The State Of VoIP Security, a.k.a.��

“Does Anyone Really Give A _____ About VoIP Security?”

Dan York, CISSP�Chair, VoIP Security Alliance

October 5, 2011

© 2011 VOIPSA http://www.flickr.com/photos/willpate/46488553/

© 2011 VOIPSA

Does Anyone Really �Give A _____ About�

VoIP Security?

© 2011 VOIPSA

Does Anyone Really �Give A _____ About�

VoIP Unified Communications Security?

© 2011 VOIPSA

Technical Solutions

© 2011 VOIPSA

Widely Deployed

© 2011 VOIPSA

TLS-Encrypted SIP

© 2011 VOIPSA

Secure RTP (SRTP)

© 2011 VOIPSA

MORE Secure�Than PSTN

© 2011 VOIPSA http://www.flickr.com/photos/mattblaze/2275723713/

© 2011 VOIPSA

MORE Secure�Than Ever Before

© 2011 VOIPSA

Almost All Venders�Have Support

© 2011 VOIPSA

Almost All Customers�Don’t Turn It On

© 2011 VOIPSA

Why Not?

© 2011 VOIPSA

Complexity

© 2011 VOIPSA

PBX

Voicemail Physical Wiring

PSTN Gateways

Fingerpointing, a.k.a. “One Throat To Choke”

© 2011 VOIPSA

Physical Wiring

IP Network

IP-PBX

Voicemail

PSTN Gateways

Mobile Devices

IM Networks

Web Servers

Email Servers

Desktop PCs

Operating Systems

Firewalls

Internet

Directory Servers

VoIP

CRM Systems

Social Networks

Database Servers

Application Servers

Fingerpointing - 2011

Session Border

Controllers

© 2011 VOIPSA

“UC”

© 2011 VOIPSA

Debugging

© 2011 VOIPSA

Turn It Back On?

© 2011 VOIPSA

SIP Is So Simple, Right?

© 2011 VOIPSA

Riiiiiigggghhhttt… (Fingerpointing Redux)

© 2011 VOIPSA

Evolution

© 2011 VOIPSA

Carrier

PSTN

Carrier

Carrier Carrier

Carrier

Carrier Carrier

The Old Boys’ Club

© 2011 VOIPSA © 2010 VOIPSA and Owners as Marked

ITSP

PSTN

ITSP

ITSP ITSP

ITSP

ITSP ITSP ITSP

ITSP

ITSP

ITSP

ITSP

ITSP

ITSP

ITSP

ITSP

ITSP

ITSP

ITSP

ITSP

ITSP

ITSP

ITSP

ITSP

ITSP ITSP

ITSP

ITSP

ITSP

ITSP ITSP

ITSP ITSP

ITSP

ITSP

The Wild West…

© 2011 VOIPSA

Evolution of Attacks

© 2011 VOIPSA

DoS

© 2011 VOIPSA

DDoS

© 2011 VOIPSA

Fraud

© 2011 VOIPSA

If 1 Is Good, Why Not 3?

© 2011 VOIPSA

Geography

© 2011 VOIPSA

Internet LAN

© 2011 VOIPSA

UC System

Corp  HQ  

Internet Firewall Home Firewall

IP Phone

PC

Home  

© 2011 VOIPSA

UC System

Corp  HQ  

Internet Firewall WiFi Café

Router

Mobile UC

client

Laptop UC

client

Mobile Data

Network

© 2011 VOIPSA

IM

Corp  HQ  

Corporate Network

Presence

Call Control

IVR IM

Office  A  

Presence

Call Control

Voicemail IM

Office  B  

Presence

Call Control

PSTN

Conferencing

Internet

© 2011 VOIPSA

© 2011 VOIPSA

Benefits (for us… and for attackers)

© 2011 VOIPSA

DDoS�(the old-fashioned kind)�

(Asterisk & Amazon EC2, anyone?)

