So let's get started. This is called Weaponize Your Feature Codes. My name is Master Chen.
So let's get started. First with who I am. I'm a Grey Noise podcast founder and co-host.
There's our website if you want to listen to some of our episodes later, not during the talk.
So check us out. We do a weekly podcast here in Vegas once a week. I'm born and raised here
actually in Vegas. Yeah, thanks. This is why I need to be drunk on stage. It's just natural.
You know? So anyway, born and raised here. But the podcast is done weekly here at the local
sin shop which is actually the next bullet point. I'm a member of the sin shop hackerspace here
in Vegas. We do some cool hardware hacking. So check out that website as well. I am the
secretary over at the sin shop. It's actually next to the Nevada DMV. Perfect place.
I spoke at B-Sides in 2014 and actually this year as well. In 2014 it was what I learned as a
con man and two days ago I did a talk on Vegas surveillance. So the cameras now are on me.
That's awesome. Last year I did a talk at the Sky Talks on automating your stocking using
Twitter to follow somebody who's originally blocked you. So if you want those talk notes,
follow me on Twitter. And I can DM those to you since that talk was not recorded. And I do write
some articles for 2600. Do we have any 2600 readers out there? All right. Do we have any
tele-freakers out there? Okay. No worries. I guess they figured they'd live stream the talk
later. All right. Cool. And actually I kind of want to know a little bit about my audience. So
how many people, like if this is your first time here, how many people have you talked to in the
first DEF CON? Holy shit. Welcome, everybody. This is a cool crowd. So I've been going to DEF CON
since DC-12. So I'd like to say I'm a veteran, but this is my first time on a DC stage. So I'm
like, oh, fuck. All right. How many of you guys, this is your first time in Vegas? Woo! Be
careful. All right. So why this talk? Well, I got really involved with DEF CON when I was
phone-freaking at like DEF CON 15. And at that time I was like, shit, I missed the boat,
because all of this stuff is done. You know, the beige box, the blue box, the any colored box,
they just don't work anymore because everybody's transitioning to VoIP. And, you know, it's
just I can't do the cool shit that was done in the 80s and 90s. But wait, like I just said,
there's VoIP. So that's why I can still be considered a phone-freak, hopefully. Now, if you're
wondering about the drawings, I looked for stock images on Google, because I was like, man, I
need, you know, I need a picture of somebody missing the boat. So every stock photo that I found,
I was like, oh, this kind of sucks. Like, it's not something that I like. I don't want to put
it on my slides. So I had my best friend who's in the audience there, Ninja Nerd BGM, I had him
draw some stick figures for me, because that's what we used to do in high school. So there is me on
the dock missing the boat. There's more in the talk. All right. So today we'll be
focusing on call flooding using our feature codes, text message bombing or SMS flooding using
feature codes, as well as caller ID spoofing. Again, now, not all of this is new, but we're
going to try to implement it in a new and more efficient way. And there's also potential for
other feature codes. So before we actually do some of the demos, we have a demo of the
basic terminology. We're talking about vertical service codes. So, of course, who's ever heard
of, like, star 69, right? Like, we've all heard of star 69. You know who called you last if
they didn't block their caller ID. Or star 672 blocked your caller ID, right? So that's what
we mean when we say vertical service codes or feature codes. Vertical service codes is what
you use to manipulate your little part of the phone network. And the next basic
terminology is PBX, or private branch exchange. Usually, this is now done through a
software where before it was a big, you know, a big rack with circuit switching and whatnot.
So it's cool that software has condensed that, so. Okay. Before, again, well, before,
everything is before the demo, right? Before we go into the demos, we have also the
history of the feature codes. So it was developed by AT&T. It was called the Custom Local Area
Signaling Service. And, again, it was developed in the 60s and 70s, and it was designed to do such
things as block caller ID, who called me last, call forwarding is another one. That's like
star 72. Excuse me. Star 72. So class was trademarked by AT&T. So the other telcos came up
with vertical service code to mean the same thing. Now, why is it called vertical service
code? It's because you're dealing with your central office or your specific carrier. So, for
instance, you can't dial star 69 to manipulate an AT&T central office if you are on the
Verizon network. I'm just using that as an example, but when we say vertical, it's like if
your service is AT&T or if your service is Verizon, that's who you'll be dealing with when
you're dealing with these vertical service codes. Now, with this demonstration, I have my
own PBX, so I am the telco. Okay. So this might be a little bit hard to see, but I took this
from Wikipedia, and basically you see on the left-hand side all the vertical service codes for North
America, according to the North American numbering plan association. Now, I've zoomed into the
part here where I've noticed that, you know, star 30 has something, and then it kind of just
skips to the star 5X area. So what I'm going to do is I'm going to add the feature codes into
right in between there. We're going to be using star 4X today. So what do we mean by weaponize?
