Wednesday, October 10, 2007

Ooma pranks, or "how to Punk Ashton Kutcher"

If we assume that ooma's "creative director" eats the company dog food and uses ooma, then a call made by the former TV star may eventually be directed through our ooma hub, as a result of the company's patent-pending "distributed termination." This feature can be exploited by attackers to perform various attacks, including:

  • Redirecting phone calls placed by the user to different phone numbers of the attacker’s choosing

  • Tracking phone calls placed by the user

  • Preventing the phone from dialing

Plug the output of the Ooma hub that is supposed to connect to your landline into an ATA registered to your Asterisk server.

Assume that this ATA registers as "oomahub" to your server and inbound calls arrive at the context "ooma-in". In extensions.conf we may find something like this:

exten => _XXXXXXX.,1,Goto(ooma-prank,s,1)

exten => s,1,SetVar(X=$[${EPOCH} % 10])
exten => s,2,Goto(ooma-prank,prank-${X},1)

; The call will be directed to prank-0 thru prank-9

; prank 0 - send Ashton to a phone sex line
exten => prank-0,1,Answer
exten => prank-0,2,Dial(SIP/
exten => prank-0,3,Hangup

; prank 1 - play audio clip from Ashton's classic "My Boss's Daughter"
exten => prank-1,1,Answer
exten => prank-1,2,MP3Player(music/MyBossDaughter.mp3)
exten => prank-1,3,Hangup

; ... other pranks here

Of course you know that this information is provided purely for entertainment purposes and nobody should actually do this, right?

However, it does point out some of the risks associated with using ooma's service.

Wednesday, October 3, 2007

Disconnecting your phone line from the ooma hub

Ooma's promotional material states that White Rabbits and purchasers during the promotional period must have a landline which they allow to be used by Ooma for other subscribers' calls.

However, it is not clear what technically prevents a user from saying that they have a landline but simply disconnecting it. If the Hub contains some sort of mechanism to detect the absence of a landline, it would likely be a simple matter of defeating it. This could be done simply by connecting the depicted circuit across the phone jack on the Hub (thus allowing the subscriber's phone line to directly connected to the phone for their private use). Depending on the setting of the switch, this would appear to the Hub as a phone line which doesn't return dial tone, a line that is always busy, or a disconnected line.

Summary of ooma issues from around the net

Security and privacy:

Billing and Phone Company Hassles:
  • Andy Abramson and the ooma EULA

  • No Rooma For Ooma - a "white rabbit" yanks the ooma cord

  • VoIPPlanet - setting up ooma is as much of a pain as moving

  • NewsFactor Network - ooma adds roughly $10 a month to the local phone bill

  • BusinessWeek - The ooma Headache "Glad my test drive was free. I wouldn't fork over $399"

  • Bruce Fryer - ooma's math doesn't compute

  • Cnet - it was a pain to install - our long-distance fees are paid mostly to cell phone companies, so I'm not eager to pay $400 up front to get rid of long land-line distance bills which I don't have

Technical and Sound Quality:
  • BusinessWeek - the most annoying part of using ooma is the ooma dialtone, heard by both callers AND call recipients

  • - audible buzzing sound on calls, caller ID doesn't work

  • Aswath Rao - technical reasons why ooma won't work


The following are some of the web sites commenting on Ooma which appear to be written by people who understand telephony and the issues that Ooma faces. While there are numerous web sites making positive statements about Ooma, they appear to be doing so solely on unfounded expectations and lack of actual information about how Ooma works. The most believable positive things that anyone has said are about how "The hardware is elegant." (I apologize if some of these links no longer work.)

The list of such sites grows every day. I provide the above as a small sample of concerns expressed by people from many walks of life to ensure potential users can make an informed decision before using ooma.

Eavesdropping on ooma calls

When a call is routed through someone's Hub and onto their phone line, it is a rather simple matter for them to eavesdrop on the call. Ooma continually claims that they have "proprietary" technology to detect and/or prevent this, but that appears impossible, since a circuit, such as that shown at right, can easily be constructed which is undetectable.

Ooma claims to have a "proprietary" solution to this problem, but all techncial experts suggest that the most the Hub could do is to detect the drop in voltage across the line if another phone directly connected to the line goes off hook, and then break the connection in the Hub. (This is exactly what an answering machine does, so it is hardly new or "proprietary".)

If one wants to do eavesdropping on the calls going through their own phone line (maybe to make sure that no one is using it for illegal purposes for which the subscriber of the line will be held responsible) all they have to do is connect a simple circuit which presents a high DC-impedance across the line and the Hub can not possibly detect its presence. The circuit is shown, where the values of the capacitors and matching transformer depend on the nature of the input to the amplifier. Use at your own risk.

Or try the inductive tap circuit described at Unterzuber.

A more complicated (but perhaps a lot more interesting) way to capture calls made by the ooma hub on behalf of other omma subscribers would be to connect the ooma hub to an Asterisk box with an FXO/FXS card, or perhaps a Linksys/Sipura 3102 or other ATA with FXO and FXS ports (or a Sipura plus a Trixbox). The Sipura/Asterisk box could pass the call through while recording it - this would be totally transparent to the Ooma box. I will try to provide a full how-to for this in a future post.

As an ooma user, to prevent others eavesdropping on your calls in this manner, prefix all calls made via the ooma network with *82 - this also has the added benefit of presenting Calling Line ID to the callee, so that your friends who screen their calls will answer.

The right way to use Ooma

If, after careful thought about the problems addressed at various sites around the net, you still want to use Ooma service for your long distance service, then I recommend that you do it as follows, which gets around most of the problems:

Be advised: If you connect the Ooma hub to your PSTN (POTS/landline) service, they change your phone service to add Call Forwarding on Busy and remove other features. All good hackers will opt to NOT provide Ooma this information and to NOT connect their landline to the Ooma hub. If Ooma already changed your service, call your phone company and change it back to the way you want it. (You should also tell your phone company not to accept further changes from a third party.)

Suggested hacks:

  • Get the version of Ooma service without your landline connected. This option is apparently not available to "white rabbits" so alternatively, disconnect your landline from the Ooma hub.

  • Use a separate "ooma Phone" connected to the Ooma hub. Use this phone for domestic long distance calls. Optionally, use a two-line phone to have access to your real PSTN line at the same time.

  • Do not use a Scout, but rather connect all "ooma phones" to the Hub. Use these phones to make and receive Ooma calls (via the Internet).

  • Whenever placing a call over the Ooma network (using an "ooma phone" above), begin the call with *82 to force the call through a "secure" Ooma Gateway and to include Calling Line ID so that your friends who screen their calls will answer.

This arrangement will give the user the advantage of being able to use Ooma to make long-distance calls, while using their own line for local calls whenever they want.

Dialing *82 for all calls placed over the ooma network also has the side benefit of added security because it prevents your call from being sent via someone else's ooma hub and prohibits any such user from eavesdropping on your calls.