Strictly for security probers, "huge holes" from Bruce Schneier 7/15
*snip* "The big idea here is to leverage the development techniques of the Web to services for telephony. New services are essential, because all the carriers have cut their collective throats on per-minute long-distance rates. Premium services are seen by many as the only source of meaningful revenue in the future. This means that telephony, which has heretofore been slow and methodical and reliable, will become as freewheeling as the Internet....
I am terrified at the security implications of these services... encrypted, and authentication will be enforced, but I don't believe for a minute that this will remain unhacked....It's not the details of the protocols. It doesn't matter how many bits the key is, or what authentication protocol they employ: we've learned from experience that all systems like this are hackable.
The worry is that these protocols open a huge hole into the telephone system. The problem is that these telephony control systems will sit on top of insecure operating systems.
They will be hacked, and then things will get ugly....
It gets worse. The FCC is mandating that cell phone companies pinpoint phone locations to within 50-100 meters (for use with 911 calls)...."
-------------------------
{and so on....}
-------------------------
*whole thing*
CRYPTO-GRAM
July 15, 2001
by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@counterpane.com
<http://www.counterpane.com>
A free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography.
Back issues are available at <http://www.counterpane.com/crypto-gram.html>. To subscribe or unsubscribe, see below.
Copyright (c) 2001 by Counterpane Internet Security, Inc.
** *** ***** ******* *********** *************
In this issue:
Phone Hacking: The Next Generation
Crypto-Gram Reprints
News
Counterpane Internet Security News
Single Sign-On
Monitoring First
Comments from Readers
** *** ***** ******* *********** *************
Phone Hacking: The Next Generation
The phone network and the Internet are converging. That's good news for smart telephones, new telephony services, and customer convenience, and bad news for security. If you think that phone hacking is bad now, take a gander at what's coming.
During the last fifteen years or so, there has been a trend toward intelligent telephone networking. We've seen ISDN. We've seen SS7. We've seen IN (Intelligent Networking). These protocols are responsible for all the cool telephony features we've come to know and love: call forwarding, call following, local number portability, caller ID, etc. These features work fine, but are limited because they are all controlled by the phone company. If you want to initiate caller ID, you need to get the phone company involved. If you want your business calls forwarded to your home after 5:00 PM, you need to turn that on and off every day.
On the corporate side, we've seen Computer Telephony Integration (CTI), which didn't work very well because it was so big and clunky. It might be fine if you're a huge call center, but it just wasn't cost-effective for your average business. Development cycles were long, and service creation horrendously expensive; usage was rare.
But along came the Internet, and everything changed. The notion of intelligent endpoints (computers) and a dumb network (routers) turns the telephony model upside down. There are several consortiums and standards bodies working on bringing the Internet model to the telephone network, and allowing Internet-based control of telephone switching. The idea is to turn the telephone network into a giant networking resource that people outside the telephone network can control and manage. The benefit to the enterprise is more features and control: cost savings, better sales and marketing, improved customer service, etc.
The Parlay Group is a major player in this space. A consortium of software, hardware, and telephony companies, they are creating a specification and API to enable phone-system control from outside the secure telco network. This API will allow software to do such things as reroute calls, get notified of call attempts, retrieve the location of mobile users, and more. Even access to telco billing systems is planned. The idea is that computer applications can have integrated telephone components.
Even more fundamentally, all the switching protocols will interoperate at multiple points. Switches, gatekeepers, proxies, and call control agents will all be components of the new telephony control system. Control can be distributed or centralized, depending on the application.
Meanwhile, the IETF is defining the Session Initiation Protocol (SIP) for Voice over IP (VoIP) and more. This protocol will allow a user to define complicated ways to redirect calls: between 9 AM and 5 PM ring my office number, between 5 and 6 PM call my cell phone, after 6 PM call my home phone, and if my mother calls at any time, send her directly to voice mail. The protocol even includes a programming language, so a user can write a program to handle phone calls to match his own needs. While these features are nominally controlled by the user, the programs are stored in the telco network, and a DNS-like service is used to handle the profile and call forwarding. SIP is becoming a big thing; it's currently being used for VoIP telephony, will control calls in 3G wireless networks, and is being envisaged for all sorts of other uses like Instant Messaging.
