draft-ietf-stir-threats-01.txt   draft-ietf-stir-threats-02.txt 
Network Working Group                                        J. Peterson
Internet-Draft                                             NeuStar, Inc.
Intended status: Informational                         February 10, 2014
Expires: August 14, 2014

                 Secure Telephone Identity Threat Model
                      draft-ietf-stir-threats-02.txt

Abstract
As the Internet and the telephone network have become increasingly
interconnected and interdependent, attackers can impersonate or
obscure calling party numbers when orchestrating bulk commercial
calling schemes, hacking voicemail boxes or even circumventing multi-
factor authentication systems trusted by banks. This document
analyzes threats in the resulting system, enumerating actors,
reviewing the capabilities available to and used by attackers, and
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on August 14, 2014.

Copyright Notice

Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
2.  Actors  . . . . . . . . . . . . . . . . . . . . . . . . . . .   4
  2.1.  Endpoints . . . . . . . . . . . . . . . . . . . . . . . .   4
  2.2.  Intermediaries  . . . . . . . . . . . . . . . . . . . . .   4
  2.3.  Attackers . . . . . . . . . . . . . . . . . . . . . . . .   5
3.  Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . .   6
  3.1.  Voicemail Hacking via Impersonation . . . . . . . . . . .   6
  3.2.  Unsolicited Commercial Calling from Impersonated Numbers    7
  3.3.  Telephony Denial-of-Service Attacks . . . . . . . . . . .   8
4.  Attack Scenarios  . . . . . . . . . . . . . . . . . . . . . .   9
  4.1.  Solution-Specific Attacks . . . . . . . . . . . . . . . .  10
5.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .  11
6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  11
7.  Security Considerations . . . . . . . . . . . . . . . . . . .  11
8.  Informative References  . . . . . . . . . . . . . . . . . . .  11
Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  12
1.  Introduction and Scope

As is discussed in the STIR problem statement [2], the primary
enabler of robocalling, vishing, swatting and related attacks is the
capability to impersonate a calling party number. The starkest
examples of these attacks are cases where automated callees on the
PSTN rely on the calling number as a security measure, for example to
access a voicemail system. Robocallers use impersonation as a means
of obscuring identity; while robocallers can, in the ordinary PSTN,
block (that is, withhold) their calling number from presentation,
callees are less likely to pick up calls from blocked identities, and
therefore appearing to call from some number, any number, is
preferable. Robocallers however prefer not to call from a number
that can trace back to the robocaller, and therefore they impersonate
numbers that are not assigned to them.

The scope of impersonation in this threat model pertains solely to
the rendering of a calling telephone number to a callee (human user
or automaton) at the time of call set-up. The primary attack vector
is therefore one where the attacker contrives for the calling
telephone number in signaling to be a chosen number. In this attack,
the number is one that the attacker is not authorized to use (as a
caller), but gives in order for that number to be consumed or
rendered on the terminating side. The threat model assumes that this
attack simply cannot be prevented: there is no way to stop the
attacker from creating call setup messages that contain attacker-
chosen calling telephone numbers. The solution space therefore
focuses on ways that terminating or intermediary elements might
differentiate authorized from unauthorized calling party numbers, in
order that policies, human or automatic, might act on that
information.

Securing an authenticated calling party number at call set-up time
does not entail any assertions about the entity or entities that will
send and receive media during the call itself. In call paths with
intermediaries and gateways (as described below), there may be no way
to provide any assurance in the signaling about participants in the
media of a call. In those end-to-end IP environments where such
assurance is possible, it is highly desirable. However, in the
threat model described in this document, "impersonation" does not
consider impersonating an authorized listener after a call has been
established (e.g., as a third party attempting to eavesdrop on a
conversation). Attackers that could impersonate an authorized
listener require capabilities that robocallers and voicemail hackers
are unlikely to possess, and historically such attacks have not
played a role in enabling robocalling or related problems.

In SIP and even many traditional telephone protocols, call signaling
can be renegotiated after the call has been established. Using
various transfer mechanisms common in telephone systems, a callee can
easily be connected to, or conferenced in with, telephone numbers
other than the original calling number once a call has been
established. These post-setup changes to the call are outside the
scope of impersonation considered in this model. Furthermore, this
threat model does not include in its scope the verification of the
reached party's telephone number back to the originator of the call.
There is no assurance to the originator that they are reaching the
correct number, nor any indication when call forwarding has taken
place. This threat model is focused only on verifying the calling
party number to the callee.

In much of the PSTN, there exists a supplemental service that
translates calling party numbers into names, including the proper
names of people and businesses, for rendering to the called user.
These services (frequently marketed as part of 'Caller ID') provide a
further attack surface for impersonation. The threat model described
in this document addresses only the calling party number, even though
presenting a forged calling party number may cause a chosen calling
party name to be rendered to the user as well. Providing a
verifiable calling party number therefore improves the security of
calling party name systems, but this threat model does not consider
attacks specific to names. Such attacks may be carried out against
the databases consulted by the terminating side of a call to provide
calling party names, or by impersonators forging a particular calling
party number in order to present a misleading name to the user.
2.  Actors

2.1.  Endpoints

There are two main categories of end-user terminals relevant to this
discussion, a dumb device (such as a 'black phone') or a smart
device.

   Dumb devices comprise a simple dial pad, handset and ringer,
   optionally accompanied by a display that can render a limited
   number of characters. Typically the display renders enough
   characters for a telephone number and an accompanying name, but
   sometimes fewer are rendered. Although users interface with these
   devices, the intelligence that drives them lives in the service
   provider network.

   Smart devices are general purpose computers with some degree of
   programmability, and with the capacity to access the Internet and
   to render text, audio and/or images. This category includes smart
   phones, telephone applications on desktop and laptop computers, IP
   private branch exchanges, etc.

There is a further category of automated terminals without an end
user. These include systems like voicemail services, which may
provide a different set of services to a caller based solely on the
calling party's number, for example granting the (purported) mailbox
owner access to a menu while giving other callers only the ability to
leave a message. Though the capability of voicemail services varies
widely, many today have Internet access and advanced application
interfaces (to render 'visual voicemail,' [7] to automatically
transcribe voicemail to email, etc.).
2.2.  Intermediaries

The endpoints of a traditional telephone call connect through
numerous intermediary devices in the network. The set of
intermediary devices traversed during call setup between two
endpoints is referred to as a call path. The length of the call path
can vary considerably: it is possible in VoIP deployments for two
endpoint entities to send traffic to one another directly, but, more
commonly, several intermediaries exist in a VoIP call path. One or
more gateways also may appear on a call path.

   Intermediaries forward call signaling to the next device in the
   path. These intermediaries may also modify the signaling in order
   to improve interoperability, to enable proper network-layer media
   connections, or to enforce operator policy. This threat model
   assumes there are no restrictions on the modifications to
   signaling that an intermediary can introduce (which is consistent
   with the observed behavior of such devices).

   A gateway is a subtype of intermediary that translates call
   signaling from one protocol into another. In the process, gateways
   tend to consume any signaling specific to the original protocol
   (elements like transaction-matching identifiers) and may need to
   transcode or otherwise alter identifiers as they are rendered in
   the destination protocol.

This threat model assumes that intermediaries and gateways can
forward and retarget calls as necessary, which can result in a call
terminating at a place the originator did not expect; this is a
common condition in call routing. This observation is significant to
the solution space, because it limits the ability of the originator
to anticipate what the telephone number of the respondent will be
(for more on the "unanticipated respondent" problem, see [4]).

Furthermore, we assume that some intermediaries or gateways may, due
to their capabilities or policies, discard calling party number
information, in whole or part. Today, many IP-PSTN gateways simply
ignore any information available about the caller in the IP leg of
the call, and allow the telephone number of the PRI line used by the
gateway to be sent as the calling party number for the PSTN leg of
the call. A call might also gateway to a multi-frequency network
where only a limited number of digits of automatic numbering
identification (ANI) data are signaled, for example. Some protocols
may render telephone numbers in a way that makes it impossible for a
terminating side to parse or canonicalize a number. In these cases,
providing authenticated calling number data may be impossible, but
this is not indicative of an attack or other security failure.
2.3.  Attackers

We assume that an attacker has the following capabilities:

   An attacker can create telephone calls at will, originating them
   either on the PSTN or over IP, and can supply an arbitrary calling
   party number.

   An attacker can capture and replay signaling previously observed
   by it.

   An attacker has access to the Internet, and thus the ability to
   inject arbitrary traffic over the Internet, to access public
   directories, etc.

There are attack scenarios in which an attacker compromises
intermediaries in the call path, or captures credentials that allow
the attacker to impersonate a caller. Those system-level attacks are
not considered in this threat model, though secure design and
operation of systems to prevent these sorts of attacks is necessary
for envisioned countermeasures to work.

This threat model also does not consider scenarios in which the
operators of intermediaries or gateways are themselves adversaries
who intentionally discard valid identity information (without a user
requesting anonymity) or who send falsified identity; see
Section 4.1.
3.  Attacks

The uses of impersonation described in this section are broadly
divided into two categories: those where an attacker impersonates an
arbitrary identity in order to disguise its own, and those where an
attack will not succeed unless the attacker impersonates a specific
identity. At a high level, impersonation encourages targets to
answer attackers' calls and makes identifying attackers more
difficult. This section shows how concrete attacks based on those
different techniques might be launched.
3.1.  Voicemail Hacking via Impersonation

A voicemail service may allow users calling from their phones access
to their voicemail boxes on the basis of the calling party number.
If an attacker wants to access the voicemail of a particular target,
the attacker may try to impersonate the calling party number using
one of the scenarios described in Section 4.

This attack is closely related to attacks on similar automated
systems, potentially including banks, airlines, calling-card
services, conferencing providers, ISPs, and other businesses that
fully or partly grant access to resources on the basis of the calling
party number. It is analogous to an attack in which a human is
encouraged to answer a phone, or to divulge information once a call
is in progress, by seeing a familiar calling party number.

The envisioned countermeasures for this attack involve the voicemail
system treating calls that supply authenticated calling number data
differently from other calls. In the absence of that identity
information, for example, a voicemail service might enforce some
other caller authentication policy (perhaps requiring a PIN for
caller authentication). Asserted caller identity alone provides an
authenticated basis for granting access to a voice mailbox only when
an identity is claimed legitimately; the absence of calling identity
here may not be evidence of malice, just of uncertainty or a
limitation imposed by the set of intermediaries traversed for a
specific call path.

If the voicemail service could learn ahead of time that it should
expect authenticated calling number data from a particular number,
that would enable the voicemail service to adopt stricter policies
for handling a request without authentication data. Since users
typically contact a voicemail service repeatedly, the service could
for example remember which requests contain authenticated calling
number data and require further authentication mechanisms when
identity is absent. Alternatively, issuers of credentials or other
authorities could provide a service that informs verifiers that they
should expect identity in calls from particular numbers.
3.2.  Unsolicited Commercial Calling from Impersonated Numbers

The unsolicited commercial calling (or, for short, robocalling)
attack is similar to the voicemail attack, except that the robocaller
does not need to impersonate the particular number controlled by the
target, merely some "plausible" number. A robocaller may impersonate
a number that is not an assignable number (for example, in the United
States, a number beginning with 0), or an unassigned number. A
robocaller may change numbers every time a new call is placed, e.g.,
selecting numbers randomly.

A closely related attack is sending unsolicited bulk commercial
messages via text messaging services. These messages usually
originate on the Internet, though they may ultimately reach endpoints
over traditional telephone network protocols or the Internet. While
most text messaging endpoints are mobile phones, increasingly
broadband residential services support text messaging as well. The
originators of these messages typically impersonate a calling party
number, in some cases a "short code" specific to text messaging
services.

The envisioned countermeasures to robocalling are similar to those in
the voicemail example, but there are significant differences. One
important potential countermeasure is simply to verify that the
calling party number is in fact assignable and assigned. Unlike
voicemail services, end users typically have never been contacted by
the number used by a robocaller before. Thus they can't rely on past
association to anticipate whether or not the calling party number
should supply authenticated calling number data. If there were a
service that could inform the terminating side that it should expect
this data for calls or texts from that number, however, that would
also help in the robocalling case.
When a human callee is to be alerted at call setup time, the time When a human callee is to be alerted at call setup time, the time
frame for executing any countermeasures is necessarily limited. frame for executing any countermeasures is necessarily limited.
Ideally, a user would not be alerted that a call has been received Ideally, a user would not be alerted that a call has been received
until any necessary identity checks have been performed. This could until any necessary identity checks have been performed. This could
however result in inordinate post-dial delay from the perspective of however result in inordinate post-dial delay from the perspective of
legitimate callers. Cryptographic and network operations must be legitimate callers. Cryptographic and network operations must be
minimized for these countermeasures to be practical. For text minimized for these countermeasures to be practical. For text
messages, a delay for executing anti-impersonation countermeasures is messages, a delay for executing anti-impersonation countermeasures is
much less likely to degrade perceptible service. much less likely to degrade perceptible service.
The eventual effect of these countermeasures would be to force The eventual effect of these countermeasures would be to force
robocallers to either block their caller identity, in which case end robocallers to either block their caller identity, in which case end
users could opt not to receive their calls or messages, or to force users could opt not to receive such calls or messages, or to force
robocallers to use authenticated identity for numbers traceable to robocallers to use authenticated calling numbers traceable to them,
them, which would then allow for other forms of redress. which would then allow for other forms of redress.
3.3. Telephony Denial-of-Service Attacks 3.3. Telephony Denial-of-Service Attacks
In the case of telephony denial-of-service (or TDoS) attacks, the In the case of telephony denial-of-service (or TDoS) attacks, the
attack relies on impersonation in order to obscure the origin of an attack relies on impersonation in order to obscure the origin of an
attack that is intended to tie up telephone resources. By placing attack that is intended to tie up telephone resources. By placing
constant telephone calls, an attacker renders a target number incessant telephone calls, an attacker renders a target number
unreachable by legitimate callers. These attaacks might target a unreachable by legitimate callers. These attacks might target a
business, an individual or a public resource like emergency business, an individual or a public resource like emergency
responders; the attack may intend to extort the target or have other responders; the attacker may intend to extort the target. Attack
motivations. Attack calls may be placed from a single endpoint, or calls may be placed from a single endpoint, or from multiple
from multiple endpoints under the control of the attacker, and the endpoints under the control of the attacker, and the attacker may
attacker may control endpoints in different administrative domains. control endpoints in different administrative domains. Impersonation
Impersonation in this case allows the attack to evade policies that in this case allows the attack to evade policies that would block
would block based on the originating number, and furthermore prevents based on the originating number, and furthermore prevents the victim
the victim from learning the perpetrator of the attack, or even the from learning the perpetrator of the attack, or even the originating
originating service provider of the attacker. service provider of the attacker.
As is the case with robocalling, the attacker typically does not have As is the case with robocalling, the attacker typically does not have
to impersonate a specific number in order to launch a denial-of- to impersonate a specific number in order to launch a denial-of-
service attack. The number simply has to vary enough to prevent service attack. The number simply has to vary enough to prevent
simple policies from blocking the attack calls. An attacker may simple policies from blocking the attack calls. An attacker may
however have a further intention to create the appearance that a however have a further intention to create the appearance that a
particular party is to blame for an attack, and in that case, the particular party is to blame for an attack, and in that case, the
attacker might want to impersonate a secondary target in the attack. attacker might want to impersonate a secondary target in the attack.
The envisioned countermeasures are twofold. First, as with The envisioned countermeasures are twofold. First, as with
robocalling, ensuring that calling party numbers are assignable or robocalling, ensuring that calling party numbers are assignable or
assigned will help mitigate unsophisticated attacks. Second, if assigned will help mitigate unsophisticated attacks. Second, if
authenticated identity is supplied for legitimate calls, then authenticated calling number data is supplied for legitimate calls,
Internet endpoints or intermediaries can make effective policy then Internet endpoints or intermediaries can make effective policy
decisions in the middle of an attack by deprioritizing unsigned calls decisions in the middle of an attack by deprioritizing unsigned calls
when congestion conditions exist; signed calls, if accepted, have the when congestion conditions exist; signed calls, if accepted, have the
necessary accountability should it turn out they are malicious. This necessary accountability should it turn out they are malicious. This
could extend to include, for example, an originating network could extend to include, for example, an originating network
observing a congestion condition for a destination number and perhaps observing a congestion condition for a destination number and perhaps
dropping unsigned calls that are clearly part of a TDoS attack. As dropping unsigned calls that are clearly part of a TDoS attack. As
with robocalling, all of these countermeasures must execute in a with robocalling, all of these countermeasures must execute in a
timely manner to be effective. timely manner to be effective.
There are certain flavors of TDoS attacks, including those against There are certain flavors of TDoS attacks, including those against
emergency responders, against which authenticated identity is emergency responders, against which authenticated calling number data
unlikely to be a successful countermeasure. These entities are is unlikely to be a successful countermeasure. These entities are
effectively obligated to attempt to respond to every call they effectively obligated to attempt to respond to every call they
receive, and the absence of an authenticated identity signature, or receive, and the absence of authenticated calling number data in many
even the presence of an invalid signature, in many cases will not cases will not remove that obligation.
remove that obligation.
4. Attack Scenarios 4. Attack Scenarios
The examples that follow rely on Internet protocols including SIP [1] The examples that follow rely on Internet protocols including SIP [1]
and WebRTC. and WebRTC [3].
Impersonation, IP-PSTN Impersonation, IP-IP
An attacker on the Internet uses a commercial WebRTC service to send An attacker with an IP phone sends a SIP request to an IP-enabled
a call to the PSTN with a chosen calling party number. The service voicemail service. The attacker puts a chosen calling party number
contacts an Internet-to-PSTN gateway, which inserts the attacker's into the From header field value of the INVITE. When the INVITE
chosen calling party number into the SS7 call setup message (the CPN reaches the endpoint terminal, the terminal renders the attacker's
field of an IAM). When the call setup message reaches the
terminating telephone switch, the terminal renders the attacker's
chosen calling party number as the calling identity. chosen calling party number as the calling identity.
Impersonation, PSTN-PSTN Impersonation, PSTN-PSTN
An attacker with a traditional PBX (connected to the PSTN through An attacker with a traditional PBX (connected to the PSTN through
ISDN) sends a Q.931 SETUP request with a chosen calling party number ISDN) sends a Q.931 SETUP request with a chosen calling party number
which a service provider inserts into the corresponding SS7 calling which a service provider inserts into the corresponding SS7 [5]
party number (CPN) field of a call setup message (IAM). When the calling party number (CgPN) field of a call setup message (IAM).
call setup message reaches the endpoint switch, the terminal renders When the call setup message reaches the endpoint switch, the terminal
the attacker's chosen calling party number as the calling identity. renders the attacker's chosen calling party number as the calling
identity.
Impersonation, IP-IP Impersonation, IP-PSTN
An attacker with an IP phone sends a SIP request to an IP-enabled An attacker on the Internet uses a commercial WebRTC service to send
voicemail service. The attacker puts a chosen calling party number a call to the PSTN with a chosen calling party number. The service
into the From header field value of the INVITE. When the INVITE contacts an Internet-to-PSTN gateway, which inserts the attacker's
reaches the endpoint terminal, the terminal renders the attacker's chosen calling party number into the SS7 [5] call setup message (the
CgPN field of an IAM). When the call setup message reaches the
terminating telephone switch, the terminal renders the attacker's
chosen calling party number as the calling identity. chosen calling party number as the calling identity.
Impersonation, IP-PSTN-IP Impersonation, IP-PSTN-IP
An attacker with an IP phone sends a SIP request to the telephone An attacker with an IP phone sends a SIP request to the telephone
number of a voicemail service, perhaps without even knowing that the number of a voicemail service, perhaps without even knowing that the
voicemail service is IP-based. The attacker puts a chosen calling voicemail service is IP-based. The attacker puts a chosen calling
party number into the From header field value of the INVITE. The party number into the From header field value of the INVITE. The
attacker's INVITE reaches an Internet-to-PSTN gateway, which inserts attacker's INVITE reaches an Internet-to-PSTN gateway, which inserts
the attacker's chosen calling party number into the CPN of an IAM. the attacker's chosen calling party number into the CgPN of an IAM.
That IAM then traverses the PSTN until (perhaps after a call That IAM then traverses the PSTN until (perhaps after a call
forwarding) it reaches another gateway, this time back to the IP forwarding) it reaches another gateway, this time back to the IP
realm, to an H.323 network. The PSTN-IP gateway puts takes the realm, to an H.323 network. The PSTN-IP gateway puts takes the
calling party number in the IAM CPN field and puts it into the SETUP calling party number in the IAM CgPN field and puts it into the SETUP
request. When the SETUP reaches the endpoint terminal, the terminal request. When the SETUP reaches the endpoint terminal, the terminal
renders the attacker's chosen calling party number as the calling renders the attacker's chosen calling party number as the calling
identity. identity.
4.1. Solution-Specific Attacks 4.1. Solution-Specific Attacks
Solution-specific attacks are outside the scope of this document. Solution-specific attacks are outside the scope of this document.
There are a few points which future work on solution-specific threats
must acknowledge. The design of the credential system envisioned as
a solution to this threats must for example limit the scope of the
credentials issued to carriers or national authorities to those
numbers that fall under their purview. This will impose limits on
what (verifiable) assertions can be made by intermediaries.
Some of the attacks that should be considered in the future include Some of the attacks that should be considered in the future include
the following: the following:
Attacks Against In-band Attacks Against In-band
Token replay Token replay
Removal of in-band signaling features Removal of in-band signaling features
Attacks Against Out-of-Band Attacks Against Out-of-Band
Provisioning Garbage CPRs Provisioning Garbage CPRs
Data Mining Data Mining
Attacks Against Either Approach Attacks Against Either Approach
Attack on directories/services that say whether you should expect Attack on directories/services that say whether you should expect
authenticated identity or not authenticated calling number data or not
Canonicalization attacks Canonicalization attacks
5. Acknowledgments 5. Acknowledgments
David Frankel, Penn Pfautz, Stephen Kent, Brian Rosen, Alex Bobotek, David Frankel, Penn Pfautz, Stephen Kent, Brian Rosen, Alex Bobotek,
Henning Schulzrinne, Hannes Tschofenig, Cullen Jennings and Eric Henning Schulzrinne, Hannes Tschofenig, Cullen Jennings and Eric
Rescorla provided key input to the discussions leading to this Rescorla provided key input to the discussions leading to this
document. document.
6. IANA Considerations 6. IANA Considerations
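Review bot: the paragraph added to Section 4.1 in the right column reads "a solution to this threats"; that should be "these threats". In the same hunk, the IP-PSTN-IP scenario still says "The PSTN-IP gateway puts takes the calling party number in the IAM CgPN field" in both columns; suggest "The PSTN-IP gateway takes the calling party number from the IAM CgPN field and puts it into the SETUP request". The -02 text for emergency-responder TDoS also drops the left column's point that "even the presence of an invalid signature" would not remove the obligation to answer; for a threat model the invalid-signature case is the more important one, so if the removal was deliberate it deserves a sentence saying why. Finally, the rename from "authenticated identity" to "authenticated calling number data" was applied in 3.2, 3.3 and the 4.1 list, but "identity checks" in the post-dial-delay paragraph and "caller identity" in the last paragraph of 3.2 were left as is, and "Provisioning Garbage CPRs" in the 4.1 list uses an acronym the visible text never expands.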
skipping to change at page 11, line 23 skipping to change at page 11, line 31
8. Informative References 8. Informative References
[1] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, [1] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E. A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261, Schooler, "SIP: Session Initiation Protocol", RFC 3261,
June 2002. June 2002.
[2] Peterson, J., Schulzrinne, H., and H. Tschofenig, "Secure [2] Peterson, J., Schulzrinne, H., and H. Tschofenig, "Secure
Telephone Identity Problem Statement", draft-ietf-stir- Telephone Identity Problem Statement", draft-ietf-stir-
problem-statement-01 (work in progress), December 2013. problem-statement-03 (work in progress), January 2014.
[3] Peterson, J., "Retargeting and Security in SIP: A [3] Alvestrand, H., "Overview: Real Time Protocols for Brower-
based Applications", draft-ietf-rtcweb-overview-08 (work
in progress), September 2013.
[4] Peterson, J., "Retargeting and Security in SIP: A
Framework and Requirements", draft-peterson-sipping- Framework and Requirements", draft-peterson-sipping-
retarget-00 (work in progress), February 2005. retarget-00 (work in progress), February 2005.
[5] ITU-T, , "Signaling System No. 7; ISDN User Part Signaling
procedure", ITU-T URL:
http://www.itu.int/rec/T-REC-Q.764/_page.print, September
1997.
[6] ITU-T, , "ISDN user-network interface layer 3
specification for basic call control", ITU-T URL:
http://www.itu.int/rec/T-REC-Q.931-199805-I/en, May 1998.
[7] OMTP, , "Visual Voice Mail Interface Specification", URL:
http://www.gsma.com/newsroom/wp-content/uploads/2012/07/
OMTP_VVM_Specification_1_3.pdf, May 1998.
Author's Address Author's Address
Jon Peterson Jon Peterson
NeuStar, Inc. NeuStar, Inc.
1800 Sutter St Suite 570 1800 Sutter St Suite 570
Concord, CA 94520 Concord, CA 94520
US US
Email: jon.peterson@neustar.biz Email: jon.peterson@neustar.biz
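Review bot: reference [3] in the right column has "Brower-based" for "Browser-based". References [5], [6] and [7] carry an empty author slot ("ITU-T, ," and "OMTP, ,"), which the reference formatter emitted for a missing initials field; drop the stray comma. Reference [7]'s date "May 1998" is identical to [6]'s while its URL path points to a 2012 upload of version 1.3 of the OMTP specification, so the date looks copied from the entry above and should be verified against the document itself.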
 End of changes. 56 change blocks. 
147 lines changed or deleted 178 lines changed or added