New 'victim' of CID spoofing...

Started by SteveB, February 23, 2015, 02:36:08 PM


SteveB

Have had VoIP off-and-on for years and recently purchased the Obi200 for personal use. But today I had two calls within one hour, both were within the Minneapolis/St. Paul area like I am, and each guy was asking why I called them!

Turns out my easy-to-remember GV number, used with my Obi200, had its CID spoofed. Since I'm kind of a security geek and know my way in-and-around most systems, about the only thing I was *not* sure about was the default "admin" user and the password on my Obi200. So even though my router's firewall is very secure, I changed the PW on my Obi200 to a random, 40-character one. Just in case I was port-scanned or something.

Also, GV is secure since I use 2-step authentication and also have 35-40 bits of entropy in my process of creating passwords for each-and-every account or device I have...so am I just being paranoid? Is CID spoofing that simple once a number is discovered to be VoIP? Or is there some sort of VoIP-security best practice I'm not following?

Thanks. Great forum, BTW, and I've been lurking here for a while.

BigJim_McD

Quote from: SteveB on February 23, 2015, 02:36:08 PM
.... But today I had two calls within one hour, both were within the Minneapolis/St. Paul area like I am, and each guy was asking why I called them!
.....

Is CID spoofing that simple once a number is discovered to be VoIP? Or is there some sort of VoIP-security best practice I'm not following?

Thanks. Great forum, BTW, and I've been lurking here for a while.

Yes, CID spoofing is that simple.  Some Service Providers attempt to verify that a user has the rights to use a DID number, others do not, allowing the spoofing of numbers that may belong to someone else.
BigJimMcD

Tango

Quote from: BigJim_McD on February 23, 2015, 03:03:23 PM
...
Yes, CID spoofing is that simple.  Some Service Providers attempt to verify that a user has the rights to use a DID number, others do not, allowing the spoofing of numbers that may belong to someone else.

Can you elaborate on "Some Service Providers attempt to verify that a user has the rights to use a DID number, others do not"? How would a SP verify a user has the rights to use a DID number?

In configuring the ATA device, would a password associated with a DID number help? Note that this PW is given by the SP. And would this be sufficient?

Otherwise, what other steps can be taken to avoid CID spoofing?

Would the original post suggest GV is more "prone" to CID spoofing?

Thanks!

202Owner

>>Can you elaborate on "Some Service Providers attempt to verify that a user has the rights to use a DID number, others do not"? How would a SP verify a user has the rights to use a DID number?

They could call your DID and request a PIN entry.

>>In configuring the ATA device, would a password associated with a DID number help? Note that this PW is given by the SP. And would this be sufficient?

Nothing can prohibit someone from using your DID number as their CallerID number... it's just a string of numbers displayed.

>>Otherwise, what other steps can be taken to avoid CID spoofing?

Nothing.

>>Would the original post suggest GV is more "prone" to CID spoofing?

No.  I can call your GV number and display a fake CallerID number.  Note that GV does not permit spoofing/faking your CallerID number on outbound calls.
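
A sketch of the provider-side check described in the reply above (call the DID, ask for a PIN), added here as an example and not taken from the thread or from any provider's code; the class name, method names, policy values and the 555 numbers in comments are assumptions. It only limits what this provider's own customers may present as caller ID and does nothing about calls originated elsewhere.

```python
import hmac
import secrets
import time

PIN_TTL = 300      # seconds a challenge stays valid (assumed policy value)
MAX_ATTEMPTS = 3   # wrong entries allowed before the challenge is voided (assumed)


class DidVerifier:
    """Hypothetical registry of DIDs an account has proved it controls."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}      # (account, did) -> [pin, expires_at, attempts_left]
        self.verified = set()  # (account, did) pairs that passed the challenge

    def start_challenge(self, account, did):
        # The PIN is read out on a call placed TO the DID (e.g. +15555550100),
        # so only someone who really receives calls on that number learns it.
        pin = f"{secrets.randbelow(10**6):06d}"
        self.pending[(account, did)] = [pin, self.clock() + PIN_TTL, MAX_ATTEMPTS]
        return pin  # goes to the outbound-call component, never to the requester

    def submit_pin(self, account, did, entered):
        entry = self.pending.get((account, did))
        if entry is None:
            return False
        pin, expires_at, attempts_left = entry
        if self.clock() > expires_at:
            del self.pending[(account, did)]      # expired: a new call is needed
            return False
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(pin.encode(), str(entered).encode()):
            del self.pending[(account, did)]
            self.verified.add((account, did))
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self.pending[(account, did)]      # guessing limit reached
        return False

    def outbound_caller_id(self, account, requested, account_default):
        # Present the requested number only if THIS account verified it;
        # otherwise fall back to the number the provider assigned.
        if (account, requested) in self.verified:
            return requested
        return account_default
```
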

Tango

I am still learning about the nature of this problem, not sure if it is that serious to warrant further investigation. However I found this interesting read:

http://www.cse.sc.edu/~mustafah/download/cid_USC_CSE_TR-2013-001.pdf

"It is difficult to spoof caller IDs by directly exploiting the Public Switched Telephone Network (PSTN, landlines) or cellular network protocols because caller IDs are automatically generated by landlines or cellular carriers, and control channels are not easily accessible to customers.

However, it is easy to spoof caller IDs in VoIP, since VoIP transmits both voice and control data in IP packets, and a caller can often set up any caller ID for an outgoing call. In addition, the protocols that interconnect carriers, which include Signaling System No. 7 (SS7) [9] and VoIP, do not contain any caller ID verification mechanisms, and a carrier will simply accept and forward the claimed caller IDs. Thus, spoofing attacks require little effort in several ways."

That's my minimum takeaway from this paper, in addition to a few other illustrations on how a fake ID provider spoofs a caller ID (Figure 1) and telephone network architecture (Figure 10).

202Owner

>>I am still learning about the nature of this problem, not sure if it is that serious to warrant further investigation.

It's only serious for anyone using CallerID for authentication, which they should not.  For you and me, the problem is blocking telemarketers that change their CallerID number.  Fortunately, my experience has shown this to be a non-problem so far... blacklisting has been very effective.

>>"However, it is easy to spoof caller IDs in VoIP, since VoIP transmits both voice and control data in IP packets, and a caller can often set up any caller ID for an outgoing call. In addition, the protocols that interconnect carriers, which include Signaling System No. 7 (SS7) [9] and VoIP, do not contain any caller ID verification mechanisms, and a carrier will simply accept and forward the claimed caller IDs. Thus, spoofing attacks require little effort in several ways."

And you can simply set a fake CallerID number on your VoIP account.