Oh, let's talk about this drawing in a second. What do we mean by weaponize? We're going to be
talking about, what do we mean by weaponize? Well, obviously, the star codes are not meant to be
malicious. Like, you're not going to star 69 and, you know, root somebody or cause a DDoS or
whatever. So when we take something that's not meant to be a weapon and then we turn it into a
weapon, it's called weaponizing. Now, the scope of damage, of course, is simple annoyance, like,
you know, getting a million text messages all by a couple of dialing digits. And it could be all
the way to business and personal relationship ruining. And so we could talk about some of the
hypotheticals there later. Imagine, you know, like, well, I'm going to save that example for
later. So the materials you will need. We're going to do this like a science project. You'll
need a Linux machine. Now, this can be physical or virtual. It could be a VM. But Asterisk,
which is what we're using today for the software PBX, is run primarily on Linux. It runs well on
Linux. I've never ran it on a Windows machine, and I don't really care to. So materials you
will need is a Linux box, according to, you know, my research. And then you'll need a hard or
soft phone. Now, hard or soft phone is going to be a VoIP ready phone, but it could be like an
application on your phone such as Bria, Xlight, Zoiper, which is what I'll be using today. Or
it could be a hard phone such as Polycom, Cisco, Yalink, et cetera, et cetera. So as long as
they're tied to the PBX that has that feature code, it'll work. And you'll also need imagination.
So I don't watch SpongeBob, but I kind of like that image. So that's why I use it. Oh, wait. I
didn't talk about this one. So as you can see, all these feature codes are being shot at me,
like star 69, star 56, and it kind of looks like it's being shot at me from a penis. I think
the intention was like a bazooka of some sort. Yeah, thanks. Thanks, dude. But it looks like a penis.
I'm going to be real with you, you know. So the structure of our feature code, in an asterisk
dial plan, you have what's called the context and that separates your functions according to,
you know, asterisk has its own scripting language. So this part here where it says context
label, that's what it will look like in the code. And think of it like your functions or your
your, yeah, your functions or your operations that are your subroutines in your programming language.
We will start all of our feature codes today with star 4X, and X meaning anything from 1 to 9.
Okay? The 4 is the, the star 4 is the feature code that we've picked or that I've picked today.
And that's where it will look like. So in the code, like for an example, star 4 2 and then
702-867-5309, nobody has that number, I'm not doxing anybody. So that will be the example,
that will be the structure of your dialing when you're dialing out with your outbound routes.
Is anybody in here familiar with asterisk at all? On a daily basis? Are you guys like VoIP
administrators out there or anybody? Okay. So you're finding this interesting just because.
All right. Cool. All right. So our first one is the call flood. And I will be flooding my
own phone here in a second. So basically as you can see up here, again, the top starts with the
context label and that's our subroutine. So you'll see that everything in here, it's going to be
grabbing input, it's going to then, my server is then going to take that input and put it into a
call file. Okay. Now the call file is then going to go into the asterisk spool and then out.
