Voice over IP: Unsafe at any Bandwidth?

Transcription

1 Universität Hamburg Voice over IP: Unsafe at any Bandwidth? Joachim Posegga Fachbereich Informatik SVS Sicherheit in Verteilten Systemen VoIP Security: Agenda 1. PSTN & VoIP 2. SIP: Session Initiation Protocol 3. Threats 4. SIP Security Mechanisms in Real Life 6. Conclusion Focus: PSTN-oriented View, Consumer Market UH, FB Inf, SVS, 24-Mai-04 (JP) 2 1

2 Public Telephone Networks A Public Telephone Network (PSTN) is a safety-critical, concurrent, real-time, non-stop, fault-tolerant, heterogeneous, distributed system, largely based on software. How come that it works? UH, FB Inf, SVS, 24-Mai-04 (JP) 3 Circuit-Switched Telephony Traditional PSTN Approach SS7 Signaling Network Class 4 Switch SCP Most service logic in local switches, rest in SCPs Class 5 Switch Typically analog loop, conversion to digital at local switch Circuit-based Trunks 64 kb/s digital voice Media stream Class 5 Switch Signaling Payload and Signaling use Separate Networks UH, FB Inf, SVS, 24-Mai-04 (JP) 4 2

3 Voice over IP: Rationale Pro Convergence of voice, data and video infrastructure: reduced long-term network ownership costs New voice-enabled applications (e.g. in call centers) Easy to integrate into IP-based systems Decoupling of Infrastructure & Sevices eases deployment of new services (by new players) Cf. VoIP over UMTS Lower recurring transmission charges Contra Voice Quality (wrt to bandwidth) Reliability / Availability Security UH, FB Inf, SVS, 24-Mai-04 (JP) 5 Protocols for VoIP Signaling Establish, Locate, Setup, Modify and End Sessions SIP (Session Initiation Protocol) H.323 (Packet-based Multimedia Communications Systems) Various protocols to interface with POTS/ISDN Media Transport Transmit Voice Samples RTP (Real-Time Transport Protocol) RTCP (RTP Control Protocol) SCTP (Stream Control Transmission Protocol) Support DNS, Location Servers, QoS, Routing Protocols, AAA TRIP (Telephony Routing over IP) Quality of Service RSVP(Resource Reservation Setup Protocol) UH, FB Inf, SVS, 24-Mai-04 (JP) 6 3

4 What is SIP? The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol for creating, modifying and terminating sessions with one or more participants. These sessions include Internet multimedia conferences, Internet telephone calls and multimedia distribution. UH, FB Inf, SVS, 24-Mai-04 (JP) 7 What is the SIP? SIP components: User location: Where is the end system? User availability: Is the called party willing to engage in communications? User capabilities: What media and media parameters can be used? Session setup: ringing and establishing of session parameters at both parties. Session management: transfer and termination of sessions, modifying session parameters, invoking services. UH, FB Inf, SVS, 24-Mai-04 (JP) 8 4

5 Protocol Components User Agent Handle SIP requests (terminal side) Redirect Server Redirect callers (requests) to another Server Relay Call Signaling ( Proxy requests to another server ) Fork requests to multiple targets Maintain a basic Call-State (or not) Registrar Receive registrations requests regarding user locations Store the information at a Location Server UH, FB Inf, SVS, 24-Mai-04 (JP) 9 SIP Operation Example: Alice calls Bob over the Internet. Their SIP proxies act on behalf of them to facilitate session establishment Phases: location of an end point signal of a desire to communicate negotiation of session parameters teardown of the session Alice s PC INVITE F1 100 Trying F3 180 Ringing F8 200 OK F11 SIP proxy atlanta.com INVITE F2 100 Trying F5 180 Ringing F7 200 OK F10 ACK F12 RTP Media Stream SIP proxy biloxy.com INVITE F4 180 Ringing F6 200 OK F9 Bob s SIP Phone BYE F OK F14 UH, FB Inf, SVS, 24-Mai-04 (JP) 10 5

