Dial-Back Security

A computer security device that is often referred to as being foolproof is the
dial-back system. In a dial-back system, a computer has a dial-up access number
where users enter their user IDs and then their passwords. They then hang up, or
are disconnected by the computer, and the very system they just called calls
them back on a prearranged number after a short delay. The argument is that a
hacker cannot penetrate this: after he discovers a working ID/password
combination, he can do nothing but hang up and wait for the computer to call
out to the prearranged number. It is extremely difficult for a hacker to
receive a call at that number, unless he taps into the cable pair at the home
or office of the person who owns the account and then uses a portable computer
and modem while squatting in a sewer, on a telephone pole, or in the bushes.

The number itself is not specified when the call is initiated but at some
previous time, usually when the account was first set up. Many companies rely
on dial-back systems for protection and walk around smiling, lost in nirvana
over how secure, how foolproof, their systems are. But these systems are
potentially vulnerable. The vulnerabilities are due to the phone system and the
modems used, and they make it all too possible for a hacker to stay attached to
the callback call and fool the modem into thinking it has dialed the legitimate
user.

How

Some older telephone switches use caller control, where the call is only
disconnected if the party who originated it hangs up. This means that the
computer's modem cannot hang up on a caller (usually a local caller) who has
dialed in. The modem goes "on hook" and the computer believes the call has
ended, but the caller is still on the line the instant the modem picks up again
to make its outgoing call.

The modem may not notice that the caller is still there. It attempts to dial
and then waits for the call to go through and for a modem to answer. After a
short period the caller simply sends an answer tone, and he is connected to the
system without ever having hung up.

Of course, some modems incorporate dial tone detection before dialing and
ringback detection afterwards. These will not dial until they "hear" a dial
tone, and will not connect until they hear ringing, but both can be fooled by
the caller playing a recording of a dial tone or a ring down the line.

Some modems will even pick up a ringing line and attempt to make an outgoing
call on it. A system penetrator can use this to break dial-back security even
on joint-control or called-party-control switches: he merely dials in on the
dial-out line just as the modem is about to dial out. The same technique of
waiting for dialing to complete and then supplying an answerback tone works
here, as does the recorded dial tone technique.

Calling the dial-out line works particularly well when the modem has disabled
auto-answer because it is about to pick up the phone itself in order to start
dialing.

Even carefully written software can be fooled by the ring window problem. Many
central offices (COs) will connect an incoming call to a line if the line goes
off hook just as the call comes in, without first having put the 20 Hz ringing
voltage on the line to make it ring. In many central offices the ring voltage
is applied asynchronously, every 6 seconds, to every line with an unanswered
incoming call, so in some cases an incoming call can be answered before any
ring is ever presented.

This means that a modem that picks up the line to dial out just as our
penetrator dials in may see no ring voltage at all and therefore has no way of
knowing that it is connected to an incoming call. And even if the switch always
rings before connecting an incoming call, most modems have a window, just as
they go off hook to originate a call, during which they ignore transients (such
as ringing voltage) on the assumption that the transients come from the act of
going off hook.

It is therefore impossible to say with any certainty that a modem which goes
off hook and dials out on a line that can also accept incoming calls is really
connected to the switch and actually making an outgoing call. And because it is
relatively easy for a system penetrator to fool the tone-detecting circuitry in
a modem into believing that it is seeing dial tone, ringback and so forth,
until he supplies an answerback tone, connects, and penetrates the system,
security should not depend on this sort of dial-back.

The best thing to do to solve this problem is to use a different line for
dial-out. Random time delays between dial-in and dial-back, combined with
allowing the modem to answer during the wait period (with provision for
recognizing that the resulting call was not the one it originated, perhaps by
checking whether the modem is in originate or answer mode), will substantially
reduce this window of vulnerability, but nothing can completely eliminate it.

Obviously, if one has an older CO switch with caller control, it is not good
at all to use the same line for dial-in and dial-out.

It is best to make sure that the phone number for dial-out is different from
that of the dial-in, perhaps even in a different exchange, which is not hard to
arrange.
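To make the failure modes above concrete, here is a small model of a dial-back
host sitting behind a central-office switch. It is an added example written
for this page, not code from the original article or from any real modem or
switch; the switch, the modem behaviour, the account table and all telephone
numbers are constructed for illustration. It covers both the caller-control
hang-up problem from the "How" section and the ring-window race and the
separate-line / originate-check mitigations from the closing paragraphs: the
attacker already holds a valid ID and password, dials in, and simply never
hangs up (or, in the race case, rings the dial-out line just as the host goes
off hook).

```python
"""Model of modem dial-back behind a central-office (CO) switch.

Constructed example: the switch, modem and numbers are simplified stand-ins,
not a real CO or modem. The switch here knows the truth about every call; a
real modem only sees the line, which is exactly why the text says the window
can be narrowed but not closed.
"""
import hmac
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional


class Control(Enum):
    CALLER = auto()        # older switch: only the originator's hang-up clears a call
    CALLED_PARTY = auto()  # either party's hang-up clears the call


@dataclass
class Call:
    originator: str
    callee: str

    def peer_of(self, line: str) -> str:
        return self.callee if line == self.originator else self.originator


@dataclass
class Switch:
    control: Control
    calls: dict = field(default_factory=dict)    # line number -> live Call
    ringing: dict = field(default_factory=dict)  # callee number -> unanswered Call

    def ring(self, src: str, dst: str) -> None:
        """src dials dst; the call waits, unanswered, on dst."""
        self.ringing[dst] = Call(src, dst)

    def off_hook_and_dial(self, src: str, dst: str) -> Call:
        """src goes off hook intending to dial dst; returns the Call it is
        actually on. Two ways that is not the call src wanted:
        - a caller-controlled call that src 'hung up' on is still there, or
        - an incoming call was waiting in the ring window as src went off hook,
          so the CO connects it without src ever seeing ring voltage.
        Either way the far end can feed fake dial tone, ringback and answer
        tone, so src's dialing appears to succeed."""
        if src in self.calls:
            return self.calls[src]
        call = self.ringing.pop(src, None) or Call(src, dst)
        self.calls[call.originator] = call
        self.calls[call.callee] = call
        return call

    def hang_up(self, line: str) -> None:
        """line goes on hook; whether the call clears depends on the switch."""
        call = self.calls.get(line)
        if call and (self.control is Control.CALLED_PARTY or line == call.originator):
            del self.calls[call.originator]
            del self.calls[call.callee]


@dataclass
class DialBackHost:
    switch: Switch
    dial_in: str
    dial_out: str                  # same number as dial_in in the naive design
    accounts: dict                 # user id -> (password, prearranged callback number)
    check_originate: bool = False  # the originate/answer-mode check from the text

    def session(self, caller: str, user: str, password: str) -> Optional[str]:
        """One dial-back cycle. Returns the number the host is connected to for
        the callback session, or None if the host refused."""
        self.switch.off_hook_and_dial(caller, self.dial_in)   # caller dials in
        stored_pw, callback = self.accounts.get(user, ("", None))
        ok = callback is not None and hmac.compare_digest(
            stored_pw.encode(), password.encode())
        self.switch.hang_up(self.dial_in)                     # host 'hangs up'
        if not ok:
            return None
        call = self.switch.off_hook_and_dial(self.dial_out, callback)
        if self.check_originate and call.originator != self.dial_out:
            self.switch.hang_up(self.dial_out)                # not our call: abort
            return None
        return call.peer_of(self.dial_out)


# constructed numbers for the scenarios below
DIAL_IN, DIAL_OUT = "555-0100", "555-0101"
USER_CALLBACK, ATTACKER, ATTACKER_2 = "555-0150", "555-0199", "555-0198"
ACCOUNTS = {"alice": ("correct horse", USER_CALLBACK)}


def scenario(control: Control, separate_line: bool, race_dial_out: bool = False,
             check_originate: bool = False) -> Optional[str]:
    """Attacker with alice's stolen ID/password dials in and never hangs up.
    Returns whom the host ends up talking to for the callback session."""
    switch = Switch(control)
    host = DialBackHost(switch, DIAL_IN, DIAL_OUT if separate_line else DIAL_IN,
                        ACCOUNTS, check_originate)
    if race_dial_out:
        # a second attacker line is queued on the dial-out number so that it is
        # waiting in the ring window when the host goes off hook to dial back
        switch.ring(ATTACKER_2, host.dial_out)
    return host.session(ATTACKER, "alice", "correct horse")
```

scenario(Control.CALLER, separate_line=False) returns the attacker's number:
the host's "hang-up" never cleared the call, so its dial-back lands on the
attacker who is still on the line. A separate dial-out line fixes that case,
but scenario(Control.CALLED_PARTY, separate_line=True, race_dial_out=True)
still returns the second attacker line, because it was waiting in the ring
window. Only with check_originate=True does the host refuse the session, and
in the model that check works because the switch knows who originated the
call; a real modem has to infer it from originate/answer mode, which is the
residual window the text describes.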