CallerID: Upclose and Personal
by hatredonalog (hatredonalog@hotmail.com)

1 - Intro
    1.1 What is CID?
    1.2 Privacy Issues
    1.3 Stuff Stolen from the alt.2600 faq
2 - How a message is sent (basically)
    2.1 Basics
    2.2 Figuring out the data & checksums
    2.3 Differences between SDMF and MDMF
    2.4 With CIDCW
3 - 0day Exploits
    3.1 Defeating CID
    3.2 Alternate CID info
4 - Appendix
    4.a Glossary
    4.b Resources


Introduction to CallerID

1.1 - What is CID?

CallerID is a low level knock off of ANI. It is a service from your LATA that allows you to see who is calling you. It gives you the Month, Day, Time and the number of the person calling you (and optionally also the name). In this article I hope to explain just how it works and maybe you'll learn something. On with it, no?

1.2 - Privacy Issues

When dealing with CallerID, some privacy issues arise. What if you don't want the person you're calling to get your inf0z? Well, when it first came out some privacy activist groups had a hernia over it. Great, eh? Anyways, now RBOCs are SUPPOSED to let you block CND info for free, but from what I've heard, they don't always let you. This is where *67 originates from, and it simply tells the CO to not send your info to the box.

1.3 - Stuff stolen from the alt.2600 faq

Modem Requirements

Although the data signalling interface parameters match those of a Bell 202 modem, the receiving CPE need not be a Bell 202 modem. A V.23 1200 bps modem receiver may be used to demodulate the Bell 202 signal. The ring indicate bit (RI) may be used on a modem to indicate when to monitor the phone line for CND information. After the RI bit sets, indicating the first ring burst, the host waits for the RI bit to reset. The host then configures the modem to monitor the phone line for CND information.

Applications

Once CND information is received the user may process the information in a number of ways. The date, time, and calling party's directory number can be displayed.
Using a look-up table, the calling party's directory number can be correlated with his/her name and the number displayed. CND information can also be used in additional ways such as for:

    o Bulletin board applications
    o Black-listing applications
    o Keeping logs of system user calls
    o Implementing a telemarketing data base


Technical information

2.1 - How CID information is sent (basically)

The method of transport was invented by Carolyn Doughty and was first used by New Jersey Bell. Unlike what some people seem to think, the CID info is sent from the CO handling the call to the CPE (Customer Premise Equipment), otherwise known as the box. Under SS7 the CPNM (Caller Party Number Message) CANNOT be blocked from the receiving CO, but can be blocked from the called party, when making a long distance call.

The CallerID info is sent between the first and second ring (pretty much common knowledge) and is sent via Frequency Shift Keying (FSK). The data is sent at 1200bps and the CPE has a Bell 202 modem in it to receive the FSK. There are two formats in which the CND (Caller Number Delivery) is sent. These are SDMF (Single Data Message Format) and MDMF (Multiple Data Message Format), both of which I will go into later. The main difference between the two is simply that the name of the calling party is also sent with MDMF.

The modulation is continuous-phase binary FSK. Logical 1 is 1200hz, give or take 12hz, and logical 0 is 2200hz, give or take 22hz. These are the two binary states 1 and 0. They are sent asynchronously at -13dBm and are tested at the CO across a 900 ohm test termination.

The data starts a minimum of 500ms (milliseconds) after the first ring, beginning with the Channel Seizure. The Channel Seizure is 250ms in length and is 300 bits of alternating 1's and 0's, beginning with a 0 and ending with a 1. Immediately after the Channel Seizure is sent the Mark Signal is transmitted. It consists of 180 bits, and is 150ms in length.
They prepare the CPE to receive the CND data. Then the Least Significant Bit (LSB) of the most significant character is sent. This is under both SDMF and MDMF. Each character sent is 8 bits (1 octet), and for all displayable data they represent ASCII codes. Each string of 8 bits is preceded by a start bit and followed by a stop bit. This equals 10 bits per character. Finally, all the information sent is followed by a checksum. This is to make sure that the data was sent and received properly.

Here is a basic CND signal:

    1st ring : (500ms) Channel Seizure : Mark Signal : CID Info : Checksum (200ms) : 2nd ring

2.2 - Figuring out the Data & checksums

Figure 1

Character                   Decimal  ASCII  Actual
Description                 Value    Value  Bits (LSB)
-----------------------------------------------------------
Message Type (SDMF)             4           0 0 0 0 0 1 0 0
Message Length (18)            18           0 0 0 1 0 0 1 0
Month (December)               49      1    0 0 1 1 0 0 0 1
                               50      2    0 0 1 1 0 0 1 0
Day (25)                       50      2    0 0 1 1 0 0 1 0
                               53      5    0 0 1 1 0 1 0 1
Hour (3pm)                     49      1    0 0 1 1 0 0 0 1
                               53      5    0 0 1 1 0 1 0 1
Minutes (30)                   51      3    0 0 1 1 0 0 1 1
                               48      0    0 0 1 1 0 0 0 0
Number (6061234567)            54      6    0 0 1 1 0 1 1 0
                               48      0    0 0 1 1 0 0 0 0
                               54      6    0 0 1 1 0 1 1 0
                               49      1    0 0 1 1 0 0 0 1
                               50      2    0 0 1 1 0 0 1 0
                               51      3    0 0 1 1 0 0 1 1
                               52      4    0 0 1 1 0 1 0 0
                               53      5    0 0 1 1 0 1 0 1
                               54      6    0 0 1 1 0 1 1 0
                               55      7    0 0 1 1 0 1 1 1
Checksum                       79           0 1 0 0 1 1 1 1

It is all simple conversion from binary to ASCII (and decimal). Here, we will tear it down octet by octet.

The Message Type is straightforward. It specifies one of two types, SDMF or MDMF. If it is SDMF the binary sent is 00000100 (4 bits), and if the type is MDMF, the binary sent is 10000000 (128 bits).

The Message Length is also quite easy to figure out. The binary converted to decimal is the message length.
00010010 is 18, and 18 is the message length. Done, easy.

The time is sent in military fashion. To get the normal time, put the two hour digits together and subtract 12 (i.e. 1 and 5 make 15, and 15 - 12 == 3pm). Then you just add on the next two values to create the minutes. The numbers are figured out exactly like the Message Length, so don't worry about that.

Figuring out the checksum is slightly more difficult, but not that much. The checksum word is the last data to be sent, and is the twos complement of the modulo 256 sum of the other words of the message. When the message is received by the CPE it checks for errors by taking the received checksum word and adding the modulo 256 sum of all of the other words received in the message.

Figuring out the checksum is not difficult. The first step is to add up the values of all of the fields (not including the checksum). In this example the total would be 945. This total is then divided by 256. The quotient is discarded and the remainder (177) is the modulo 256 sum. The binary equivalent of 177 is 10110001. To get the twos complement, start with the ones complement (01001110), which is obtained by inverting each bit, and add 1. The twos complement of binary 10110001 is 01001111 (decimal 79). This is the checksum that is sent at the end of the CID information.

When the CPE receives the CID message it also does a modulo 256 sum of the fields, however it does not do a twos complement. If the twos complement of the modulo 256 sum (01001111) is added to just the modulo 256 sum (10110001), the low 8 bits of the result will be zero.
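Added example (not part of the original article): a receiver-side parser that applies the length and checksum checks described above to the bytes of Figure 1, and goes beyond this section to handle the "P" message of Figure 2 and the MDMF parameter layout of Figure 3. The function names and the printable-ASCII check before display are assumptions of this example.

```python
# Added example: parse and validate Caller ID messages (SDMF / MDMF).
# Sample bytes, including the checksum bytes, are copied from Figures 1-3.
SDMF, MDMF = 0x04, 0x80
PARAM_NAMES = {1: "datetime", 2: "number", 7: "name"}  # types shown in Figure 3


def checksum(body: bytes) -> int:
    """Twos complement of the modulo 256 sum of every byte before the checksum."""
    return (-sum(body)) & 0xFF


def _text(raw: bytes) -> str:
    """Assumption of this example: refuse control/8-bit bytes in displayed fields."""
    if any(b < 0x20 or b > 0x7E for b in raw):
        raise ValueError("non-printable byte in displayable field")
    return raw.decode("ascii")


def parse_cid(msg: bytes) -> dict:
    """Check length and checksum first, then decode the fields of one message."""
    if len(msg) < 3:
        raise ValueError("too short for type, length and checksum")
    mtype, length = msg[0], msg[1]
    if len(msg) != length + 3:
        raise ValueError("length byte does not match message size")
    # Receiver's check: every byte plus the checksum sums to 0 modulo 256.
    if sum(msg) & 0xFF != 0:
        raise ValueError("bad checksum")
    data = msg[2:-1]
    if mtype == SDMF:
        if length < 9:
            raise ValueError("SDMF needs 8 date/time digits plus number or O/P")
        return {"format": "SDMF", "datetime": _text(data[:8]), "number": _text(data[8:])}
    if mtype != MDMF:
        raise ValueError(f"unknown message type {mtype}")
    out, i = {"format": "MDMF"}, 0
    while i < len(data):
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("parameter runs past end of message")
        ptype, plen = data[i], data[i + 1]
        out[PARAM_NAMES.get(ptype, f"param_{ptype}")] = _text(data[i + 2:i + 2 + plen])
        i += 2 + plen
    return out


# Messages from the article's figures: type, length, data, checksum.
FIG1 = bytes([4, 18]) + b"122515306061234567" + bytes([79])
FIG2 = bytes([4, 9]) + b"12251530P" + bytes([16])
FIG3 = (bytes([128, 33, 1, 8]) + b"11281543" + bytes([2, 10]) + b"6062241359"
        + bytes([7, 9]) + b"Joe Smith" + bytes([88]))

if __name__ == "__main__":
    for m in (FIG1, FIG2, FIG3):
        print(m[-1], parse_cid(m))
```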
2.3 - Differences between SDMF and MDMF

Figure 2

Character                   Decimal  ASCII  Actual
Description                 Value    Value  Bits (LSB)
-----------------------------------------------------------
Message Type (SDMF)             4           0 0 0 0 0 1 0 0
Message Length (9)              9           0 0 0 0 1 0 0 1
Month (December)               49      1    0 0 1 1 0 0 0 1
                               50      2    0 0 1 1 0 0 1 0
Day (25)                       50      2    0 0 1 1 0 0 1 0
                               53      5    0 0 1 1 0 1 0 1
Hour (3pm)                     49      1    0 0 1 1 0 0 0 1
                               53      5    0 0 1 1 0 1 0 1
Minutes (30)                   51      3    0 0 1 1 0 0 1 1
                               48      0    0 0 1 1 0 0 0 0
Private                        80      P    0 1 0 1 0 0 0 0
Checksum                       16           0 0 0 1 0 0 0 0

That is how a "Private" call would be displayed. If the caller didn't use *67, it would look like Figure 1.

Figure 3

Character                   Decimal  ASCII  Actual
Description                 Value    Value  Bits (LSB)
-----------------------------------------------------------
Message Type (MDMF)           128           1 0 0 0 0 0 0 0
Message Length (33)            33           0 0 1 0 0 0 0 1
Parameter Type (Date/Time)      1           0 0 0 0 0 0 0 1
Parameter Length (8)            8           0 0 0 0 1 0 0 0
Month (November)               49      1    0 0 1 1 0 0 0 1
                               49      1    0 0 1 1 0 0 0 1
Day (28)                       50      2    0 0 1 1 0 0 1 0
                               56      8    0 0 1 1 1 0 0 0
Hour (3pm)                     49      1    0 0 1 1 0 0 0 1
                               53      5    0 0 1 1 0 1 0 1
Minutes (43)                   52      4    0 0 1 1 0 1 0 0
                               51      3    0 0 1 1 0 0 1 1
Parameter Type (Number)         2           0 0 0 0 0 0 1 0
Parameter Length (10)          10           0 0 0 0 1 0 1 0
Number (6062241359)            54      6    0 0 1 1 0 1 1 0
                               48      0    0 0 1 1 0 0 0 0
                               54      6    0 0 1 1 0 1 1 0
                               50      2    0 0 1 1 0 0 1 0
                               50      2    0 0 1 1 0 0 1 0
                               52      4    0 0 1 1 0 1 0 0
                               49      1    0 0 1 1 0 0 0 1
                               51      3    0 0 1 1 0 0 1 1
                               53      5    0 0 1 1 0 1 0 1
                               57      9    0 0 1 1 1 0 0 1
Parameter Type (Name)           7           0 0 0 0 0 1 1 1
Parameter Length (9)            9           0 0 0 0 1 0 0 1
Name (Joe Smith)               74      J    0 1 0 0 1 0 1 0
                              111      o    0 1 1 0 1 1 1 1
                              101      e    0 1 1 0 0 1 0 1
                               32           0 0 1 0 0 0 0 0
                               83      S    0 1 0 1 0 0 1 1
                              109      m    0 1 1 0 1 1 0 1
                              105      i    0 1 1 0 1 0 0 1
                              116      t    0 1 1 1 0 1 0 0
                              104      h    0 1 1 0 1 0 0 0
Checksum                       88           0 1 0 1 1 0 0 0

The only difference between SDMF and MDMF is that MDMF is slightly more advanced and has more features. It displays the calling party's name along with the number. It also has the Message type and length parameters. The Message type is defined as either 00000100 (SDMF) or 10000000 (MDMF). With SDMF the minimum message length can be 9 octets, whereas with MDMF the minimum length can be 13. When the minimum is sent, neither the CND nor the CNAM (Caller Name) is displayed. In their place, either an "O" (out of area) or a "P" (Private) is sent (as in the case of Figure 2).

2.4 - With CIDCW

CIDCW stands for CallerID on Call Waiting. It's so you know who is calling, even when you're already on the phone. It runs *only* under MDMF (which I think is standard). It varies a bit from normal CID. It doesn't send any kind of Channel Seizure and the Mark Signal is only 80 bits. Instead of a Channel Seizure, it sends a CAS (CPE Alert Signal) along with the SAS (Subscriber Alert Signal) and the box responds with an ACK signal, during which time it mutes the handset. Then it receives the FSK data, and it unmutes your phone after the data is received. Here is the sequence:

    SAS/CAS : CPE returns ACK : CO sends FSK : info displayed
            handset muted --^  handset unmuted --^

Tone frequencies:

    SAS == 440mhz (300ms in length)
    CAS == 2030+2750 (DTMF)
    ACK == "A" or "D"; A == 941+1633hz
                       D == 697+1633Hz

Surprisingly enough (to me at least), the ACK response is either the "A" or "D" tones from a Silver Box. So ha, they are still used for something other than PBX's or ham radio.


0day Exploits

3.1 - Defeating CID

Okay, I did steal this from the Fixer's Beating CallerID File. But, I really couldn't say it any better, so I included it. But mad cred's to the fixer for being so elite.
=)

(1) Use *67. It will cause the called party's Caller ID unit to display "Private" or "Blocked" or "Unavailable" depending on the manufacturer. It is probably already available on your line, and if it isn't, your local phone company will (most likely - please ask them) set it up for free. This is the simplest method, it's 100 percent legal, and it works.

(2) Use a pay phone. Not very convenient, costs 25 or 35 cents depending, but it cannot be traced back to your house in any way, not even by *57. Not even if the person who you call has Mulder and Scully hanging over your shoulder trying to get an FBI trace (sic). Janet Reno himself couldn't subpoena your identity. It's not your phone, not your problem, AND it will get past "block the blocker" services. So it's not a totally useless suggestion, even if you have already thought of it.

(3) Go through an operator. This is a more expensive way of doing it ($1.25-$2.00 per call), you can still be traced, and the person you're calling WILL be suspicious when the operator first asks for them, if you have already tried other Caller ID suppression methods on them.

(4) Use a prepaid calling card. This costs whatever the per-minute charge on the card is, as they don't recognize local calls. A lot of private investigators use these. A *57 trace will fail but you could still be tracked down with an intensive investigation (read: subpoena the card company). The Caller ID will show the outdial number of the Card issuer.

(5) Go through a PBX or WATS extender. Getting a dial tone on a PBX is fairly easy to social engineer, but beyond the scope of this file. This is a well-known and well-loved way of charging phone calls to someone else but it can also be used to hide your identity from a Caller ID box, since the PBX's number is what appears. You can even appear to be in a different city if the PBX you are using is! This isn't very legal at all. But, if you have the talent, use it!
(6) I don't have proof of this, but I *think* that a teleconference (Alliance teleconferencing, etc.) that lets you call out to the participants will not send your number in Caller ID. In other words, I am pretty sure the dial tone is not your own.

(7) Speaking of dial tones which aren't yours, if you are lucky enough to live in an area with the GTD5 diverter bug, you can use that to get someone else's dial tone and from thence their identity.

(8) Still on the subject of dial tones which aren't your own, you can get the same protection as with a payphone, but at greater risk, if you use someone else's line - either by just asking to use the phone (if they'll co-operate after they hear what you're calling about) or by the use of a Beige Box, a hardware diverter or bridge such as a Gold Box, or some other technical marvel.

(9) This won't work with an intelligent human on the other end, it leaves you exposed if the called party has a regular Caller ID box with memory, and has many other technical problems which make it tricky at best and unworkable for all but experts. A second Caller ID data stream, transmitted from your line after the audio circuit is complete, will overwrite the true data stream sent by the telco during the ringing. If the line you are calling is a BBS, a VMB, or some other automated system using a serial port Caller ID and software, then you can place your call using *67 first, and then immediately after the other end picks up, send the fake stream. The second stream is what the Caller ID software processes, and you are allowed in. See the technical FAQs below for an idea of the problems behind this method; many can be solved.

(10) Someone in alt.2600 (using a stolen AOL account, so I can't credit him or her properly) suggested going through 10321 (now 10-10-321) or 10288. Apparently using a 10xxx even for a local call causes "Out of Area" to show up on the Caller ID display.
I live in Canada where we don't have 10xxx dialing so I can't verify nor disprove this.

(11) There are 1-900 lines you can call that are designed to circumvent Caller ID, ANI, traces, everything. These services are *very* expensive, some as high as $5.00 a minute, but they include long distance charges. This was first published in 1990 in 2600 magazine, and in 1993 the IIRG reported that 1-900-STOPPER still works. Beware - even if you get a busy signal or no answer, you will get charged at 1-900 rates! Another one published in 2600 in 1990: 1-900-RUN-WELL. That one supposedly allows international calls. I'm not about to call either one to find out. Note that you could still be caught if the operators of these services were to be subpoenaed.

(12) Use an analog cellular phone. Most providers of plain old analog service show up on Caller ID as "Private" or "Out of Area" or a main switchboard number for the cell network. This is becoming less and less true as cellular providers move to digital cellular and PCS, which pass the phone's number on Caller ID. Corollary: Rent a cellphone by the day. This might even be cheaper than using a prepaid phone card.

3.2 - Alternate CallerID Information

If you're under a DMS-100 switch, you can change your Caller ID information to anything that you would like it to be. Not your ANI, just your CND (and your CNAM). You can do it 1 of 3 ways: hack the switch, social engineer, or have a friend on the inside do it. This also is stolen, from usenet. It also is really well written.

SDNA (Setting Up DN Attributes)
plenty of examples in HELMSMAN (DMS on-line help)

The following is accomplished in SERVORD:

    SDNA [return]
    [prompt] SNPA:
    [prompt] OFFICE CODE:
    [prompt] FROM DIGITS:
    [prompt] TO DIGITS:
    [prompt] NET NAME:
    [prompt] FUNCTION:
    [prompt] OPTION:
    [prompt] NPA:
    [prompt] OFFICE CODE:
    [prompt] DIGITS:
    YES to confirm .. updating (does so immediately)

SNPA is the area code of the line this is being done on.
OFFICE CODE is the exchange/prefix of the line this is being done on.
FROM DIGITS is the last four digits of the line this is being done on.
TO DIGITS is also the last four digits of the line this is being done on. (It can be done to a series of lines.)
NET NAME is PUBLIC
FUNCTION - there are three legit functions:
    ADD add.
    CHA change.
    DEL delete (self-explanatory)
OPTION is ADDRESS (phone number)
NPA is area code you want your new Caller ID to be
OFFICE CODE is the new exchange/prefix you want to have
DIGITS are the last four digits of the new Caller ID to be!
YES to confirm ...updating

Now you can call anyone who has Caller ID and they will think you are calling from the number you changed it to.

Please note the following effects and ramifications:

ANI still passes normally. It is only the Caller ID signal which changes. So anyone doing serious investigating at the phone company can still pull Last Incoming Call, etc., correctly.

Billing is not affected. That is, you cannot bill to the virtual (artificial number).

Call Return will call back the Caller ID, so if it's in the same area, it will call back the number. If the Caller ID you chose is from a different area, Call Return won't work. This is one of my favorites. Since having a non-pub number doesn't stop people from Call Returning you. Now it does!!

800 numbers: AT&T 800's will always get your ANI. MCI tends to usually grab your ANI. Operator 800's will definitely get your ANI. (800-225-5288). Sprint 800's can be configured either way. For example, AOL (America On Line) 800's get ANI. (yes, they resporg to Sprint). However, Western Union, and other Sprint 800's read the Caller ID. Most newer 800's read the Caller ID, but one must test to know for sure.

The above method of altering Caller ID on a line is the only legitimate way I have ever found to do so that really works. Can the same thing be done on 5ESS? Not that I am aware of, and I have researched it pretty thoroughly.
I have not researched Siemens switches, or others. Tchau for now. Have phun.


4.a - Glossary

ACK   -- Acknowledgment
ANI   -- Automatic Number Identification
ASCII -- American Standard Code for Information Interchange
BFSK  -- Binary Frequency Shift Keying
CAS   -- CPE Alerting Signal
CID   -- Caller Identification or Caller ID
CIDCW -- Calling Identity Delivery on Call Waiting or Caller ID on Call Waiting
CNAM  -- Calling Name Delivery
CND   -- Calling Number Delivery
CPE   -- Customer Premise Equipment
CPNM  -- Calling Party Number Message
DTMF  -- Dual-Tone Multifrequency
FCC   -- Federal Communications Commission
FSK   -- Frequency Shift Keying
ID    -- Identification
LATA  -- Local Access and Transport Area
LSB   -- Least Significant Bit
LSSGR -- LATA Switching Systems Generic Requirements
MDMF  -- Multiple Data Message Format
OSI   -- Open Switch Interval
PC    -- Personal Computer
SAS   -- Subscriber Alerting Signal
SDMF  -- Single Data Message Format
SPCS  -- Stored Program Control Switching System
SS7   -- Signaling System 7

4.b - Resources on the internet

http://www.markwelch.com/callerid.htm
http://members.xoom.com/hoal/cpid-ani.txt
http://bc1.com/users/fixer/files/BEATCID.TXT

-hatredonalog