Good afternoon. I'm Strom Carlson. This is Lucky235 and welcome to Phone Phreaking in the Age of Voice over IP. We're having a little problem with Lucky's laptop. We're not getting video on it. So yeah, we had some slides prepared but hopefully Lucky will be able to get it working before, hopefully he'll be able to get it working but if not, I'll just try and explain everything to you as best I can. You always have to make up the diagrams in your head. So anyway, how many of you, let's start off, how many of you consider yourselves phone phreaks? Show of hands. All right. How many of you work for a telephone company of some kind? Okay. Okay. How many of you know what Signaling System 7 is? I don't know if the hands have went up. Typically we're not the people who consider themselves phone phreaks. So, let's start off. In the old days of course, during the Bell System and electromechanical switching, all the signaling was in-band obviously, multi-frequency, multi-frequency signaling in-band, dial pulsing, crossbar pulsing, revertive pulsing. Now, during the 1970s, Bell Labs developed a thing called Signaling System 7, which is an out-of-band signaling protocol which is used to set up calls, tear down calls, and today it's pretty much ubiquitous, which is why things like blue boxing no longer work. Talk about it. We have, yeah, thank God, we have slides. So, while he sets this up, I'm going to talk about briefly, I'm going to introduce, you'll see all the stuff on the table, the pay phones are not part of this. So, but during the speech, what I'm going to be doing is I'm going to randomly ask questions related to what we spoke about, and if someone can answer them, you will win this stuff. So, free stuff. We have Western Electric line cards, we have weird technical books I found at the used bookstore, and we have an actual phone that you can win. Yay. This one? Yeah, two of them. What's going on? Okay. Now I can see what I'm talking about.
Okay, so, introduction to Signaling System 7. Now, typically, when you dial a call, this is an example call from here at the Alexis Park Hotel to a restaurant in Pacific Palisades, California called Gladstone's 4 Fish, and the telephone number is 310 GL4 FISH. So, typically what you have here, this is Alexis Park Hotel, and this is South 7, which is the Sprint local telephone office, which gives dial tone to the Alexis Park here. When you pick up the phone and you dial 310 GL4 FISH, the local end office analyzes the call, leads it to the DMS-200 tandem in downtown Las Vegas with the main tandem. That tandem analyzes, and let's assume, for example, that this call is going over AT&T's long distance network. So, this DMS-200 tandem will pick up a trunk to the nearest number 4 ESS of AT&T's, which in this case is AT&T's San Bernardino 4ESS, and then hand the call off to AT&T. The 4ESS in San Bernardino picks up a trunk to the 4ESS in Los Angeles, in downtown Los Angeles, and routes the call there. That 4ESS picks up a trunk to the 5ESS tandem in Santa Monica, which then picks up a trunk to the GTD-5 EAX end office in Pacific Palisades, which then rings the phone of Gladstone's 4 Fish. Now, in the old days, what you would have is all the signaling would be over the same channels that the voice call is going over. So, you would have the trunks pick up, you would hear multiple frequency tones going over them, or in some cases, a word of pulsing. But today, you notice when you pick up the phone, you dial a long-distance call and it starts ringing almost immediately. This is due to Signaling System 7. Lucky, someone's trying to hack you, Lucky. Why are you running Windows, Lucky? So, Signaling System 7 has a network architecture, which uses switches which are not part of the voice traffic. Your voice call, your voice path is set up over one trunk, but the signaling occurs over different out trunks out of band.
So, the SSPs in this diagram, SSP stands for switching service point. And the SSP is the dial tone office, the office that rings your phone, the office that gives you your dial tone. Basically, it's your standard DMS-100, 5ESS office. The STP is the signal transfer point, which is a very fast, very efficient, high-volume packet switch. And SS7 is a packet switched network. It's all data, and it's, there are a number of packets. The most important of which for call setup is called the initial address message, the IAM. It's a huge packet with potentially hundreds of parameters in it. There are, but we'll get into that in a second. And then we have these things called the SCP, which is a switching control point. Now, the STPs are switches, but the switching control points are more like computers. Typically, one of the common uses for them is as databases. The switching control points contain things like the 800 number lookup directory. So, when you dial a toll free call, the end office, your SSP, does a database dip into the SCP and finds out which carrier that toll free call is using, and then sort of routes the call to that carrier. Once the call gets to that carrier, then the carrier dips into their own SSP, finds the ring-to number for that toll free call, and then routes the call to that number. The other use for the SCP is, for example, when you have caller ID with name. When the call routes to your end office, then, actually, I'm getting into that later, so let's move on to the next slide. This is a diagram of what happens for a successful ordinary call. This is just the call setup. This is between you dialing the call and the other party answering. This is what happens. You pick it, first here, you pick up the call, and you pick up the number.