Out to your upstream carrier. And it will send, you know, let's see, so down here you'll see
call amount, C-A-L-L-A-M-T, all in caps. That's the variable. And it's accepting 3-digit
dials. So I can send anywhere from one call to 999 calls at one time. So I can send anywhere from
one call to 999 calls at one time. So that's just my own limit that I've set. I figured we'll be
nice a little bit, you know. So I've limited to at least 999 as a max. And so these, this next
part is the call flood shell script. So after we enter the information into the 10-digit dial or
into the feature code, it's going to be made into that text file and this script right here
takes that text file and forwards it to the spooler for as long as it takes. So that's the
code. So now we're going to test this. And the first thing we're going to do is we're going to
set a counter to the call amount. And so it's going to say the first time. I'm going to
make this counter equal to the call amount that I've given. So it could be 500. It could be
600. It could be 1 if I'm nice. I'm never nice. For testing. For testing. So and that's
basically what the code looks like. All this is on GitHub and the link is at the end of the
presentation. So now it's demo time. And as those who might, may know, live demos, they just work
So we're going to see if the demo gods are in my favor. I'll let you guys interpret this stick
figure there. I think that's what the face of God might look like. Or whatever. I don't
know. Okay. So the way this is going to work is I'm going to dial from my soft phone. It's
the soft phone Zoipro application. I will dial from here. It will go out to my PBX and then
out and it will come back around to my cell phone provider. So I am calling myself. I am going
to flood myself. And so you'll be able to hear all these calls as I explain the next part. So
let's go ahead and do this. Star four zero. Let's say, what's a good number? 50. I'm going to
send myself 50 calls here. Seven zero two eight. I was ready. Now I did put this on full
volume. So in a second you'll be hearing call after call after call after call. And that's okay
because as long as the demo works. Let's dismiss this one. The first one came in. That's great.
Okay. Well there will definitely be more as you will hear in just a second. So basically the
caller ID, if you saw in the previous slide, the caller ID is set to 302.000.0001. So the
caller ID is not coming from my phone or from my application. It's changed. It's spoofed, you
know. Let's see here. Let's see what the voicemail sounds like. Because it's leaving me
confused. Are you ready for this? Monkey's having sex. Oh come on. Now you don't want to
work? Okay. Let's try that again. Let's try that again. Okay. So for those who don't know
and. Oh. There's another call. Okay. So for those who don't know and. Oh. There's another call.
Okay. So I'm going to have to dismiss this for the rest of my talk. Oh. Okay. So basically what
you're hearing there, the monkey's. That's another voicemail. The live demo worked
and now it's interrupting my speech. Oh, there's another text. Hey, this works. It works.
All right. So what you're hearing is the monkey's having sex. So basically when the caller
answers the phone, that is what they will be hearing.
.
Now if they ignore the call like I'm doing. .
. 302-000-0001. And that might get annoying. I should have picked like 10. Oh,
shut up, son of a bitch. . Okay. So what you're hearing though is basically if
you answer the phone, if you answer that call as the target. I'm going to put this on silent
now. Like maybe everybody else should be doing. No, I'm just kidding. I don't care. Okay. So
basically when you answer the call, that's what you'll be hearing. And even if you ignore the
call, that's going to go to your voicemail. . So you either have a choice to check the
voicemail or to then delete it, which if you don't have visual voicemail, could get really
difficult. . So here we go. And I got to go to like silent on this one. But basically
excuse me. Sorry. Oh, it's interrupting me. . Okay. Yeah. Now I'm going to go to the
phone. Now it's off. Now it's like no calls, no vibration. So that's a way to call flood.
Okay. So I sent 50 calls to myself. And as you can see, it's just going to keep going until
this call stream is done and ready. But you can send upwards of 900 and 999. And if you
program to more than just the four digit input, it can go much further and much longer than
that. So you can probably disrupt somebody's phone service for a good eight hour shift or
full day. . It's completely dependent on you and how you want to
program. By the way, I am not a lawyer. I anal. So be careful. All right. So the demo
worked. That's cool. Thank you, demo gods, wherever you are. The beard looks good on you.
Okay. So let's talk about the star four zero feature code mitigation techniques. How do we
stop an attack like this? Well, if you have an asterisk box, you can take that call or ID and
then drop any call from that call or ID. So if you're the target and you're getting spammed,
you can say, let's drop a call or ID. If you're the target and you're getting spammed, you can say,
drop all the calls from this particular call or ID and it will drop the call. Now, that could
easily be remitigated or like a chess board, I can say, okay, let me change the call or ID with
every call. So the first call would come from 302, 000, 0001. The second call would come from
0002, 0003, et cetera, et cetera, et cetera. So even if you're blocking that call or ID, I will
get through. And if you block all the 302 area code or whatever area code I'm using,
a lot of people don't want to do that, especially if you're a business, because then that
blocks potentially real business. If I was to block all of the 702 area codes, none of Vegas
would be able to call me. So that's a business disruption. So you can drop the calls, but why
would you want to if that's disrupting your business? And you don't know how long the attack
is going. So while that is a mitigation technique, it's kind of on faulty ground there. Now,
what about people who are not hiding behind the PBX? Like, for instance, this
phone is still going, and I can't stop it. That's okay. Hopefully it's done in an hour.