6 Example of Operation Transaction begins with Alice s phone sending an INVITE request addressed to Bob s SIP URI. INVITE is a SIP method that specifies an action that the requestor (Alice) wants the server (Bob) to take. The INVITE request contains a number of header fields (named attributes): a unique identifier for the call the destination address Alice s address information about the type of session that Alice wishes to establish with Bob UH, FB Inf, SVS, 24-Mai-04 (JP) 11 Overview of Operation INVITE Method name INVITE sip:bob@biloxi.com SIP/2.0 The address which Alice is expecting to receive responses + return path Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hg4bk776asdhds Max-Forwards: 70 To: Bob <sip:bob@biloxi.com> A SIP URI towards which the request was originally directed From: Alice <sip:alice@atlanta.com>;tag= Globally unique identifier Call-ID: a84b4c76e66710@pc33.atlanta.com for this call Sequence number + CSeq: INVITE method name URI that represents a direct route back Contact: <sip:alice@pc33.atlanta.com> Content-Type: application/sdp Content-Length: 142 Content description Details of the session, type of media, codec, sampling rate, etc. are not described in SIP but in the SDP UH, FB Inf, SVS, 24-Mai-04 (JP) 12 6

7 Overview of Operation F1: Alice s Terminal does not know the location of Bob or his SIP server, and sends the INVITE to the SIP server that serves her domain F3: the proxy sends 100 (Trying) back: This indicates that the INVITE has been received, and that the proxy is working on routing the INVITE to the destination. Alice s PC INVITE F1 100 Trying F3 180 Ringing F8 200 OK F11 atlanta.com INVITE F2 100 Trying F5 180 Ringing F7 200 OK F10 ACK F12 RTP Media Stream BYE F OK F14 biloxy.com INVITE F4 180 Ringing F6 200 OK F9 Bob s SIP Phone F2: The atlanta.com proxy locates the proxy biloxi.com, possibly by DNS, adds a Via header and forwards the INVITE request. F4: The proxy queries a location service for the IP address of Bob. It adds another Via header with its own address to the INVITE and proxies it to Bob s SIP phone. UH, FB Inf, SVS, 24-Mai-04 (JP) 13 Overview of Operation F5: The biloxi.com proxy server receives the INVITE and responds with 100 (Trying) back to the atlanta.com proxy server Alice s PC atlanta.com biloxy.com F6: Bob s SIP phone received the INVITE and the phone rings. The phone indicates this in a 180 (Ringing) INVITE F1 Bob s SIP Phone response, which is INVITE F2 routed back in the 100 Trying F3 INVITE F4 reverse direction. 100 Trying F5 180 Ringing F6 180 Ringing F7 180 Ringing F8 The Via header fields determine where to 200 OK F9 send responses; no 200 OK F OK F10 lookups or state in the proxies is ACK F12 needed. RTP Media Stream BYE F OK F14 UH, FB Inf, SVS, 24-Mai-04 (JP) 14 7

8 Overview of Operation F9: Bob decides to answer the call; 200 (OK) indicates that the call has been answered. Alice s PC 200 (OK) contains a message body with the media description (SDP) of the type of session that Bob is willing to establish. INVITE F1 100 Trying F3 180 Ringing F8 200 OK F11 atlanta.com INVITE F2 100 Trying F5 180 Ringing F7 200 OK F10 ACK F12 RTP Media Stream biloxy.com 200 OK F9 If Bob did not answer the call or was busy on another call, an error response would have been sent instead of the 200 (OK). Bob s SIP Phone A proxy server can also forward an INVITE F4 INVITE to a number 180 Ringing F6 of locations ( forking ). BYE F OK F14 UH, FB Inf, SVS, 24-Mai-04 (JP) 15 SIP Response SIP/ OK The first line of the response contains the response code (200) and the reason phrase (OK) Added by biloxy.com SIP Proxy Via: SIP/2.0/UDP server10.biloxi.com;branch=z9hg4bknashds8 ;received= Via: SIP/2.0/UDP bigbox3.site3.atlanta.com;branch=z9hg4bk77ef4c ;received= Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hg4bk776asdhds ;received= To: Bob <sip:bob@biloxi.com>;tag=a6c85cf 465 From: Alice <sip:alice@atlanta.com>;tag= Call-ID: a84b4c76e66710 CSeq: INVITE Contact: <sip:bob@ > Content-Type: application/sdp Content-Length: (Bob s SDP not shown) Added by atlanta.com SIP Proxy Added by Alice s softphone Contains a URI at which Bob can be directly reached at his SIP phone. UH, FB Inf, SVS, 24-Mai-04 (JP) 16 8

