Caller ID spoofing with PHP and Asterisk
Posted on Feb 14, 2006
I have cleaned up and commented a little hack I did for my home Asterisk server. It lets a person dial an extension and then be walked through spoofing caller ID on a call. It is a ridiculously easy hack to engage. I was surprised and a bit concerned at what this means in regards to trust and telephony. I mean, if a hobbyist is able to spoof caller ID on a phone call to anywhere with nothing more than asterisk@home and VMware, what is to stop someone from setting something like this up and stealing credit cards or social security numbers using some crazy social engineering? I guess nothing.
So anyway, I released my source code. It is really, really simple and based entirely on one small block of code. The basic idea is:
- Prompt user for input (spoofed number)
- Grab 10 digits (spoofed number)
- Prompt user for input (number to call)
- Grab 10 digits (number to call)
- Set caller ID based on input in step 1 and 2
- Make call to number from input in step 3 and 4
As you can see, the idea is pretty simple: get input, set caller ID, make call. The code is just as simple:

```php
//(step 1) Prompt user for input
$agi->stream_file('enter_spoof');

//(step 2) Grab 10 digits
$result = $agi->get_data('beep', 3000, 10);

//set variables and output debug info
$spoofnumber = $result['result'];
$agi->verbose("Spoof Number:".$spoofnumber);

//(step 3) Prompt user for input
$agi->stream_file('call_spoof');

//(step 4) Grab 10 digits
$result = $agi->get_data('beep', 3000, 10);

//set variables and output debug info
$callnumber = $result['result'];
$agi->verbose("Number to call:".$callnumber);

//(step 5) Set callerid to whatever the input was in step 2
$agi->set_callerid($spoofnumber);

//(step 6) Make call to number from input in step 3 and 4
$agi->exec("Dial IAX2/yourpassword@provider/1".$callnumber);
```
The AGI interface to Asterisk obviously hides a lot of the complex stuff that Asterisk does in the background, but still, the code is insanely simple, even with user interaction. A lot of features could be added: a password; caller ID checking to make sure only valid users are using the app; call back, so if you call it and set up your spoof, it calls back your number to make sure you are who you say you are. Or whatever ;) A lot of options are available. With a little bit of expansion, I think someone could easily make a robust caller ID spoofing application for criminals and non-criminals alike. It is easy enough for anyone to do.
Check out my code here: asterisk_callerspoof
What I have done is nothing new. There is a great article about all this: Automated Caller ID / ANI Spoofing. Asterisk and PHP rule.
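
Because the presented number is whatever the calling PBX sets, an operator who carries calls for several peers can audit for it. As an added example (not the author's code), this Python script checks call detail records for calls whose source number is not assigned to the peer that placed them. It assumes the column order of Asterisk's cdr_csv Master.csv and channel names of the form TECH/peer-N; the peer names, number assignments and CDR rows are constructed for illustration.

```python
import csv
import io

# Column order of Asterisk's cdr_csv Master.csv (first 16 fields).
CDR_FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel",
              "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
              "duration", "billsec", "disposition", "amaflags"]

# Hypothetical provisioning data: numbers each authenticated peer may present.
ALLOWED_CLI = {
    "customer-a": {"5551230001", "5551230002"},
    "customer-b": {"5559870001"},
}

# Constructed sample rows, not real call records.
SAMPLE_CDR = '''\
"","5551230001","15554440000","from-customers","""Alice"" <5551230001>","IAX2/customer-a-1","IAX2/upstream-2","Dial","IAX2/upstream/15554440000","2006-02-14 10:00:00","2006-02-14 10:00:05","2006-02-14 10:01:00",60,55,"ANSWERED","DOCUMENTATION"
"","5550000000","15554440001","from-customers","5550000000","IAX2/customer-a-3","IAX2/upstream-4","Dial","IAX2/upstream/15554440001","2006-02-14 10:05:00","2006-02-14 10:05:04","2006-02-14 10:06:00",60,56,"ANSWERED","DOCUMENTATION"
"","15559870001","15554440002","from-customers","15559870001","IAX2/customer-b-5","IAX2/upstream-6","Dial","IAX2/upstream/15554440002","2006-02-14 10:10:00","2006-02-14 10:10:03","2006-02-14 10:11:00",60,57,"ANSWERED","DOCUMENTATION"
"","5551230002","15554440003","from-customers","5551230002","IAX2/guest-7","IAX2/upstream-8","Dial","IAX2/upstream/15554440003","2006-02-14 10:15:00","2006-02-14 10:15:02","2006-02-14 10:16:00",60,58,"ANSWERED","DOCUMENTATION"
'''

def peer_of(channel):
    """'IAX2/customer-a-1' -> 'customer-a' (tech prefix and call suffix removed)."""
    _, _, rest = channel.partition("/")
    return rest.rsplit("-", 1)[0]

def normalize(number):
    """Keep digits only and compare on the 10-digit national number."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return digits[-10:]

def find_unowned_cli(cdr_text, allowed=ALLOWED_CLI):
    """Return (start, peer, presented number, dst) for calls to review."""
    findings = []
    for row in csv.reader(io.StringIO(cdr_text)):
        if len(row) < len(CDR_FIELDS):
            continue  # skip short or malformed rows
        rec = dict(zip(CDR_FIELDS, row))
        peer = peer_of(rec["channel"])
        cli = normalize(rec["src"])
        if cli not in allowed.get(peer, set()):  # unknown peers are flagged too
            findings.append((rec["start"], peer, cli, rec["dst"]))
    return findings

if __name__ == "__main__":
    for finding in find_unowned_cli(SAMPLE_CDR):
        print("presented number not assigned to peer:", finding)
```

The same comparison can be enforced at call setup instead of after the fact, by replacing an unassigned number with the peer's default before the call is passed on.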