VoIP Security. Threats and Countermeasures. Eric Chen NTT Information Sharing Platform Laboratories & VOIPSA Technical Board of Advisors

Transcription

1 VoIP Security Threats and Countermeasures Eric Chen NTT Information Sharing Platform Laboratories & VOIPSA Technical Board of Advisors

2 Agenda Increasing awareness of VoIP security Top VoIP security threats Best current practices Ongoing research efforts

3 Industry Activity VoIP Security Alliance (VOIPSA) launched in 2005 Mission: To promote VoIP security research, education and awareness To become a one-stop source of testing tools/methodologies Membership: Over 100 members on the Technical Board Include NTT, Mitel, Avaya, Nortel, Siemens, Alcatel, Extreme Networks, AT&T, Verizon, Columbia University VOIPSEC mailing list for discussion of VoIP security issues Projects: Threat taxonomy, best practices etc

4 VoIP Security Threat Taxonomy Refer to for more details

5 Conference Activity

6 VoIP Security Books Source:

7 Zero Day Auctions Now Include VoIP Source: WabiSabiLabi Home Page 26 June 2008

8 VoIP Attack Tools Now Available Online More than 80 VoIP attack/security tools known (still increasing)

9 Agenda Increasing awareness of VoIP security Top VoIP security threats Best current practices Ongoing research efforts

10 Finding Targets using Google Cisco Grandstream Sipura Polycom VoIP phones with built-in web servers to allow easy configuration May be indexed by Google if connected to the Internet without any protection Can easily find these phones using keywords included in the default URLs

11 SPIT SPam over Internet Telephony Definition: Automated telemarketing calls (excluding human calls) Not yet a problem due to the small number of VoIP users Can be more serious than PSTN marketing calls Can be easily automated Can be performed at low cost Can perform broadcast No country barrier in terms of call charges -> large scale Yahoo!BB Phone incidents in Japan 2004/2 Unsolicited commercial messages for an adult website 2004/8 "Number scanning" for active VoIP phone numbers (050- [provider code]-xxxx) at the rate of 6000 calls/day 2004/11 Unsolicited automatic messages asking for personal information Contracts with these spammers are terminated by the provider

12 SIP Scanning Send requests (REGISTER OPTIONS etc) with various spoofed originating UID to a SIP server Servers that respond with different replies for valid and invalid UIDs may be exploited

13 Example: SIPSCAN

14 Flood-based DoS Attacks VoIP is vulnerable to flood-based DoS attacks at various layers General DoS attacks target at TCP/IP Same threats to any web server on the Internet VoIP-specific DoS attacks target at UDP-based SIP and RTP Flood of bogus signaling packets may overload CPU of any SIP server or UA Flood of bogus RTP packets may degrade audio stream quality Tools available: kphone-ddos, RTP flooder, SIPBomber, SIPsak, Scapy, IAXFlooder, Seagull and SIPsak

15 Retrieve IP Address Motivation Method Send arbitrary packets to the target Call the target and sniff the incoming packets Contact info in 200 OK Source IP of the incoming RTP IP address of the target included

16 Fuzzing Attacks Send malformed SIP messages Buffer overflow Via: SIP/2.0/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Integer anomalies Content-Length: -1 Invalid addresses INVITE SIP/2.0 Structural anomalies Cseq: 7038 INVITE a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 Can either crash the target or execute arbitrary code

17 Eavesdropping INVITE SIP Proxy A INVITE OK SIP Proxy B Intercept signaling packets to analyze call patterns INVITE OK OK Alice RTP Bob Intercept conversation

18 Eavesdropping Scenarios Wireless LAN with weak security Physical access to intermediate network nodes UA vulnerability ARP-Spoofing

19 Agenda Increasing awareness of VoIP security Top VoIP security threats Best current practices Ongoing research efforts

20 How to avoid being Googled Follow the product guidelines Disable the web server Apply necessary security measures (FW, NAT etc) Use Google to look for exposed devices in one s company

21 Use VoIP Firewalls VoIP clients use various RTP ports to connect with their peers outside. Statically opening all possible ports using a regular firewall introduces new threats. VoIP firewall Dynamically open/close necessary ports through stateful inspection of VoIP traffic ( pinhole ) Inspecting the SDP payload in an INVITE message, extract the UDP port number to be used and open the port before the session starts Close the port when the BYE message corresponding to the session is detected Hide IP addresses of VoIP clients using NAT to prevent them from being direct targets on the Internet

22 Segregation of VoIP Network Segregate data and voice networks using VLAN etc Minimize impact on voice network from sudden traffic surge caused by PCs infected by worms on data network Reduce the risks of eavesdropping Prevent broadcast traffic on data network from entering VoIP network To further prevent unauthorized machines from accessing and attacking voice network IEEE802.1x MAC address filtering Allows only dedicated VoIP appliances on voice network (less programmability, less risk to be exploited) What to do with soft phones (e.g. X-Lite)? Don t allow them on mission-critical voice networks Restrict installation of applications Deploy immune networks

23 Software Updates Check various sources for new vulnerability information Source VOIPSA Blue Box CERT/CC JPCERT/CC IPA Vendor HP Description New VoIP security/attack tools Blog and mailing list discussions VoIP security-related podcast Tutorials Security incident report SIP vulnerability report (Japanese only) New firmware and patches URL com/

24 Penetration Tests Conduct simulated attacks using tools available on PROTOS/Codenomicon (fuzzing) SIPSCAN SiVuS SIPBomber...etc Verification criteria Terminal status Connection status QoS

25 Encryption Securing the signaling channel IPSec TLS/DTLS Securing the media channel IPSec SRTP (two candidates for SRTP key exchange now at IETF) DTLS-SRTP ZRTP

26 Vendor Solutions Arbor Networks ( Borderware ( Captus Networks ( Cisco Riverhead ( Ingate ( Mazu Networks ( Mirage Networks ( SecureLogix ( Sipera ( TippingPoint ( TopLayer (

27 Agenda Increasing awareness of VoIP security Top VoIP security threats Best current practices Ongoing research efforts

28 Research Opportunities in VoIP Security VoIP-specified DDoS attacks SPIT Adaptive detection against fuzzing attacks

29 NTT s SIP Guard for SIP-specific DoS attacks Eric Y. Chen, "Detecting DoS Attacks on SIP Systems", IEEE workshop on VoIP Management and Security at NOMS 2006, Canada, April 2006

30 NEC s VOIP SEAL Roman Schlegel, Saverio Niccolini, Sandra Tartarelli, Marcus Brunner SPam over Internet Telephony (SPIT) Prevention Framework, GLOBECOM 2006

31 Other Research Efforts Gaston Ormazabal, Secure SIP: A scalable prevention mechanism for DoS attacks on SIP based VoIP systems, IPTCOMM 2008 Charles Shen, SIP Server Overload Control: Design and Evaluation, IPTCOMM 2008 Mohamed Nassar, Holistic VoIP Intrusion Detection and Prevention System, IPTCOMM 2007 Jens Fiedler, VoIP Defender: Highly Scalable SIP-based Security Architecture, IPTCOMM 2007 Ge Zhang, Denial of Service Attack and Prevention on SIP VoIP Infrastructures Using DNS Flooding, IPTCOMM 2007

32 Conclusion VoIP is still an emerging technology, so is its security framework No such thing as perfect security, but risks can be significantly reduced using currently available solutions Challenges for Vendor Increase effort devoted to software engineering practices to minimize implementation flaws Provider User Learn to securely integrate different physical components (SIP servers, SIP clients) and solutions from multiple vendors Be aware of the new threats introduced by VoIP