
The JCC Bomb Threats – The telephony challenge

Over the course of the past few weeks, multiple bomb threats have been made against various Jewish Community Centers in the United States. While many look to the various aspects of racism, antisemitism and issues of cultural tolerance – as a telecommunications company, I would like to take a short look at the question: “Why is it so hard to stop these threats?”

If you ask a man on the street what he thinks of this, the most likely answer would be: “Why don’t they just trace the call and get the guy?” – but the truth of the matter is, doing that is virtually impossible. As telephony and telecommunication technologies evolved over the years, the infrastructure changed dramatically. During the 1980s, through the 1990s and maybe even the early 2000s – most inter-state and international telephony was carried over SS7/ISUP links. This means that every phone call, as it traversed the network, left a “trail” as to where it came from. The result was simple: calls were fairly easy to “trace”, as long as the call was active. Normally, the authorities had access to the various switching centers, and thus, calls could be traced.

Fast forward 10 years into the future, the year is now 2010. Most of the links between carriers are no longer ISUP based, they are now SIP based. Also, the introduction of Session Border Controllers and Topology Hiding techniques basically says the following: “You can only trace your call from your point to the closest hop, not beyond that”. The result is that putting a piece of hardware on your phone line and hoping to trace a call is virtually impossible. Why impossible? Simple – you just can’t see the next hop. So, in order to trace something back, you actually need to have access to all the various carriers along the way, be it national or international.

A recent posting on SoundCloud published the following call recording:

It is very clear the person on the other side of the line is masking their voice – but the thing is, they can also mask their origin and everything about their call. Now, originally, the callers were masking their CallerID to show as anonymous. However, following the original threats, the JCC centers got approval to have the CallerID presented, even if the remote party didn’t disclose it. Yes, it can be done both in ISUP and SIP. In SIP, this information is normally provided via the PAI header (P-Asserted-Identity), which is normally shared between carriers only – but can be exposed to the receiving party upon special request. But, alas, our callers were spoofing their calls, and their origins.

For example, let us assume that our caller is buying services from some out-of-country, Tier-4 SIP provider. Thus, the IP route taken in order to traverse that call into the US may look something like this:

Step 1: "Potential Terrorist" -> Hacked PBX (US) 
Step 2: Hacked PBX -> Remote Tier-4 (CZ) 
Step 3: Remote Tier-4 (CZ) -> Remote Tier-3 (RU)
Step 4: Remote Tier-3 (RU) -> Remote Tier-2 (CN) 
Step 5: Remote Tier-2 (CN) -> Remote Tier-1 (US)
Step 6: Remote Tier-1 (US) -> US ILEC 
Step 7: US ILEC -> US CLEC -> JCC Office

In other words, in order to track this call – the authorities will need to get approval from 3 different countries around the world, 3 local carriers in the US, and they’ll need to do this in real-time – as the only way to trace the call is as it is live. The minute it disconnects, finding out where the call traversed is even harder to do and costs an arm and a leg.
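What the receiving end of such a call can actually inspect, as an added example that is not part of the original post: the sketch below reads the From, P-Asserted-Identity, Privacy and Via headers of a SIP INVITE. The sample message, its numbers and host names are constructed for illustration.

```python
import re

# Constructed INVITE as a receiving PBX might see it behind its carrier's SBC.
# Numbers are from the fictional 555-01xx range; hosts are example domains.
SAMPLE_INVITE = (
    "INVITE sip:+12025550100@clec.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP sbc1.clec.example.net:5060;branch=z9hG4bKa1\r\n"
    "From: \"Anonymous\" <sip:anonymous@anonymous.invalid>;tag=77\r\n"
    "To: <sip:+12025550100@clec.example.net>\r\n"
    "P-Asserted-Identity: <sip:+12025550147@ilec.example.net>\r\n"
    "Privacy: id\r\n"
    "Call-ID: 9f3c@sbc1.clec.example.net\r\n"
    "CSeq: 1 INVITE\r\n\r\n"
)

def parse_headers(message):
    """Return {lowercased header name: [values]} for a raw SIP message."""
    headers = {}
    for line in message.split("\r\n")[1:]:   # skip the request line
        if not line:
            break                            # blank line ends the headers
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def uri_user(value):
    """Extract the user part of the first sip:/sips:/tel: URI in a value."""
    match = re.search(r"(?:sips?|tel):([^@;>\s]+)", value)
    return match.group(1) if match else None

def identity_report(message):
    """Summarise what the called party can learn about the caller."""
    h = parse_headers(message)
    from_user = uri_user(h.get("from", [""])[0])
    asserted = [uri_user(v) for v in h.get("p-asserted-identity", [])]
    privacy = [t.strip() for v in h.get("privacy", []) for t in v.split(";")]
    # Each Via entry is one hop the message admits to having crossed.
    hops = [v.split()[1].split(";")[0].split(":")[0]
            for line in h.get("via", []) for v in line.split(",")]
    return {"from_user": from_user, "asserted_users": asserted,
            "privacy": privacy, "visible_hops": hops,
            "asserted_differs": bool(asserted) and from_user not in asserted}

if __name__ == "__main__":
    print(identity_report(SAMPLE_INVITE))
```

The single Via entry is the topology-hiding effect: only the nearest SBC is visible. The P-Asserted-Identity value is whatever the upstream carrier asserted, so it identifies the hand-off into the trusted network rather than the true origin.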

Initially, when I was thinking about this blog post, I was thinking of actually putting up a small phone number in the US, that when you call it, will mask your number with a new one and call to a number of your choice. I then realized that this is a bad thing, as some may use this “educational tool” as a means to harass and harm others – so I abandoned the idea. But of course, if I thought of it, others have surely thought of it prior to me – and most probably turned it into a business. So, here they are:

https://www.spoofmyphone.com/


https://www.spoofcard.com/


https://www.spooftel.com/freecall/


Paul Goldenberg, director of the Secure Community Network said:

“They’re sophisticated enough to leverage technology on their behalf,” he said. “They’re using a machine that masks their voice. They’re using a technology that allows them to look like they’re calling from the inside.”
from: http://www.jta.org/2017/02/01/news-opinion/united-states/jcc-bomb-threat-probe-hindered-by-tech-disguises

In the same article, Jim Hartnett, a former FBI Supervisor said:

“They have the technology. It may take some analysis and some resources. They’ll be successful in pursuing and identifying the individual or individuals that are behind this.”

The word “some” is highly under-rated here, as the resources required to track this down are far greater than one would anticipate. While Goldenberg is optimistic as to the capture of the person behind these calls, I’m fairly pessimistic – as I’m familiar with the technology used to drive this. The technology itself is incredibly simple and has been around for years. Scripts and methodologies for doing this have been publicly available online as early as 2006. Kevin Mitnick, one of the world’s most notorious hackers, demonstrated it a few years back, and searching Google yields multiple results with extreme accuracy:

http://allanfeid.com/content/caller-id-spoofing-w-asterisk

https://www.chrismoos.com/2009/10/16/writing-a-freeswitch-caller-id-spoofing-interface/

In other words, the only way to truly capture the person behind this is combined work – not by just law enforcement agencies, but carriers, PBX owners and wholesale SIP providers. For example, a service called humbug has been around for a few years now, capable of aggregating call data from multiple carriers and correlating it in real time. The service is free of charge, and imagine what would happen if the entities mentioned before were connected to that service, and a call takes place. The second that call is disconnected, the service correlation engine can be queried for that call to see what it knows about the respective caller ID and call generation point. The entire concept of call spoofing will be futile, as there is a “see all” platform capable of saying what generated where. But the truth is, carriers don’t like sharing their information, PBX owners are far from being knowledgeable in the field of security – and wholesale carriers, well, they only care about their pockets – they always have. So, the entire system is built in a way that enables a shady person to take advantage of it and exploit others.
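A minimal sketch of the cross-carrier correlation idea described above, as an added example; it is not humbug's code or API. The record fields, the matching rule and the sample records are assumptions constructed here, reusing the route from the earlier example in this post.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Leg:
    carrier: str        # party that logged this call record
    received_from: str  # upstream peer, as that party saw it
    called: str         # destination number
    caller_id: str      # CallerID presented on this leg (may be spoofed)
    start: int          # epoch seconds, per the logging party's clock
    duration: int       # seconds

NUM, CID = "+12025550100", "+12025550147"  # constructed 555-01xx numbers

# Constructed records: only the three US carriers and the Tier-4 share data.
PARTIAL = [
    Leg("US CLEC", "US ILEC", NUM, CID, 1000, 95),
    Leg("US ILEC", "Tier-1 (US)", NUM, CID, 999, 96),
    Leg("US ILEC", "Tier-1 (US)", NUM, "+12025550199", 9000, 30),  # unrelated
    Leg("Tier-1 (US)", "Tier-2 (CN)", NUM, CID, 998, 97),
    Leg("Tier-4 (CZ)", "Hacked PBX (US)", NUM, CID, 996, 99),
]
# The same call once the two missing carriers contribute their records.
FULL = PARTIAL + [
    Leg("Tier-2 (CN)", "Tier-3 (RU)", NUM, CID, 997, 98),
    Leg("Tier-3 (RU)", "Tier-4 (CZ)", NUM, CID, 997, 98),
]

def same_call(a, b, skew=5):
    """Adjacent legs share the destination and nearly the same timing.
    CallerID is deliberately ignored: it is the field being falsified."""
    return (a.called == b.called and abs(a.start - b.start) <= skew
            and abs(a.duration - b.duration) <= skew)

def trace_back(cdrs, last_leg):
    """Walk upstream from the terminating leg; stop at the first peer with no
    unambiguous matching record. Returns the hops, terminating side first."""
    path, current = [last_leg.carrier], last_leg
    while current is not None and current.received_from not in path:
        path.append(current.received_from)
        matches = [r for r in cdrs
                   if r.carrier == current.received_from and same_call(r, current)]
        current = matches[0] if len(matches) == 1 else None
    return path

if __name__ == "__main__":
    print(" <- ".join(trace_back(PARTIAL, PARTIAL[0])))
    print(" <- ".join(trace_back(FULL, FULL[0])))
```

With the partial data the trail ends at the first carrier that shares nothing; with every hop contributing, it reaches the PBX where the call entered the network.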

I truly wish that the person behind this is caught, not because I’m Jewish, simply because racism in any form is something I don’t stand for.

 
