"Attacks against VOIP"

1 of 62 © 2006 Palindrome Technologies, All Rights Reserved© 2006 Palindrome Technologies, All Rights Reserved

VoIP VoIP Security Behind the dialtoneSecurity Behind the dialtoneVulnerabilities, Attacks and CountermeasuresVulnerabilities, Attacks and Countermeasures

Peter Thermos

Principal Consultant

[email protected]

Tel: 732 835 0102

2 of 62© 2006 Palindrome Technologies, All Rights Reserved© 2006 Palindrome Technologies, All Rights Reserved

BackgroundBackground

Education MS,CS Columbia University

Consulting Government and commercial organizations, consulting on information security and assurance,

InfoSec program development and management, vulnerability assessments, security architecture, NGN/VoIP/IMS.

Research Principal investigator on research tasks, in the area of Internet MultimediaInternet Multimedia and Next Generation Next Generation

Networks (VoIP)Networks (VoIP) and security, that were are funded by government organizations such as NIST (National Institute of Standards and Technology), DARPA (Defense Advanced Research Agency), NSF (National Science Foundation) and others. In addition he has been working with domestic and foreign Telecommunications carriers and Fortune 500 companies on identifying security requirements for IMS/NGN and VoIP, conducting vulnerability assessments and product evaluations.

Member of IETF/IEEE/ACM.


OutlineOutline

Intro – Present and Future The Converged Network

VoIP Architectures Components & Protocols Security

ThreatsVulnerabilitiesAttacks

VoIP Firewalls Assessment Tools Approaches to secure VoIP/NGN networks Conclusions Further Research


Present and Future Present and Future (Summary)(Summary)PSTN NetworkPSTN Network Closed therefore

“secure” High availability

(99.999%) Limited connection to

IP (OSS provisioning, management)

IP NetworkIP Network Access is not

restricted. Best effort Connected to

accessible IP networks.

“There is one safeguard known generally to the wise, which is an advantage and security to all,

but especially to democracies as against despots. What is it? Distrust. ”.

Demosthenes (c. 384–322 B.C.), Greek orator. Second Philippic, sct. 24 (344 B.C.)

“There is one safeguard known generally to the wise, which is an advantage and security to all,

but especially to democracies as against despots. What is it? Distrust. ”.

Demosthenes (c. 384–322 B.C.), Greek orator. Second Philippic, sct. 24 (344 B.C.)


VoPSecurity.org Forum – surveyVoPSecurity.org Forum – surveyTop Economic and Technical Challenges for VoIP Deployment

- Which are the most critical?

0.00% 10.00% 20.00% 30.00% 40.00%

ConsumerSubscription

Development/Deployment

Revenue Assurance

Taxation

QoS

Standards (IETF, ITU,ANSI/ATIS)

E911

Security

Lawful Surveillance


Intro – Present and FutureNGN/ The Converged Network Components & ProtocolsSecurity


VoIP FirewallsAssessment ToolsApproaches to secure NGN networksConclusionsFurther Research

OutlineOutline


Carrier VoIP Architectures – Packet CableCarrier VoIP Architectures – Packet Cable


The Converged NetworkThe Converged Network


Carrier VoIP Architectures - IMSCarrier VoIP Architectures - IMS


Enterprise VoIP ArchitectureEnterprise VoIP Architecture


Skype ArchitectureSkype Architecture





OutlineOutline


Components and Signaling Components and Signaling ProtocolsProtocols


ProtocolsProtocols


Dive in to the Stack – SIP ExampleDive in to the Stack – SIP Example

INVITE sip:[email protected] SIP/2.0Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bK77dsMax-Forwards: 70To: Bob <sip:[email protected]>From: Alice <sip:[email protected]>;tag=1928301774Call-ID: [email protected]: 314159 INVITEContact: <sip:[email protected]>Content-Type: application/sdpContent-Length: 142v=0 o=user 29739 7272939 IN IP4 pc33.atlanta.coms= c=IN pc33.atlanta.comk=clear:3b6bssiGao7Vv8Jo7sgBaLLkbrm=audio 49210 RTP/AVP 0 12m=video 3227 RTP/AVP 31a=rtpmap:31 LPC/8000

SIP

SDP

Format :

k=<method>:<encryption key>

Method=clear, base64, uri, prompt


Dive in to the Stack – SRTP ExampleDive in to the Stack – SRTP Example

Image from IETF proceedings, Aug. 2001


Example – SIP CallExample – SIP Call





OutlineOutline


What are the Threats?What are the Threats?

ThreatThreat Target(s)Target(s)Service disruption (amplification attacks DoS/DDoS)

Network Owners, Service Providers, Subscribers

Eavesdropping (including traffic analysis)


Fraud (including service and intellectual assets, confidential information)

Network Owners, Service Providers

Unauthorized access (compromise systems with intentions to attack other systems or exploit vulnerabilities to commit fraud and eavesdropping).