© 2011 VOIPSA

SPIT�(“SPam for Internet Telephony”)

SPAM

© 2011 VOIPSA

Complexity

© 2011 VOIPSA

Physical Wiring

IP Network

IP-PBX

Voicemail

PSTN Gateways

Mobile Devices

IM Networks

Web Servers

Email Servers

Desktop PCs

Operating Systems

Firewalls

Internet

Directory Servers

VoIP

CRM Systems

Social Networks

Database Servers

Application Servers

Fingerpointing - 2011

Session Border

Controllers

© 2011 VOIPSA

The Device Formerly�Known As A�

“Phone”

© 2011 VOIPSA

Mobility

© 2011 VOIPSA

RTCWEB / WebRTC

© 2011 VOIPSA

Complexity

© 2011 VOIPSA

Physical Wiring

IP Network

IP-PBX

Voicemail

PSTN Gateways

Mobile Devices

IM Networks

Web Servers

Email Servers

Desktop PCs

Operating Systems

Firewalls

Internet

Directory Servers

VoIP

CRM Systems

Social Networks

Database Servers

Application Servers

Fingerpointing - 2011

Session Border

Controllers

© 2011 VOIPSA

Interoperability

© 2011 VOIPSA

“The Hitchiker’s Guide�To SIP”

© 2011 VOIPSA

Forgotten�Simple Things

© 2011 VOIPSA

Biggest Financial Threat?

© 2011 VOIPSA

Toll Fraud

© 2011 VOIPSA

IT Security 101

© 2011 VOIPSA

PIN = “1234”

© 2011 VOIPSA

Password = “password”

© 2011 VOIPSA

Default password list

© 2011 VOIPSA

VoIP = bits

© 2011 VOIPSA

IT Security 101

© 2011 VOIPSA

Does Anyone Really �Give A _____ About�

VoIP Security?

© 2011 VOIPSA

WHEN Will They Care?

© 2011 VOIPSA

EVENT

© 2011 VOIPSA

Identity Theft

© 2011 VOIPSA

Celebrity

© 2011 VOIPSA

Trusted Leader

© 2011 VOIPSA

“VoIP Is Insecure!!!”

© 2011 VOIPSA

“VoIP Is Insecure!!!” Stupidly deployed

^

© 2011 VOIPSA

“VoIP Is Insecure!!!”

© 2011 VOIPSA

Cover Your ____

© 2011 VOIPSA

SOLUTIONS?

© 2011 VOIPSA

IT Security 101

© 2011 VOIPSA

Audit, Audit, Audit

© 2011 VOIPSA

Enable What You Have

© 2011 VOIPSA

Interoperability

© 2011 VOIPSA

www.sipit.net

© 2011 VOIPSA

Identity

© 2011 VOIPSA

Simplicity

© 2011 VOIPSA

Fabric

© 2011 VOIPSA

Air

© 2011 VOIPSA

© 2011 VOIPSA

Secure By Default

© 2011 VOIPSA

Education

© 2011 VOIPSA

What is the Industry Doing to Help?

Security Vendors

“The Sky Is Falling!” (Buy our products!)

VoIP Vendors

“Don’t Worry, Trust Us!” (Buy our products!)

© 2011 VOIPSA

www.voipsa.org/Resources/tools.php

© 2011 VOIPSA

Security Links

• VoIP Security Alliance - http://www.voipsa.org/ – Threat Taxonomy - http://www.voipsa.org/Activities/taxonomy.php – VOIPSEC email list - http://www.voipsa.org/VOIPSEC/ – Weblog - http://www.voipsa.org/blog/ – Security Tools list - http://www.voipsa.org/Resources/tools.php – Blue Box: The VoIP Security Podcast - http://www.blueboxpodcast.com

• NIST SP800-58, “Security Considerations for VoIP Systems” –  http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf

• Network Security Tools –  http://sectools.org/

• Hacking Exposed VoIP site and tools –  http://www.hackingvoip.com/

• Seven Deadliest Unified Communications Attacks –  http://www.7ducattacks.com/

© 2011 VOIPSA

Thank You For�Giving A _____

© 2011 VOIPSA

Dan York - dan.york@voipsa.org�+1-802-735-1624 DisruptiveTelephony.com danyork.com�twitter.com/danyork

Thank you! Q & eh?

www.voipsa.org 7ducattacks.com

blueboxpodcast.com