June 2012, Hyatt Dulles, Sterling, Virginia, USA: Carrier VoIP Security was the first technical topic discussed at the SIPForum's SIPNOC 2012 conference. A standing-room-only crowd of engineers attended an informal Birds-of-a-Feather (BoF) session on the latest in VoIP security threats and prevention techniques.
Why the huge interest? There was a well-attended security BoF at SIPNOC 2011, but this year the crowd was enormous. This year, everyone is feeling the pain of service theft. Most of the SIPNOC 2012 attendees represent VoIP Carriers. When their service is hacked, it costs a lot of money, and interferes with normal business operations.
Stealing phone service is not new. AT&T, as the United States' first major long-distance service provider, has fought theft of service for ages. But the advent of widespread carrier VoIP over the Internet has created an excellent opportunity to steal service. Attackers need not physically attach to your network to steal your service; they need only connect to your service across the Internet.
The top threat identified was theft of service. The essence is that someone uses a service to make phone calls without authorization. The owner or operator of the service is then responsible for paying the telephone bills. The expensive and interesting destinations to which calls are placed are typically in "developing" countries. For example, one recent story highlighted the plight of an Ipswich, Massachusetts businessman whose service was stolen. The thief used his service to call Somalia, at the rate of US $22.00 per minute.
These are not cases of a lonely foreign college student calling his mother back home. This is big business. In the case of the Ipswich manufacturer, the thieves averaged around 7 concurrent calls to Somalia for 4 days.
His carrier has since dropped the bill and absorbed the cost. That's good for the consumer -- but what if you are the carrier? You may be asked to absorb a $1M phone bill to avoid putting your customer out of business.
About a third of the Security BoF participants say that they block calls to expensive destinations by default. That is, if you need to do business with Somalia, and you're willing to pay the $1,320.00/hour to do so, then chances are high that your VoIP carrier won't let you call there without getting special permission.
This is a simple and safe strategy. But VoIP Carriers should be careful in how they do this; the FCC does regulate a VoIP carrier's flexibility to decide not to route calls to certain destinations. (Although, to the best of my knowledge, these rules only affect domestic US destinations.)
You may be familiar with the legacy telco model, where the "local" provider is distinct from the "long distance" provider. In many VoIP service providers, this is not the case; the local service includes your long distance calling. There is no "Equal Access" to alternate long-distance carriers with these VoIP services.
Many BoF participants also considered it critical to be able to successfully detect stolen service as it is occurring. All of the techniques for doing this amount to behavioral monitoring of some form: try to determine if the user is making "unusual" calls.
Many participants use some sort of threshold. For example, they may count the number of expensive, international calls being placed each day. If that count exceeds some fixed number, say 5, then they have automatically detected the theft of service. Others do their detection after some billing analysis has been done, so they can suspect fraud only once a threshold of dollars has been exceeded.
Some carriers reported using the customer's history to set the threshold. The more sophisticated systems, like ECG's Fraudstopper, do some auto-learning to detect the behavioral patterns of use.
There was also no single answer on how to handle a new customer. What is the appropriate fraud limit if you have no history or behavioral patterns?
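The threshold approaches described above, written out as an added example (not code from the post or from any product mentioned in it). It runs the fixed-count rule, the dollar-based rule and the history-based rule over constructed CDRs; the $22/minute Somalia rate is from the post, while the other rates, the $500 daily spend limit, the $1/minute "expensive" cut-off and the 3x-history multiplier are assumptions. A customer with no history falls back to the fixed limit, which is one possible answer to the new-customer question.

```python
from collections import defaultdict
from statistics import mean

EXPENSIVE_RATE = 1.00   # USD/min; above this a destination counts as "expensive" (assumed cut-off)
FIXED_CALL_LIMIT = 5    # the fixed daily count of expensive calls mentioned at the BoF
DOLLAR_LIMIT = 500.0    # assumed daily spend limit for the billing-based variant
HISTORY_MULTIPLIER = 3  # assumed: history-based limit is 3x the customer's average daily count

# Constructed CDRs: (customer, date, destination, rate in USD/min, minutes).
# "acme" shows the Somalia pattern from the post; "newco" is a new customer probing a
# cheaper expensive destination; "globex" legitimately calls abroad every day.
CDRS = (
    [("acme", "2012-06-08", "Somalia", 22.00, m) for m in (6, 5, 7, 4, 8, 6)]
    + [("acme", "2012-06-08", "Canada", 0.02, 12)]
    + [("globex", "2012-06-08", "UK", 0.05, 30)]
    + [("globex", "2012-06-08", "Intl-A", 1.50, m) for m in (3, 4)]
    + [("newco", "2012-06-08", "Intl-A", 1.50, 2)] * 6
)

# Constructed history: customer -> past daily counts of expensive calls. "newco" has none.
HISTORY = {"acme": [0, 1, 0, 0, 1], "globex": [3, 4, 2, 5, 3]}

def daily_totals(cdrs):
    """Per (customer, date): [number of expensive calls, total USD spent]."""
    totals = defaultdict(lambda: [0, 0.0])
    for cust, day, _dest, rate, minutes in cdrs:
        entry = totals[(cust, day)]
        if rate > EXPENSIVE_RATE:
            entry[0] += 1
        entry[1] += rate * minutes
    return totals

def call_limit(customer, history):
    """Fixed limit for customers without history; otherwise 3x their average, never below the fixed limit."""
    past = history.get(customer)
    if not past:
        return FIXED_CALL_LIMIT
    return max(FIXED_CALL_LIMIT, HISTORY_MULTIPLIER * mean(past))

def detect(cdrs, history):
    """Return alerts as (customer, date, reason) tuples, one per rule that fires."""
    alerts = []
    for (cust, day), (count, spend) in sorted(daily_totals(cdrs).items()):
        limit = call_limit(cust, history)
        if count > limit:
            alerts.append((cust, day, f"{count} expensive calls > limit {limit:g}"))
        if spend > DOLLAR_LIMIT:
            alerts.append((cust, day, f"spend ${spend:.2f} > ${DOLLAR_LIMIT:.2f}"))
    return alerts
```

Note that "globex" stays under its history-based limit of 10.2 calls even though it exceeds the fixed limit's neighbourhood most days, which is exactly the false positive the history-based variant avoids.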
After the fraud is detected, many BoF participants said they would automatically disable expensive calling on the affected telephone. Many raised concerns about disabling telephone services.
One successful strategy put forward was to notify the customer. A letter such as this one may be sent via email:
Dear customer, your terms of service say that you're responsible for security of your phones. We're only going to charge you for $50 of fraudulent service, not the full invoice. But we disabled your phone in the meantime.
One participant noted special risks that come when you allow customers to sign up for telephone service with a credit card. Thieves may sign up for service with a stolen credit card, then make expensive calls. Until that card is reported as stolen, or fraud is detected by the credit card company, it does not appear possible for the VoIP carrier to prevent the fraud.
Many participants noted that SIP REGISTER floods are continuing, apparently through the use of SIPVicious. These floods are caused when attackers scan the system, looking for SIP accounts that they can steal. By scanning the system very fast, they may overload it, and cause an outage before the fraud even begins.
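A minimal way to spot the scanning behind these REGISTER floods, as an added example that is not from the post: a sliding window per source address over constructed registrar log lines, flagging a source that either sends far more REGISTERs than a phone ever would or cycles through many different accounts. The log format, the 10-second window, the 20-REGISTER limit and the 5-account limit are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)   # assumed sliding window
MAX_REGISTERS = 20               # assumed: more REGISTERs per window than any one phone sends
MAX_USERS = 5                    # assumed: a device registers one or a few accounts, not dozens

# Constructed log lines: "<timestamp> REGISTER <source-ip> <To user> <response code>".
# 203.0.113.7 walks extensions 1000-1099 in ten seconds (an enumeration scan);
# 198.51.100.5 is a phone re-registering its one account every 30 seconds.
LOG = ["2012-06-08T22:00:%02d REGISTER 203.0.113.7 %d 403" % (i // 10, 1000 + i) for i in range(100)]
LOG += ["2012-06-08T22:00:%02d REGISTER 198.51.100.5 2001 200" % s for s in (0, 30, 59)]

LINE = re.compile(r"^(\S+) REGISTER (\S+) (\S+) (\d{3})$")

def detect_register_scans(lines):
    """Return {source_ip: reason} for sources whose REGISTER rate or account spread looks like a scan."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) inside the window
    alerts = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # ignore non-REGISTER or malformed lines
        ts = datetime.fromisoformat(m.group(1))
        ip, user = m.group(2), m.group(3)
        window = recent[ip]
        window.append((ts, user))
        while window and ts - window[0][0] > WINDOW:
            window.popleft()      # drop entries that fell out of the window
        users = {u for _, u in window}
        if ip not in alerts:      # report each source once, on the first rule that fires
            if len(window) > MAX_REGISTERS:
                alerts[ip] = f"{len(window)} REGISTERs in {WINDOW.seconds}s"
            elif len(users) > MAX_USERS:
                alerts[ip] = f"{len(users)} distinct accounts tried in {WINDOW.seconds}s"
    return alerts
```

The account-spread rule fires before the rate rule on the scanner here, which is the more useful signal: a slow scan that stays under any rate limit still has to touch many accounts.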
A classic model appears to be (a) detection of SIP accounts with poor authentication; (b) test calls to verify the service early in the work week; then (c) heavy fraudulent use starting Friday night, when fraud detection is weaker over the weekend.
Many fraudulent calls appear to come from Skype and Google Voice gateways. In addition, North Africa and the Palestinian Territory were common sources at the IP layer for the attacks.
One carrier reported special problems with their Bring-Your-Own-Device model. In their service, customers buy SIP service, but use their own devices. Many of these devices are SIP phones on the public Internet. Attackers can scan the Internet (often via Google) for SIP phones, then retrieve the SIP authentication credentials right off the phone. Then they can REGISTER as that phone with the VoIP service provider, and make fraudulent calls.
This carrier strongly recommended against connecting IP phones directly to the public Internet. They should, instead, be connected to the network through a firewall or NAT device that prevents incoming connections.
The fundamental vulnerability is that the SIP phones do not adequately protect themselves against the public Internet. The vendors do not expect users will be putting their phones on the public Internet; they expect them to have private IPs inside a NAT-protected network.
SIP PBXs (such as Asterisk and Cisco Call Manager) are commonly directly connected to the Internet. Many BoF participants mentioned cases where a customer's PBX is exploited. In these cases, the attacker places fraudulent calls through the Internet, to the customer's PBX. Then the customer's PBX routes those calls to the VoIP carrier. Even if you have quality SIP authentication credentials to authenticate that SIP PBX, you can't detect that the calls are actually not legitimate.
Similar cases were reported with Adtran TA900-series IADs. Attackers would log in to these devices, reconfigure them to allow SIP calling through the Internet, then route calls from the attacker, via the IAD, to the SIP PBX. We would expect this to be possible on all SIP-to-SIP capable devices, including Cisco IAD2430-series devices, those from Audiocodes, and many more. The key is proper securing of the SIP PBX or IAD to prevent an attacker from gaining control.
One carrier reported multiple attempts to create a Denial of Service simply by using up all voice ports on a customer's device. For instance, an attacker would place many phone calls to a bank's Interactive Voice Response (IVR) system. This effectively may prevent the bank from receiving calls through that IVR while the attack is ongoing. (I wonder if this type of attack is coordinated with credit card fraud on that bank's customers, with the hope being to prevent a suspicious vendor from checking in with the bank to verify a credit card.)
Someone asked about the VoIP security testing tools; for example, SIPVicious. Is anybody using those tools to actively test their own network, or their customers' networks? Only one BoF participant said that he was.
Meetings like this are rare. We discussed how to better disseminate information about the latest threats, and wisdom on how to make the roll-out of VoIP go more smoothly. Some participants mentioned the difficulty in getting formal authority to actually exchange information about their threats and counter-techniques.
SIPForum SIPNOC can be a useful, in-person meeting to discuss these risks and threats. Some participants also mentioned the FBI InfraGard program, but also noted that it seems to be a "listen-only" forum. That is, many companies join to hear what the FBI has to say, but few want to publicize anything they're seeing, even among a limited set of participants.
VoIPSA may be another good forum where public content can be published.
Perhaps the challenge is convincing everyone that sharing information about the latest threats is actually beneficial. But this is an old debate, extended to the new telephone network. Is it really good for everyone involved if the information about the threats is publicized?