VOIP Security: Threats, And. Counter Measures. Researchjournali s Journal of Computer Science. Department of Computer Science, Ebonyi State

Transcription

1 1 VOIP Security: Threats, And Counter Measures Francis N. Nwebonyi Department of Computer Science, Ebonyi State University, Abakaliki, Nigeria Nweso Emmanuel Nwogbaga Department of Computer Science, Ebonyi State University, Nigeria

2 2 ABSTRACT VoIP (Voice Over Internet Protocol) has become popular among organisations and users. Its ability to converge voice, images and data in the same network makes it more flexible and cost effective compared to the traditional telephone system. However, it comes with a number of security constraints in the midst of these advantages. We give an overview of VoIP protocols and the vulnerabilities that accompany them, as well as the classification of threats that are associated with VoIP. We also present popular attacks on VoIP systems, and measures to mitigate such attacks. We suggest more research on some areas, while encouraging the adoption of some already proposed security approaches for VoIP systems. This paper aims to offer relevant security tips for VoIP users and practitioners. Keywords: VoIP (Voice over Internet Protocol); SIP (Session Initiation Protocol); H.323; Vulnerabilities; Attacks; VoIPSA; Mitigation 1. INTRODUCTION Technological advancement is on a rapid growth; new technologies evolve regularly and are also adopted by organizations/individuals at a similar rapid rate. VoIP (Voice over Internet Protocol) is a product of this technological growth that allows the flow of voice, data and images through a packet data network. This gives it more flexibility and cost effective advantage over the traditional telephone system [1], thus making it popular among organisations and individuals in a manner that many want to use it. However, with this rapid adoption of VoIP, there is always a form of struggle in balancing its numerous advantages with some accompanied security concerns [2]. In most cases the interest of users in the advantages seem to outweigh the involved security concerns, and as a result, they pay less attention to the security side; giving attackers numerous platforms to launch attacks and exploit the services for their personal gain. Many of the advantages of VoIP are traceable to the IP network through which it is transmitted. On the other hand, the internet's open architecture has also made it vulnerable to many attacks. This combines with other vulnerabilities from the VoIP protocols to increase security concerns in VoIP systems [5]. The codecs and configurations required for VoIP infrastructures and protocols to smoothly interact with the infrastructures of the IP network usually introduce high complexity in VoIP systems. This complexity also leads to variety of threats due to unforeseen interaction of components [3]. Accordingly, many VoIP products are weak [2] and vulnerable to many potential security threats some of which are inherent from the traditional telephone system and many others from data network which it uses. This paper looks into security vulnerabilities, threats and attacks on VoIP, suggesting possible approaches to detect, avoid or reduce them. In section II the protocols of VoIP are addressed, this is necessary because

3 3 VoIP security has everything to do with the security of its protocols. Section III presents some vulnerabilities of VoIP. In session IV we present common attacks on VoIP systems, followed by mitigation measures in section V. While conclusion and future work is presented in section VI. 2. VOIP PROTOCOLS/STANDARDS VoIP uses a number of protocols for various specific roles during massage transmission. It uses H.323, SIP and MGCP (Media Gateway Control Protocol) for signaling, which involve setting up calls, modifications of calls and tear-down. It also uses the RTP and RTCP as media transport protocols, involved in transportation of multimedia and voice data from one end to the other. These are all application layer protocols, they operate on top of IP protocol. In this section we shall look into H.323 and SIP which are the major protocols of VoIP [3]. H.323 H.323 is an ITU-T's standard. It allows real time audio, data, as well as video communications. It uses Secure Real Time Protocol (SRTP) for providing confidentiality, and Multimedia Internet Keying (MIKEY) for exchanging keys [2]. H.323 defines four entities/logical components, which include Terminals (or endpoints), Gateways, Gatekeepers and Multipoint Control Units (MCUs). The endpoints include telephones, PCs, etc, used by the end-users to interact. Gateways take care of signaling and media transport. They serve as interface to other network types such as PSTN, ISDN or other H.323 system. For instance, if a packet based network such as VoIP is to connect to a circuit switched network such as PSTN, then an interface must reconcile them to each other; this is done by the gateways. Gatekeepers on the hand perform the task of address resolution between Alias addresses and IP addresses. They also manage the access of endpoints to services and monitors service usage. And MCUs which is the fourth component of H.323 provides support for conferencing between three or more endpoints [4]. SIP (Session Initiation Protocol) SIP is an application layer signaling protocol [5], it uses a client/server transaction model that is similar to HTTP [6]. It is primarily used for creating, modifying as well as terminating sessions between two or more participants. SIP is designed to support the following five main multimedia communication services; User location, User availability, user capabilities, session setup and session management. The user location identifies the endpoint of an SIP session while the user availability gives the participant an opportunity to indicate if he/she is willing to engage in the communication. Similarly, the user capabilities service allows for the agreement upon communication media parameters and the establishment of such media. The session setup is where the session parameters are usually negotiated and established. And the session management allows for session modification, data transfer, calling up appropriate services and session termination. Although SIP

