[VOIPSEC] VoIP and Fraud

Brian Rosen br at brianrosen.net
Tue Feb 15 21:10:47 CST 2005


We've been working on this problem for some time.
Among other things, I am the chair of the long term
working group in NENA, the North American Emergency
Number Association, that is defining how we will do
9-1-1 in the long term.  There is considerable work
also occurring in the IETF, which has an entire work
group dedicated to location, and how it is represented
and kept private.  The latter is an essential component
of dealing with location, and the issue of forging
location has to be balanced with the issue of protecting
the privacy of the location.

I believe we are going to do it the way I described.
By using a digital signature, we can reasonably prevent
wholesale forgery.  Using timestamps, we can limit the
exposure of a replay attack.  There are some who want to
use a key mechanism (you give the client a key, which is
carried in place of location, to some entity that can
ask a Location Information Service what the location is).
This mitigates location replay somewhat more than carrying
location because the time window for replay is much smaller.

With VoIP, there isn't necessarily a trusted carrier.
You can run your own VoIP system.  We can't assume
a trust relationship with any entity (to be sure, in most
cases, the access network provider, who actually knows where
you are, is often a trustworthy entity, but it isn't always
possible to trust them).  We are not depending on any authentication
of the client with its proxy, because we don't trust the
proxy necessarily anyways.  We will protect the signaling
with TLS, but we will accept a self-signed cert.  We will
require TCP, and we won't complete the call until we get
the TCP round trip so that you can't spoof your IP address.

Your VPN example is a good one.  I often use a variation of 
this example where we have a patron in a Starbucks connected via
a WiFi hotspot to the Internet, with a VPN tunnel open to
her employer with a VoIP softclient running inside the tunnel.
Her employer is in Sierra Leone, where the emergency number
is not 9-1-1.

What we are doing will work correctly for this case.
When the PC was powered (or roams), the hotspot gives it
an IP address, with DHCP.  It will also give it location.
In slightly more detail, the DSL service provider at the
Starbucks will supply location.  The DSL modem will relay that
to the Access Point, and the Access Point will relay it to the
laptop.  The address in this case is the correct address: the
location of the Starbucks.  When a call to 9-1-1 is placed, the
Sierra Leone VoIP PBX will recognize it (details unimportant
here) and it will include location (the first=outer location)
in the SIP INVITE.  The Sierra Leone PBX will have access to
a global routing database that will translate the location to
the URI that the call should be forwarded to, with its location.
In this case, that would be a URI that would lead to the Chicago
PSAP.

Brian
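As an added illustration (not code from the thread or from NENA/IETF work) of the signature-plus-timestamp scheme described above: the access network signs the location together with the time it was asserted, and the routing element accepts it only if the signature checks out against a trusted attester and the object is inside a freshness window. Ed25519, the payload encoding and the five-minute window are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// SignedLocation is a constructed stand-in for a signed PIDF-LO style object.
type SignedLocation struct {
	Location string
	Issued   int64 // Unix seconds at attestation time
	Sig      []byte
}

// payload is what the signature covers: timestamp and location together,
// so a captured signature cannot be re-dated or moved to another location.
func payload(location string, issued int64) []byte {
	return []byte(fmt.Sprintf("%d|%s", issued, location))
}

// AttestLocation models the access network signing the location it handed out.
// Ed25519 is an assumption of this example; the thread names no algorithm.
func AttestLocation(priv ed25519.PrivateKey, location string, issued time.Time) SignedLocation {
	t := issued.Unix()
	return SignedLocation{Location: location, Issued: t, Sig: ed25519.Sign(priv, payload(location, t))}
}

// VerifyLocation is the routing element's check: signature from the trusted attester,
// then a freshness window bounding how long a replayed object remains usable.
func VerifyLocation(pub ed25519.PublicKey, sl SignedLocation, now time.Time, maxAge time.Duration) error {
	if !ed25519.Verify(pub, payload(sl.Location, sl.Issued), sl.Sig) {
		return errors.New("signature invalid: location not attested by trusted signer")
	}
	age := now.Sub(time.Unix(sl.Issued, 0))
	if age > maxAge {
		return errors.New("location too old: outside replay window")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	issued := time.Now()
	sl := AttestLocation(priv, "Starbucks, Chicago IL (constructed sample)", issued)
	fmt.Println("fresh:", VerifyLocation(pub, sl, issued.Add(10*time.Second), 5*time.Minute))
	fmt.Println("replayed later:", VerifyLocation(pub, sl, issued.Add(time.Hour), 5*time.Minute))
}
```

A deployment would also reject timestamps ahead of the verifier's clock beyond a small skew allowance, and the trusted attester's public key would have to be distributed to the routing element out of band.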


> -----Original Message-----
> From: Geoff Devine [mailto:gdevine at cedarpointcom.com]
> Sent: Tuesday, February 15, 2005 9:39 PM
> To: Brian Rosen; Voipsec at voipsa.org
> Subject: RE: [VOIPSEC] VoIP and Fraud
> 
> Brian Rosen wrote:
> > So the way this will work in VoIP if things go the way I think they are
> > going is:
> > 1. The PHONE learns its location when it boots using, for example, a new
> > option to carry location in DHCP
> > 2. When an emergency call is placed, the location is put in the
> > signaling on
> > the call using, for example, PIDF-LO for SIP.
> 
> Since the VoIP endpoint isn't trusted, this is not a secure way to
> implement the feature.  To build this feature in a secure way, you either
> need to have some trusted component within the service provider network
> implement the feature or you need a trusted network component to validate
> all the SIP signaling to ensure that the SIP User Agent isn't lying.
> 
> An approach could be to have the SIP Proxy (or a session controller)
> validate the contents of each SIP message from the user agent.  If it's
> supplying CallerID information, the SIP Proxy would have a policy that
> ensures the user agent isn't lying.  For 911 calls, it could have a policy
> to ensure that the UA isn't lying about coordinate information.  To make
> it truly secure, you're pretty much implementing a Back2Back User Agent
> since you can't allow anything to be passed on in the network that you
> can't understand and validate.
> 
> There are varying degrees of security policy and paranoia.  At one
> extreme, you have the lightweight SIP Proxy that doesn't even authenticate
> when a SIP user agent REGISTERs.  All SIP messages are blindly relayed.
> Slightly better than that, you can have a SIP Proxy that challenges the
> REGISTER so the User Agent is at least authenticated.  This is how Vonage
> works.  To get improved security, you can implement additional policy that
> enforces well-behaved protocol.  At the other extreme, you only pass
> things on to the network that you can understand and police.
> 
> I suggest we avoid using 911 in our examples since it's usually fairly
> easy to defeat any IP-based coordinate/location method.  With VPN, I can
> sit at my house and talk to the DHCP server at my office.  If I dial 911
> from a soft client on my home PC while I'm using my corporate VPN, it
> would get coordinate information indicating that it is at my office.
> 
> Geoff
> 