Archive for the 'VoIP Attacks in the News' Category

New VoIP Phishing Scheme

Thursday, March 8th, 2007 by

Brian Krebs of the Washington Post reports on a new VoIP phishing ("vishing") scheme targeting Bank of America customers. The scam arrives as an official-looking Bank of America email that tries to convince the victim to dial a toll-free number to sort out some account problem. Once the victim dials that number, an automated system prompts them to enter their account number and PIN. Since the attackers run that bogus system, they simply capture every digit the victim keys in and reconstruct the account credentials at their leisure. Much like traditional email phishing attacks flourished over the last couple of years, I absolutely believe that VoIP phishing scams will skyrocket this year.

For some background, there was a compelling presentation at last year’s BlackHat security conference by Jay Schulman, entitled Phishing with Asterisk (PDF). In his presentation, Jay showed how easy it is for an attacker to use the Asterisk PBX to set up a spoofed banking automated attendant and route all calls to a toll-free number through to that PBX. Additionally, Mark Collier and I devoted an entire chapter to VoIP phishing in our book, Hacking Exposed: VoIP.

I’ve included a snapshot below of one of the first VoIP phishing emails targeting PayPal that emerged last year, which we showcased in our book.

Tell Me Your PIN, So I Can Go Shopping

Friday, December 15th, 2006 by

Martin Geddes at Telepocalypse raises an interesting point that has bothered me as well, which comes back to the security of phones and the ability of attackers to pass themselves off as legitimate organisations, such as your own bank. Today, the problem is that there is no way an inbound call can ever be secure, because any Caller ID number you receive could be faked, and many outbound call centres withhold the number anyway. Also, with technology like Asterisk servers and IVRs with synthesized speech, it is quite possible to build a reasonable facsimile of your bank at very low cost.

I have a card that I usually service online, and it is very rare that I ever need to call up one of the call centres to speak to anyone. So recently, when I received a call out of the blue on my cellphone, I was surprised to be addressed by a synthesized voice. Knowing, as I do, that such things can cheaply be rigged up using a regular PC (and perhaps Asterisk), I was not inclined to trust the call or enter any of the bank security details it was asking for. I hung up on it, whereupon it called back a number of times before I drove into a GSM blackspot, which for the purposes of this discussion we can call Vermont. The repeated calls did nothing to reduce my suspicions.

Like Martin Geddes, when (a couple of days later) I did finally call the number suggested in the synthesized announcement, the operator I spoke to wanted to take security details from me. I explained, as I do in those situations, that this would not be a safe thing to do, as I had just called an unfamiliar number suggested by an automated voice on an inbound call. Fortunately, at least this bank has an answer to that question: there is a telephone number written on the back of the card itself, and he suggested I call that number. Now I can be pretty sure that I am talking to whom I think I am.

In the long run, I think banks will have to realise that they need to authenticate themselves too, and perhaps we will be able to test callers by getting them to tell us a password as well. Phishing attacks can only increase in the future due to the accessibility of VoIP technology, and part of the counter-attack is to teach people how to authenticate callers before giving up vital security information.

Fraudster Goes to Ground

Saturday, September 16th, 2006 by

Edwin Pena, the man facing charges over a VoIP fraud, discussed here some months back, has fled, violating his bail conditions.  Information Week has the story here. 

Paris Hilton, hacker extraordinaire?

Monday, August 28th, 2006 by

SpoofCard.com, a company that sells “enhanced” calling cards providing the ever-so-popular Caller-ID spoofing feature, has recently terminated Paris Hilton’s and 50 other customers’ accounts because those customers abused the Caller-ID spoofing feature (go figure) to break into other people’s voice-mail accounts, listen to messages, and even change the targeted users’ greetings:

SpoofCard.com confirmed that Paris Hilton was among the terminated customers, and that Lindsay Lohan was among those whose voicemail accounts were broken into. SpoofCard has put software controls on its network so that customers can no longer use its service to break into the voicemail boxes of Miss Lohan or the other victims it has identified.

Not only is this a poor way to address the security issue, it does not really address the problem at all; it addresses the symptoms, and in an extremely limited way, by blocking SpoofCard’s own customers from a list of specific voice-mail accounts that have already been targeted. In SpoofCard’s defense, however, it is probably the best they can do. The problem really belongs to the cellular carriers: they allow users to disable the passcode required to access voice-mail, at which point the service falls back to using only Caller-ID information to authenticate the user, and Caller-ID is a presentation field asserted by the calling party, not a credential.

It’s pretty telling of the state of user trust in today’s global telephony system that so many businesses have sprung up around what is essentially a lack of integrity of calling-party information, a weakness introduced into the system by VoIP and by the VoIP-to-PSTN interfaces through which that information is fed. There are still VoIP-to-PSTN service providers that will honor whatever Caller-ID information their users pass to them and forward it into the PSTN, and there are any number of companies like SpoofCard.com that will provide this as a service to the average, non-technical consumer.

It’s sad that the general populace can really no longer trust the Caller-ID information that shows up on their phone. Telephony service providers, credit card distribution verification services, banks, and other companies need to realize this as well and stop using Caller-ID information to identify or authenticate their users; they really never should have been doing so in the first place.
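The two weak links the post describes, a VoIP-to-PSTN gateway that honors whatever calling number its customer sends, and a voice-mail platform that falls back to Caller-ID when the PIN is switched off, can be shown side by side with their corrected forms. The following is an added example and not code from the original post, from SpoofCard or from any carrier; the SIP INVITE, the trunk account table, the mailbox table and the helper names (parse_sip_headers, screen_calling_number, voicemail_login) are all constructed here for illustration.

```python
"""Caller-ID screening at a VoIP-to-PSTN gateway, and voice-mail access that
must not rely on Caller-ID alone.

Added example, not code from the original post, from SpoofCard or from any
carrier.  The SIP INVITE, the trunk account table, the mailbox table and the
helper names (parse_sip_headers, screen_calling_number, voicemail_login) are
all constructed here for illustration.
"""
import re
from typing import Dict, Optional

# Constructed sample: a customer trunk at 203.0.113.10 sends an INVITE whose
# From header claims the victim's own mobile number.  Nothing in SIP stops a
# caller from writing any value into From; only gateway policy decides whether
# that value is honored and forwarded into the PSTN as the calling number.
SPOOFED_INVITE = (
    "INVITE sip:+15551234567@vm.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: \"Victim Mobile\" <sip:+15551234567@203.0.113.10>;tag=1928301774\r\n"
    "To: <sip:+15551234567@vm.example.net>\r\n"
    "Call-ID: a84b4c76e66710@203.0.113.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:caller@203.0.113.10>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed provisioning: the numbers each customer trunk is entitled to present.
ACCOUNTS = {
    "203.0.113.10": {
        "allowed_cli": {"+15559990000", "+15559990001"},
        "default_cli": "+15559990000",
    },
}

# Constructed voice-mail subscribers: mailbox number -> (PIN, PIN required?).
# The victim has switched the PIN off, as the carriers in the post allow.
MAILBOXES = {"+15551234567": ("4321", False)}


def parse_sip_headers(msg: str) -> Dict[str, str]:
    """Return the SIP headers as a lowercase-keyed dict (first value wins)."""
    head = msg.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def calling_number(headers: Dict[str, str]) -> Optional[str]:
    """Extract the E.164 user part of the From header, if there is one."""
    m = re.search(r"sip:(\+?\d+)@", headers.get("from", ""))
    return m.group(1) if m else None


def screen_calling_number(src_ip: str, headers: Dict[str, str], honor_from: bool) -> str:
    """Pick the calling number the gateway forwards into the PSTN.

    honor_from=True is the weak behaviour the post describes: forward whatever
    the customer sent.  honor_from=False keeps the claimed number only if it is
    in the trunk's provisioned set and otherwise substitutes the account default.
    """
    claimed = calling_number(headers)
    acct = ACCOUNTS[src_ip]
    if honor_from:
        return claimed or acct["default_cli"]
    if claimed in acct["allowed_cli"]:
        return claimed
    return acct["default_cli"]


def voicemail_login(presented_cli: str, mailbox: str, pin: Optional[str],
                    always_require_pin: bool) -> bool:
    """Voice-mail access decision.

    A correct PIN always works.  Without one, access is granted only when the
    platform is allowed to fall back to Caller-ID (the carrier behaviour the
    post criticises) and the presented number matches the mailbox.
    """
    stored_pin, pin_required = MAILBOXES[mailbox]
    if pin is not None:
        return pin == stored_pin
    if always_require_pin or pin_required:
        return False
    return presented_cli == mailbox          # Caller-ID-only authentication


def demo() -> Dict[str, object]:
    """Run the spoofed INVITE through both gateway policies and both mailbox policies."""
    hdrs = parse_sip_headers(SPOOFED_INVITE)
    weak_cli = screen_calling_number("203.0.113.10", hdrs, honor_from=True)
    screened_cli = screen_calling_number("203.0.113.10", hdrs, honor_from=False)
    mailbox = "+15551234567"
    return {
        "weak_gateway_cli": weak_cli,              # spoofed number leaks into the PSTN
        "screened_cli": screened_cli,              # replaced by the trunk's own number
        "weak_vm_access": voicemail_login(weak_cli, mailbox, None, False),
        "screened_vm_access": voicemail_login(screened_cli, mailbox, None, False),
        "hardened_vm_access": voicemail_login(weak_cli, mailbox, None, True),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Either fix on its own closes the hole shown here: a gateway that screens the calling number against what the trunk is provisioned to present stops the spoof before it reaches the PSTN, and a voice-mail platform that never treats Caller-ID as a credential is safe even when an upstream gateway does not screen. The hardened mailbox policy is the one a carrier controls entirely, which is why the post lays the problem at the carrier's door.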

Traditional Telco vs. VoIP Arms Race Beginning?

Monday, July 31st, 2006 by

New Scientist is reporting today that the German company Infineon has recently filed for two patents (1, 2) on technology that deliberately interferes with VoIP traffic.

The application doesn’t expand on why it would be used. But it could conceivably come in handy for any company that operates both phone and internet services and would like to protect their phone business from the growing popularity of VoIP.

The first technique monitors network traffic to identify voice packets, then injects additional “pseudo-packets” into the media stream. These packets look like part of the stream but carry nothing useful. The device then creates an artificial bottleneck for the packets it has labelled as voice, in effect rate-limiting the combined stream of real voice packets and pseudo-packets, while ordinary data packets traverse the device unhindered. The real kicker is that the pseudo-packets are filtered back out before the voice traffic leaves the device, so an external troubleshooter sees only the resulting loss and jitter on the call and has little indication of what is actually causing the degradation.

The second of the techniques covers methods of degrading speech sent via a WiFi hot spot.
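The first technique is easier to reason about when its three parts (classify voice, throttle a padded voice class, strip the padding before egress) are run over a constructed packet stream and scored the way a downstream observer would score them. The model below is an added example, not code from the original post, from Infineon or from the patent filings, whose exact mechanics are not reproduced here; the packet layout, the RTP heuristic used as the classifier, the token-bucket numbers and the interleaved test stream are assumptions chosen so the effect shows up in a hundred packets.

```python
"""Model of the 'pseudo-packet' VoIP degradation technique described above.

Added example, not code from the original post, from Infineon or from the patent
filings, whose exact mechanics are not public here.  The packet layout, the
voice classifier, the token-bucket numbers and the interleaved test stream are
assumptions chosen to make the effect visible in a few dozen packets.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Packet:
    t_ms: float      # arrival time in milliseconds
    payload: bytes
    kind: str        # ground truth ("voice", "data", "pseudo"), used only for scoring


def rtp_header(seq: int, ts: int, ssrc: int = 0xDEADBEEF, pt: int = 0) -> bytes:
    """Minimal RFC 3550 fixed header: V=2, P=0, X=0, CC=0, M=0, payload type pt."""
    return struct.pack("!BBHII", 0x80, pt & 0x7F, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc)


def looks_like_voice(payload: bytes) -> bool:
    """The kind of heuristic classifier the patent relies on: RTP version 2,
    G.711 payload type (0 PCMU / 8 PCMA) and a 20 ms frame (12 + 160 bytes)."""
    if len(payload) != 172:
        return False
    return (payload[0] >> 6) == 2 and (payload[1] & 0x7F) in (0, 8)


def build_stream(n_voice: int = 100, n_data: int = 100) -> List[Packet]:
    """Constructed input: one G.711 call (a packet every 20 ms) interleaved with
    1400-byte bulk data packets, also every 20 ms, offset by 10 ms."""
    pkts = [Packet(i * 20.0, rtp_header(i, i * 160) + bytes(160), "voice") for i in range(n_voice)]
    pkts += [Packet(i * 20.0 + 10.0, b"\x45" + bytes(1399), "data") for i in range(n_data)]
    return sorted(pkts, key=lambda p: p.t_ms)


class DegradingBox:
    """Classify, inject pseudo-packets ahead of each voice packet, throttle the
    voice class with a token bucket, pass data untouched, and strip the
    pseudo-packets before egress so the outside world only sees the loss."""

    def __init__(self, pseudo_per_voice: int, rate_pkts_per_ms: float, burst: float):
        self.pseudo_per_voice = pseudo_per_voice
        self.rate, self.burst = rate_pkts_per_ms, burst
        self.tokens, self.last_t = burst, 0.0
        self.dropped_voice = self.dropped_pseudo = 0

    def _take_token(self, t_ms: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (t_ms - self.last_t) * self.rate)
        self.last_t = t_ms
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def forward(self, pkts: List[Packet]) -> List[Packet]:
        out: List[Packet] = []
        for p in pkts:
            if not looks_like_voice(p.payload):
                out.append(p)                      # data bypasses the bottleneck
                continue
            queue = [Packet(p.t_ms, p.payload, "pseudo")] * self.pseudo_per_voice + [p]
            for q in queue:                        # pseudo-packets compete for tokens first
                if self._take_token(q.t_ms):
                    if q.kind != "pseudo":
                        out.append(q)              # pseudo-packets are filtered out here
                elif q.kind == "pseudo":
                    self.dropped_pseudo += 1
                else:
                    self.dropped_voice += 1
        return out


def run(pseudo_per_voice: int = 1) -> Dict[str, object]:
    """Score what an observer downstream of the box would measure.
    Rate 0.08 pkt/ms = 80 pkt/s, comfortably above the call's own 50 pkt/s."""
    stream = build_stream()
    box = DegradingBox(pseudo_per_voice, rate_pkts_per_ms=0.08, burst=2.0)
    out = box.forward(stream)
    n_voice = sum(1 for p in stream if p.kind == "voice")
    n_data = len(stream) - n_voice
    data_out = sum(1 for p in out if p.kind == "data")
    return {
        "voice_loss_pct": 100.0 * box.dropped_voice / n_voice,
        "data_loss_pct": 100.0 * (n_data - data_out) / n_data,
        "pseudo_visible_at_egress": any(p.kind == "pseudo" for p in out),
    }


if __name__ == "__main__":
    print("without injection:", run(0))
    print("with one pseudo-packet per voice packet:", run(1))
```

With no injection the bucket refills faster than the call drains it and nothing is lost; with a single pseudo-packet queued ahead of each real one, the same bucket drops roughly every other voice packet while the data packets, which never enter the bucket, arrive intact and no pseudo-packet is ever seen at egress. That asymmetry is exactly what makes the technique hard to troubleshoot from outside: a capture taken downstream shows a healthy data flow and a lossy call, with nothing in between to explain it.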

Skype has repeatedly claimed that its protocol and service need to be stealthy because large service providers that offer both Internet and traditional telephony services see Skype as a threat to their telephony business and regularly try to block its traffic. Recently, several other companies have also developed and supplied VoIP filtering technologies to Chinese service providers.

If these service providers begin to employ techniques like the ones described above against not just Skype traffic but all VoIP traffic, stealthy protocols like Skype’s may have an advantage over standards-based or community-developed protocols, and this may foster an arms race between proprietary VoIP products and services and the traditional telcos.

“Vishing” with war-dialers?

Monday, July 10th, 2006 by

Apparently, removing the email component and adding war-dialers to the mix warrants a new term for VoIP-enabled phishing, now called “vishing.” Secure Computing is reporting a new type of phishing attempt that replaces the e-mail lure with war-dialers armed with pre-recorded messages. By calling unsuspecting people rather than emailing them, the attackers hope that the seemingly more legitimate lure will elicit a better response. You can read more in an article from the IT-Observer here.

Phishing with a VoIP Net

Friday, June 30th, 2006 by

The Register is reporting on a recent phishing scam targeted specifically at customers of the Santa Barbara Bank & Trust in Southern California. It is of the variety that uses an IP PBX subscribed to a VoIP-to-PSTN service so that the attackers can obtain a valid-looking DID (direct inward dialing) number in Southern California. The targets of the scam are first sent an official-looking email asking them to call the bank at that DID number, where they are greeted by an automated voice system requesting their account number and other personal information.

Net security firm Websense notes that the recorded message does not mention the Santa Barbara Bank & Trust, a sign that the same phone line is potentially being lined up for fraudulent attacks targeting the customers of other online banks or ecommerce firms.

These attacks do not require VoIP technology to perform or succeed; however, the low cost and relatively easy procurement of the consumer hardware, the software, and a VoIP service supplying the inbound number are beginning to make this type of phishing attack much more prevalent.

Blue Box Podcast #31 – VoIP Fraud discussion, CALEA tutorial/commentary, VoIP security news and more

Tuesday, June 27th, 2006 by

Blue Box Podcast #31 is now available for download. In this show, Jonathan and I spend a block of time discussing the recent Pena/Moore VoIP fraud case and another large block of time discussing the recent FCC decision around the application of CALEA to VoIP service providers. We also have our regular discussion of VoIP security news, comments from listeners and more.

Cable VoIP in the news

Sunday, June 18th, 2006 by

Cable Hastens Telco Phone Line Losses

Cable Digital News, who recently sold themselves to the parent of Light Reading, recently put up an interesting article saying that cable now has 62% of the 6 million customer residential VoIP market, up from 52% a year ago. The telcos have been seeing an erosion north of 8 million lines per year and claim to be reducing the churn to closer to 6 million this year. I scratch my head at that one. I see the trend going in the other direction now that Comcast and Charter have launched cable VoIP products in most of their footprint. That’s almost 50% of the US market that didn’t have a cable VoIP option a year ago. I see the churn to cellular-only picking up speed, too.

The article couldn’t resist taking a pot shot at Vonage… the poster child of failed IPOs.  Like everybody else, I’ve been watching it crater.  The FCC news this week that Vonage is going to be required to pay into Universal Service Fund just further erodes their price advantage against the telco wireline product and the cable VoIP product.  This after rulings about CALEA and 911 requirements.  I think the company will end up being worth their cash plus about $100 per subscriber. 

It’s unfortunate that the lay person now thinks VoIP == Vonage and the brand is associated with low quality and a gigantic stock market failure. The cable VoIP product has quality parity with the telco wireline product. It just goes to show that if you set out to build a quality product rather than take advantage of regulatory arbitrage, you end up winning in the end.

An interesting factoid I’ve picked up recently is that when cable companies sell or trade properties to other cable operators, they value each customer who takes their VoIP product $1000 more than one who doesn’t.  I think this is going to be a big incentive for cable operators to roll out VoIP in their smaller markets since those are the properties that tend to be traded around frequently.  I’ll refrain from talking about my own company but Nortel just announced a scaled down version of their product called the CS 1500 that is clearly targeted at smaller markets. 

Obligatory mention of VoIP Security:

I’ve found myself deluged both from executives within my company and from the cable-oriented trade press about the Net2Phone theft of service hacker case. There were all kinds of rumors flying around that our product was somehow involved. I had to run through the litany of layers of security that protect cable VoIP.

  • DOCSIS is encrypted with 56-bit DES
  • Cable modem chips can only listen on the downstream.  You need a $10K piece of test equipment to sniff the upstream
  • The media terminal adapter (MTA) has a digital certificate burned into it
  • The MTA authenticates with a Kerberos Key Distribution Center as part of the boot & provisioning sequence
  • The MTA is bound to a single Cable Modem Termination System so a cloned MTA will only work in a small geographical area
  • PacketCable Softswitches sit behind firewalls
  • Nobody turns on signaling or media security today but all the products support it and are conformance tested at CableLabs
  • With a simple port blocking strategy, you could make the Softswitch and MTA invisible on their signaling port

I did get extensively quoted in one article but they misspelled my name. So far, I’ve only consumed a few nanoseconds of my 15 minutes of fame.

Business Week: Is Your VoIP Phone Vulnerable?

Tuesday, June 13th, 2006 by

This morning Business Week weighed in on the ongoing Pena/Moore story with their article “Is Your VoIP Phone Vulnerable?” Given that the article covers mostly familiar ground (and, like most articles in the mainstream press, brings up the fear of SPIT), the significance to me is not so much the content as the fact that it is in Business Week, which is well read and highly regarded within at least North American corporate leadership. I do agree with the conclusion:

Businesses would do well to consider the threats on the front end, given how fast VoIP adoption is growing. Although only 5% deploy VoIP companywide, 87% of companies are using VoIP in some capacity. Numbers like that may be too alluring for hackers to pass up.

Security should definitely be considered as part of a VoIP rollout plan – and you definitely need to be asking your vendor / reseller about the security of the VoIP system you are looking to implement.

The challenging part about this article – and most others I have seen on the subject in recent days – is that it lumps everything into a broad “VoIP” category while the reality is that there are definite differences between enterprise VoIP systems and the consumer / wholesale VoIP market. Now I don’t personally work in the consumer/carrier/service provider space, so I can’t really speak to that space, but I do see more and more “VoIP providers” popping up offering wholesale termination services. From an outsider’s point-of-view, it looks a bit Wild West-ish and in that cauldron of competition, I could easily see some newer entities overlooking security in the rush for the gold. However, through communication among VOIPSA members, I know that there are certainly service providers who do have a clue and are offering secure services. Unfortunately all get tarred with the same brush.

That same brush in articles like this unfortunately tars all of us on the corporate enterprise side as well. And I suppose the same “Wild West” image could be applied to a certain limited degree given the number of small startups launching various IP-PBXs. But that’s not the overall reality. While many of those new entrants are thriving, most corporate enterprises are still buying their phone systems from a limited range of vendors: 3Com, Alcatel, Avaya, Cisco, Mitel, NEC, Nortel, Polycom, Siemens… and probably a few others who I am forgetting right now. The point is, though, that within the enterprise market almost all of us are offering VoIP systems that do provide security against many if not most or all of the threats outlined in the VOIP Security Threat Taxonomy (some of those vulnerabilities lie in the corporate network and so there is only so much we as vendors can do). Now each one of us will of course have our own reasons why our security is better than our competitors’, and some are offering more security than others, but the point is that we do provide secure VoIP.

The challenge is that to those of us on the inside, the “VoIP industry” is this large space with lots of different segments and players. We can see the differences I outline (and many more). But to the larger business world, Voice over IP in general is so new that everything gets labelled as “VoIP”. That will change over time… and really it falls to organizations like VOIPSA and others to help in that education.

In the meantime, articles like this one in Business Week will hopefully at least cause business to ask questions about the security of their VoIP products – and VoIP services. To me, that’s a good thing.

[Full disclosure: I work at Mitel.]