4 4 also uses some other protocols to perform necessary tasks that allow participants to communicate successfully, the above mentioned are the major ones [4]. SIP massages can be classified into two; request and respond. The six requests (or methods) used by SIP include; REGISTER, INVITE, ACK, OPTIONS, BYE and CANCEL. The SIP server usually generates an SIP response when a request is sent to it; each of these responses is usually identified with a numeric static code [5] as illustrated in figure I. Figure I SIP is more flexible than H.323, it is also less expensive to install. It supports SRTP used for securing media traffic as well as TSL and S/MIME for the protection of signaling. The flexibility, extensibility and openness of SIP is giving it increased adoption as a signaling protocol for internet real-time communication [7]. 3. VULNERABILITIES AND THREATS ASSOCIATED WITH VOIP The quest for openness, modularity, interoperability and flexibility [3] in VoIP systems usually lead to much configurations and codecs that raise the complexity of VoIP systems so high that they are more vulnerable to attacks than some other communication systems such as the traditional telephone system. Some of these vulnerabilities are directly associated with the protocols used by the VoIP system, while others arise from the network through which VoIP transmits. We discuss some of these vulnerabilities under the following heading. 3.1 VOIP VULNERABILITIES Many vulnerabilities that affect VoIP has to do with Session Initiation Protocol (SIP) which is the most popular signaling protocol in VoIP [7]. As could be noticed from session II, SIP Transaction Users (TU)

5 5 maintain transaction state for some amount of time, this include INVITATION, ACK, and others, as illustrated in figure II above. Keeping the transaction state in this manner could also be a vulnerability, since it can be exploited with ease by flooding the process with outrageous number of requests. Some malicious INVITE requests could be used to launch attacks, examples of such INVITE massage include the intertwining of spoofed INVITE massages that are carrying wrong credentials in the INVITE massage exchange authentication cycle, and replaying pre-coded INVITE massages, etc [8]. Furthermore, SIP devices are fundamentally software driven, the same classes of vulnerabilities faced by other software also apply to them. For instance, SIP hardphones and softphones are both vulnerable to buffer overflows; allowing malicious users access to the system, even to the point of gaining full control of the device. This type of vulnerabilities emerge from poor programming practices and poor testing, as well as from choice of programming languages, [3]. H.323 is also not free from vulnerabilities, its authentication process also exposes it to vulnerability of username enumeration and password retrieval. In the authentication process, the H.323 endpoints usually sends its username and password to the authentication device. Although the password is usually sent across inform of cyphertext, the username is usually in plain text [9]. This username can be sniffed by attackers using some tools such as wireshark, and once the username is sniffed, some basic brute-force attacks can reveal the password. We already know from previous sections that H.323 and SIP are both application layer protocols, this implies that the design (architecture) of the application layer impacts directly to their functionality and security features. Basic security concerns were not addressed during the design of the TCP/IP, it was primarily targeted at openness. For example, although it is easy to add new hosts into a network that is already existing, no reliable packet authentication is in place. Once a host is connected he/she can begin to send to all destinations possible. Only the destination/receiving host is left to decide whether or not to serve a packet. Even the immediate routers while forwarding packets to the destination, do not examine the content of the packet but simply forwards it based on the destination address. This backdrop opens up for flooding Denial of Service vulnerability in both protocols and generally in VoIP [10]. Call interception vulnerabilities also constitute a huge concern with VoIP, it can allow for eavesdropping and decoding of video/audio streams in a network traffic. This type vulnerability can arise from odd protocol interactions or/and implementation decisions [3]. For instance, not checking credentials properly by the proxy or registrar or the SNMP agents on VoIP devices could lead to interception of the traffic and impersonation of user(s). Also of a reasonable importance concerning user impersonation is the use of default configurations especially as it concern usernames and passwords. Many default settings can be found via internet search engines. And if such default setting is in use, an attacker can use it to impersonate the user. This becomes a