Your originating exchange completes the backward connection, the audio path, and then transmits the initial address message, which contains all the call setup information, all the way through the various tandems, all the way to the destination switch, and then that's what checks to see whether the called party is available. If the called party is available. That wasn't me. That wasn't me. All right. If the called party is available, then the switch results will be in that telephone, and we'll, we'll, we'll, it, it, it's, once the, basically, the terminating switch, what's going on, like, with your phone? I don't know which phone is this. Like, he's finding out what his phone is. So, yeah, hang up. Okay, so what I'm going to do today, disconnect this until I need to use it. When the terminating end office has received the IAM packet, then it sends an address complete message, which is basically like an acknowledge all the way back to the originating switch. Then it starts ringing the telephone of the called party and sends call progress all the way back to the originating switch, which in this case would be a ringback sound, an audible ringtone. And then once the called party answers, a connect message is sent all the way back to the originating exchange. The call path is completed in the backwards direction so that you can hear your called party speaking. And then billing starts, and charging begins. So now the initial address message for Signaling System 7 is equivalent, if you, how many of you are familiar with ISDN protocol? Okay, the SS7 initial address message is equivalent to the ISDN setup message. There are dozens and dozens of parameters. If you look at the ITT specification for SS7, what's going on with the phones? If you look at the ITT specification for SS7, the initial address message can contain hundreds and hundreds of parameters, things like the geographic location of the calling party, and the billing number, class of service.
But the most important ones for the purpose of the speech are the called party number, that has to be in there. The calling party number, which is optional, the billing telephone number, which I believe is not optional, and the class of service, which is referred to as the ANI II on the North American Numbering Plan Administration's website. So it's time for the first question. For the Zilog Z8000 family gigabook, what is the equivalent of the ISDN setup message in SS7? In the back. That's right. I can't get it. So the billing telephone number is the charge number. This is what is traditionally referred to as ANI, automatic number identification. This is set at the switch level for both plain old telephone service and ISDN. This is used for call billing and accounting purposes, and it may be different from the calling party number. And the reason for this is because say for example, and okay, say for example, you are calling from a hotel, from an office PBX, all the calls are billed to one number, but you want to be able to identify which specific direct inward dial line the call is coming from. So you have the billing telephone number set for the main number, but the calling party number is the number of the station you're calling from. So they can be different. ANI II is an extension of ANI, and this is class of service, sometimes called flexible ANI by some of the telephone companies. But no one seems to agree what the II actually stands for. For why is it called an information indicator, Qwest calls it information integers and NENA, which is the National Emergency Number Association, calls it identification indicators. Identification information. I should read my slides. And this is a summary of some of the digits that the ANI II can be. Most of you when you call from home from the home phone will have zero zero, which is noncoin service requiring no special treatment. Either zero two or two three can be used for ANI failure.
Two seven is your typical, you know, Western Electric one single slot coin phone with coin control signaling, seven zero is a COCOT, 61 through 62 are mobile phones and 30 through 32 are intercept, 29 is prison service. Now the party number is an interesting thing because for regular telephone service and basic rate ISDN it's set at the switch level. However, if you have a primary rate ISDN line, what they do is they allow you to transmit your own party number into the network. And this is what is used to generate the caller ID, which is displayed on your own telephone. So again, this example I'm using of the situation where you need this, if you have an office with, you know, 500 people and they all have direct inward dial lines. If all the calls are billed to the main number, then the billing telephone number will be set at that main number. But if you need to display on the person you're calling's caller ID box what the, what the direct inward dial number you're calling from is, then the switch can set this, the actual PBX will set this. Now, even if you block your caller ID by dialing star 67, this number is always sent to the terminating end office of the party you're dialing. It's, there's a bit set in the IAM which prevents presentation of this, of the number to the called party, but it is sent all the way to the far end of the switch. So there are many cases, Lucky will talk about this, where actually even dialing star 67 may not prevent you from blocking your telephone number from the called party. But this doesn't have to be a valid number. It doesn't have to conform with the North American Numbering Plan at all. For example, a friend of mine was showing me his cell phone, he was troubleshooting something that was going on, and a customer said, well anytime I call a cell phone from my PBX, it displays this really weird long number, and he showed me the number, it was 14 digits long for North American Numbering Plan telephone call.
