Internet Engineering Task Force (IETF)                       J. Peterson
Request for Comments: 7375                                 NeuStar, Inc.
Category: Informational                                     October 2014
ISSN: 2070-1721

                 Secure Telephone Identity Threat Model
Abstract

   As the Internet and the telephone network have become increasingly
   interconnected and interdependent, attackers can impersonate or
   obscure calling party numbers when orchestrating bulk commercial
   calling schemes, hacking voicemail boxes, or even circumventing
   multi-factor authentication systems trusted by banks.  This document
   analyzes threats in the resulting system, enumerating actors,
   reviewing the capabilities available to and used by attackers, and
   describing scenarios in which attacks are launched.
Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7375.
Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1. Introduction and Scope
   2. Actors
      2.1. Endpoints
      2.2. Intermediaries
      2.3. Attackers
   3. Attacks
      3.1. Voicemail Hacking via Impersonation
      3.2. Unsolicited Commercial Calling from Impersonated Numbers
      3.3. Telephony Denial-of-Service Attacks
   4. Attack Scenarios
      4.1. Solution-Specific Attacks
   5. Security Considerations
   6. Informative References
   Acknowledgments
   Author's Address
1.  Introduction and Scope

   As is discussed in the STIR problem statement [RFC7340] (where "STIR"
   refers to the Secure Telephone Identity Revisited working group), the
   primary enabler of robocalling, vishing, swatting, and related
   attacks is the capability to impersonate a calling party number.  The
   starkest examples of these attacks are cases where automated callees
   on the Public Switched Telephone Network (PSTN) rely on the calling
   number as a security measure, for example, to access a voicemail
   system.  Robocallers use impersonation as a means of obscuring
   identity.  While robocallers can, in the ordinary PSTN, block (that
   is, withhold) their calling number from presentation, callees are
   less likely to pick up calls from blocked identities; therefore,
   appearing to call from some number, any number, is preferable.

   However, robocallers prefer not to call from a number that can trace
   back to them, so they impersonate numbers that are not assigned to
   them.
   The scope of impersonation in this threat model pertains solely to
   the rendering of a calling telephone number to a callee (human user
   or automaton) at the time of call setup.  The primary attack vector
   is therefore one where the attacker contrives for the calling
   telephone number in signaling to be a chosen number.  In this attack,
   the number is one that the attacker is not authorized to use (as a
   caller) but gives in order for that number to be consumed or rendered
   on the terminating side.  The threat model assumes that this attack
   simply cannot be prevented: there is no way to stop the attacker from
   creating call setup messages that contain attacker-chosen calling
   telephone numbers.  The solution space therefore focuses on ways that
   terminating or intermediary elements might differentiate authorized
   from unauthorized calling party numbers in order that policies, human
   or automatic, might act on that information.
   Securing an authenticated calling party number at call setup time
   does not entail any assertions about the entity or entities that will
   send and receive media during the call itself.  In call paths with
   intermediaries and gateways (as described below), there may be no way
   to provide any assurance in the signaling about participants in the
   media of a call.  In those end-to-end IP environments where such
   assurance is possible, it is highly desirable.  However, in the
   threat model described in this document, "impersonation" does not
   consider impersonating an authorized listener after a call has been
   established (e.g., as a third party attempting to eavesdrop on a
   conversation).  Attackers that could impersonate an authorized
   listener require capabilities that robocallers and voicemail hackers
   are unlikely to possess, and historically, such attacks have not
   played a role in enabling robocalling or related problems.
   In SIP, and even many traditional telephone protocols, call signaling
   can be renegotiated after the call has been established.  Using
   various transfer mechanisms common in telephone systems, a callee can
   easily be connected to, or conferenced in with, telephone numbers
   other than the original calling number once a call has been
   established.  These post-setup changes to the call are outside the
   scope of impersonation considered in this model: the motivating use
   cases of defeating robocalling, voicemail hacking, and swatting all
   rely on impersonation during the initial call setup.  Furthermore,
   this threat model does not include in its scope the verification of
   the reached party's telephone number back to the originator of the
   call.  There is no assurance to the originator that they are reaching
   the correct number, nor any indication when call forwarding has taken
   place.  This threat model is focused only on verifying the calling
   party number to the callee.
   In much of the PSTN, there exists a supplemental service that
   translates calling party numbers into names, including the proper
   names of people and businesses, for rendering to the called user.
   These services (frequently marketed as part of 'Caller ID') provide a
   further attack surface for impersonation.  The threat model described
   in this document addresses only the calling party number, even though
   presenting a forged calling party number may cause a chosen calling
   party name to be rendered to the user as well.  Providing a
   verifiable calling party number therefore improves the security of
   calling party name systems, but this threat model does not consider
   attacks specific to names.  Such attacks may be carried out against
   the databases consulted by the terminating side of a call to provide
   calling party names or by impersonators forging a particular calling
   party number in order to present a misleading name to the user.
2.  Actors

2.1.  Endpoints

   There are two main categories of end-user terminals relevant to this
   discussion, a dumb device (such as a 'black phone') or a smart
   device:

   o  Dumb devices comprise a simple dial pad, handset, and ringer,
      optionally accompanied by a display that can render a limited
      number of characters.  Typically, the display renders enough
      characters for a telephone number and an accompanying name, but
      sometimes fewer are rendered.  Although users interface with these
      devices, the intelligence that drives them lives in the service
      provider network.

   o  Smart devices are general-purpose computers with some degree of
      programmability and with the capacity to access the Internet and
      to render text, audio, and/or images.  This category includes
      smart phones, telephone applications on desktop and laptop
      computers, IP private branch exchanges, etc.
   There is a further category of automated terminals without an end
   user.  These include systems like voicemail services, which may
   provide a different set of services to a caller based solely on the
   calling party's number, for example, granting the (purported) mailbox
   owner access to a menu while giving other callers only the ability to
   leave a message.  Though the capability of voicemail services varies
   widely, many today have Internet access and advanced application
   interfaces (to render 'visual voicemail' [OMTP-VV], to automatically
   transcribe voicemail to email, etc.).
2.2.  Intermediaries

   The endpoints of a traditional telephone call connect through
   numerous intermediary devices in the network.  The set of
   intermediary devices traversed during call setup between two
   endpoints is referred to as a call path.  The length of the call path
   can vary considerably: it is possible in Voice over IP (VoIP)
   deployments for two endpoint entities to send traffic to one another
   directly, but, more commonly, several intermediaries exist in a VoIP
   call path.  One or more gateways also may appear on a call path.
   o  Intermediaries forward call signaling to the next device in the
      path.  These intermediaries may also modify the signaling in order
      to improve interoperability, to enable proper network-layer media
      connections, or to enforce operator policy.  This threat model
      assumes there are no restrictions on the modifications to
      signaling that an intermediary can introduce (which is consistent
      with the observed behavior of such devices).

   o  A gateway is a subtype of intermediary that translates call
      signaling from one protocol into another.  In the process, they
      tend to consume any signaling specific to the original protocol
      (elements like transaction-matching identifiers) and may need to
      transcode or otherwise alter identifiers as they are rendered in
      the destination protocol.
   This threat model assumes that intermediaries and gateways can
   forward and retarget calls as necessary, which can result in a call
   terminating at a place the originator did not expect; this is a
   common condition in call routing.  This observation is significant to
   the solution space because it limits the ability of the originator to
   anticipate what the telephone number of the respondent will be (for
   more on the "unanticipated respondent" problem, see [SIP-SECURITY]).
   Furthermore, we assume that some intermediaries or gateways may, due
   to their capabilities or policies, discard calling party number
   information in whole or in part.  Today, many IP-PSTN gateways simply
   ignore any information available about the caller in the IP leg of
   the call and allow the telephone number of the Primary Rate Interface
   (PRI) line used by the gateway to be sent as the calling party number
   for the PSTN leg of the call.  For example, a call might also gateway
   to a multi-frequency network where only a limited number of digits of
   automatic numbering identification (ANI) data are signaled.  Some
   protocols may render telephone numbers in a way that makes it
   impossible for a terminating side to parse or canonicalize a number.
   In these cases, providing authenticated calling number data may be
   impossible, but this is not indicative of an attack or other security
   failure.
2.3.  Attackers

   We assume that an attacker has the following capabilities:

   o  An attacker can create telephone calls at will, originating them
      either on the PSTN or over IP, and can supply an arbitrary calling
      party number.

   o  An attacker can capture and replay signaling previously observed
      by it.

   o  An attacker has access to the Internet and thus the ability to
      inject arbitrary traffic over the Internet, to access public
      directories, etc.
   There are attack scenarios in which an attacker compromises
   intermediaries in the call path or captures credentials that allow
   the attacker to impersonate a caller.  Those system-level attacks are
   not considered in this threat model, though secure design and
   operation of systems to prevent these sorts of attacks are necessary
   for envisioned countermeasures to work.  To date, robocallers and
   other impersonators do not resort to compromising systems but rather
   exploit the intrinsic lack of secure identity in existing mechanisms;
   remedying this problem lies within the scope of this threat model.
   This threat model also does not consider scenarios in which the
   operators of intermediaries or gateways are themselves adversaries
   who intentionally discard valid identity information (without a user
   requesting anonymity) or who send falsified identity; see
   Section 4.1.
3.  Attacks

   The uses of impersonation described in this section are broadly
   divided into two categories: those where an attack will not succeed
   unless the attacker impersonates a specific identity and those where
   an attacker impersonates an arbitrary identity in order to disguise
   its own.  At a high level, impersonation encourages targets to answer
   attackers' calls and makes identifying attackers more difficult.
   This section shows how concrete attacks based on those different
   techniques might be launched.
3.1.  Voicemail Hacking via Impersonation

   A voicemail service may allow users calling from their phones access
   to their voicemail boxes on the basis of the calling party number.
   If an attacker wants to access the voicemail of a particular target,
   the attacker may try to impersonate the calling party number using
   one of the scenarios described in Section 4.
   This attack is closely related to attacks on similar automated
   systems, potentially including banks, airlines, calling-card
   services, conferencing providers, ISPs, and other businesses that
   fully or partly grant access to resources on the basis of the calling
   party number alone (rather than any shared secret or further identity
   check).  It is analogous to an attack in which a human is encouraged
   to answer a phone or to divulge information once a call is in
   progress, by seeing a familiar calling party number.
   The envisioned countermeasures for this attack involve the voicemail
   system treating calls that supply authenticated calling number data
   differently from other calls.  In the absence of that identity
   information, for example, a voicemail service might enforce some
   other caller authentication policy (perhaps requiring a PIN for
   caller authentication).  Asserted caller identity alone provides an
   authenticated basis for granting access to a voicemail box only when
   an identity is claimed legitimately; the absence of a verifiably
   legitimate calling identity here may not be evidence of malice, just
   of uncertainty or a limitation imposed by the set of intermediaries
   traversed for a specific call path.
   If the voicemail service could learn ahead of time that it should
   expect authenticated calling number data from a particular number,
   that would enable the voicemail service to adopt stricter policies
   for handling a request without authentication data.  Since users
   typically contact a voicemail service repeatedly, the service could,
   for example, remember which requests contain authenticated calling
   number data and require further authentication mechanisms when
   identity is absent.  The deployment of such a feature would be
   facilitated in many environments by the fact that the voicemail
   service is often operated by an organization that would be in a
   position to enable or require authentication of calling party
   identity (for example, carriers or enterprises).  Even if the
   voicemail service is decoupled from the number assignee, issuers of
   credentials or other authorities could provide a service that informs
   verifiers that they should expect identity in calls from particular
   numbers.
3.2. Unsolicited Commercial Calling from Impersonated Numbers

The unsolicited commercial calling attack, or "robocalling" for
short, is similar to the voicemail attack except that the robocaller
does not need to impersonate the particular number controlled by the
target, merely some "plausible" number. A robocaller may impersonate
a number that is not an assignable number (for example, in the United
States, a number beginning with 0) or an unassigned number. This
behavior is seen in the wild today. A robocaller may change numbers
every time a new call is placed, e.g., selecting numbers randomly.

A closely related attack is sending unsolicited bulk commercial
messages via text messaging services. These messages usually
originate on the Internet, though they may ultimately reach endpoints
over traditional telephone network protocols or the Internet. While
most text messaging endpoints are mobile phones, broadband
residential services are increasingly supporting text messaging as
well. The originators of these messages typically impersonate a
calling party number, in some cases a "short code" specific to text
messaging services.

The envisioned countermeasures to robocalling are similar to those in
the voicemail example, but there are significant differences. One
important potential countermeasure is simply to verify that the
calling party number is in fact assignable and assigned. Unlike
voicemail services, end users typically have never been contacted by
the number used by a robocaller before. Thus, they cannot rely on
past association to anticipate whether or not the calling party
number should supply authenticated calling number data. If there
were a service that could inform the terminating side that it should
expect this data for calls or texts from that number, however, that
would also help in the robocalling case.

When a human callee is to be alerted at call setup time, the time
frame for executing any countermeasures is necessarily limited.
Ideally, a user would not be alerted that a call has been received
until any necessary identity checks have been performed. This could,
however, result in inordinate post-dial delay from the perspective of
legitimate callers. Cryptographic and network operations must be
minimized for these countermeasures to be practical. For text
messages, a delay for executing anti-impersonation countermeasures is
much less likely to degrade perceptible service.

The eventual effect of these countermeasures would be to force
robocallers to either (a) block their caller identity, in which case
end users could opt not to receive such calls or messages, or (b) use
authenticated calling numbers traceable to them, which would then
allow for other forms of redress.
3.3. Telephony Denial-of-Service Attacks

In the case of telephony denial-of-service (TDoS) attacks, the attack
relies on impersonation in order to obscure the origin of an attack
that is intended to tie up telephone resources. By placing incessant
telephone calls, an attacker renders a target number unreachable by
legitimate callers. These attacks might target a business, an
individual, or a public resource like emergency responders; the
attacker may intend to extort the target. Attack calls may be placed
from a single endpoint or from multiple endpoints under the control
of the attacker, and the attacker may control endpoints in different
administrative domains. Impersonation, in this case, allows the
attack to evade policies that would block based on the originating
number and furthermore prevents the victim from learning the
perpetrator of the attack or even the originating service provider of
the attacker.

As is the case with robocalling, the attacker typically does not have
to impersonate a specific number in order to launch a denial-of-
service attack. The number simply has to vary enough to prevent
simple policies from blocking the attack calls. An attacker may,
however, have a further intention to create the appearance that a
particular party is to blame for an attack; in that case, the
attacker might want to impersonate a secondary target in the attack.

The envisioned countermeasures are twofold. First, as with
robocalling, ensuring that calling party numbers are assignable or
assigned will help mitigate unsophisticated attacks. Second, if
authenticated calling number data is supplied for legitimate calls,
then Internet endpoints or intermediaries can make effective policy
decisions in the middle of an attack by deprioritizing unsigned calls
when congestion conditions exist; signed calls, if accepted, have the
necessary accountability should it turn out they are malicious. This

There are certain flavors of TDoS attacks, including those against
emergency responders, against which authenticated calling number data
is unlikely to be a successful countermeasure. These entities are
effectively obligated to attempt to respond to every call they
receive, and the absence of authenticated calling number data in many
cases will not remove that obligation.
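The countermeasures sketched in Sections 3.1 through 3.3 (checking
that a claimed number is assignable and assigned, remembering which
numbers have signed before, consulting a directory that says identity
should be expected, and deprioritizing unsigned calls under
congestion) fit together as one terminating-side policy. The block
below is an added example, not code from this document or from any
STIR implementation. The assignment table, the directory contents,
the NANP format rule used for assignability, and the decision labels
("accept", "challenge", "defer", "reject") are all constructed
assumptions.

```python
"""Terminating-side policy for calls that arrive without authenticated
calling number data.  Added example; not code from RFC 7375 or from any
STIR implementation.  The assignment table, the directory, and the
decision labels are constructed assumptions.
"""
from dataclasses import dataclass, field
import re

# NANP number format: +1 NPA NXX XXXX, N = 2-9.  Codes of the form N11 are
# service codes, so a number beginning with 0 or 1, or using an N11 area or
# exchange code, is not assignable to a subscriber.  This is a format check
# only; whether a well-formed number is actually assigned must come from an
# assignment table (constructed below).
_NANP = re.compile(r"^\+1([2-9][0-8]\d)([2-9]\d\d)(\d{4})$")


def is_assignable(number: str) -> bool:
    """True if the number could be assigned to a NANP subscriber."""
    m = _NANP.match(number)
    if not m:
        return False
    npa, nxx = m.group(1), m.group(2)
    return not (npa.endswith("11") or nxx.endswith("11"))


@dataclass
class Call:
    calling_number: str          # claimed calling party number, E.164 form
    has_verified_identity: bool  # authenticated calling number data present and verified


@dataclass
class TerminatingPolicy:
    assigned: set                     # stand-in for a number assignment table (constructed)
    expect_identity: set              # stand-in for an "expect identity" directory (constructed)
    seen_with_identity: set = field(default_factory=set)

    def decide(self, call: Call, congested: bool = False) -> str:
        """Return one of: accept, challenge, defer, reject (labels assumed)."""
        n = call.calling_number
        if call.has_verified_identity:
            # A signed call carries accountability if it turns out to be
            # malicious; remember that this number is one that signs.
            self.seen_with_identity.add(n)
            return "accept"
        # Unsigned: first ask whether the claimed number is even plausible.
        if not is_assignable(n) or n not in self.assigned:
            return "reject"
        # Then ask whether identity should have been expected for it, either
        # from our own history or from the directory.
        if n in self.seen_with_identity or n in self.expect_identity:
            return "challenge"   # e.g. require a PIN before granting mailbox access
        # Under congestion, unsigned calls are deprioritized, not dropped.
        if congested:
            return "defer"
        # Absence of identity alone is not evidence of malice.
        return "accept"


def run_sample() -> dict:
    """Exercise the policy on constructed calls; returns {label: decision}."""
    policy = TerminatingPolicy(
        assigned={"+14155550100", "+12025550117", "+17035550155"},
        expect_identity={"+12025550117"},
    )
    out = {}
    out["signed"] = policy.decide(Call("+14155550100", True))
    out["unsigned_after_signed"] = policy.decide(Call("+14155550100", False))
    out["unsigned_directory_expects"] = policy.decide(Call("+12025550117", False))
    out["unsigned_unassigned"] = policy.decide(Call("+13035550123", False))
    out["unsigned_unassignable"] = policy.decide(Call("+10125550100", False))
    out["unsigned_congested"] = policy.decide(Call("+17035550155", False), congested=True)
    out["unsigned_quiet"] = policy.decide(Call("+17035550155", False))
    return out


if __name__ == "__main__":
    for label, decision in run_sample().items():
        print(f"{label:28s} {decision}")
```

Two points from the text are deliberately preserved in the ordering:
an unsigned call from a number that has never signed and is not in
the directory is accepted when the network is quiet, because absence
of identity is not evidence of malice, and the assignability check
only removes unsophisticated attacks, since an attacker who picks a
well-formed, assigned number passes it.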
4. Attack Scenarios

The examples that follow rely on Internet protocols including SIP
[RFC3261] and WebRTC [RTCWEB-OVERVIEW].

Impersonation, IP-IP

An attacker with an IP phone sends a SIP request to an IP-enabled
voicemail service. The attacker puts a chosen calling party number
into the From header field value of the INVITE. When the INVITE
reaches the endpoint terminal, the terminal renders the attacker's
chosen calling party number as the calling identity.

Impersonation, PSTN-PSTN

An attacker with a traditional Private Branch Exchange (PBX)
(connected to the PSTN through ISDN) sends a Q.931 SETUP request
[Q931] with a chosen calling party number, which a service provider
inserts into the corresponding SS7 [Q764] calling party number (CgPN)
field of a call setup message (Initial Address Message (IAM)). When
the call setup message reaches the endpoint switch, the terminal
renders the attacker's chosen calling party number as the calling
identity.

Impersonation, IP-PSTN

An attacker on the Internet uses a commercial WebRTC service to send
a call to the PSTN with a chosen calling party number. The service
contacts an Internet-to-PSTN gateway, which inserts the attacker's
chosen calling party number into the SS7 [Q764] call setup message
(the CgPN field of an IAM). When the call setup message reaches the
terminating telephone switch, the terminal renders the attacker's
chosen calling party number as the calling identity.

Impersonation, IP-PSTN-IP

An attacker with an IP phone sends a SIP request to the telephone
number of a voicemail service, perhaps without even knowing that the
voicemail service is IP-based. The attacker puts a chosen calling
party number into the From header field value of the INVITE. The
attacker's INVITE reaches an Internet-to-PSTN gateway, which inserts
the attacker's chosen calling party number into the CgPN of an IAM.
That IAM then traverses the PSTN until (perhaps after a call
forwarding) it reaches another gateway, this time back to the IP
realm, to an H.323 network. The PSTN-IP gateway takes the calling
party number in the IAM CgPN field and puts it into the SETUP
request. When the SETUP reaches the endpoint terminal, the terminal
renders the attacker's chosen calling party number as the calling
identity.
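The IP-IP scenario turns on one fact: the From header field value of
the INVITE is supplied by the sender, and a terminal that renders it
renders whatever the sender chose. Before a verifier can compare that
value against anything (a signed assertion, a block list, or an
"expect identity" directory) it has to reduce the many spellings of a
number to one canonical form; the gap between those spellings is what
Section 4.1 calls out as "canonicalization attacks". The block below
is an added example, not code from this document or from any SIP
stack. The INVITE is constructed sample input, and the canonical form
(E.164, a "+" followed by digits) and the default country code are
assumptions.

```python
"""Extracting and canonicalizing the calling party number from a SIP INVITE.
Added example; not code from RFC 7375 or from any SIP stack.  The INVITE
is constructed; the E.164 canonical form and default country code are
assumptions.
"""
import re

DEFAULT_COUNTRY_CODE = "1"   # assumption: numbers without '+' are NANP national numbers

# Constructed INVITE.  Both the display name and the URI user part in From
# are chosen by the sender; nothing in the request vouches for them.
SAMPLE_INVITE = (
    "INVITE sip:voicemail@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    'From: "Bank Helpdesk" <sip:+1(202)555-0117@example.org;user=phone>;tag=1928301774\r\n'
    "To: <sip:voicemail@example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

_COMPACT = {"f": "from", "t": "to", "v": "via", "i": "call-id", "m": "contact", "l": "content-length"}
_SEPARATORS = re.compile(r"[\s().\-]")   # visual separators allowed in a telephone user part


def parse_headers(message: str) -> dict:
    """Map lowercase long-form header names to their values, in order."""
    head = message.split("\r\n\r\n", 1)[0]
    headers, last = {}, None
    for line in head.split("\r\n")[1:]:          # skip the request line
        if not line:
            continue
        if line[0] in " \t" and last:            # folded continuation line
            headers[last][-1] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        name = _COMPACT.get(name, name)          # expand compact header names
        headers.setdefault(name, []).append(value.strip())
        last = name
    return headers


def canonicalize(uri_or_number: str):
    """Reduce a sip:/sips:/tel: URI or bare number to E.164, or None if not a number."""
    s = uri_or_number.strip()
    low = s.lower()
    if low.startswith(("sip:", "sips:")):
        s = s.split(":", 1)[1]
        if "@" not in s:
            return None                          # no user part at all
        s = s.split("@", 1)[0]
    elif low.startswith("tel:"):
        s = s.split(":", 1)[1]
    s = s.split(";", 1)[0]                       # drop user/URI parameters
    s = _SEPARATORS.sub("", s)
    plus = s.startswith("+")
    digits = s[1:] if plus else s
    if not digits.isdigit() or not 7 <= len(digits) <= 15:
        return None                              # alphanumeric user, empty, or beyond E.164 length
    if plus:
        return "+" + digits
    if len(digits) == 10:                        # national significant number (assumption)
        return "+" + DEFAULT_COUNTRY_CODE + digits
    if len(digits) == 11 and digits.startswith(DEFAULT_COUNTRY_CODE):
        return "+" + digits
    return None


def _addr_spec(from_value: str) -> str:
    m = re.search(r"<([^>]*)>", from_value)      # name-addr form
    return m.group(1) if m else from_value.split(";", 1)[0].strip()


def display_name(message: str):
    """The display name the sender chose, or None if there is none."""
    values = parse_headers(message).get("from")
    if not values:
        return None
    m = re.match(r'\s*(?:"([^"]*)"|([^<"]*?))\s*<', values[0])
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else (m.group(2) or None)


def from_number(message: str):
    """Canonical calling party number claimed in From, or None."""
    values = parse_headers(message).get("from")
    return canonicalize(_addr_spec(values[0])) if values else None


if __name__ == "__main__":
    print(display_name(SAMPLE_INVITE), from_number(SAMPLE_INVITE))
```

Note that the display name ("Bank Helpdesk") and the number are both
free text from the sender's point of view, which is why a terminal
that shows either one unverified is exactly the rendering step every
scenario above ends with. Canonicalization itself is a place where
signer and verifier must agree: if one treats "+1(202)555-0117" and
"tel:+1-202-555-0117" as the same number and the other does not, a
valid signature fails or an attacker's variant spelling slips past a
comparison.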
4.1. Solution-Specific Attacks

Solution-specific attacks are outside the scope of this document,
though two sorts of solutions are anticipated by the STIR problem
statement: in-band and out-of-band solutions (see [RFC7340]). There
are a few points that future work on solution-specific threats must
acknowledge. The design of the credential system envisioned as a
solution to these threats must, for example, limit the scope of the
credentials issued to carriers or national authorities to those
numbers that fall under their purview. This will impose limits on
what (verifiable) assertions can be made by intermediaries.

Some of the attacks that should be considered in the future include
the following:

o Attacks against in-band solutions

  * Replaying parts of messages used by the solution

  * Using a SIP REFER request to induce a party with access to
    credentials to place a call to a chosen number

  * Removing parts of messages used by the solution

o Attacks against out-of-band solutions

  * Provisioning false or malformed data reflecting a placed call
    into any datastores that are part of the out-of-band mechanism

  * Mining any datastores that are part of the out-of-band
    mechanism

o Attacks against either approach

  * Attack on any directories/services that report whether you
    should expect authenticated calling number data or not

  * Canonicalization attacks
5. Security Considerations

This document provides a threat model and is thus entirely about
security.
6. Informative References

[OMTP-VV] Open Mobile Terminal Platform, "Visual Voice Mail
          Interface Specification", Version 1.3, June 2010,
          <http://www.gsma.com/newsroom/wp-content/uploads/2012/07/
          OMTP_VVM_Specification_1_3.pdf>.

[Q764]    ITU, "Signalling System No. 7 - ISDN User Part signalling
          procedures", Recommendation ITU-T Q.764, December 1999,
          <http://www.itu.int/rec/T-REC-Q.764/>.

[Q931]    ITU, "ISDN user-network interface layer 3 specification
          for basic call control", Recommendation ITU-T Q.931,
          May 1998, <http://www.itu.int/rec/T-REC-Q.931/>.

[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
          A., Peterson, J., Sparks, R., Handley, M., and E.
          Schooler, "SIP: Session Initiation Protocol", RFC 3261,
          June 2002, <http://www.rfc-editor.org/rfc/rfc3261.txt>.

[RFC7340] Peterson, J., Schulzrinne, H., and H. Tschofenig, "Secure
          Telephone Identity Problem Statement and Requirements",
          RFC 7340, September 2014,
          <http://www.rfc-editor.org/info/rfc7340>.

[RTCWEB-OVERVIEW]
          Alvestrand, H., "Overview: Real Time Protocols for
          Browser-based Applications", Work in Progress,
          draft-ietf-rtcweb-overview-12, October 2014.

[SIP-SECURITY]
          Peterson, J., "Retargeting and Security in SIP: A
          Framework and Requirements", Work in Progress,
          draft-peterson-sipping-retarget-00, February 2005.
Acknowledgments

Sanjay Mishra, David Frankel, Penn Pfautz, Stephen Kent, Brian Rosen,
Alex Bobotek, Henning Schulzrinne, Hannes Tschofenig, Cullen
Jennings, and Eric Rescorla provided key input to the discussions
leading to this document.
Author's Address

Jon Peterson
NeuStar, Inc.
1800 Sutter St. Suite 570
Concord, CA 94520
United States

EMail: jon.peterson@neustar.biz