Is there any way (standard, proposed or draft) that will allow for secure Caller ID over SIP / VOIP networks?
I have constantly heard that Caller ID is insecure when used over these services. Can anyone explain why Caller ID is insecure when used over these networks?
When the call is coming from an external PBX, then the Caller ID you receive is what the caller's service provider sends to your service provider. This could by anything the caller's service provider wants. Many service providers choose to respect that and send the real Caller ID to your service provider (and eventually, to you).
Many SIP / VOIP service providers give their users the option to set an arbirtrary Caller ID which will be sent to the callee's service provider (and eventually, to the callee).
That's how the whole Caller ID system works, it is inherently insecure because it relies on the information provided to you being accurate. Think, HTTP_REFERE.
The STIR IETF charter group is working on this problem now. (Literally right now, join the Jabber or listen) Namely this article highlights the need for CallerID due to
Former solutions include:
RFC 4474 defines SIP "Identity", however this isn't compatible with existing deployments so it hasn't been used. RFC447bis is a modification to that proposal that may be included in STIR's meeting.
P-Asserted-Identity (P-A-I) in RFC3225, however this is focused on solving the problem within a trusted subset of known players.
These solutions focus on "identity" and include a "SIP URI" or "SIP address" and while the ultimate STIR mechanism (or a variant thereof) might also work for SIP URIs, the focus in this initial work is all around securing the origin identification of telephone numbers.
The aspect that gives the STIR group more potential is that its focus makes a great amount of sense given that so much of the SIP traffic today is a result of telecom service providers moving their regular calls to telephone numbers off of the legacy PSTN networks and over to IP networks where they use SIP. Additionally, a great amount of the "problem" traffic seen in VoIP today can be created by attackers who use simple VoIP software to generate their calls to regular telephone numbers.
Caller ID is always insecure, VOIP Caller ID is no more insecure than any other. If you want to know for sure who the caller is, you have to do a trace rather than trust the included information. Caller ID is kind of like politely asking someone for their name, they don't have to tell you the truth.
