Vulnerability Analysis on Mobile VoIP Supplementary Services and MITM Attack

Transcription

1 Vulnerability Analysis on Mobile VoIP Supplementary Services and MITM Attack You Joung Ham Graduate School of Computer Engineering, Hanshin University, 411, Yangsan-dong, Osan, Gyeonggi, Rep. of Korea [ Hyung-Woo Lee School of Computer Engineering, Hanshin University, 411, Yangsan-dong, Osan, Gyeonggi, Rep. of Korea [ Abstract Mobile VoIP(mVoIP) is to provide Voice based telephony service using wired/wireless network on Smartphone. We can use several kinds of mvoip services on smartphone such as the Supplementary Service registration / release process, coloring, call forwarding, absence guide, three-way calling, and simultaneous receipt. But the smartphone based mvoip services are vulnerable to security threat because SIP protocol used on mvoip phones can be easily tampered sending or receiving packets and therefore we can find several problems on sender authentication process. Therefore, we analysis the vulnerability of existing mvoip based telephony services on smartphone and propose a possible attack on existing mvoip services. Keywords- Vulnerability, FMC, Mobile VoIP, Security, Attack I. INTRODUCTION Mobile Voice over Internet Protocol (mvoip) telephone systems is susceptible to diverse kinds of attacks because these devices have several kinds of Internet connections [1]. Main challenges are to perfectly pass through some authentication threats of existing mvoip services by using additional security mechanism on smartphone [2]. Although having a secure mobile phone is more possible to implement with mvoip service stacks, most existing commercial mvoip solutions do not fully support an encryption function. As a result, it is relatively easy to eavesdrop on mvoip calls and even change their contents by malicious attackers. An Android based mvoip service is very convenient in that it allows a single mobile phone to be substituted for existing wired/wireless telephone and makes a free of charge telephony service via Wi-Fi. In addition, the mvoip devices provide various forms of supplementary features for user convenience such as missed call notification, simultaneous ring, call waiting, and three-way calling and thus is very likely to emerge as a representative phone service. However, there are new problems caused due to those advantages. They include attacks using the vulnerability of VoIP services, including malicious attacks on SIP-based supplementary services such as call forking, conference-call tapping/interception, and ring back tone misapplication, and such attacks are becoming more intelligent and advanced. Most of those attacks take place because there is no problem with the attacker's modifying, deleting or changing normal SIP communications packets[3,4]. In order to settle the security vulnerabilities of SIP-based VoIP services in a smartphone, it is necessary to analyze the current status and features of VoIP services, identify security threats to the mvoip service, and investigate threat-related cases. Since most of studies conducted until now are analyses of vulnerabilities in a wired or wireless network environment, there is a need to study an integrated environment of wired and wireless networks. Android-based mobile telephony devices have a structure for shifting existing VoIP and cellular telephony service to a new level of both mobility and efficiency on voice communication. Therefore, the attacker also can use the vulnerability of existing supplementary services on smartphone. In this study, we presented the call flow of commercially available on mvoip supplementary services and analyzed the vulnerabilities on those services. In detail, we analysis the threat and vulnerability of VoIP service on FMC mvoip telephony device and propose a possible attack scenarios on existing mvoip service. II. MVOIP PROTOCOL AND ATTACK A. SIP Protocol Analysis The Session Initiation Protocol (SIP) [6] is a call setup, management and control protocol that includes voice, text and multimedia communications on session. When we start calling clients, servers should respond to the call. SIP session is requested in first with the setup and communication with proxy server. The session establishment and communication process begins with the user's registration with a proxy server and ends with his/her request for call connection or disconnection. SIP packet flow of communication process is as follows Fig.1 & 2. Fig. 1. Call Flow for Successful INVITE request 406

