Security

Journal: Ph33r my Ph0n3 Sk1llz

So here is a rant on flaws' latest greatest phone hack.

-DISCLAIMER-
This information is for educational or research purposes only. This
"hack" should not be attempted as it could be considered toll-fraud.
This research was conducted under controlled circumstances and is
intended to prove a vulnerability within Telecommunication, not to
commit telco fraud, or any other fraudulent activity in nature.
-DISCLAIMER END- <-- aka don't try this at home :)

A while ago, I wanted to make an (overly-complicated) device that I could
make calls on which would allow me to use "In Network" calling with my
cellphone for every call I made. (Ok, let's back up).

Anyone who knows me knows my verizon cellphone bill usually ranges
between 200-500 dollars per month, and somehow no matter what I do, I
can't get it to lower. So, we all know that verizon, and many other
carriers offer "In-Network" calling for free. That means, when another
verizon wireless subscriber calls my verizon cellphone, it doesn't cost
me a dime, or minutes off my phone, and it doesn't cost that person
anything either.

My wife and I both have fones on a family plan, so if she calls me or I
call her, it's In Network (I want to call it mobile-to-mobile, so we'll
make an acronym m2m from this point on). So, my original and overly
complicated idea was to bug my friend Tony about helping with a circuit
board that would essentially sit in the middle of a cellphone and a DTA
(VOIP Desktop Terminal Adaptor) device. (A DTA device is what is used
when you purchase a residential voip phone.)

Quick variable definitions:

<--R--> = a phone call
[inet] = internet cloud
[lc] = lance's cell
[wc] = wife's cell
[dta] = voip dta device (has rj11 and rj45 connectors: rj11 in, rj45 out;
it's a bridge between those two interfaces)
[drb] = d-raper box (the device that's overly-complicated).
<---> = a connector, usually either rj11 (11), rj45 (45),
    or a spliced headset (sh) that connects to the cellphone
    earjack.
A "|" represents the splice.
voip = Voice Over Internet Protocol.

The idea is that this device would do this:

[lc]<----R----->[wc]<------>|<-------->[dta]<---------->[inet]<------>
                    (sh)    rj11        rj45        voip

Quickly described: this box would detect when a call comes in and tell
the dta device to pick the phone up to give me a dial tone, so I could
make calls out through VOIP rather than cell. There were some possible
flaws in the theory, and it looked like it could get overly complicated;
since I'm not an EE nor do I try to be, this was probably going to go
nowhere fast.
The point of the box: I would call my wife's phone to get a dialtone
from the VOIP carrier, essentially allowing me to have m2m calls so that
the phone company would stop raping me. By the time I would have
finished this project though, the economics of the entire theory started
looking grim.

On to software! Well, as some of you know, I spoke at Shmoocon
(www.shmoocon.org) with a topic titled "Ph0wned: Phreaking in the 21st
century" with Lucky225 (a known phone phreak). Some of you know that I
gained a sudden interest in the SIP protocol and VOIP in general,
particularly in the way that it can be used to manipulate our Plain Old
Telephone Service (POTS) into doing things that the telcos probably
never foresaw, but nonetheless, it can be useful and fun. Thanks CP5
for introducing me to this stuff.

So, I'm at shmoocon and I get introduced by Lucky225 to some other phone
hackers, and it's just great because the more I learn, the better the
day I have ;) Anyway, point being, I make some friends who have
asterisk boxes set up, and have access to lots of fun pbx voip services
(since they run a voip service), (you can do it yourself with asterisk,
nuphone or voicepulse, etc).

So what this next exploit is demonstrating is that m2m calling uses CPN
to authenticate. The reason for this (in theory) is that the switches are
inter-integrated (I made that word up), meaning that if you have
t-mobile in california, there is a good chance most of your calls are
made off of the cingular/att network switch. A good example is when
you're roaming on another network and you call another "In network"
number that's not roaming: e.g. I am roaming in the nevada desert
somewhere, but I call my wife in san diego; it's still a free call for
her on the incoming side, but the roaming service will charge me because
I'm on their network. The free part is because it sends my CPN to her
phone and the billing system says, ok, that's a mobile number on our
network calling her, don't bill for it. So that's how it works so far as
we know it. (We have tested this: we aren't billed when we spoof caller
id from an in-network number.)

On to the project:
I'm complaining still because my first attempts at making a device never
surfaced, and it really wasn't worth it and my phone bill still sucks.
(Plus, if you noticed with the overly-complicated device, I would have
to take my wife's fone from her. I don't want to take my wife's fone
away from her, that's not very nice now is it?)
So I'm talking to a friend of Lucky's about some idea I had to exploit
the m2m calling feature within cell carriers, and since he has the
equipment to handle that, we decided to get to work. So, our first
software piece was a perl aimbot (using the Net::AIM perl module, and
Net::Telnet to talk to asterisk). This aimbot pretty much gets to sit
there with a username like veriz0wned, and takes in two commands:
veriz0wned: <mycellnumber> <verizonnumberyourespoofing>. Then my phone
rings. Then the pbx asks me to login and I can make a call. Essentially,
the phone network thinks I have received a call from my wife (an
in-network call) and I am not billed any minutes for the call, and then
the pbx lets me make outgoing calls through VOIP, which is
next-to-nothing in cost.

Pros: We have accomplished the m2m calling exploit, so now we have
unlimited (no billed airtime) cellphone calls out using IM as the call
control.
Cons: Stuck at the keyboard since it's on AIM; great for hotspots and at
home, but it has limitations.

Now for the fun part - mobility :)

So we want to make calls from my phone while we're not sitting at a
computer. So we play with asterisk and a little more perl (2 lines of
perl, that's the cool part).

What we investigated was the airtime billing policies for verizon
(specifically for verizon wireless, other carriers may vary). A helpdesk
faq (the standard verizon faq is so out of date) revealed that airtime
was only billed and applied to what is known as "answer supervision".
Essentially this means that if the called party picks up, the answer
detection process activates and performs "answer supervision", so busy
signals or continuous ringing are known as "unsupervised". This is good
news for us, since this specific carrier doesn't bill us for just
hitting the send button. So we decided to set up asterisk in a way that
uses CPN (a synonymous term for Caller ID that means Calling Party
Number) verification. CPN verification is just what it sounds like: we
read the CPN to obtain information about the calling party. This is
important because we use this for the call-back feature in asterisk. So
to review, there are three important steps taking place: we are calling
a number that is unsupervised (in our case, the DID number we are using
will just ring with no answer), then we are utilizing CPN verification
to retrieve the number (Caller-ID), and then asterisk will call us back
at the CPN that it received, from an "In-Network" number (aka my wife's
cell).
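The weak point in both passages above is that the billing system treats the presented CPN as proof that an in-network line placed the call, and the ring-out-then-callback sequence leaves a recognisable trace in the carrier's own call records. The following detection check is an added example, not the author's code: it assumes a simplified CDR layout, a constructed in-network number block and timing windows, and flags incoming calls whose in-network CPN has no matching originating leg from that number in the carrier's own records.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample CDRs (call detail records) as a home carrier sees them.
# direction "MO" = originated by `subscriber`; "MT" = terminated at `subscriber`.
@dataclass(frozen=True)
class CDR:
    ts: datetime
    direction: str
    subscriber: str   # our own line the record is billed against
    other_party: str  # dialed number (MO) or presented CPN (MT)
    answered: bool    # did answer supervision fire?

IN_NETWORK_PREFIX = "1619555"            # assumed: a block of our own numbers
ORIGIN_MATCH = timedelta(seconds=5)      # MO and MT legs of one call are near-simultaneous
CALLBACK_WINDOW = timedelta(seconds=90)  # how soon after a ring-out the "callback" arrives

def is_in_network(number):
    return number.startswith(IN_NETWORK_PREFIX)

def find_unverified_in_network_calls(cdrs):
    """Return (ts, subscriber, cpn, reason) for MT calls whose in-network CPN
    has no matching MO leg from that number: the CPN was merely asserted.
    reason is "callback" when an unanswered off-net MO call preceded it."""
    cdrs = sorted(cdrs, key=lambda c: c.ts)
    mo = [c for c in cdrs if c.direction == "MO"]
    findings = []
    for mt in (c for c in cdrs if c.direction == "MT" and is_in_network(c.other_party)):
        originated = any(o.subscriber == mt.other_party and o.other_party == mt.subscriber
                         and abs(o.ts - mt.ts) <= ORIGIN_MATCH for o in mo)
        if originated:
            continue  # our own line really placed this call: genuine m2m
        probe = any(o.subscriber == mt.subscriber and not o.answered
                    and not is_in_network(o.other_party)
                    and timedelta(0) <= mt.ts - o.ts <= CALLBACK_WINDOW for o in mo)
        reason = "callback" if probe else "unverified_cpn"
        findings.append((mt.ts.isoformat(), mt.subscriber, mt.other_party, reason))
    return findings

def sample_cdrs():
    t = datetime(2006, 3, 20, 12, 0, 0)
    lance, wife, did = "16195550100", "16195550111", "12125550199"  # constructed numbers
    return [
        CDR(t, "MO", lance, did, False),                          # ring-out, unsupervised
        CDR(t + timedelta(seconds=20), "MT", lance, wife, True),  # "wife" CPN, no MO from wife
        CDR(t + timedelta(hours=1), "MO", wife, lance, True),     # genuine m2m: both legs
        CDR(t + timedelta(hours=1, seconds=1), "MT", lance, wife, True),
        CDR(t + timedelta(hours=2), "MT", lance, "13105550123", True),  # off-net CPN, billed anyway
    ]
```

Only the 12:00:20 call is reported, and as "callback", because the same line rang out to an off-net number 20 seconds earlier and no in-network line originated the leg that claims to come from the wife's number.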

In conclusion, we demonstrate that with CPN Spoofing we can successfully
exploit and abuse the "In-Network" calling feature of multiple carriers
(tested mainly with verizon) to make "no airtime" calls.

Props to Lucky225, Natas, CP5, h1kari, cathedral-of-hate and anyone I
missed, but you know you should be in here.

Next rant: Social engineering the cellphone tech to obtain unbillable
numbers.

Thank you all for the patience to read this, and if it upsets you, or
you feel that you are receiving unwanted email, just tell me and I'll be
glad to break into your voicemai...er, I'll be glad to take you off my
address list.

_PEACE_

User Journal

Journal: I am flaws

My first blog - what a crock of ----. Is this really all that cool? An idea that was floating around: my cellphone bill is up to like $500 a month, and no matter what I do to adjust the plan, I get screwed. A thought was to buy 2 cellphones, take advantage of the in-network mobile-2-mobile calling (unlimited), and hook the second line up through the handsfree kit wire to a VOIP box that will give me a dial-tone to call out from (use auto-answer of course). Then pre-program that number in my cell and use it as my every-day calling. That way I'm not using any minutes, I have a basic rate, and that's about it. Kind of a cellphone version of a dark box. Maybe a stupid idea, but the prices are annoying me.