6 6 more serious case if the account involved has administrator privilege or if the involved setting is that of the NTP or DNS servers. The list of VoIP vulnerabilities could be so long that the volume of this work may not allow for in-depth discussion of each one, some more vulnerabilities of VoIP include; ICMP flood, DHCP server insertion, TFTP server insertion, SIP Registration Hijacking, SIP Registration Hijacking, SIP Registration Hijacking, MGCP hijack, MGCP hijack, MGCP hijack, Cancel/Bye attack, Cancel/Bye attack, SDP (Session Description Protocol) Redirect, RTP tampering, Default Configuration, TCP/UDP replay, IP spoofing, IP frag, MAC spoofing, etc. Most of which affects various layers of the TCP/IP [2] 3.2 VOIP THREATS VoIP threats could be grouped into six major classes, according to VoIPSA security threat taxonomy [2], [11]; 1) Social threats: these threats are aimed at humans directly. For instance misconfiguration, bad protocols or bugs may facilitate attacks that misrepresent a malicious identity as genuine. This threat may act as a stepping stone for attackers to launch further attacks such as theft of service, phishing or unwanted contact. 2) Eavesdropping, interception, and modification threats: this involve situations where an adversary can listen to VoIP signaling or session without authorization from the concerned parties. The attacker can also modify some aspect of the session while avoiding detection. Interception and rerouting of unencrypted RTP sessions are examples of this kind of attack. 3) Denial of Service Threats: this potential attack deny legitimate users access to VoIP system. This could pose huge problem in a case of emergency especially if the involved organisation(s) has all its VoIP and data communications channeled on the same network that is susceptible to DOS attack. 4) Service Abuse threats: this covers the use of VoIP services in an improper way, especially if the services are offered in commercial setting. Billing avoidance and toll fraud are examples of this threat. 5) Physical access Threats: this involves unauthorized access to VoIP equipments physically or at the network physical layer of the OSI model. 6) Interruption of Services threats: this refer to problems which are not intentional but may cause VoIP services to be inaccessible or unusable. Example; loss of power as a result of inclement weather, performance issues leading to degrade in call quality, and resource exhaustion as a result of over-subscription.

7 7 4. ATTACKS ON VOIP SYSTEMS There are various form of attacks that could be targeted at VoIP systems, just as our discussion on vulnerability suggests. Many of these attacks affect VoIP generally, while some others has to do with the protocol on which a given VoIP infrastructure is running. VoIP attacks are therefore discussed as follows; Denial of Service Attack This attack was reported in 2008 to be among the top five attacks that any VoIP system could face [5]. It prevents legitimate users from accessing the network services, thereby causing unavailability of network resources. It could be targeted at an individual or set of individuals to prevent them from placing or getting calls; this can be done by keeping the line busy for quite a long time, and causing disconnection of calls. The mechanisms that could be adopted to achieve this could vary depending on the protocol on which the VoIP infrastructure in question is running. For instance in SIP, an attacker could take advantage of the series of massages exchanged during call establishment to impersonate and hijack (deny) VoIP calls from genuine users. The attacker can also resort to sending outrageous number of legitimate SIP packets to the point that the system becomes very slow and unable to attend to any other call. Large number of malicious (or malformed) massages could also be sent to the SIP server just to disrupt its stability in a way that could make it easier for the attackers to get what they want [1]. Similarly, in H.323 protocols, the attacker can prevent an endpoint from registering by sending incorrect timestamp information to the H.323 device. This is true because during H.323 authentication process, a timestamp from an NTP server is usually used to create MD5 hash which is required for the authentication. Since NTP uses UDP which is connectionless (unreliable) for transport, it is easy to fake NTP packets. Alternatively, the attacker may decide to crash the system by sending nonstandardmessage packets to the target H.323 device which will not be able to interpret it, causing the system to be overloaded with packets up to a crashing point [9]. Man-in-the-middle attack Man-in-the-Middle attack is also one of the serious attacks that could be launched on VoIP systems. It is an attack that allows an attacker to get between the server (usually SIP) and a legitimate user. Once this attack is successfully launched during VoIP conversation, the attacker can cause numerous harm to the system such as wiretapping, call hijacking, etc. Apart from the more general form of man-in-the-middle attack in which the attacker need to initially be in the VoIP communication path, it is also possible for an attacker who is not in the communication path initially to successfully launch man-in-the-middle-attack by exploiting some vulnerabilities especially in SIP protocol based systems. Since some VoIP phones (SIP based for instance) uses DNS query to obtain SIP server's IP address, and DNS uses UDP which is connectionless, a remote

