Secure Science Corporation Advisory TSA-052 http://www.securescience.net e-response@securescience.net 877-570-0455 --------------------------------------------------------- Callwave.com customer service automated termination service is vulnerable to caller-ID authentication spoofing, enabling arbitrary termination of customer accounts. --------------------------------------------------------------------- Vulnerability Classification: Authentication bypass, Denial of Service, Misplaced trust. Discovery Date: October 25, 2004 Vendor Contacted: October 25, 2004 Advisory publication date: November 3rd, 2004 Vendor Description: ------------------- CallWave's easy-to-install software helps consumers and businesses get more out of their wireless phone, home phone, and Internet-connected PC by 'bridging' calls between these devices. Millions of households and small businesses have installed CallWave to get important calls instantly no matter where they are, receive faxes on their PC, and even screen out unwanted calls all without purchasing or installing additional hardware. Abstract: --------- Callwave.com grant implicit trust to service subscribers Caller-ID input for customers to terminate their accounts via the automated termination service 800 number. Caller-ID spoofing allows forgery of a calling number to the target number. When spoofing a subscriber number while calling the automated 800 service, the target depends solely on the CID for authentication and grants termination of the customer account associated with the specific number spoofed. Description: ------------ During recent explorations with telephone bridging software, we signed up for the callwave service temporarily. The process to cancel the service when requested directed us to call an automated 800 service from your subscription number. Forging the caller-id and calling the 800 service number enabled the termination request to be successful. It is untested whether CID/CPN spoofing impacts other features of callwave at this time. Tested Vendors: --------------- Callwave.com Vendor and Patch Information: ----------------------------- Secure Science Corporation has made attempts to contact the vendor with no response. Solution: --------- Add 2-factor authentication (passcode requirement) by default and cease implicit trust of Caller-ID information. Alternatively use ANI with 8xx numbers. Credits: -------- Secure Science Corporation: Lance James Disclaimer: ----------- Secure Science Corporation is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of Secure Science Corporation products.