Spoofing-phone-calls-and... Spoofing phone calls and text messages over VOIP infrastructure | by Peter ...


Spoofing phone calls and text messages over VOIP infrastructure

Peter Brosnan
Mar 22 · 4 min read

Spoofing is the act of falsely representing the identity of something else. There are many kinds of spoofing, namely, IP Spoofing, MAC Spoofing, URL Spoofing, GPS Spoofing, Caller ID Spoofing and SMS Spoofing. For the purpose of this article, we will be exploring Caller ID Spoofing and SMS Spoofing.

Image for post

SS7 Backbone — A brief history

One of the oldest networks is the PSTN (Public Switched Telephony Network) which is responsible for all the domestic communications within a country or a geographical region. It started as a network of fixed-line analog telephone systems, but has grown in size as well as evolved to encompass everything from fixed telephones to mobile networks. During the 20th century, phone calls across a country became circuit-switched and were completely automated. However, long-distance calls or calls made to other countries had to be manually-switched by an operator, as there was multi-frequency signalling involved across multiple operators. To solve this problem, SS7 protocol was devised in 1975 which was used to integrate all the PSTNs to a larger network, now known as the SS7 backbone. Every piece of information — be it a phone call, a text message, the emails you send or the websites you browse — flows through the SS7 backbone, either in encrypted or unencrypted manner.

For a long time, access to the SS7 network was only limited to the telecom providers. With advancement in Internet technologies, VoIP started getting traction as means of making cheaper or almost free calls over the Internet. But setting up such an infrastructure was expensive and could only be afforded by large enterprises. All of this changed in 2004 when VeriSign offered VoIP Providers Easy Way To Connect to the SS7 network. Now small companies or startups could venture into this space and build solutions for non-enterprise customers. Among the most popular ones are Twilio.com and Plivo.com

Flaws in SS7 that enable Spoofing

The major flaw is that SS7 is based on trust. Any request a telecom provider receives is considered legitimate. Therefore anyone with access to a server or gateway on the SS7 network can send a location or redirect request to your telecom, and the telecom will likely comply. For example, if Verizon receives a call request from Airtel server for +15765757560 from +919898989898, Verizon cannot verify if Airtel servers can originate calls from +919898989898. Airtel can also request for nearest cell tower location for the number +15765757560 (VLR lookup). The same can also be done by VoIP providers like Plivo or Twilio, who do not issue SIM cards but can originate calls on behalf of either phone numbers. They can also send requests to auto-forward all text messages for a given number to another number of their choice.

The Attack

This is fairly simple. All you have to do is register an account with one of the VoIP providers, Plivo.com in this case. It has very straightforward documentation explaining the different parts of a call process. Authentication is performed with a pair of auth_id and auth_token provided in their dashboard.

import plivoclient = plivo.RestClient(
fake_phone_number = '+919898989898'
target_phone_number = '+15765757560'
answer_url = 'https://example.com/assets/steps.xml'
response = client.calls.create(

The contents of steps.xml look something like:

<?xml version="1.0" encoding="UTF-8"?>
<Dial callerId="+919898989898">

In the above sample, a conference call between +15765757560 and +491008008000 is being set up, but +15765757560 will be under the impression that they received the call from +919898989898.

Doing the same for text messages is slightly different. Every country has some regulation on what can be set as the from address. It is technically known as Sender ID and can be alphanumeric, not exceeding 13 characters. For countries without any regulation around it, a similar approach as above can be used to send a text message from any fake number. However, in some countries like US and Canada, it is mandated to use a registered VoIP number, while in some countries like India, they have a regulation to follow a 8-character system, prefixed by 2 characters of the service provider.

Legal Concerns

The VoIP providers do not limit this ability and lay all the responsibility on the customer using the service. Due to the involvement of international jurisdiction on such matters, except for the United States, other countries find it difficult to request customer data for smaller cases.


Popular Posts