But if you're not hiding behind a PBX where you can control the call flow, what then? How would
you then drop the calls or stop that attack? I'd like to discuss that with people who know more
than me, actually. Okay. So our next feature code is star 4 1. And it's going to be the SMS
flood. So instead of sending a call flood now, we will be sending a text message to the
message bomb or, you know, same idea, but instead of 500 calls, we're sending 500 text messages.
Okay? So the code is set up the same way. We're taking star 4 1 as the input. And this next
part in the ‑‑ after that break in the code, you'll see that that's ‑‑ what is that?
Star 2 2 ‑‑ or, sorry, 2 2 8. So I'm going to use that as an extension to tell my feature ‑‑
or my ‑‑ my call ‑‑ or my ‑‑ I'm sorry, text message flooder. I will denote that as AT&T.
2 8 8, AT&T, right? So sprint would be like SPR, whatever that DTMF dial tone would be, or
whatever that DTMF touch tone would be. I am personally a Google fly subscriber, so to flood
this, it would be 466, which is what we'll be using in just a second. So this is how we
start our text message flood. Now, I will turn the volume back on so you can hear how many
times I get a text message. Because I'm a masochist. So I'm going to go ahead and
pick a number. Who wants to pick a number? I can't believe I'm doing this to myself.
420. I like where your head is at. I'm just kidding. 256. 256. Okay. Let's see. I
guess I could be that mean to myself. Awesome. Challenge accepted. Okay. What was that?
Oh, okay. So again, I am using my own phone as the test subject. So I'm calling out and it's
coming right back to my phone. So I will be dialing star 41702, redacted. And then we'll go
from there. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . 200. Okay so while . . . 200 time. And so it will tell me who I am
targeting and how many times. While waiting for that to come in, again to explain this
feature code, it's going to dial out of my PPX. It's actually is starting a call flooding script
script that then attacks the e-mail gateway to my MMS service. So it's a big loop. Here we
go. The text is from actually let me do this part. The text is from your mom at
PornHub.com. So obviously the e-mail is spoofed. So I am sending an MMS from my PBX
server back through to the Google Fi e-mail gateway which then goes to my cell phone and it'll
just keep going like that. And for a very long time. I'm kind of waiting for more. It's
going. It's going. There you go. Ding. Let's ding this a couple more times. I forgot what
number we picked. Oh, 200. That's right. 200. There's another one. Your mom at PornHub.com.
So you can see how this is going. I'm going to go back to the e-mail gateway and I'm going to
see how this becomes very annoying. You can see how this becomes very annoying. You can see
how this becomes very annoying. See, I just sent you three right there, right? All right. So
let's talk about practical use. So it's a text message bomb. It's an SMS flood. It's pretty
annoying. But how can this be utilized on a really big attack surface? So let's say instead
of just sending, you know, your mom at PornHub.com, what if we sent a message with a
malicious link? Like, if you want to stop the flood, click on this link. We're lying to the
target. So you're not actually going to stop the flood by clicking on the malicious
link. But what if we told them that? What if we said, hey, if you want to stop this flood,
click the malicious link. So they click the malicious link. It installs whatever you want to
install or, you know, however you want to set that up. That's out of the scope of this talk.
But the links you can send. You can send these links. And if they're, you know, if they're not
noob enough or green enough, they'll click on that because they want to stop the call flood.
They don't want 200 messages. And they don't know that it's 200. They just know that they have a
flood of text messages going on right now. So they'll probably do anything to stop it,
especially if you're sending upwards of 4,000, 5,000, any upward limit. That's still going.
There you go. It's still going. The good news, though, is that the calls stopped. So that's
the thing. We can send this through a malicious link or we can use this to send a malicious
link. And again, we're lying to the target. So we're not going to stop the flood. So we're
lying. But that's an easy way to install that link right there. Now, another cool ‑‑ cool is
not the right word. Another creepy thing. That's a better word. Creepy thing is the 3 a.m. text
from a mistress. So let's say, for instance, and this is just an example, I promise. 3 a.m.,
you know that your target is cheating on his wife. So you send 300 messages at 3 a.m. saying I
love you. Ding, ding, ding, ding. Guess who starts asking questions? I don't suggest it.
