Backspoofing 101

by Natas

What exactly is backspoofing?

Most people reading this article have probably heard the term "backspoofing" before, but may not know that the term was coined somewhat recently by a fellow phone phreak named NotTheory.

Backspoofing is a very simple, but useful technique.  Essentially, it is just calling yourself with spoofed Caller ID for the purpose of getting the Caller ID Name (CNAM) associated with a particular number.

The number you spoof as your Caller ID is the number you want to receive Caller ID name information for.  I believe that this will work with almost any 10-digit number within North America.  To do this properly, you usually need to be calling a POTS line, because POTS lines are the only kind of lines that offer Caller ID Name, not just Caller ID Number.

However, some VoIP providers these days are now offering Caller ID Name service to compete with all the features available on traditional POTS lines.  It should also be noted that cell phones do not provide Caller ID Name on incoming calls and probably never will, as the name always tends to be retrieved from the local database on the phone.

How does backspoofing work?

How is the CNAM retrieved from a number?  Well, when you spoof your Caller ID to a telephone line with Caller ID Name, what happens is the receiving telephone switch does a lookup in what is known as a CNAM database via the Signaling System 7 (SS7) protocol.

This receiving switch dips in and retrieves the name associated with the particular number from the CNAM database and displays it on your little Caller ID box.  Now, you might be asking why this is the least bit interesting - or, how it's useful.  Well, it's extremely useful because it allows you to see information that may otherwise be private.

The telephone companies figure that even if you're some big shot movie star or even if you have an unlisted number, the person receiving your calls should still be able to see the name and the number of the person calling.  After all, that's why they're paying for Caller ID.  So the telco puts your name and number in their enormous database that's constantly being updated.

Even unlisted numbers will typically come back with a first and last name if it can all fit into the 15-character space designed for the Caller ID Name.  This all works because you're tricking the Caller ID service into looking up the CNAM information associated with the telephone number of your choosing.  I like to think of these CNAM databases as a private reverse lookup directory!
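As an added example (not from the original article), here is a small Python script that models two things the text describes: the 15-character Caller ID Name field, and what the receiving side of a backspoof looks like, namely an inbound call whose presented calling number is the called line itself.  The pipe-separated CDR format and the sample records are constructed assumptions, not real call data.

```python
"""Spotting the backspoofing pattern in constructed call records.

Assumes a hypothetical CDR format, one call per line:
    timestamp|calling_number|called_number|cnam_presented
"""
import re

CNAM_MAX = 15  # width of the Caller ID Name field described in the article

# Constructed sample records (hypothetical format, not real call data).
SAMPLE_CDR = """\
2024-01-01T10:00:00|4015551234|4015551234|BROWN UNIVERSITY
2024-01-01T10:02:00|6175550100|4015551234|A,T &T
2024-01-01T10:05:00|(401) 555-1234|4015551234|NEW ENGLAND TELEPHONE
2024-01-01T10:09:00|9785550199|4015551234|VACANT
"""


def normalize_nanp(number: str) -> str:
    """Reduce a North American number to its 10 digits, dropping a leading 1."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10:
        raise ValueError(f"not a 10-digit NANP number: {number!r}")
    return digits


def cnam_display(name: str) -> str:
    """Truncate a CNAM entry the way a 15-character Caller ID box shows it."""
    return name[:CNAM_MAX]


def find_self_calls(cdr_text: str) -> list:
    """Return records whose presented calling number equals the called line.

    A spoofed call to your own number is exactly the backspoof pattern, so
    these are the inbound calls that actually triggered a CNAM dip for the
    called line's own number.
    """
    hits = []
    for line in cdr_text.splitlines():
        ts, calling, called, cnam = line.split("|")
        if normalize_nanp(calling) == normalize_nanp(called):
            hits.append({"time": ts, "number": normalize_nanp(called),
                         "cnam": cnam_display(cnam)})
    return hits
```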

At first backspoofing may not seem like the best thing in the world, but there are lots of applicable uses for something like this, especially if you're a phone phreak!  Ever find a local "elevator number"?  The ones that connect you to the phone inside an elevator, allowing you to listen in on the elevator or speak to the people inside?  Well... by backspoofing an elevator number you can see what the name comes back as.

Usually it comes back as the name of the company whose PBX the elevator number is on, or the company that occupies the building the elevator is in.  Now all you would have to do is look up the company's address and find out where the building is, and you can find out exactly what elevator you're listening to!  This actually came in extremely handy for me.

For about five years now, I've had elevator numbers that were supposedly at Brown University but I was never really sure.  By simply backspoofing the number I was able to confirm this within a few seconds.

Telco test numbers are some of the greatest things to backspoof, because even test numbers have CNAM entries most of the time.  When I first started backspoofing, I assumed test numbers would have discreet listings, but oftentimes they list the telco's name or even a little description of the number!

Someone even showed me a modem that came back as NET 5-ESS, which is a telephone switch made by Lucent.  So it was pretty obvious what was connected to that modem!  If you're doing a scan and you're not sure who a particular modem belongs to, backspoofing comes in very handy!  I always like to see what milliwatt numbers, and other numbers around the milliwatt number, come back as.  Maybe you have some numbers to your telco and you're wondering exactly what bureau the number belongs to?

Backspoofing can sometimes tell you if you've reached RCMAC, the switch room, Mechanized Loop Assignment Center (MLAC), Information, or the code for a particular wire center.

Also, you can see just how lazy telcos are and how long some test numbers have been the same, because I've found entries with old telephone company names that are long gone!  When was the last time you saw NYNEX or NEW ENGLAND TEL calling you?  These companies ditched those names years ago, but there are still CNAM entries out there with those names.

Cell phone numbers are no exception to the rules of backspoofing either!

T-Mobile currently enters their customers' names into CNAM databases.  I believe Sprint is now starting to do the same.  So if you're looking for a famous celebrity's cell phone number and you know they've got a T-Mobile account, backspoofing can come in very handy.  Try backspoofing an entire T-Mobile exchange served out of the Hollywood Hills and see how many famous names you recognize!

Beware that not all CNAM providers are equal!  There are lots of different CNAM databases in use, and while most of the information is the same, some databases have conflicting information.  It may just be that some databases are not updated as frequently, or it may just be that a certain one sucks and contains lots of outdated entries.  I've found CNAM entries that were different depending on the carrier who provided my Caller ID name service.  I would get one result with Verizon and another with AT&T.  There really is a lot of funky stuff that goes on in the world of CNAM.

To close the article, I want to show you just how cool backspoofing is.

I've put together a list of some of the most interesting examples I've found through backspoofing.  Keep in mind that phone numbers do change quite often, so unfortunately some of these examples may be gone by the time this article comes out.

"BROWN UNIVERSIT" <4018637127>
"USG-FBI" <3104776565>
"U S GOVERNMENT" <5013246241>
"CIA,INTERNATION" <5087982693>
"FAA-ONTARIO ATC" <9093909953>
"BOOZE" <9099750050>
"NEW CENTURY TIT" <9099370020>
"UNITED,NUDE -TE" <2122749998>
"SPRINT PAYPHONE" <7027319900>
"28881" <3109265101>
"A,T &T" <6172271067>
"BELL ATLANTIC A" <5703870000>
"OFC# 897 TEST L" <8028979912>
"ROCH TEL" <5852259902>
"PACIFIC BELL" <3108580000>
"VERIZON RC C9" <9093900008>
"GTC RC WCH3 BC" <9093900006>
"GTC RC E140 BC" <9093900037>
"GTE WC XXXX" <9099740010>
"PYRAMID,TELECOM" <5087989920>
"VERIZON,INFORMA" <5087989974>
"VERIZON,GNI" <5087569913>
"VERIZON" <6316689906>
"NYNEX" <5087980081>
"NEW,ENGLAND TEL" <5087989987>
"BELLSOUTH" <7066679923>
"T-MOBILE" <7066679994>
"SWBT" <3142350475>
"SWB" <3149661736>
"QWEST MESSAGING" <5072859216>
"VACANT" <9784468972>
"UNCLAIMED MONEY" <4104641276>

Shouts: The DDP, NotTheory, Nick84, Decoder, Lucky225, Doug, Majestic, IcOn, GreyArea, Mitnick, Agent Steal, Poulsen, StankDawg, Dual, Cessna, Vox, Strom Carlson, IBall, & Av1d.  The revolution will be digitized!
