TUCoPS :: Phreaking Caller ID :: beatcid.txt

Beating Caller ID - v1.4

Better a bottle in front of me than a frontal lobotomy.




                           Beating Caller ID
                              by The Fixer
                            v.1.4 2000/04/30
                      (C) 1998-2000 Meester Feexer

For free distribution - you may freely repost & distribute this but not
for profit without permission of the author.


             To start off with - 15 Ways to beat Caller ID

(0) This doesn't count as a way to beat CID, but there's a general
    principle to consider when contemplating ways to beat CID.
    Generally, the CID signal your target sees corresponds to the owner
    of the dial tone you call him from.  If you call direct, you dial
    from your own dial tone and your line is identified.  If you call a
    third party, and by whatever means manage to acquire his dial tone,
    and from there dial out, it is the number associated with that
    second dial tone that your target sees.  Some of the ideas following
    this were developed with this basic idea in mind.

(0.5) This also doesn't count, but remember that beating Caller ID as
    such is only the first layer of your protection.  If your calling is
    sufficiently annoying or criminal, there is *always* a paper trail
    (ANI data, billing data, trouble reports, *57 traces, etc) leading
    back to the phone you first called from.  That trail is not always
    easy or worthwhile to track you down with.  Whether or not the trail
    is followed depends entirely upon how pissed off your target is and
    how much co-operation he can get from the phone company, law
    enforcement, etc.

(1) Use *67.   It will cause the called party's Caller ID unit to
    display "Private" or "Blocked" or "Unavailable" depending on the
    manufacturer. It is probably already available on your line, and if
    it isn't, your local phone company will (most likely - please ask
    them) set it up for free.  This is the simplest method, it's 100
    percent legal, and it works.

(2) Use a pay phone.  Not very convenient, costs 25 or 35 cents
    depending, but it cannot be traced back to your house in any way,
    not even by *57.  Not even if the person who you call has Mulder and
    Scully hanging over your shoulder trying to get an FBI trace (sic).
    Janet Reno himself couldn't subpoena your identity.  It's not your
    phone, not your problem, AND it will get past "block the blocker"
    services.  So it's not a totally useless suggestion, even if you
    have already thought of it.

(3) Go through an operator.  This is a more expensive way of doing it
    ($1.25-$2.00 per call), you can still be traced, and the person
    you're calling WILL be suspicious when the operator first asks for
    them, if you have already tried other Caller ID suppression methods
    on them.

(4) Use a prepaid calling card.  This costs whatever the per-minute
    charge on the card is, as they don't recognize local calls.  A lot
    of private investigators use these.  A *57 trace will fail but you
    could still be tracked down with an intensive investigation (read:
    subpoena the card company).  The Caller ID will show the outdial
    number of the Card issuer.

(5) Go through a PBX or WATS extender.  Getting a dial tone on a PBX is
    fairly easy to social engineer, but beyond the scope of this file.
    This is a well-known and well-loved way of charging phone calls to
    someone else but it can also be used to hide your identity from a
    Caller ID box, since the PBX's number is what appears.  You can even
    appear to be in a different city if the PBX you are using is!  This
    isn't very legal at all.  But, if you have the talent, use it!

(6) I don't have proof of this, but I *think* that a teleconference
    (Alliance teleconferencing, etc.) that lets you call out to the
    participants will not send your number in Caller ID.  In other
    words, I am pretty sure the dial tone is not your own.

(7) Speaking of dial tones which aren't yours, if you are lucky enough
    to live in an area with the GTD5 diverter bug, you can use that to
    get someone else's dial tone and from thence their identity.

(8) Still on the subject of dial tones which aren't your own, you can 
    get the same protection as with a payphone, but at greater risk,
    if you use someone else's line - either by just asking to use the
    phone (if they'll co-operate after they hear what you're calling 
    about) or by the use of a Beige Box, a hardware diverter or bridge 
    such as a Gold Box, or some other technical marvel.

(9) This won't work with an intelligent human on the other end, it
    leaves you exposed if the called party has a regular Caller ID box
    with memory, and has many other technical problems which make it
    tricky at best and unworkable for all but experts.  A second Caller
    ID data stream, transmitted from your line after the audio circuit
    is complete, will overwrite the true data stream sent by the telco
    during the ringing.  If the line you are calling is a BBS, a VMB, or
    some other automated system using a serial port Caller ID and
    software, then you can place your call using *67 first, and then
    immediately after the other end picks up, send the fake stream.  The
    second stream is what the Caller ID software processes, and you are
    allowed in.  See the technical FAQs below for an idea of the
    problems behind this method; many can be solved.  Since the first
    version of this file was published, a concept called the Orange Box
    was published.  It exploits Call Waiting Caller ID boxes and has
    some of the same problems as just sending a fake stream after
    pickup, plus the added problem of only working against Call Waiting
    Caller ID boxes.  I suspect that eventually all new Caller ID phones
    and adjunct boxes will be sold with the Call Waiting Caller ID
    feature, so that problem will probably go away.