This is just a hypothetical scenario. Okay? But obviously you can see how this does not
just become annoying, but then it becomes potentially relationship ruining. Because then
the person loses that trust, it becomes more of a social engineering slash phishing game,
right? So now the why for the significant other is like, who was that? Who was that? Who
was calling you from, you know, et cetera, et cetera. And so that's how we can make this a
little bit more powerful and going a little bit beyond code. So that's the end of the star
4 1 feature code. It's still going. Maybe it's not the end of it. I don't know why I picked
200. Oh, yeah. That's why. Because I'm on stage. All right. So SMS flood mitigation. Okay.
So it's up to the carrier to limit SMS and how fast and how often it comes through. So that's kind
of out of the hands of the target. Obviously this is kind of just still going on. I have
53 currently. So I have about 150 more. Now you could also use Google Voice because I
found out that the e-mail gateway posted by Google Voice does not send those messages. So
as I try to send from a Google Voice number or I'm sorry to a Google Voice number, Google
just drops it. You can't get through that e-mail gateway at least by this method and so it
won't go through. I tested that and again my method it's verified that it does not work for
Google Voice. But the funny thing is it works for Google Fi, Project Fi. You can still send
these messages and they still work. Is that because Google Fi is running off of the T-Mobile
and Sprint networks? Maybe. That part I haven't investigated. But you are still susceptible
if you are a Project Fi user. Now as far as the other carriers, with permission, I've tested
Verizon, AT&T and of course the numbers were a lot smaller like a three just to make sure it
works. But I tested on all these major carriers and it does work. It's just exploiting the e-mail
gateway that they have posted as public information on their website. Now what's another
mitigation technique? You can turn off your phone, just kidding, because it won't
work. You turn on the phone and you'll start getting those messages again. Yeah. You won't
forget me. So that's the Star41 feature code. Ok so this next one I call it a spoofy ghost.
We'll be spoofing caller ID. Oh there you go. Ding again. Maybe I should turn this on its
island again. No, no let's keep it. Let's keep that going. So a spoofy ghost. It's the same
idea. We are taking the feature code and we are taking input from the email data. You can show
dial pattern and then changing the caller ID to what matches there. So actually the target will
be I'll be using star 42. The target will be the 10 digit phone number that goes after that
feature code and then it will ask for my target which will be myself. So it will ask for the
target and then it will go and call me with whatever number I specify. So just to let you
guys know, I know it's going to be hard and I don't have a video of the caller ID, but I will
be spoofing from 702.867.5309. Who knows why? Thank you. Okay, just making sure. You're in a
VoIP talk. You need to know your numbers. So let's do this demo because it's demo time.
All right. Here we go. Star 42. All right. All right. All right. All right.
.
way around so. Okay so this time I call from all 8's. It's ringing. Okay it's hard to see
but it's 702-888-888-8888. So basically what we're doing here is making it easier to
launch attacks. And that's the whole point of this talk is to make it easier to launch
attacks. So and I'll get to that in just one second. So again spoofing caller ID spoofing is
not new. It's been around for a long time but it's still practical. We can use caller ID
spoofing in social engineering attacks and you can still use it for voice mail hacking on
certain characters. You can still use it for voice mail hacking on certain characters. So
that's quickly becoming a thing of the past. But hey it's still something that can be used to
gain trust and run an exploit of the human variety. So what was all that imagination talk I
said earlier? See it's not Spongebob but it's my friend's drawing. Let's see there's a
dinosaur in there. An upside down purple fish not a gold fish. But apparently there's an
imagination. I wonder what goes on in his head. Actually I don't. I don't wonder what's
going on in his head. So what about all of the talk? We had star four one. We had
star four zero. We had star four one and star four two. I am working on using star four three
as a voice mail brute forcer. But what about star four four through star four nine? These
aren't used. These aren't used by the North American numbering plan association. So they're
just kind of there for the taking. I'm not stepping on any other administration or I'm not
stepping on any other configuration such as star six nine or what not. That still is used
regularly. But what are we going to do with all of these other feature codes? We're going to
use the feature code like star four four as an end map scan. Star four four IP address as your
input. Right? So you can launch the attack without being at a computer. You're doing it from
your phone. So that's something that I imagine as far as ways that the feature codes can be
used. Another thing that I see in my head is like a combined attack. Like what if we use star
four six as both a call flutter and a message. So we're going to use star four six as both a call
flutter and a text message flutter at the same time. Like Razelle beat boxing. Okay. Nobody
gets that reference. So you have that too. So what are these combined attacks? I mean there's
a lot of things you can do. There's a lot of potential. And I leave that up to you guys. In
fact, that's my question. Do we have any ideas of another way that we could launch an attack
from a star feature code? No. All right. So the idea though here is to launch an attack from a
launch automated campaigns. So for instance, if you had and I'm going to go back to the NMAP
example. If you use the IP address as input when you're dialing, you have a script that's
already set up to search for these flags or to scan for these flags. You know, like your
Christmas tree and all these other scan flags that you want for your NMAP scan. You take that
IP address as input and then you're launching the attack or the scan from your phone without being
able to use the IP address. So that's something that I thought was kind of cool. That hasn't
been coded yet. So that's probably the next thing I'll try. So it's still going. It's still
going. Let's see how many I'm at right now. I am at 152. So there's still a little bit
more to go. And there's another one. So that's the end of the feature talk. Thank you.
