Archive for the 'VoIP Attacks in the News' Category

Rampant Italian Wiretapping Spurs Consumer Encryption Use

Monday, April 30th, 2007 by Dustin D. Trammell

According to the New York Times, it appears as if consumers in Italy are rapidly moving toward encryption for voice technologies due to rampant publication of private conversations, both due to leaked conversations that were a result of government wiretaps as well as conversations recorded through private means. From the article:

What has spurred encryption sales is not so much the legal wiretapping authorized by Italian magistrates–though information about those calls is also frequently leaked to the press–but the widespread availability of wiretapping technology over the Internet, which has created a growing pool of amateur eavesdroppers. Those snoops have a ready market in the Italian media for filched celebrity conversations.

It would seem that in Italy, it’s fairly common to take someone’s private conversations straight to the press… Even the national telco’s head of Security was in on the game:

This year, Bonini’s name was among thousands that surfaced in an illegal-wiretapping scandal involving employees of Telecom Italia, the Italian phone company.

Twenty people were arrested, including the former chief of Telecom Italia security, in what investigators say was an attempt to use the intercepted phone conversations to blackmail Italian public figures.

Many of the cell-phone encryption products mentioned in the article that are being marketed to Italian consumers sound a lot like Zfone, essentially providing end-to-end encryption for the audio between two devices that run the encryption software in advance of the call.

Phone “Phreakers” Steal Minutes

Monday, March 12th, 2007 by David Endler

The March 19th edition of NewsWeek has an article about cyber thieves stealing VoIP minutes by hacking into VoIP providers’ gateways. It’s the first time I’ve actually seen real numbers applied to VoIP theft:

‘These thieves steal 200 million minutes a month, worth $26 million, says New York telecom Stealth Communications. With more than 5,000 wholesale-minutes markets worldwide, located mainly on Internet forums, fraud is hard to track. Emmanuel Gadaix, head of TSTF, a Hong Kong firm that investigates VoIP thefts, says it’s “very easy to set up a temporary link” through a hacked gateway. His company was recently hired by a Panamanian telecom that lost $110,000 to phreakers. TSTF followed tracks, in vain, that snaked through Bulgaria, Canada, Costa Rica, Hong Kong and the United States. Phreaker trails are “way too complicated” to track successfully, says Gadaix.’

This brings up memories of the Edwin Pena case, in which he was able to rake in over $1 million USD in profits from stealing and reselling VoIP minutes from several providers.

Does anyone know for sure how these VoIP provider gateways are being broken into? Default passwords? Well known vulnerabilities in the operating system? Stolen access codes?

New VoIP Phishing Scheme

Thursday, March 8th, 2007 by David Endler

Brian Krebs from the Washington Post reports on a new VoIP Phishing (Vishing) scheme targeting Bank of America customers. The scam appears as an official-looking Bank of America email and tries to convince the victim to dial a toll-free number to sort out some account problems. Once the victim dials that number, they’re prompted to enter in their account number and secret PIN number. The evil doers are then able to easily access the bogus system and reconstruct all of the numbers you entered. Much like how traditional email phishing attacks flourished in the last couple of years, I absolutely believe that VoIP Phishing scams will skyrocket this year.

For some background, there was a compelling presentation at last year’s BlackHat security conference by Jay Schulman, entitled Phishing with Asterisk (PDF). In his presentation, Jay showed how easy it was for attackers to use Asterisk PBX to set up a spoofed banking automated attendant and route all calls to a toll free number through to that PBX. Additionally, Mark Collier and I devoted an entire chapter to VoIP Phishing in our book, Hacking Exposed: VoIP.

I’ve included a snapshot below of one of the first VoIP Phishing emails targeting PayPal that emerged last year that we showcased in our book.

Tell Me Your PIN, So I Can Go Shopping

Friday, December 15th, 2006 by Martyn Davies

Martin Geddes at Telepocalypse raises an interesting point that has bothered me also, which comes back to the security of phones, and the ability for hackers to pass themselves off as legitimate organisations, such as your own bank. Today, the problem is that there is no way an inbound call can ever be secure, because any Caller ID number you receive could be faked, and many outbound call centres withhold the number anyway. Also, with technology like Asterisk servers and IVRs with synthesized speech, it is quite possible to build a reasonable facsimile of your bank at a very low cost.

I have a card that I usually service online, and it is very rare that I ever need to call-up one of the call centres to speak to anyone. So recently when I received a call out-of-the-blue on my cellphone, I was surprised to be addressed by a synthesized voice. Knowing, as I do, that such things can cheaply be rigged-up using a regular PC (and perhaps Asterisk), I was not inclined to trust the call, or enter any of the bank security details it was asking for. I hung up on it, whereupon it called back a number of times before I drove into a GSM blackspot, which for the purposes of this discussion we can call Vermont. The repeated calls did nothing to reduce my suspicions.

Like Martin Geddes, when (a couple of days later) I did finally call the number suggested in the synthesized announcement, the operator I spoke to wanted to take security details from me. I explained, as I do in those situations, that this would not be a safe thing to do, as I have just called an unfamiliar number suggested by an automated voice on an inbound call. Fortunately, at least this bank have an answer to that question: there is a telephone number written on the back of the card itself, and he suggested I call that number. Now I can be pretty sure that I’m talking to who I think.

In the long run, I think banks will have to realise that they need to authenticate themselves too, and perhaps we will be able to test callers by getting them to tell us a password too.  Phishing attacks can only increase in the future due to the accessibility of VoIP technology, and part of the counter attack is to teach people how to authenticate callers, before giving up vital security information.

Fraudster Goes to Ground

Saturday, September 16th, 2006 by Martyn Davies

Edwin Pena, the man facing charges over a VoIP fraud, discussed here some months back, has fled, violating his bail conditions.  Information Week has the story here. 

Paris Hilton, hacker extraordinaire?

Monday, August 28th, 2006 by Dustin D. Trammell

SpoofCard.com, a company that sells “enhanced” calling cards providing the ever-so-popular Caller-ID spoofing feature, has recently terminated Paris Hilton’s and 50 other customers’ accounts due to said customers abusing the Caller-ID spoofing feature (go figure) to break into other people’s voice-mail accounts, listen to messages, and even change the targeted users’ greetings:

SpoofCard.com confirmed that Paris Hilton was among the terminated customers, and that Lindsay Lohan was among those whose voicemail accounts were broken into. SpoofCard has put software controls on its network so that customers can no longer use its service to break into the voicemail boxes of Miss Lohan or the other victims it has identified.

Not only is this a poor way to address the security issue, it’s not really even addressing the problem; it’s addressing the symptoms, and in an extremely limited way by only blocking access from their customers to a list of specific users’ voice-mail accounts that have already been targeted. In SpoofCard’s defense however, it probably is the best they can do; it really is the cellular carrier’s problem because they allow users to disable the passcode required to access their voice-mail services, which then defaults to using only Caller-ID information to authenticate the user.

It’s pretty telling of the state of user trust in today’s global telephony system when there are so many businesses that have sprung up around what is essentially a lack of integrity of calling-party information that has been introduced into the system by VoIP and the VoIP-to-PSTN interfaces that they feed their information through. There are still VoIP-to-PSTN service providers that will honor Caller-ID information passed to them by their users and forward it into the PSTN, and there are any number of companies like SpoofCard.com that will provide this service for the average, non-technical consumer.

It’s sad that the general populace can really no longer trust the Caller-ID information that shows up on their phone. Telephony service providers, credit card distribution verification services, banks, and other companies need to realize this as well and stop using Caller-ID information to identify or authenticate their users, and really never should have been in the first place.
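The voice-mail weakness described in this post, shown beside a hardened policy. This is an added example, not code from the post, SpoofCard or any carrier; the Mailbox class, the function names, the lockout threshold and the phone numbers are all constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

MAX_FAILURES = 3  # assumed lockout threshold for this sketch


def _derive(passcode: str, salt: bytes) -> bytes:
    # Store a salted, slow hash of the passcode rather than the passcode itself.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)


@dataclass
class Mailbox:
    owner_number: str
    salt: bytes = b""
    passcode_hash: Optional[bytes] = None  # None: subscriber disabled the passcode
    failures: int = 0


def new_mailbox(number: str, passcode: Optional[str] = None) -> Mailbox:
    salt = os.urandom(16)
    return Mailbox(number, salt, _derive(passcode, salt) if passcode else None)


def _passcode_ok(box: Mailbox, entered: Optional[str]) -> bool:
    # Refuse when no passcode exists, none was entered, or the box is locked out.
    if box.passcode_hash is None or entered is None or box.failures >= MAX_FAILURES:
        return False
    ok = hmac.compare_digest(_derive(entered, box.salt), box.passcode_hash)
    box.failures = 0 if ok else box.failures + 1
    return ok


def weak_access(box: Mailbox, caller_id: str, entered: Optional[str] = None) -> bool:
    """Behaviour the post describes: with no passcode, Caller-ID alone decides."""
    if box.passcode_hash is None:
        return caller_id == box.owner_number  # caller-supplied, unauthenticated value
    return _passcode_ok(box, entered)


def hardened_access(box: Mailbox, caller_id: str, entered: Optional[str] = None) -> bool:
    """Caller-ID is ignored as a credential; a mailbox with no passcode stays closed."""
    return _passcode_ok(box, entered)
```

Under the weak policy a call that merely presents the owner's number is indistinguishable from the owner; under the hardened policy the presented number has no effect on the decision.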

Traditional Telco vs. VoIP Arms Race Beginning?

Monday, July 31st, 2006 by Dustin D. Trammell

New Scientist is reporting today that German company Infineon has recently filed for two patents (1,2) for technology that deliberately interferes with VoIP technology.

The application doesn’t expand on why it would be used. But it could conceivably come in handy for any company that operates both phone and internet services and would like to protect their phone business from the growing popularity of VoIP.

The first of the techniques monitors network traffic to identify voice packets, then injects additional “pseudo-packets” into the communications stream. These packets appear to be part of the media stream but in reality contain nothing useful. The device then creates an artificial bottleneck for packets that it earlier labeled as voice, essentially rate-limiting the mix of real voice packets and “pseudo-packets”, while allowing normal data packets to traverse the device unhindered. The real kicker with this method is that then, the “pseudo-packets” can be filtered back out before the voice traffic exits the device, leaving little indication to external troubleshooters as to what is actually causing the media degradation.

The second of the techniques covers methods of degrading speech sent via a WiFi hot spot.

Repeatedly, Skype has claimed that their protocol and service needs to be stealthy because large service providers who provide both Internet services and traditional telephony services see the Skype service as a threat to their telephony business and regularly try to block the Skype traffic. Also recently, multiple other companies have developed and provided VoIP filtering technologies to Chinese service providers.

If these service providers begin to employ techniques like the ones described above against not just Skype traffic but all VoIP traffic, stealthy protocols like Skype’s may have an advantage over standards-based or community developed protocols, and may begin to foster an arms race between proprietary VoIP products and services and the traditional Telcos.

“Vishing” with war-dialers?

Monday, July 10th, 2006 by Dustin D. Trammell

Apparently removing the email component and adding war-dialers to the mix warrants a new term for VoIP-enabled phishing, now called “vishing.” Secure Computing is reporting a new type of phishing attempt which utilizes war-dialers armed with pre-recorded messages replacing the use of e-mail lure and tackle. By calling unsuspecting people rather than emailing them, the attackers hope to elicit a better response to the seemingly more legitimate lure. You can read more in an article from the IT-Observer here.

Phishing with a VoIP Net

Friday, June 30th, 2006 by Dustin D. Trammell

The Register is reporting on a recent phishing scam targeted specifically at customers of the Santa Barbara Bank & Trust in Southern California. It’s of the variety making use of an IP PBX subscribed to a VoIP to PSTN service so that they can obtain a valid-looking DID number in Southern California. The targets of the scam are initially sent an official looking email asking them to call into the bank at the aforementioned DID number, where they are greeted with an automated voice system requesting that they enter their account number and other personal information.

Net security firm Websense notes that the recorded message does not mention the Santa Barbara Bank & Trust, a sign that the same phone line is potentially being lined up for fraudulent attacks targeting the customers of other online banks or ecommerce firms.

These types of attacks don’t require VoIP technologies to perform or succeed, however the low-cost and relatively easy procurement of both the consumer hardware, software, and VoIP service providing the indial are beginning to make this type of phishing attack much more prevalent.

Blue Box Podcast #31 - VoIP Fraud discussion, CALEA tutorial/commentary, VoIP security news and more

Tuesday, June 27th, 2006 by Dan York

Blue Box Podcast #31 is now available for download. In this show, Jonathan and I spend a block of time discussing the recent Pena/Moore VoIP fraud case and another large block of time discussing the recent FCC decision around the application of CALEA to VoIP service providers. We also have our regular discussion of VoIP security news, comments from listeners and more.