TrueJournals

Comcast has recently added a new feature to their digital voice service: caller ID anywhere.  Simply download a program on your computer, enter your comcast.net username and password, and you’ll get a small alert any time you get a call.  The same system allows comcast to show caller ID alerts on your TV.

So, how does this work?  Did comcast come up with some super-secret way to encode this data so no one but them can use it?  Nope; they’re simply using XMPP.

For those unaware, XMPP is a very nice concept: an open messaging protocol.  This means that companies don’t need to invent their own protocol, or shell out big bucks to use another protocol.  Just grab a server and client, and you have an instant messaging system.  XMPP is also designed to be expandible.  Is there a feature you need that it’s missing?  Just code it in, following the current specifications.  The problem with this is that different clients can conform to different specifications for things that aren’t part of the official protocol, but that’s another discussion.

Comcast decided to not reinvent the wheel, and just use XMPP, with a little twist.  If you already know a bit about XMPP, I’ll give you the stanza as a client receives it:

<message to=”bob.graese@comcast.net/comcast” from=”callerid_alert@comcast.net/wcdc01b” id=”sn-30552863″ type=”headline”><CInfo>3NoAaS45q2vvGEmdgNb35TReIbQcE7F5d4vtkBu0l1bsyVdLRr3VxaTyWbV
nyXpEIgjAs1QbBV2CK1HJjIb+yvTDOMXh5uDGh+Q552jyV6vxPM10+tlhNBfTEvNjB7QJnTHkd2Mmj5
Cl3JCdoRRw8/RTGSzDGrSQwLAmpht6GmS7DNMGcHc=</CInfo></message>

(The line breaks above have been inserted by me in order to not destroy the layout)  So, what’s all this saying?  When your phone rings, comcast sends you a message over the XMPP protocol.  This message goes TO (your_main_account)@comcast.net, using the resource “comcast”, and comes FROM callerid_alert@comcast.net (very original naming), with a little resource tacked on the end there.  Each message has a unique ID, and a tag saying that the message is a “headline” (I’m not sure on the specifics of this, I’m guessing this would be used for news items in a XMPP client).  Then, Comcast starts the non-standard part.

When sending an IM over XMPP, there’s usually a body tag inside the message tag.  However, Comcast has invented a CInfo tag, which isn’t part of the XMPP specification.  Inside, there’s a long, encoded string.  Unfortunately, I haven’t worked out how they encode it (I’ll be working on that in the coming days; Any ideas?  Let me know!)

So, what does this mean?  It means that everything is unsecure (except the CInfo tag).  Theoretically, if comcast’s programming is dumb enough, I could send a caller ID message to any comcast user, and have it display on their TV and computer, even though their phone isn’t ringing.  Or, I could call their house, then send them a different caller ID message, and spoof my caller ID info.

Of course, this all hinges on the assumption that comcast figured no one would think of this.  I’m guessing that Comcast doesn’t check who the message is FROM.  If they do, and it needs to be from callerid_alert@comcast.net, then none of this will work.  However, if they don’t check, this could be a fun security excersise.

But first, I need to decode the information inside CInfo.  I don’t have much security expertise, so I can’t guarantee any progress on this.  If you have an idea, please let me know.  If you figure it out on your own, I’d also like to know.  If you use my ideas to expand into your own project, a small link is all I ask.

Stay tuned in the next couple of days to see if I can make any progress.