Security Challenges In VoIP

Thursday, March 26, 2009

Security Challenges in VoIP

Tom Gilis – Security Consultant

26 March 2009© Copyright Dimension Data 2000 - 20092

Agenda

Introduction

Segregation of Voice and Data

VoIP security threats

Conclusion


Agenda

Introduction



Conclusion


Who am I and what am I doing here ?

Tom Gilis

Security Consultant with Dimension Data

Penetration tests infrastructures and applications

Risk analysis

Purpose

Create awareness around VoIP security

Identify security risks and weaknesses

Evaluate protection mechanisms


Do we need more security with VoIP?

VoIP

Uses an existing network (and its flaws)

Increase in potential attackers

Offers more services

PBX

More difficult to access

Required specialized knowledge


VoIP Networks today


Agenda

Introduction



Conclusion


Network segregation

Separate voice and data network

Improve security

Easier management

Quality of service

Physical Virtual

• Expensive

• New infrastructure

• Difficult deployment

• Cheaper

• Uses current infrastructure

• Easier deployment


You probably already use …

Virtual Local Access Networks

Group devices together in one segment

Separate Voice and Data network

VLAN Trunking

Automatic VLAN configuration

I. DHCP Options

II. Proprietary protocols (LLDP)

III. …


Automatic VLAN configuration

Security tool: VoIPHopper

(voiphopper.sourceforge.net)

Easy = YES , Security = NO !


Add authentication layer...

802.1X standard

Authentication and authorization

Username/password or certificates

Compatible with VLAN Trunking

Requires:

Phone and switch support

Authentication server

User administration


Good effort but …

Off-line brute force/dictionary attack tool

(xtest.sourceforge.net)


Conclusion segregation

Recommended

− Quality of service

− First security barrier

Hard to properly protect

Not always possible

Segregation alone is NOT enough!


Agenda

Introduction



Conclusion


Confidentiality

Availability Integrity

Information

Security

Information Security – CIA Triad


Confidentiality

Availability Integrity

Information

Security in

VoIP

Information Security in VoIP

Quality of

Service

C I A Q


VoIP Call setup


VoIP Security threats

Unauthorized access

Interruption-of-service

Eavesdropping

Registration and Media manipulation

Social threats


Unauthorized access

Gaining unauthorized access to a VoIP system or component

using one of the remote services.

Administrative services (Telnet, HTTP(S), TFTP, …)

− Attacks: Password sniffing, Brute force attack, Exploits, …

− Goal: Change configuration, abuse telephone network …

− Protection:

System hardening (Vendor patches, ACL’s, …)

Good password policy

C I A Q


Source: hackingvoip.com

Brutefile.txt

Unauthorized access - TFTP bruteforce


Source: hackingvoip.com

Brutefile.txt

Unauthorized access - TFTP bruteforce


Unauthorized access – VoIP Server


Interruption-of-service

Disrupting the VoIP service by attacking an essential part of the

voice network.

Network − Denial-of-service

− SYN-flooding

− ARP spoofing

Service− DNS

− DHCP

Application− SIP flooding attack

− RTP/RTCP injections


Interruption-of-service – Network

Disrupting the VoIP service by attacking network components

Denial-of-service attacks

− Attacks: DDoS, Ping of Death, ICMP Flooding, SYN Flooding…

− Goal: Bring down an essential part of the VoIP network (routers, VoIP

gateways, telephones, …), create delay, jitter or packets drops…

− Protection:

Firewall

Intrusion Prevention Systems (IPS)

A Q


Interruption-of-service – Services

Disrupting proper VoIP communication by attacking an essential

service

DNS/DHCP/…

− Attacks: Rogue DHCP server, DNS Cache poisoning, …

− Goal: Re-route traffic to another compromised host, block new systems

from accessing the network

− Protection (Network level):

Rogue DHCP server detection

Intrusion Prevention Systems

A


Interruption-of-service – Application

Disrupting proper communication by targeting a VoIP control or

signaling protocols’ security weaknesses or risks

SIP/H323/RTCP/…

− Attacks: SIP INVITE flooding, SIP/RTCP or malformed packet

injection,…

− Goal: Flooding SIP proxy, terminating or disturbing calls through

injection of malicious messages, delay, jitter, packet drops, …

− Protection:

Enforce authentication for all packets (preferably mutual)

Firewall or IPS with VoIP capabilities

A Q


SiVuS – VoIP Vulnerability Scanner


Eavesdropping

Listening in on private communications between two or more

VoIP devices.

RTP (Real-time Transport Protocol)

− Attacks: MAC spoofing, WiFi hacking, ARP spoofing, MITM, …

− Goal: Gain access to the media stream

− Protection:

Network hardening

Encryption

– Protocol encryption SRTP, ZRTP

– (D)TLS, IPSec tunnels

C


ARP Spoof – Man-in-the-middle

Man-in-the-middle attack


Eavesdropping - Wireshark


Registration manipulation

Manipulating or inserting registration packets in order to redirect

or hijack sessions

Signalling protocols (SIP, H323)

− Attacks: Registration removal, hijacking or addition

− Goal: Masquerading, eavesdropping, …

− Protection:

Require authentication for all packets

Enforce decent password policy

C I


SiVuS – Password Bruteforcing

Attacks SIP authentication

Works both online as offline

Numeric passwords up to 10 chars +/- 8 min


Media manipulation

Manipulation of the media stream exchanged between two

clients

RTP (Real-time Transport Protocol)

− Attacks: RTP injection

− Goal: Change or add certain voice messages in a conversion

− Protection:

Network hardening

Protocol encryption SRTP, ZRTP

(D)TLS, IPSec tunnels

C I


Social threat – VoIP Spam (SPIT)

Abusing public VoIP service providers or hacked VoIP solutions

to get commercial messages to the different users

Direct access to target user

Low costs

Hard to protect against

Not popular now but what about in the future?

Interconnections through SIP trunks

More VoIP end-to-end

Easier access


Social threat – VISHING

Social engineering attacks in order to entice users to call a

specific number and give out confidential information


Agenda

Introduction



Conclusion



Confidentiality & Integrity

•Use encryption where possible

− Application layer:

SRTP, ZRTP, S/MIME in SIP

− Transport/Network Layer:

(D)TLS, IPSec

•Authentication

− Preferably mutual

− Strong passwords

•Keep your software up-to-date



Availability and Quality-of-Service

•Network hardening

•Security devices

− Firewall

− Intrusion Prevention System

•Redundancy

− Fail-over

− UPS

•Logging and monitoring


Conclusion – Security threats

Costs VS SecurityAdded infrastructure:

Better and faster hardware

PKI environment, RADIUS server, …

Maintenance

Installation

YES, secure VoIP exists !


Recommendations

Design and implement a secure network environment

Use encryption where possible

Assure availability through proper redundancy – e.g. Network

infrastructure, UPS, …

Good password management

Don’t use soft-phones

Protect your wireless clients with proper protection

Penetration tests and security audits


Questions and Answers

Thank you !

Date post:	18-Nov-2014
Category:	Technology
Upload:	tomgilis
View:	2,674 times
Download:	0 times

Security Challenges In VoIP

Technology