Beating Caller ID
by The Fixer
v.1.03 98/08/30
(C) 1998 The Fixer's Tech Room
For free distribution - you may freely repost & distribute this but not
for profit without permission of the author. See further restrictions
at the end of this file.
To start off with - 12 Ways to beat Caller ID
(0) This doesn't count as a way to beat CID, but there's a general
principle to consider when contemplating ways to beat CID.
Generally, the CID signal your target sees corresponds to the owner
of the dial tone you call him from. If you call direct, you dial
from your own dial tone and your line is identified. If you call a
third party, and by whatever means manage to acquire his dial tone,
and from there dial out, it is the number associated with that
second dial tone that your target sees. Some of the ideas following
this were developed with this basic idea in mind.
(0.5) This also doesn't count, but remember that beating Caller ID as
such is only the first layer of your protection. If your calling is
sufficiently annoying or criminal, there is *always* a paper trail
(ANI data, billing data, trouble reports, *57 traces, etc) leading
back to the phone you first called from. That trail is not always
easy or worthwhile to track you down with. Whether or not the trail
is followed depends entirely upon how pissed off your target is and
how much co-operation he can get from the phone company, law
enforcement, etc.
(1) Use *67. It will cause the called party's Caller ID unit to
display "Private" or "Blocked" or "Unavailable" depending on the
manufacturer. It is probably already available on your line, and if
it isn't, your local phone company will (most likely - please ask
them) set it up for free. This is the simplest method, it's 100
percent legal, and it works.
(2) Use a pay phone. Not very convenient, costs 25 or 35 cents
depending, but it cannot be traced back to your house in any way,
not even by *57. Not even if the person who you call has Mulder and
Scully hanging over your shoulder trying to get an FBI trace (sic).
Janet Reno himself couldn't subpoena your identity. It's not your
phone, not your problem, AND it will get past "block the blocker"
services. So it's not a totally useless suggestion, even if you
have already thought of it.
(3) Go through an operator. This is a more expensive way of doing it
($1.25-$2.00 per call), you can still be traced, and the person
you're calling WILL be suspicious when the operator first asks for
them, if you have already tried other Caller ID suppression methods
on them.
(4) Use a prepaid calling card. This costs whatever the per-minute
charge on the card is, as they don't recognize local calls. A lot
of private investigators use these. A *57 trace will fail but you
could still be tracked down with an intensive investigation (read:
subpoena the card company). The Caller ID will show the outdial
number of the Card issuer.
(5) Go through a PBX or WATS extender. Getting a dial tone on a PBX is
fairly easy to social engineer, but beyond the scope of this file.
This is a well-known and well-loved way of charging phone calls to
someone else but it can also be used to hide your identity from a
Caller ID box, since the PBX's number is what appears. You can even
appear to be in a different city if the PBX you are using is! This
isn't very legal at all. But, if you have the talent, use it!
(6) I don't have proof of this, but I *think* that a teleconference
(Alliance teleconferencing, etc.) that lets you call out to the
participants will not send your number in Caller ID. In other
words, I am pretty sure the dial tone is not your own.
(7) Speaking of dial tones which aren't yours, if you are lucky enough
to live in an area with the GTD5 diverter bug, you can use that to
get someone else's dial tone and from thence their identity.
(8) Still on the subject of dial tones which aren't your own, you can
get the same protection as with a payphone, but at greater risk,
if you use someone else's line - either by just asking to use the
phone (if they'll co-operate after they hear what you're calling
about) or by the use of a Beige Box, a hardware diverter or bridge
such as a Gold Box, or some other technical marvel.
(9) This won't work with an intelligent human on the other end, it
leaves you exposed if the called party has a regular Caller ID box
with memory, and has many other technical problems which make it
tricky at best and unworkable for all but experts. A second Caller
ID data stream, transmitted from your line after the audio circuit
is complete, will overwrite the true data stream sent by the telco
during the ringing. If the line you are calling is a BBS, a VMB, or
some other automated system using a serial port Caller ID and
software, then you can place your call using *67 first, and then
immediately after the other end picks up, send the fake stream. The
second stream is what the Caller ID software processes, and you are
allowed in. See the technical FAQs below for an idea of the
problems behind this method; many can be solved.
