Date: Fri, 21 Oct 94 07:54:30 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Subject: RE: CNID

------------------------------8<-------------------------------------------

Frequently Asked Questions About Caller-ID
v1.1 Mar. 1994

1) What is Caller-ID ?

First ask "What is ANI"

2) OK, What is ANI ?

ANI or Automatic Number Identification is a mechanism by which the different telephone companies determine what account is to be charged for a call. This information is passed between Telcos and was originally for billing purposes and predated both SS7 (Signaling System 7) and (C)LASS (Local Area Signaling Services was the original AT&T designation, the "C" was added by Bellcore after divestiture) services which make CNID or Calling Number IDentification, as Caller-ID is more properly known, possible.

Since the Telcos had ANI, the decision was made to make it available to authorized parties such as 911 service and law enforcement agencies. ANI is also used to let a Telco operator know who is calling.

More recently, ANI is used to report to 800 and 900 subscribers who made the calls they have received, in the first case so that the 800 subscriber knows who the charge is for, and so that 900 number subscribers know who to charge.

Thus while ANI is similar to CALLER-ID and may provide the same information, they are actually two different services and ANI information is not necessarily the same as what will appear on a CALLER-ID display.

3) Now (maybe) what is Caller-ID ?

Caller-ID is a Telco offering that is a byproduct of (C)LASS services. In this case, only those numbers reported by participating exchanges are returned; exactly which are and which are not is currently (March 1994) at the Telco's discretion.

The Federal Government has stated that it is their intent that nationwide CNID be available by mid-1995. The full text of this decision may be found in FCC Report No. DC-2571 issued on March 8, 1994.
The biggest effect of the ruling is to mandate transport of CPN (customer provided number) information between interconnecting networks, eliminating the effective inter-LATA-only limitation that exists today in most areas.

Currently there are two types of Caller-ID. The first (often referred to as "basic" service) just returns the calling number or an error message and the date/time of the call.

The second ("enhanced" Caller-ID) also may return the directory information about the calling number. At a minimum, the name of the subscriber is returned (the subscriber is not the same as the caller; the phone company has no way to determine who is actually on the line).

4) How is the Caller-ID information provided ?

As a 1200 baud, 7 data bits, 1 stop bit data stream usually transmitted following the first and before the second ring signal on the line. Note that this is not a standard Bell 212 or CCITT v22 data format so a standard modem will probably not be able to receive it. Further, the serial information exists as such only from the recipient's switch to the callee's location. Between carriers the signal exists as data packets.

The signal is provided before the circuit is complete: picking up the receiver before the data stream is finished will stop/corrupt the transmission.

Currently there are two types of information returned: a "short form" which contains the date/time (telco and not local) of the call and the calling number or error message. The "long form" will also contain the name and possibly the address (directory information) of the calling phone.

The "short form" stream consists of a set of null values, followed by a two byte prefix, followed by the DATE (Month/Day), TIME (24 hour format), and number including area code in ASCII, followed by a 2s complement checksum.
Most modems/caller id devices will format the data but the raw stream looks like this:

    0412303232383134333434303735353537373737xx

or

    (prefix)022813344075557777(checksum)

A formatted output would look like this:

    Date   - Feb 28
    Time   - 1:34 pm
    Number - (407)555-7777

5) Can a Caller-ID signal be forged/altered ?

Since the signal is provided by the local Telco switch and the calling party's line is not connected until after the phone is answered, generally the signal cannot be altered from the distant end. Manipulation would have to take place either at the switch or on the called party's line.

However, the foregoing applies only to a properly designed CNID unit. For instance the Motorola MC145447 chip has a "power down" option that wakes the chip up when the phone rings for just long enough to receive, process, and deliver the CNID signal, after which it shuts down until the next call.

Should this option be disabled, the chip will be in a "listen always" state and it is theoretically possible to "flood" a line, making a vulnerable box record successive erroneous numbers.

I have received a report of a device called "Presto Chango" that can transmit an extra ADSI modem tone after the call has been picked up that will cause a susceptible box to display the later information. It was also reported to me that CNID boxes marketed by US-West as their brand and made by CIDCO have been used to demonstrate the "Presto Chango" box.

6) What is "ID Blocking" ?

Most Telcos providing Caller-ID have been required to also provide the ability for a calling party to suppress the Caller-ID signal. Generally this is done by pressing star-six-seven before making the call. In most cases this will block the next call only; however, some Telcos have decided to implement this in a bewildering array of methods. The best answer is to contact the service provider and get an answer in writing.

Currently this is supplied as either by-call or by-line blocking.
By-Call is preferred since the caller must consciously block the transmission on each call. By-Line blocking as currently implemented has the disadvantage that the caller, without having a second caller-id equipped line to use for checking, has no way of knowing if the last star-six-seven toggled blocking on or off.