8 8 attacker can forge and also inject DNS response packet to a target VoIP (SIP) phone [12]. If the forged packet meet necessary criteria, it will be accepted by the target phone/endpoint. Some DNS query uses IDs that are predictable sometimes with limited port range, making brute-force quicker for the attacker. Usually the attacker triggers the target device (phone) to send DNS request in order to place it in a mood to accept the forged DNS response. He does this by exploiting some of the earlier mention vulnerabilities such as malformed INVITE message, which can allow him/her to crash and reboot the device remotely, knowing that VoIP endpoints (example SIP phone) send a DNS request each time it restart. Eavesdropping Eavesdropping attack enables the attacker to listen to the victims conversations without permission by intercepting the voice packets or the RTP (Real Time Protocol) media streams, thus violating the confidentiality security requirement. This attack does not only affect voice massages, other forms of VoIP communications such as fax can also be affected[13]. Tools such as wireshark can be easily used to capture and possibly reconstruct VoIP conversations. The codecs information contained on the header of RTP packets reduces the attackers' stress on decoding saved RTP streams. With eavesdropping, an attacker can access valuable information such as phone numbers, usernames, passwords, confidential business information and more. This kind of information if gained and saved by an attacker can mean much havoc for the adversary. Toll Fraud Toll Fraud can be referred to as unauthorized access to a VoIP network which enables the attacker to make long distant calls. The attackers do some spoofing to the system, causing it to recognise their phone as a legitimate one. In this way attackers can make numerous calls using their cloned identity. An attacker can also use this attack for financial gain by placing a large volume of calls to a premium-rate telephone numbers, in which case part of the high charged fees would go to the attacker. Integrity which is an important security requirement is a stake here. Toll fraud attack can use up significant resources of the victim (enterprise), such as bandwidth and could as a result cause network latency [13], [14]. This makes the attack a serious security issue in VoIP. Call Hijacking or Redirection As part of the flexibility advantage that VoIP offers, callers can easily find anyone they wish to converse with, using a single phone number not minding the location of the person [14]. That is, the phone number is always directed to wherever the current location of the person may be, without any need for a different number. Call Redirection attack in VoIP takes advantage of this flexible and enables attackers to redirect victim's call to their phone, thereby impersonating the victim. An attacker may also choose to replace the

9 9 address of a voice mail with the hacker's specified IP address, in this way the massage will no longer get to the intended recipient. Buffer Overflow Attack As identified earlier in the vulnerabilities, Buffer Overflow attack is really possible in VoIP systems. It is occurs when attempt is made to store in a buffer, more data than it is meant to hold [14]. This causes an overflow in the buffer and enables the attacker to hijack or crash the system. Call Interception Call interception involves the monitoring of voice packets by attackers. These packets could also be captured and the corresponding voice packet payload decoded for malicious use [2]. Some tools such as Vomit (Voice over internet telephones) could be used to assemble captured conversation into a form that will be easy to read. Tcpdump is also a tool that could be used by an attacker in this regard to detect the MAC and IP addresses of the victims' phone. This way the attacker can impersonate a phone on the network and even the local gateway. An attacker could also insert a phone with a spoofed MAC address in a way to cause interception of the voice traffic. This kind of attack may not be very easy, but some attackers also go extra mile. Physical attack This involves the compromise of entry systems to the place where VoIP infrastructures are placed. These entry systems may include locks and keys used to lock the physical location of the VoIP components, surveillance systems, alarm systems and security guards [15]. Lots of interruptions could be caused if these entry systems are compromised and an attacker gains access to the location of the VoIP infrastructures, such as unauthorized configuration, ARP and IP spoofing, deliberate loss of power and physical damage to the system components. It is therefore important to give due security attention into physically safeguarding the VoIP system components. Spam Over Internet Telephony (SPIT) This is a social attack in which the victim is disturbed with numerous unwanted calls and advertisements from an attacker [15]. This kind of attack is usually aimed at persuading the victim into some transactions that he/she may not ordinarily be interested in. 5. MITIGATION MEASURES This section unleashes some measures that could be adopted in order to ensure a safer VoIP. It is obvious that a perfect security system is not very easy to come by, but with the following tips, safer VoIP conversations could be attained.