(10) Someone in alt.2600 (using a stolen AOL account, so I can't credit
him or her properly) suggested going through 10321 (now 10-10-321)
or 10288. Apparently using a 10xxx even for a local call causes
"Out of Area" to show up on the Caller ID display. I live in Canada
where we don't have 10xxx dialing so I can't verify nor disprove
this.
(11) There are 1-900 lines you can call that are designed to circumvent
Caller ID, ANI, traces, everything. These services are *very*
expensive, some as high as $5.00 a minute, but they include long
distance charges. This was first published in 1990 in 2600
magazine, and in 1993 the IIRG reported that 1-900-STOPPER still
works. Beware - even if you get a busy signal or no answer, you
will get charged at 1-900 rates! Another one published in 2600 in
1990: 1-900-RUN-WELL. That one supposedly allows international
calls. I'm not about to call either one to find out. Note that you
could still be caught if the operators of these services were to be
subpoenaed.
(12) Use an analog cellular phone. Most providers of plain old analog
service show up on Caller ID as "Private" or "Out of Area" or a main
switchboard number for the cell network. This is becoming less and
less true as cellular providers move to digital cellular and PCS,
which pass the phone's number on Caller ID. Corollary: Rent a
cellphone by the day. This might even be cheaper than using a
prepaid phone card.
How Caller ID Works
Caller ID is a data stream sent by the phone company to your line
between the first and second ring. The data stream conforms to Bell
202, which is a 1200 baud half-duplex FSK modulation. That is why
serial Caller ID boxes run at 1200 baud.
The data stream itself is pretty straightforward. Here's an example:
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUU€'^D032415122503806467x
The first thing of note is the 30 U's. Those are actually sync pulses.
A "U" is 55 hex, or 01010101 binary. This is called the "Channel
Siezure Signal."
After that comes 130 milliseconds of 1200 Hz (the Bell 202 "mark"
frequency) which usually shows up in the datastream as a character or
two of garbage.
That is followed by the "message type word", which is 04 hex for
standard Caller ID, 07 hex for Name & Number. A word, by the way, is 8
bits for our purposes.
That is followed by the "message length word" which tells us how many
bytes follow.
The next four bytes are the date, in ASCII. In the example above, the
date is 0324, or March 24th.
The next four bytes after the date are the time, also in ASCII. In the
example, the time is 1512, or 3:12pm.
The next 10 digits are the phone number that is calling. In the
example, the phone number is 250-380-6467. The number is also in ASCII
and doesn't contain the hyphens. Some phone companies will leave out
the area code and only transmit 7 digits for a local call, others will
always send the area code as well.
If this were a name-and-number Caller ID data stream, the number would
be followed by a delimiter (01h) and another message length byte to
indicate the number of bytes in the name. This would be followed by the
name itself, in ASCII.
If this call originated from an area that doesn't support Caller ID,
then instead of the phone number, a capital "O" is transmitted (4F hex).
If the call was marked "private" as a result of the caller using *67 or
having a permanent call blocking service, then instead of the phone
number, a capital "P" (50 hex) would be sent.
The very last byte of the data stream is a checksum. This is calculated
by adding the value of all the other bytes in the data message (the
message type, length, number and name data, and any delimiters) and
taking the two's complement of the low byte of the result (in other
words, the two's complement of the modulo-256 simple checksum of the CID
data).
Some Technical FAQ's
Q: When I block Caller ID with *67, does it send my number anyway and
just set a "private bit" so that the other person's Caller ID Display
unit won't display it?
A: No. The person you're calling doesn't get your phone number anywhere
in his data stream if you block your call that way. All he/she gets
is "P" and the date/time of the call.
I would like to refer to an experiment I performed in March, 1998
with a Serial Port Caller ID, which delivers the raw data stream to a
PC for software interpretation. The following Usenet message (edited
for this file) is the report I published on that experiment:
Newsgroups: alt.2600
From: The Fixer