[VOIPSEC] VoIP and Fraud
Geoff Devine
gdevine at cedarpointcom.com
Fri Mar 11 08:26:13 CST 2005
Maybe we need a little history here....
In the dark ages, Class 5 offices operated by the ILEC signaled the 7-digit subscriber phone number to the 911 tandem switch operated by the PSAP (Public Services Access Provider) over T1 using dialpulse, MF, or DTMF tones. This subscriber phone number was part of the database inside the Class 5 office. The ILEC would provide daily updates to the PSAP as they added, moved, and deleted subscribers giving the PSAP the physical street address that went with each phone number. On receipt of any 911 call, the PSAP would do a lookup in this database and route the call to the correct answering position based on the town/city in the database.
A key requirement in the wireline 911 environment is that only the PSAP can release the call. If the subscriber who dials 911 hangs up their phone, when they go offhook again, they're still connected to the PSAP.
Over time, the wireline network added features. The 7-digit stuff expanded to 10-digit. Signaling could be done by either legacy T1 Pulse/Tone or via SS#7. Special handling was added to deal with PBXs where the PBX was trusted to signal the correct calling party number.
In the cellular network, it's done somewhat differently. The cellular service provider passes the PSAP the geographical coordinates of the caller along with their phone number. The phone assists in this by reporting the signal strength it sees with multiple base stations but modern base stations have a means of validating this. Some older PSAP 911 tandems don't know how to deal with this so a mobile 911 call may very well route to a generic answering position in some jurisdictions.
When you introduce VoIP into the mix, you have issues with both trust and mobility. If you dig back in the archives, Brian Rosen explained a very useful proposed solution he's working on. To solve the mobility issue, his group suggests that there be a local service a VoIP device can query to find its geographical location. For example, the WiFi router in your local Starbucks would answer back with the geographical location of that Starbucks. The VoIP device would then provide this geographical information to the network & PSAP as part of VoIP signaling for 911 calls.
http://voipsa.org/pipermail/voipsec_voipsa.org/2005-February/000076.html
The issue still remains with respect to trust and 911 calls. In legacy wireline networks, you can trust that the phone dialing 911 isn't lying about position since it's either at the end of a copper strand from an ILEC or hanging off a business PBX that has a commercial arrangement with the ILEC. In wireless, the cellular service provider provides the geographical location. In VoIP, the location is signaled by the end device and it's possible to lie. If the signaling is encrypted between the SIP UA and the SIP Proxy, it's difficult to insert the paranoia needed to ensure that the UA isn't lying. You can use digital certificates to deal with this but there's a public policy issue that you might not want to deny 911 service to a user who doesn't have a proper digital certificate since so many VoIP devices don't participate in a Verisign-like certificate scheme. As services like Skype proliferate, the problem just gets more difficult. I'm not sure there's a good answer here unless you force everybody to go to a hardened (not self-signed) digital certificate scheme.
Geoff
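The two constraints in the message above (a device-asserted location can be false, yet a 911 call should not be refused for lack of credentials) can be reconciled by verifying a location assertion when it is signed and admitting the call either way with a trust label. This is an added example, not part of the original post or of any deployed E911 system; the location service, key table and field names are hypothetical, and an HMAC stands in for the certificate signature the post mentions.

```python
import hashlib
import hmac
import json

# Constructed demo key for a hypothetical local location service; an HMAC
# stands in here for the certificate-based signature discussed in the post.
LOCATION_SERVICE_KEYS = {"loc-svc-1": b"constructed-demo-key"}


def _tag(key, payload):
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def sign_location(service_id, key, lat, lon):
    """What the location service would hand to the VoIP device."""
    payload = json.dumps({"svc": service_id, "lat": lat, "lon": lon}, sort_keys=True)
    return {"payload": payload, "tag": _tag(key, payload)}


def classify_location(assertion):
    """Return (location, trust). Malformed input is classified, not raised."""
    if assertion is None:
        return None, "absent"
    try:
        payload = assertion["payload"]
        claims = json.loads(payload)
        location = (float(claims["lat"]), float(claims["lon"]))
        key = LOCATION_SERVICE_KEYS.get(claims.get("svc"))
        tag = str(assertion.get("tag", "")).encode()
        ok = key is not None and hmac.compare_digest(_tag(key, payload).encode(), tag)
    except (AttributeError, KeyError, TypeError, ValueError):
        return None, "malformed"
    # "unverified" means device-asserted only: usable as a hint, not as fact.
    return location, ("verified" if ok else "unverified")


def route_emergency_call(caller, assertion):
    """Admit every 911 call; trust only changes how the location is treated."""
    location, trust = classify_location(assertion)
    return {
        "caller": caller,
        "admit": True,
        "location": location,
        "trust": trust,
        "confirm_location_verbally": trust != "verified",
    }
```

The tag here carries no timestamp or device binding, so a captured assertion could be replayed from elsewhere; a real scheme would need both.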
________________________________
Date: Thu, 10 Mar 2005 19:31:03 -0500
From: natas natas <natas05 at gmail.com>
Subject: RE: [VOIPSEC] VoIP and Fraud
To: Voipsec at voipsa.org
Message-ID: <90729e4905031016313541f9fb at mail.gmail.com>
Content-Type: text/plain; charset=US-ASCII
When you say CLID are you referring to the ANI (Billing Telephone
Number) or Caller ID? Why would such an important system like E911
only rely on Caller ID information??? These commercially available
sites that offer Caller ID spoofing do not spoof any sort of ANI,
which is what I was told E911 utilized. Also, I don't believe that any
of these spoofing sites have access to E911 services as their carriers
do not have access to E911 at this time, so the only way to do
anything to E911 would be through a backdoor POTS number.
I also see this as a security problem and not a fraud problem.
-Natas
Mark Fletcher fletch at nortel.com writes:
>Take the E911 system for example, no location data is actually 'passed' from
>the origination point. The E911 Location screen is populated at the
>dispatcher console based on a ALI database dip using the CLID as the index.
>So for example in NJ, I can be in Atlantic City, hit a local PRI trunk with
>spoofed CLID, and end up at a PSAP in Newark (practically the other end of
>the State). E911 routing is based on CLID and nothing else, and
>unfortunately that is now easier to spoof.
Mark Fletcher fletch at nortel.com writes:
> There are many potential areas, but one that concerns me is the
> ability for a user to easily spoof their Caller ID. Typically this has
> only been available to administrators of a PBX with PRI circuits. Many
> call this 'security via obscurity'. By spoofing CLID, a caller could
> raise havoc with Emergency Services and the national E9-1-1 system, or
> use a spoofed CLID to socially engineer people into giving up personal
> information.