VoIP Security
Threats and Countermeasures
Eric Chen
NTT Information Sharing Platform Laboratories &
VOIPSA Technical Board of Advisors
Agenda
• Increasing awareness of VoIP security
• Top VoIP security threats
• Best current practices
• Ongoing research efforts
Industry Activity
• VoIP Security Alliance (VOIPSA) launched in 2005
• Mission:
  - To promote VoIP security research, education and awareness
  - To become a one-stop source of testing tools/methodologies
• Membership:
  - Over 100 members on the Technical Board
  - Include NTT, Mitel, Avaya, Nortel, Siemens, Alcatel, Extreme Networks, AT&T, Verizon, Columbia University
• “VOIPSEC” mailing list for discussion of VoIP security issues
• Projects: Threat taxonomy, best practices, etc.
VoIP Attack Tools Now Available Online
http://www.hackingvoip.com/
http://www.voipsa.org/Resources/tools.php
More than 80 VoIP attack/security tools known (still increasing)
Finding Targets using Google
• VoIP phones with built-in web servers to allow easy configuration
• May be indexed by Google if connected to the Internet without any protection
• Can easily find these phones using keywords included in the default URLs
(Screenshots: Cisco, Grandstream, Sipura, Polycom)
SPIT: SPam over Internet Telephony
• Definition: Automated telemarketing calls (excluding human calls)
• Not yet a problem due to the small number of VoIP users
• Can be more serious than PSTN marketing calls
  - Can be easily automated
  - Can be performed at low cost
  - Can perform broadcast
  - No country barrier in terms of call charges -> large scale
• Yahoo!BB Phone incidents in Japan
  - 2004/2 Unsolicited commercial messages for an adult website
  - 2004/8 "Number scanning" for active VoIP phone numbers (050-[provider code]-xxxx) at the rate of 6000 calls/day
  - 2004/11 Unsolicited automatic messages asking for personal information
• Contracts with these “spammers” are terminated by the provider
SIP Scanning
• Send requests (REGISTER, OPTIONS, etc.) with various spoofed originating UIDs to a SIP server
• Servers that respond with different replies for valid and invalid UIDs may be exploited
Flood-based DoS Attacks
• VoIP is vulnerable to flood-based DoS attacks at various layers
• General DoS attacks target TCP/IP
  - Same threats as to any web server on the Internet
• VoIP-specific DoS attacks target UDP-based SIP and RTP
  - A flood of bogus signaling packets may overload the CPU of any SIP server or UA
  - A flood of bogus RTP packets may degrade audio stream quality
• Tools available: kphone-ddos, RTP flooder, SIPBomber, SIPsak, Scapy, IAXFlooder and Seagull
Retrieve IP Address
• Motivation
  - Send arbitrary packets to the target
• Method
  - Call the target and sniff the incoming packets
    - Contact info in 200 OK
    - Source IP of the incoming RTP
  (IP address of the target included)
Fuzzing Attacks
• Send malformed SIP messages
  - Buffer overflow
    - Via: SIP/2.0/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  - Integer anomalies
    - Content-Length: -1
  - Invalid addresses
    - INVITE sip:[email protected] SIP/2.0
  - Structural anomalies
    - Cseq: 7038 INVITE a1 a2 a3 a4 a5 a6 a7 a8 a9 a10
• Can either crash the target or execute arbitrary code
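A strict pre-parser check that rejects each of the four anomaly classes listed above before the message reaches the SIP stack. This is an added example, not part of the original slides; the line cap, the accepted transports, the hostname/IPv4-only URI pattern and the mandatory Content-Length are assumed policy choices, and the sample message is constructed.

```python
import re

MAX_LINE = 512  # assumed per-line cap; tune to the deployment
# Request-URI limited to hostnames/IPv4 (assumption: no IPv6 literals in use)
REQUEST_LINE = re.compile(
    r"^([A-Z]+) sips?:(?:[^\s@]+@)?[A-Za-z0-9.-]+(?::\d{1,5})? SIP/2\.0$")
VIA = re.compile(r"^SIP/2\.0/(UDP|TCP|TLS|SCTP) \S+")
CSEQ = re.compile(r"^(\d{1,10}) ([A-Z]+)$")

def check_request(raw):
    """Return the reasons to reject a SIP request; an empty list means accept."""
    problems = []
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if any(len(line) > MAX_LINE for line in lines):
        problems.append("line too long")            # oversized fields
    m = REQUEST_LINE.match(lines[0])
    if not m:
        problems.append("bad request line or address")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            problems.append("header without colon")
            continue
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    for via in headers.get("via", [""]):            # Via is mandatory
        if not VIA.match(via):
            problems.append("bad Via")
    cseq = CSEQ.match(headers.get("cseq", [""])[0])
    if not cseq or (m and cseq.group(2) != m.group(1)):
        problems.append("bad CSeq")                 # extra tokens or method mismatch
    clen = headers.get("content-length", [""])[0]
    if not clen.isdigit() or int(clen) != len(body.encode()):
        problems.append("bad Content-Length")       # negative, missing or wrong
    return problems

# Constructed well-formed request (documentation addresses)
GOOD = ("INVITE sip:bob@example.net SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
        "CSeq: 7038 INVITE\r\n"
        "Content-Length: 0\r\n\r\n")
```

Rejected messages are worth logging with their source address, since a burst of rejections from one peer is itself a signal of fuzzing.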
Eavesdropping
[Diagram: call between Alice and Bob via SIP Proxy A and SIP Proxy B, showing the INVITE and OK signaling messages and the RTP media stream]
• Intercept signaling packets to analyze call patterns
• Intercept conversation
Eavesdropping Scenarios
• Wireless LAN with weak security
• Physical access to intermediate network nodes
• UA vulnerability
• ARP-Spoofing
How to avoid being “Googled”
• Follow the product guidelines
• Disable the web server
• Apply necessary security measures (FW, NAT, etc.)
• Use Google to look for exposed devices in one’s company
Use VoIP Firewalls
• VoIP clients use various RTP ports to connect with their peers outside. Statically opening all possible ports using a regular firewall introduces new threats.
• VoIP firewall
  - Dynamically open/close necessary ports through stateful inspection of VoIP traffic (“pinhole”)
    - Inspect the SDP payload in an INVITE message, extract the UDP port number to be used, and open the port before the session starts
    - Close the port when the BYE message corresponding to the session is detected
  - Hide IP addresses of VoIP clients using NAT to prevent them from being direct targets on the Internet
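The pinhole logic described above, sketched as a small state table: open the RTP port announced in the SDP of an INVITE, close it on the matching BYE. This is an added example, not part of the original slides and not any vendor's implementation; it also opens the port announced in the 200 OK answer (a generalization beyond the slide), keys sessions on Call-ID, and uses constructed messages with documentation addresses.

```python
def split_sip(message):
    """Split a SIP message into start line, lower-cased headers and body."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def sdp_endpoints(body):
    """Return {(ip, udp_port)} for the audio streams announced in an SDP body."""
    session_ip, streams = None, []
    for line in body.splitlines():
        parts = line.split()
        if line.startswith("c=IN IP4 ") and len(parts) == 3:
            if streams:
                streams[-1][0] = parts[2]   # media-level c= overrides session-level
            else:
                session_ip = parts[2]
        elif line.startswith("m=audio ") and len(parts) >= 2 and parts[1].isdigit():
            if 1024 <= int(parts[1]) <= 65535:   # never open privileged ports
                streams.append([session_ip, int(parts[1])])
    return {(ip, port) for ip, port in streams if ip}

class PinholeTable:
    """Per-call RTP pinholes keyed by Call-ID (a model, not a packet filter)."""
    def __init__(self):
        self.pinholes = {}
    def process(self, message):
        start, headers, body = split_sip(message)
        call_id = headers.get("call-id")
        if not call_id:
            return
        answer = start.startswith("SIP/2.0 200") and headers.get("cseq", "").endswith("INVITE")
        if start.startswith("INVITE ") or answer:
            self.pinholes.setdefault(call_id, set()).update(sdp_endpoints(body))
        elif start.startswith("BYE "):
            self.pinholes.pop(call_id, None)   # close every port of that session

    def allows(self, ip, port):
        return any((ip, port) in ports for ports in self.pinholes.values())

# Constructed sample messages (documentation addresses, not captured traffic)
def sip(start, call_id, cseq, sdp=""):
    return f"{start}\r\nCall-ID: {call_id}\r\nCSeq: {cseq}\r\n\r\n{sdp}"

SDP_ALICE = "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/AVP 0\r\n"
SDP_BOB = "v=0\r\nc=IN IP4 198.51.100.20\r\nm=audio 30000 RTP/AVP 0\r\n"
```

A production firewall would additionally expire pinholes on a timer, because a BYE can be lost or never sent.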
Segregation of VoIP Network
• Segregate data and voice networks using VLAN, etc.
  - Minimize impact on voice network from sudden traffic surge caused by PCs infected by worms on data network
  - Reduce the risks of eavesdropping
  - Prevent broadcast traffic on data network from entering VoIP network
• To further prevent unauthorized machines from accessing and attacking voice network
  - IEEE802.1x
  - MAC address filtering
• Allow only dedicated VoIP appliances on voice network (less programmability, less risk of being exploited)
• What to do with soft phones (e.g. X-Lite)?
  - Don’t allow them on mission-critical voice networks
  - Restrict installation of applications
  - Deploy immune networks
Software Updates
• Check various sources for new vulnerability information

Source              | Description                                                        | URL
Vendor HP           | New firmware and patches                                           |
IPA                 | SIP vulnerability report (Japanese only)                           | http://www.ipa.go.jp
CERT/CC, JPCERT/CC  | Security incident report                                           | http://www.cert.org, http://www.jpcert.or.jp
Blue Box            | VoIP security-related podcast; tutorials                           | http://www.blueboxpodcast.com/
VOIPSA              | New VoIP security/attack tools; blog and mailing list discussions  | http://www.voipsa.org/
Penetration Tests
• Conduct simulated attacks using tools available on http://www.voipsa.org/Resources/tools.php
  - PROTOS/Codenomicon (fuzzing)
  - SIPSCAN
  - SiVuS
  - SIPBomber...etc
• Verification criteria
  - Terminal status
  - Connection status
  - QoS
Encryption
• Securing the signaling channel
  - IPSec
  - TLS/DTLS
• Securing the media channel
  - IPSec
  - SRTP (two candidates for SRTP key exchange now at IETF)
    - DTLS-SRTP
    - ZRTP
Vendor Solutions
• Arbor Networks (http://www.arbornetworks.com)
• Borderware (http://www.borderware.com)
• Captus Networks (http://www.captusnetworks.com)
• Cisco’ Riverhead (http://www.cisco.com)
• Ingate (http://www.ingate.com)
• Mazu Networks (http://www.mazunetworks.com)
• Mirage Networks (http://www.miragenetworks.com)
• SecureLogix (http://www.secuirelogix.com)
• Sipera (http://www.sipera.com)
• TippingPoint (http://www.tippingpoint.com)
• TopLayer (http://www.toplayer.com)
Research Opportunities in VoIP Security
• VoIP-specific DDoS attacks
• SPIT
• Adaptive detection against fuzzing attacks
NTT’s SIP Guard for SIP-specific DoS attacks
Eric Y. Chen, "Detecting DoS Attacks on SIP Systems", IEEE workshop on VoIP Management and Security at NOMS 2006, Canada, April 2006
NEC’s VOIP SEAL
Roman Schlegel, Saverio Niccolini, Sandra Tartarelli, Marcus Brunner, “SPam over Internet Telephony (SPIT) Prevention Framework”, GLOBECOM 2006
Other Research Efforts
• Gaston Ormazabal, “Secure SIP: A scalable prevention mechanism for DoS attacks on SIP based VoIP systems”, IPTCOMM 2008
• Charles Shen, “SIP Server Overload Control: Design and Evaluation”, IPTCOMM 2008
• Mohamed Nassar, “Holistic VoIP Intrusion Detection and Prevention System”, IPTCOMM 2007
• Jens Fiedler, “VoIP Defender: Highly Scalable SIP-based Security Architecture”, IPTCOMM 2007
• Ge Zhang, “Denial of Service Attack and Prevention on SIP VoIP Infrastructures Using DNS Flooding”, IPTCOMM 2007
Conclusion
• VoIP is still an emerging technology, and so is its security framework
• No such thing as “perfect security”, but risks can be significantly reduced using currently available solutions
• Challenges for
  - Vendor: Increase effort devoted to software engineering practices to minimize implementation flaws
  - Provider: Learn to securely integrate different physical components (SIP servers, SIP clients) and solutions from multiple vendors
  - User: Be aware of the new threats introduced by VoIP