Annoyance (e.g. SPIT) Subscribers


11stst Case of VoIP Fraud Case of VoIP Fraud FBI arrests two for VoIP Fraud Pena, Moore

http://www.foxnews.com/story/0,2933,198778,00.html Duration 8 months Revenue/Fraud $2M Attack Objective: Compromise service VoIP service

providers and enterprise networks that support VoIP to route unauthorized VoIP traffic originating from Telecom carriers.

Upstream provider pays fraudster, downstream provider doesn’t know.


Where are the vulnerabilities?Where are the vulnerabilities?Threat model, vulnerabilities originate from the difficulty

to foresee future threats (e.g. Signaling System No.7)

Design & specification vulnerabilities come from errors or oversights in the design of the protocol that make it inherently vulnerable (e.g., SIP, MCGP, 802.11b)

Implementation vulnerabilities are vulnerabilities that are introduced by errors in a protocol implementation

Architecture, network topology and association (e.g. routing) with other network elements.


Attacks (lab-experimentation)Attacks (lab-experimentation) DoS

Against phones, proxies, routers SIP/MGCP/H.323/RTP

Call Hijacking Flood target phone Spoof registration Calls are routed to the location described in

the new registration

Eavesdropping and traffic analysis


Attacks - Attacks - Spoofing Caller-IDSpoofing Caller-ID


Companies that offer Caller-ID Companies that offer Caller-ID SpoofingSpoofing

https://connect.voicepulse.com/

http://www.nufone.net/

http://www.spooftel.net/


Spoofing Caller-ID using SiVuSSpoofing Caller-ID using SiVuS Manipulate the FROM header information Send and INVITE to a phone


Lab Exercise #4Lab Exercise #4

Presence Hijacking/Masquerading Attack using SIP


Presence Hijacking using Presence Hijacking using SiVuSSiVuS The objective is to spoof a REGISTER

request The REGISTER request contains the

“Contact:” header which indicates the IP address of the SIP device.


Presence Hijacking using SiVuS – Presence Hijacking using SiVuS – Regular Register RequestRegular Register Request


The AttackThe Attack


Manipulated REGISTER request Manipulated REGISTER request propertiesproperties

REGISTER sip:216.1.2.5 SIP/2.0Via: SIP/2.0/UDP 192.168.1.6;branch=xajB6FLTEHIcd0From: 732-835-0102 <sip:[email protected]:5061>;tag=5e374a8bad1f7c5x1To: 732-835-0102 <sip:[email protected]:5061>Call-ID: [email protected]: 123456 REGISTERContact: 2125550102 <sip:[email protected]:5061>;Digest username="12125550102",realm="216.1.2.5",nonce="716917624",uri="sip:voip-service-provider.net:5061",algorithm=MD5,response="43e001d2ef807f1e2c96e78adfd50bf7"Max_forwards: 70User Agent: 001217E57E31 VoIP-Router/RT31P2-2.0.13(LIVd)Content-Type: application/sdpSubject: SiVuS TestExpires: 7200Content-Length: 0

IP address of the VoIP device on which a

POTS phone is attached

IP address that calls will be

routed to (attacker)

Authentication MD5 digest can beintercepted

and used to replay messages


Presence Hijacking using SiVuS – Presence Hijacking using SiVuS – The REGISTER MessageThe REGISTER Message


The ExerciseThe Exercise Using SiVuS craft a REGISTER request In the “Contact” header insert your IP

address Send the registration request to the SIP

proxy Make a phone call to the user you

spoofed to see if the call is diverted.


Attacks - EavesdroppingAttacks - EavesdroppingDecoding communications with EtherealDecoding communications with Ethereal


Ethereal capture and decode to Ethereal capture and decode to .au file (1 of 3).au file (1 of 3)



Analyze a session will automatically re-assemble the selected session which can be save to an audio file.



Analyzed sessions can be save to a .au (audio) file.


The resultThe result





OutlineOutline


VoIP and FirewallsVoIP and FirewallsProblems NAT traversal SIP spam Various attacks,

including DoS

Current solutions Application Layer Gateways

(ALGs) Session Border Controllers ICE – Interactive

Connectivity Establishment (STUN, TURN, MIDCOM)





OutlineOutline


ToolsTools Eavesdropping

Ethereal Vomit (vomit - voice over misconfigured internet telephones)

http://vomit.xtdnet.nl/ VoIPong - http://www.enderunix.org/voipong/

Assessment SIVuS – The VoIP Vulnerability Scanner –

www.vopsecurity.org


Tool – Attack TrendTool – Attack Trend

More tools are being developed


Vulnerability Assessment Vulnerability Assessment

SiVuS


SiVuS – Message GeneratorSiVuS – Message Generator


SiVuS - DiscoverySiVuS - Discovery


SiVuS – configurationSiVuS – configuration


SiVuS – Control PanelSiVuS – Control Panel


SiVuS – ReportingSiVuS – Reporting


SiVuS – Authentication AnalysisSiVuS – Authentication Analysis


Intro – Present and Future NGN/ The Converged Network Components & Protocols Security


VoIP Firewalls Assessment Tools Approaches to secure VoIP/NGN networks Conclusions Further Research

OutlineOutline


How do we secure NGN networks?How do we secure NGN networks?