The big idea here is to leverage the development techniques of the Web to services for telephony. New services are essential, because all the carriers have cut their collective throats on per-minute long-distance rates. Premium services are seen by many as the only source of meaningful revenue in the future. This means that telephony, which has heretofore been slow and methodical and reliable, will become as freewheeling as the Internet.
I am terrified at the security implications of these services. Sure, the Parlay spec says that communication between the Parlay client and Parlay server in the telco network is encrypted, and authentication will be enforced, but I don't believe for a minute that this will remain unhacked. SIP contains security provisions, but I don't trust them.
It's not the details of the protocols. It doesn't matter how many bits the key is, or what authentication protocol they employ: we've learned from experience that all systems like this are hackable. The worry is that these protocols open a huge hole into the telephone system. The problem is that these telephony control systems will sit on top of insecure operating systems. They will be hacked, and then things will get ugly.
Think about the possibilities for a minute. Denial-of-service attacks are a breeze: just reroute all calls to a person elsewhere. Or reroute all calls to a popular phone-sex service to another person. Or maybe just eavesdrop: set up a three-way conference bridge whenever someone receives a phone call. Remember the Trojan program that quietly made the modem dial Moldavia; this kind of system would make that hack a lot easier. And don't you think all of those hackers who chat on IRC would much rather take over a PBX and set up a conference call? You don't need me to think up the possibilities; there are lots and lots of them, none of them good.
One of the biggest backward steps is the re-merging of the control and voice channels. Switch and PBX hacking used to be very easy when signaling was done in-band. SS7 is an out-of-band signaling system, which separated the voice from the telephone control and made "beeping into the receiver" hacking impossible. These new IP telephony systems rebuild that old, vulnerable model.
It gets worse. The FCC is mandating that cell phone companies pinpoint phone locations to within 50-100 meters (for use with 911 calls). The carriers plan to use this information to create new data services based on location. The location information will also be available through services like Parlay for third parties to use. Imagine the security implications of that information getting into unauthorized hands. What if someone correlated a person's cell phone with his online identity? Could he pinpoint locations of desktop computers on the Internet? (This is actually a serious issue for 911 services. Unless one can somehow manage location information for endpoints, there's no hope of fielding a reasonable life-critical communications system based on the Internet.)
And think about reliability. The one thing about the telephone system is that it just works. That reliability is very hard to engineer using Internet protocols. As the phone system starts to look more and more like the Internet, it will become as reliable as the Internet. This means that it will forever be in beta. This means there will be software incompatibilities, upgrade problems, and random weird errors. This means that it will fail, catastrophically, once in a while.
Telephone hacking is not new. There have been decades of allegations and investigations into Las Vegas crime syndicates surreptitiously rerouting escort-service phone numbers, and the dial telephone was invented in the late 1800s by someone convinced that operators were rerouting his calls to rival businesses. Before the Internet, the phone network was the primary focus of hackers.
But it's a hard network to hack. Telephony is still a controlled closed universe. The protocols are often proprietary, access is limited, and information is scarce. You need to speak SS7, have the right physical connections, etc. There is nominally no interconnect to the TCP/IP Internet. Even with knowledge, it is the limited physical access that provides the most constraint. Voice and control are on separate channels. None of this provides absolute security, but it helps keep the number of hackers down.
The Internet, on the other hand, is much easier to hack. It's public. It's available. Anyone can connect a computer up to the Internet. Anyone can download boatloads of hacking tools. Anyone can become a script kiddie.
What we're seeing is another example of the tension between functionality and security. Opening the network is a good thing from the perspective of creating innovative new services, speeding up development cycles, adding value to data and voice. Yet when we do this, we open up the potential for the bad things as well. It's impossible to get the one without the other.
Soon the phone network will become just like the Internet. Putting control of telephony networks on the Internet means anyone can hack chicago.switch.uswest.net. These protocols will turn control over to both authorized and unauthorized Internet control. If you think phone phreaking was bad, just wait until anyone can do it.
Standards and companies active in this area:
<http://www.parlay.org>
<http://www.telecomsys.com>
<http://www.invertix.com>
<http://www.locationet.com>
<http://www.openls.org>
<http://www.locationforum.org>
<http://www.3gpp.org>
<http://www.sipforum.org>
<http://www.sipcenter.com>
<http://www.etsi.org/tiphon>

Steve Bass and John Ladwig both helped with this article.