On Wednesday 10 May 2017, Steve Edwards wrote:

> I have a 'time and attendance' application. Think janitorial or security
> kind of thing where an employee goes from location to location.
>
> They're supposed to 'clock in' when they get to a site using a phone at
> that site to prove they're there.
>
> Some employees have discovered 'fake caller ID' services can be used to
> say they're on site when they are not.
There are legitimate reasons for faking an ident. For instance, if you are using multiple services in parallel to connect to the Outside World. While we had such a setup, we arranged with our SIP provider to attach numbers associated with our ISDN-30 line to calls we were making. And if you are providing something like a "transparent call recording" service, you need to lay the ident of the incoming call leg onto the outgoing call. Unfortunately, as you've discovered, the service can be abused .....

> How can I detect a fake CallerID? The INVITE looks the same to me.

You can't. Only the first telephone company through which the call passes can tell for sure where a call is coming from. The next company through whose equipment it is passing can alter it, and nobody downstream will be any the wiser.

Remember, even although it's now packet-switched and multiple-redundantly-routed underneath, the whole telephone network is still basically emulating an old-fashioned, circuit-switched network; where calls get connected from the originator's local exchange onto a trunk to pass on to another exchange, and all the next exchange downstream knows for sure is which approximate direction it came in from and where it's going to. Information that would once have been implied by which pair of wires the signal was travelling down is now sent separately, and subject to modification en passant.

> If I have the employees call an 8xx number, can I ask my SIP provider to
> include more headers to show the real ANI? What would that service be
> called?

Not really. You need to backtrack a little and rethink. Caller ID is just not something that you can rely on anymore.

Presumably your staff carry mobile phones. What about an app that gets the ID of the cell tower to which it is connected, and passes it and the SIM number in a HTTP request to a server you control?
You'll obviously need to do some sort of authentication dance, otherwise anyone could just manually craft a URL representing any location. (But since it's your app, you can effectively embed a different key into every copy; so in the worst case, anyone trying anything naughty is only able to spoof one handset. An .apk file is basically a .zip archive; so you should be able to unzip it into a folder structure, use your favourite scripting language to regenerate the keyfile and zip it back up. This might even scale.)

--
JM or AJS

Note: Originating address only accepts e-mail from list! If replying off-list, change address to asterisk1list at earthshod dot co dot uk .

--
asterisk-users mailing list
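The check-in scheme proposed in the reply above (a per-handset key embedded in each copy of the app, cell tower ID and SIM number sent in an authenticated HTTP request), as an added example that is not part of the original post: the client signs the check-in with its own key and the server verifies against the key registered for that handset, so a key lifted from one handset cannot vouch for another. The device registry, the 300-second timestamp window and the nonce replay cache are assumptions added here; all values are constructed.

```python
import hashlib
import hmac
import json
import time

# Constructed registry: each handset has its own key, embedded in its copy of
# the app and registered server-side. device_id -> key (hypothetical values).
DEVICE_KEYS = {
    "handset-0017": b"k0017-constructed-example-key",
    "handset-0042": b"k0042-constructed-example-key",
}
MAX_SKEW = 300          # seconds; assumed window for accepting a check-in timestamp
SEEN_NONCES = set()     # replay cache; in-memory for the example


def canonical(body: dict) -> bytes:
    """Serialise the check-in fields deterministically so both sides MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_checkin(device_id: str, key: bytes, cell_id: str, sim: str,
                 ts: int, nonce: str) -> dict:
    """Client side: build the check-in body and attach an HMAC-SHA256 tag under the handset key."""
    body = {"device": device_id, "cell": cell_id, "sim": sim, "ts": ts, "nonce": nonce}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


def verify_checkin(req: dict, now=None):
    """Server side: accept only a fresh, unreplayed request signed with the key
    registered for the handset it claims to come from. Returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    key = DEVICE_KEYS.get(req.get("device"))
    if key is None:
        return False, "unknown device"
    body = {k: req[k] for k in ("device", "cell", "sim", "ts", "nonce") if k in req}
    if len(body) != 5:
        return False, "missing fields"
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    # Constant-time compare; a tag made with another handset's key fails here,
    # as does any edit to the cell ID, SIM or timestamp after signing.
    if not hmac.compare_digest(expected, req.get("tag", "")):
        return False, "bad signature"
    if abs(now - body["ts"]) > MAX_SKEW:
        return False, "stale timestamp"
    if body["nonce"] in SEEN_NONCES:
        return False, "replayed"
    SEEN_NONCES.add(body["nonce"])
    return True, "ok"
```

The server must also check that the reported cell ID is one that actually serves the site the employee claims to be at; that lookup is site-specific and is not shown here.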