And apparently the person who set up the PRI had actually programmed that into the PBX mistakenly. And, but the calling party number doesn't actually have to exist in the IAM at all. Now, the way calling name delivery works is this, the calling name is not delivered to the called party from the originating end office. When you dial the number, the end office you're dialing takes that number. First off, it determines whether or not the person you're calling has calling name delivery at all. If they do, what it does, it does, that switch does a database dip into the SCP with that number. And the SCP returns the name associated with that number. And this can be very useful as Lucky will demonstrate later. So, okay. What is the abbreviation for the packet switch in the SS7 network? Okay. You win, kiss my bell, goodbye. All right, Lucky? Well, this, first question. You explain VoIP, I'll explain that. Basically, we talked about voice over IP, which is a technology that allows telephone calls to be placed over the internet, either from computer to computer, or from computer to into the phone system, or with an analog telephone adapter and a VoIP service, you can actually place phone to phone calls using a broadband connection. This is just an example of a VoIP call that routes into the PSTN, which is the public switched telephone network. Basically, it just goes through the internet. The way this routes is, if this is the phone you're dialing from, then you have either an analog terminal adapter or an actual voice over IP phone, which connects to the internet usually through your cable or DSL modem, or if you're in an office, then it'll connect through your T1 line. And it goes from the internet to the VoIP provider's point of presence. From there, it hits the public switched network. In this example, you're dialing into a big city like Los Angeles, and you're dialing a number there.
So if you hit a point of presence in Los Angeles, then it'll hit the local exchange carrier's access tandem, and so for example Pacific Bell's tandem on Grand Avenue in downtown Los Angeles, and then it'll go to the end office you're calling and ring the phone. In the second example, if you're calling a more rural area, where they don't have a point of presence, it'll be over a standard inter-exchange carrier's long distance network. But for the most part, it's pretty much the same. Alright, and messing around with a lot of these VoIP services, which is a new technology, basically we found a few exploits. Main one, caller ID spoofing, and also number trapping, which is actually obtaining someone's call party number just by having them call your phone number. So even if they star 67, or block their caller ID, you can still get their phone number just by having them call your phone. The first exploit I'm going to talk about is one with Vonage number portability, and basically, all you have to do is call up Vonage at 1-8 Vonage Help, or no, 1 Vonage Help, and order their service, and you can tell them, yeah, I'd also like to port my cell phone over there, and you can give them any phone number that's portable to the Vonage network, and they'll go ahead and set it up so that your caller ID is actually that phone number on every outgoing call. They'll give you a virtual number for you, for people to temporarily call you while you're sending in your letter of authorization, which allows them to actually port the number over. But even if you don't send in the letter of authorization, they still have your caller ID set to your cell phone number, and when you place outgoing calls, that's what it'll say, and not only that, if someone on the Vonage network tries to call your cell phone, instead of giving them their cell phone, it'll actually ring your Vonage phone, which I'm going to demonstrate right here how this works. Oh wait, is this camera on? Yeah.
As you like to say in the phone, it says, oh sorry, for experiencing difficulty. Please try to call then. Um, I have two Vonage lines here, I was going to try and call one and show the caller ID of my first, but I'm currently having the first one forwarded to my cell phone, which is why it kept ringing. But, so instead, because I can't show you the caller ID, I'm just going to call 800-444-44444, which will actually read back the phone number two. Just so you know, this is a quick line. You're calling NCI. Our system indicates you're calling from 206-209-309. Hold on. Keep calling NCI. Our system indicates you're calling from 202-867-5309. If this is the number you're calling. Some of you might have recognized that it's 212-86753-09, Jenny's number in New York. Did they try to sell it on eBay? Yeah, they tried to sell it on eBay for $80,000 and Vonage reported it without a letter of authorization. Now, if somebody on Vonage tries to write the voice mail, which it should be ringing to, or someone's on a Vonage line right now, it'll actually ring my phone like it's ringing right now. And I'll try and demonstrate that with my second Vonage line. Wait, is that plugged in? The white one? No dial tone. Oh, here we go. Is that going to pick up? Those of you that can decode DTMF, that was 212-86753-09. So as you can see, I mean this can come in pretty useful, and when they try, if someone on Vonage tries to call that phone number, instead of reaching the actual person, they'll reach your Vonage line. Okay, I see that's wrong. So, believe me. Oh! Okay. I want to do a quick storm. The next exploit I'm going to talk about, doesn't look like we have time to demonstrate this. This is Doug, over there. And this is with a service called VoicePulse which you can sign up at VoicePulse.com. They offer unlimited long distance and a whole lot of features. One of them which is called anonymous call rejection with prompting.
