The hack starts with a VoIP telephone number. Mitnick uses Flowroute as his provider, but he told me afterwards that the same thing can also be accomplished with a few other VoIP providers.
He starts by forwarding calls to an Asterisk server that he maintains.
According to Wikipedia, "Asterisk is an open source/free software implementation of a telephone private branch exchange (PBX)". The Asterisk website says it runs on GNU/Linux, OpenBSD, FreeBSD, and Mac OS X. On the hardware side, all you need is a computer to use Asterisk with VoIP calls (to interface with the public telephone network requires additional hardware). In other words, it's not an expensive thing to set up.
Asterisk has its own scripting language. Once a phone call hits Mitnick's Asterisk server, a script that he demonstrated analyzes information in the SIP header. The script can see the originating phone number and can also tell that the caller wanted their number hidden. But, just because you ask for something doesn't mean you'll always get it.
Mitnick's script forwards all calls to his cellphone. But, calls that requested privacy have an arbitrary three digit code pre-pended to the phone number. The net effect is that, when Mitnick's cellphone rings, he not only sees the callers' phone number, he can also tell that they tried to hide it.
The basic issue, as I see it, is that once telephone calls become computer data, they can be manipulated like any other type of data.
Caller ID can be hacked in other ways too. In June 2007, Good Morning America did a story on Caller ID spoofing. That is, calling from one phone number but making it appear that you called from another number. Mitnick briefly appeared in that story which is available on YouTube.
No comments:
Post a Comment