So I'm going to go back to the feature codes. These are my references. The code that I use, the
feature codes and the bash scripting, it was just, it was just scripting and bash. That's on my
GitHub which you can see there that I prepared for DEF CON. And so there we are. Are there any
questions with today's talk? What was that? Oh. Yeah. I'll keep that there. Go ahead and take
pictures. I don't care.
Okay. So I don't know if there are microphones running around. I will try to, I have really bad
vision. So I will try to see if hands are raised. Yes? Can you use it for, okay, so you have
sent, you're using publicly posted e-mail addresses. Can you also use this as a vector for
publicly posted MMS addresses? I'm sorry. Can you repeat that one more time? Yeah. Okay.
So you're sending it to the e-mail address. Can you also, they also have MMS addresses. Oh, okay. I apologize.
That's me being not so detailed. So the way that this attack is working right now, the one that's
still going on, I am actually sending it to that MMS gateway. The from address was the yourmom
at Pornhub.com. Right. Can you just like bomb somebody basically, run up their data
chart? Yes. In fact, a long time ago, there was this co-worker that I had who said I don't need
text messaging, 500 is enough. You're laughing because you see my face. So 500 is not
enough because you have stuff like what we just, what we've just mentioned. Your 500 allotted
monthly text messages will, and I don't think it's a problem in this room, but if somebody has
that, I mean like you're talking about an average of a half an hour and the rest of your text
messages are done for the month. Okay. So with, with call flood, you're talking about a
month. You're spoofing the caller ID. Yes. So there's no way to backtrack for them to get
you, trace you. There would be a lot of work to trace and a lot of involvement with other.
But if you're doing the email or you're doing the SMS, then you probably, you probably need
to run like your own SMTP over a VPN and come out somewhere else, right? Oh, yeah,
absolutely. All this can be done. Okay. So, yep. Remember that the folk, and I know we have a lot of
time. We're running out of time. We're running out of time. We're running out of time. We're
running out of technical people in here obviously. So the scope of this talk is how do we launch
the attack? Now what attack are we talking about? Whether it be like an SMS bomb through a VPN
and et cetera, et cetera. That's obviously there, but it's outside of the scope of this, you
know, of this talk. But yes, that's there. How you decide to launch the attack is up to you.
The bottom line is that these feature codes are input vectors. So you are inputting information
into your computer that then runs the attack. So it's this, it's this Linux box that we've set up,
that runs the attack. So it's running the call flutter, it's running the text message flutter,
and that's all, you know, taken care of on the server end. Yes. So once you launch the attack,
you can't stop it. You better really want your target to get these messages. Now as far as
duration goes, that depends on the speed of your computer because of how fast it can send out
the spool. It also depends on how your carrier handles that type of calling or, you know, mass
calling. And another thing too is when we're talking about call fluttering and grabbing all
those messages, like for instance, if I wanted to send 100 calls, I send such a high amount
because not all of them will go through. So maybe the, maybe your upstream provider only lets
through 50 because it's just inundated with a whole bunch of call attacks. So I'm not going to
send out 50, but not 500. And that's okay. If we want to get the job done, 50 calls gets
the message, there you go. So, yes. Not a lot. I don't have the exact numbers. I've been
using this VoIP provider for quite a while, and I've never really, I mean, it's cheap calling,
and that's the cool thing about VoIP, right, is that it's cheap calling. It's not going to
do anything. So even if you're talking about outbound, it's really not expensive at all,
actually. This attack is very cheap as far as the call fluttering goes. Because if the call is
not answered, you actually don't get charged for the termination. So you're really talking
about a penny a minute if answered. So it's not expensive at all. Over there. I'm sorry?
