10 April 2008

Caller ID Spoofing Your Digital Voice Account

Providing VoIP/digital voice is now commonplace among ISPs. These ISPs also typically provide web interfaces to your digital voice account, which allow you to see your call logs, change your features, or check your voice mail. While perusing the website, I came across a feature that, assuming you had more than one phone line, would allow you to choose which of your numbers your outgoing caller ID would display. This is a simple drop-down box with only one option, and because I only have one phone line, only one option is listed. To confirm your selection, there is a submit button.

Using Paros Proxy, a Java-based tool to intercept and modify HTTP traffic, I trapped the submit request and modified the phone number by one digit. I then allowed Paros to send the modified data to the ISP’s digital voice web interface. The caller ID page reloaded, and I was greeted with the message that my caller ID would now be displayed as such, which was in fact one digit off. In other words, my modified submission appears to have worked. The final test was to have someone call me from my home phone number. And…it worked. My caller ID displayed my home phone number, modified by one simple digit. Of course, you could probably use any phone number you choose. The possibilities are almost endless…
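The flaw described above is a server that trusts a form field because the drop-down only offered one value. The following is an added example, not code from this post or from any ISP: it contrasts a handler that stores whatever is submitted with one that accepts only a number provisioned to the account and records rejected attempts. All account IDs, phone numbers and function names are constructed for illustration.

```python
import re

# Constructed sample data: lines provisioned to each account (hypothetical).
ACCOUNT_LINES = {
    "acct-1001": {"+15555550123"},
    "acct-2002": {"+15555550147", "+15555550148"},
}
caller_id_setting = {}  # hypothetical store of each account's outgoing caller ID
rejected = []           # audit trail of refused submissions, useful for detection


def normalize(number):
    """Reduce a submitted NANP number to +1XXXXXXXXXX, or None if malformed."""
    if not isinstance(number, str):
        return None
    digits = re.sub(r"[\s().\-]", "", number)
    if digits.startswith("+1"):
        digits = digits[2:]
    elif len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return "+1" + digits if re.fullmatch(r"\d{10}", digits) else None


def set_caller_id_vulnerable(account, submitted):
    """Trusts the form field: the drop-down in the browser is the only check."""
    caller_id_setting[account] = submitted
    return True


def set_caller_id_checked(account, submitted):
    """Accepts the value only if it is a line provisioned to this account."""
    number = normalize(submitted)
    if number is None or number not in ACCOUNT_LINES.get(account, set()):
        rejected.append((account, submitted))  # log for review, change nothing
        return False
    caller_id_setting[account] = number
    return True


if __name__ == "__main__":
    # A value one digit off from the account's real line, as in the post.
    print(set_caller_id_vulnerable("acct-1001", "+15555550124"))  # stored as-is
    print(set_caller_id_checked("acct-1001", "+15555550124"))     # refused
    print(set_caller_id_checked("acct-1001", "(555) 555-0123"))   # owned line
    print(caller_id_setting, rejected)
```

The ownership check belongs on the server for every request, since the list of options rendered in the page constrains only what the browser displays, not what it can send.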

