[VOIPSEC] Is there an anti-phishing "blackhole list" of phone numbers?

Geoff Devine Geoff at GeoffDevine.com
Wed Jun 3 13:49:57 BST 2009


Jonathan K. Creasy writes:

> In many of the cases I have witnessed the source number is that of an
> innocent victim. Many cases involve systems that are hacked because
> of poor security and the outbound calls are placed using the
> credentials of a phone on their network.

On a Primary Rate ISDN interface, the integrity of Calling_Party_Number
usually isn't policed by the circuit switch.  When the interface was
designed and implemented, everyone assumed that there would be a business
relationship (a service contract) between the Telco and the customer where
the Telco could pull the plug on the interface if the customer abused their
identity assertion.  Nobody envisioned that PRI would be used as a service
provider interface to bridge VoIP to the PSTN.  Nobody is going to upgrade
their legacy circuit switches to correct the problem.  SS#7 has the exact
same problem.  Many SIP trunking implementations also have no way of
policing this CallerID information.  Once you've done your SIP digest
authentication, you can pass whatever you want.  I was working this issue a
year ago from the Cable side feeding requirements into the SIP Forum for
SIPConnect since it's a real hole.  Today, if you're using an IP-PBX with a
SIP handoff to a service provider, you can offer whatever you want for
CallerID and the network will blindly pass it through in many
implementations.

The conclusion is that CallerID is horribly broken and you can't reliably
construct a "blackhole list" of phone numbers since it's so trivial to
supply a different one.

Geoff Devine
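
What policing the asserted number at the trunk edge could look like, as an added example that is not part of the original post: once digest authentication has identified the trunk, the From and P-Asserted-Identity numbers are checked against the ranges assigned to that trunk. The provisioning table, the hostnames and the `police_caller_id` and `invite` helpers are assumptions made for illustration.

```python
import re

# Constructed provisioning table (assumption): digest username -> E.164
# prefixes the provider assigned to that trunk.
ASSIGNED = {"pbx-acme": ("+1617555010",), "pbx-beta": ("+442079460",)}
IDENTITY_HEADERS = ("from", "p-asserted-identity")
URI_USER = re.compile(r"(?:sips?:|tel:)([^@;>\s]+)", re.I)
AUTH_USER = re.compile(r'username="([^"]+)"', re.I)

def parse_headers(message):
    """Return {lowercased header name: [values]} for the SIP header section."""
    headers = {}
    head = message.replace("\r\n", "\n").split("\n\n", 1)[0]
    for line in head.split("\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def police_caller_id(message):
    """Return (allowed, reasons); fails closed on anything it cannot verify."""
    headers = parse_headers(message)
    auth = AUTH_USER.search(" ".join(headers.get("authorization", [])))
    if not auth or auth.group(1) not in ASSIGNED:
        return False, ["no known digest username"]
    prefixes = ASSIGNED[auth.group(1)]
    reasons = [] if headers.get("from") else ["missing From header"]
    for name in IDENTITY_HEADERS:
        for value in headers.get(name, []):
            m = URI_USER.search(value)
            # Drop visual separators so +1-617-555-0101 compares as digits.
            number = re.sub(r"[^\d+]", "", m.group(1)) if m else ""
            if not number.startswith(prefixes):
                reasons.append(f"{name}: {number or 'unparseable'} outside "
                               f"ranges of {auth.group(1)}")
    return not reasons, reasons

def invite(from_number, auth_user="pbx-acme"):
    """Build a constructed INVITE for the demo (sample data, not a capture)."""
    return (
        "INVITE sip:+12025550199@sip.provider.example SIP/2.0\r\n"
        f'From: "Front Desk" <sip:{from_number}@pbx.example.com>;tag=1928\r\n'
        "To: <sip:+12025550199@sip.provider.example>\r\n"
        f'Authorization: Digest username="{auth_user}", '
        'realm="provider.example", nonce="abc", response="00"\r\n\r\n'
    )

if __name__ == "__main__":
    print(police_caller_id(invite("+16175550101")))  # number in assigned range
    print(police_caller_id(invite("+12125550123")))  # number outside the range
```

This check only covers the SIP trunk edge where the provider knows which numbers it assigned; it does nothing for calls arriving over PRI or SS#7 interconnects that already carry an unverified number.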



