In February, we published VoIP Fraud Analysis, a white paper that details Simwood’s three years of operating a Honeypot, coloured in by many years of real-world experience servicing wholesale voice clients of all sizes and seeing them compromised. Our research has been very well received in official circles from OFCOM to ACPO, at industry events comprising scarily competent people, and we’ve since been able to compare notes with others in darkened rooms who study this for a living. Of course, I won’t repeat the full content of the white paper here — and it certainly wouldn’t be appropriate to do so — but I will be glad to share a few observations from it.
VoIP fraud — an estimated $46bn a year problem — has come as no surprise to anyone, and as we’ve run through the mechanism of attack the majority of people in the audience have seen at least parts of the behaviour we describe in the wild. If we were describing other kinds of crime most people would be looking in from outside, but VoIP fraud is pervasive and everyone in the industry has seen it at some level. Similarly, nobody has questioned the solutions proposed, some of which are unique to Simwood though they can be employed by any provider on almost any equipment. Despite this, people remain reluctant to act and, dare I say, a little complacent. It is somebody else’s problem until it is their problem, and by then it may very well be too late. Remember, $46bn is the estimated measure of the good guys’ incompetence… the bad guys’ intent is infinite and, as we’ve seen, can quite literally put a provider out of business in just hours.
The sad fact is that the bad guys are becoming far more professional. Gone are the days of script-kiddies intruding with such blunt force that it was apparent as a DoS attack. They are still there, of course, and can still be very effective in breaching completely unprepared networks, but the serious people — the professionals — are… well, professional. There’s no impatience or fervour to their attacks and they do their homework very, very well. Their reconnaissance is unobservable to those not looking out for it at the packet level, and their early compromise testing is lost amongst legitimate call traffic for those unaware of the test numbers identified. Then they wait, patiently.
Christmas 2013 was a busy time for us, with almost every night seeing one of our customers’ end-users compromised. Actually, we saw the same customers compromised repeatedly night after night, as the bad guys had identified a specific vulnerability present in the equipment they’d deployed to their end-user businesses. Where the customers were ISPs (with a defined block of IP addresses containing customer equipment) the attackers had been able to identify a list of similar targets on their network vulnerable to the same attack. This would have taken a long time and a lot of patience, before striking when eyes were furthest from the ball. On every single occasion we identified the incident and proactively made contact with our customers to advise and help resolve it. The attackers left quietly, knowing they had a long list of other targets and could come back later. They did, every night for the Christmas period.
Don’t be fooled into thinking this is just a “VoIP” problem. Many incidents are targeted and exploit non-VoIP technologies (e.g., those present by virtue of traditional PBXs being retro-fitted with IP capability) while many others are at other levels altogether, such as the http interface of CPE or provider admin systems. The traffic may pass over VoIP as a consequence, but in many cases once the VoIP side of it has been contained it will then pass over traditional phone lines connected to the same equipment. It must be an anxious time waiting for the CPS invoices afterwards!
My point here is not to scare you, but to highlight two trends: (1) providers are becoming more complacent, and (2) attackers are becoming more professional. A destructive combination, indeed, and one that is sure to end in more tears. Attackers are not going to become less capable and less professional, so the only option is for providers to be less complacent and to — this is critical — take action. Very few if any are doing everything they could, whereas others dismissively rely on techniques that may help but are incomplete and therefore give false confidence. The bad guys can turn on an attack at any point after the reconnaissance is complete, and if you think they cannot then how will you notice and be able to react when they do?
The solutions are often simple and free; however, they require a willingness to implement and generally bring many other benefits. By way of example, the vast majority of providers operate SIP on UDP 5060 because that is the out-of-the-box behaviour, whilst you’d struggle to find equipment nowadays that doesn’t support TLS. Not only are TLS endpoints far less common targets, but TLS and SRTP also give end users the privacy I think they already expect they have. Similarly, billing more frequently and getting as close to real-time as possible not only enables fraud monitoring but provides massive operational and commercial benefits too. Your carrier monitoring and enforcing fraud controls on your wholesale account, safely away from your network, is by far the most effective preventative measure, and some of us do that to varying degrees.
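As an added illustration of the near-real-time, carrier-side fraud control described above (example code written for this post, not Simwood’s own system): a rolling one-hour spend check per wholesale account over constructed CDRs, with a tighter cap out of hours because that is when a compromised end-user is most likely to be exploited. The account names, caps and the definition of out-of-hours are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical per-account limits in pence per rolling hour: (office hours, out of hours).
CAPS = {"ISP-A": (5000, 2000), "ISP-B": (5000, 2000)}

def out_of_hours(ts):
    """Assumed policy: 22:00-07:00 and weekends are treated as unattended periods."""
    return ts.weekday() >= 5 or ts.hour >= 22 or ts.hour < 7

class SpendMonitor:
    """Rolling-window spend control enforced at the carrier, per wholesale account."""
    def __init__(self, window=timedelta(hours=1)):
        self.window = window
        self.recent = defaultdict(deque)  # account -> deque of (start, cost) in window
        self.spend = defaultdict(int)     # account -> pence spent within the window
        self.blocked = set()

    def record(self, account, start, cost):
        q = self.recent[account]
        # Age out calls that started more than one window ago.
        while q and start - q[0][0] > self.window:
            self.spend[account] -= q.popleft()[1]
        q.append((start, cost))
        self.spend[account] += cost
        cap = CAPS[account][1 if out_of_hours(start) else 0]
        if self.spend[account] > cap and account not in self.blocked:
            self.blocked.add(account)  # enforcement point: stop routing the account's calls
            return (account, start.isoformat(), self.spend[account], cap)
        return None

def run_monitor(cdrs):
    """Feed CDRs in start-time order and return the alerts raised."""
    mon = SpendMonitor()
    alerts = []
    for account, start, _dest, cost in sorted(cdrs, key=lambda c: c[1]):
        alert = mon.record(account, start, cost)
        if alert:
            alerts.append(alert)
    return alerts

# Constructed sample CDRs: (account, start, destination, cost in pence).
day = datetime(2013, 12, 24, 10, 0)
night = datetime(2013, 12, 25, 2, 0)
SAMPLE_CDRS = (
    [("ISP-A", day + timedelta(minutes=i), "UK", 40) for i in range(20)]  # normal daytime use
    + [("ISP-B", night + timedelta(minutes=i), "UK", 20) for i in range(10)]  # modest night use
    + [("ISP-A", night + timedelta(seconds=30 * i), "INTL", 150) for i in range(15)]  # burst
)
```

The daytime calls age out of the window, so only the 02:00 burst trips the out-of-hours cap, and the account is blocked on the first breach rather than alerting once per call.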
There are many more solutions contained in the Simwood VoIP Fraud Analysis white paper, and we urge you to implement them, and also to lean on your carrier to help you to do so. Please note that in all the “Christmas” examples it was we the carrier — not our customers — who noticed end-user compromise.
The key take-away I want to leave you with is that if you are having no trouble sleeping at night because you believe it can’t/won’t happen to you, then you really need to act now. Your network may already be compromised, with eyes awaiting your being off the ball, perhaps over a coming Bank Holiday.