We looked at the story of the possibility that someone tried fooling the Pakistani president with a fake phone call tht almost started a hot war between Pakistan and Indian. In this post we explore some technical aspect of how a hoax could go down and fool some basic protection system.

Click Read More see the details

**Possible hack**

Lets say someone wanted to fool a government in to believing a phone call is coming from somewhere else. How can it be done? Its easier then it seems.
The Pakistan Goverment claims one of the ways they where able to verify the phone call was using CLI (caller’s line identification) which you might know by its more common name in the US, [Caller ID](http://en.wikipedia.org/wiki/Caller_ID).

>”It is not possible for any call to come through to the president without multiple caller identity verifications,” Information Minister Sherry Rehman said in a statement.

>”In fact the identity of this particular call, as evident from the CLI (caller’s line identification) device, showed that the call was placed from a verified official Phone Number of the Indian Ministry of External Affairs.”

Source: [Reuters via Yahoo UK](http://uk.news.yahoo.com/22/20081206/tpl-uk-india-mumbai-pakistan-sb-81f3b62.html)

Yet Caller ID is very easily hack and has been for a long time. The first time I heard about this was almost 6 years ago by [Kevin Mitnick](http://en.wikipedia.org/wiki/Kevin_Mitnick) talking about using a PBX to fake caller ID and make his calls seem like he is calling from the White House, and he mentions this in his book *The Art of Deception: Controlling the Human Element of Security*. Today its easier using VOIP and [Asterisk](http://www.asterisk.org/), an open source PBX.

This has not stopped others from putting trust in the very weak Caller ID system. For the longest time your cell phone company might have been using caller ID as the ONLY thing protecting your voice mails. For a while some phone providers would allow you to check your voice mail without any pin code as they would check if your caller ID was the one that belonged to your voice mail account. Well if you could fake a caller ID, you could almost take control of anyones voice mail. I have in the past written an post on a forum about this,[http://www.dslreports.com/forum/remark,14661279](http://www.dslreports.com/forum/remark,14661279). You can read mover over at wiki page on [Caller ID spoofing](http://en.wikipedia.org/wiki/Caller_ID_spoofing)

While Pakistan government has claimed they have used other systems to verify the phone call, the repeating theme is they heavily relied on Caller ID and not on the other standards of verifying phone calls. According again to the Reuters article the same caller may have tried to call Sec of State Rice of the United States and the call was rebuffed due to the fact it failed the required security checks.
This indicated more then likely the Pakistani were negligent at lest in checking the phone call was authentic or not. And this comes down to a more important aspect about any type of security, the human factor. If rules and protocols where kept in place, maybe this story would not have happen. If you read any of Mitnick’s books you would know the Humans tend to be the worst thing for security and sometimes all it takes is some [social engineering](http://en.wikipedia.org/wiki/Social_engineering_(security)) to convince a person in to believing what you want them to believe. No Jedi mind tricks, just basic talking.

A good example of Social Engineering is an old “TheBroken” ep on how to trick a pizza joint in to giving you a free pizza

**Prevention**

Well this could get longer then it should be but I will try to keep it simple. First is better diplomatic relationship between Pakistan and Indian would be a great step forward in cooling and preventing something like this happening. On [NPR: Talk of the Nation from 12/11/2008](http://www.npr.org/templates/story/story.php?storyId=98138640), Richard Haass, president of the Council on Foreign Relations, described the Pakistan-Indian diplomatic ties as one of the most underdeveloped of two nations who are at odds with each other, more so then the USSR-USA during the Cold War. A secure “hotline” be it a phone or some other forum of communications would be a great step. Physical security is one that can provided the greatest amount of trust.

But their should be an open system for world leader to easily communicate with each other quickly and securely. In the public security model we have [PKI](http://en.wikipedia.org/wiki/Public_key_infrastructure) as a way one can use to verify the true identify of someone. But how would you apply this on a world model? Who would be the CA? The UN?
Well thats for another post =P

Click Read More to read more of the story and how can it be done

*The Story*

The TimesOnline UK [http://www.timesonline.co.uk/tol/news/world/asia/article5302549.ece](http://www.timesonline.co.uk/tol/news/world/asia/article5302549.ece) and AP via google [http://www.google.com/hostednews/ap/article/ALeqM5hz0C0SXcxgP0NxzlqGA_EI57FBkQD94TSPMG0](http://www.google.com/hostednews/ap/article/ALeqM5hz0C0SXcxgP0NxzlqGA_EI57FBkQD94TSPMG0) is reporting Pakistan received a phone call by a person claiming to be the India’s Foreign Minister stating that India is planing to take military action against Pakistan.

> “The hoax caller threatened to take military action against Pakistan in response to the then ongoing Mumbai attacks, which India has since blamed on the Pakistan-based militant group Lashkar-e-Taiba (LeT), they said.”

This set off a chain reaction by Pakistan president ordering the Air Force to go on “high alert”, which by some is interpreted as getting nuclear weapons ready. This type of action could have easily had resulted in Indian misinterpreting pakistan movements can caused them to attack first or Pakistan trying a first strike in defense. This plays out like a script out of a movie, where someone could influence the actions of two counties.

Pakistan claims that phone call did come from inside Indian and from the Indian Foreign office and that they did verify the authenticity of the phone call, while Indian claims stedfast that Pakistan was negligence in checking the phone call authenticity.

Looking over the finger pointing, how can the communication between two nuclear powers be in such a state of disarray that a confirmation needs to be done manually.

Without knowing what type of phone system/communication system is in place currently we see as early as 2004 the two countries try addressing the lack of communication by setting up a hot line

> “The two countries agreed as early as 2004 to establish a hotline between their foreign ministers in case of an accidental nuclear launch, but neither side could clarify today whether the link was up and running.”

So there is no confirmation if the hot line is up and running and we know in the past the lack of such system can cause much headache. A good example was the cuban missile crises where both the US and USSR where reduced to communicating over radio. This pushed the US and the USSR to setup a hotline which was not really a phone but a type system.

So how would someone fool a phone call? More to come in the next post…

Pictures of the even after the break