Secure Science Corporation Advisory TSA-052
https://www.securescience.net
e-response@securescience.net
877-570-0455

---------------------------------------------------------

Callwave.com customer service automated termination service is 
vulnerable to caller-ID authentication spoofing, enabling arbitrary
termination of customer accounts.

---------------------------------------------------------------------

Vulnerability Classification: Authentication bypass, Denial of Service,
Misplaced trust.

Discovery Date: October 25, 2004
Vendor Contacted: October 25, 2004
Advisory publication date: November 3rd, 2004


Vendor Description:
-------------------
CallWave's easy-to-install software helps consumers and businesses get more
out of their wireless phone, home phone, and Internet-connected PC by 'bridging'
calls between these devices. Millions of households and small businesses have
installed CallWave to get important calls instantly no matter where they are, 
receive faxes on their PC, and even screen out unwanted calls all without 
purchasing or installing additional hardware.

Abstract:
---------
Callwave.com grant implicit trust to service subscribers Caller-ID input for
customers to terminate their accounts via the automated termination service 800
number. Caller-ID spoofing allows forgery of a calling number to the target
number. When spoofing a subscriber number while calling the automated 800 
service, the target depends solely on the CID for authentication and grants 
termination of the customer account associated with the specific number spoofed.

Description:
------------
During recent explorations with telephone bridging software, we signed up for
the callwave service temporarily. The process to cancel the service when
requested directed us to call an automated 800 service from your subscription
number. Forging the caller-id and calling the 800 service number enabled the
termination
request to be successful. 

It is untested whether CID/CPN spoofing impacts other features of callwave at
this time. 


Tested Vendors:
---------------
Callwave.com


Vendor and Patch Information:
-----------------------------
Secure Science Corporation has made attempts to contact the vendor with no
response.


Solution:
---------
Add 2-factor authentication (passcode requirement) by default and cease implicit
trust of Caller-ID information. Alternatively use ANI with 8xx numbers.

Credits: 
--------
Secure Science Corporation: Lance James

Disclaimer:
----------- 
Secure Science Corporation is not responsible for the misuse of any of the
information we provide on this website and/or through our security advisories.
Our advisories are a service to our customers intended to promote secure
installation and use of Secure Science Corporation products.