Tuesday, June 27, 2006

More on the recent VoIP fraud

There has been much discussion lately (for example, in Business Week, TechWeb and TMCnet) of the VoIP fraud allegedly perpetrated by Edwin Pena, abetted by Robert Moore, on a number of VoIP service providers.

The complete story, of course, has not been told. I had a brief email conversation with the owner of a Houston-based VoIP service provider that was scammed, and what follows is his tale.

In his case, the protocol was H.323 and not SIP. He tells me that his VoIP-PSTN gateway was expertly hacked, apparently using a master password, and its configuration was altered. To verify that the hack worked, test calls were made to a cellphone in New Jersey, according to logs in the equipment, which also revealed that they were made from Brazil.

Once it was verified that the calls got through, traffic was directed to the hacked gateway from (presumably) an H.323 gatekeeper, apparently located at the NAP of the Americas in Miami.

The fraud was discovered by the unusual traffic patterns that resulted, when all the circuits on the gateway became busy. The destination of most of the calls was Jamaica, with origins as diverse as the UK, Australia and the US.

Once alerted to the fraud, the aggrieved business owner did some investigation, and traced the cellphone to Fortes Telecom in New York.

What surprised me about this story is that it doesn't involve hacked networks at New York hedge funds, decoy servers at hosting companies, nor brute force attacks to discover account prefixes, as laid out in the criminal complaints against Edwin Pena and Robert Moore. It seems as though a variety of attacks were made, not all of which were described by the US Attorney's office.

Nevetheless, it does stress the need for adequate perimeter security around VoIP softswitches and gateways, a case I think the proponents of session border controllers have made fairly convincingly on the VOIPSEC list recently.

Wednesday, June 14, 2006

ITAA slams Feds' regs on VoIP wiretapping

Yesterday the IT Association of America released a report decrying the move by the FCC to apply the Communications Assistance for Law Enforcement Act to VoIP traffic. The report's authors are an illustrious bunch, including Internet and security luminaries Vint Cerf, Steve Bellovin, Whitfield Diffie and Jon Peterson.

The key charge levelled by the report is that the Feds want to make VoIP over the Internet work like the PSTN, simply so that it is amenable to wiretapping. This turns the Internet notion of the stupid network upside-down, replacing it with centralized switching and control. The report points out that once a call is set up between two parties, the VoIP service provider(s) involved don't necessarily play any role in routing the IP packets that carry the actual conversations, making interception problematical.

This is especially a problem for P2P-based services like Skype, which would be covered by the proposed CALEA regulations, simply because they offer PSTN interconnection through services such as SkypeIn and SkypeOut. A close reading of the regulations indicates that the mere interconnection of a VoIP network with the PSTN would render all calls entirely within the VoIP network subject to the purview of CALEA, even if they don't touch the PSTN. To quote the FCC ruling:
To be clear, a service offering is “interconnected VoIP” if it offers the capability for users to receive calls from and terminate calls to the PSTN; the offering is covered by CALEA for all VoIP communications, even those that do not involve the PSTN. Furthermore, the offering is covered regardless of how the interconnected VoIP provider facilitates access to and from the PSTN, whether directly or by making arrangements with a third party.
This can also be interpreted to mean that if any subscriber to a VoIP service can be reached at a phone number through that service, or can make an outgoing call to the PSTN somehow, then all subscribers to the service are subject to CALEA.

This is less of a problem for the likes of Vonage, who simply provide PSTN replacement, as the VoIP phone calls usually do transit the networks of the VoIP service providers, in contrast to the scenario described in the ITAA report. There is one principal reason for this: a service provider has to provide media proxies to allow subscribers behind firewalls to communicate with each other, and those proxies naturally sit at the boundary of the VoIP service provider's network. Since the majority of VoIP subscribers have broadband routers that provide network address translation and firewalling, then most (if not all) calls will be routed via media proxies.

These media proxies are commonly known in the industry as session border controllers, and they are much more than simply rendezvous points for firewalled subscribers: they provide firewalling for the service provider's own network, allowing in authenticated VoIP signaling and media traffic while protecting it from VoIP-borne threats. This processing of both the call signaling and the call contents makes them ideal for -- you guessed it -- wiretapping.

So, are the concerns of Vint Cerf and his colleagues misplaced? Those looking simply to replace the PSTN with something a little more flexible and a little cheaper, can simply use session border controllers for CALEA; those wanting to create innovative P2P communities, bypassing the PSTN altogether are probably OK (wiretapping then becomes the responsibility of the broadband access provider); but those wanting to marry innovation with the PSTN had best watch out.

The FCC's deadline for VoIP service providers to comply with CALEA is 14 May 2007. It will be interesting to see whether SkypeIn and SkypeOut are still available then.