Friday, June 09, 2006

Indictments in the VOIP scam.

The DoJ has published the indictments in the VOIP scam reported recently. Pena Moore (via VOIPSEC)

The scam shows how bad security has a way of catching up with you eventually. The VOIP 'security' scheme relied on what was essentially a password to authenticate call connection requests.

The 'proprietary preffix' was too short to be an effective password. It is alleged that the perps brute forced the scheme trying six million prefixes before finding one that worked. This allowed them to place calls on the network for free. They then sold wholesale call connection services to other VOIP providers for a million dollars or so.


Rob Welbourn said...

It could all have been avoided if the service providers involved had used TLS for the SIP signaling traffic (assuming it was SIP and not H.323), with two-way PKI to authenticate each other.

So far as I can tell, it was not an attack based on breaking SIP digest authentication, but rather guessing what amounts to a PIN that prefixed the dialed numbers in the call setup messages.


voip said...

Hi! I recommend a new service - Voip review. Do you want to know more about voip providers? Make cheap calls.