(10) Someone in alt.2600 (using a stolen AOL account, so I can't credit
    him or her properly) suggested going through 10321 (now 10-10-321)
    or 10288.  Apparently using a 10xxx even for a local call causes
    "Out of Area" to show up on the Caller ID display.  I live in Canada
    where we don't have 10xxx dialing so I can't verify nor disprove
    this.

(11) There are 1-900 lines you can call that are designed to circumvent
    Caller ID, ANI, traces, everything.  These services are *very*
    expensive, some as high as $5.00 a minute, but they include long
    distance charges.  This was first published in 1990 in 2600
    magazine, and in 1993 the IIRG reported that 1-900-STOPPER still
    works.  Beware - even if you get a busy signal or no answer, you
    will get charged at 1-900 rates!  Another one published in 2600 in
    1990: 1-900-RUN-WELL.  That one supposedly allows international
    calls.  I'm not about to call either one to find out.  Note that you
    could still be caught if the operators of these services were to be
    subpoenaed.

(12) Use an analog cellular phone.  Most providers of plain old analog
    service show up on Caller ID as "Private" or "Out of Area" or a main
    switchboard number for the cell network.  This is becoming less and
    less true as cellular providers move to digital cellular and PCS,
    which pass the phone's number on Caller ID.  Corollary: Rent a
    cellphone by the day.  This might even be cheaper than using a
    prepaid phone card.

(13) Get the co-operation of a third party with Three Way Calling.  You
    call your friend (who might be at work, school, or anywhere else
    where there is a phone with either 3-Way Calling or a 2-line
    conference mode) and he then places the call for you.  You're then
    connected to whoever you really want to talk to, but you're not
    physically at the location the call is traced to.  If you're doing
    it this way because you expect a SWAT team to descend on the traced
    location, then it should be a phone in a place where your friend can
    get away and leave you and your target talking (which rules out
    school and work but not, say, a courtesy phone in a store somewhere.)

(14) Voice mail!  If your target has the voice mail service provided by
    his local telephone company, you can leave a message on it directly
    without having to call his line (thus avoiding Caller ID).  Look
    in his local phone book for the direct dial-in number.

(15) If you ever reach an intercept operator who asks you what number
    you are calling from, oftentimes whatever you tell her will appear
    on your target's Caller ID box!  According to Rufus T. Firefly in
    alt.phreaking, OCI/Wiltel and likely several other companies don't
    pass ANI, so if you call their main 800 number through an operator,
    and ask to place a card or collect call, you will sometimes be asked
    for your phone number.  Tell her some phony number, the number of
    the White House, another number in the same building, a nearby
    payphone, whatever.


                          How Caller ID Works

Caller ID is a data stream sent by the phone company to your line
between the first and second ring.  The data stream conforms to Bell
202, which is a 1200 baud half-duplex FSK modulation.  That is why
serial Caller ID boxes run at 1200 baud.

The data stream itself is pretty straightforward.  Here's an example:

UUUUUUUUUUUUUUUUUUUUUUUUUUUUUU€'^D032415122503806467x

The first thing of note is the 30 U's.  Those are actually sync pulses.
A "U" is 55 hex, or 01010101 binary.  This is called the "Channel
Siezure Signal."

After that comes 130 milliseconds of 1200 Hz (the Bell 202 "mark"
frequency) which usually shows up in the datastream as a character or
two of garbage.

That is followed by the "message type word", which is 04 hex for
standard Caller ID, 07 hex for Name & Number.  A word, by the way, is 8
bits for our purposes.

That is followed by the "message length word" which tells us how many
bytes follow.

The next four bytes are the date, in ASCII.  In the example above, the
date is 0324, or March 24th.

The next four bytes after the date are the time, also in ASCII.  In the
example, the time is 1512, or 3:12pm.

The next 10 digits are the phone number that is calling.  In the
example, the phone number is 250-380-6467.  The number is also in ASCII
and doesn't contain the hyphens.  Some phone companies will leave out
the area code and only transmit 7 digits for a local call, others will
always send the area code as well.

