[VOIPSEC] VoIP and Fraud
Geoff Devine
gdevine at cedarpointcom.com
Mon Feb 14 21:50:53 CST 2005
Mark Fletcher fletch at nortel.com writes:
> There are many potential areas, but one that concerns me is the ability for
> a user to easily spoof their Caller ID. Typically this has only been
> available to administrators of a PBX with PRI circuits. Many call this
> 'security via obscurity'. By spoofing CLID, a caller could raise havoc with
> Emergency Services and the national E9-1-1 system, or use a spoofed CLID to
> socially engineer people into giving up personal information.
The issue here is that endpoints can't be trusted. Endpoints can only be authenticated. A PBX running Primary Rate ISDN is quite different from a mass market subscriber SIP endpoint somewhere out there in the world. You should not _trust_ that device to give you accurate CallerID. The device is portable so you should use its routable IP address to obtain physical location rather than _trust_ it to tell you where it is. To create a secure service, you can't blindly pass SIP messages around as a lightweight SIP Proxy. You have to adopt a more hardened Back2Back User Agent model where you understand exactly what the endpoint is signaling and have the abilty to police the signaling.
Geoff
More information about the Voipsec
mailing list