SIP Trunking: WARNING Caller ID
The threat is simple: with vendors offering web services to "spoof Caller-ID," the legitimacy of Caller-ID is destroyed.
The Caller-ID topic has the lamp burning in our offices. During the next couple of posts I'll be hitting on Caller-ID. I need to start with the first one being security because it demands attention. See Eric's post, FBI Warns on VoIP Attacks; these attacks are showing up because of technology being exploited. What the FBI news release doesn't elaborate on is a core issue that needs to be addressed by ITSPs, carriers and everything in between. The summary from the FBI release reads:
The perpetrators are suspected of using automated dialing programs and multiple accounts to overwhelm the land and cell phone lines of their victims with thousands of calls. When the calls are answered, the victim may hear anything from dead air (nothing on the other end), an innocuous recorded message, an advertisement, or even a telephone sex menu. The calls are typically short in duration but so numerous that victims have had to have their numbers changed to make the calls stop.
The FBI report details the crimes perpetrated using the telephone as a cloaked weapon.
At the core of this issue is Caller-ID. Caller-ID caused some states to fume over privacy concerns--Pennsylvania ring a bell? In my past posts I've argued against Caller-ID spoofing and not only is Caller-ID spoofing a threat, but not having Caller-ID is at the heart of the threat that the FBI will be dealing with.
The FBI release states: "The victims have had to have their numbers changed." Why? Because the sources of the calls could not be identified. Last June, Gary Audin wrote in Fixing a SIP Security Hole that, "A recipient of a phone call cannot 'know' the verified identity of the calling party (e.g. a true caller ID)." This spells trouble, especially for the past victims of these crimes, and it means that calling someone at home, work, on a cell or wherever to verify a financial transaction isn't a good idea and is no longer good policy. And besides, how do you know who's really calling you?
Spoofing Caller-ID is an old feature of most systems. Changing CLIP to any number/name combination is easily accomplished because it's considered necessary to populate extension users' data with their DID numbers, as one example. The threat is simple: with vendors offering web services to "spoof Caller-ID," the legitimacy of Caller-ID is destroyed. In other words, it is no longer trusted. Case in point: my numerous (honest, I was testing) exploits of spoofing the White House switchboard. What's even worse is getting unlisted numbers by spoofing them through the PSTN. How? Replace the CLIP with a number and then outcall to a landline number that has the Caller-ID feature to obtain name and number. Send just the number and the name is provided, pretty simple and very effective.
The SIP message header can be changed, encrypted, manipulated, masked or prepended/appended, and this creates an issue: when the Caller ID header is null or malformed and/or has fewer than ten digits, the carrier/provider passes the call and anonymous call rejection fails. Why do carriers/providers even pass calls with null, malformed and incomplete message headers? Gary also warns in his post, "Look into how your vendor presently performs and validates identification. You may be disappointed by their solution."
Gary nailed this, because if you do call your ITSP or provider and request a call trace or to reveal the Caller-ID of an anonymous call, good luck! Recently, I did and our provider retrieved the call record, opened it up to read the message header and there was nothing to find.
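A screening check for the null, malformed and short Caller-ID headers described above can be sketched as follows. This is an added example, not code from the original post or from any carrier or vendor. It assumes the caller identity arrives in the SIP From header or, from a trusted peer only, in P-Asserted-Identity; the header samples and function names are constructed for illustration.

```python
import re

# Constructed sample headers (not captured traffic); 555-01xx is a fictional number range.
SAMPLES = {
    "full": 'From: "Alice" <sip:+12025550143@itsp.example>;tag=1a2b',
    "short": "From: <sip:5550143@itsp.example>;tag=3c4d",
    "anonymous": 'From: "Anonymous" <sip:anonymous@anonymous.invalid>;tag=5e6f',
    "null": "From: <sip:@itsp.example>;tag=7a8b",
    "garbled": "From: <sip:2O2-555-0143@itsp.example>;tag=9c0d",  # letter O, not zero
    "asserted": 'From: "Anonymous" <sip:anonymous@anonymous.invalid>;tag=1e2f\r\n'
                "P-Asserted-Identity: <sip:+12025550143@itsp.example>",
}

SIP_USER = re.compile(r"sips?:([^@>\s]*)@", re.I)

def header_value(message, name):
    """Return the first value of header `name` (case-insensitive), or None if absent."""
    for line in message.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None

def classify_identity(value, min_digits=10):
    """Map one identity header value to null / anonymous / malformed / short / ok."""
    match = SIP_USER.search(value or "")
    if not value or (match and not match.group(1)):
        return "null"  # header absent, empty, or URI with an empty user part
    if not match:
        return "malformed"  # no parsable sip: URI with a user part
    user = match.group(1)
    if user.lower() == "anonymous":
        return "anonymous"
    digits = re.sub(r"[-.()]", "", user.lstrip("+"))  # drop visual separators
    if not re.fullmatch(r"[0-9]+", digits):
        return "malformed"
    return "ok" if len(digits) >= min_digits else "short"

def screen_invite(message):
    """Classify the caller identity, preferring P-Asserted-Identity over From."""
    asserted = header_value(message, "P-Asserted-Identity")
    source = asserted if asserted is not None else header_value(message, "From")
    return classify_identity(source)

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:10} -> {screen_invite(msg)}")
```

A result of "ok" only means the header is well formed; it says nothing about whether the number is genuine, which is the trust problem this post is about.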
Next, I thought maybe we could reveal anonymous call identities by doing the SIP-to-Cell transfers and then using the services of Trapcall in front of our iPhones. Their support folks told me, "We can't even give a definite answer, as there are too many variables with VoIP."
Asterisk users already reported similar symptoms of getting flooded with calls that sounded "robotic in nature." Over at VoIPSA, the post, Asterisk "hack" to show blocked Caller-ID points to larger trust issues with SIP, concludes that, "there is a good amount of work going on right now in the IETF around the whole area of strong identity."
Anonymous calls that are harassing, threatening, or annoying, including SPIT, should be a concern and will prove to be more challenging. Adding to the problem, Caller-ID is not a trusted source. This doesn't mean that solving this problem is going to solve or eliminate the criminal problems, but what it does mean is that the holes in the system (network) need plugging. Otherwise, just prop the screen door open.