If this were a name-and-number Caller ID data stream, the number would
be followed by a delimiter (01h) and another message length byte to
indicate the number of bytes in the name.  This would be followed by the
name itself, in ASCII.

If this call originated from an area that doesn't support Caller ID,
then instead of the phone number, a capital "O" is transmitted (4F hex).

If the call was marked "private" as a result of the caller using *67 or
having a permanent call blocking service, then instead of the phone
number, a capital "P" (50 hex) would be sent.

The very last byte of the data stream is a checksum.  This is calculated
by adding the value of all the other bytes in the data message (the
message type, length, number and name data, and any delimiters) and
taking the two's complement of the low byte of the result (in other
words, the two's complement of the modulo-256 simple checksum of the CID
data).



                          Some Technical FAQ's


Q: When I block Caller ID with *67, does it send my number anyway and
   just set a "private bit" so that the other person's Caller ID Display
   unit won't display it?

A: No.  The person you're calling doesn't get your phone number anywhere
   in his data stream if you block your call that way.  All he/she gets
   is "P" and the date/time of the call.

   I would like to refer to an experiment I performed in March, 1998
   with a Serial Port Caller ID, which delivers the raw data stream to a
   PC for software interpretation.  The following Usenet message (edited
   for this file) is the report I published on that experiment:

        Newsgroups: alt.2600
        From: The Fixer <fixer@bc1.com>
        Date: Tue, 24 Mar 98 16:12:58 -0800
        Subject: Caller ID and *67 - The Facts

        OK, it's time to shovel the bullshit which is piling up in this
        newsgroup about Caller ID.

        A few people are saying that when you block your Caller ID with
        *67, the switch sends your number anyway along with a so-called
        "private bit" that tells the Caller ID display unit to suppress
        display of the number.

        In order to squelch those who'd rather flame back with "show me
        proof" than just read a FAQ, here is the proof.  These are
        actual raw data captures from a Bell 202 demodulator (better
        known as a serial port Caller ID) which I captured myself today.
        They prove conclusively that the "Private Bit" is a myth.

        Here is what I got in my raw data stream when I called my voice
        line from one of my BBS lines (which is unlisted, hence the
        PRIVATE string in the name field):

        UUUUUUUUUUUUUUUUUUUUUUUUUUUUUU€'^A^H03241512^A2503806467^G^OPRIVATE        x

        This is what I got when I did the same thing with *67:

        UUUUUUUUUUUUUUUUUUUUUUUUUUUUUU€^P^A^H03241512^D^AO^H^AP(˙

        The number I was calling from was 250-380-6467.  That string is
        clearly displayed in the first (non *67) call.  In the number
        field of the second call, only the letter "O" is transmitted.
        In the name field, only the letter "P" is transmitted.

        In both calls, the date and time (03/24, 15:12) is transmitted,
        but transmission of the calling telephone number is suppressed
        in the second call.  There is no "private flag" suppressing
        display of the number by the display unit; the calling number is
        not transmitted at all!

        For those of you unfamiliar with the CID raw data stream, the
        U's are actually sync pulses (an ASCII "U" is 01010101 binary).
        The control characters are field delimiters.  The first 8-digit
        number is the date and time in MMDDHHSS format.  The second
        number in the first call is the phone number, in NPANXXXXXX
        format.  That is followed by the name (for those of us with name
        & number CID).  The ^O (0Fh) just before the name indicates how
        many characters are in the name - in this case "PRIVATE" is
        padded out with 8 spaces (20h) to make 15 characters.  At the
        very end is an 8-bit checksum.

   Believe me, if I were wrong about this, there would be a huge
   marketing frenzy to sell "*67 proof Caller ID boxes" and I would be
   making a fortune selling my Serial Caller ID software, which works
   directly with the data streams illustrated above!


Q: Can't I just send noise down the line to scramble the Caller ID
   signal between the rings?

A: No.  Your phone line doesn't generate the Caller ID signal.  It is
   made by the switch on your calling party's line, and the audio
   circuit between your line and his is not completed until after he
   picks up the phone.


Q: Do 1-800 numbers have Caller ID?  Can I hide my identity from them?

A: Some do have Caller ID, and the *67 block will work, but many more
   have realtime ANI - Automatic Number Identification.  This is an
   older technology which uses a separate line to deliver your number,
   and cannot be blocked.  And all 800 subscribers get a list of
   everyone who called them on their monthly bill, blocked or not.


Q: Can I hide my identity by sending a fake Caller ID signal down the
   line before they answer?

