+ All Categories
Home > Business > Hacking and Attacking VoIP Systems - What You Need To Know

Hacking and Attacking VoIP Systems - What You Need To Know

Date post: 18-Nov-2014
Category:
Upload: dan-york
View: 17,117 times
Download: 3 times
Share this document with a friend
Description:
Presentation by Dan York at AstriCon 2007 about how to secure VoIP systems with a focus on the Asterisk open source PBX. The presentation outlines the issues involved with VoIP security, the tools out there to attack/test VoIP systems, best practices to defend against attacks and ends with some specific security recommendations for Asterisk. Audio will soon be available at http://www.blueboxpodcast.com/ (and will be synced to this presentation).
32
Hacking and Attacking VoIP Systems What You Need To Worry About Dan York, CISSP VOIPSA Best Practices Chair September 27, 2007
Transcript
Page 1: Hacking and Attacking VoIP Systems - What You Need To Know

Hacking and Attacking VoIP Systems

What You Need To Worry About

Dan York, CISSP

VOIPSA Best Practices Chair

September 27, 2007

Page 2: Hacking and Attacking VoIP Systems - What You Need To Know

© 2007 VOIPSA and Owners as Marked p.

Privacy

Compliance

Cost Avoidance

Availability

Business Continuity

Confidence

Mobility

Page 3: Hacking and Attacking VoIP Systems - What You Need To Know

© 2007 VOIPSA and Owners as Marked p.

Page 4: Hacking and Attacking VoIP Systems - What You Need To Know

© 2007 VOIPSA and Owners as Marked p.

Page 6: Hacking and Attacking VoIP Systems - What You Need To Know

© 2007 VOIPSA and Owners as Marked p.

TDM security is relatively simple...

TDMSwitch

PSTNGateways

PhysicalWiringVoicemail

Page 7: Hacking and Attacking VoIP Systems - What You Need To Know

© 2007 VOIPSA and Owners as Marked p.

VoicemailPhysicalWiring

Databases

Directories

E-mailSystems

WebServers

VoIP security is more complex

OperatingSystems

Firewalls

DesktopPCs

Voice overIP

NetworkSwitches

WirelessDevices

PDAs

PSTNGateways

InstantMessaging

Standards

Internet

Page 8: Hacking and Attacking VoIP Systems - What You Need To Know

© 2007 VOIPSA and Owners as Marked p.

What is the Industry Doing to Help?

Security Vendors

“The Sky Is Falling!”(Buy our products!)

VoIP Vendors

“Don’t Worry, Trust Us!”(Buy our products!)

Page 9: Hacking and Attacking VoIP Systems - What You Need To Know

© 2007 VOIPSA and Owners as Marked p.

Voice Over IP Security Alliance (VOIPSA)

ClassificationTaxonomy of

Security Threats

SecurityResearch

Best Practicesfor VoIPSecurity

SecuritySystemTesting

OutreachCommunication

of Findings

Market and SocialObjectives and

Constraints

Published Active Now Ongoing

LEGEND

• www.voipsa.org – 100 members from VoIP and security industries• VOIPSEC mailing list – www.voipsa.org/VOIPSEC/• “Voice of VOIPSA” Blog – www.voipsa.org/blog• Blue Box: The VoIP Security Podcast – www.blueboxpodcast.com• VoIP Security Threat Taxonomy• Best Practices Project underway now

Page 10: Hacking and Attacking VoIP Systems - What You Need To Know

VoIP Security

Page 11: Hacking and Attacking VoIP Systems - What You Need To Know

© 2007 VOIPSA and Owners as Marked p.

Security concerns in telephony are not new…

Image courtesy of the Computer History Museum

Page 12: Hacking and Attacking VoIP Systems - What You Need To Know

© 2007 VOIPSA and Owners as Marked p.

Nor are our attempts to protect against threats…

Image courtesy of Mike Sandman – http://www.sandman.com/

Page 13: Hacking and Attacking VoIP Systems - What You Need To Know

© 2007 VOIPSA and Owners as Marked p.

Security Aspects of IP Telephony

Media / Voice

PSTN

CallControl

TCP/IPNetwork

Management

Policy

Page 14: Hacking and Attacking VoIP Systems - What You Need To Know

© 2007 VOIPSA and Owners as Marked p.

Media

Eavesdropping

Degraded Voice Quality

Encryption

Packet Filtering

Virtual LANs (VLANs)

Page 15: Hacking and Attacking VoIP Systems - What You Need To Know

© 2007 VOIPSA and Owners as Marked p.

Signaling

Denial of Service

Impersonation

Encryption

Proper Programming

Encrypted Phone Software

Toll Fraud

Page 16: Hacking and Attacking VoIP Systems - What You Need To Know

© 2007 VOIPSA and Owners as Marked p.

Management

Web Interfaces

APIs!

Encryption

Patches? We don’t need...

Change Default Passwords!

Phones!

Page 17: Hacking and Attacking VoIP Systems - What You Need To Know

© 2007 VOIPSA and Owners as Marked p.

PSTN

Page 18: Hacking and Attacking VoIP Systems - What You Need To Know

© 2007 VOIPSA and Owners as Marked p.

Internet LAN

Page 19: Hacking and Attacking VoIP Systems - What You Need To Know

© 2007 VOIPSA and Owners as Marked p.

What about SPIT? (“SPam over Internet Telephony”)

•Makes for great headlines, but not yet a significant threat •Fear is script/tool that:

–Iterates through calling SIP addresses:

[email protected], [email protected], …

• Opens an audio stream if call is answered (by person or voicemail)

–Steals VoIP credentials and uses account to make calls

•Reality is that today such direct connections are generally not allowed

•This will change as companies make greater useof SIP trunking and/or directly connect IP-PBXsystems to the Internet (and allow incoming callsfrom any other IP endpoint)

•Until that time, Telemarketers have to initiate unsolicited calls through the PSTN to reach their primary market: slows them down and adds cost

SPAM

Page 20: Hacking and Attacking VoIP Systems - What You Need To Know

© 2007 VOIPSA and Owners as Marked p.

