Secure Telephony Identity Revisited (STIR)

For those not familiar with STIR, it is an effort (working group) attempting to solve the issue of spoofed calling number (caller ID). It has become so easy to generate calls with random anonymous numbers or specific/targeted spoofed numbers, that the source number has lost most of its value as an indicator of who is calling. This enables some attacks, but more importantly, makes other attacks such as Telephony Denial of Service (TDoS), voice SPAM (robocalls), scams, voice phishing (vishing), and harassing/threatening calls much more of an issue.

I just finished attending the 2014 SIP Network Operators Conference (SIPNOC). I couldn't attend some of the conference and missed the update on the Secure Telephony Identify Revisited (STIR). However, I checked the checked the IETF website and there has been quite a bit of activity and there are several new documents that are worth a read. You can find these documents at:


SecureLogix offers solutions to the issues described above and spoofed calling number makes this a challenge.

DDoS (Could be TDoS) Services for Hire

Here are a couple of articles about various DDoS services set up and ready for hire. There is also a brief discussion about how a service was used to attack a VoIP service. This isn't TDoS per se, but as I have said before, the botnets that the attackers use could easily generate VoIP based calls (rather than lots of packets) and target any enterprise site, contact center, user, consumer, etc.



So a tiny bit of background here. Attackers create botnets by assembling a collection (100's, 1000's, 10,000's) of individual bots on zombied computers. These bots sit dormant, but are ready to go if the attacker wants to generate an attack (or is paid). The bots can do pretty much anything - often it is to generate specific or floods of packets for DDoS attack. The more bots, the more traffic and harder it is to mitigate the attack. Of course the bot can generate one or more VoIP/SIP based phone calls, which could for example all hit a large contact center. If the bots are smart enough to spoof their caller ID, the would be difficult to differentiate from real traffic. If they play similar audio, that could be detected, but if they did something really nasty, like play a random audio file/song from the zombie computer's iTunes directory, the attack would be very difficult to mitigate.

Harassing Call/Bomb Threat Against Walmart Stores

Over the weekend, an attacker generated multiple bomb threat calls into Walmart stores in the Kansas area. At least 2 stores were evacuated, with as many as 10 stores threatened. According to the story, the attack was automated (the threat was pre-recorded), so there is a good chance there will be more attacks. Here is a link to some national and local coverage:



What the attacker has done here is quite simple. I would assume they gathered a groups of numbers from one of many sources on the Internet. They could have certainly gathered a lot more.

Once the numbers are gathered, the attacker can manually make calls and play a pre-recorded threat. This can be as crude as making the call, playing a .wav file on a computer, and placing the microphone next to the computer speaker. The attack could also be fully automated, where the attacker has a call generation tool (Asterisk + a call generator work great) and SIP access to the network.

If they are smart, they are also spoofing their Caller-ID. This is trivial with Asterisk. It is also easy with a number of services, including Spoofcard and PhoneGangster. Phone Ganster also has apps that run on smart phones.

We are likely to see a lot more of thse types of attacks. It is easy and cheap to anonymously send threatening calls. Threatening/harassing calls are just one use case - we will also see voice SPAM, phishing, and TDoS. One day target enterprises and government agencies may receive so many threatening calls, that their customers/employees spend a lot of time outside their doors and/or start ignoring real attacks.