http://www.cisco.com/ - Cisco Systems, Inc. Manufacturer.
>http://www.vonage.com/ - American Voip telecom carrier.
>
>Have any questions or comments?
>e-mail: advisories@hypervivid.com
>
>Copyright © 2003, Hypervivid Solutions Incorporated. All Rights Reserved.
>

• Previous message: bugzilla_at_redhat.com: "[RHSA-2003:258-01] GDM allows local user to read any file."
• Maybe in reply to: Nathan Wosnack: "A Vonage VOIP 3-way call CID Spoofing Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]