9 Overview of Operation atlanta.com biloxy.com F12: Finally, Alice s softphone sends an acknowledgement message to Bob s SIP phone Alice s PC INVITE F1 100 Trying F3 180 Ringing F8 200 OK F11 INVITE F2 100 Trying F5 180 Ringing F7 200 OK F10 ACK F12 RTP Media Stream INVITE F4 180 Ringing F6 200 OK F9 Bob s SIP Phone ACK is sent directly from Alice s softphone to Bob s SIP phone, bypassing the two proxies. The endpoints have learned each other s address from the Contact header fields through the INVITE/200 (OK) exchange. BYE F OK F14 End of INVITE/200/ACK three-way handshake UH, FB Inf, SVS, 24-Mai-04 (JP) 17 Overview of Operation Alice and Bob s media session has started. In general, the end-to-end media packets take a route different from the SIP signaling messages During the session, either Alice or Bob may decide to change the characteristics of the media session by sending a re-invite containing a new media description. The other party sends a 200 (OK) to accept the change. The requestor responds to the 200 (OK) with an ACK. If the other party does not accept the change, he sends an error response such as 406 (Not Acceptable), which also receives an ACK. UH, FB Inf, SVS, 24-Mai-04 (JP) 18 9

10 Overview of Operation F13/F14: At the end of the call, Bob disconnects (hangs up) and generates a BYE message (bypassing the proxies). atlanta.com biloxy.com Alice confirms receipt of the BYE with a 200 (OK) response, which terminates the session and the BYE transaction. Alice s PC INVITE F1 100 Trying F3 180 Ringing F8 200 OK F11 INVITE F2 100 Trying F5 180 Ringing F7 200 OK F10 Bob s SIP Phone INVITE F4 180 Ringing F6 200 OK F9 ACK F12 RTP Media Stream BYE F OK F14 UH, FB Inf, SVS, 24-Mai-04 (JP) 19 Overview of Operation Registration At periodic intervals, Bob s SIP phone REGISTERs on to a server in the biloxi.com domain: the SIP Registrar. SIP Location Server 2. Write in DB SIP Registration Server The REGISTER messages associate Bob s SIP URI (sip:bob@biloxi.com) with the machine he is logged on. The registrar stores this binding in a database, called the location service. 3. Query for Bob s Location 4. Zero (0) or more URIs 1. REGISTER Bob is not limited to registering from a single device. Similarly, more than one user can be registered on a single device. biloxy.com Bob s SIP Phone UH, FB Inf, SVS, 24-Mai-04 (JP) 20 10

11 Overview of Operation Registration F1 REGISTER Bob -> Registrar REGISTER sip:registrar.biloxi.com SIP/2.0 Via: SIP/2.0/UDP bobspc.biloxi.com:5060; branch=z9hg4bknashds7 Max-Forwards: 70 To: Bob From: Bob Call-ID: CSeq: 1826 REGISTER Contact: Expires: 7200 Content-Length: 0 SIP Registration Server REGISTER F1 200 OK F2 Bob s SIP Phone UH, FB Inf, SVS, 24-Mai-04 (JP) 21 Overview of Operation CANCEL The CANCEL is used to cancel a previous request sent by a client (INVITE). A client that receives a CANCEL request for an INVITE, but has not yet sent a final response, would stop ringing, and then respond to the INVITE with a specific error response (487). Alice s PC INVITE F1 100 Trying F2 180 Ringing F3 Bob s SIP Phone CANCEL F4 487 (Request Terminated) F5 UH, FB Inf, SVS, 24-Mai-04 (JP) 23 11

12 VoIP Security: Agenda 1. PSTN & VoIP 2. SIP: Session Initiation Protocol 3. Threats 4. SIP Security Mechanisms in Real Life 6. Conclusion UH, FB Inf, SVS, 24-Mai-04 (JP) 24 General Threats to VoIP Components Protocols Impersonation, chosen protocol attacks, connection hijacking,... Implementation Buffer overflows, race conditions, power and timing analysis,... Viruses/worms (e.g. to capture credentials) Infrastructure Sniffing, injecting, or altering network traffic Every TCP/IP DoS SYN floods Ping floods All other attacks that work against TCP/IP hosts UH, FB Inf, SVS, 24-Mai-04 (JP) 25 12

13 SIP Protocol Threats Denial-of-Service CANCEL BYE Using response codes Call Hijacking Through the Registrar Through the usage of 3xy response messages Mid-Session tricks MITM Attacks Through 301 & 302 Response codes (moved permanently/temporarily) Through 305 (Use Proxy) response code UH, FB Inf, SVS, 24-Mai-04 (JP) 26 Denial of Service Using Response Codes A malicious party can use response codes to introduce a denial of service conditions: 4xx responses are definite failure responses: The client SHOULD NOT retry the same request without modification [..]. 5xx responses are failure responses given when a server itself has erred. 6xx responses indicate that a server has definitive information about a particular user, not just the particular instance indicated in the Request-URI. UH, FB Inf, SVS, 24-Mai-04 (JP) 27 13

