[ Features Index | Silicon Valley | Metroactive Home | Archives ]

Techsploits Phone Phun By Annalee Newitz TELEPHONES are starting to be cool again. When I was first getting into computers, there were a whole bunch of dorks in the not-so-illustrious cracker scene who liked to "phreak"—mostly that meant they figured out ways to finagle free long distance out of phone companies. Either they used a piece of technology that emitted the precise tone required to get a long-distance connection in a phone booth, or they went online and stole phone company codes for free long-distance calling. Sadly, the phone system has changed a lot since I was 14—it's more highly regulated in several ways and a lot harder to hack. Plus, the Internet became such an obvious target for hackers that the whole phreaking thing seemed beside the point. But now, phones are part of the Internet. The latest evolution in phone technology is something called "voice over Internet Protocol" (VoIP for short), which refers to a bunch of hardware and software that send phone calls over the Internet. You can use a VoIP phone, which means your call is sent over the Internet from end-to-end (and, by the way, is completely free of all long-distance and out-of-country charges, mwah ha ha). Or you can use VoIP to create a bridge between a VoIP phone and a regular phone. Software already exists to bridge the gap between the phone network and the Internet. Of course, Congress is already waging battles over how the damn things will be regulated. The problem is that VoIP straddles the line between two realms that the FCC never believed would meet: the realm of "information services" and the realm of "telecommunications services." These two areas are regulated quite differently—indeed, there is a question about whether information services should fall under the FCC's purview. And VoIP is a telecommunications service that uses an information service (the Internet) to do its thing. Sen. John Sununu (R-N.H.) has proposed a bill, the VoIP Regulatory Freedom Act, which would bar states from taxing and regulating VoIP—presumably so that policy makers could come up with an overarching federal standard for these bastard children of telecom and information technologies. Sununu's bill is in committee and could hit the Senate floor before the end of the year. Meanwhile, the feds are freaked out about VoIP because (start the sad violins) it's just so darn hard to wiretap. Several law-enforcement agencies, including the FBI and DEA, recently petitioned the FCC to add VoIP to an already-existing law called the Communications Assistance to Law Enforcement Act (CALEA). Currently, CALEA forces telecom companies to comply with a set of regulations that make it quite simple for law enforcement agents to tap telephones. The law mandates that phone companies build backdoors into the telephone system so that listening in on your conversations is as easy as flipping a switch. But if you're talking over VoIP, flipping that switch is a lot harder. It's not impossible, mind you—it just means that Jane Fed will have to exercise her technobrain a little bit more to listen in on my conversations. One VoIP provider, a European company called Skype, does end-to-end Internet phone calls that don't interact with telecom networks at all. Phone calls done with Skype are routed peer-to-peer-style across the net and are also completely encrypted. Good luck trying to intercept a Skype phone call and figure out what the people are saying without spending a few weeks working on it. Other providers, such as Vonage, route calls from the phone network to Internet routers and back. Their system might be a bit easier to tap. Meanwhile, the same old players are ponying up their own Internet telephony crap: über-ISP Earthlink is working on a VoIP service, as is übertelecom AT&T. I'm guessing that these guys, already accustomed to working with the feds, are going to figure out a way to make VoIP into a surveillance-friendly system. But in the meantime, let's play! A phreaker calling himself Lucky 225 has a nifty little device that allows him to use VoIP to spoof phone numbers. He can make caller-ID programs think that he's calling from anywhere; he can also unmask the phone numbers that people try to hide with caller-ID blocking. One use for such a device, aside from personal amusement, is to activate someone else's credit card. Since most credit card companies authenticate your identity by requiring you to call from your home number to activate a card, Lucky's trick could turn out to be quite tricky indeed. Bruce Schneier, a computer security expert, wrote an article recently in which he worried that VoIP spoofing might lead to attackers hijacking phone calls and sending them to the wrong place. Or it could lead to denial-of-service attacks where somebody cuts off all your incoming calls without your knowledge. Yup, the phreakers are back in town. Crank calls are about to go cyber on your ass. Annalee Newitz ([email protected]) is a surly media nerd who could really use some free long distance. Send a letter to the editor about this story to letters@metronews.com. [ Silicon Valley | Metroactive Home | Archives ]