So you're asking if I can change it to, I'm sorry, if I can do MMS, like change the address of
the MMS? Oh, okay. So this SMS flood is actually an MMS attack vector. So you're using the
email gateway. So you can I'm sorry, without using the what? I'm sorry, without using the
MMS. That's a good question. I will have to find out. I didn't do that for this talk. So I can do
research and we can talk about that. Orange shirt, please. Reverse that. Can I answer the
call and start getting charged for the MMS that you're using? Oh, and keep it on the line?
Actually, yes, you can. So that's a good way to, like, piss off the attacker, right? Luckily, with
all my testing, that hasn't happened. But I'm testing. You know, it's there. Everybody who's
been called knows that I'm calling. But yeah, that's a good way to just rack up the bill. Not
yet, but I will now. But you know what? That's okay. That's why I come to these things. That's
why I come to DEF CON because you guys have better ideas than I do. So I'm going to limit myself
now. Any other questions? Okay. So I'm going to go ahead and start the call. So I'm going to go
ahead and start the call. So it depends on the channel. I believe, like, I have a 10-channel
trunk, so we're talking about, like, 10 consistent calls or, like, consecutive calls. So if you
have, like, a line of 500 or 500 calls, 10 will go out at a time. 10 will go out at a time.
Let's make that star 47. Right? Remember, we still have all these feature codes and, again,
I am grabbing all these ideas, so hopefully I get to code it first. But yes, that is
absolutely possible. You basically, you spoof one, you spoof the other. They call each other and
piss each other off. So ex-boyfriend, ex-girlfriend, call at 2 in the morning, ooh. Let's
see. Let's see if I can get any from this side. Any questions, guys? Yes. Are you able to accept
your victim, like, if they get called, if they press number 3, another script run? Yes,
actually. You would have to set up an IVR to do that. So an IVR, for those who don't know,
it's like an auto attendant. So you answer the call and it's, like, so you're saying, press one
for billing, press two for not getting owned, press three for an operator. So you can do that,
yes. So basically the call would wait for input from the user and they could then pick their
poison. Oh, I want to get call flooded today. Let's dial zero for that. Is that the right way? I'm
that. Or let's get 1,000 text messages. Let's dial two. That's definitely possible. Any
other questions? Up front. I'm blind. Yes. Respect, I guess. There really is nothing
stopping me from using any of the feature code. The PBX is my own creation as far as the
way it's set up, the call flow, et cetera. So I could set up star 69 to do an attack like
this. I just picked these other feature codes because I didn't want to step on anybody's
toes. Not that I would be, but it's almost like a freak or honor code. I'm not going to mess
with the system that's already there and in place. I'm going to use that system, but let's
keep star 69 for what it is. It's my own limit. Was there a question in the front? Wait.
Okay. Sorry, the speaker was like... Sorry, the speaker was like... Sorry, the
speaker was in the way. I don't mean me. I mean the speaker. If you have that question, go
ahead and ask it. Yeah. I believe we have star 49. Again, you guys, all of this is...
a very good question. All of this is potential, and this is all within your minds of like how do I
want to code this thing? So basically what I put here is kind of like an infrastructure, a way
to maybe do it. But remember, we don't have star four four, we don't have star four five yet.
So what else can we come up with? Absolutely, we can do something like that. That can all be
coded. Yes? . I'm sorry? . Now you're talking about
total fraud. Total fraud. We'll call the 900 number. Well, no, I'm not going to call the 900
number. That's $3 a minute. But yeah, again, it's all potential, it's all there. Anything
that you want to do, now it's up to your creativity. So if this is inspiring to you guys,
cool. And I mean, that's where it is. We laid down some groundwork and if you guys have some
coding ideas, follow me on Twitter, get me on GitHub and let's talk about what we can do
next. Let's break some shit. Within reason. Within reason, please. So I have five minutes
here, you guys. I want to just say thank you. Again, this is the biggest crowd I've ever
spoken in front of. And it's not even day one of a con. .