Page 51

SECURITY is NOT a product, it’s a PROCESS !SECURITY is NOT a product, it’s a PROCESS !

Fro

m t

he

gro

un

d u

pF

rom

th

e g

rou

nd

up

Ass

ess

and

Ver

ify

Ass

ess

and

Ver

ify





OutlineOutline


Conclusions (1 of 2)Conclusions (1 of 2) Security is not a product, it’s a process! Can we have adequately secure VoIP networks?

Yes, but at what cost? -> Performance (e.g., There is a performance impact when using

IPSec point to point for signaling) Time and expertise. It requires appropriate resources and time

to secure out of the box products. We need to ask vendors to have baseline security requirements for VoIP products.

Is voice quality degraded with encryption? Not really


Conclusions (2 of 2)Conclusions (2 of 2) How’s security in VoIP products today?

Poor to average security controls are not mature not implemented in deployments Implementations inherit traditional vulnerabilities

(e.g. Buffer Overflows) We need better developed software that do not maintain

poor security standards. Security controls/features to enforce stronger security

posture (protocol, user and administrative) Define and impose baseline security requirements for

product vendors





OutlineOutline


Distributed VoIP Security TestbedDistributed VoIP Security Testbed

NSF funding, $600K http://www.nsf.gov/news/news_summ.jsp?cntn_id=106828

Research areas Denial of Service (DoS) and Distributed DoS (DDoS) Spam and “Spit” Social Networks Identity Management Quality of Service (QoS) and Security Mechanisms


Testbed conceptual viewTestbed conceptual view


VoP Security ForumVoP Security Forum

The objectives of the VoPSecurity.org forum:

Encourage education in NGN/VoIP security through publications, online forums and mailing lists ([email protected] and [email protected])

Develop capabilities (tools, interoperability testing, methodologies and best practices) for members to maintain security in their respective infrastructure.

Conduct research to help identify vulnerabilities and solutions associated with NGN/VoIP.

Coordinate annual member meetings to disseminate information, provide updates and promote interaction and initiatives regarding NGN/VoIP security.

The VoP Security forum is viewed as a mechanism for participating members to be proactive and stay current with the threats and vulnerabilities associated with NGN/VoIP security and extend research in this area.


VoPSecurity ForumVoPSecurity Forum Current Activities

Mailing lists Public ([email protected])

Documentation Intro to NGN Security (available) Vulnerability Analysis Methodology for VoIP networks (in

development) VoIP Firewalls (in development)

Tools SiVuS – VoIP vulnerability Scanner (available)

Research Security evaluation of residential VoIP gateways

Join the

Join the community

community !


StandardsStandards ITU

Focus Group on Next Generation Networks (FGNGN ) - http://www.itu.int/ITU-T/ngn/fgngn/

Open Communications Architecture Forum (OCAF) Focus Group http://www.itu.int/ITU-T/ocaf/index.html

IETF Transport area -

http://www.ietf.org/html.charters/wg-dir.html#Transport%20Area Security Area -

http://www.ietf.org/html.charters/wg-dir.html#Security%20Area ATIS - http://www.atis.org/0191/index.asp

T1S1.1--Lawfully Authorized Electronic Surveillance T1S1.2--Security

Lawful Intercept 3GPP - TS 33.106 and TS 33.107 ETSI DTS 102 v4.0.4


ReferencesReferences NIST –

Security Considerations for VoIP Systems Voice over Internet Protocol (VoIP), Security Technical Implementation Guide (DISA)

http://www.ietf.org/html.charters/iptel-charter.html IP Telephony Tutorial, http://www.pt.com/tutorials/iptelephony/ Signaling System 7 (SS7), http://www.iec.org/online/tutorials/ss7/topic14.html SIP - http://www.cs.columbia.edu/sip/ IP Telephonly with SIP - www.iptel.org/sip/ SIP Tutorials

The Session Initiation Protocol (SIP) http://www.cs.columbia.edu/~hgs/teaching/ais/slides/sip_long.pdf SIP and the new network communications model

http://www.webtorials.com/main/resource/papers/nortel/paper19.htm H.323 ITU Standards, http://www.imtc.org/h323.htm Third Generation Partnership Project (3gpp), http://www.3gpp.org/


Q & AQ & A

Contact info:Peter [email protected] [email protected]

Date post:	08-Jun-2015
Category:	Documents
Upload:	catharine24
View:	2,232 times
Download:	7 times

"Attacks against VOIP"

Documents