Meletis Belsis - VoIP Security (slide transcript)
VoIP Security: An Overview (2008)
Meletis Belsis, Information Security Consultant
MPhil / MSc / BSc
CWNA/CWSP, C|EH, CCSA, ISO27001LA
Agenda
• VoIP Technology
• VoIP Complexity
• VoIP Threats
• Example Attacks
• The Hacker’s Toolbox
• VoIP Countermeasures
• The Company
VoIP Technology
• VoIP is an integral part of modern enterprises.
• VoIP reduces OpEx by providing PSTN-like services over the data network.
• Based on open IETF and ITU standards.
• Protocols used to support VoIP include TCP/UDP/IP, DNS, TFTP, DHCP, STUN, HTTP, SIP and RTP.
• VoIP components include routers, switches, firewalls, SIP servers, media gateways, IP PBXs and WiFi.
VoIP Security
“The flexibility of VoIP comes at a price: added complexity in securing voice and data. Because VoIP systems are connected to the data network and share many of the same hardware and software components, there are more ways for intruders to attack a VoIP system than a conventional voice telephone system or PBX.”
NIST SP 800-58: Security Considerations for Voice over IP Systems
VoIP Security Complexity
• Securing a VoIP network is complex because:
– VoIP inherits the TCP/IP vulnerabilities.
– VoIP usually runs over the corporate data network; typically there is no network separation.
– Applying security controls may affect other attributes of VoIP (e.g. delay, latency, jitter).
– VoIP media usually runs over UDP on dynamically negotiated ports, so it may not traverse firewalls and NAT devices as-is. NAT traversal techniques such as STUN, or VoIP-aware firewalls, need to be applied.
VoIP Threats
• Denial of Service
– Flood attacks (e.g. controller flooding)
– BYE tear-down
– Registration reject
– Hold attack
– Call reject
• Interception attacks
– Call hijacking
– Registration hijacking
– Media session hijacking
– Server masquerading
– DNS poisoning
– Caller ID spoofing
– VoIP VLAN hopping
– ARP spoofing
• Covert channels
• WiFi attacks
[Diagram: two SIP servers exchange SIP signalling, with a media proxy in the path; the media stream runs between the endpoints. Attack points marked on the diagram: sniffing, (D)DoS attack, wiretapping, SPIT.]
VoIP Threats
• VoIP platform vulnerabilities:
– CAN-2004-0056: malformed H.323 packets exploit Nortel BCM vulnerabilities
– CAN-2004-0054: exploits the Cisco IOS H.323 implementation
– CVE-2007-4459: Cisco SIP DoS vulnerabilities
– CVE-2007-6424: vulnerabilities in the Fonality Trixbox 2.0 PBX products
– CVE-2007-5361: vulnerabilities in the Alcatel-Lucent OmniPCX Enterprise Communication Server
– CVE-2007-5556: vulnerabilities in the Avaya VoIP handset
Server Masquerading
[Diagram: SIP UA A behind SIP proxy sip.athens.com calls SIP UA B behind SIP proxy sip.thessaloniki.com. An unauthorized SIP proxy answers the INVITE with a 302 Moved Temporarily whose Contact points at itself; the call is then forwarded to it (4. FW: INVITE, 5. 100 Trying), putting the attacker in the signalling path.]
Why the UA follows the redirect (RFC 3261 on 302 Moved Temporarily): “The requesting client SHOULD retry the request at the new address(es) given by the Contact header field. The Request-URI of the new request uses the value of the Contact header field in the response.”
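The redirect step of the attack above, as an added example that is not part of the slides: a constructed INVITE, a constructed forged 302 whose Contact points at an attacker host, a naive UA that retries wherever Contact says, and a pinned UA that only honours redirects into an allow-list of trusted domains. All addresses, Call-IDs and the allow-list policy are assumptions for the illustration.

```python
import re

# Constructed INVITE from UA A (10.0.0.5, domain sip.athens.com) to UA B at
# sip.thessaloniki.com; all addresses and identifiers are made up.
INVITE = (
    "INVITE sip:bob@sip.thessaloniki.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@sip.athens.com>;tag=1928\r\n"
    "To: <sip:bob@sip.thessaloniki.com>\r\n"
    "Call-ID: a84b4c76e66710@10.0.0.5\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:alice@10.0.0.5>\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Constructed 302 from the unauthorised proxy. It copies Call-ID and CSeq so
# the UA matches it to the pending INVITE; Contact points at the attacker.
FORGED_302 = (
    "SIP/2.0 302 Moved Temporarily\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@sip.athens.com>;tag=1928\r\n"
    "To: <sip:bob@sip.thessaloniki.com>;tag=9999\r\n"
    "Call-ID: a84b4c76e66710@10.0.0.5\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:bob@203.0.113.66:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)


def parse_sip(msg):
    """Split a SIP message into (start line, {header name in lower case: value})."""
    head = msg.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def uri_host(uri):
    """Host part of a SIP URI, e.g. 'sip:bob@host:5060;transport=udp' -> 'host'."""
    m = re.search(r"sips?:(?:[^@>;\s]+@)?([^:;>\s]+)", uri)
    if not m:
        raise ValueError("not a SIP URI: %r" % uri)
    return m.group(1).lower()


def request_host(invite):
    """Host of the Request-URI the caller originally dialled."""
    return uri_host(parse_sip(invite)[0].split()[1])


def redirect_target(invite, response, allowed_hosts=None):
    """Where a UA would retry the INVITE after a 302, or None to refuse.

    allowed_hosts=None is the naive behaviour: retry wherever Contact says.
    With an allow-list the redirect is only honoured when Contact stays
    inside trusted domains (hypothetical policy; RFC 3261 does not mandate it).
    """
    _, req_hdrs = parse_sip(invite)
    status_line, resp_hdrs = parse_sip(response)
    if not status_line.startswith("SIP/2.0 302"):
        return None
    # Only consider responses that belong to the transaction we actually sent.
    for h in ("call-id", "cseq"):
        if req_hdrs.get(h) != resp_hdrs.get(h):
            return None
    contact = resp_hdrs.get("contact")
    if not contact:
        return None
    m = re.search(r"<([^>]+)>", contact)
    new_uri = m.group(1) if m else contact.split(";")[0].strip()
    if allowed_hosts is not None and uri_host(new_uri) not in allowed_hosts:
        return None
    return new_uri


if __name__ == "__main__":
    print("naive UA retries at:", redirect_target(INVITE, FORGED_302))
    print("pinned UA retries at:",
          redirect_target(INVITE, FORGED_302, allowed_hosts={request_host(INVITE)}))
```

The Call-ID/CSeq check only stops blind injection of a 302; an attacker who sees the INVITE (on the LAN, or as a rogue proxy) can copy them, which is why the domain pin, or SIP over TLS to a known proxy, is the control that actually matters here.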
SIP Injection
The UE’s initial REGISTER request looks like:
REGISTER sip:home1.de SIP/2.0
Authorization: Digest username="[email protected]", realm="home1.de", nonce="", uri="sip:home1.de", response=""

A REGISTER carrying an SQL injection payload looks like:
REGISTER sip:home1.de SIP/2.0
Authorization: Digest username="[email protected];delete table users", realm="home1.de", nonce="", uri="sip:home1.de", response=""

If the registrar builds its database query by concatenating the username from the Authorization header, the appended statement runs against the subscriber table.
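The registrar side of the injection above, as an added example that is not from the slides or from any real registrar: the Digest parameters are pulled from a constructed REGISTER and the registration binding is stored either with a string-built INSERT (vulnerable) or with a parameterised query (safe). The database is an in-memory SQLite; `executescript()` stands in for a driver that accepts stacked statements, and the payload is shaped so that the rest of the registrar's own statement still parses. Names, nonces and table layout are assumptions.

```python
import re
import sqlite3

# Constructed REGISTER (names, nonce and response values are made up; the
# slide's own addresses are not reproduced).
LEGIT_REGISTER = (
    "REGISTER sip:home1.de SIP/2.0\r\n"
    'Authorization: Digest username="alice@home1.de", realm="home1.de", '
    'nonce="1b2c3d", uri="sip:home1.de", response="4e5f6a"\r\n'
    "Contact: <sip:alice@10.0.0.5:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Same request with a stacked-statement payload in the username, in the
# spirit of the slide's ";delete table users". It closes the registrar's
# INSERT, deletes the subscribers, and opens a new INSERT that the
# registrar's own trailing text (', '<contact>');) completes.
PAYLOAD = "alice@home1.de', 'x'); DELETE FROM users; INSERT INTO location VALUES('y"
INJECTED_REGISTER = LEGIT_REGISTER.replace(
    'username="alice@home1.de"', 'username="%s"' % PAYLOAD)


def digest_params(msg):
    """Quoted parameters of the Authorization: Digest header, keyed in lower case."""
    m = re.search(r"^Authorization:\s*Digest\s+(.*)$", msg, re.M)
    if not m:
        return {}
    return {k.lower(): v for k, v in re.findall(r'(\w+)="([^"]*)"', m.group(1))}


def header(msg, name):
    """Value of the first header called `name` (case-insensitive)."""
    m = re.search(r"^%s:\s*(.*?)\r?$" % re.escape(name), msg, re.M | re.I)
    return m.group(1) if m else ""


def new_db():
    """In-memory subscriber table (users) and registration table (location)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE users(username TEXT PRIMARY KEY, realm TEXT, ha1 TEXT);"
        "CREATE TABLE location(username TEXT, contact TEXT);"
        "INSERT INTO users VALUES('alice@home1.de', 'home1.de', '0123');"
        "INSERT INTO users VALUES('bob@home1.de', 'home1.de', '4567');"
    )
    return db


def register_vulnerable(db, msg):
    """Stores the binding with a string-built INSERT.

    executescript() stands in for a database driver that runs several
    statements per call (assumption); that is what lets the payload's
    DELETE execute after the INSERT the registrar intended.
    """
    p = digest_params(msg)
    sql = "INSERT INTO location(username, contact) VALUES('%s', '%s');" % (
        p.get("username", ""), header(msg, "Contact"))
    db.executescript(sql)


def register_safe(db, msg):
    """Same binding with a parameterised query: the payload is only data."""
    p = digest_params(msg)
    db.execute("INSERT INTO location(username, contact) VALUES(?, ?)",
               (p.get("username", ""), header(msg, "Contact")))


def table_counts(db):
    """(subscriber rows, registration rows) left behind by the registrar."""
    users = db.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    bindings = db.execute("SELECT COUNT(*) FROM location").fetchone()[0]
    return users, bindings


def demo(vulnerable):
    """Process the injected REGISTER with one of the two registrars."""
    db = new_db()
    (register_vulnerable if vulnerable else register_safe)(db, INJECTED_REGISTER)
    return table_counts(db)


if __name__ == "__main__":
    print("vulnerable registrar (users, bindings):", demo(True))
    print("parameterised registrar (users, bindings):", demo(False))
```

The vulnerable path leaves the subscriber table empty; the parameterised path keeps both subscribers and stores the whole payload as a (useless) username string. Validating the username against the characters a SIP user part may contain, before it reaches the database, is a second layer worth adding in front of the query.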
Hacker’s Toolbox
• Oreka: a cross-platform system for recording and retrieving audio streams
• rtpBreak: detects, reconstructs and analyzes any RTP session through heuristics over UDP network traffic
• SIPCrack: a SIP protocol login (digest) cracker
• SiVuS: a SIP vulnerability scanner
• BYE Teardown: disconnects an active VoIP conversation by spoofing the SIP BYE message from the receiving party
• SipRogue: a multifunctional SIP proxy that can be inserted between two talking parties
• RTPInject: an attack tool that injects arbitrary audio into established RTP connections
• TFTP Cracker: a tool to attack VoIP endpoints and copy their configuration through TFTP
• ILTY (I’m Listening To You): a multi-channel VoIP sniffer
• Registration Adder: a tool that allows fake registrations to be sent
• VoIP Hopper: hops from a normal VLAN to the VoIP VLAN
WiFi VoIP
• NetStumbler is used by wardrivers to detect unprotected WiFi networks.
• AirSnort is widely used to attack WEP keys.
VoIP Countermeasures
• Network separation: although dedicated VoIP VLANs offer a level of security, a dedicated VoIP network is more secure.
• SIP encryption: TLS can be used to encrypt the SIP messages exchanged between adjacent nodes (hop by hop). As commonly deployed it authenticates only the server; mutual authentication requires client certificates. S/MIME is another option, protecting SIP message bodies end to end.
• RTP encryption: Secure RTP (SRTP) can be used to encrypt media in a VoIP network.
VoIP Countermeasures
• Management: avoid weak management protocols such as Telnet, TFTP and SNMP v1/v2c (community strings in clear text); prefer SSH and SNMPv3 with authentication and privacy.
• Firewalls: ensure that VoIP components (e.g. SIP proxy, DNS, DHCP, RADIUS) are logically located behind VoIP-aware firewalls (e.g. the SIP inspection of Cisco ASA).
• IDS/IPS: the existing IDS/IPS architecture can be extended with SIP-aware sensors.
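What a SIP-aware sensor adds over a generic IDS, as an added example that is not from the slides or any product: detection logic for two of the threats listed earlier, the BYE tear-down (a BYE for a dialog sent from a host that is not one of its two parties) and a registration flood (too many REGISTERs from one source in a short window). The traffic, hosts, Call-IDs and thresholds are constructed for the illustration.

```python
from collections import defaultdict, deque

# Constructed SIP traffic; all hosts, Call-IDs and thresholds are made up.


def sip_method(msg):
    """Request method, or None for a response (status line starts with SIP/2.0)."""
    first = msg.split("\r\n", 1)[0]
    return None if first.startswith("SIP/2.0") else first.split(" ", 1)[0]


def call_id(msg):
    """Value of the Call-ID header, or None."""
    for line in msg.split("\r\n"):
        if line.lower().startswith("call-id:"):
            return line.split(":", 1)[1].strip()
    return None


class SipSensor:
    """Minimal SIP-aware sensor: REGISTER floods and BYEs from non-parties."""

    def __init__(self, window=1.0, max_register=20):
        self.window = window              # seconds
        self.max_register = max_register  # REGISTERs per source per window
        self.register_times = defaultdict(deque)  # src_ip -> recent timestamps
        self.flooding = set()                      # sources already reported
        self.dialogs = {}                          # Call-ID -> IPs of the parties
        self.alerts = []

    def observe(self, ts, src_ip, msg):
        method = sip_method(msg)
        cid = call_id(msg)
        if method == "REGISTER":
            q = self.register_times[src_ip]
            q.append(ts)
            while q and ts - q[0] > self.window:
                q.popleft()
            if len(q) > self.max_register and src_ip not in self.flooding:
                self.flooding.add(src_ip)
                self.alerts.append(("REGISTER_FLOOD", src_ip, ts))
        elif method == "INVITE":
            # the caller's address is learned from the INVITE
            self.dialogs.setdefault(cid, set()).add(src_ip)
        elif method is None and msg.startswith("SIP/2.0 200") and cid in self.dialogs:
            # the callee's address is learned from its 200 OK to the INVITE
            self.dialogs[cid].add(src_ip)
        elif method == "BYE":
            parties = self.dialogs.get(cid)
            if parties is not None and src_ip not in parties:
                self.alerts.append(("BYE_TEARDOWN", src_ip, cid))
        return self.alerts


def make(start, cid, request_uri="sip:bob@sip.thessaloniki.com"):
    """Build a minimal SIP message; `start` is a method name or a status line."""
    if not start.startswith("SIP/2.0"):
        start = "%s %s SIP/2.0" % (start, request_uri)
    return "%s\r\nCall-ID: %s\r\nContent-Length: 0\r\n\r\n" % (start, cid)


def run_demo():
    """Replay constructed traffic and return the alerts raised, in order."""
    s = SipSensor(window=1.0, max_register=10)
    # legitimate call: 10.0.0.5 invites, 10.0.0.9 answers
    s.observe(0.0, "10.0.0.5", make("INVITE", "call-1"))
    s.observe(0.2, "10.0.0.9", make("SIP/2.0 200 OK", "call-1"))
    # a BYE Teardown tool on 10.0.0.77 tears the call down with a forged BYE
    s.observe(5.0, "10.0.0.77", make("BYE", "call-1"))
    # registration flood: 50 REGISTERs in half a second from the same host
    for i in range(50):
        s.observe(10.0 + i * 0.01, "10.0.0.77",
                  make("REGISTER", "reg-%d" % i, "sip:sip.athens.com"))
    # the real callee hanging up is not reported
    s.observe(20.0, "10.0.0.9", make("BYE", "call-1"))
    return s.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The source-address check catches the tool sending from its own host. A BYE whose IP source is spoofed to be the victim's and whose From/To tags and CSeq are copied from a sniffed dialog passes it; for that case the sensor must also track tags and CSeq, and the real fix is SIP over TLS so the BYE cannot be forged at all.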
VoIP Countermeasures
• Hardening the network environment
– Enforce security at the network equipment:
• Port security
• DHCP snooping
• Receive access lists
• Enable MAC filtering
• Define the maximum number of MAC addresses per port
• Enable 802.1X for VoIP devices
– Use AAA on all VoIP infrastructure systems
– Disable the PC port on VoIP phones with multiple ports
– Harden the OS of the platforms used:
• Restrict DNS zone transfers
• IP-to-MAC mappings on DHCP
• Apply security patches / updates
• Disable Telnet and/or the r-utilities
• VoIP honeypots
– VoIP phones
– Fake SIP proxies (e.g. Asterisk)
Being in the Middle
• DNS: modify entries to point all traffic to the attacker's machine
• DHCP: hand out the attacker's machine as default gateway, or a DNS entry pointing at the attacker's machine so that all names resolve to the attacker's IP address
• ARP: reply with the attacker's MAC address (gratuitous ARPs or regular ARP replies)
• Flood CAM tables in switches to destroy existing MAC address/port associations so all traffic is broadcast out every port, then use ARP attacks
• Routing protocols: change routing so that traffic physically passes through a router or machine controlled by the attacker
• Spanning tree attacks to change the layer 2 forwarding topology
• Physical insertion (e.g. a PC with dual NICs, Ethernet or WLAN based)
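The ARP and CAM-flooding techniques above as seen from the defender's side, as an added example that is not part of the slides: a sensor that keeps an IP-to-MAC table seeded with the static entries for the gateway and SIP proxy, flags a reply that moves a known IP to a new MAC (the poisoning), a single MAC that claims many IPs (the attacker poisoning every phone), and a burst of never-before-seen source MACs (CAM table flooding). Frames, addresses and thresholds are constructed for the illustration.

```python
from collections import defaultdict, deque


class L2Sensor:
    """Flags ARP poisoning and CAM-table flooding from a stream of frames.

    A frame is a dict: {"ts": seconds, "src_mac": ...} plus, for ARP replies,
    "arp": "reply", "sender_ip": ..., "sender_mac": ... (constructed format).
    """

    def __init__(self, static, window=1.0, max_new_macs=100, max_ips_per_mac=3):
        self.table = dict(static)     # IP -> MAC, seeded with gateway / SIP proxy
        self.static = set(static)     # IPs that must never change MAC
        self.window = window
        self.max_new_macs = max_new_macs
        self.max_ips_per_mac = max_ips_per_mac
        self.first_seen = {}          # MAC -> first timestamp
        self.new_mac_times = deque()  # timestamps of recently first-seen MACs
        self.mac_ips = defaultdict(set)
        self.reported = set()
        self.alerts = []

    def _alert(self, kind, *detail, once=None):
        # once=<key> suppresses repeats of the same alert for the same key
        if once is not None:
            if (kind, once) in self.reported:
                return
            self.reported.add((kind, once))
        self.alerts.append((kind,) + detail)

    def observe(self, frame):
        ts, mac = frame["ts"], frame["src_mac"]
        # CAM flooding shows up as a burst of never-before-seen source MACs
        if mac not in self.first_seen:
            self.first_seen[mac] = ts
            self.new_mac_times.append(ts)
            while self.new_mac_times and ts - self.new_mac_times[0] > self.window:
                self.new_mac_times.popleft()
            if len(self.new_mac_times) > self.max_new_macs:
                self._alert("CAM_FLOOD", ts, once="cam")
        if frame.get("arp") != "reply":
            return self.alerts
        ip, claimed = frame["sender_ip"], frame["sender_mac"]
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = claimed
        elif known != claimed:
            kind = "STATIC_MAPPING_SPOOF" if ip in self.static else "ARP_MAC_CHANGE"
            self._alert(kind, ip, known, claimed)
        self.mac_ips[claimed].add(ip)
        if len(self.mac_ips[claimed]) > self.max_ips_per_mac:
            self._alert("MAC_CLAIMS_MANY_IPS", claimed,
                        sorted(self.mac_ips[claimed]), once=claimed)
        return self.alerts


def arp_reply(ts, ip, mac):
    """Constructed ARP reply 'ip is-at mac' sent from mac."""
    return {"ts": ts, "src_mac": mac, "arp": "reply",
            "sender_ip": ip, "sender_mac": mac}


def run_demo():
    """Replay constructed frames and return the alerts raised, in order."""
    gateway, proxy = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
    phone5, phone6 = "aa:bb:cc:00:00:05", "aa:bb:cc:00:00:06"
    attacker = "00:de:ad:be:ef:01"
    s = L2Sensor(static={"10.0.0.1": gateway, "10.0.0.2": proxy})
    # phones answer ARP normally
    s.observe(arp_reply(0.0, "10.0.0.5", phone5))
    s.observe(arp_reply(0.1, "10.0.0.6", phone6))
    # attacker claims the gateway, then every phone it wants to sit in front of
    s.observe(arp_reply(1.0, "10.0.0.1", attacker))
    for i, ip in enumerate(["10.0.0.5", "10.0.0.6", "10.0.0.7"]):
        s.observe(arp_reply(1.1 + 0.1 * i, ip, attacker))
    # CAM flooding: 150 frames with fresh source MACs within 0.15 s
    for i in range(150):
        s.observe({"ts": 5.0 + i * 0.001,
                   "src_mac": "02:00:00:00:%02x:%02x" % (i // 256, i % 256)})
    return s.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

ARP_MAC_CHANGE also fires when DHCP legitimately hands an address to a new device, which is why the static seed matters for the gateway and proxy and why DHCP snooping's binding table (the "IP-to-MAC mappings on DHCP" item above) is the better source of truth for the rest; on the switch itself, port security with a per-port MAC limit is what stops the CAM flood rather than just reporting it.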