Security Threats and Requirements for Emergency Calling draft-tschofenig-ecrit-security-threats

1
Security Threats and Requirements for Emergency
Callingdraft-tschofenig-ecrit-security-threats

• Hannes Tschofenig
• Henning Schulzrinne
• M. Shanmugam

2
Terminology

• Internet Access Provider (IAP)
• Emergency call routing support routes calls
  (e.g., SIP proxy)
• Directory maps location to PSAP address
• Asserted location information somebody vouches
  for this information

3
Framework
location provider (DHCP, )
A(V)SP
IAP
directory
configuration information
PSAP
4
Participant-visible threats

• Standard problems
• eavesdropping (privacy, interference with law
  enforcement)
• modification of call content
• preventing service to single user
  (burglar-cutting-phone-wire)
• Since no direct monetary gain, threat model
  focuses on disruption of emergency service to
  legitimate users
• by causing infrastructure failure
• by tying up call takers
• by dispatching emergency responders
• Difference to most other systems
• PSAP doesnt care who you are as long as you
  dont lie about the location or nature of the
  emergency

5
Layers of defense(DOS, crank calls)
prevent or limit
detect filter
prosecute
6
Threats

• Denial-of-service (resource exhaustion) attacks
• entities affected
• directory
• call routing infrastructure
• PSAP
• resources
• network bandwidth
• processing
• human resources (call takers, first responders)
• Call identity spoofing
• primarily to elude DOS attack prosecution

7
Authentication

• Classical requirement must be able to place
  call without authentication
• Really?
• ? anonymity!
• Probably really want
• place call without being a paying customer of IAP
• thus, may still be known to service provider
• former customer
• third-party cert (e.g., some government
  authority)
• device cert (payphone on corner of Third and
  Main)

8
Details security threat to one caller

• Confidentiality
• Modification to configuration information
• Modification of call information
• call signaling
• media
• PSAP impersonation

9
Details infrastructure threats

• denial-of-service attacks
• modification of configuration information

10
Caller identity spoofing

• ? authentication
• avoid delays during emergency call setups
• avoid multiple round-trip times
• define authentication independent of customer
  relationships
• e.g., might only need non-1918 IP address to
  determine port and customer

11
Location spoofing

• End user provided location
• IAP provides assertion
• limited usefulness if wide coverage area
• Emergency call router inserts
• retrieved by V(A)SP from IAP
• must be based on some identifier
• IAP may sign
• Need to insert timestamp and identity
• prevent replay and copy-and-paste attacks
• identity may not be NAI
• IP address, MAC address
• primarily needed for traceability

12
Location spoofing threat mediation
prevent wide-area spoofing avoid global attacks avoid international jurisdictional issues
accountability reasonable chance that the person can be brought to justice future calls from the same person are considered suspect
prevent local-area spoofing attacker cant pretend to be in place X
prevent local-area collusion attacker cant get friend to give him location information for X
prevent local-area time cloning attacker cant pretend to be in X now if they were in X earlier
13
Impersonating a PSAP

• Assurance of reaching an authorized or legitimate
  PSAP
• Attacker may intercept directory request or call
  routing request
• ? Integrity-protect directory and signaling
  interactions
• Directory must be authoritative for information
• may be hard to prove

14
Open issues

• Mixture of threat description and requirements
• Should requirements be merged into general
  requirements document (or remove security issues
  from general requirements document)?