[VOIPSEC] Voipsec Digest, Vol 46, Issue 11

Dustin D. Trammell dtrammell at bpointsys.com
Mon Oct 27 11:12:51 CDT 2008


On Sat, 2008-10-25 at 16:03 +0100, Frank Leonhardt wrote:
> >Dustin D. Trammell writes:
> >> Consider the scenario where an attacker wants to DoS Bob specifically.
> >> Rather than attack the endpoint technology, or even the VoIP
> >> infrastructure, it's far easier to simply attack the user themselves.
> >> Send a call once every 2-5 minutes.
> <snip>
> >
> >Geoff Devine replied:
> >This is why users have access to a malicious call trace feature.  In the
> >good 'ol days, the network always knew the identity of the caller.  With
> >VoIP, it's now possible to spoof your identity and the network at the VoIP
> >to TDM boundary does not enforce any kind of identity checking.  In
> >particular, 'calling party number' on a Primary Rate ISDN SETUP message
> >isn't checked by anybody I've ever experimented with and I've been around
> >Primary Rate for 20 years.  This never used to be a problem since all PRI
> >interfaces had a contract between a corporation (for their PBX) and a
> >service provider.  I've never had the opportunity to experiment on a live
> >SS#7 network but the same problem exists there.  That interface is now being
> >used to bridge VoIP to the PSTN.  I view this as a public policy issue.  If
> >you are a VoIP service provider, malicious call trace has to work.  If you
> >allow your customers to spoof their identity, the FCC should be empowered to
> >pull the plug on your interface to the PSTN.  If that means that as a VoIP
> >service provider, you need to give every customer a piece of hardware to
> >create a digital certificate that validates their identity before making a
> >phone call, so be it.

Unfortunately, the act of spoofing your Caller-ID information isn't
illegal in the States, so the FCC can't really do much about it.  I've
been following the Truth in Caller-ID Act[1] (originally of 2006) since
its inception.  It didn't make it through the 109th (2005-2006)
Congress and was reintroduced at the beginning of the current 110th
(2007-2008) Congress as the Truth in Caller ID Act of 2007.  So far, it
hasn't made it through this Congress yet either, and this Congress has
effectively come to a close.  The House continues to pass it, and then
the Senate sits on it.  It doesn't seem to really be much of a priority,
and I fully expect it to be reintroduced as the Truth in Caller ID Act
of 2009 in next year's Congress, where it will likely again pass the
House and then just sit there immobile in the Senate.

Also, assuming it does make it through congress as currently written,
I've already made a case about its practical applicability[2] due to a
possible loophole in the verbiage.

> The idea that a malicious caller can be traced is attractive, but I'm sad to
> say it's too far behind the times.

I completely agree.  Also given that in many VoIP protocols a call can
be initiated with a single packet which not only spoofs its
application-layer identity, but also its network-layer identity, I
really don't see how you can hope to accomplish this through legislation
alone.  Consider SIP, which is often transported via UDP.  It only takes
a single packet every minute or two to perform the slow-rate "annoyance"
DoS that I was originally describing:
    
      Phone A          Phone B
         |                |
         |     INVITE     |
         |--------------->|
         |  180 Ringing   |
         |<---------------|
         |     200 OK     |
         |<---------------|

It only takes one UDP packet to cause the recipient phone to ring, which
is both spoofable at the application layer with falsified Caller-ID
information, as well as at the network layer with a falsified network
source address (assuming the attacker only wants the phone to ring, not
actually connect a call).  There are a couple of scenarios where
spoofing a nonexistent host might cause call termination before the
first annoyance ring due to an intermediate SIP proxy, PSTN gateway, or
the destination host itself receiving an ICMP host unreachable or
something, but in most cases this attack works just fine with very
little effort and reasonable expectation of anonymity.

[1] http://www.govtrack.us/congress/bill.xpd?bill=s110-704
[2] http://voipsa.org/blog/2007/01/29/truth-in-caller-id-act-of-2007/

-- 
Dustin D. Trammell
Security Researcher
BreakingPoint Systems, Inc.
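
Added example, not part of the original post or of any list member's code: a
small Python script that builds the single-packet INVITE exchange described
above and shows how a callee-side phone or proxy could recognise the slow-rate
ringing pattern.  All hosts, names, Call-IDs and thresholds in it are
constructed.  The detection rule rests on one consequence of source spoofing
that the post implies: Bob's 180 Ringing and 200 OK go to a host that never
sent the INVITE, so the forged caller can neither ACK the answer nor CANCEL the
ringing, and the dialog consists of exactly one inbound packet.  One such dialog
is ordinary packet loss; several against the same callee, from scattered
sources and with different Caller-IDs, is the annoyance DoS.

```python
"""Spotting slow-rate "annoyance ringing" from single-packet, source-spoofed SIP INVITEs.

Constructed example: every address, name and threshold here is an assumption.
A caller whose source address is real always sends a second request after its
INVITE: ACK when the callee answers (RFC 3261 expects it within 64*T1 = 32 s of
the 2xx) or CANCEL when it gives up ringing.  A caller that forged its source
never sees the responses, so neither arrives.
"""
import re
from collections import defaultdict

GRACE = 180.0        # seconds after an INVITE by which a real caller has ACKed or CANCELed
WINDOW = 15 * 60.0   # how far back we look per callee
THRESHOLD = 3        # single-packet INVITEs to one callee within WINDOW that raise an alert

HEADER_RE = re.compile(r"^([A-Za-z-]+):\s*(.*)$")
COMPACT = {"i": "call-id", "f": "from", "t": "to", "v": "via", "m": "contact"}  # RFC 3261 short forms


def parse_sip(raw):
    """Return {'method', 'status', 'headers'} for one SIP request or response."""
    lines = raw.strip().splitlines()
    start = lines[0].split()
    msg = {"method": None, "status": None, "headers": {}}
    if start[0] == "SIP/2.0":           # response: SIP/2.0 <code> <reason>
        msg["status"] = int(start[1])
    else:                               # request: <METHOD> <Request-URI> SIP/2.0
        msg["method"] = start[0]
    for line in lines[1:]:
        m = HEADER_RE.match(line)
        if m:
            name = m.group(1).lower()
            msg["headers"][COMPACT.get(name, name)] = m.group(2)
    return msg


def uri_of(header):
    """Strip display name and parameters: '"Mom" <sip:x@y>;tag=1' -> 'sip:x@y'."""
    m = re.search(r"<([^>]+)>", header)
    return m.group(1) if m else header.split(";")[0].strip()


def find_annoyance_ringing(trace, now):
    """trace: list of (seconds, source_ip, raw_sip) as seen at the callee's UA or proxy.

    Returns {callee_uri: [dialog, ...]} for callees that received >= THRESHOLD
    INVITEs in the last WINDOW seconds which were never followed by ACK or CANCEL.
    """
    dialogs = {}
    for t, src, raw in sorted(trace):
        msg = parse_sip(raw)
        cid = msg["headers"].get("call-id")
        if cid is None:
            continue
        if msg["method"] == "INVITE" and cid not in dialogs:
            dialogs[cid] = {"t": t, "src": src, "followed_up": False,
                            "from": msg["headers"].get("from", ""),
                            "to": uri_of(msg["headers"].get("to", ""))}
        elif msg["method"] in ("ACK", "CANCEL") and cid in dialogs:
            dialogs[cid]["followed_up"] = True
    suspects = defaultdict(list)
    for d in dialogs.values():
        age = now - d["t"]
        if d["followed_up"] or age < GRACE or age > WINDOW:
            continue
        suspects[d["to"]].append(d)
    return {callee: ds for callee, ds in suspects.items() if len(ds) >= THRESHOLD}


# --- constructed trace ----------------------------------------------------------
BOB, BOB_IP = "sip:bob@example.com", "192.0.2.20"
CAROL = "sip:carol@example.com"


def request(method, call_id, frm, to, src_ip):
    """Minimal SIP request as one UDP datagram; no SDP body is needed to make a phone ring."""
    return (f"{method} {to} SIP/2.0\r\nVia: SIP/2.0/UDP {src_ip}:5060;branch=z9hG4bK{call_id}\r\n"
            f"From: {frm};tag=a{call_id}\r\nTo: <{to}>\r\nCall-ID: {call_id}\r\n"
            f"CSeq: 1 {method}\r\nContact: <sip:{src_ip}>\r\nContent-Length: 0\r\n")


def response(code, reason, call_id, frm, to):
    return (f"SIP/2.0 {code} {reason}\r\nFrom: {frm};tag=a{call_id}\r\nTo: <{to}>;tag=b{call_id}\r\n"
            f"Call-ID: {call_id}\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n")


def sample_trace():
    """What Bob's phone sees (times in seconds): one real call, then the attack."""
    alice = '"Alice" <sip:alice@example.com>'
    t = [(0.0, "192.0.2.10", request("INVITE", "c1", alice, BOB, "192.0.2.10")),
         (1.0, BOB_IP, response(180, "Ringing", "c1", alice, BOB)),
         (2.0, BOB_IP, response(200, "OK", "c1", alice, BOB)),
         (2.1, "192.0.2.10", request("ACK", "c1", alice, BOB, "192.0.2.10"))]
    # Four INVITEs about three minutes apart, each a single datagram with a forged
    # source address and forged Caller-ID.  Bob rings and answers; nothing ever comes back.
    spoofed = [("198.51.100.7", '"Mom" <sip:5551234@198.51.100.7>'),
               ("203.0.113.9", '"Bank Fraud Dept" <sip:8005551000@203.0.113.9>'),
               ("198.51.100.44", '"Unknown" <sip:anonymous@198.51.100.44>'),
               ("203.0.113.200", '"Bob" <sip:bob@example.com>')]
    for i, (src, frm) in enumerate(spoofed):
        base, cid = 100.0 + i * 180, f"x{i}"
        t += [(base, src, request("INVITE", cid, frm, BOB, src)),
              (base + 1, BOB_IP, response(180, "Ringing", cid, frm, BOB)),
              (base + 3, BOB_IP, response(200, "OK", cid, frm, BOB))]
    # One INVITE to Carol with no follow-up (a caller that lost connectivity): below THRESHOLD.
    t.append((500.0, "198.51.100.99", request("INVITE", "y1", alice, CAROL, "198.51.100.99")))
    return t


if __name__ == "__main__":
    for callee, ds in find_annoyance_ringing(sample_trace(), now=900.0).items():
        print(f"{callee}: {len(ds)} single-packet INVITEs from {sorted({d['src'] for d in ds})}")
        for d in ds:
            print(f"  t={d['t']:.0f} src={d['src']} From={d['from']}")
```

The rule keys on dialog state a SIP proxy already tracks (INVITE, then ACK
or CANCEL on the same Call-ID) and deliberately ignores the From header and
source address, both of which the attacker controls; it cannot say who sent
the packets, only that one callee is being rung by phantoms.  The grace period
and threshold are assumptions to tune against the site's real missed-call rate.
As the post notes, an intermediate proxy or gateway may receive an ICMP
unreachable for the spoofed source and drop the dialog early; that changes when
the ringing stops, not the absence of a follow-up.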




