[VOIPSEC] Watering down VoIP security expectations

Tobias Glemser tglemser at tele-consulting.com
Fri Mar 10 08:19:10 CST 2006 

Mark,

 > When attempting to filter Spam over Internet Telephony (SPIT), it is
 > much harder for VoIP vendors or ancillary product vendors to design
 > content filters based (..)

I totally agree with you that the inspection of SPIT is way more 
difficult than the inspection of SPAM. By nature a "Anti-SPIT-System" 
will never be able to analyze the content of a call. But, and this is 
were SPAM and SPIT can be treated the same, this system could analyze 
the headers of each call.
In our researches we recognized, that many end-devices accept almost 
every rubbish content of headers, as long it's syntactically correct. 
Even MUSTs of some RFCs are just ignored.
In my opinion, this would be a first attempt to filter some SPIT: Check 
the validity of all header information.

Another point is, that your phone normally only accepts incoming calls 
from its very own SIP-Proxy (this is how it _should_ be, many phones 
ring even if they're not logged on to any SIP-Proxy).
Calls without costs for the connection are normally only available 
between customers of one SIP ServiceProvider and other cross-connected 
networks.
So if someone who wants to send SPIT, he wants to do it for free, of 
course. In other words, he has to have a valid login to the 
ServiceProvider you ("the target") is connected to. It's not that hard 
for SPs to recognize SPITTERs on their systems very fast and efficient, 
e. g. by providing a "I've been SPITtey by.." webform for their customers.

To put this together:
1. Your phone only accepts incoming calls from your SIP-Proxy.
2. -> a SPITTER has to be on the same or a cross-connected SIP-Provider 
to make the call without costs
3. -> he has to have a valid account
4. -> the SP has to establish barriers at the registering process (e. g. 
one money transfer from a bank account, even if the SIP-Provider offers 
his services for free)
5. -> the SP has to establish good SPIT reporting systems

This would mean to a SPITTER
1. If he wants to make free calls, he has to get through this 
registration process
2. He has to register quite often whith changing bank accounts
3. He has to make sure that he can not be traced back by the authorities 
because he sent SPIT and transfered money from his bank account
4. He could attack the end-device to avoid that only calls from the 
SIP-Proxy are accepted (e. g. by DNS-poisoning), but this seems a little 
bit to extensive
5. He could pay for the call at his POTS provider elsewhere

So my second conclusion for this day :) :
Maybe the solution to reduced SPIT does not exist in only technical, but 
organisational concepts.

Cheers,

Toby



Mark Teicher wrote on 10.03.2006 14:20:
> If we go by SPAM by the numbers: 55 is the percentage of companies that have not implemented spam filtering due to the fact that they are afraid legitimate messages may be blocked, 19 is the percentage of opt-in, legitimate electronic mail from electronic newsletter publishers that never reach subscribers due to over-active spam filters, 400 is the number of domain names used by a typical spammer (source: National Spam Mail Abuse Association). For SPAM it is accurate to state that a majority of the electronic mail people receive can be broken out into various categories (i.e. personal correspondence, work-related correspondence, opt-in newsletters, bulletins, mailing lists, e-mail alerts).   
> 
> When attempting to filter Spam over Internet Telephony (SPIT), it is much harder for VoIP vendors or ancillary product vendors to design content filters based on tell-tale calling patterns, war dialers, short call durations, patterns of spoken words or phrases or communicating with someone who legitimately has Tourette's Syndrome, faint calls, calls originating from people on headsets utilizing a public restroom at an airport, originating call tracking, poor call quality, etc.  It is much different problem than addressing SPAM, although most argue it is a combined problem, when it really isn't.  Although there are probably people who post to the list that have written or published ways of reducing SPIT in a converged network environment, hopefully they will have something helpful to contribute.
> 
> 
> 
> 
> On Fri, Mar 10, 2006 at 10:16:00AM +0100, Tobias Glemser wrote:
>> So my conclusion is this:
>> The SPAM/SPIT problem will never be beaten, we can only try to develop 
>> better and better solutions to eleminate as many SPAM/SPIT as possible 
>> before it reaches the user. This is where we can evolve, just have a 
>> look at Anti-SPAM Boxes today. The race has begun but it will never finish.
> 
> 
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Ari Takanen
> Sent: Friday, March 10, 2006 4:51 AM
> To: Tobias Glemser
> Cc: voipsec at voipsa.org
> Subject: Re: [VOIPSEC] Watering down VoIP security expectations.
> 
> Hello all,
> 
> Good conclusion there Tobias. There is no technical solution for SPAM
> as it is not a technical problem. It is a problem in all free, open
> and un-moderated services. There is no way people can beat SPAM in
> "Free Internet Telephony", and that is exactly why there is a business
> opportunity in VoIP. People will still pay for good service.
> 
> The best prevention methods that aim at this focus on providing:
> 
> - reliable identity (SIM cards in mobile phones is one good idea)
> - generic legislation, and specific contract practices between parties
> - trust relationships between VoIP providers
> 
> So if someone spams you from Romania, you should be able to know who
> to blame. The carriers will blacklist VoIP providers and servers that
> do not act according to best practices, and hopefully someone will sue
> the negligent service providers. Problem solved.
> 
> This still leaves SPAM bots, and other attacks where a system is
> compromised and a trojan is installed on the system. This is a reason
> why you should use reliable platforms and devices. List of Codenomicon
> recommended vendors is available on our web site!
> 
> /Ari
> 
> PS: Update your VoIP devices regularly!
> 
> On Fri, Mar 10, 2006 at 10:16:00AM +0100, Tobias Glemser wrote:
>> So my conclusion is this:
>> The SPAM/SPIT problem will never be beaten, we can only try to develop 
>> better and better solutions to eleminate as many SPAM/SPIT as possible 
>> before it reaches the user. This is where we can evolve, just have a 
>> look at Anti-SPAM Boxes today. The race has begun but it will never finish.
> 
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> 
> 
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>

More information about the Voipsec mailing list