10 10 Network Based Intrusion Prevention Systems (NIPS) This system could be used for monitoring and analysing network traffics in order to detect intrusion. It usually sound alarm if it encounters any suspicious transaction. This could also assist in blocking malicious users/hosts from accessing the network if duly configured[18]. This approach can be used can enhance network availability and thus keep denial of service attacks considerably reduced. Multi-layer Protection Scheme is also a very good approach in preventing denial of service attacks that are based on the application and transport layer of a VoIP network system [19]. This promises to be efficient since it has already yielded a good result in TCP for detecting SYN flood attack. S/MIME The security stack of VoIP consists of three layers; they include signaling protection, media protection and management of key [16]. Considering SIP which is one of the mostly used protocols, TLS is the only mechanism used for signaling protection because it gets integrated easily with various popular PBX systems. S/MIME has not gained popularity in softphones. However, the end-to-end confidentiality provided by S/MIME which prevents the SIP header from being touched promises a better signaling protection, as opposed to the point-to-point signaling protection provided by the existing schemes. S/MIME is therefore strongly suggested for VoIP systems such as softphones. Establishing a separate firewall This is also an important step that could be taken towards ensuring a more secure VoIP. As may be required, firewalls may be configured to open and close certain ports. Mounting intrusion detection at different endpoints in the network could be of a good assistance in monitoring the flow and operations in the network system [17]. Although firewalls may not fix all the security concerns in VoIP, if well configured and managed it could reduce the risk of the network to some attacks. Packet Encryption and Authentication Proper application of enhanced encryption and authentication of VoIP packets can prevent/reduce unauthorized listening to VoIP calls. IPSec could offer a sound encryption and authentication function [17], to guard against eavesdropping and falsifications. Encapsulating Security Payload (ESP) as a member of IPSec ensures the confidentiality and integrity of IP packets, validating the identity of sources and thus adds greatly to network attack resistance. Blacklist filtering With this mechanism, the callers identity is usually compared with already stored set of identities before a connection is made or rejected [15]. Based on some decisions by the system, an identity could be stored in a

11 11 blacklist so that when such number attempts connecting it will be rejected. This is one of the ways through which Spit could be checked. VoIP over VPN This approach proposed by Wafaa B. D, Samir T, and Carole B. uses IPSec as a tunneling protocol, while using crtp and IPHC for compression. It uses SIP for exchanging IPSec parameters. This promises enhanced security for voice traffic without dropdown in performance in quality of service [20]. This is a good proposition because performance and quality of service will not have to suffer as the case would be in some other IPSec approach such as IPSec Virtual Private Networks. Having relevant laws in place to protect the security of network information [17] It is pathetic to know that some countries especially the third world countries where VoIP and other information systems are used have no relevant laws to protect the security of these systems. This gives attackers a very free platform to operate, thus undermining the security of victim systems such as VoIP. Relevant laws need therefore to be put in place in countries like this to guarantee the safe flow of VoIP and other information systems. For the countries that have these laws already, necessary updates need to be maintained to keep in pace with the fast rate of technological growth. 6. CONCLUSION AND FUTURE WORK We have discussed various vulnerabilities and attacks that affect VoIP as well as suggested techniques to control them. However, VoIP could be said to be in evolution process at the moment because there seem not to be a popular general security solution to handle competently all its current security challenges. So many approaches have evolved and have been suggested, IPSec to VPN for instance is a good security choice but it also comes with some shortfalls such as affecting performance and quality of service. Although VoIP has attracted huge research interest, more is still needed especially towards identifying measures to combat its numerous attacks without considerably reducing performance and quality of service, minding the real time nature of the massage it carries. The implementation of already suggested approaches such as the VoIP over VPN is also recommended. Furthermore, this work recommends better security attitude for anyone using VoIP system. Even in the midst of many security challenges, VoIP is not presently without any resistance to attacks. If the already in-place security potentials of VoIP is optimally employed, many of the attacks could be avoided or controlled. For instance, it is easy for a security careless person to completely give away confidential information such as username and/or password in response to SPIT attack, as against when someone with the right security

