Date posted: 18-Nov-2014
Category: Technology
Uploaded by: tomgilis
Thursday, March 26, 2009
Security Challenges in VoIP
Tom Gilis – Security Consultant
26 March 2009 © Copyright Dimension Data 2000 - 2009
Agenda
Introduction
Segregation of Voice and Data
VoIP security threats
Conclusion
Who am I and what am I doing here?
Tom Gilis
Security Consultant with Dimension Data
Penetration tests of infrastructures and applications
Risk analysis
Purpose
Create awareness around VoIP security
Identify security risks and weaknesses
Evaluate protection mechanisms
Do we need more security with VoIP?
VoIP
Uses an existing network (and its flaws)
Increase in potential attackers
Offers more services
PBX
More difficult to access
Required specialized knowledge
VoIP Networks today
Network segregation
Separate voice and data network
Improve security
Easier management
Quality of service
Physical
• Expensive
• New infrastructure
• Difficult deployment
Virtual
• Cheaper
• Uses current infrastructure
• Easier deployment
You probably already use …
Virtual Local Area Networks (VLANs)
Group devices together in one segment
Separate Voice and Data network
VLAN Trunking
Automatic VLAN configuration
I. DHCP Options
II. Proprietary protocols (LLDP)
III. …
Automatic VLAN configuration
Security tool: VoIPHopper
(voiphopper.sourceforge.net)
Easy = YES, Security = NO!
Add authentication layer...
802.1X standard
Authentication and authorization
Username/password or certificates
Compatible with VLAN Trunking
Requires:
Phone and switch support
Authentication server
User administration
Good effort but …
Off-line brute force/dictionary attack tool
(xtest.sourceforge.net)
Conclusion segregation
Recommended
− Quality of service
− First security barrier
Hard to properly protect
Not always possible
Segregation alone is NOT enough!
Information Security – CIA Triad
Confidentiality, Integrity, Availability
Information Security in VoIP
Confidentiality, Integrity, Availability, Quality of Service (C I A Q)
VoIP Call setup
VoIP Security threats
Unauthorized access
Interruption-of-service
Eavesdropping
Registration and Media manipulation
Social threats
Unauthorized access
Gaining unauthorized access to a VoIP system or component
using one of the remote services.
Administrative services (Telnet, HTTP(S), TFTP, …)
− Attacks: Password sniffing, Brute force attack, Exploits, …
− Goal: Change configuration, abuse telephone network …
− Protection:
System hardening (Vendor patches, ACLs, …)
Good password policy
Impact: C I A Q
Unauthorized access - TFTP bruteforce
(Figure: Brutefile.txt. Source: hackingvoip.com)
Unauthorized access – VoIP Server
Interruption-of-service
Disrupting the VoIP service by attacking an essential part of the
voice network.
Network
− Denial-of-service
− SYN-flooding
− ARP spoofing
Service
− DNS
− DHCP
Application
− SIP flooding attack
− RTP/RTCP injections
Interruption-of-service – Network
Disrupting the VoIP service by attacking network components
Denial-of-service attacks
− Attacks: DDoS, Ping of Death, ICMP Flooding, SYN Flooding…
− Goal: Bring down an essential part of the VoIP network (routers, VoIP
gateways, telephones, …), create delay, jitter or packet drops, …
− Protection:
Firewall
Intrusion Prevention Systems (IPS)
Impact: A Q
Interruption-of-service – Services
Disrupting proper VoIP communication by attacking an essential
service
DNS/DHCP/…
− Attacks: Rogue DHCP server, DNS Cache poisoning, …
− Goal: Re-route traffic to another compromised host, block new systems
from accessing the network
− Protection (Network level):
Rogue DHCP server detection
Intrusion Prevention Systems
Impact: A
Interruption-of-service – Application
Disrupting proper communication by targeting security weaknesses or
risks in VoIP control or signaling protocols
SIP/H323/RTCP/…
− Attacks: SIP INVITE flooding, SIP/RTCP or malformed packet
injection,…
− Goal: Flooding SIP proxy, terminating or disturbing calls through
injection of malicious messages, delay, jitter, packet drops, …
− Protection:
Enforce authentication for all packets (preferably mutual)
Firewall or IPS with VoIP capabilities
Impact: A Q
SiVuS – VoIP Vulnerability Scanner
Eavesdropping
Listening in on private communications between two or more
VoIP devices.
RTP (Real-time Transport Protocol)
− Attacks: MAC spoofing, WiFi hacking, ARP spoofing, MITM, …
− Goal: Gain access to the media stream
− Protection:
Network hardening
Encryption
– Protocol encryption SRTP, ZRTP
– (D)TLS, IPSec tunnels
Impact: C
ARP Spoof – Man-in-the-middle
Man-in-the-middle attack
Eavesdropping - Wireshark
Registration manipulation
Manipulating or inserting registration packets in order to redirect
or hijack sessions
Signalling protocols (SIP, H323)
− Attacks: Registration removal, hijacking or addition
− Goal: Masquerading, eavesdropping, …
− Protection:
Require authentication for all packets
Enforce decent password policy
Impact: C I
SiVuS – Password Bruteforcing
Attacks SIP authentication
Works both online and offline
Numeric passwords up to 10 chars +/- 8 min
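Added example (not part of the original slides): a sliding-window detector for the two SIP abuse patterns named above, INVITE flooding and online password guessing against SIP registration, as a form of the logging and monitoring the deck recommends. The log format, thresholds and sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Thresholds are assumptions for illustration; tune them to your own baseline.
WINDOW_SECONDS = 10
LIMITS = {"invite_flood": 20,          # INVITEs per source per window
          "register_bruteforce": 5}    # rejected authenticated REGISTERs

def parse_line(line):
    """Parse '<epoch> <src_ip> <method> <status> <creds 0|1>' (hypothetical format)."""
    ts, src, method, status, creds = line.split()
    return float(ts), src, method.upper(), int(status), creds == "1"

def classify(method, status, creds):
    if method == "INVITE":
        return "invite_flood"
    # A 401 to a REGISTER *without* credentials is the normal digest challenge,
    # so only rejections of requests that carried credentials count as guesses.
    if method == "REGISTER" and creds and status in (401, 403):
        return "register_bruteforce"
    return None

def detect(lines, window=WINDOW_SECONDS):
    """Return the set of (src_ip, alert) pairs that exceeded a limit in any window."""
    seen = defaultdict(deque)          # (src, alert) -> timestamps inside the window
    alerts = set()
    for line in lines:
        try:
            ts, src, method, status, creds = parse_line(line)
        except ValueError:
            continue                   # skip malformed lines, keep processing
        kind = classify(method, status, creds)
        if kind is None:
            continue
        q = seen[(src, kind)]
        q.append(ts)
        while ts - q[0] > window:      # drop events older than the window
            q.popleft()
        if len(q) > LIMITS[kind]:
            alerts.add((src, kind))
    return alerts

def sample_log():
    """Constructed sample: a normal phone, a flooding source, a guessing source."""
    lines = ["1000.0 192.0.2.20 REGISTER 401 0", "1000.2 192.0.2.20 REGISTER 200 1",
             "1001.0 192.0.2.20 INVITE 200 1", "garbage line"]
    lines += [f"{1000 + i * 0.1:.1f} 198.51.100.7 INVITE 100 0" for i in range(30)]
    lines += [f"{1000 + i:.1f} 203.0.113.9 REGISTER 401 1" for i in range(8)]
    return lines

if __name__ == "__main__":
    print(sorted(detect(sample_log())))
```

The normal phone at 192.0.2.20 raises no alert because its single 401 is the unauthenticated challenge that precedes every legitimate registration.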
Media manipulation
Manipulation of the media stream exchanged between two
clients
RTP (Real-time Transport Protocol)
− Attacks: RTP injection
− Goal: Change or add certain voice messages in a conversation
− Protection:
Network hardening
Protocol encryption SRTP, ZRTP
(D)TLS, IPSec tunnels
Impact: C I
Social threat – VoIP Spam (SPIT)
Abusing public VoIP service providers or hacked VoIP solutions
to get commercial messages to the different users
Direct access to target user
Low costs
Hard to protect against
Not popular now but what about in the future?
Interconnections through SIP trunks
More VoIP end-to-end
Easier access
Social threat – VISHING
Social engineering attacks in order to entice users to call a
specific number and give out confidential information
Information Security in VoIP
Confidentiality & Integrity
• Use encryption where possible
− Application layer:
SRTP, ZRTP, S/MIME in SIP
− Transport/Network Layer:
(D)TLS, IPSec
• Authentication
− Preferably mutual
− Strong passwords
• Keep your software up-to-date
Information Security in VoIP
Availability and Quality-of-Service
• Network hardening
• Security devices
− Firewall
− Intrusion Prevention System
• Redundancy
− Fail-over
− UPS
• Logging and monitoring
Conclusion – Security threats
Costs vs. Security
Added infrastructure:
Better and faster hardware
PKI environment, RADIUS server, …
Maintenance
Installation
YES, secure VoIP exists!
Recommendations
Design and implement a secure network environment
Use encryption where possible
Assure availability through proper redundancy – e.g. Network
infrastructure, UPS, …
Good password management
Don’t use soft-phones
Protect your wireless clients with proper protection
Penetration tests and security audits
Questions and Answers
Thank you!