VoIP Security - PowerPoint PPT Presentation


Transcript and Presenter's Notes


1
VoIP Security
  • Henning Schulzrinne
  • Columbia University

2
Overview
  • Taxonomy
  • General network threats made worse
  • Resources

3
Services
  • Call control
  • call establishment, reporting, mid-call service
    features, and teardown → SIP, proxies
  • Directory services
  • alias, user name, extension, E.164 number → URL
    (ENUM)
  • Gateway service
  • inter-work between two different types of
    networks, e.g., PSTN and VoIP → media gateways
  • Network services
  • DNS, TFTP, FTP, DHCP, HTTP, Telnet, RADIUS, and
    DIAMETER
  • Session border control functions
  • signaling and/or bearer traffic as it crosses a
    trust boundary

VoIPSA report
4
Multi-party freedom model
  • People can move from role to role
  • Initiating contact
  • Joining communication in progress
  • Accepting contact
  • Terminating communication in progress
  • Refusing contact

5
VoIP threat taxonomy
6
User requirements and goals
  • User is able to
  • invite anyone
  • to join multiple parties
  • refuse an invite
  • drop out of a session
  • indicate consent for any and all contact and
    reporting
  • refuse consent for any and all contact and
    reporting
  • set policies for the user and all legally
    subordinate domains
  • user is assured confidentiality and immunity for
    lawful communication

7
Privacy and security
  • The Privacy Concept: privilege of all people to
    have their communication systems and content free
    from unauthorized access, interruption, delay or
    modification
  • consent of the person claiming privacy
  • within the limits of the law
  • Security
  • the right to protect privacy,
  • a method of achieving privacy
  • ways to keep communication systems and content
    free from unauthorized access, interruption,
    delay or modification

8
Social threats: Misrepresentation
  • Misrepresentation includes the delivery of
    information which is false as to the identity,
    authority or rights of another party or false as
    to the content of information communicated
  • identity
  • authority (false authentication)
  • rights (false authorization)
  • content (audio, video, text)
  • Examples
  • false caller ID, organization, name
  • voice masking and impersonation
  • false presence information
  • phishing, vishing
  • social engineering (see ChoicePoint)
  • false claim of government authority

9
Social threats: Theft of services
  • Theft of services is any unlawful taking of an
    economic benefit of a service provider by means
    intended to deprive the provider of lawful
    revenue or property.
  • unauthorized deletion or altering of billing
    records
  • unauthorized bypass of lawful billing systems
  • unauthorized billing
  • taking of service provider property
  • Common in PSTN
  • e.g., resale of services with delayed billing
  • blue boxes

10
Social threats: unwanted contact
  • Unwanted contact is any contact that either
    bypasses prior affirmative consent (opt-in) or a
    refusal of consent (opt-out)
  • Can be illegal (harassment, extortion, fraud) or
    just unwanted
  • Harassment
  • Harassment is any form of unwanted communication
    which embarrasses, intimidates, vexes, annoys or
    threatens the receiver of the communication with
    actions which are improper under the law.
  • Extortion
  • Extortion is any act to induce another to do or
    refrain from any conduct or give up any freedom,
    right, benefit or property, under a threat of
    loss or harm to the person, their reputation,
    property or the health, safety, reputation or
    welfare of anyone they know.

11
Resources
  • Security consideration sections in RFCs
  • http://www.voipsa.org