2 III. CALL FLOW ANALYSIS ON SUPPLEMENTARY SERVICES A. Kinds of SIP Supplementary Services on mvoip Mobile VoIP service is a convergence service by using the smartphone handset through Wi-Fi network. To assist the user's convenience, supplementary services are provided to the existing mvoip service as shown in Table 1. Fig. 2. Call Flow for Unsuccessful INVITE request B. Mobile VoIP Attack The mvoip services are exposed to the risk of attack, as these are also similar to a computer system connected to the Internet. Therefore, careful attentions should be paid to the security and control of the mvoip equipment. This study is intended to configure a mvoip vulnerability analysis environment for its security threat analysis. The mvoipcapable smart phones are connected to the wired/wireless service network. And then mobile SIP connection was issued by Internet phone on 3G and Wi-Fi zone for analyzing real SIP packets. Based on this structure shown in Fig. 3, we evaluated the vulnerability of various mvoip services on the commercial network based on the proposed attack scenario. Fig. 3. Supplementary Service Vulnerability Analysis Environment for mvoip Devices The SIP packet corresponding to an INVITE packet can be used for attack purposes, because it is easy to collect or forge its data in most additional services. For example, the attacker is able to make changes in or cancel the registered service, posing as the target. The INVITE packet is one of the most important packets in the processes of using SIP additional service features, including service registration or cancellation. An INVITE message contains information about calling and called parties as well as a connection request status, and especially when there is a service feature registered or cancelled, it can be known through the INVITE packet what service has been requested by the caller. In case of a three-way call, the INVITE packet contains an XML message, so if an attacker detects the packet and changes or forges information in it, the damage may become greater. TABLE 1. FMC SUPPLEMENTARY SERVICES Service Description Name Service that transmits ring-back service message, Colouring which the service user registers instead of the existing ring back-tone. Call Service that connects currency connection request Forwarding by other telephones Service that requests currency connection to 2 Multiple Calls listeners and 3 people connect so that lives can speak Vacation Guide over the telephone service Service that gives guidance message among absence that has presented to sender when receiver is absent. Service that holds current calls for a moment and Call Waiting makes other call continuously. Simultaneous Service that connects call received previously Call among all telephone calls Service that pays fare to listener and requests Toll-free calls currency connection Call Forwarding Service makes a connection to other phones when the phone call is being missed. This service diverts the telephone received by the Internet phone to the other Internet phone set up in advance. When you are absent or busy, incoming calls are forwarded to a previously registered phone number to make the final connection. The simultaneous calling service resembles the previous call forwarding service. Similar to Call Forwarding feature, this service provides simultaneous ringing service on multiple Internet phones. And multiple call service is also similar with the previous simultaneous call service. Three people can join SIP based conference call at the same time using this supplementary service. In call waiting service, even if others got off the phone without the line, the continuous call services are available during a call. Alternately, new call can be serviced continuously after receiving previous incoming calls. And this call waiting service can be applied through the Internet. Tollfree call service is that a recipient pays a fee as a service to connect the call for City and long distance calling. If the recipient rejects the call by determine whether the recipient is receiving calls, phone connection and service charges are not added. When we got a call, a user specific music or announcements are provided while connecting the caller to keep it out of boring in case of using SIP coloring service. Further improvements of high-quality phone services are available by using a variety of Supplementary Services listed in the table above. The kind of Supplementary Services is growing rapidly because total amount of service traffic is in a gradual increase. 407

3 B. SIP Supplementary Services Registration & Release Each Supplementary Service is assigned a unique number for corresponding and different identification numbers are also allocated respectively to register or release on those services. Fig. 6. Call Flow on Call Forwarding Service Fig. 4. Service Registration & Release Call Flow In this case, INVITE packet for registration is generated first for each Supplementary Service to be available by assigning a unique number. And its disable process is also performed after doing the similar process. C. Colouring Service When an mvoip user registers coloring services, some music and announcements information as sound effects are provided while connecting mvoip service instead of traditional ring tones. E. Absence Notification Service This service is to send a recorded message for notifying someone s absence from out goings and business trip, etc. After receiving INVITE packet for connecting a User_A with User B, SSW transmits RTP message to a sender User_A after confirming that User B is in the list of subscriber on absence notification service. F. Multiple calls Service This service is to setup multiple calls by single INVITE packet. In a call initiate process, a caller sends INVITE packet to SSW for requesting two receivers simultaneously. Fig. 8 shows the simultaneous connection call flow between User_A and User_B/C. User_A transmits INVITE packet containing User_B and User_C s phone numbers to the SSW. At this point, the destination address of INVITE packet is set to that of SSW, but not to the destination User_B or User_C. And XML form specifies also uses those addresses. Meanwhile, the User_A to connect the SSW with the User_B and User_C received the INVITE packet. In this connection step, the 183 Session Progress SDP packets are sent to User_A for holding further session. Since then, User_B and User_C will perform the connection process respectively. Fig. 5. Coloring Service Call Flow In case of ring tones, the sender sends the INVITE packet and SSW receives the INVITE packet sent by user. And it is sent to the recipient User B. After these steps, SSW transmits coloring RTP packet [7] to the sender with 183 Session Progress SDP message if the receiver sends a 180 Ringing message after a 100-Trying packet and simultaneously the SSW makes sure that the receiver is in the list of the coloring service subscribers. Before connecting between the sender and the receiver, the receiver hears the coloring message. D. Call Forwarding Service When you are absent or busy, incoming calls are forwarded to another phone number registered previously to make a final connection. Detailed progress is shown below. Fig. 7. Absence Notification Call Flow 408

