Phreaking is Back—21st Century Style!
Phreaking ("analog style") emerged in the 1960s and was around for over 30 years until it started to die out in the mid-1990s. In my opinion the term is best described by Wikipedia: "Phreaking is a slang term coined to describe the activity of a subculture of people who study, experiment with, or exploit telephones, the telephone company, and systems connected to or composing the Public Switched Telephone Network (PSTN) for the purposes of hobby or utility. The term 'phreak' is a portmanteau of the words 'phone' and 'freak'."
We've started to see a number of documented cases that point to a resurgence in phreaking, but this time it's not analog networks that are being exploited; instead, it's 21st century VoIP networks. I remember when I first started playing with VoIP in 2002, entrenched in the lab with an Asterisk PBX and one analog line. I thought it was very cool that I could route traffic all over the world. With a bit of research and a little investment, I also thought it was really cool that I could build quite a complex phone system with incoming and outgoing ISDN lines, trunks between PBXs, voice mail, and DTMF/text-to-speech driven applications (my phone to NMAP interface rocked!). However, at the back of my mind I could see this technology was going to spur the new era of phreaking, 21st century style.
In the early days people attempted to exploit the telephone network in order to obtain free telephone calls, among other things. Well, fast forward over forty years and we are back to where we started. Except now instead of analog it's digital, and instead of copper connecting us to the telephone switch it's an IP network. "The Grugq" has been giving presentations on "VoIPhreaking" at security conferences since 2005 (Hack In The Box and 22C3, among others) and this year is giving an updated talk on "VoIPhreaking: SIPhallis Unveiled" as well as training entitled "Tactical VoIP: Applied VoIPhreaking" at several security conferences.
With all of this knowledge one could argue that we can (and should) expect people to start exploiting VoIP infrastructures, similar to what happened in the analog world. As I write this, I remember reading an article last year about some VoIPhreakers in New Zealand who were causing havoc by using a spoofed caller ID when dialing up cellular network voice mail systems. The trick was that if the calling number ID matched the subscriber's telephone number there wouldn't be a prompt for a PIN to access the voice mail box. This memory was compounded by an article I read more recently by Robert McMillan of IDG News Service entitled "Man charged with selling hacked VoIP services". Basically the article describes how one man paid another to break into a number of VoIP services in order to obtain minutes for free, and these minutes would then be sold on to unsuspecting people through their own "wholesale" service.
What is clear from both incidents is that neither the cellular network provider (in the first case) nor the VoIP service providers (in the second case) were using very sophisticated authentication techniques; and as such their subscribers were easy targets. What this also demonstrates is that even though the technology is fairly new to mainstream users, there are attackers out there who understand the technology very well. These attackers can use their knowledge to damage VoIP infrastructures, which will cause direct fiscal loss to the owners of the infrastructure. The attackers will also use VoIP infrastructures and technology to target legacy analog telecommunications services. Oh, and of course we need to remember that attacks that apply to one technology can apply to another. I demonstrated this back in 2003 when I found an example of SQL injection via Caller ID.
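The two lessons above (caller ID is not a credential, and caller ID is not safe to splice into a query) can be shown side by side in a small voicemail front end. The following Python is an added illustration written for this page, not code from the post or from any of the providers it mentions; it assumes a SQLite-backed subscriber table (an assumption, the post does not say what backend was involved) and uses constructed sample numbers and PINs. It contrasts a string-built lookup with a parameterised one, allow-lists the calling number before it reaches any other code path, and contrasts the "matching caller ID skips the PIN" policy with one that always requires the PIN.

```python
"""Caller ID as untrusted input: weak vs hardened handling in a toy voicemail front end."""
import hmac
import sqlite3
from typing import List, Optional

# Constructed sample subscriber records (number, PIN); not real data.
SUBSCRIBERS = [
    ("15551230001", "4821"),
    ("15551230002", "7730"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory subscriber table (an assumed backend for illustration)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscriber (number TEXT PRIMARY KEY, pin TEXT NOT NULL)")
    conn.executemany("INSERT INTO subscriber VALUES (?, ?)", SUBSCRIBERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, caller_id: str) -> List[str]:
    """Mailbox lookup that splices the calling number ID straight into SQL.

    Whatever the signalling delivered as caller ID becomes part of the
    statement, so a crafted value changes the query instead of being data.
    """
    sql = "SELECT number FROM subscriber WHERE number = '" + caller_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn: sqlite3.Connection, caller_id: str) -> List[str]:
    """Same lookup with a bound parameter: the value can only ever be data."""
    sql = "SELECT number FROM subscriber WHERE number = ?"
    return [row[0] for row in conn.execute(sql, (caller_id,))]


def normalise_caller_id(raw: str) -> Optional[str]:
    """Allow-list the field before it reaches any other code path.

    Accepts only 7 to 15 ASCII digits (the E.164 length range); anything else
    is rejected and should be logged as a malformed calling number.
    """
    if raw.isascii() and raw.isdigit() and 7 <= len(raw) <= 15:
        return raw
    return None


def voicemail_access_weak(caller_id: str, mailbox: str) -> bool:
    """The policy behind the incident above: a matching caller ID skips the PIN.

    Caller ID is asserted by the calling side, so this check is only as strong
    as the originating network's willingness to forward whatever it was given.
    """
    return caller_id == mailbox


def voicemail_access_hardened(conn: sqlite3.Connection, mailbox: str, pin: str) -> bool:
    """Caller ID is never a credential: the PIN is required on every call.

    The calling number may still pre-select the mailbox or feed anomaly
    logging, but it plays no part in the access decision itself.
    """
    row = conn.execute("SELECT pin FROM subscriber WHERE number = ?", (mailbox,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], pin)


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # constructed: a caller ID value that is not a phone number at all
    print("vulnerable lookup:", lookup_vulnerable(db, crafted))  # every mailbox
    print("hardened lookup:  ", lookup_hardened(db, crafted))    # no mailbox
    print("normalised:       ", normalise_caller_id(crafted))    # None -> reject and log
    print("weak policy, matching caller ID:", voicemail_access_weak("15551230001", "15551230001"))
    print("hardened, wrong PIN:", voicemail_access_hardened(db, "15551230001", "0000"))
    print("hardened, right PIN:", voicemail_access_hardened(db, "15551230001", "4821"))
```

The normalisation step is worth keeping even once the query is parameterised: a calling number that contains anything other than digits is a signal in its own right and belongs in the PBX or application logs, which is where the detection side of this starts.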
In short, we need to understand the technologies we're implementing and be aware of the security implications, attack vectors, and mitigation techniques. It is also important to keep abreast of new attacks against the technologies involved, and follow your vendor-specific product implementations.