"attacks against voip"
Post on 08-Jun-2015
1 of 62 © 2006 Palindrome Technologies, All Rights Reserved
VoIP Security Behind the dialtone
Vulnerabilities, Attacks and Countermeasures
Peter Thermos
Principal Consultant
pthermos@palindrometechnologies.com
Tel: 732 835 0102
2 of 62
Background
Education: MS, CS Columbia University
Consulting: Government and commercial organizations, consulting on information security and assurance, InfoSec program development and management, vulnerability assessments, security architecture, NGN/VoIP/IMS.
Research: Principal investigator on research tasks in the area of Internet Multimedia and Next Generation Networks (VoIP) and security that were funded by government organizations such as NIST (National Institute of Standards and Technology), DARPA (Defense Advanced Research Agency), NSF (National Science Foundation) and others. In addition he has been working with domestic and foreign Telecommunications carriers and Fortune 500 companies on identifying security requirements for IMS/NGN and VoIP, conducting vulnerability assessments and product evaluations.
Member of IETF/IEEE/ACM.
3 of 62
Outline
Intro – Present and Future
The Converged Network
VoIP Architectures
Components & Protocols
Security
  Threats
  Vulnerabilities
  Attacks
VoIP Firewalls
Assessment Tools
Approaches to secure VoIP/NGN networks
Conclusions
Further Research
4 of 62
Present and Future (Summary)
PSTN Network
  Closed therefore “secure”
  High availability (99.999%)
  Limited connection to IP (OSS provisioning, management)
IP Network
  Access is not restricted.
  Best effort
  Connected to accessible IP networks.
“There is one safeguard known generally to the wise, which is an advantage and security to all, but especially to democracies as against despots. What is it? Distrust.”
Demosthenes (c. 384–322 B.C.), Greek orator. Second Philippic, sct. 24 (344 B.C.)
5 of 62
VoPSecurity.org Forum – survey
Top Economic and Technical Challenges for VoIP Deployment - Which are the most critical?
[Bar chart, horizontal axis 0.00% to 40.00%. Categories: Consumer Subscription, Development/Deployment, Revenue Assurance, Taxation, QoS, Standards (IETF, ITU, ANSI/ATIS), E911, Security, Lawful Surveillance]
7 of 62
Carrier VoIP Architectures – Packet Cable
8 of 62
The Converged Network
9 of 62
Carrier VoIP Architectures - IMS
10 of 62
Enterprise VoIP Architecture
11 of 62
Skype Architecture
13 of 62
Components and Signaling Protocols
14 of 62
Protocols
15 of 62
Dive in to the Stack – SIP Example
SIP:
INVITE sip:bob@biloxi.com SIP/2.0
Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bK77ds
Max-Forwards: 70
To: Bob <sip:bob@biloxi.com>
From: Alice <sip:alice@atlanta.com>;tag=1928301774
Call-ID: a84b4c76e66710@pc33.atlanta.com
CSeq: 314159 INVITE
Contact: <sip:alice@pc33.atlanta.com>
Content-Type: application/sdp
Content-Length: 142
SDP:
v=0
o=user 29739 7272939 IN IP4 pc33.atlanta.com
s=
c=IN pc33.atlanta.com
k=clear:3b6bssiGao7Vv8Jo7sgBaLLkbr
m=audio 49210 RTP/AVP 0 12
m=video 3227 RTP/AVP 31
a=rtpmap:31 LPC/8000
Format: k=<method>:<encryption key>
Method = clear, base64, uri, prompt
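An audit a defender could run over captured signaling for the SDP k= line described above, as an added example that is not part of the original slides. The sample message is constructed from the slide's INVITE, and the function names and severity labels are assumptions made for illustration.

```python
import re

# Constructed sample adapted from the INVITE on the slide (CRLF line endings).
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@biloxi.com SIP/2.0",
    "Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bK77ds",
    "To: Bob <sip:bob@biloxi.com>",
    "From: Alice <sip:alice@atlanta.com>;tag=1928301774",
    "Call-ID: a84b4c76e66710@pc33.atlanta.com",
    "CSeq: 314159 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=user 29739 7272939 IN IP4 pc33.atlanta.com",
    "s=",
    "c=IN IP4 pc33.atlanta.com",
    "k=clear:3b6bssiGao7Vv8Jo7sgBaLLkbr",
    "m=audio 49210 RTP/AVP 0 12",
    "m=video 3227 RTP/AVP 31",
    "a=rtpmap:31 LPC/8000",
])

INLINE_KEY_METHODS = {"clear", "base64"}  # key material travels inside the SDP
KNOWN_METHODS = INLINE_KEY_METHODS | {"uri", "prompt"}

def split_sip(message):
    """Return (header lines, SDP lines) of one SIP message."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    return head.split("\n"), [line for line in body.split("\n") if line]

def via_transport(header_lines):
    """Transport token of the first Via header, e.g. UDP, TCP or TLS."""
    for line in header_lines:
        m = re.match(r"(?:via|v)\s*:\s*SIP/2\.0/(\w+)", line, re.IGNORECASE)
        if m:
            return m.group(1).upper()
    return None

def audit_sdp_keys(message):
    """List every k= line with its scope and how exposed the key is."""
    headers, sdp = split_sip(message)
    transport = via_transport(headers)
    findings, scope = [], "session"
    for line in sdp:
        if line.startswith("m="):
            scope = "media:" + line[2:].split()[0]  # k= after m= is per-media
        elif line.startswith("k="):
            method, _, key = line[2:].partition(":")
            method = method.strip().lower()
            if method not in KNOWN_METHODS:
                severity = "unknown-method"
            elif method in INLINE_KEY_METHODS and transport != "TLS":
                severity = "key-exposed"   # readable by anyone on the path
            elif method in INLINE_KEY_METHODS:
                severity = "key-inline"    # protected hop by hop only
            else:
                severity = "key-external"  # uri/prompt: key is not in the SDP
            # Report the key length, never the key itself.
            findings.append({"scope": scope, "method": method,
                             "transport": transport, "severity": severity,
                             "key_len": len(key)})
    return findings

if __name__ == "__main__":
    for finding in audit_sdp_keys(SAMPLE_INVITE):
        print(finding)
```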
16 of 62
Dive in to the Stack – SRTP Example
Image from IETF proceedings, Aug. 2001
17 of 62
Example – SIP Call
19 of 62
What are the Threats?
Threat: Service disruption (amplification attacks DoS/DDoS)
  Target(s): Network Owners, Service Providers, Subscribers
Threat: Eavesdropping (including traffic analysis)
  Target(s): Network Owners, Service Providers, Subscribers
Threat: Fraud (including service and intellectual assets, confidential information)
  Target(s): Network Owners, Service Providers
Threat: Unauthorized access (compromise systems with intentions to attack other systems or exploit vulnerabilities to commit fraud and eavesdropping)
  Target(s): Network Owners, Service Providers, Subscribers
Threat: Annoyance (e.g. SPIT)
  Target(s): Subscribers
20 of 62
1st Case of VoIP Fraud
FBI arrests two for VoIP Fraud: Pena, Moore
  http://www.foxnews.com/story/0,2933,198778,00.html
Duration: 8 months
Revenue/Fraud: $2M
Attack Objective: Compromise VoIP service providers and enterprise networks that support VoIP to route unauthorized VoIP traffic originating from Telecom carriers.
Upstream provider pays fraudster, downstream provider doesn’t know.
21 of 62
Where are the vulnerabilities?
Threat model: vulnerabilities originate from the difficulty to foresee future threats (e.g. Signaling System No.7)
Design & specification: vulnerabilities come from errors or oversights in the design of the protocol that make it inherently vulnerable (e.g., SIP, MGCP, 802.11b)
Implementation: vulnerabilities that are introduced by errors in a protocol implementation
Architecture: network topology and association (e.g. routing) with other network elements.
22 of 62
Attacks (lab-experimentation)
DoS
  Against phones, proxies, routers
  SIP/MGCP/H.323/RTP
Call Hijacking
  Flood target phone
  Spoof registration
  Calls are routed to the location described in the new registration
Eavesdropping and traffic analysis
23 of 62
Attacks - Spoofing Caller-ID
24 of 62
Companies that offer Caller-ID Spoofing
https://connect.voicepulse.com/
http://www.nufone.net/
http://www.spooftel.net/
25 of 62
Spoofing Caller-ID using SiVuS
Manipulate the FROM header information
Send an INVITE to a phone
26 of 62
Lab Exercise #4
Presence Hijacking/Masquerading Attack using SIP
27 of 62
Presence Hijacking using SiVuS
The objective is to spoof a REGISTER request
The REGISTER request contains the “Contact:” header which indicates the IP address of the SIP device.
28 of 62
Presence Hijacking using SiVuS – Regular Register Request
29 of 62
The Attack
30 of 62
Manipulated REGISTER request properties
REGISTER sip:216.1.2.5 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.6;branch=xajB6FLTEHIcd0
From: 732-835-0102 <sip:12125550102@voip-service-provider.net:5061>;tag=5e374a8bad1f7c5x1
To: 732-835-0102 <sip:12125550102@voip-service-provider.net:5061>
Call-ID: QTEv5G5dOHYc@192.168.1.2
CSeq: 123456 REGISTER
Contact: 2125550102 <sip:12125550102@192.168.1.3:5061>;
Digest username="12125550102",realm="216.1.2.5",nonce="716917624",uri="sip:voip-service-provider.net:5061",algorithm=MD5,response="43e001d2ef807f1e2c96e78adfd50bf7"
Max_forwards: 70
User Agent: 001217E57E31 VoIP-Router/RT31P2-2.0.13(LIVd)
Content-Type: application/sdp
Subject: SiVuS Test
Expires: 7200
Content-Length: 0
Slide callouts:
  IP address of the VoIP device on which a POTS phone is attached
  IP address that calls will be routed to (attacker)
  Authentication MD5 digest can be intercepted and used to replay messages
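A registrar-side check for the two properties called out on this slide (a Contact that points somewhere other than the sending device, and a digest nonce seen before), as an added example that is not part of the original slides or of SiVuS. The messages are constructed, the class and alert names are hypothetical, and the Via host stands in for the packet source address a live monitor would compare against.

```python
import re

def make_register(via_host, contact_host, nonce):
    """Build a constructed REGISTER shaped like the one on the slide."""
    return "\r\n".join([
        "REGISTER sip:216.1.2.5 SIP/2.0",
        f"Via: SIP/2.0/UDP {via_host};branch=xajB6FLTEHIcd0",
        "To: <sip:12125550102@voip-service-provider.net:5061>",
        f"Contact: <sip:12125550102@{contact_host}:5061>",
        f'Authorization: Digest username="12125550102",nonce="{nonce}",'
        'response="00000000000000000000000000000000"',  # placeholder value
        "Expires: 7200", "Content-Length: 0", "", ""])

def parse_register(raw):
    """Extract only the fields the checks below need."""
    def grab(pattern):
        m = re.search(pattern, raw, re.IGNORECASE | re.MULTILINE)
        return m.group(1) if m else None
    return {
        "aor": grab(r"^To:.*?<sip:([^>;]+)>"),
        "via_host": grab(r"^Via:\s*SIP/2\.0/\w+\s+([^;:\s]+)"),
        "contact_host": grab(r"^Contact:.*?<sip:[^@>]+@([^:;>]+)"),
        "nonce": grab(r'^Authorization:.*?\bnonce="([^"]+)"'),
    }

class RegistrationMonitor:
    """Tracks bindings per address-of-record and flags suspicious changes."""

    def __init__(self):
        self.bindings = {}        # AOR -> contact host currently registered
        self.seen_nonces = set()  # (AOR, nonce) pairs already presented

    def check(self, raw):
        f = parse_register(raw)
        alerts = []
        # Calls would be routed to a host other than the one that registered.
        # Behind NAT this can be legitimate, so treat it as a lead, not proof.
        if f["contact_host"] != f["via_host"]:
            alerts.append("contact-differs-from-sender")
        previous = self.bindings.get(f["aor"])
        if previous is not None and previous != f["contact_host"]:
            alerts.append("binding-moved")
        # A nonce must not be accepted twice: reuse means captured
        # credentials are being replayed.
        if f["nonce"] is not None:
            if (f["aor"], f["nonce"]) in self.seen_nonces:
                alerts.append("nonce-reused")
            self.seen_nonces.add((f["aor"], f["nonce"]))
        self.bindings[f["aor"]] = f["contact_host"]
        return alerts

# Constructed traffic: the device registers itself, then a request arrives
# with the Contact and nonce values shown on the slide.
LEGIT = make_register("192.168.1.6", "192.168.1.6", "716917624")
SPOOFED = make_register("192.168.1.6", "192.168.1.3", "716917624")

if __name__ == "__main__":
    monitor = RegistrationMonitor()
    print(monitor.check(LEGIT))
    print(monitor.check(SPOOFED))
```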
31 of 62
Presence Hijacking using SiVuS – The REGISTER Message
32 of 62
The Exercise
Using SiVuS craft a REGISTER request
In the “Contact” header insert your IP address
Send the registration request to the SIP proxy
Make a phone call to the user you spoofed to see if the call is diverted.
33 of 62
Attacks - Eavesdropping
Decoding communications with Ethereal
34 of 62
Ethereal capture and decode to .au file (1 of 3)
35 of 62
Ethereal capture and decode to .au file (2 of 3)
“Analyze a session” will automatically re-assemble the selected session, which can be saved to an audio file.
36 of 62
Ethereal capture and decode to .au file (3 of 3)
Analyzed sessions can be saved to a .au (audio) file.
37 of 62
The result
39 of 62
VoIP and Firewalls
Problems
  NAT traversal
  SIP spam
  Various attacks, including DoS
Current solutions
  Application Layer Gateways (ALGs)
  Session Border Controllers
  ICE – Interactive Connectivity Establishment (STUN, TURN, MIDCOM)
41 of 62
Tools
Eavesdropping
  Ethereal
  Vomit (vomit - voice over misconfigured internet telephones) http://vomit.xtdnet.nl/
  VoIPong - http://www.enderunix.org/voipong/
Assessment
  SiVuS – The VoIP Vulnerability Scanner – www.vopsecurity.org
42 of 62
Tool – Attack Trend
More tools are being developed
43 of 62
Vulnerability Assessment
SiVuS
44 of 62
SiVuS – Message Generator
45 of 62
SiVuS - Discovery
46 of 62
SiVuS – configuration
47 of 62
SiVuS – Control Panel
48 of 62
SiVuS – Reporting
49 of 62
SiVuS – Authentication Analysis
51 of 62
How do we secure NGN networks?
SECURITY is NOT a product, it’s a PROCESS!
[Figure labels: From the ground up; Assess and Verify]
53 of 62
Conclusions (1 of 2)
Security is not a product, it’s a process!
Can we have adequately secure VoIP networks?
  Yes, but at what cost?
    Performance (e.g., there is a performance impact when using IPSec point to point for signaling)
    Time and expertise. It requires appropriate resources and time to secure out of the box products. We need to ask vendors to have baseline security requirements for VoIP products.
Is voice quality degraded with encryption?
  Not really
54 of 62
Conclusions (2 of 2)
How’s security in VoIP products today?
  Poor to average
    security controls are not mature
    not implemented in deployments
  Implementations inherit traditional vulnerabilities (e.g. Buffer Overflows)
We need better developed software that does not maintain poor security standards.
Security controls/features to enforce stronger security posture (protocol, user and administrative)
Define and impose baseline security requirements for product vendors
56 of 62
Distributed VoIP Security Testbed
NSF funding, $600K
  http://www.nsf.gov/news/news_summ.jsp?cntn_id=106828
Research areas
  Denial of Service (DoS) and Distributed DoS (DDoS)
  Spam and “Spit”
  Social Networks
  Identity Management
  Quality of Service (QoS) and Security Mechanisms
57 of 62
Testbed conceptual view
58 of 62
VoP Security Forum
The objectives of the VoPSecurity.org forum:
Encourage education in NGN/VoIP security through publications, online forums and mailing lists (voptalk@vopsecurity.org and members@vopsecurity.org)
Develop capabilities (tools, interoperability testing, methodologies and best practices) for members to maintain security in their respective infrastructure.
Conduct research to help identify vulnerabilities and solutions associated with NGN/VoIP.
Coordinate annual member meetings to disseminate information, provide updates and promote interaction and initiatives regarding NGN/VoIP security.
The VoP Security forum is viewed as a mechanism for participating members to be proactive and stay current with the threats and vulnerabilities associated with NGN/VoIP security and extend research in this area.
59 of 62
VoPSecurity Forum
Current Activities
  Mailing lists
    Public (voptalk@vopsecurity.org)
  Documentation
    Intro to NGN Security (available)
    Vulnerability Analysis Methodology for VoIP networks (in development)
    VoIP Firewalls (in development)
  Tools
    SiVuS – VoIP vulnerability Scanner (available)
  Research
    Security evaluation of residential VoIP gateways
Join the community!
60 of 62
Standards
ITU
  Focus Group on Next Generation Networks (FGNGN) - http://www.itu.int/ITU-T/ngn/fgngn/
  Open Communications Architecture Forum (OCAF) Focus Group - http://www.itu.int/ITU-T/ocaf/index.html
IETF
  Transport area - http://www.ietf.org/html.charters/wg-dir.html#Transport%20Area
  Security Area - http://www.ietf.org/html.charters/wg-dir.html#Security%20Area
ATIS - http://www.atis.org/0191/index.asp
  T1S1.1--Lawfully Authorized Electronic Surveillance
  T1S1.2--Security
Lawful Intercept
  3GPP - TS 33.106 and TS 33.107
  ETSI DTS 102 v4.0.4
62 of 62
Q & A
Contact info: Peter Thermos
pthermos@vopsecurity.org
pthermos@palindrometechnologies.com