4 a specified telephone number is called. In this way, this service provides one of the key benefits of a MADN (multiple appearance directory number)-the ability to answer the same call from different, even distant locations-at very little cost and without having to use multiline telephone sets. Fig. 8. Multiple Calls Service Call Flow G. Call Waiting Service During a call, even if others got off the phone without the line, the continuous call services are available. Alternately, new call can be serviced continuously after receiving previous incoming calls. And this call waiting service can be applied through the Internet. Fig. 10. Call Flow of Simultaneous Call Service In order to connect User_A with User_B, the SSW is confirmed that User_B is in the list of subscribers on a call forwarding service, SSW sends INVITE packet to User_C as well User_B. And when each User_B and User_C receives the INVITE packet, they transmit a 180 Ringing message. User B, who has received the call in first time, sends a 200 OK message to the SSW. The SSW sends a CANCEL packet to terminate the connection with User C. And then both User_A and User_B will establish connections. I. Toll-free Telephone Service This service is that a recipient pays a fee as a service to connect the call for City and long distance calling. If the recipient rejects the call by determine whether the recipient is receiving calls, phone connection and service charges are not added. Fig. 9. Call Flow of Call Waiting Service User_A will send a 486 busy here message to SSW if it receives an INVITE packet from someone else during a call setup procedure. This is for establishing a new connection between the SSW and User_C by sending 183 packets. And User_A sends a Hold INVITE message to User_B for waiting a call and User_A can establish a new connection with User_C through the SSW after notifying INFO packet to User_B. H. Simultaneous Call Service Simultaneous Calling, an optional feature available on mvoip telephones, allows a pre-defined group of up to 5 onnetwork DNs (directory numbers) to ring simultaneously when Fig. 11. Call Flow of Toll-free telephone Service 409

5 IV. VULNERABILITY ANALYSIS ON SIP SUPPLEMENTARY SERVICE A. Transmit of Registering INVITE Packet INVITE packet is the most important packet in the registration/release process of Supplementary Services. Using the contents of INVITE message, we can see the status of the connection request. In particular, we can find the status of service registration and release rarely asked about any Supplementary Services through the INVITE packet. In case of three people call, damage may increase if an attacker detects (or) monitors the INVITE packet and modulates its content as the XML message is contained inside of those INVITE packets. Eventually attacks on Supplementary Services are possible if Supplementary Services registration INVITE packet is sent to the SSW instead of the regular users, Likewise, modified attack is possible when the attacker sends INVITE packet for releasing some Supplementary Service instead of legal user, although user had already registered the Supplementary Services. status is contained within the XML message. As it is easy to gather (or) change this information, an attacker can easily modify those contents of XML message. After doing this attack, legal connection will be interrupted or incorrect connection will be established without knowing its real caller. Fig. 14. XML message on INVITE Packet D. Attack on SIP 486 Busy Here packet An attacker can impersonate the SSW by sending INVITE packets generated at random to the Victim. And then the victim transmits '486 Busy here ' message for holding the current connection status. Additionally, an attacker can generate 486 busy here message intentionally and then hold the current connection status in order to causing interference. E. Attack on SIP CANCEL Packet When all the numbers registered on the bell ring and someone receives a call, the bell will be cleared on the phones except the one finally connected call in case of using simultaneous forwarding services. For this purpose, CANCEL packet is used to cancel the connection request. Fig. 12. Attack on INVITE Packet B. Attack on SIP RTP Packet RTP announcement messages sent by the SSW for registration and release of Supplementary Service are always fixed. Therefore, if an attacker were to collect these messages, Supplementary Service may be vulnerable to the spoofing attack on RTP packet. Fig. 15. Simultaneous Call Service Attack Each listeners, who receive CANCEL packet like above Fig., end conjunction transmitting 487 Request Terminated packets. If attacker transmits CANCEL packet to listeners, each listeners will end conjunction by transmitting 487 Request Terminated packets. Fig. 13. Registration/Release announcement contained RTP Message C. Call XML Content Modification XML message is contained on the INFO packet of call waiting service. Information about the recipient and the current F. Attack on SIP RTP Packet In the case of toll-free number currency service, the sender transmits data to SSW in voice by RTP form to authenticate oneself with listener's telephone number, which helps listener to accept call correctly according to guidance message. 410

