CANTO – 2006
Information Security and Voice over IP (VoIP)
Robert Potvin, CISSP
VP - Strategic Consulting
June 21st, 2006
Copyright Above Security 2006
Voice over IP is popular!
• More VoIP PBXs are now being sold than circuit-switched PBXs
• Businesses are deploying VoIP for all sorts of reasons:
- Security is probably not one of them
Voice over IP security
Why worry about voice security?
• Telephone access is business-critical in almost all organisations
• Confidential information passes over the phones
• Emergency response often involves phone systems (911)
• Long distance fraud (Miami – 10M calls)
• PBX is now in the hands of IT (we used to worry about its security)
2005-2006 VOIP State of the Market Report
Major Concerns - Distributed Networking Associates
• Identity Management / Authentication
• Spoofed Voice Server or IP-PBX
• Voice conversation intercepted (LAN, WAN and Internet)
• Increased Toll Fraud
• Availability (DoS)
Security knowledge is being lost
• In the seventies, some people would make long distance calls for free (or bill them to innocent victims) by using blue boxes to inject MF tones during call setup
• In the eighties and nineties, voice networks migrated to digital voice transmission and ISDN-like transport
• One of the less well-known goals of this migration was to separate the control signals from the voice traffic
- If the user has no access to the control channel, the user cannot hack the phone system
So we go back to the seventies
• Many Voice over IP setups mix control and data traffic
• Blue box tone generators get replaced with Ethernet sniffer programs and other PC-based malware
• Same problems, but with a new twist: attacks can be automated
A typical (simplified) VoIP configuration
[Diagram labels: corporate IP network, VoIP phones, VoIP PBX (Cisco Call Manager, Asterisk, etc.), media gateway, SIP/H.323 gatekeeper/proxy, corporate firewall, Internet, VoIP gateway, analog phone, PSTN]
Let us not forget the previous users
[Diagram: the typical VoIP configuration, repeated]
And the un-intended users…
[Diagram: the typical VoIP configuration, with added labels: Crasher; Disgruntled Employee; "We want to crash the phone system!"]
There are other un-intended users…
[Diagram: the typical VoIP configuration, with added labels: Spy; Curious Employee; Trojaned PC; Visitor; "We want to listen to phone calls!"]
And still other un-intended users!
[Diagram: the typical VoIP configuration, with added labels: Freeloader (twice); "We want to make long-distance phone calls for free!"]
More….
[Diagram: the typical VoIP configuration, with added labels: Phisher ("I am building a fake copy of the IVR system in order to fool clients into giving out their access numbers and PINs"); Interactive Voice Response; Fake IVR; "I am modifying the IVR to say Yes and accept collect calls"]
VOIP Threats
• DoS
- Packet and Data Flood
- Endpoint (PIN change)
- QoS
- VLAN
• Theft and Fraud
- Sniffing (eavesdropping)
- Spoofing (MAC, IP, ARP, ANI, etc.)
- Toll and Voicemail (and maybe e-mail) “text to speech”
The Voice over IP protocol landscape
• Several different protocols in use at the same time
- Some are used to communicate call information data (signalling)
- Some transport the actual voice and/or video streams
- Some do both
- Some are standardized, some are proprietary
• And then there are the extensions…
- Multiple competing extensions to the same protocol
- Multiple security extensions to the same protocol
• Wireless integration
Base protocols for IP phones
[Diagram: a VoIP phone, a DHCP server, a TFTP server and an attacker]
- Phone to DHCP server: DHCP request for IP parameters; the server returns the parameters
- Phone to TFTP server: TFTP request for configuration and firmware; the server returns config and firmware
- Attacker: modified parms, config, and/or firmware
- Attacker goals: modify phone configuration; intercept phone voice traffic
Protocols listed: DNS, TFTP, HTTP, SNMP, DHCP, RSVP, SDP, Skinny (Cisco), Skinny over TLS
Issues about base protocols and phones
• Most of these protocols do not have security protection features
• Even if they do, the IP phones typically do not support them
• The phones (depending on brand and model) also have other network vulnerabilities:
- Remote management access to the phone (SNMP), sometimes in read/write, sometimes with a fixed community name
- Remote login access to the phone
- VxWorks debug access to the phone
Network layer 2 attacks: MAC address spoofing
• An attacker's equipment can modify its MAC address at will
- and impersonate other equipment (including phones)
• The attacker can generate many packets with many different source MAC addresses
- this can cause the network to crash
- or allow the attacker to listen to traffic he/she should not be able to access
Network layer 2 attacks: ARP cache poisoning
• ARP is the protocol used to associate Ethernet and IP addresses dynamically
• Supports broadcast and unicast communication methods
• Attacker can use ARP attacks to reroute IP traffic, including voice
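An added example (not from the original slides) of how a monitor on the voice VLAN can notice the rerouting described above: it parses raw ARP frames, remembers the first MAC address seen for each IP address, and alerts when a different MAC later claims that IP or when the Ethernet source and the ARP sender field disagree. The addresses, the sample frames and the names `parse_arp`, `watch` and `build` are assumptions made for illustration.

```python
import struct

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Return (eth_src, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":       # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return mac(frame[6:12]), mac(frame[22:28]), ".".join(map(str, frame[28:32]))

def watch(frames, pinned=None):
    """Replay frames in order; return alerts as (frame_no, reason, ip, claimed_mac)."""
    table = dict(pinned or {})      # ip -> mac; pinned models static entries (PBX, gateway)
    alerts = []
    for n, frame in enumerate(frames, 1):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        eth_src, sha, spa = parsed
        if eth_src != sha:          # Ethernet header and ARP payload disagree
            alerts.append((n, "src-mismatch", spa, sha))
        if table.setdefault(spa, sha) != sha:   # first binding seen wins
            alerts.append((n, "binding-changed", spa, sha))
    return alerts

def build(eth_src, sha, spa, tha, tpa, op=2):
    """Assemble a constructed ARP frame for the sample capture below."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(map(int, s.split(".")))
    return (m(tha) + m(eth_src) + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
            + m(sha) + ip(spa) + m(tha) + ip(tpa))

# Constructed capture: the gateway and a phone announce themselves, then a third
# MAC claims the gateway's IP address in a reply sent to the phone.
GW, PHONE, OTHER = "00:11:22:33:44:01", "00:11:22:33:44:10", "02:00:00:00:00:99"
SAMPLE = [
    build(GW, GW, "10.0.0.1", PHONE, "10.0.0.10"),
    build(PHONE, PHONE, "10.0.0.10", GW, "10.0.0.1"),
    build(OTHER, OTHER, "10.0.0.1", PHONE, "10.0.0.10"),
]
```

Running `watch(SAMPLE)` reports the third frame as a changed binding for the gateway address; passing the PBX and gateway addresses in `pinned` makes the alert independent of which frame happens to arrive first.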
Network layer 2 attacks: VLAN boundary crossing
• Virtual LANs are used to group network switch ports into zones
- Communication between VLANs must go over a router or gateway
- Groups of VLANs can be transported over a single physical link between switches on a VLAN trunk
• On some network switches, VLAN trunk setup is automatic
- This feature is enabled by default
- A client system can convince the switch that a user port should become a trunk by sending the right packets to it
- Ports that become trunks make all VLANs accessible by default
- Attackers can use this to access other VLANs
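An added example (not from the original slides) of a configuration audit for the automatic trunk setup described above: it reads a switch configuration and lists ports that are left in a negotiating mode, rely on the platform default, or trunk every VLAN. The Cisco IOS-style syntax, the sample excerpt and the name `audit_trunking` are assumptions; the slides name no switch vendor.

```python
import re

# Constructed Cisco IOS-style excerpt (assumption: the slides name no switch vendor).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
 switchport voice vlan 110
!
interface FastEthernet0/2
 switchport mode dynamic desirable
!
interface FastEthernet0/3
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 110
!
interface GigabitEthernet0/1
 description uplink to core
 switchport mode trunk
 switchport trunk allowed vlan 10,110
 switchport nonegotiate
"""

def audit_trunking(config):
    """Return {interface: finding} for ports that could negotiate a trunk or carry every VLAN."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None          # "!" or a global command ends the block
    findings = {}
    for name, lines in blocks.items():
        mode = next((l.split("switchport mode ", 1)[1] for l in lines
                     if l.startswith("switchport mode ")), None)
        if mode is None:
            findings[name] = "no explicit mode: platform default may negotiate a trunk"
        elif mode.startswith("dynamic"):
            findings[name] = "dynamic mode: port will negotiate a trunk on request"
        elif "switchport nonegotiate" not in lines:
            findings[name] = "negotiation frames still sent: add 'switchport nonegotiate'"
        elif mode == "trunk" and not any(
                l.startswith("switchport trunk allowed vlan") for l in lines):
            findings[name] = "trunk carries all VLANs: restrict with an allowed list"
    return findings
```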
VoIP signalling protocol attacks
[Diagram: the typical VoIP configuration, with the signalling protocols labelled on its links: SIP, H.323, SCCP, MGCP]
H.323 protocol components security
• By default, no protection is built in the protocols
- Everything is in cleartext, with nothing signed, no replay protection, etc.
- An attacker with enough access can listen to/alter the messages at will
• Cisco recommends protecting the protocol with IPSEC
- Requires X.509 certificates and public key certificate servers in order to scale
• H.323 transports IP addresses and port numbers in the application stream
- In cleartext, it is already difficult to pass H.323 over NAT gateways
- Forget it once H.323 is encrypted
- Implies the H.323 NAT box must be an endpoint, decrypt the traffic, and re-encrypt it before forwarding
SIP protocol security
• By default, no protection is built in the protocol (like H.323)
- Everything is in cleartext, with nothing signed, no replay protection, etc.
- An attacker with enough access can listen to/alter the messages at will
• SIP can be protected with TLS or IPSEC
- Requires X.509 certificates and public key certificate servers in order to scale
• SIP also transports IP addresses and port numbers in the application stream
- SIP is designed to go over proxies
- It may be difficult to maintain end-to-end security when communicating with points outside the organization
SIP Vulnerabilities
• INVITE
- Vulnerabilities in message exchange between 2 SIP endpoints during call setup
• SIP proxy server
- Cisco
• ASN.1
- Decoding error in SSL implementation (also in H.323)
VoIP transport protocol attacks
[Diagram: the typical VoIP configuration, with the transport protocols labelled on its links: RTP/RTCP, RTSP]
Voice transport protocol issues
• RTP (Real Time Protocol) and RTCP (Real Time Control Protocol) are used to transport the actual voice in both H.323 and SIP configurations
- By default, all voice traffic is in cleartext and can be captured with already existing attack tools
• SRTP (Secure Real Time Protocol)
- Can encrypt and authenticate the voice traffic
- Relies on the MIKEY protocol
- Needs an X.509 certificate infrastructure in order to scale
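An added example (not from the original slides) for the SIP and voice transport slides: it parses a constructed INVITE to show the media address and port carried in cleartext in the SDP body, and flags signalling not sent over TLS/SIPS and media not offered as SRTP. The message, its addresses and the name `audit_invite` are assumptions made for illustration.

```python
# Constructed INVITE with an SDP body (documentation addresses, not a real capture).
SAMPLE_INVITE = """\
INVITE sip:2001@pbx.example.com SIP/2.0
Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds
From: <sip:1001@pbx.example.com>;tag=1928301774
To: <sip:2001@pbx.example.com>
Call-ID: a84b4c76e66710@192.0.2.10
CSeq: 314159 INVITE
Content-Type: application/sdp

v=0
o=- 2890844526 2890844526 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0
"""

def audit_invite(raw):
    """Report what a SIP INVITE with an SDP body exposes and whether it is protected."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, uri, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())  # keep topmost Via
    # Via: SIP/2.0/<transport> <sent-by>;params
    via_proto, sent_by = headers["via"].split(";")[0].split()
    transport = via_proto.split("/")[2].upper()
    report = {"method": method, "transport": transport,
              "via_host": sent_by.rsplit(":", 1)[0], "media": [], "findings": []}
    conn = None
    for line in body.split("\n"):
        if line.startswith("c="):            # c=IN IP4 <address>
            conn = line.split()[2]
        elif line.startswith("m="):          # m=<media> <port> <profile> <formats>
            kind, port, profile = line[2:].split()[:3]
            report["media"].append((kind, conn, int(port), profile))
    if transport != "TLS" or not uri.lower().startswith("sips:"):
        report["findings"].append("signalling in cleartext")
    for kind, addr, port, profile in report["media"]:
        if "SAVP" not in profile:            # RTP/SAVP is the SRTP profile
            report["findings"].append(f"{kind} media in cleartext RTP to {addr}:{port}")
    return report
```

A TLS transport in the topmost Via header only covers the hop into the first proxy, which is why end-to-end protection across proxies is harder to confirm.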
DoS
• TLS Connection Reset
- By sending a crafted packet, you can force a reset on the signalling channel between the phone and the server
• Packet replay
- Out of sequence packets can add delay and degrade QoS
• Services
- DoS on DHCP, DNS, TFTP…
• Wireless
- Jamming
Call Hijacking and/or eavesdropping
• ARP Spoofing
- Duplicate an end-point or a gateway
• Registration (UA)
- Redirect incoming calls
• Proxy
- Intercept SIP messages
• Toll
- Rogue devices can be used to place long distance calls on PSTN
• ANI
- Caller ID spoofing
Security Pathway
• Architecture
- Switches, VLANs, NAT and Firewall
- Encryption
- MAC Filtering
- Services (DHCP, TFTP, etc.)
• Hardening
- PBX
- Gateway
- Accounting (call data)
- Voice Mail
- SoftPhones
Security Pathway
• Authentication
- SIPS = HTTPS
- Certificates
- MAC Filtering
- RADIUS
• Physical security
- PBX, Gateway, etc.
- Switches (heat on Power Over Ethernet)
- Sniffers
Security Pathway
• Logging and Monitoring
- Centralize logs
- Synchronize logs
- IDS
- Vulnerabilities
• Pen-Test often
- External
- Internal
- Wireless
Questions and Contact
Robert Potvin, CISSP
450-430-8166 #2108