"attacks against voip"

Post on 08-Jun-2015

© 2006 Palindrome Technologies, All Rights Reserved

VoIP Security Behind the dialtone

Vulnerabilities, Attacks and Countermeasures

Peter Thermos

Principal Consultant

pthermos@palindrometechnologies.com

Tel: 732 835 0102

Background

Education: MS, CS, Columbia University

Consulting: Government and commercial organizations, consulting on information security and assurance, InfoSec program development and management, vulnerability assessments, security architecture, NGN/VoIP/IMS.

Research: Principal investigator on research tasks in the area of Internet Multimedia and Next Generation Networks (VoIP) and security, funded by government organizations such as NIST (National Institute of Standards and Technology), DARPA (Defense Advanced Research Agency), NSF (National Science Foundation) and others. In addition he has been working with domestic and foreign Telecommunications carriers and Fortune 500 companies on identifying security requirements for IMS/NGN and VoIP, conducting vulnerability assessments and product evaluations.

Member of IETF/IEEE/ACM.

Outline

Intro – Present and Future
The Converged Network
VoIP Architectures
Components & Protocols
Security: Threats, Vulnerabilities, Attacks
VoIP Firewalls
Assessment Tools
Approaches to secure VoIP/NGN networks
Conclusions
Further Research

Present and Future (Summary)

PSTN Network
Closed therefore “secure”
High availability (99.999%)
Limited connection to IP (OSS provisioning, management)

IP Network
Access is not restricted.
Best effort
Connected to accessible IP networks.

“There is one safeguard known generally to the wise, which is an advantage and security to all, but especially to democracies as against despots. What is it? Distrust.”

Demosthenes (c. 384–322 B.C.), Greek orator. Second Philippic, sct. 24 (344 B.C.)

VoPSecurity.org Forum – survey

Top Economic and Technical Challenges for VoIP Deployment - Which are the most critical?

[Bar chart; axis from 0.00% to 40.00%. Categories: Consumer Subscription, Development/Deployment, Revenue Assurance, Taxation, QoS, Standards (IETF, ITU, ANSI/ATIS), E911, Security, Lawful Surveillance]

Carrier VoIP Architectures – Packet Cable

The Converged Network

Carrier VoIP Architectures - IMS

Enterprise VoIP Architecture

Skype Architecture

Components and Signaling Protocols

Protocols

Dive in to the Stack – SIP Example

SIP

INVITE sip:bob@biloxi.com SIP/2.0
Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bK77ds
Max-Forwards: 70
To: Bob <sip:bob@biloxi.com>
From: Alice <sip:alice@atlanta.com>;tag=1928301774
Call-ID: a84b4c76e66710@pc33.atlanta.com
CSeq: 314159 INVITE
Contact: <sip:alice@pc33.atlanta.com>
Content-Type: application/sdp
Content-Length: 142

SDP

v=0
o=user 29739 7272939 IN IP4 pc33.atlanta.com
s=
c=IN pc33.atlanta.com
k=clear:3b6bssiGao7Vv8Jo7sgBaLLkbr
m=audio 49210 RTP/AVP 0 12
m=video 3227 RTP/AVP 31
a=rtpmap:31 LPC/8000

Format:

k=<method>:<encryption key>

Method=clear, base64, uri, prompt
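
An added example (not from the original slides): a small audit that finds SDP k= lines in a SIP message and reports whether the key is readable by anyone who can capture the signaling. It uses the INVITE from the slide as sample input; the function name and result fields are assumptions made for this illustration.

```python
# The INVITE shown on the slide, embedded as sample input.
PAGE_INVITE = """INVITE sip:bob@biloxi.com SIP/2.0
Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bK77ds
Max-Forwards: 70
To: Bob <sip:bob@biloxi.com>
From: Alice <sip:alice@atlanta.com>;tag=1928301774
Call-ID: a84b4c76e66710@pc33.atlanta.com
CSeq: 314159 INVITE
Contact: <sip:alice@pc33.atlanta.com>
Content-Type: application/sdp
Content-Length: 142

v=0
o=user 29739 7272939 IN IP4 pc33.atlanta.com
s=
c=IN pc33.atlanta.com
k=clear:3b6bssiGao7Vv8Jo7sgBaLLkbr
m=audio 49210 RTP/AVP 0 12
m=video 3227 RTP/AVP 31
a=rtpmap:31 LPC/8000
"""

# Methods listed on the slide; True means the key itself travels in the SDP body.
KEY_IN_BODY = {"clear": True, "base64": True, "uri": False, "prompt": False}


def audit_sdp_keys(message):
    """Report each SDP k= line: scope, method, transport, and exposure in transit."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    via = next((l for l in head.splitlines() if l.lower().startswith("via:")), "")
    # "Via: SIP/2.0/UDP host" -> "UDP". TLS protects a single hop, not end to end.
    transport = via.split(":", 1)[1].split()[0].rsplit("/", 1)[-1].upper() if via else "UNKNOWN"
    scope, findings = "session", []
    for line in body.splitlines():
        line = line.strip()
        if line.startswith("m="):
            scope = "media:" + line[2:].split()[0]  # a k= after m= applies to that stream
        elif line.startswith("k="):
            method = line[2:].partition(":")[0]
            findings.append({
                "scope": scope,
                "method": method,
                "transport": transport,
                # base64 is an encoding, not protection, so it counts as exposed too.
                "exposed": KEY_IN_BODY.get(method, False) and transport != "TLS",
            })
    return findings


if __name__ == "__main__":
    for finding in audit_sdp_keys(PAGE_INVITE):
        print(finding)
```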

Dive in to the Stack – SRTP Example

Image from IETF proceedings, Aug. 2001

Example – SIP Call

What are the Threats?

Threat: Service disruption (amplification attacks, DoS/DDoS)
Target(s): Network Owners, Service Providers, Subscribers

Threat: Eavesdropping (including traffic analysis)
Target(s): Network Owners, Service Providers, Subscribers

Threat: Fraud (including service and intellectual assets, confidential information)
Target(s): Network Owners, Service Providers

Threat: Unauthorized access (compromise systems with intentions to attack other systems or exploit vulnerabilities to commit fraud and eavesdropping).
Target(s): Network Owners, Service Providers, Subscribers

Threat: Annoyance (e.g. SPIT)
Target(s): Subscribers

1st Case of VoIP Fraud

FBI arrests two for VoIP Fraud: Pena, Moore
http://www.foxnews.com/story/0,2933,198778,00.html

Duration: 8 months

Revenue/Fraud: $2M

Attack Objective: Compromise VoIP service providers and enterprise networks that support VoIP to route unauthorized VoIP traffic originating from Telecom carriers.

Upstream provider pays fraudster, downstream provider doesn’t know.

Where are the vulnerabilities?

Threat model: vulnerabilities originate from the difficulty of foreseeing future threats (e.g. Signaling System No.7)

Design & specification: vulnerabilities come from errors or oversights in the design of the protocol that make it inherently vulnerable (e.g., SIP, MGCP, 802.11b)

Implementation: vulnerabilities that are introduced by errors in a protocol implementation

Architecture: network topology and association (e.g. routing) with other network elements.

Attacks (lab-experimentation)

DoS
Against phones, proxies, routers
SIP/MGCP/H.323/RTP

Call Hijacking
Flood target phone
Spoof registration
Calls are routed to the location described in the new registration

Eavesdropping and traffic analysis

Attacks - Spoofing Caller-ID

Companies that offer Caller-ID Spoofing

https://connect.voicepulse.com/

http://www.nufone.net/

http://www.spooftel.net/

Spoofing Caller-ID using SiVuS

Manipulate the FROM header information
Send an INVITE to a phone

Lab Exercise #4

Presence Hijacking/Masquerading Attack using SIP

Presence Hijacking using SiVuS

The objective is to spoof a REGISTER request
The REGISTER request contains the “Contact:” header which indicates the IP address of the SIP device.

Presence Hijacking using SiVuS – Regular Register Request

The Attack

Manipulated REGISTER request properties

REGISTER sip:216.1.2.5 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.6;branch=xajB6FLTEHIcd0
From: 732-835-0102 <sip:12125550102@voip-service-provider.net:5061>;tag=5e374a8bad1f7c5x1
To: 732-835-0102 <sip:12125550102@voip-service-provider.net:5061>
Call-ID: QTEv5G5dOHYc@192.168.1.2
CSeq: 123456 REGISTER
Contact: 2125550102 <sip:12125550102@192.168.1.3:5061>;Digest username="12125550102",realm="216.1.2.5",nonce="716917624",uri="sip:voip-service-provider.net:5061",algorithm=MD5,response="43e001d2ef807f1e2c96e78adfd50bf7"
Max_forwards: 70
User Agent: 001217E57E31 VoIP-Router/RT31P2-2.0.13(LIVd)
Content-Type: application/sdp
Subject: SiVuS Test
Expires: 7200
Content-Length: 0

IP address of the VoIP device on which a POTS phone is attached

IP address that calls will be routed to (attacker)

Authentication MD5 digest can be intercepted and used to replay messages

Presence Hijacking using SiVuS – The REGISTER Message

The Exercise

Using SiVuS craft a REGISTER request
In the “Contact” header insert your IP address
Send the registration request to the SIP proxy
Make a phone call to the user you spoofed to see if the call is diverted.
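
Registrar-side checks for the manipulated REGISTER pattern described above, as an added example that is not part of the original slides or of SiVuS. The class, alert names and sample messages are assumptions; the samples are constructed with documentation addresses and made-up digest values.

```python
import re

def parse_headers(raw):
    """Return {lowercased header name: value} for one SIP request."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # skip the request line
        if not line.strip():
            break                               # blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def uri_parts(value):
    """(user, host) of the first sip: URI in a To or Contact value."""
    m = re.search(r"sips?:(?:([^@>;\s]+)@)?([^:;>\s]+)", value)
    return (m.group(1), m.group(2)) if m else (None, None)

def via_host(value):
    """Sent-by host of a Via value like 'SIP/2.0/UDP host:port;branch=..'."""
    return re.split(r"[:;]", value.split()[1])[0]

class RegisterMonitor:
    """Heuristic checks on REGISTER requests; only clean requests update state."""
    def __init__(self):
        self.bindings = {}         # address-of-record -> accepted contact host
        self.seen_digests = set()  # (username, nonce, response) already used

    def check(self, raw):
        h = parse_headers(raw)
        aor = "%s@%s" % uri_parts(h["to"])
        contact = uri_parts(h["contact"])[1]
        alerts = []
        # Via is sender-supplied; a registrar would also compare the packet source.
        if contact != via_host(h["via"]):
            alerts.append("contact-differs-from-via")
        if self.bindings.get(aor, contact) != contact:
            alerts.append("binding-moved")
        auth = dict(re.findall(r'(\w+)="?([^",\s]+)', h.get("authorization", "")))
        digest = (auth.get("username"), auth.get("nonce"), auth.get("response"))
        if all(digest):
            if digest in self.seen_digests:   # same nonce and response seen before
                alerts.append("digest-replayed")
            self.seen_digests.add(digest)
        if not alerts:
            self.bindings[aor] = contact
        return alerts

def register(via_ip, contact_ip, nonce, response):
    """Build a constructed REGISTER (documentation addresses, made-up digest)."""
    return "\n".join([
        "REGISTER sip:example.net SIP/2.0",
        f"Via: SIP/2.0/UDP {via_ip}:5060;branch=z9hG4bKc1",
        "To: Alice <sip:alice@example.net>",
        "From: Alice <sip:alice@example.net>;tag=1",
        f"Contact: <sip:alice@{contact_ip}:5060>",
        f'Authorization: Digest username="alice", realm="example.net", '
        f'nonce="{nonce}", uri="sip:example.net", algorithm=MD5, response="{response}"',
        "Expires: 7200",
        "Content-Length: 0",
    ])

def run_samples():
    mon = RegisterMonitor()
    msgs = [register("192.0.2.10", "192.0.2.10", "c0ffee01", "a" * 32),    # first registration
            register("192.0.2.10", "198.51.100.7", "c0ffee01", "a" * 32),  # moved and replayed
            register("192.0.2.10", "192.0.2.10", "c0ffee02", "b" * 32)]    # clean refresh
    return [mon.check(m) for m in msgs]

if __name__ == "__main__":
    print(run_samples())
```

The digest check only helps if the registrar issues single-use, short-lived nonces; without that, a captured response stays valid for any request with the same method and URI.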

Attacks - Eavesdropping

Decoding communications with Ethereal

Ethereal capture and decode to .au file (1 of 3)

Ethereal capture and decode to .au file (2 of 3)

Analyzing a session automatically re-assembles the selected session, which can be saved to an audio file.

Ethereal capture and decode to .au file (3 of 3)

Analyzed sessions can be saved to a .au (audio) file.

The result

VoIP and Firewalls

Problems
NAT traversal
SIP spam
Various attacks, including DoS

Current solutions
Application Layer Gateways (ALGs)
Session Border Controllers
ICE – Interactive Connectivity Establishment (STUN, TURN, MIDCOM)

Tools

Eavesdropping
Ethereal
Vomit (vomit - voice over misconfigured internet telephones) http://vomit.xtdnet.nl/
VoIPong - http://www.enderunix.org/voipong/

Assessment
SIVuS – The VoIP Vulnerability Scanner – www.vopsecurity.org

Tool – Attack Trend

More tools are being developed

Vulnerability Assessment

SiVuS

SiVuS – Message Generator

SiVuS - Discovery

SiVuS – configuration

SiVuS – Control Panel

SiVuS – Reporting

SiVuS – Authentication Analysis

How do we secure NGN networks?

SECURITY is NOT a product, it’s a PROCESS!

From the ground up

Assess and Verify

Conclusions (1 of 2)

Security is not a product, it’s a process!

Can we have adequately secure VoIP networks? Yes, but at what cost?
Performance (e.g., there is a performance impact when using IPSec point to point for signaling)
Time and expertise. It requires appropriate resources and time to secure out of the box products.

We need to ask vendors to have baseline security requirements for VoIP products.

Is voice quality degraded with encryption? Not really

Conclusions (2 of 2)

How’s security in VoIP products today? Poor to average
Security controls are not mature
Not implemented in deployments
Implementations inherit traditional vulnerabilities (e.g. Buffer Overflows)

We need better developed software that does not maintain poor security standards.

Security controls/features to enforce stronger security posture (protocol, user and administrative)

Define and impose baseline security requirements for product vendors

Distributed VoIP Security Testbed

NSF funding, $600K
http://www.nsf.gov/news/news_summ.jsp?cntn_id=106828

Research areas
Denial of Service (DoS) and Distributed DoS (DDoS)
Spam and “Spit”
Social Networks
Identity Management
Quality of Service (QoS) and Security Mechanisms

Testbed conceptual view

VoP Security Forum

The objectives of the VoPSecurity.org forum:

Encourage education in NGN/VoIP security through publications, online forums and mailing lists (voptalk@vopsecurity.org and members@vopsecurity.org)

Develop capabilities (tools, interoperability testing, methodologies and best practices) for members to maintain security in their respective infrastructure.

Conduct research to help identify vulnerabilities and solutions associated with NGN/VoIP.

Coordinate annual member meetings to disseminate information, provide updates and promote interaction and initiatives regarding NGN/VoIP security.

The VoP Security forum is viewed as a mechanism for participating members to be proactive and stay current with the threats and vulnerabilities associated with NGN/VoIP security and extend research in this area.

VoPSecurity Forum

Current Activities

Mailing lists
Public (voptalk@vopsecurity.org)

Documentation
Intro to NGN Security (available)
Vulnerability Analysis Methodology for VoIP networks (in development)
VoIP Firewalls (in development)

Tools
SiVuS – VoIP vulnerability Scanner (available)

Research
Security evaluation of residential VoIP gateways

Join the community!

Standards

ITU
Focus Group on Next Generation Networks (FGNGN) - http://www.itu.int/ITU-T/ngn/fgngn/
Open Communications Architecture Forum (OCAF) Focus Group - http://www.itu.int/ITU-T/ocaf/index.html

IETF
Transport area - http://www.ietf.org/html.charters/wg-dir.html#Transport%20Area
Security Area - http://www.ietf.org/html.charters/wg-dir.html#Security%20Area

ATIS - http://www.atis.org/0191/index.asp
T1S1.1--Lawfully Authorized Electronic Surveillance
T1S1.2--Security

Lawful Intercept
3GPP - TS 33.106 and TS 33.107
ETSI DTS 102 v4.0.4

Q & A

Contact info: Peter Thermos
pthermos@vopsecurity.org
pthermos@palindrometechnologies.com