Chapter 2 Multipath Routing Maximizing End-to-End Availability

3.3 Caller ID Spoofing Attacks

Caller ID spoofing is defined in the US legislation titled the Truth in Caller ID Act of 2009 [33] as follows:

“A caller ID spoofing attack is a malicious action that causes any caller identification service to knowingly transmit misleading or inaccurate caller identification information with the intent to defraud, cause harm, or wrongfully obtain anything of value.”

Figure 3.3 An illustration of how an existing fake caller ID service provider spoofs a caller ID by leveraging the loophole in network interconnection protocols.

We first discuss spoofing attacks that can be carried out in different telephone setups, and then discuss scenarios that should not be identified as spoofing attacks.

Spoofing During Call Signalling

As mentioned before, caller ID spoofing attacks are possible because VoIP protocols and network interconnection protocols lack caller ID validation mechanisms. While establishing an SS7 or VoIP connection with a telephone carrier for the purpose of spoofing requires considerable effort, adversaries can carry out spoofing attacks with little effort in several ways. We discuss three such attacks in the following.

Spoofing via Fake ID Providers.

A special service provider, which we refer to as a Fake ID Provider, offers caller ID spoofing services by exploiting the lack of authentication in caller ID protocols. A Fake ID Provider establishes SS7/VoIP connections with various telephone carriers. Such interconnection options are supported by all the leading carriers in the US for business customers (e.g., AVOICS [10]). The Fake ID Provider then acts as a middleman between attackers and victims, relaying the caller IDs specified by its customers (the attackers in this case). Figure 3.3 illustrates an example in which an attacker (Eve) tries to call the victim (Bob) while faking Alice’s caller ID. First, Eve calls a Fake ID Provider and supplies Bob’s phone number as the destination number and Alice’s phone number as the desired spoofed caller ID. Then, the Fake ID Provider establishes a call to Bob with Alice’s caller ID, and finally connects Eve with Bob once the call is answered. Since the Fake ID Provider is connected to the callee’s carrier via an SS7/VoIP link, the callee’s carrier simply accepts and forwards the caller ID of the incoming call to Bob, making spoofing attacks simple and effective.

An attacker can subscribe to a Fake ID Provider and carry out spoofing attacks towards any victim from any type of phone, provided that the Fake ID Provider is connected to the victim’s network.

Spoofing via VoIP Services.

Many VoIP carriers allow their customers to specify their own caller ID and forward that caller ID to the callee’s carrier without modification. To launch an attack, an adversary can subscribe to a VoIP carrier that allows caller ID manipulation and then use either VoIP client software or a VoIP phone to claim arbitrary caller IDs.

Spoofing via Automated Phone Systems.

An increasing number of businesses use automated phone systems to provide Interactive Voice Response (IVR) services, so that they can computerize phone calls for purposes such as marketing, survey collection, and appointment reminders. To simplify the development of automated phone systems, a group of emerging service providers (e.g., Voxeo [118], Nuance Cafe [15]) allow their subscribers to customize automated phone systems using a scripting language, such as VoiceXML [119], and to select their own caller IDs. These providers connect to major telephone carriers via SS7 or VoIP protocols so that their customers can call their target callee [39]. Such providers allow

the loophole of the network interconnection protocols (Section 3.2), the downstream telephone carriers will simply accept any caller IDs, including the spoofed ones. An adversary can subscribe to such a service to launch caller ID spoofing attacks.
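The three attacks above share one root cause: the downstream carrier forwards whatever caller ID its interconnection partner asserts. The following Python sketch is an added illustration (not CallerDec and not any carrier's code) that models that permissive behaviour next to a hardened alternative in which the carrier only forwards a caller ID the connecting trunk is entitled to present. Trunk names, phone numbers and the screening policy itself are constructed assumptions for this example; the hardened variant also shows why a PRI-style business trunk presenting its single assigned ID (discussed later in this section) is still accepted.

```python
"""Caller ID screening at a carrier interconnect: the permissive behaviour the
chapter describes beside a hardened alternative that checks the asserted caller
ID against the numbers the connecting trunk owns.

Added illustration only; not CallerDec and not any carrier's code. Trunk ids,
numbers and the policy are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

UNAVAILABLE = "UNAVAILABLE"  # text a carrier substitutes for an absent caller ID


@dataclass(frozen=True)
class Trunk:
    """One SS7/VoIP interconnection with a peer (constructed)."""
    trunk_id: str
    owned_numbers: FrozenSet[str]  # numbers the peer is entitled to present


@dataclass(frozen=True)
class IncomingCall:
    trunk_id: str
    claimed_caller_id: str  # whatever the peer put into the signalling
    destination: str


def normalize(number: str) -> str:
    """Digits only, so '+1 (555) 010-0200' and '15550100200' compare equal."""
    return "".join(ch for ch in number if ch.isdigit())


def screen_permissive(call: IncomingCall, trunks: Dict[str, Trunk]) -> Tuple[str, str]:
    """The loophole of Section 3.2: the carrier trusts its interconnection
    partner and forwards the asserted caller ID to the callee unchanged."""
    if call.trunk_id not in trunks:
        return ("reject", UNAVAILABLE)
    return ("forward", call.claimed_caller_id)


def screen_hardened(call: IncomingCall, trunks: Dict[str, Trunk]) -> Tuple[str, str]:
    """Forward the asserted caller ID only if the trunk owns that number.

    A PRI-style business trunk still presents its shared ID for every outgoing
    call, because that ID is assigned to it.  A Fake ID Provider asserting
    Alice's number on Eve's behalf has the number replaced with UNAVAILABLE."""
    trunk = trunks.get(call.trunk_id)
    if trunk is None:
        return ("reject", UNAVAILABLE)
    owned = {normalize(n) for n in trunk.owned_numbers}
    if normalize(call.claimed_caller_id) in owned:
        return ("forward", call.claimed_caller_id)
    return ("strip", UNAVAILABLE)


# Constructed scenario after Figure 3.3: Eve asks a Fake ID Provider to call Bob
# with Alice's caller ID; a business PBX on a PRI trunk presents its own shared ID.
TRUNKS = {
    "fakeid-provider": Trunk("fakeid-provider", frozenset({"15550100099"})),
    "acme-pri": Trunk("acme-pri", frozenset({"15550100200"})),
}
ALICE, BOB = "15550100001", "15550100042"
EVE_VIA_PROVIDER = IncomingCall("fakeid-provider", ALICE, BOB)
ACME_EXTENSION = IncomingCall("acme-pri", "+1 (555) 010-0200", BOB)


def run_scenarios() -> Dict[str, Tuple[str, str]]:
    """Outcome of each policy for both constructed calls."""
    return {
        "eve_permissive": screen_permissive(EVE_VIA_PROVIDER, TRUNKS),
        "eve_hardened": screen_hardened(EVE_VIA_PROVIDER, TRUNKS),
        "pri_permissive": screen_permissive(ACME_EXTENSION, TRUNKS),
        "pri_hardened": screen_hardened(ACME_EXTENSION, TRUNKS),
    }


if __name__ == "__main__":
    for name, (action, shown) in run_scenarios().items():
        print(f"{name:15} -> {action:7} callee sees {shown}")
```

The permissive policy lets Bob's phone display Alice's number for Eve's call, exactly the outcome of Figure 3.3; the hardened policy delivers the call with UNAVAILABLE instead, while the PRI trunk's shared business ID passes under both, which is why the text treats that mismatch as legitimate.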

Summary

Regardless of which type of the aforementioned spoofing attacks is launched, our proposed solution is capable of detecting all of them. In this work, we evaluate our caller ID spoofing detection schemes only with a Fake ID Provider, and we believe that our experimental results provide important insight into the other types of spoofing attacks as well, since our detection scheme is independent of how caller ID spoofing attacks are launched.

Spoofing After Call Establishment

When a caller and a callee belong to the same PSTN carrier, it is virtually impossible to spoof a caller ID during the signalling process, as we discussed in Section 3.2. It is, however, feasible to spoof the caller ID after a call is established: an attacker can transmit a fake caller ID for a second call (call waiting). After the first call is answered, an end-to-end voice channel is established between the calling parties, and if a new call arrives, the caller ID of that call is transmitted over this voice channel. The attacker has no access to the control channel during call setup, but can manipulate information transmitted over the voice channel. To launch such an attack, the adversary makes a phone call to the victim and, once the call is answered, transmits a packet that follows the carrier’s caller ID protocol (e.g., Bellcore FSK) carrying the desired fake caller ID. Immediately after the victim’s phone receives the caller ID packet, the displayed caller ID changes to the fake one. An adversary can install readily available software, e.g., the Software Orange Box, to launch such an attack.

A disadvantage of this technique is that the spoofed ID can only be transmitted once the call is answered. As a result, unless the call is answered right after the first ring³, the callee observes the original caller ID until the call is answered and the FSK packet with the spoofed caller ID is received. Additionally, the callee will also hear a call waiting beep when the spoofed ID appears on the phone. Although this attack may not always be practical, we include it in the discussion for completeness, and our detection scheme can detect such an attack anyway.

A Mismatched Caller ID but not Spoofing

Caller ID blocking services and Primary Rate Interface (PRI) lines produce a mismatched caller ID but should not be classified as caller ID spoofing. With a caller ID blocking service, the carrier transmits the text BLOCKED or UNAVAILABLE to the callee instead of the real caller ID.

PRI lines are designed for business organizations that want to support multiple simultaneous calls (i.e., 32 channels for an E1 line [111]) while sharing one single caller ID for all their phone lines. In a PRI system, each phone line inside an organization is connected to the PRI line through a Private Branch Exchange (PBX), which assigns the same caller ID to all outgoing calls. The mismatched caller IDs in PRI lines differ from caller ID spoofing because the caller ID associated with a PRI line is officially owned by the business organization and, once assigned, cannot be changed without permission from the telephone carrier. Our CallerDec mechanism recognizes both scenarios as non-spoofing cases.
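The post-establishment attack and the blocking case above both turn on what a receiver decodes from the caller ID message on the line. The following Python block is an added illustration (not CallerDec's code) of the receiving side: it decodes Bellcore MDMF caller ID messages, checks their checksum, and then compares a caller ID that arrives over the voice channel after answer against the ID presented at ring time and against the call-waiting calls the carrier's control channel actually signalled. The frames, the event log, and the assumption that the detector can see the control channel's view of waiting calls are constructed for this example; the mapping of the MDMF "reason for absence" codes to the BLOCKED and UNAVAILABLE texts is also an assumption.

```python
"""Decode Bellcore MDMF caller ID messages and flag a caller ID that changes over
the voice channel after the call is answered.

Added illustration, not CallerDec's code.  Frames and events are constructed;
the byte layout follows the Bellcore MDMF format: type 0x80, payload length,
type/length/value parameters, and a two's-complement checksum so that all
bytes sum to 0 modulo 256."""
from typing import Dict, List, Optional, Sequence, Tuple

MDMF_TYPE = 0x80
P_DATETIME, P_NUMBER, P_ABSENT_NUMBER, P_NAME = 0x01, 0x02, 0x04, 0x07
# Text the carrier substitutes for an absent number (Section 3.3).  Which reason
# code maps to which word is an assumption of this example.
ABSENCE_TEXT = {"P": "BLOCKED", "O": "UNAVAILABLE"}


def decode_mdmf(frame: bytes) -> Dict[str, Optional[str]]:
    """Parse one MDMF message; raise ValueError on a malformed or corrupt frame."""
    if len(frame) < 3 or frame[0] != MDMF_TYPE:
        raise ValueError("not an MDMF message")
    length = frame[1]
    if len(frame) != length + 3:  # type + length + payload + checksum
        raise ValueError("length field does not match frame size")
    if sum(frame) % 256 != 0:
        raise ValueError("checksum mismatch")
    body, params, i = frame[2:2 + length], {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated parameter header")
        ptype, plen = body[i], body[i + 1]
        data = body[i + 2:i + 2 + plen]
        if len(data) != plen:
            raise ValueError("truncated parameter value")
        params[ptype] = data.decode("ascii")
        i += 2 + plen
    number = params.get(P_NUMBER)
    absent = params.get(P_ABSENT_NUMBER)
    # What the callee's phone would display: the number, or the carrier's text.
    display = number if number is not None else ABSENCE_TEXT.get(absent or "", "UNAVAILABLE")
    return {"datetime": params.get(P_DATETIME), "number": number,
            "name": params.get(P_NAME), "display": display}


def normalize(number: str) -> str:
    return "".join(ch for ch in number if ch.isdigit())


def analyze_call(events: Sequence[Tuple[str, Optional[bytes]]],
                 control_channel_waiting_ids: Sequence[str]) -> List[tuple]:
    """Walk a call's events in order and report findings.

    events: ("ring", frame) for the ID signalled before answer, ("answer", None),
            ("voice_fsk", frame) for a caller ID message heard on the voice path.
    control_channel_waiting_ids: call-waiting caller IDs the carrier's control
            channel signalled during this call (assumed visible to the detector;
            the text notes the attacker cannot alter the control channel)."""
    findings, signalled, answered = [], None, False
    waiting = {normalize(n) for n in control_channel_waiting_ids}
    for kind, frame in events:
        if kind == "ring":
            signalled = decode_mdmf(frame)["display"]
        elif kind == "answer":
            answered = True
        elif kind == "voice_fsk":
            try:
                shown = decode_mdmf(frame)["display"]
            except ValueError as exc:
                findings.append(("malformed_fsk", str(exc)))
                continue
            if not answered:
                findings.append(("fsk_before_answer", shown))
            elif shown in ABSENCE_TEXT.values():
                findings.append(("not_spoofing_blocked", shown))
            elif normalize(shown) in waiting:
                findings.append(("genuine_call_waiting", shown))
            elif shown != signalled:
                findings.append(("post_establishment_spoof_candidate", signalled, shown))
    return findings


# Constructed frames (checksums precomputed so every frame sums to 0 mod 256).
RING_ALICE = b"\x80\x16\x01\x0801021530\x02\x0a5550100001\xd8"   # number 5550100001
FSK_OTHER = b"\x80\x16\x01\x0801021531\x02\x0a5550100002\xd6"    # number 5550100002
FSK_BLOCKED = b"\x80\x0d\x01\x0801021532\x04\x01P\x87"           # absent, reason P
FSK_CORRUPT = RING_ALICE[:-1] + b"\x00"                          # bad checksum

if __name__ == "__main__":
    log = [("ring", RING_ALICE), ("answer", None), ("voice_fsk", FSK_OTHER)]
    print(analyze_call(log, control_channel_waiting_ids=[]))
```

Run with no signalled call-waiting call, the mid-call ID change is reported as a spoof candidate; the same event log with 5550100002 present in the control channel's waiting list is reported as genuine call waiting, and a blocked ID is classified as a non-spoofing case, matching the distinctions the text draws.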

³ The caller ID is transmitted between the first and second ring; thus, if an incoming call is answered before the caller ID is received, the caller ID cannot be shown on the display.