6 MITM attack, there is the transformation attack method on the absence announcement and coloring weakness attack. This method carries out the modulation attack about the message, which is directly sending out or receiving after monitoring the target of attack. Victim 183 Packet과 RTP Packet (Coloring)Transmission Fig. 16. Simultaneous Call service attack User A User B Fake SSW Counterfeited Packet SSW Transmission Previously Generated Packet by Attacker instead of User A Counterfeited RTP Counterfeited Packet 183 Packet Packet (Coloring) Interception User C Attacker User IP Mac Addr Supp. Service User A A1C23D Coloring User B A2B2C3 Call Switchover User C A3B3C3 Absence Noti.... Simul. Inbound... Fig. 19. Spam Coloring MITM Attack Fig. 17. Attack by Altering on RTP Contents Attacker can attack by changing sender's hope number to alteration or attacker-selected number. Therefore, it is weak on security as an attacker can change audio data during its transmission. G. Attack on SIP INFO Packet The INFO packet is the message, which a receiver sends to SSW in case there is the transmitter requesting a connection. In the INFO packet, XML data are stored. Whenever the transmitter who a receiver desires a connection is changed, the INFO packet is generated and it is transmitted to SSW. The transmitted INFO packet is again transmitted to a receiver. Therefore, a confirmation is possible between a receiver and transmitter to the connected state. By using this kind of characteristic, an attacker can attack the attack which changes the INFO message or which it deletes. Therefore, an attacker can carry out the call connection interference attack. Fig. 18. XML message on INFO packet H. Active MITM Attack The attack method can be combined with an active attack by Man-In-The-Middle (MITM) attacker. First, as to the attack of the MITM method, an attacker watches the SIP communication network of the attack subject. And in case the connection which oneself wants was generated, an attacker confirms this. In conclusion, an attacker carries out an attack including the packet deny or the modulation, and etc. As a V. CONCLUSIONS In this research, we analyzed the mvoip call flow for Supplementary Service based on SIP protocol. And we presented the basic mvoip protocol with its internal structure. Consequently, most of supplementary services are composed with the Call Setup & Binding process similarly. And in this Call Binding process, an attacker could collect related mvoip packet easily. In addition, the content of the mvoip packet that an attacker can collect was not fully encrypted for enhancing security service on smartphone. Therefore, attacker can get main mvoip session information easily. Particularly, an attacker could obtain information through the transmitted INVITE packet, which is most of information sent or received in the initial mvoip connection setting. Through this, an attacker could know the overall state of the mvoip connection request information and received or transmitted between smartphones during its connection. Additionally, as existing mvoip device used fixed announcement in each RTP message, supplementary Services are also weak on MITM attack. REFERENCES [1] S. Niccolini, VoIP Security Threats, Internet-Draft, NEC SPEERMINT Working Group, [2] Sik-Whan Cho, et. al., mvoip Service attack and authentication mechanism on s Smart work device, In Proc. of International Conference on Computer Science and Network Technology (ICCSNT2011), Vol.1, pp , [3] S. Salsano, et. al., SIP Security Issues: The SIP authentication procedure and its processing load, IEEE Network, November/December, [4] G. Ormazabal, et. al., Secure SIP: A Scalable Prevention Mechanism for DoS Attacks on SIP Based VoIP Systems, In Proc. of International Conference on Principles, Systems and Applications of IP Telecommunications 2008, LNCS 5310, pp , [5] G. A Mills-Tettey, Mobile Voice Over IP (MVOIP) : An Applicationlevel Protocol, Technical Report, Dartmouth College Hanvoer, 2001, [6] J. Rosenberg, et. al., SIP: Session Initiation Protocol, IETF RFC 3261, June [7] H. Schulzrinne, et. al., RTP: A Transport Protocol for Real-Time Applications, IETF RFC 3550, July