[asterisk-users] How to detect fake CallerID? (8xx?)

J Montoya or A J Stiles asterisk_list at earthshod.co.uk
Wed May 10 11:26:26 CDT 2017


On Wednesday 10 May 2017, Steve Edwards wrote:
> I have a 'time and attendance' application. Think janitorial or security
> kind of thing where an employee goes from location to location.
> 
> They're supposed to 'clock in' when they get to a site using a phone at
> that site to prove they're there.
> 
> Some employees have discovered 'fake caller ID' services can be used to
> say they're on site when they are not.

There are legitimate reasons for faking an ident.  For instance, if you are 
using multiple services in parallel to connect to the Outside World.  While we 
had such a setup, we arranged with our SIP provider to attach numbers 
associated with our ISDN-30 line to calls we were making.  And if you are 
providing something like a "transparent call recording" service, you need to 
lay the ident of the incoming call leg onto the outgoing call.

Unfortunately, as you've discovered, the service can be abused .....

> How can I detect a fake CallerID? The INVITE looks the same to me.

You can't.  Only the first telephone company through which the call passes can 
tell for sure where a call is coming from.  The next company through whose 
equipment it is passing can alter it, and nobody downstream will be any the wiser.

Remember, even although it's now packet-switched and multiple-redundantly-
routed underneath, the whole telephone network is still basically emulating an 
old-fashioned, circuit-switched network; where calls get connected from the 
originator's local exchange onto a trunk to pass on to another exchange, and 
all the next exchange downstream knows for sure is which approximate direction 
it came in from and where it's going to.  Information that would once have 
been implied by which pair of wires the signal was travelling down, is now 
sent separately, and subject to modification en passant.

> If I have the employees call an 8xx number, can I ask my SIP provider to
> include more headers to show the real ANI? What would that service be
> called?

Not really.  You need to backtrack a little and rethink.  Caller ID is just 
not something that you can rely on anymore.

Presumably your staff carry mobile phones.  What about an app that gets the ID 
of the cell tower to which it is connected, and passes it and the SIM number 
in an HTTP request to a server you control?  You'll obviously need to do some 
sort of authentication dance, otherwise anyone could just manually craft a URL 
representing any location.  (But since it's your app, you can effectively embed 
a different key into every copy; so in the worst case, anyone trying anything 
naughty is only able to spoof one handset.  An .apk file is basically a .zip 
archive; so you should be able to unzip it into a folder structure, use your 
favourite scripting language to regenerate the keyfile and zip it back up.  
This might even scale.)

-- 
JM or AJS

Note:  Originating address only accepts e-mail from list!  If replying off-
list, change address to asterisk1list at earthshod dot co dot uk .
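
The per-handset-key idea suggested above, sketched as an added example that is not part of the original post: each handset signs its report with its own key and the server checks the signature, freshness, replay and the expected cell for the site. HMAC-SHA256, the field names, the device IDs (standing in for the SIM number), the keys and the cell IDs are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data: one key per handset, and the cell IDs seen at each site.
DEVICE_KEYS = {"handset-17": b"k17-constructed-secret",
               "handset-42": b"k42-constructed-secret"}
SITE_CELLS = {"site-A": {"234-15-1021-33871"}, "site-B": {"234-15-1044-9120"}}
MAX_SKEW = 120         # seconds for which a report stays acceptable
_seen_nonces = set()   # replay cache (in memory only, for the example)


def sign_report(device_id, key, cell_id, ts, nonce):
    """Handset side: serialise the report canonically and compute an HMAC tag."""
    body = json.dumps({"device": device_id, "cell": cell_id, "ts": ts, "nonce": nonce},
                      sort_keys=True, separators=(",", ":"))
    return body, hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def verify_report(body, tag, site, now):
    """Server side: return (accepted, reason) for one clock-in report."""
    try:
        msg = json.loads(body)
        device, cell, ts, nonce = msg["device"], msg["cell"], msg["ts"], msg["nonce"]
        if not all(isinstance(v, str) for v in (device, cell, nonce)):
            raise TypeError("wrong field type")
        if not isinstance(ts, (int, float)):
            raise TypeError("wrong field type")
    except (ValueError, KeyError, TypeError):
        return False, "malformed"
    key = DEVICE_KEYS.get(device)
    if key is None:
        return False, "unknown device"
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; the tag is checked before any field is trusted.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False, "bad signature"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale"
    if (device, nonce) in _seen_nonces:
        return False, "replayed"
    _seen_nonces.add((device, nonce))
    if cell not in SITE_CELLS.get(site, set()):
        return False, "wrong cell for site"
    return True, "ok"
```

The tag only proves which handset key produced the report; the cell ID is still a value the handset itself reports.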