12 12 attitude is involved. Having the right security policies in place and following them carefully, will go a long way in complementing the present level of VoIP security. 7. REFERENCES [1] H. Al-Allouni, A. E. Rohiem, M. Hashem, A. El-moghazy and A. E. -. Ahmed, "VoIP denial of service attacks classification and implementation," in Radio Science Conference, NRSC National, 2009, pp [2] E. Coulibaly and Lian Hao Liu, "Security of voip networks," in Computer Engineering and Technology (ICCET), nd International Conference on, 2010, pp. V3-104-V [3] A. D. Keromytis, "A look at VoIP vulnerabilities," USENIX; Login: Magazine, vol. 35, [4] T. Porter, Practical VoIP Security. Syngress Publishing, [5] Hongli Zhang, Zhimin Gu, Caixia Liu and Tang Jie, "Detecting VoIP-specific denial-of-service using change-point method," in Advanced Communication Technology, ICACT th International Conference on, 2009, pp [6] J. K. Prasad and B. A. Kumar, "Analysis of SIP and realization of advanced IP-PBX features," in Electronics Computer Technology (ICECT), rd International Conference on, 2011, pp [7] Xianglin Deng and M. Shore, "Advanced flooding attack on a SIP server," in Availability, Reliability and Security, ARES '09. International Conference on, 2009, pp [8] H. Sengar, "Overloading vulnerability of VoIP networks," in Dependable Systems & Networks, DSN '09. IEEE/IFIP International Conference on, 2009, pp [9] H. Dwivedi, Hacking VoIP: Protocols, Attacks, and Countermeasures. No Starch Press, [10] S. Ehlert, D. Geneiatakis and T. Magedanz, "Survey of network security systems to counter SIP-based denial-of-service attacks," Comput. Secur., vol. 29, pp , [11] A. D. Keromytis, "A Comprehensive Survey of Voice over IP Security Research," Communications Surveys & Tutorials, IEEE, vol. 14, pp , [12] R. Zhang, X. Wang, R. Farley, X. Yang and X. Jiang, "On the feasibility of launching the man-in-the-middle attacks on VoIP from remote attackers," in Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, 2009, pp [13] E. A. Blake, "Network security: VoIP security on data network--a guide," in Proceedings of the 4th Annual Conference on Information Security Curriculum Development, 2007, pp. 27. [14] D. Butcher, Xiangyang Li and Jinhua Guo, "Security Challenge and Defense in VoIP Infrastructures," Systems, Man, and Cybernetics, Part C: Applications and Reviews, IEEE Transactions on, vol. 37, pp , L. Corte, "Security analysis and countermeasures assessment against spit attacks on VoIP systems," in Internet Security (WorldCIS), 2011 World Congress on, 2011, pp [16] D. Perez-Botero and Y. Donoso, "VoIP eavesdropping: A comprehensive evaluation of cryptographic countermeasures," in Networking and Distributed Computing (ICNDC), 2011 Second International Conference on, 2011, pp [17] Yan Zhang and Huimin Huang, "VOIP voice network technology security strategies," in Artificial Intelligence, Management Science and Electronic Commerce (AIMSEC), nd International Conference on, 2011, pp [18] I. Jouravlev, "Mitigating Denial-Of-Service Attacks On VoIP Environment," International Journal of Applied Management and Technology, vol. 6, pp. 8, [19] A. Keromytis, "A survey of Voice over IP security research," Information Systems Security, pp. 1-17, [20] W. B. Diab, S. Tohme and C. Bassil, "VPN analysis and new perspective for securing voice over VPN networks," in Networking and Services, ICNS Fourth International Conference on, 2008, pp