Now, what this feature does is when you turn that feature on and someone calls to try, someone tries to call your VoicePulse line, it'll say, if they call it with their phone, tell me where you're calling from. And you punch in the phone number that you want to call from, and that's what'll show up on the caller ID. Now, if you turn on call forwarding, you can actually forward all your calls to the number that you want to spoof to and you just call up your VoicePulse number with the caller ID blocked and it'll ask you what number do you want to call from and you punch it in and then it'll call your friend or whoever you're trying to call and when they look at you. We're going to talk about another exploit with VXML, which is basically VoiceXML, it's a scripting language for phones, it's what TellMe uses and basically, you can go to erase.us slash bvocal.xml and sign up for bvocal.xml service at cafe.bvocal.com and if you upload that script you can call the 1-800 number and just punch in the phone number you want to call from and the phone number you want to call to and it'll give you a free 1-minute call with your caller ID spoofed. I was also going to talk about back spoofing, which is basically, you just spoof caller ID back to your home line and when you look at the caller ID the name that'll show up is the actual name associated with that phone number. So if you have a phone number and you don't know what the name or the business is of that number you can just call yourself the name right on your caller ID. Okay. You have 3 minutes left. Okay, I've got 3 minutes left. This basically, I was just going to talk about a call party number, you can sign up for a voicemail called case7.net and they'll give you a Seattle 206 number and it's just like any other voicemail but when anyone calls it, even if they block the caller ID and the voicemail message it'll have their phone number on it.
Another example is FreeWorld Dial-up which is another VoIP service and you can use a superior device to make calls with it. You can give people your FreeWorld Dial-up extension, which, this is a free service, and anyone that calls 248-724-700 when they can your FreeWorld Dial-up number, on the caller ID it'll show their phone number whether or not it's blocked. In call forwarding, basically the same thing as case7 or anything else, you can just have your phone number forwarded to one of these case7 voicemails and the phone company will automatically forward their call party number to your voicemail and then it'll get trapped, so you can give out your home phone number, have it call forwarded to your case7 voicemail and when anyone calls and leaves a message it'll have their phone number in the message. We were going to talk about Asterisk, we don't have our speaker here today, but basically there's some IAX providers that you can just set your call party number to whatever you want and you can have people call your Asterisk number and it'll show the call party number when they call your Asterisk line and you can have it set up just like a regular phone and there's all kinds of other neat stuff you can do with Asterisk, and that's pretty much the end of our speech. It's seven o'clock. Okay, so we have a couple minutes left, so let's do a little bit of a question for the phone. What's the name of the restaurant I referred to at the beginning of the speech? I can't tell who yelled at first. Um, okay, um, okay, okay, okay. What street in downtown Los Angeles is Pacific Bell's DMS tandem on? Get the phone, and I'm going to give you this software from some ancient computer from 1982. Yes, you. So, we have any questions quickly?
No, sorry. In caller ID and blocking, is the Asterisk, what would be the configuration file you'd need? Basically you just have to set the caller ID field. Let's see, what was that? Unblocking for incoming. Unblocking for incoming, right, the provider will automatically send the number and it'll be in your logs. No, no, no, the voice over IP provider will usually just send the number to you. Okay, wrap it up. Yes, ask away. Call forward your cell phone to a K7 voicemail and usually it'll get right on you, when they leave a message on the voicemail it'll have their phone number on it. We're incoming calls? Yes, we're incoming calls. Is it possible to spoof an AII? Yes and no, you can spoof, we're at, where at, you can spoof with some PBX's that will forward your caller ID. Sorry, are you fine? Yes.