LAN

Internet

PSTN

The Challenge of SIP Trunking

SIP ServiceProvider

IP-PBX

Page 21: Hacking and Attacking VoIP Systems - What You Need To Know

VoIP Security Tools

Page 22: Hacking and Attacking VoIP Systems - What You Need To Know

www.voipsa.org/Resources/tools.php

© 2007 VOIPSA and Owners as Marked p.

www.hackingvoip.com

Page 23: Hacking and Attacking VoIP Systems - What You Need To Know

© 2007 VOIPSA and Owners as Marked p.

Page 24: Hacking and Attacking VoIP Systems - What You Need To Know

© 2007 VOIPSA and Owners as Marked p.

Tools, tools, tools...

•UDP Flooder• IAX Flooder• IAX Enumerator•ohrwurm RTP Fuzzer•RTP Flooder• INVITE Flooder•AuthTool•BYE Teardown•Redirect Poison•Registration Hijacker•Registration Eraser•RTP InsertSound•RTP MixSound•SPITTER

•Asteroid•enumIAX• iWar•StegRTP•VoiPong•Web Interface for SIP Trace•SIPScan•SIPCrack•SiVuS•SIPVicious Tool Suite•SIPBomber•SIPsak•SIP bot

Page 25: Hacking and Attacking VoIP Systems - What You Need To Know

Asterisk & Security

Page 26: Hacking and Attacking VoIP Systems - What You Need To Know

www.asterisk.org/security

© 2007 VOIPSA and Owners as Marked p.

Page 27: Hacking and Attacking VoIP Systems - What You Need To Know

© 2007 VOIPSA and Owners as Marked p.

Security Suggestions for Asterisk

1. TLS-encrypted SIP• needs SIP over TCP first...

2. Secure RTP (SRTP)• there’s a patch

3. SRTP Key Exchange• sdescriptions now, DTLS or potentially ZRTP in the future

4. Figure out the phone configuration mess• so that the web servers on the phones can be disabled

• auto configuration is a start, but how secure are the config files?

5. Identity• RFC 4474 (SIP Identity)

6. Watch out for the APIs and the apps• always fun when a rolodex app can crash your phone system!

7. Toll fraud??8. Testing with tools?

If Asterisk is configured to use IMAP as its backend storage for voicemail, then an e-mail sent to a user with an invalid/corrupted MIME body will cause Asterisk to crash when the user listens to their voicemail using the phone.

Page 28: Hacking and Attacking VoIP Systems - What You Need To Know

Resources

Page 29: Hacking and Attacking VoIP Systems - What You Need To Know

© 2007 VOIPSA and Owners as Marked p.

Security Links

•VoIP Security Alliance - http://www.voipsa.org/ –Threat Taxonomy - http://www.voipsa.org/Activities/taxonomy.php

–VOIPSEC email list - http://www.voipsa.org/VOIPSEC/

–Weblog - http://www.voipsa.org/blog/

–Security Tools list - http://www.voipsa.org/Resources/tools.php

–Blue Box: The VoIP Security Podcast - http://www.blueboxpodcast.com

•NIST SP800-58, “Security Considerations for VoIP Systems”– http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf

•Network Security Tools– http://sectools.org/

•Hacking Exposed VoIP site and tools– http://www.hackingvoip.com/

Page 30: Hacking and Attacking VoIP Systems - What You Need To Know

Q&eh?

www.voipsa.org

Page 31: Hacking and Attacking VoIP Systems - What You Need To Know

© 2007 VOIPSA and Owners as Marked p.

Speaker Introduction – Dan York

Dan York, CISSP, is the Best Practices Chair for the VOIP Security Alliance where he leads the project to develop and document a concise set of industry-wide best practices for security VoIP systems. He is also heading up VOIPSA's move into "social media" with the launch of the Voice of VOIPSA group weblog. Additionally, York is the producer of Blue Box: The VoIP Security Podcast where each week he and co-host Jonathan Zar discuss VoIP security news and interview people involved in the field.

Most recently he served as Director of IP Technology reporting to the CTO of Mitel Corporation and focused on emerging VoIP technology and VoIP security. As chair of Mitel's Product Security Team, he coordinates the efforts of a cross-functional group to communicate both externally and internally on VoIP security issues, respond to customer inquiries related to security, investigate security vulnerability reports, and monitor security standards and trends. Previously, York served in Mitel Product Management bringing multiple products to market including Mitel's secure VoIP Teleworker Solution in 2003.

His writing can also be found online at his weblog, Disruptive Telephony.

Page 32: Hacking and Attacking VoIP Systems - What You Need To Know

© 2007 VOIPSA and Owners as Marked p.

Other Best Practices

• Network–Networks should be evaluated for readiness to carry VoIP traffic.

–Secure mechanisms should be used for traversal of firewalls.

• Phone Sets–Set software loads should be encrypted and tamper-proof.

–Sets should run the minimum of services required.

–Connection of a set to the system must require an initial authentication and authorization.

• Servers–Servers should be incorporated into appropriate patch management and anti-virus systems.

–Sufficient backup power should be available to maintain operation of telephony devices (and necessary network infrastructure) in the event of a power failure.

• Wireless–All wireless devices should implement WPA and/or WPA2 versus WEP.

Policy

Media / Voice

CallControl

Management

PSTN

TCP/IPNetwork


Recommended