Date:      Wed, 18 Sep 96 17:33:07 +0000
From:      Andrew.Gordon@net-tel.co.uk
To:        graichen@axp5.physik.fu-berlin.de
Cc:        hardware@FreeBSD.org
Subject:   Re: dail back modems (or dialing back with modems)
Message-ID:  <"28729-960918154318-B6B1*/G=Andrew/S=Gordon/O=NET-TEL Computer Systems Ltd/PRMD=NET-TEL/ADMD=Gold 400/C=GB/"@MHS>
In-Reply-To: <199609140727.JAA00994@mordillo>

> does anyone here know about hardware dial back modems (you call them and then
> they call directly back to you) - if yes - what's the price for them compared
> to a normal modem?

Among others, the USR Courier supports this.  "Compared to a normal modem"
depends what you think a normal modem is; compared to a cheapest-possible
modem, maybe double the price - but so far as I am concerned my USR Courier
is my "normal modem"....

HOWEVER, this may not be what you want.  Depending on your local phone
system, dial-back with a single line/modem may not offer you the security
that you hope for.

Certainly in the UK "calling party clears" applies to most phone lines -
this means that if you make a call and the answering end hangs up, the call
remains open and if they pick up again the incoming call is still there.
The call is only cleared if the calling party hangs up (or after a timeout).

This allows the following exploit with simple dialback systems:

Intruder dials in and requests dialback
Answering modem hangs up ready to dial back
Intruder does not hang up when carrier is lost, so call remains open
Answering modem picks up expecting dialtone
Intruder simulates dialtone on the still-open call
Answering modem dials number, but as call is open it has no effect at all
Intruder simulates ringing and answer
Call is connected, even though Intruder is not calling from the number dialled back.

This makes the "dial back" no more secure than a simple password scheme.

Of course, your phone system might not have calling-party-clears, or it
might provide polarity reversals that a clever modem can use to detect
the difference between a real connect and a fake one, but you require
detailed knowledge of both modem and phone system to be sure.

The safe way to do dial-back is to use two modems, connected to two phone lines, and dial back on the other line.

Round here, we use Caller-ID for secure dial-in, which has the advantage of
being much faster as well as (probably) more secure.  It is also quite
cheap here.  In your case, ISDN may be a better bet.
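
Added example, not part of the original message: a small model of the line state described above, comparing dial-back on the answering line with dial-back on a second line when "calling party clears" applies. The `Line` class, `dial_back` function and phone numbers are hypothetical names and constructed values; the timeout the message mentions is not modelled.

```python
class Line:
    """One subscriber line at the exchange (constructed model)."""

    def __init__(self, calling_party_clears):
        self.calling_party_clears = calling_party_clears
        self.open_call_from = None  # inbound call still held open on this line

    def answer(self, caller):
        self.open_call_from = caller

    def hang_up(self, caller_also_hangs_up):
        # Under calling-party-clears the call is torn down only when the
        # calling party hangs up; the answering end going on hook is not enough.
        if caller_also_hangs_up or not self.calling_party_clears:
            self.open_call_from = None

    def off_hook_and_dial(self, number):
        # If an inbound call is still open, going off hook rejoins that call
        # and the dialled digits have no effect at all.
        if self.open_call_from is not None:
            return self.open_call_from
        return number  # real dial tone: the exchange routes to the number dialled


def dial_back(inbound, outbound, caller, registered, caller_hangs_up):
    """Return the party the answering site ends up connected to."""
    inbound.answer(caller)             # caller dials in and requests dial-back
    inbound.hang_up(caller_hangs_up)   # answering modem hangs up
    return outbound.off_hook_and_dial(registered)


if __name__ == "__main__":
    REGISTERED = "555-0100"  # constructed: number on file for the account
    CALLER = "555-0199"      # constructed: where the call really came from

    one = Line(calling_party_clears=True)
    print("single line :", dial_back(one, one, CALLER, REGISTERED, False))

    a, b = Line(calling_party_clears=True), Line(calling_party_clears=True)
    print("two lines   :", dial_back(a, b, CALLER, REGISTERED, False))
```

With a single line the result is the original caller's number rather than the registered one; with the dial-back placed on a second line it is the registered number, whatever the caller does with the first call.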