Note that blocking is provided by a "privacy" bit that is transmitted along with the CNID information and so is still available to the Telco switch, just not to the subscriber as a CNID signal. Consequently related services such as call trace, call return, & call block may still work.

7) What happens if a call is forwarded ?

Generally, the number reported is that of the last phone to forward the call. Again there are some Telco differences so use the same precaution as in (6). If the forwarding is done by customer owned equipment there is no way of telling, but it will probably be the last calling number.

Note that as specified, CNID is *supposed* to return the number of the originating caller but this is at the mercy of all forwarding devices, some of which may not be compliant.

8) What happens if I have two phone lines and a black box to do the forwarding ?

If you have two phone lines or use a PBX with outdialing features, the reported number will be that of the last line to dial. Currently there is no way to tell a black box from a human holding two handsets together.

9) I called somebody from a company phone (555-1234) but their Caller-ID device reported 555-1000.

Often a company with multiple trunks from the Telco and their own switch will report a generic number for all of the trunks.

There is a defined protocol for PBXs to pass true CNID information on outgoing lines but it will be a long time before all existing COT (Customer Owned Telephone) equipment is upgraded to meet this standard unless they have a reason to do so.

10) I run a BBS. How can I use Caller-ID to authenticate/log callers ?

There are two ways.
The first utilizes a separate Caller-ID box with a serial cable or an internal card. This sends the information back to a PC which can then decide whether to answer the phone and what device should respond. Some of these are available which can handle multiple phone lines per card and multiple cards per PC.

The second (and most common) is for the capability to be built in a modem or FAX/modem. While limited to a single line per modem, the information can be transmitted through the normal COM port to a program that again can decide whether or not to answer the phone and how. There is a FreeWare Caller-ID ASP script for Procomm Plus v2.x available for FTP from the Telecom archive. Most such software packages will also log each call as it is received and the action taken.

Of course for true wizards, there are chips available (one of the first was the Motorola MC145447) that can recognize the CNID signal and transform it into a proper RS-232 (serial) signal.

11) How is security enhanced by using Caller-ID over a Call-Back service or one-time-passwords for dial-up access ?

Caller-ID has one great advantage over any other mechanism for telephone lines. It allows the customer to decide *before* picking up the receiver, whether to answer the call.

Consider hackers, crackers, and phreaks. Their goal in life is to forcibly penetrate electronic systems without permission (sounds like rape doesn't it ?). They employ demon dialers and "finger hacking" to discover responsive numbers, often checking every number in a 10,000 number exchange.

If they get a response such as a modem tone, they have a target and will often spend days or weeks trying every possible combination of codes to get in. With Caller-ID answer selection, the miscreant will never get to the modem tone in the first place, yet for an authorized number, the tone will appear on the second ring.

Previously the best solution for dial-ups was to set the modem to answer on the sixth ring (ats0=6).
Few hackers will wait that long but it can also irritate customers.

12) What error messages will Caller-ID return ?

a) "Out of Area" - (Telco) the call came from outside the Telco's service area and the Telco either has no available information or has chosen not to return what information it has.

b) "Blocked" or "Private" - (Telco) the caller either has permanent call blocking enabled or has dialed star-six-seven for this call. You do not have to answer either.

c) "Buffer Full" - (device manufacturer) there are many Caller-ID devices on the market and exactly how they have chosen to implement storage is up to the manufacturer. This probably means that the device has a limited buffer space and the device is either losing the earliest call records or has stopped recording new calls.

d) "Data Error" or "Data Error #x" - (device manufacturer) signal was received that was substandard in some way or for which the checksum did not match the contents.

e) "No Data Sent" - (device manufacturer) signal was received consisting entirely of nulls or with missing information but a proper checksum.

13) Why are so many people against Caller-ID ?

FUD - Fear, Uncertainty, & Doubt or 10,000,000 lemmings can't be wrong. There were some justifiable concerns that some people (battered wives, undercover policemen) might be endangered or subject to harassment (doctors, lawyers, celebrities) by Caller-ID. As mentioned above there are several legitimate ways to either block Caller-ID or to have it return a different number. It is up to the caller. The advantage is that with Caller-ID, for the first time, the called party has the same "right of refusal".

Expect yet another Telco service (at a slight additional charge) to be offered to return an office number for calls made from home. Crisis centers could return the number of the local police station.

Compiled by Padgett Peterson. Constructive comments to: padgett@tccslr.dnet.mmc.com Brickbats >nul.

Thanks for additional material to:

    David J. Kovan
    Robert Krten
    John Levine
    David G. Lewis
    Karl Voss

but the mistakes are all mine - Padgett (Ignorance is curable)

END-----------------cut here------------------