
Page 1: Fear and Loathing in Las VoIP

Fear and Loathing in Las VoIP

Adam J. O’Donnell, Ph.D., Senior Research Scientist

Cloudmark, Inc. [email protected]

Page 2

Predictions regarding VoIP security are amusing.

Security attacks on/involving VoIP are fascinating.

Page 3

“An electronic Pearl Harbor-type event will happen in 2006 or 2007. I do stand by that...”

“New technologies such as VoIP risk driving a horse and cart through ... our network.”

Page 4

There are 500,000 hits on Google for “spit voip”... why?

Page 5

What was predicted...

•Taking down the entire phone network via large-scale DDoS

•Massive spam and phishing

•Large-scale authentication abuse - phishers purporting to be banks

Page 6

...what is being seen

•One-off DoS against specific SIP implementations

•E-mail-driven phishing with VoIP phone numbers

•Large-scale authentication abuse... but people posing as other people, not as organizations

Page 7

Why? Economics

•Hackers are trying to gain the highest level of notoriety for their investment.

•Spammers and phishers are trying to contact the maximum number of people for the minimum cost.

Page 8

DoS Economics

•First step in writing a full exploit is crashing the service

•Very well-established process:

  •Grab protocol description

  •Write “fuzzer”

  •Publish results

Page 9

DoS Economics

•Looking for vulnerabilities in new services is a standard pastime for hackers looking to learn.

•The target isn’t VoIP, but rather a new, possibly privileged service on the server
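The one-off DoS bugs described on pages 8 and 9 are what a malformed-message corpus finds in a SIP parser that trusts its input. The following is an added example, not code from the talk or from Cloudmark: a SIP request parser that enforces hard limits (message size, line length, header count, Content-Length consistency) and turns every malformed input into a single, catchable rejection instead of a crash. The limits, header regexes and the sample corpus are assumptions constructed for the example; `survey` deliberately catches only `SipParseError`, so any other exception is a parser bug that surfaces rather than being hidden.

```python
import re

# Parser limits are assumptions chosen for this example; a production SIP stack
# sets its own. Anything over a limit is rejected outright, never truncated.
MAX_MESSAGE_BYTES = 8192
MAX_LINE_BYTES = 1024
MAX_HEADERS = 64
REQUIRED_HEADERS = ("via", "from", "to", "call-id", "cseq")

REQUEST_LINE = re.compile(r"^([A-Z]{3,16}) (sip:\S{1,256}) SIP/2\.0$")
HEADER_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]{0,63}):[ \t]*(.{0,1000})$")


class SipParseError(ValueError):
    """The one exception callers see; the only correct reaction is to drop the packet."""


def parse_sip_request(raw: bytes) -> dict:
    """Parse a SIP request under hard limits, or raise SipParseError."""
    if len(raw) > MAX_MESSAGE_BYTES:
        raise SipParseError("message too large")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise SipParseError("non-ASCII byte in message") from exc
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        raise SipParseError("missing end-of-headers CRLFCRLF")
    lines = head.split("\r\n")
    if len(lines) - 1 > MAX_HEADERS:
        raise SipParseError("too many headers")
    if any(len(line) > MAX_LINE_BYTES for line in lines):
        raise SipParseError("line too long")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        raise SipParseError("malformed request line")
    method, uri = match.group(1), match.group(2)
    headers = {}  # name -> list of values; SIP allows repeated headers such as Via
    for line in lines[1:]:
        hdr = HEADER_LINE.match(line)
        if not hdr:
            raise SipParseError("malformed header line")
        headers.setdefault(hdr.group(1).lower(), []).append(hdr.group(2).strip())
    for name in REQUIRED_HEADERS:
        if name not in headers:
            raise SipParseError("missing header " + name)
    if "content-length" in headers:
        declared = headers["content-length"]
        if len(declared) != 1 or not declared[0].isdigit() or int(declared[0]) != len(body):
            raise SipParseError("content-length does not match body")
    return {"method": method, "uri": uri, "headers": headers, "body": body}


def survey(messages):
    """Feed every message to the parser and return (accepted, rejected).
    Only SipParseError is caught: anything else is a parser bug and propagates."""
    accepted = rejected = 0
    for msg in messages:
        try:
            parse_sip_request(msg)
            accepted += 1
        except SipParseError:
            rejected += 1
    return accepted, rejected


# Constructed sample messages (not captured traffic).
GOOD_INVITE = (
    b"INVITE sip:bob@example.invalid SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.1:5060\r\n"
    b"From: <sip:alice@example.invalid>;tag=1\r\n"
    b"To: <sip:bob@example.invalid>\r\n"
    b"Call-ID: abc123@192.0.2.1\r\n"
    b"CSeq: 1 INVITE\r\n"
    b"Content-Length: 0\r\n\r\n"
)
MINIMAL = b"INVITE sip:x SIP/2.0\r\nVia: a\r\nFrom: b\r\nTo: c\r\nCall-ID: d\r\nCSeq: 1 INVITE\r\n"

CONSTRUCTED_CORPUS = [
    GOOD_INVITE,                                                # accepted
    MINIMAL + b"\r\n",                                          # accepted
    b"INVITE " + b"A" * 2000 + b" SIP/2.0\r\n\r\n",             # oversized request line
    b"INVITE sip:x SIP/2.0\r\n" + b"X: y\r\n" * 100 + b"\r\n",  # header flood
    b"\xff\xfe not even text\r\n\r\n",                          # non-ASCII bytes
    MINIMAL,                                                    # no terminating blank line
    MINIMAL + b"Content-Length: 99\r\n\r\n",                    # length lies about the body
    b"INVITE sip:x SIP/2.0\r\nVia a\r\n\r\n",                   # header without a colon
]

if __name__ == "__main__":
    print("accepted/rejected:", survey(CONSTRUCTED_CORPUS))
```

Running the corpus through `survey` gives two accepted and six rejected messages, with no exception escaping; the same harness over a larger generated corpus is the defender's side of the “write a fuzzer” step on page 8.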

Page 10

Phishing Economics

•Again, a very well-established process:

  •Choose a target and a mailing list

  •Either compromise or buy compromised web servers to host a target page

  •Generate messages

  •Retrieve data provided by fooled users from web servers

Page 11

[Diagram with two labelled stages: Pitch, Callback]

Page 12

Phishing has become so standardized that diversification of labor has taken place, with separate groups of individuals supplying the web servers, mail servers, money laundering services, etc...

Page 13

Phishing “Market Pressures”

•As phishing became standardized, so did several of the anti-phishing techniques

•Classifiers were trained to look for e-mail mentioning banks with odd-looking URLs

•Phishing hosts were reported to network operators, who acted quickly to remediate the issue

Page 14

Phishing “Market Pressures”

•The target market for phishers began to shrink, due both to user education and improved content filters

•For phishing to continue to be profitable, both the pitch and the callback information have to become

  •More novel to the target

  •Difficult to analyze

Page 15

VoIP-carrying Phishing Scams

•Novel: customers aren’t used to phone numbers being unsafe

•Difficult to analyze: no whois-style information readily available for anti-phishers

•Cost effective: the time required to acquire an inbound VoIP number is in line with compromising a desktop for use as a web server

Page 16

Your online credit card account has high-risk activity status. We are contacting you to remind that our Account Review Team identified some unusual activity in your account. In accordance with Philadelphia FCU Bank User Agreement and to ensure that your account has not been compromised, access your account was limited. Your account access will remain limited until this issue has been resolved.

We encourage you to call our Account Verification Department at phone number (517) XXX-XXXX and perform the steps necessary to verify your account informations as soon as possible. Allowing your account access to remain limited for an extended period of time may result in further limitations on the use of your account and possible account closure.

Contact our Account Verification Department at (888) 354-9907 24 hours / 7 days a week to verify your account informations and to confirm your identity.

Page 17

Page 18

Page 19

Dear Customer, We've noticed that you experienced trouble logging into Santa Barbara Bank & Trust Online Banking. After three unsuccessful attempts to access your account, your Santa Barbara Bank & Trust Online Profile has been locked. This has been done to secure your accounts and to protect your private information. Santa Barbara Bank & Trust is committed to make sure that your online transactions are secure. Call this phone number (1-805-XXX-XXXX) to verify your account and your identity. Sincerely, Santa Barbara Bank & Trust Inc. Online Customer Service
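Page 13 notes that classifiers were trained on bank-mentioning mail with odd URLs, and page 15 explains why the VoIP variant slips past them: the callback is a phone number, not a URL. The block below is an added example, not Cloudmark's filter or anything from the talk. It scores a message on three signals: financial-institution vocabulary, lockout/urgency phrasing, and a phone number offered as the only callback channel, and runs that over the two phishing messages quoted on pages 16 and 19 (with the numbers as redacted there) plus two constructed benign messages. The term lists, weights, threshold and phone-number pattern are assumptions for the example.

```python
import re

# The first two samples are the phishing messages quoted on slides 16 and 19;
# the last two are constructed benign messages for contrast.
SLIDE_16 = (
    "Your online credit card account has high-risk activity status. We are contacting "
    "you to remind that our Account Review Team identified some unusual activity in your "
    "account. In accordance with Philadelphia FCU Bank User Agreement and to ensure that "
    "your account has not been compromised, access your account was limited. Your account "
    "access will remain limited until this issue has been resolved. We encourage you to "
    "call our Account Verification Department at phone number (517) XXX-XXXX and perform "
    "the steps necessary to verify your account informations as soon as possible. Allowing "
    "your account access to remain limited for an extended period of time may result in "
    "further limitations on the use of your account and possible account closure. Contact "
    "our Account Verification Department at (888) 354-9907 24 hours / 7 days a week to "
    "verify your account informations and to confirm your identity."
)
SLIDE_19 = (
    "Dear Customer, We've noticed that you experienced trouble logging into Santa Barbara "
    "Bank & Trust Online Banking. After three unsuccessful attempts to access your account, "
    "your Santa Barbara Bank & Trust Online Profile has been locked. This has been done to "
    "secure your accounts and to protect your private information. Santa Barbara Bank & "
    "Trust is committed to make sure that your online transactions are secure. Call this "
    "phone number (1-805-XXX-XXXX) to verify your account and your identity."
)
BENIGN_STATEMENT = ("Your March statement is ready. Sign in at "
                    "https://online.example.invalid/statements to view it.")
BENIGN_PERSONAL = ("Hi, give me a call at (555) 012-3456 when you are free "
                   "to talk about lunch on Friday.")

# Heuristic vocabularies and weights: assumptions for this example, not a tuned model.
BANK_TERMS = ("bank", "fcu", "credit card", "account")
URGENCY_TERMS = ("limited", "locked", "unusual activity", "as soon as possible",
                 "closure", "verify your")
# US-style numbers, including redacted ones: (517) XXX-XXXX, (888) 354-9907, 1-805-XXX-XXXX
PHONE_RE = re.compile(r"(?:1-)?\(?\d{3}\)?[-\s]\s*[\dX]{3}-[\dX]{4}")
PHISH_THRESHOLD = 5


def extract_callback_numbers(text):
    """Return every phone number offered in the message, in order of appearance."""
    return PHONE_RE.findall(text)


def score_message(text):
    """Combine the signals; a phone-only callback alone is not enough to flag a message."""
    t = text.lower()
    score, reasons = 0, []
    if any(term in t for term in BANK_TERMS):
        score += 2
        reasons.append("financial-institution lexicon")
    urgency = min(3, sum(1 for term in URGENCY_TERMS if term in t))
    if urgency:
        score += urgency
        reasons.append(f"{urgency} urgency/lockout phrase(s)")
    numbers = extract_callback_numbers(text)
    if numbers:
        score += 2
        reasons.append("callback phone number present")
        if "http" not in t:
            score += 1
            reasons.append("no URL: the phone number is the only callback channel")
    return {"score": score, "reasons": reasons, "numbers": numbers,
            "verdict": "phish" if score >= PHISH_THRESHOLD else "clean"}


def classify_all():
    samples = {"slide16": SLIDE_16, "slide19": SLIDE_19,
               "statement": BENIGN_STATEMENT, "personal": BENIGN_PERSONAL}
    return {name: score_message(text)["verdict"] for name, text in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(name, verdict)
```

The personal message scores for its phone number but stays clean because nothing else fires; the two slide messages score 8 and 7. The extracted numbers are what an anti-phisher would hand to the VoIP provider, which is the line of communication page 21 says has to be established.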

Page 20

What can we expect?

•Given that...

  •Appears to be the work of a limited number of phishers.

  •Small number of relatively unsophisticated messages

  •First number had 1500 callers in 3 days, which is a far better response rate than webpages

Page 21

What can we expect?

•More of the same, until...

  •Lines of communication are established between anti-phishers and VoIP providers

  •Banks adopt and customers expect multifactor authentication

Page 22

Authentication Economics

•Phone numbers are used as authentication because they are cheap (already in place)

•Spoofing phone numbers was previously expensive, requiring expertise in compromising phone switches

Page 23

Authentication Economics

•The MGC (media gateway controller) component of VoIP systems is responsible for passing the calling party’s phone number into the system

•Spoofing phone numbers is trivial for anyone with access to an MGC (i.e., anyone who runs Asterisk)

•Several companies, such as camophone.com and spoofcard.com, have been established to offer just this service

Page 24

Think about all the systems that use only your phone number as a form of authentication...

Page 25

This is the enemy.

Page 26

This is the enemy.

Aug 23rd (TMZ.com): Paris Hilton dropped from spoofcard.com for hacking into Lindsay Lohan’s voicemail, thus violating the ToS.

Page 27

Consider the possibilities...

•In 1997, a measure was passed through Congress to ban radio receivers that covered the cellular phone band after a group of individuals recorded a high-level Republican conference call chaired by Newt Gingrich

Page 28

Consider the possibilities...

•While not meant to be FUD, what will happen to VoIP regulation if some Hill staffer gets ideas after reading the Paris Hilton/Lindsay Lohan story...

Page 29

Remediation?

•Authentication? Trivial, move to multi-factor systems, such as a PIN number.

•ACL? Also trivial, only accept calls across the MGC from phone numbers delegated to that provider

•Identity? A little harder. Maybe push crypto-signed phone numbers over the CallerID packet
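The first two remediations on this page, an ACL on the MGC and a PIN as a second factor, fit in a few dozen lines. What follows is an added example, not code from the talk, from Cloudmark or from any MGC product. It assumes a constructed trunk table mapping each peer provider's source address to the E.164 prefixes delegated to it, so an asserted caller ID is accepted only if it arrived over the trunk entitled to originate it; the PIN check then treats the number as a hint and the PIN as the actual authenticator. The trunk table, the subscriber enrolment and the NANP defaulting in `normalize_e164` are all assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed trunk table (assumption for this example): which E.164 prefixes each
# peer provider's MGC is delegated. Calls claiming any other caller ID across that
# trunk are refused before they reach anything that trusts the number.
TRUNKS = {
    "192.0.2.10": {"provider": "carrier-a", "prefixes": ("+1517", "+1805")},
    "198.51.100.7": {"provider": "carrier-b", "prefixes": ("+1888",)},
}

PBKDF2_ROUNDS = 100_000


def normalize_e164(number):
    """Reduce the many ways a caller ID is written to +<country><number>.
    Ten- and eleven-digit forms are assumed to be NANP numbers."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if number.strip().startswith("+") and digits:
        return "+" + digits
    if len(digits) == 10:
        return "+1" + digits
    if len(digits) == 11 and digits[0] == "1":
        return "+" + digits
    raise ValueError("cannot normalize caller id")


def check_inbound_caller_id(source_ip, caller_id):
    """ACL step: accept the asserted number only if it is delegated to the trunk it came over."""
    trunk = TRUNKS.get(source_ip)
    if trunk is None:
        return "reject", "unknown trunk"
    try:
        number = normalize_e164(caller_id)
    except ValueError:
        return "reject", "malformed caller id"
    if any(number.startswith(prefix) for prefix in trunk["prefixes"]):
        return "accept", trunk["provider"]
    return "reject", f"{number} is not delegated to {trunk['provider']}"


def hash_pin(pin, salt=None):
    """Salted PBKDF2 so a leaked enrolment table does not hand out the PINs."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


# Constructed enrolment: one subscriber with a PIN as the second factor.
ACCOUNTS = {"+15175550123": hash_pin("4921")}


def verify_pin(number, pin):
    record = ACCOUNTS.get(number)
    if record is None:
        return False
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


def authorize_call(source_ip, caller_id, pin):
    """Caller ID selects the account at most; the PIN is what authenticates the caller."""
    verdict, detail = check_inbound_caller_id(source_ip, caller_id)
    if verdict != "accept":
        return "deny", detail
    number = normalize_e164(caller_id)
    if not verify_pin(number, pin):
        return "deny", "bad PIN for " + number
    return "allow", f"{number} via {detail}"


if __name__ == "__main__":
    print(check_inbound_caller_id("192.0.2.10", "(888) 354-9907"))  # spoofed: wrong trunk
    print(authorize_call("192.0.2.10", "+1 517 555 0123", "4921"))   # allowed
```

The spoofing case on page 23 is the second call: a number outside the originating provider's delegation is rejected at the ACL regardless of what the MGC asserted. The third remediation, cryptographically signed numbers in the CallerID channel, is the piece this example does not attempt.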

Page 30

Remediation?

•Reputation? This can be assigned to:

  •Phone numbers

  •Source IPs

  •Content

  •Reporters of reputation information themselves

Page 31

Remediation?

•If the response time is too long, false negatives (FNs) and false positives (FPs) skyrocket

•Sender reputation is likely to be far easier to establish for mail spammers than VoIP spammers

•Not many home machines are mail servers, but many home machines are going to be VoIP users

Page 32

Moral of the story?

•The possibility of attack isn’t as important as the economic viability of attack

•Hackers and spammers are going to go with minor modifications on what they know, rather than major jumps in methodology

Page 33

Questions?

Adam J. O’Donnell, [email protected]