Attackin VoIP Walter Sprener walter.sprener@csnc.ch GLÄRNISCHSTRASSE 7 POSTFACH 7 CH-80 RAPPERSWIL Tel.+ - 0 Fax+ - team@csnc.ch www.csnc.ch Aenda. Introduction VoIP. Sample Installations. SIP / RTP - Protocols. Threats to VoIP. Recommendations. Conclusion/Discussion Compass Pae
Introduction to VoIP GLÄRNISCHSTRASSE 7 POSTFACH 7 CH-80 RAPPERSWIL Tel.+ - 0 Fax+ - team@csnc.ch www.csnc.ch Introduction What is VoIP VoIP = Voice over Internet Protocol Or more enerally: "Transportin voice data over a data network" Why use VoIP Use network syneries (data network already present) Use cheaper and worldwide networks New functionality (e follow me, video conferences) Interated services (Computer Telephony Interation) Be your own telephone company Compass Pae
Introduction Protocols Sinalin SIP/SIPS (Session Initiation Protocol) H. (ITU-T standard for multimedia on packet network) Skype (peer to peer network, proprietary) Media Transport RTP & RTCP, SRTP (Realtime Transport Protocol & Control Protocol) SCTP (Stream Control Transmission Protocol) Skype Other Protocols RSVP, 80.q (Resource Reservation Protocol) DNS (Domain Name System) ENUM (Electronic Numberin) STUN (Simple Traversal of UDP over NATs) Compass Pae Introduction Implementations of VoIP-Clients Softphones (X-Lite, etc.) Hardphones (Cisco, Snom, etc.) Proprietary tools (Skype) Instant Messener (NetMeetin/ICQ) VoIP Hype or Success VoIP already known for lon time Problems with quality and functionality prevented breakthrouh Skype brouht VoIP to the end user Mixed VoIP POTS (Plain Old Telephone System) solutions in trend In the near future Plain VoIP VoIP over Wireless Compass Pae
Introduction Softphones Hardphones Compass Pae 7 Sample Installations GLÄRNISCHSTRASSE 7 POSTFACH 7 CH-80 RAPPERSWIL Tel.+ - 0 Fax+ - team@csnc.ch www.csnc.ch
Sample Installations SIP Phone @ Home Compass Pae 9 Sample Installations SIP Phone with ITSP Provider BluewinPhone, Sunrise Webphone, Cablecom diitalphone Compass Pae 0
Sample Installations Internal VoIP Gateway to POTS Small to bi companies Compass Pae Sample Installations Gateway to Gateway VoIP Worldwide companies Compass Pae
SIP & RTP - Protocols GLÄRNISCHSTRASSE 7 POSTFACH 7 CH-80 RAPPERSWIL Tel.+ - 0 Fax+ - team@csnc.ch www.csnc.ch SIP & RTP - Protocols SIP REGISTER messae REGISTER sip:9.8.00.8 SIP/.0 Via: SIP/.0/UDP 9.8.00.:0;branch=z9hGbK- rvmeapz7u;rport From: "Walter ()" <sip:wsprene@9.8.00.8>;ta=erpmtjw To: "Walter ()" <sip:wsprene@9.8.00.8> Call-ID: c700bcc-uqrufrnxw9@snom0 CSeq: REGISTER... Authorization: Diest username="wsprene",realm="asterisk",nonce="89ce7d", uri="sip:9.8.00.8",response="0ae0dbdda087 efeccdac",alorithm=md Expires: 00... Compass Pae
SIP & RTP - Protocols SIP INVITE. Lookup SIP Proxy of taret.com. Forward INVITE. Lookup destination address of bob@taret.com. INVITE to bob@taret.com. Send INVITE to phone. Open RTP Stream Compass Pae SIP & RTP - Protocols SIP INVITE messae INVITE sip:bob@taret.com SIP/.0 Via: SIP/.0/UDP pc_a.source.com;branch=z9hgbkadfvy0 Max-Forwards: 70 To: Bob <sip:bob@taret.com> From: Alice <sip:alice@source.com>;ta=0 Call-ID: abcdadf@pc_a.source.com CSeq: INVITE Contact: <sip:alice@pc_a.source.com> Content-Type: application/sdp Content-Lenth: (session description would follow) Compass Pae
SIP & RTP - Protocols SIP Methods (RFC) INVITE Initiate Sessions Chane a Session state via re-invites ACK Confirms session establishment BYE Terminates Sessions CANCEL Cancels an INVITE request sent by a client not already sent a final response for OPTIONS Query another UA or a proxy server as to its capabilities REGISTER Binds permanent address to the current location Compass Pae 7 SIP & RTP - Protocols SIP Response Codes xy Information or Provisional - request in proress but not yet completed 00 Tryin 80 Rinin 8 Call is Bein Forwarded 8 Queued 8 Session Proress xy Success - the request has completed successfully 00 OK xy Redirection - another location should be tried for the request xy Client Error xy Server Failure Compass Pae 8
