[asterisk-users] How to detect fake CallerID? (8xx?)
J Montoya or A J Stiles
asterisk_list at earthshod.co.uk
Wed May 10 11:26:26 CDT 2017

On Wednesday 10 May 2017, Steve Edwards wrote:
> I have a 'time and attendance' application. Think janitorial or security
> kind of thing where an employee goes from location to location.
>
> They're supposed to 'clock in' when they get to a site using a phone at
> that site to prove they're there.
>
> Some employees have discovered 'fake caller ID' services can be used to
> say they're on site when they are not.

There are legitimate reasons for faking an ident. For instance, if you are
using multiple services in parallel to connect to the Outside World. While we
had such a setup, we arranged with our SIP provider to attach numbers
associated with our ISDN-30 line to calls we were making. And if you are
providing something like a "transparent call recording" service, you need to
lay the ident of the incoming call leg onto the outgoing call.

Unfortunately, as you've discovered, the service can be abused .....

> How can I detect a fake CallerID? The INVITE looks the same to me.

You can't. Only the first telephone company through which the call passes can
tell for sure where a call is coming from. The next company through whose
equipment it is passing can alter it, and nobody downstream will be any the wiser.

Remember, even although it's now packet-switched and multiple-redundantly-
routed underneath, the whole telephone network is still basically emulating an
old-fashioned, circuit-switched network; where calls get connected from the
originator's local exchange onto a trunk to pass on to another exchange, and
all the next exchange downstream knows for sure is which approximate direction
it came in from and where it's going to. Information that would once have
been implied by which pair of wires the signal was travelling down, is now
sent separately, and subject to modification en passant.

> If I have the employees call an 8xx number, can I ask my SIP provider to
> include more headers to show the real ANI? What would that service be
> called?

Not really. You need to backtrack a little and rethink. Caller ID is just
not something that you can rely on anymore.

Presumably your staff carry mobile phones. What about an app that gets the ID
of the cell tower to which it is connected, and passes it and the SIM number
in a HTTP request to a server you control? You'll obviously need to do some
sort of authentication dance, otherwise anyone could just manually craft a URL
representing any location. (But since it's your app, you can effectively embed
a different key into every copy; so in the worst case, anyone trying anything
naughty is only able to spoof one handset. An .apk file is basically a .zip
archive; so you should be able to unzip it into a folder structure, use your
favourite scripting language to regenerate the keyfile and zip it back up.
This might even scale.)

--
JM or AJS
Note: Originating address only accepts e-mail from list! If replying off-
list, change address to asterisk1list at earthshod dot co dot uk .
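
Added example (not part of the original message): a server-side check for the per-handset-key check-in suggested above, using HMAC-SHA256 with a freshness window and a replay cache. The field names, key table, cell-ID format and site map are assumptions constructed for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample data (assumptions, not from the original message).
DEVICE_KEYS = {"handset-017": b"constructed-per-handset-key-017"}
SITE_CELLS = {"site-A": {"234-15-1021-40417"}}  # cell IDs observed at each site
MAX_SKEW = 120        # seconds a signed check-in stays fresh
_seen_nonces = set()  # in-memory replay cache; use a shared store in production


def sign_checkin(key, device_id, sim, cell_id, ts, nonce):
    """HMAC-SHA256 over length-prefixed fields, so field boundaries can't shift."""
    parts = [f.encode() for f in (device_id, sim, cell_id, str(ts), nonce)]
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_checkin(req, site, now=None):
    """Return (accepted, reason) for one check-in request (a dict of fields)."""
    now = time.time() if now is None else now
    key = DEVICE_KEYS.get(req.get("device_id"))
    if key is None:
        return False, "unknown device"
    try:
        ts = int(req["ts"])
        expected = sign_checkin(key, req["device_id"], req["sim"],
                                req["cell_id"], ts, req["nonce"])
    except (KeyError, ValueError, TypeError, AttributeError, OverflowError):
        return False, "malformed"
    # Constant-time comparison; reject before looking at any other field.
    if not hmac.compare_digest(expected.encode(), str(req.get("mac")).encode()):
        return False, "bad mac"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale"
    if (req["device_id"], req["nonce"]) in _seen_nonces:
        return False, "replay"
    _seen_nonces.add((req["device_id"], req["nonce"]))
    if req["cell_id"] not in SITE_CELLS.get(site, ()):
        return False, "cell not at site"
    return True, "ok"
```

A valid MAC only ties the report to one handset's key; the cell ID itself is still whatever that handset reports.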