A: *Generally*, no.  The audio circuit between your phone line and their
   line is not completed until the other party picks up.  Once they do,
   they would hear your fake signal and know what you were doing...
   unless the person you're calling is very poorly informed or
   untrained.  Even so, most Caller ID devices have memory and so the
   person you're calling could just as easily scroll back through the
   box's memory and find your true number.

   Once upon a time, the phone system worked differently, and the audio
   circuit WAS connected even before the called party picked up.  A
   device called a "mute" or a "black box" was used to take advantage of
   this fact and allow anyone calling a line with a black box to do so
   toll-free.  If the system still worked that way (and there's no
   technical reason why it couldn't in these days of digital switching)
   then yes, it would be very feasible to send a fake Bell 202 data
   stream down the line; in fact you'd hear the real one every time you
   called someone with Caller ID and you'd get a really good feel for
   the timing involved.  But if it worked that way, then black boxes
   would also still work, and they don't.


Q: What about the Orange Box?  Doesn't that spoof Caller ID?

A: Yes it does, but it's not very useful.  Your target must have a Call
   Waiting Caller ID compatible box.  It's not necessary for the target
   to actually subscribe to Call Waiting but since the Orange Box relies
   partially on victim stupidity it will help if he already expects that
   feature to activate occasionally.  During the call (which can be as
   early as a split second after pickup) you send an alert signal which
   tells the Caller ID Box that a call is coming in.  To simplify, after
   that you send the fake Caller ID signal as an audio stream, and your
   fake ID then shows on the target's Caller ID box as a "New Caller".
   IF your target didn't look at the Caller ID before answering, and IF
   he doesn't look back through his Caller ID memory, then he may be
   fooled into believing that the fake information is your real info.
   However one push of the "back" button will reveal your identity
   (unless you used *67 first).

   There has been some discussion in alt.phreaking of the possibility of
   spoofing a large amount of Caller ID data at once - like a few
   hundred calls' worth - with the idea of scrolling all the legitimate
   calls in the Caller ID Box's memory out, including the data sent in
   your call.  However, that would take a fairly noticeable amount of
   time - at 1200 bps (120 characters per second) that's not very fast.
   I think most people would think something is up when they hear Caller
   ID signal noise for 30 or 60 seconds after picking up the phone.  Not
   to mention that the spoofed data would be clobbered by the "Hello?
   Who is this?  What is that noise?" etc.

   
Q: How about *69?  If I protect my call using *67, can they still call
   me back?

A: Not in 604/250 anyway, and probably not most places.

   Some interesting notes about this:  When *69 was first introduced
   here in 250, if you tried to *69 a blocked call, you would get a
   recording telling you that the number could not be announced.  And it
   would then offer to connect you anyway!  I guess it was business who
   asked for the change because that meant a telemarketer using *67
   would have people call back and their switchboard answer "Sleazebag
   Marketing, how can I help you?".  At that point the number was a
   white pages lookup away.  So Telus, and I would venture to guess its
   part-owner company GTE and many others, changed it so that *69 won't
   even call back.

   If you find in your area that you CAN call back with *69 to a *67
   protected number, you're a lucky sonofabitch!  Why is that?  Well,
   with the "old" working of *69, you may still be able to get the
   number of a blocked caller if you are (a) lucky and (b) patient. Take
   your phone off the hook until midnight (if it's a business) or early
   afternoon (if it's a person). THEN activate *69.  No incoming calls
   will have come into your line since it was off-hook, so your line's
   *69 last-call register will still have their phone number in it, and
   at those times you are far more likely to get an answering machine
   which may spill the beans as to who called you... clever huh?




                               Final Word


Caller ID can be worked around in so many ways that it really offers no
value to its subscribers.  I am not against the existence of Caller ID,
as I have been on the receiving end of harassing phone calls and slimy
telemarketers, all of whom I've been able to put in their place thanks
to this technology.  There's no doubt that Caller ID can help bring
those who deserve it to justice.  But at the same time, we all have the
right to privacy, and the option to not share your identity with someone
you're calling is, and always should be, available.

For this reason, I think that Caller ID should be available free on
every line as part of the basic service.  It's worth nothing anyway!

---------------------------------------------------------------------------

That's it.  This file may be updated as I receive more information.
Look for updates on my web site at

        http://phreaking.iscool.net

---------------------------------------------------------------------------

This file is a freely-distributable copyrighted work.  You may repost
this file free of charge without modifications, but no for-profit
distribution is allowed without prior arrangement with the author.

(C) Copyright 2000 The Fixer's Tech Room, a division of Whirlwind
    Software (British Columbia).  All rights reserved.  Phreaking lives
    in '01!



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH