Author Archive

Gold on VoIP Security

Monday, April 2nd, 2007 by Martyn Davies

Over on his blog Steve Gold laments the lack of focus on VoIP Security at the recent VoIP for Business event in London, and also talks about the failure of Ofcom (the Office of Communications in the UK) to take on the issue in their recently published VoIP service provider regulations. 

For those that don’t know the name, Gold is a security consultant of some pedigree: he was famously prosecuted by the UK government back in the 1980s for compromising accounts in the Prestel system, a videotex system that was one of the world’s first online networks. The failure of this prosecution led to the drafting of the Computer Misuse Act in the UK.

New Hacking for Traditional Networks

Monday, March 5th, 2007 by Martyn Davies

I was intrigued by a talk advertised for the upcoming Black Hat Europe 2007 conference about hacking SS7.  Philippe Langlois will talk about SCTPscan - Finding entry points to SS7 Networks & Telecommunication Backbones, and as he says:

“SCTP is the protocol used to carry all telecom signalling information on IP according to the SIGTRAN protocol suite. It’s the foundation, as TCP is the foundation for the web and email.”

SS7 has been largely a secret world, a private network of networks for signalling voice calls across all the world’s cellcos and telcos. In traditional SS7, all the links are achieved with T1 or E1 pipes, and there’s no opportunity to get access to this signalling backbone.

However, SIGTRAN effectively uses an IP network as a transport system for signalling, doing away with the need for T1/E1 links and specialized hardware.  SCTP is a protocol that is used instead of TCP or UDP for this purpose.  So from a hacker point of view, SCTP is a pipe that can be exploited and scanned in order to get access to telco resources.

Increasingly, with NGNs being interconnected with traditional networks, tools like SIGTRAN will be used to allow different IP architectures to co-exist, so as Langlois implies, a hacker can write special tools that spoof higher protocol layers like M3UA, ISUP and TCAP to explore or interfere with the operation of SS7.  This is a potential danger because normally a high degree of trust exists between different SS7 network operators, and when they interconnect they do so in the understanding that each party will “behave nicely”.

In the Internet world, of course, there is no guarantee of “niceness”, and SIGTRAN links need to be locked down with tools like firewalls. In an ideal world, SCTP would be the only protocol allowed through on SIGTRAN links, and furthermore each party should have checks on the source addresses that are allowed to send messages and interact with SS7 service elements. You would normally expect that SIGTRAN links (into SS7 backbones) could not be accessed or routed to from anywhere on the public network, but of course routing and Ethernet switching errors can occur, accidentally connecting segments that should not be.

However, SS7 has some advantages on its side in this war. Firstly, it is a complex set of protocols, and most hackers will not have any “hands-on” experience that will help them find weaknesses in the network. Also, SS7 networks in practice use a system called global title addressing, which means that co-operating networks can use each other’s services without needing to know the internal construction of the network. This helps to prevent outsiders from understanding how a network is put together.

Whatever the pros and cons, we should not be complacent, and I’m sure the traditional telcos will not be, since money is at stake. On the Internet we can be sure that if something can be hacked, someone will try to hack it.

Combatting Voice SPAM with VoIP SEAL

Tuesday, February 20th, 2007 by Martyn Davies

One of the highlights of 3GSM Barcelona for me was visiting NEC at their stand, and to see their demonstrations in action. There was some discussion in the VoIP and security space over the last weeks about a server technology called VoIP SEAL that NEC were to demonstrate at the show, and I was keen to see this in action. VoIP SEAL is a system that attempts to defend a VoIP system against VoIP SPAM or SPIT (SPAM over Internet Telephony).

Luckily, at the time I visited the stand, Saverio Niccolini of NEC was there. Saverio is a prominent researcher for NEC, and was a speaker at the 3rd Annual VoIP Security Workshop last year, which I attended and wrote about here. It was great to meet up with Saverio, and he showed me the VoIP SEAL demo himself.

To briefly summarize the system, VoIP SEAL combines a number of different techniques to detect a suspicious VoIP call. Each module does a test and produces a score or index, and at the end the indices are weighted and combined to give an overall score that measures how ‘dangerous’ a call might be. For example, there are modules that can apply blacklist or whitelist logic; measure SIP INVITE rates; test reputation or check that different SIP URIs are not coming from the same IP address. So, each module is dedicated to measuring for a particular exploit or security aspect, and they can be combined in different ways, with different weights.

An interesting part of VoIP SEAL is that it can apply tests in two phases: firstly before answering the call and then after picking up. In the first phase, the ‘suspiciousness level’ of a call can be assessed, and if the level is low, the second phase can be skipped, simply connecting the call to the recipient. However, if the level passes a configured threshold, the call is diverted to a specialized answer machine that can apply further tests. Having this two-phase approach helps to minimize false positives, where genuine human callers get trapped in the system and can’t get through.

In phase 2, VoIP SEAL can measure the speech energy when a greeting or outgoing message is being played. For a genuine human caller, this energy should be low, as humans tend to listen rather than talk over greetings. A bot or SPAM application will behave differently, perhaps starting to stream audio continuously as soon as the media channel is available. There are more sophisticated audio CAPTCHA tests (Turing Tests) that can also be applied to attempt to tell the difference between a human and a bot. If the call is considered suspicious, it can just be allowed to play its message into a voicemail SPAM queue, and perhaps this queue would be periodically reviewed by an administrator to make sure that the VoIP SEAL was working effectively and not trapping too many real human callers.
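To make the weighted-module, two-phase scheme concrete, here is an added illustration written for this post (not NEC’s code). The module set, the weights, the divert threshold and the talk-over heuristic are all assumptions chosen for the example; a real deployment would tune them against its own traffic.

```python
# Constructed illustration of VoIP SEAL-style scoring, not NEC's code; weights/thresholds assumed.
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class CallAttempt:
    from_uri: str              # SIP From URI presented by the caller
    src_ip: str                # address the INVITE arrived from
    invites_last_minute: int   # INVITE rate already seen from this source

@dataclass
class SpitFilter:
    blacklist: set = field(default_factory=set)
    whitelist: set = field(default_factory=set)
    # assumed weights per module; they sum to 1 so the combined score stays in [0, 1]
    weights: dict = field(default_factory=lambda: {"list": 0.5, "rate": 0.25, "uri_ip": 0.25})
    divert_threshold: float = 0.45   # phase-1 score above this -> specialized answer machine
    max_invites_per_minute: int = 30
    uris_seen_from_ip: dict = field(default_factory=lambda: defaultdict(set))

    # Phase-1 modules: each returns a suspicion index in [0, 1] for one aspect of the call.
    def list_module(self, c):
        if c.from_uri in self.whitelist:
            return 0.0
        return 1.0 if c.from_uri in self.blacklist else 0.5   # unknown caller: neutral
    def rate_module(self, c):
        return min(1.0, c.invites_last_minute / self.max_invites_per_minute)
    def uri_ip_module(self, c):
        # many distinct From URIs arriving from one IP address suggests a spam generator
        seen = self.uris_seen_from_ip[c.src_ip]
        seen.add(c.from_uri)
        return min(1.0, (len(seen) - 1) / 4)
    def phase1_score(self, c):
        idx = {"list": self.list_module(c), "rate": self.rate_module(c),
               "uri_ip": self.uri_ip_module(c)}
        return sum(self.weights[k] * v for k, v in idx.items())

    # Phase 2, after pick-up: fraction of greeting frames in which the caller sends loud audio.
    @staticmethod
    def phase2_talkover(energy, greeting_frames, loud=0.2):
        return sum(1 for e in energy[:greeting_frames] if e > loud) / greeting_frames
    def decide(self, c, energy=None, greeting_frames=50):
        if self.phase1_score(c) <= self.divert_threshold:
            return "connect"                 # low suspicion: phase 2 skipped entirely
        if energy is None:
            return "divert"                  # hand the call to the answer machine first
        return "spam_queue" if self.phase2_talkover(energy, greeting_frames) > 0.5 else "connect"
```

A caller that is only suspicious on one module (for example an unknown URI with a normal INVITE rate) is connected straight away; the answer-machine test is reserved for calls that cross the threshold, which is what keeps false positives down.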

If you want to hear more about VoIP SEAL, I recorded an interview with Saverio where he explains it in more detail. This interview will be coming up in a future edition of the Bluebox Podcast, run by two of our VOIPSA Chairs, Dan York and Jonathan Zar.

IPTComm Call for Papers

Monday, February 19th, 2007 by Martyn Davies

In June last year, I attended the 3rd VoIP Security Workshop in Berlin and wrote about some of it here.  It seems there is now a successor conference (although not with the same name) to be held at Columbia University in New York in July, organized by the same committee.

The scope is broader this year, encompassing not only VoIP Security, but a range of IP and NGN related topics.  They have just published a call for papers, so please take a look at the IPTComm site here.  I’m sure it will be a stimulating event, as the last one was.

Lawful Intercept and Crocodile Clips

Thursday, January 18th, 2007 by Martyn Davies

Those interested in the topic of Lawful Intercept (LI) and CALEA might be interested in a new blog over on the TMC site.  Scott Coleman of SS8 is writing a new column called Demystifying Lawful Intercept and CALEA.  The cunningly-named SS8 market a number of products including LI solutions. And no, LI is not done with crocodile clips.

Learning to Distrust Steve

Tuesday, January 16th, 2007 by Martyn Davies

In a recent blog entry, Rich Tehrani touched on the subject of a type of email phishing attack termed Spear Phishing. For those that have not heard the term before, Rich describes it:

“In a recent US example, a phisher bluffed his way into the network of a port authority by spoofing an internal email address. Once on the inside, with an apparently genuine email identity, he was able to fool employees into revealing passwords for applications.

This sort of attack has been termed ‘spear’ phishing, designed to bamboozle unsuspecting ‘colleagues’ into revealing information that will give the perpetrator access into secure areas of corporate networks.”

This type of attack is possible because many email services either don’t insist on any kind of authentication, or do not look at the ‘from’ email address you specify and check that it is consistent with your actual service-provided email address. This is one of the weaknesses of today’s email system that makes life so easy for spammers.

Unfortunately, Spear Phishing also applies to VoIP, since in many cases VoIP services can be fooled into using and displaying a false caller ID number. So you can imagine the scenario: you are sitting at your office desk, and a call comes in to your desk phone. The number on the display is 400, and this is the extension you normally call to reach the IT help desk. It’s definitely not an ‘outside’ number. You pick up and, although you didn’t know that the IT help desk now has a technician called ‘Steve’, perhaps if he knows one other bit of corroborating information this will be enough to make you accept that he is bona fide. In the conversation that follows, he might tell you that Mike from Sales called him, and can you tell him where Mike is? Of course, if he knows that Mike sits near you, you might be tempted to believe that Steve is for real. Bingo. Now maybe you’re ready to tell him something secret?

Of course this kind of confidence trick is nothing new; it just uses new tools to achieve the same goal. The defence? Well, if you have the slightest doubt about someone’s veracity, you could offer to call them back, and do not use any information they have given you to do it. For example, call someone else you know in the help desk, and ask them about ‘Steve’. “Steve who?”
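The technical side of the defence is the consistency check the post describes as missing: the PBX should compare the caller ID a call presents with what it actually knows about where the call came from. The following is an added example written for this post, not code from the original; the From-header form it parses, the three-digit internal dial plan, and the “relabel” action are assumptions.

```python
# Constructed caller-ID screening check, not from the original post; dial plan assumed.
import re

# From-header forms handled: optional quoted display name, then <uri> (assumption)
FROM_RE = re.compile(r'^From:\s*(?:"(?P<display>[^"]*)"\s*)?<(?P<uri>sips?:[^>]+)>', re.I | re.M)
INTERNAL_EXT = re.compile(r"^[1-9]\d{2}$")   # assumed dial plan: 3-digit internal extensions

def caller_user(invite):
    """User part of the From URI, i.e. the number a desk phone would display."""
    m = FROM_RE.search(invite)
    if not m:
        raise ValueError("no parsable From header")
    return m.group("uri").split(":", 1)[1].split("@", 1)[0]

def screen_caller_id(invite, source, registered_user=None):
    """source is 'internal' for a phone that authenticated to the PBX (registered_user is
    the identity it proved) or 'trunk' for a link from outside. Returns (action, number)."""
    claimed = caller_user(invite)
    if source == "internal":
        # a registered phone may only present the identity it authenticated as
        return ("accept", claimed) if claimed == registered_user else ("reject", None)
    # a call from outside may never masquerade as an internal extension such as 400
    if INTERNAL_EXT.match(claimed):
        return "relabel", "external-unverified"
    return "accept", claimed

# Constructed INVITE: an outside caller claiming to be help-desk extension 400
SPOOFED_INVITE = (
    "INVITE sip:alice@pbx.example SIP/2.0\r\n"
    'From: "IT Helpdesk" <sip:400@pbx.example>;tag=7a1\r\n'
    "To: <sip:alice@pbx.example>\r\n\r\n"
)
```

With this check in place, ‘Steve’ calling in over an outside trunk would show up on the display as an unverified external caller rather than as extension 400, which is exactly the cue the scenario above relies on.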

Making VoIP Connections Safe

Tuesday, January 16th, 2007 by Martyn Davies

Over on VoIP News there’s a piece about some of the VoIP threats and possible responses to them. John Edwards talks about Denial of Service; Toll Fraud; VoIP Spam and Phishing.

Voice SPAM - the Fightback Begins

Thursday, January 11th, 2007 by Martyn Davies

Voice SPAM is increasingly a problem, as the cost of making calls gets lower and lower in real terms. I was interested to see that GrandCentral are taking steps to block Voice SPAM for their customers. If you haven’t come across GrandCentral yet, they have an interesting product offering that allows you to have one telephone number from them, and have a single voicemail system and the ability to have inbound calls follow you to whatever fixed or mobile devices you are using at any moment. They also have a lot of advanced features like color ringback (CRBT), call screening, and control via a web interface.

We’ve talked here before about caller ID spoofing, i.e. that using various services you can lie about your source telephone number.  GrandCentral say on their blog that they know the caller’s number even if the caller ID is not displayed: I presume this means they’re using some good, old-fashioned SS7 signalling technology (rather than IP and SIP).  It will be interesting to see if a blacklisting approach works in the long term, since in the future spammers using VoIP technology to initiate SPAM will not be connected directly to today’s digital telephone networks, but instead will be using some kind of gateway to cross from VoIP to traditional networks.  Presumably once such a VoIP gateway gets blacklisted, the spammers will simply move to the next gateway with a change of IP address.

Building a VoIP Network

Wednesday, January 10th, 2007 by Martyn Davies

Dean Elwood, one of the founders of voipuser.org (a free VoIP service provider and online magazine) recently wrote an interesting article called “How To Build A Voip Network: 7 rules for the VoIP entrepreneur in 2007.“  It’s a great read from someone with experience of creating value from a VoIP service, rather than the usual marketing “talking head”.  It also raises some interesting VoIP security questions, including Session Border Controllers, Lawful Intercept, Denial of Service and confidentiality.

Tell Me Your PIN, So I Can Go Shopping

Friday, December 15th, 2006 by Martyn Davies

Martin Geddes at Telepocalypse raises an interesting point that has bothered me also, which comes back to the security of phones, and the ability for hackers to pass themselves off as legitimate organisations, such as your own bank. Today, the problem is that there is no way an inbound call can ever be secure, because any Caller ID number you receive could be faked, and many outbound call centres withhold the number anyway. Also, with technology like Asterisk servers and IVRs with synthesized speech, it is quite possible to build a reasonable facsimile of your bank at a very low cost.

I have a card that I usually service online, and it is very rare that I ever need to call up one of the call centres to speak to anyone. So recently when I received a call out of the blue on my cellphone, I was surprised to be addressed by a synthesized voice. Knowing, as I do, that such things can cheaply be rigged up using a regular PC (and perhaps Asterisk), I was not inclined to trust the call, or enter any of the bank security details it was asking for. I hung up on it, whereupon it called back a number of times before I drove into a GSM blackspot, which for the purposes of this discussion we can call Vermont. The repeated calls did nothing to reduce my suspicions.

Like Martin Geddes, when (a couple of days later) I did finally call the number suggested in the synthesized announcement, the operator I spoke to wanted to take security details from me. I explained, as I do in those situations, that this would not be a safe thing to do, as I had just called an unfamiliar number suggested by an automated voice on an inbound call. Fortunately, at least this bank have an answer to that question: there is a telephone number written on the back of the card itself, and he suggested I call that number. Now I can be pretty sure that I’m talking to who I think I am.

In the long run, I think banks will have to realise that they need to authenticate themselves too, and perhaps we will be able to test callers by getting them to tell us a password too. Phishing attacks can only increase in the future due to the accessibility of VoIP technology, and part of the counter-attack is to teach people how to authenticate callers before giving up vital security information.