14 Call Hijack Re-INVITE this modification can involve changing addresses or ports, adding a media stream, deleting media stream, by sending a new INVITE request within the same dialog that established the session Re-INVITE can introduce other participants to the session: Eavesdropping made easy UH, FB Inf, SVS, 24-Mai-04 (JP) 28 More Threats Covert Channels Unknown Header fields Enumerating OPTIONS Call Leg does not exists Wiretapping Who s in my path? SIP Proxies are allowed to send messages through a set of additional proxies Call Tracking Malicious Clients (more later) UH, FB Inf, SVS, 24-Mai-04 (JP) 29 14

15 VoIP Security: Agenda 1. PSTN & VoIP 2. SIP: Session Initiation Protocol 3. Threats to SIP 4. SIP Security Mechanisms 5. Real Life 6. Conclusion UH, FB Inf, SVS, 24-Mai-04 (JP) 30 SIP Security Mechanisms Authentication of Signaling Data using HTTP Digest Authentication Basic Authentication discouraged, but possible S/MIME Usage within SIP TLS usage within SIP RFC 3261 mandates the use of TLS for proxies, redirect servers, and registrars to protect SIP signaling. Using TLS for UAs is recommended. IPsec usage within SIP IPsec may be used for SIP signaling at the network layer. (Most suited to securing SIP hosts in a SIP VPN scenario or between administrative SIP domains. Confidentiality of Media Data SIP itself does not consider the encryption of media data. RTP may provide confidentiality. UH, FB Inf, SVS, 24-Mai-04 (JP) 31 15

16 Authentication: The Core of VoIP Security Underlying Assumption There is a (universally accessible) trust infrastructure for Authentication (PKI?) Practical Considerations: What is the trust model? Who is going to provide (an interoperable) PKIs? What is the basis for granting certificates? Terminals: Who is the Principal? User? Platform? Process? Network Interface?... How to protect credentials? How will users deal with credentials? Anyone can issue a certificate... -> Doable (though hard) for enterprises, but also consumer-proof? UH, FB Inf, SVS, 24-Mai-04 (JP) 32 Client & Server Security VoIP/SIP components use ordinary computers (PCs) as platforms VoIP systems are (at best) as secure as the underlying platforms Example: Many VoIP devices run Web servers for remote management, which may be vulnerable to attacks ranging from information disclosure to buffer overflows. UH, FB Inf, SVS, 24-Mai-04 (JP) 33 16

17 UH, FB Inf, SVS, 24-Mai-04 (JP) 34 VoIP Terminals Ofir Arkin: The Trivial Cisco IP Phones Compromise Abstract The paper lists several severe vulnerabilities with Cisco systems SIP-based IP Phone 7960 and its supporting environment. These vulnerabilities lead to complete control of a user s credentials,..., and the ability to subvert the entire IP Telephony environment. Sept UH, FB Inf, SVS, 24-Mai-04 (JP) 35 17

18 Spam VoIP Spam (by machines) Much more obtrusive then Spam Your phone rings (in the middle of the night) Blacklisting does not work (cf. ) Whitelisting does not work I want new people to call me Certificates don t work Grant them based on what? Possible Solution Implement a Turing Test to detect machines? UH, FB Inf, SVS, 24-Mai-04 (JP) 36 Lawful Interception Lawful interception (LI) is the legally sanctioned official access to private communications, such as telephone calls or messages. The VoIP provider and the access provider are generally different entities Signaling and payload can take different (unpredictable) routes Signaling and payload traffic are linked together only in terminals Payload encryption is controlled exclusively terminals Can LI be technically deployed without a footprint in terminals? You had to intercept all SIP traffic, and, after call setup, intercept in real time the network traffic of a provider not necessarily known before UH, FB Inf, SVS, 24-Mai-04 (JP) 37 18

19 For the Long-term Memory VoIP is much harder to secure than PSTN: Distributed System, no central management Built-in mobility (cf. GSM) No separate signaling channel Attacks scale easily (e.g. DoS) VOIP inherits all properties of TCP/IP including security weaknesses All problems of complex, IP-based terminals (platform weaknesses, security awareness of users, ) Convergence of two global and structurally different networks introduces new security weaknesses VoIP needs a universal trust infrastructure (based on smart cards?) or very different business models! All hope abandon, ye who enter here! -- Inferno. Canto III, Dante Alighieri UH, FB Inf, SVS, 24-Mai-04 (JP) 38 VoIP: Back to the Roots? Initial Deployment of the Telephone Network Overhead Wires at Broadway and John Street, New York, 1890 UH, FB Inf, SVS, 24-Mai-04 (JP) 39 19