VoIP Security: An Overview (2008)

Meletis Belsis
Information Security Consultant
MPhil / MSc / BSc
CWNA/CWSP, C|EH, CCSA, ISO27001LA


Agenda

• VoIP Technology
• VoIP Complexity
• VoIP Threats
• Example Attacks
• The Hacker’s Toolbox
• VoIP Countermeasures
• The Company

VoIP Technology

• VoIP is an integral part of modern Enterprises
• VoIP allows the reduction of OpEx by providing PSTN-like services
• Based on open IETF and ITU standards
• Protocols used to support VoIP include TCP/UDP/IP, DNS, TFTP, DHCP, STUN, HTTP, SIP, RTP
• VoIP components include: Routers, Switches, Firewalls, SIP Servers, Media Gateways, iPBX, WiFi

VoIP Security

“The flexibility of VoIP comes at a price: added complexity in securing voice and data. Because VoIP systems are connected to the data network and share many of the same hardware and software components, there are more ways for intruders to attack a VoIP system than a conventional voice telephone system or PBX.”

NIST: Considerations for Voice over IP Systems

VoIP Security Complexity

• Securing a VoIP network is complex because:
– VoIP inherits the TCP/IP vulnerabilities.
– VoIP uses the corporate network to operate. Usually there is no network separation.
– Applying security may affect other attributes of VoIP (e.g. Delay, Latency, Jitter).
– VoIP usually uses UDP communication and thus may not be able to operate on networks that use firewalls. Special proxy techniques like STUN need to be applied.

VoIP Threats

• Denial of Service
– Flood Attacks (i.e. Controller Flooding)
– BYE Tear Down
– Registration Reject
– Hold Attack
– Call Reject
• Interception Attacks
– Call Hijacking
– Registration Hijacking
– Media Session Hijacking
– Server Masquerading
– DNS Poisoning
– Caller ID Spoofing
– VoIP VLAN Hopping
– ARP Spoofing
• Covert Channels
• WiFi Attacks

[Diagram: two SIP servers and a media proxy, with the SIP signaling path and the media stream between them; threats marked on the diagram: sniffing, (D)DoS attack, wiretapping, SPIT]

VoIP Threats

• VoIP Platform Vulnerabilities
– CAN-2004-0056: Malformed H.323 packet to exploit Nortel BCM vulnerabilities
– CAN-2004-0054: Exploits CISCO IOS H.323 implementation
– CVE-2007-4459: Cisco SIP DoS vulnerabilities
– CVE-2007-6424: Vulnerabilities on the Fonality Trixbox 2.0 PBX products
– CVE-2007-5361: Vulnerabilities on the Alcatel-Lucent OmniPCX Enterprise Communication Server
– CVE-2007-5556: Vulnerabilities on the Avaya VoIP Handset

Server Masquerading

[Diagram: SIP Proxy sip.athens.com, SIP UA B ([email protected]), SIP UA A ([email protected]), SIP Proxy sip.thessaloniki.com, and an unauthorized SIP proxy inserted into the signaling path; numbered steps visible: 4. FW: Invite, 5. 100 Trying]

302 Moved Temporarily: The requesting client SHOULD retry the request at the new address(es) given by the Contact header field. The Request-URI of the new request uses the value of the Contact header field in the response.
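The redirect behaviour quoted above is what a masquerading proxy relies on: whoever can answer an INVITE with a 302 chooses where the client sends its next request. The following added example (not from the slides) shows the client-side check a hardened UA or outbound proxy can apply: accept a 3xx only when the Contact points into a trusted domain. The 302 response, the 203.0.113.7 address and the trusted-domain list are constructed; the domain names are taken from the diagram.

```python
import re

# Constructed 302 as an unauthorized proxy might send it; Contact points to an
# address outside both legitimate proxy domains (203.0.113.7 is a placeholder).
SAMPLE_302 = (
    "SIP/2.0 302 Moved Temporarily\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@sip.athens.com>;tag=1928301774\r\n"
    "To: <sip:bob@sip.thessaloniki.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:bob@203.0.113.7:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Domains a redirect may legitimately send us to (assumed policy, not from the slides).
TRUSTED_DOMAINS = {"sip.athens.com", "sip.thessaloniki.com"}


def parse_response(raw):
    """Split a SIP response into (status code, {lower-cased header name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def contact_host(contact):
    """Return the host part of the first sip:/sips: URI in a Contact header, or None."""
    m = re.search(r"sips?:(?:[^@<>;]+@)?([^:;>]+)", contact)
    return m.group(1).lower() if m else None


def redirect_allowed(raw, trusted=TRUSTED_DOMAINS):
    """Accept a 3xx only if its Contact host is a trusted domain or a subdomain
    of one; IP literals and foreign domains are refused. Returns (allowed, reason)."""
    status, headers = parse_response(raw)
    if status // 100 != 3:
        return True, "not a redirect"
    host = contact_host(headers.get("contact", ""))
    if host is None:
        return False, "redirect without a parseable Contact"
    if host in trusted or any(host.endswith("." + d) for d in trusted):
        return True, "redirect target %s is trusted" % host
    return False, "redirect target %s is not a trusted domain" % host
```

A refused redirect should be logged with the Call-ID and Via so the rogue proxy can be traced on the signaling path.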

Vlan Hopping

Source: http://www.securityfocus.com/infocus/1892

SIP Injection

The UE’s initial REGISTER request looks like:

REGISTER SIP: home1.de SIP/2.0
Authorization: Digest Username=”[email protected]”, realm=”home1.de”, nonce=” “, uri=”SIP: home1.de”, response=” “

A malicious REGISTER carrying an SQL injection in the username looks like:

REGISTER SIP: home1.de SIP/2.0
Authorization: Digest Username=”[email protected];delete tableusers”, realm=”home1.de”, nonce=” “, uri=”SIP: home1.de”, response=” “
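The injection works only if the registrar pastes the Digest username straight into its credential lookup. The following added example (not from the slides) shows the registrar-side handling that defeats it: the username is pulled out of the Authorization header, checked against a strict character set, and bound as a query parameter, so the slide's payload is rejected and the users table is untouched. The REGISTER text, the username user@home1.de, the in-memory table and the HA1 value are constructed.

```python
import re
import sqlite3

# Constructed REGISTER modelled on the slide; the second one carries the
# same ";delete tableusers" payload in the username.
LEGIT = (
    'REGISTER sip:home1.de SIP/2.0\r\n'
    'Authorization: Digest username="user@home1.de", realm="home1.de", '
    'nonce="abc", uri="sip:home1.de", response="0000"\r\n\r\n'
)
MALICIOUS = LEGIT.replace('username="user@home1.de"',
                          'username="user@home1.de;delete tableusers"')

# Conservative user-part charset (assumed policy): no ';', quotes, spaces or
# comment characters ever reach the database.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._+-]+(@[A-Za-z0-9.-]+)?$")


def digest_username(raw):
    """Return the quoted username from a Digest Authorization header, or None."""
    m = re.search(r"^Authorization:\s*Digest\s+(.*)$", raw, re.M)
    if not m:
        return None
    m2 = re.search(r'username="([^"]*)"', m.group(1))
    return m2.group(1) if m2 else None


def make_db():
    """In-memory stand-in for the registrar's credential store (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, ha1 TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("user@home1.de", "deadbeef"))
    return db


def lookup_ha1(db, raw):
    """Registrar lookup: refuse malformed usernames, and bind the value as a
    parameter so it is only ever data, never part of the SQL statement."""
    user = digest_username(raw)
    if user is None or not USERNAME_RE.match(user):
        return None  # reject before touching the database
    row = db.execute("SELECT ha1 FROM users WHERE username = ?", (user,)).fetchone()
    return row[0] if row else None
```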

Hacker’s Toolbox

• Oreka: A cross-platform system for recording and retrieving audio streams
• rtpBreak: detects, reconstructs and analyzes any RTP session through heuristics over the UDP network traffic.
• SIPCrack: a SIP protocol login cracker
• SiVuS: A SIP Vulnerability Scanner.
• BYE Teardown: disconnect an active VoIP conversation by spoofing the SIP BYE message from the receiving party
• SipRogue: multifunctional SIP proxy that can be inserted between two talking parties
• RTPInject: attack tool that injects arbitrary audio into established RTP connections.
• TFTP Cracker: A tool to attack VoIP endpoints and copy their configuration through tftp
• ILTY (I am Listening to You): A multi-channel VoIP Sniffer
• Registration Adder: A tool to allow fake registrations to be sent
• VoIP Hopper: Allows hopping from a normal VLAN to the VoIP VLAN

Hackers Toolbox

[Screenshots: RTPInject; SiVUS Scanner]

WiFi VoIP

NetStumbler is used by WarDrivers to detect unprotected WiFi Networks

AirSnort is widely used to attack WEP passwords

VoIP Countermeasures

• Network Separation: Although dedicated VoIP VLANs offer a level of security, a dedicated VoIP network will be more secure.
• SIP Encryption: The TLS protocol can be used to encrypt the SIP messages exchanged between the nodes. TLS provides only Server authentication. S/MIME is another option for SIP encryption.
• RTP Encryption: Secure RTP (SRTP) can be used to encrypt media in a VoIP network

VoIP Countermeasures

• Management: Avoid using weak management protocols like Telnet, tftp and SNMP ver 2.
• Firewalls: Ensure that VoIP components (i.e. SIP Proxy, DNS, DHCP, Radius) are logically located behind VoIP aware firewalls (e.g. CISCO SIP Extensions for ASA).
• IDS/IPS: The existing IDS/IPS architecture can be extended using SIP Aware Sensors

VoIP Countermeasures

• Hardening the network Environment
– Enforce Security at the Network Equipment:
  • Port Security
  • DHCP Snooping
  • Receive Access Lists
  • Enable MAC Filtering
  • Define the maximum number of MAC addresses per port.
  • Enable 802.1x for VoIP devices
– Use AAA on all VoIP infrastructure Systems
– Disable the PC Port on VoIP phones with multiple ports.
– Harden the OS of the platforms used
  • DNS Zone Transfers
  • IP to MAC mappings on DHCP
  • Apply Security Patches / Updates
  • Disable Telnet and/or r-utilities
• VoIP Honeypots
– VoIP Phones
– Fake SIP Proxies (i.e. Asterisk)


Extra Material

Detecting WiFi Networks

Bypassing MAC ACLs

Being in the Middle

• DNS (modify entries to point all traffic to a hacker's machine)
• DHCP (make all traffic go to the hacker's machine as default gateway, or change the DNS entry to point at the hacker's machine so all names resolve to the hacker's IP address)
• ARP (reply with the hacker's MAC address, gratuitous ARPs or regular ARP replies)
• Flood CAM tables in switches to destroy existing MAC addr/port associations so all traffic is broadcast out every port, and then use ARP attacks
• Routing protocols (change routing such that traffic physically passes through a router/machine controlled by the hacker)
• Spanning tree attacks to change the layer 2 forwarding topology
• Physical insertion (e.g. PC with dual NIC cards, be it Ethernet based or WLAN-based)
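The ARP and CAM-flooding entries above both end in the same observable: an IP address suddenly answered by a different MAC, often via gratuitous ARP, and one MAC claiming several IPs. The following added example (not from the slides) is the detection logic a sensor on the voice VLAN can run, cross-checking observed ARP replies against the DHCP server's IP-to-MAC records named in the countermeasure slides. The ARP records, addresses and DHCP bindings are constructed.

```python
from collections import defaultdict

# Constructed ARP reply records as (sender IP, sender MAC, gratuitous?) in
# arrival order; the last two model a host rewriting the gateway's and a
# phone's mapping with its own MAC via gratuitous ARP.
SAMPLE_ARP = [
    ("10.0.0.1",  "00:11:22:33:44:01", False),  # gateway answers a request
    ("10.0.0.20", "00:11:22:33:44:20", False),  # IP phone
    ("10.0.0.21", "00:11:22:33:44:21", False),  # phone with no DHCP record
    ("10.0.0.1",  "00:11:22:33:44:01", False),
    ("10.0.0.1",  "DE:AD:BE:EF:00:01", True),   # gratuitous ARP rewriting the gateway
    ("10.0.0.20", "DE:AD:BE:EF:00:01", True),   # same MAC now also claims the phone
]

# Known-good bindings, e.g. exported from the DHCP server's lease table
# (constructed; the slides' "IP to MAC mappings on DHCP").
DHCP_BINDINGS = {
    "10.0.0.1": "00:11:22:33:44:01",
    "10.0.0.20": "00:11:22:33:44:20",
}


def detect_arp_anomalies(records, bindings, max_ips_per_mac=1):
    """Return (kind, ip, mac) alerts. Checks, in order: a reply contradicting
    the DHCP binding, a reply changing a mapping learned earlier (flagged as a
    gratuitous rewrite when unsolicited), and one MAC claiming more IPs than
    allowed. Raise max_ips_per_mac where proxy ARP or HSRP legitimately does that."""
    learned = {}                    # ip -> mac seen in earlier replies
    ips_per_mac = defaultdict(set)  # mac -> IPs it has claimed
    alerts = []
    for ip, mac, gratuitous in records:
        mac = mac.lower()
        if ip in bindings and bindings[ip] != mac:
            alerts.append(("binding-mismatch", ip, mac))
        elif ip in learned and learned[ip] != mac:
            kind = "gratuitous-rewrite" if gratuitous else "mapping-change"
            alerts.append((kind, ip, mac))
        learned[ip] = mac
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > max_ips_per_mac:
            alerts.append(("multi-ip-mac", ip, mac))
    return alerts
```

On a switch with DHCP snooping and Dynamic ARP Inspection enabled the first check is done in hardware; the sensor version is useful on segments where that feature is not available or as a second opinion.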

Questions?