draft-ietf-stir-threats-03.txt   draft-ietf-stir-threats-04.txt 
Network Working Group J. Peterson Network Working Group J. Peterson
Internet-Draft NeuStar, Inc. Internet-Draft NeuStar, Inc.
Intended status: Informational June 11, 2014 Intended status: Informational August 12, 2014
Expires: December 13, 2014 Expires: February 13, 2015
Secure Telephone Identity Threat Model Secure Telephone Identity Threat Model
draft-ietf-stir-threats-03.txt draft-ietf-stir-threats-04.txt
Abstract Abstract
As the Internet and the telephone network have become increasingly As the Internet and the telephone network have become increasingly
interconnected and interdependent, attackers can impersonate or interconnected and interdependent, attackers can impersonate or
obscure calling party numbers when orchestrating bulk commercial obscure calling party numbers when orchestrating bulk commercial
calling schemes, hacking voicemail boxes or even circumventing multi- calling schemes, hacking voicemail boxes or even circumventing multi-
factor authentication systems trusted by banks. This document factor authentication systems trusted by banks. This document
analyzes threats in the resulting system, enumerating actors, analyzes threats in the resulting system, enumerating actors,
reviewing the capabilities available to and used by attackers, and reviewing the capabilities available to and used by attackers, and
skipping to change at page 1, line 37 skipping to change at page 1, line 37
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 13, 2014. This Internet-Draft will expire on February 13, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 33 skipping to change at page 3, line 33
listener require capabilities that robocallers and voicemail hackers listener require capabilities that robocallers and voicemail hackers
are unlikely to possess, and historically such attacks have not are unlikely to possess, and historically such attacks have not
played a role in enabling robocalling or related problems. played a role in enabling robocalling or related problems.
In SIP and even many traditional telephone protocols, call signaling In SIP and even many traditional telephone protocols, call signaling
can be renegotiated after the call has been established. Using can be renegotiated after the call has been established. Using
various transfer mechanisms common in telephone systems, a callee can various transfer mechanisms common in telephone systems, a callee can
easily be connected to, or conferenced in with, telephone numbers easily be connected to, or conferenced in with, telephone numbers
other than the original calling number once a call has been other than the original calling number once a call has been
established. These post-setup changes to the call are outside the established. These post-setup changes to the call are outside the
scope of impersonation considered in this model. Furthermore, this scope of impersonation considered in this model: the motivating use
threat model does not include in its scope the verification of the cases of defeating robocalling, voicemail hacking and swatting all
reached party's telephone number back to the originator of the call. rely on impersonation during the initial call setup. Furthermore,
There is no assurance to the originator that they are reaching the this threat model does not include in its scope the verification of
correct number, nor any indication when call forwarding has taken the reached party's telephone number back to the originator of the
call. There is no assurance to the originator that they are reaching
the correct number, nor any indication when call forwarding has taken
place. This threat model is focused only on verifying the calling place. This threat model is focused only on verifying the calling
party number to the callee. party number to the callee.
In much of the PSTN, there exists a supplemental service that In much of the PSTN, there exists a supplemental service that
translates calling party numbers into names, including the proper translates calling party numbers into names, including the proper
names of people and businesses, for rendering to the called user. names of people and businesses, for rendering to the called user.
These services (frequently marketed as part of 'Caller ID') provide a These services (frequently marketed as part of 'Caller ID') provide a
further attack surface for impersonation. The threat model described further attack surface for impersonation. The threat model described
in this document addresses only the calling party number, even though in this document addresses only the calling party number, even though
presenting a forged calling party number may cause a chosen calling presenting a forged calling party number may cause a chosen calling
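Review bot: the new sentence closing the paragraph on post-setup changes cites "robocalling, voicemail hacking and swatting" as the motivating use cases, but the Abstract above lists bulk commercial calling, voicemail hacking and circumventing multi-factor authentication, and swatting appears nowhere else in the visible text. Either add swatting to the Abstract (or point to where the problem statement introduces it) or drop it here so the scope justification and the Abstract name the same use cases. The rest of this change is a pure reflow of "Furthermore, this threat model does not include in its scope ..." and reads fine.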
skipping to change at page 6, line 14 skipping to change at page 6, line 14
An attacker has access to the Internet, and thus the ability to An attacker has access to the Internet, and thus the ability to
inject arbitrary traffic over the Internet, to access public inject arbitrary traffic over the Internet, to access public
directories, etc. directories, etc.
There are attack scenarios in which an attacker compromises There are attack scenarios in which an attacker compromises
intermediaries in the call path, or captures credentials that allow intermediaries in the call path, or captures credentials that allow
the attacker to impersonate a caller. Those system-level attacks are the attacker to impersonate a caller. Those system-level attacks are
not considered in this threat model, though secure design and not considered in this threat model, though secure design and
operation of systems to prevent these sorts of attacks are necessary operation of systems to prevent these sorts of attacks are necessary
for envisioned countermeasures to work. for envisioned countermeasures to work. To date, robocallers and
other impersonators do not resort to compromising systems, but rather
exploit the intrinsic lack of secure identity in existing mechanisms:
it is remedying this problem that lies within the scope of this
threat model.
This threat model also does not consider scenarios in which the This threat model also does not consider scenarios in which the
operators of intermediaries or gateways are themselves adversaries operators of intermediaries or gateways are themselves adversaries
who intentionally discard valid identity information (without a user who intentionally discard valid identity information (without a user
requesting anonymity) or who send falsified identity; see requesting anonymity) or who send falsified identity; see
Section 4.1. Section 4.1.
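Review bot: the added sentence "To date, robocallers and other impersonators do not resort to compromising systems" is an empirical claim with no reference, and it sits directly after the existing statement that secure design and operation against exactly those compromises is necessary for the countermeasures to work. Suggest stating it as a scoping decision rather than an observation, e.g. "Compromise of intermediaries or credentials is not what enables the attacks this document is concerned with; they exploit the intrinsic lack of secure identity in existing mechanisms, and remedying that lack is what lies within the scope of this threat model." That also fixes the awkward "it is remedying this problem that lies within the scope" after the colon.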
3. Attacks 3. Attacks
The uses of impersonation described in this section are broadly The uses of impersonation described in this section are broadly
divided into two categories: those where an attacker impersonates an divided into two categories: those where an attack will not succeed
arbitrary identity in order to disguise its own, and those where an unless the attacker impersonates a specific identity, and those where
attack will not succeed unless the attacker impersonates a specific an attacker impersonates an arbitrary identity in order to disguise
identity. At a high level, impersonation encourages targets to its own. At a high level, impersonation encourages targets to answer
answer attackers' calls and makes identifying attackers more attackers' calls and makes identifying attackers more difficult.
difficult. This section shows how concrete attacks based on those This section shows how concrete attacks based on those different
different techniques might be launched. techniques might be launched.
3.1. Voicemail Hacking via Impersonation 3.1. Voicemail Hacking via Impersonation
A voicemail service may allow users calling from their phones access A voicemail service may allow users calling from their phones access
to their voicemail boxes on the basis of the calling party number. to their voicemail boxes on the basis of the calling party number.
If an attacker wants to access the voicemail of a particular target, If an attacker wants to access the voicemail of a particular target,
the attacker may try to impersonate the calling party number using the attacker may try to impersonate the calling party number using
one of the scenarios described in Section 4. one of the scenarios described in Section 4.
This attack is closely related to attacks on similar automated This attack is closely related to attacks on similar automated
systems, potentially including banks, airlines, calling-card systems, potentially including banks, airlines, calling-card
services, conferencing providers, ISPs, and other businesses that services, conferencing providers, ISPs, and other businesses that
fully or partly grant access to resources on the basis of the calling fully or partly grant access to resources on the basis of the calling
party number. It is analogous to an attack in which a human is party number alone (rather than any shared secret or further identity
encouraged to answer a phone, or to divulge information once a call check). It is analogous to an attack in which a human is encouraged
is in progress, by seeing a familiar calling party number. to answer a phone, or to divulge information once a call is in
progress, by seeing a familiar calling party number.
The envisioned countermeasures for this attack involve the voicemail The envisioned countermeasures for this attack involve the voicemail
system treating calls that supply an authenticated calling number system treating calls that supply an authenticated calling number
data differently from other calls. In the absence of that identity data differently from other calls. In the absence of that identity
information, for example, a voicemail service might enforce some information, for example, a voicemail service might enforce some
other caller authentication policy (perhaps requiring a PIN for other caller authentication policy (perhaps requiring a PIN for
caller authentication). Asserted caller identity alone provides an caller authentication). Asserted caller identity alone provides an
authenticated basis for granting access to a voice mailbox only when authenticated basis for granting access to a voice mailbox only when
an identity is claimed legitimately; the absence of calling identity an identity is claimed legitimately; the absence of a verifiably
here may not be evidence of malice, just of uncertainty or a legitimate calling identity here may not be evidence of malice, just
limitation imposed by the set of intermediaries traversed for a of uncertainty or a limitation imposed by the set of intermediaries
specific call path. traversed for a specific call path.
If the voicemail service could learn ahead of time that it should If the voicemail service could learn ahead of time that it should
expect authenticated calling number data from a particular number, expect authenticated calling number data from a particular number,
that would enable the voicemail service to adopt stricter policies that would enable the voicemail service to adopt stricter policies
for handling a request without authentication data. Since users for handling a request without authentication data. Since users
typically contact a voicemail service repeatedly, the service could typically contact a voicemail service repeatedly, the service could
for example remember which requests contain authenticated calling for example remember which requests contain authenticated calling
number data and require further authentication mechanisms when number data and require further authentication mechanisms when
identity is absent. Alternatively, issuers of credentials or other identity is absent. The deployment of such a feature would be
authorities could provide a service that informs verifiers that they facilitated in many environments by the fact that the voicemail
should expect identity in calls from particular numbers. service is often operated by an organization that would be in a
position to enable or require authentication of calling party
identity (for example, carriers or enterprises). Even if the
voicemail service is decoupled from the number assignee, issuers of
credentials or other authorities could provide a service that informs
verifiers that they should expect identity in calls from particular
numbers.
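Review bot: the change in the second paragraph of 3.1 replaces "the absence of calling identity" with "the absence of a verifiably legitimate calling identity", which is the right distinction, but the next paragraph still says "a request without authentication data" and "when identity is absent". Use one term throughout (the paragraph's own "authenticated calling number data" works) so a reader does not conflate a missing identity assertion with one that is present but cannot be verified; the stricter-policy logic applies to both cases. In the new deployment text, "an organization that would be in a position to enable or require authentication of calling party identity (for example, carriers or enterprises)" is ambiguous about whether that organization is acting as the verifier (the voicemail side) or is the party able to get the calling number authenticated at origination; one clause saying which is meant would remove the ambiguity.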
3.2. Unsolicited Commercial Calling from Impersonated Numbers 3.2. Unsolicited Commercial Calling from Impersonated Numbers
The unsolicited commercial calling, or for short robocalling, attack The unsolicited commercial calling, or for short robocalling, attack
is similar to the voicemail attack, except that the robocaller does is similar to the voicemail attack, except that the robocaller does
not need to impersonate the particular number controlled by the not need to impersonate the particular number controlled by the
target, merely some "plausible" number. A robocaller may impersonate target, merely some "plausible" number. A robocaller may impersonate
a number that is not an assignable number (for example, in the United a number that is not an assignable number (for example, in the United
States, a number beginning with 0), or an unassigned number. A States, a number beginning with 0), or an unassigned number. This
robocaller may change numbers every time a new call is placed, e.g., behavior is seen in the wild today. A robocaller may change numbers
selecting numbers randomly. every time a new call is placed, e.g., selecting numbers randomly.
A closely related attack is sending unsolicited bulk commercial A closely related attack is sending unsolicited bulk commercial
messages via text messaging services. These messages usually messages via text messaging services. These messages usually
originate on the Internet, though they may ultimately reach endpoints originate on the Internet, though they may ultimately reach endpoints
over traditional telephone network protocols or the Internet. While over traditional telephone network protocols or the Internet. While
most text messaging endpoints are mobile phones, increasingly, most text messaging endpoints are mobile phones, increasingly,
broadband residential services support text messaging as well. The broadband residential services support text messaging as well. The
originators of these messages typically impersonate a calling party originators of these messages typically impersonate a calling party
number, in some cases a "short code" specific to text messaging number, in some cases a "short code" specific to text messaging
services. services.
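Review bot: "This behavior is seen in the wild today." is inserted after the example of impersonating a non-assignable or unassigned number with no reference and no indication of which behavior is meant (non-assignable numbers, unassigned numbers, or the per-call randomization described in the following sentence). Either cite a source or tie the sentence to the specific practice, e.g. "Impersonation of unassigned and non-assignable numbers is observed in practice today.", and consider moving it after the sentence on changing numbers per call if that practice is included.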
skipping to change at page 10, line 25 skipping to change at page 10, line 36
That IAM then traverses the PSTN until (perhaps after a call That IAM then traverses the PSTN until (perhaps after a call
forwarding) it reaches another gateway, this time back to the IP forwarding) it reaches another gateway, this time back to the IP
realm, to an H.323 network. The PSTN-IP gateway takes the calling realm, to an H.323 network. The PSTN-IP gateway takes the calling
party number in the IAM CgPN field and puts it into the SETUP party number in the IAM CgPN field and puts it into the SETUP
request. When the SETUP reaches the endpoint terminal, the terminal request. When the SETUP reaches the endpoint terminal, the terminal
renders the attacker's chosen calling party number as the calling renders the attacker's chosen calling party number as the calling
identity. identity.
4.1. Solution-Specific Attacks 4.1. Solution-Specific Attacks
Solution-specific attacks are outside the scope of this document. Solution-specific attacks are outside the scope of this document,
There are a few points which future work on solution-specific threats though two sorts of solutions are anticipated by the STIR problem
must acknowledge. The design of the credential system envisioned as statement: in-band and out-of-band solutions (see
a solution to this threats must for example limit the scope of the [I-D.ietf-stir-problem-statement]). There are a few points which
credentials issued to carriers or national authorities to those future work on solution-specific threats must acknowledge. The
numbers that fall under their purview. This will impose limits on design of the credential system envisioned as a solution to this
what (verifiable) assertions can be made by intermediaries. threats must for example limit the scope of the credentials issued to
carriers or national authorities to those numbers that fall under
their purview. This will impose limits on what (verifiable)
assertions can be made by intermediaries.
Some of the attacks that should be considered in the future include Some of the attacks that should be considered in the future include
the following: the following:
Attacks Against In-band Attacks Against In-band Solutions
Replaying parts of messages used by the solution
Token replay
Baiting a call to a chosen number with a REFER Using a SIP REFER request to induce a party with access to
credentials to place a call to a chosen number
Removal of in-band signaling features Removing parts of messages used by the solution
Attacks Against Out-of-Band Attacks Against Out-of-Band Solutions
Provisioning Garbage CPRs Provisioning false or malformed data reflecting a placed call into
any datastores that are part of the out-of-band mechansim
Data Mining Mining any datastores that are part of the out-of-band mechanism
Attacks Against Either Approach Attacks Against Either Approach
Attack on directories/services that say whether you should expect
authenticated calling number data or not Attack on any directories/services that report whether you should
expect authenticated calling number data or not
Canonicalization attacks Canonicalization attacks
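Review bot: typo in the new out-of-band list item: "mechansim" should be "mechanism" (the following item spells it correctly). In the paragraph above the list, "a solution to this threats" should be "a solution to these threats", and "Solution-specific attacks are outside the scope of this document, though two sorts of solutions are anticipated ..." joins two unrelated statements with "though"; a full stop after "document" and a new sentence for the in-band/out-of-band split reads better. In the "Either Approach" list, "Attack on any directories/services that report ..." should be plural ("Attacks on") to match the "Attacks Against ..." headings, and each list item would benefit from a one-line lead-in (as the problem statement reference is already cited here) so the list does not read as bare placeholders for future work.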
5. Acknowledgments 5. Acknowledgments
Sanjay Mishra, David Frankel, Penn Pfautz, Stephen Kent, Brian Rosen, Sanjay Mishra, David Frankel, Penn Pfautz, Stephen Kent, Brian Rosen,
Alex Bobotek, Henning Schulzrinne, Hannes Tschofenig, Cullen Jennings Alex Bobotek, Henning Schulzrinne, Hannes Tschofenig, Cullen Jennings
and Eric Rescorla provided key input to the discussions leading to and Eric Rescorla provided key input to the discussions leading to
this document. this document.
skipping to change at page 11, line 28 skipping to change at page 11, line 44
This memo includes no request to IANA. This memo includes no request to IANA.
7. Security Considerations 7. Security Considerations
This document provides a threat model and is thus entirely about This document provides a threat model and is thus entirely about
security. security.
8. Informative References 8. Informative References
[I-D.ietf-rtcweb-overview] [I-D.ietf-rtcweb-overview]
Alvestrand, H., "Overview: Real Time Protocols for Brower- Alvestrand, H., "Overview: Real Time Protocols for
based Applications", draft-ietf-rtcweb-overview-09 (work Browser-based Applications", draft-ietf-rtcweb-overview-10
in progress), February 2014. (work in progress), June 2014.
[I-D.ietf-stir-problem-statement] [I-D.ietf-stir-problem-statement]
Peterson, J., Schulzrinne, H., and H. Tschofenig, "Secure Peterson, J., Schulzrinne, H., and H. Tschofenig, "Secure
Telephone Identity Problem Statement and Requirements", Telephone Identity Problem Statement and Requirements",
draft-ietf-stir-problem-statement-05 (work in progress), draft-ietf-stir-problem-statement-05 (work in progress),
May 2014. May 2014.
[I-D.peterson-sipping-retarget] [I-D.peterson-sipping-retarget]
Peterson, J., "Retargeting and Security in SIP: A Peterson, J., "Retargeting and Security in SIP: A
Framework and Requirements", draft-peterson-sipping- Framework and Requirements", draft-peterson-sipping-
 End of changes. 19 change blocks. 
50 lines changed or deleted 68 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/