[VOIPSEC] NY Times, ABC News reporting on fraud scheme using hacked VoIP service providers
Ajay Joseph
AJoseph at ibasis.net
Thu Jun 8 12:11:31 CDT 2006
I think what may be happening here is due to proprietary prefixes in the
called number to identify customers.
--Ajay--
-----Original Message-----
From: Zmolek, Andrew (Andy) [mailto:zmolek at avaya.com]
Sent: Thursday, June 08, 2006 12:35 PM
To: dan_york at Mitel.com; voipsec at voipsa.org
Subject: Re: [VOIPSEC] NY Times, ABC News reporting on fraud scheme using
hacked VoIP service providers
Sorry folks, encryption wasn't really the issue here (though a
well-designed PKI solution might have helped). Based on my conversations
with the NYT reporter yesterday (and detailed in DOJ press release
below), it seems clear that access to unencrypted signaling was not
exploited here:
"Through a practice known as a "Brute Force" attack, Pena
and others working with him acquired the proprietary codes
established by VOIP telecom providers to identify and accept
authorized calls entering their networks for routing,
according to the Complaint. The codes, known as "prefixes,"
are part of the call data that must be transmitted with each
VOIP telephone call."
Frankly, if the attacker had figured out how to leverage the unencrypted
signaling for reconnaissance, he wouldn't have had to brute force those
codes in the first place. I'm guessing that what was obtained were
credentials for SIP accounts, since the reporter kept referring to the
equipment as "proxies" in our conversation--but that's just a guess. But
it could have been that what was "cracked" was just the DID/ANI used in
the "from" address which is even less of a "code" (and certainly a poor
man's way to authenticate - as easy to spoof and prevent as IP
addressing). In any case, this isn't a whole lot different than
brute-forcing calling card numbers for old-school toll fraud.
The good news here is that if we can learn a bit more about what
authentication systems were exploited, we might be able to make the case
as a community that VoIP has fundamentally better authentication
solutions. Using PKI (or even alphanumeric passwords) for authentication
is something that wasn't as realistic in the TDM world, but is easy to
do with VoIP. Of course, as long as VoIP has to be integrated with the
PSTN there will always be some PINs required for backwards compatibility
at some point near the gateway. And until SS7 gets upgraded with a more
secure peering security model (a la BGP for IP), ANI spoofing will
continue to be unbelievably easy to pull off in a multi-carrier world.
/\\//\Y/\ Andy Zmolek | zmolek at avaya.com | 303-538-6040
Senior Manager, Security Planning and Strategy
GCS Security Technology Development | Avaya, Inc.
-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of dan_york at Mitel.com
Sent: Thursday, June 08, 2006 9:02 AM
To: voipsec at voipsa.org
Subject: [VOIPSEC] NY Times, ABC News reporting on fraud scheme using
hacked VoIP service providers
VOIPSEC readers,
Dave Endler wrote about this on the VOIPSA blog last night
(http://voipsa.org/blog/2006/06/07/hacker-cracks-net-phone-providers-for-gain/)
but list member Craig Bowser also dropped me a note today pointing out
that this item was being discussed by ABC News (Thanks, Craig!). If you
haven't followed the story, this summary is from the US Dept of Justice
press release yesterday:
NEWARK, N.J. - A Miami man who purported to be a legitimate wholesaler
of Internet-based phone services was arrested today for allegedly
running a sophisticated fraud, by secretly hacking into the computer
networks of unsuspecting Voice Over Internet Protocol (VOIP) telephone
service providers, including one Newark-based company, to route his
customers' calls, U.S. Attorney Christopher J. Christie announced.
Through his scheme, defendant Edwin Andres Pena, is alleged to have sold
more than 10 million minutes of Internet phone service to telecom
businesses at deeply discounted rates. The victimized Newark-based
company, which transmits VOIP services for other telecom businesses, was
billed for more than 500,000 unauthorized telephone calls routed through
its calling network that were "sold" to the defendant's unwitting
customers at those deeply discounted rates
More links here:
DOJ press release:
http://www.usdoj.gov/usao/nj/publicaffairs/NJ_Press/files/pena0607_r.htm
NY Times:
http://news.com.com/Hacker+cracked+Net+phone+networks+for+gain,+feds+say/2100-7348_3-6081014.html
ABC News: http://abcnews.go.com/Technology/wireStory?id=2051976&page=1
Interestingly, it seems the defendant paid a hacker $20,000 to break
into the VoIP service providers and set this up.
The NY Times article quoted a Verisign rep who pointed out that a large
part of the issue is that many consumer VoIP vendors primarily send
their traffic over the Internet un-encrypted. Of course, one would
expect Verisign to say this, given their business... but I do agree with
them on this point. While encryption is not a cure-all, it certainly
would have made a fraud like this very difficult to do.
Regards,
Dan
--
Dan York, CISSP
Dir of IP Technology, Office of the CTO
Mitel Corp. http://www.mitel.com
dan_york at mitel.com +1-613-592-2122
PGP key (F7E3C3B4) available for
secure communication
_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
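Added example, not part of the original thread or any poster's code: a detection sketch for the prefix brute-forcing described in the DOJ excerpt above, flagging sources that are rejected on many distinct prefixes and noting which prefix was later accepted. The log format (source IP, called number as `<prefix>#<destination>`, result), the threshold and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample gateway log (not real data). Assumed fields:
# source IP, called number as "<prefix>#<destination>", and call result.
SAMPLE_LOG = """\
203.0.113.9 4410#12125550101 REJECTED
203.0.113.9 4411#12125550101 REJECTED
203.0.113.9 4412#12125550101 REJECTED
203.0.113.9 4413#12125550101 REJECTED
203.0.113.9 4414#12125550101 ACCEPTED
203.0.113.9 4414#13055550199 ACCEPTED
198.51.100.20 7731#14155550123 ACCEPTED
198.51.100.20 7731#14155550177 ACCEPTED
198.51.100.20 7713#14155550123 REJECTED
"""

def parse(log_text):
    """Yield (source, prefix, accepted) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or "#" not in parts[1]:
            continue  # skip malformed records rather than guess
        prefix = parts[1].split("#", 1)[0]
        yield parts[0], prefix, parts[2] == "ACCEPTED"

def find_prefix_guessing(log_text, min_rejected_prefixes=4):
    """Flag sources that were rejected on many distinct prefixes.

    Returns {source: {"rejected": n, "accepted_after": [prefixes]}}.
    Prefixes accepted once a source has crossed the threshold are the
    ones to review and rotate first.
    """
    rejected = defaultdict(set)
    accepted_after = defaultdict(set)
    for source, prefix, accepted in parse(log_text):
        if not accepted:
            rejected[source].add(prefix)
        elif len(rejected[source]) >= min_rejected_prefixes:
            accepted_after[source].add(prefix)
    return {
        src: {"rejected": len(p), "accepted_after": sorted(accepted_after[src])}
        for src, p in rejected.items()
        if len(p) >= min_rejected_prefixes
    }

if __name__ == "__main__":
    for src, info in find_prefix_guessing(SAMPLE_LOG).items():
        print(src, info)
```

A single mistyped prefix from a legitimate customer (the second source in the sample) stays below the threshold and is not flagged.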