I have cleaned up and commented a little hack i did for my home asterisk server - allowing a person to dial an extension and then be walked through spoofing caller id on a call. It is a ridiculously easy hack to engage. I was surprised and a bit concerned at what this means in regards to trust and telephony. I mean, if a hobbyist is able to spoof caller id on a phone call to anywhere with nothing more than asterisk@home and vmware.. what is to stop someone from setting something like this up and stealing credit cards or social security numbers using some crazy social engineering.. i guess nothing..

So anyway, i released my source code. It is really really simple and based entirely on one small block of code. The basic idea is:

  1. Prompt user for input (spoofed number)
  2. Grab 10 digits (spoofed number)
  3. Prompt user for input (number to call)
  4. Grab 10 digits (number to call)
  5. Set caller idea based on input in step 1 and 2
  6. Make call to number from input in step 3 and 4

As you can see the idea is pretty simple. get input. set callerid. make call. The code is just as simple:

//(step 1) Prompt user for input $agi->stream_file('enter_spoof'); //(step 2) Grab 10 digits $result = $agi->get_data('beep', 3000, 10); //set variables and output debug info $spoofnumber= $result['result']; $agi->verbose("Spoof Number:".$spoofnumber); //(step 3) Prompt user for input $agi->stream_file('call_spoof'); //(step 4) Grab 10 digits $result = $agi->get_data('beep', 3000, 10); //set variables and output debug info $callnumber= $result['result']; $agi->verbose("Number to call:".$callnumber); //(step 5) Set callerid to whatever the input was in step 2 $agi->set_callerid($spoofnumber); //(step 6) Make call to number from input in step 3 and 4 $agi->exec("Dial IAX2/yourpassword@provider/1".$callnumber);

The agi interface to asterisk obviously hides a lot of the complex stuff that asterisk does in the background - but still - the code is insanely simple. even with user interaction. A lot of features could be added - password; callerid checking to make sure only valid users are using the app; call back - so if you call it and set up your spoof, it calls back your number to make sure you who you say you are. or whatever ;) a lot of options are available. With a little bit of expansion - i think someone could easily make a robust callerid spoofing application for criminals and not criminals. it is easy enough for anyone to do.

Check out my code here: asterisk_callerspoof

What i have done is nothing new - there is a great article about all this: Automated Caller ID / ANI Spoofing asterisk and php rule.