[VOIPSEC] SPIT and vishing

Dan York dyork at voxeo.com
Thu Jul 17 11:35:29 CDT 2008


Thijs,

Welcome to the VOIPSEC list and it's great that you are doing research  
in this field.  More research is definitely needed.  To that end, you  
may find some great sources of information from the recent IPTCOMM  
event in Heidelberg, Germany:

   http://www.iptcomm.org/

The attendees included a huge number of the leading researchers in the  
field. The program schedule is here:

   http://www.iptcomm.org/page14/page14.html

The presentations were all put up yesterday at:

   http://www.iptcomm.org/page15/page15.html

I don't see anything in there specific to botnets or SPIT, per se, but  
all of them are dealing with VoIP security.

As to some of your specific questions, my comments are inline:

On Jul 17, 2008, at 10:03 AM, Thijs van Esveld wrote:

> Thank you Tobias,
>
> The only proof I found about a VoIP botnet is probably the same PoC as the
> one you know of.

IMHO, we won't see serious botnets targeted at SIP until there is a  
viable market for that to happen.  Right now, how many actual SIP  
servers are exposed on the public Internet?  How many actual SIP  
proxies are waiting on the public Internet to accept SIP connections?   
Yes, the numbers are increasing...  but still, what are we talking?
Hundreds? Thousands? As much as I'm a huge proponent (and user) of  
SIP, I somehow don't think we are talking about 10s of thousands of  
Internet-exposed SIP proxy servers.  (Maybe we are.... please tell me  
I'm wrong... I'd love to be wrong on this one.)  Sure, there are  
probably tens of thousands of SIP endpoints (phones, softphones) out  
there (maybe more?), but how many are exposed to the open Internet?

A botnet needs *targets* to justify the time spent on creation... and  
in my opinion we're not there yet.

If we think of the motivation of running a botnet, off the top of my  
head, I can think of two main use cases:

1. DDOS - you want to take down someone's service, either for revenge,  
for fun or because you're being paid by someone else to do so (or  
you're going to try to get the company to pay you to stop).  So for  
SIP, you want to kill someone's ability to make/receive calls.  So you  
launch a massive DDoS against the SIP proxy on the network edge.  Ta  
da... the SIP proxy is completely occupied dealing with bogus requests  
and calls can't go out.

2. SPAM/SPIT - you want to flood someone's phone system with voice  
spam/SPIT and want it to originate from many endpoints so that it  
can't be easily stopped or traced.  So you have bots open up SIP  
connections and start streaming audio to anyone who answers.

In both cases, you need to have SIP servers that you can attack.   
Sure, they are out there, but I would argue that they aren't *yet*  
plentiful enough to justify someone spending the time to create a  
botnet.  Most research has found that botnets are all financially  
motivated at this stage in time... and I don't see the
return-on-investment yet for someone wanting to build a SIP-focused botnet.  The
time *will* come, though.


Likewise, to your general question about SPIT, I don't think we'll see  
it until you can have the equivalent random connections between SIP  
endpoints that we have on the PSTN.  Think about it.  There are  
something like 3,000 people on this mailing list... probably 3 of us  
can actually receive a SIP call from another random SIP endpoint.  (I  
can - sip:dyork at corpsip.voxeo.com )  Maybe with this VoIP-centric list  
it might be 10 people... maybe 50... but regardless, it's not many,  
and certainly isn't a viable market for someone to set up a large SPIT  
operation.

Most of the SIP connections from enterprises are out to SIP service  
providers and they are all authenticated (or *should* be).  The  
enterprise SIP proxy will only allow connections from the SIP service  
provider and no one else. Or SIP proxies might allow connections in  
from specific IP addresses.  In any case, it *won't* accept  
connections from random SIP endpoints out there.

The reality is that while I may have a SIP infrastructure in my  
company and you may have one in yours, for us to communicate to each  
other, we're still going through SIP service providers and across the  
PSTN.  The PSTN serves as a de facto firewall between us.

This will change.  More and more people are looking at how to link up  
their SIP clouds in federations and other forms.  But until the time  
comes when: a) there are tons of SIP servers exposed on the Internet;  
and b) those servers allow connections from random SIP endpoints...  
until that time, there's not a huge market potential for someone to   
bother setting up a SPIT operation.

> I combined your definition of vishing with mine and I think it now covers
> the subject way better, I will only focus on vishing with the help of VoIP.

The linguist in me truly detests the word "vishing", but we are  
probably stuck with it.  I agree with Tobias' definition. Vishing is  
trying to get sensitive data by using voice technologies vs.
email/websites.  To me, "vishing" is simply another modality of
"phishing"... adding voice into the mix of email and websites... and  
often used together.  For example, you get an email that looks like it  
is from your bank saying that you urgently need to contact your bank  
fraud department and asking you to call this phone number.  You call  
that number and get an IVR system that *sounds* like your bank  
(because the attacker probably recorded all the prompts in your bank's  
IVR tree).  You go through the prompts... perhaps even talk to  
someone... and ultimately give away your info.

> Do you people here at VOIPSA think we will be ready for the SPIT problem
> when the big wave hits the world very soon? For what I've been reading and
> thinking about a worst case scenario, where a current botnet herder manages
> to make his botnet (for example Srizbi) send SPIT as well, it would result in
> utter chaos.


As I note above, I think we're a ways out until there are enough SIP  
servers out there on the public Internet to justify a botherder  
bothering to spend any time on it.  They are making way too much money  
right now spewing out email spam or executing DDoS attacks.  Why  
bother going from that to something where there are so few targets?   
(Especially when, for a basic DoS attack on a SIP server, you could  
just use a regular network DDoS botnet attack.)  Until there are  
masses of targets, I don't see it happening.

Will we be ready when we do get to that point?  I hope so... that's  
one of the reasons why there is a huge amount of work going on in the  
IETF right now around the area of "strong identity".  Most of us view  
that as one of the key building blocks in combatting SPIT.  We'll see.

Hope this helps... best wishes with your research,
Dan

-- 
Dan York, CISSP, Director of Emerging Communication Technology
Office of the CTO    Voxeo Corporation     dyork at voxeo.com
Phone: +1-407-455-5859  Skype: danyork  http://www.voxeo.com
Blogs: http://blogs.voxeo.com  http://www.disruptivetelephony.com

Build voice applications based on open standards.
Find out how at http://www.voxeo.com/free
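
[Added example, not part of the original post or of any product it mentions:
a sketch of the edge admission policy the message describes, where the
enterprise SIP proxy accepts requests only from the SIP service provider
(authenticated) or from specific IP addresses and refuses random endpoints.
The address ranges, function names and sample INVITE are assumptions
constructed for illustration.]

```python
import ipaddress

# Assumed policy (hypothetical values, RFC 5737 documentation ranges):
TRUNK_NETS = [ipaddress.ip_network("198.51.100.0/28")]   # SIP service provider
PEER_ADDRS = {ipaddress.ip_address("203.0.113.7")}       # one allowlisted peer

def parse_request(raw):
    """Split a SIP request into (method, request_uri, headers)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        raise ValueError("not a SIP request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def admit(src_ip, raw):
    """Decide what the edge proxy does with a request from src_ip."""
    try:
        _method, _uri, headers = parse_request(raw)
    except ValueError:
        return "reject-400"
    addr = ipaddress.ip_address(src_ip)
    if addr in PEER_ADDRS:
        return "accept"                      # allowed by specific IP address
    if any(addr in net for net in TRUNK_NETS):
        # Provider traffic must also carry credentials. Only their presence
        # is checked here; verifying the digest is left to the proxy's auth.
        auth = headers.get("proxy-authorization", "")
        return "accept" if auth.lower().startswith("digest ") else "challenge-407"
    return "reject-403"                      # random endpoint on the Internet

def sample_invite(auth=None):
    """Constructed INVITE for the demonstration (not captured traffic)."""
    lines = ["INVITE sip:bob@example.com SIP/2.0",
             "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
             "From: <sip:alice@example.net>;tag=1928301774",
             "To: <sip:bob@example.com>",
             "Call-ID: a84b4c76e66710", "CSeq: 1 INVITE", "Content-Length: 0"]
    if auth:
        lines.append("Proxy-Authorization: " + auth)
    return "\r\n".join(lines) + "\r\n\r\n"

if __name__ == "__main__":
    for src in ("203.0.113.7", "198.51.100.5", "192.0.2.99"):
        print(src, admit(src, sample_invite()))
```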