SIP & RTP - Protocols Functionality Problems NAT, Tunnelin In traditional SIP/RTP, the phones must have a routable Internet Address. The two phones will connect to each other directly for the Voice Traffic (RTP) With Network Address Translation (NAT,PAT) and firewalls in between, the connection will not succeed. Therefore, workarounds have been invented: tunnellin of traffic, for example STUN or X-Tunnel. Interoperability There were many problems with the interoperability of clients (SIP / H.) and partial implementations of these protocols. It seems that SIP will be the most used standard. Compass Pae 9 SIP & RTP - Protocols Quality Problems In POTS, the quality of the phone conversation is mostly excellent, it does not matter if you phone your neihbour or to another continent. The maximum delay of the spoken word to arrive at the other end is defined to 0ms for a ood quality voice transmission. Jitter In IP networks, not all the packets take the same path. Some packets are dropped or retained for a while. Jitter is the effect when we have variations in packet assemblin. Delay In order to prevent Jitter, the packet assemblin loic will buffer data packets. If the packets have too much Jitter, we have to wait too lon to be able to assemble the voice information correctly. Compass Pae 0
Threats to VoIP GLÄRNISCHSTRASSE 7 POSTFACH 7 CH-80 RAPPERSWIL Tel.+ - 0 Fax+ - team@csnc.ch www.csnc.ch Threats to VoIP VoIP differences to POTS Decentralized infrastructure Client is part of the network. Loical functions are built into the phone. In POTS, the loic is in the branch exchane. Network is manaed by many different parties, not only by the Telco provider IP protocol and networkin are well known. In POTS, very special know-how is required. VoIP is built on top of Internet Protocol, and inherits its weaknesses. VoIP Protocol (SIP, RTP) was not desined for security. Security has to be added. Data and Voice networks are shared. Data-network problems affect Voice traffic. New technoloy with functional problems. In POTS, hih availability and excellent quality is state of the art. Compass Pae
Threats to VoIP Threat Locations VoIP Infrastructure Network VoIP Client Compass Pae Threats to VoIP Attackin the Network VoIP Traffic (SIP/RTP) is transmitted in clear-text. Eavesdropper can capture traffic information (who phones who) and listen to conversations. VoIP traffic can be redirected or manipulated. E invalid information/voice messaes could be inserted. VoIP traffic could be disturbed. Tearin down connections, delayin packets or deny phone service completely. Makin the service unreliable. SIP/RTP is based on UDP, which can easily be spoofed. BruteForce SIP Password (Challene-Response) Compass Pae
Threats to VoIP Attackin the VoIP Infrastructure (Proxies, PBX, Reistrar) VoIP components are often based on well known operatin systems. If the systems are not adequately protected and hardened an intruder could break into the system. IP based attacks can be tareted aainst the VoIP infrastructure. VoIP components are a ateway from the POTS to the data network. Weaknesses in the ateway would allow an attacker to access the data network. If an attacker compromises VoIP Infrastructure, he could: Eavesdrop on conversations/connection statistics Deny service Redirect traffic to expensive numbers Listen to voice mails Capture SIP credentials Phone for free Modify dial plans Compass Pae Threats to VoIP Attackin the VoIP Client Weak confiuration of hardphone allows an attacker to manipulate the phone. Security of computer runnin the softphone is crucial. Read traffic information Listen to conversations Chane phone behaviour Dial numbers, establish expensive connections (dialer) Deny service Capture loin credentials Trojan/Virus could collect SIP credentials stored in reistry The SIP credentials (username/password) are the key to VoIP. But who wants to enter username and password before he is placin a phone call? Credentials are always stored in softclient or in hardphone memory! Compass Pae
Threats to VoIP Other threats Availability Service is based on the data network. No phone calls can be placed when there is: No electricity Network outaes Network problems (DNS, Firewall, VoIP Infrastructure) When the computer network is down, how do you hold your business up? With phone conversations? How do you call emerency numbers? Annoyances As real VoIP services do not cost, there will be much more SPAM phone calls (called SPIT) as before. How about lettin your phone rin at niht? Think about a worm that calls VoIP phones at random! Compass Pae 7 Recommendations GLÄRNISCHSTRASSE 7 POSTFACH 7 CH-80 RAPPERSWIL Tel.+ - 0 Fax+ - team@csnc.ch www.csnc.ch
Recommendations General Recommendations No direct access to phones in company network from Internet Be careful with softphones: Check password storae Phone conversation is on same network as computers if only one network card is used! Write and save los Use encrypted protocols (SIPS, SRTP) Use VLANs to separate phones from data network VoIP phones are computers -> patch manaement Use Checklists to secure Installation E NIST: Security Considerations for Voice Over IP Systems Compass Pae 9 Recommendations Securin VoIP Infrastructure Harden all VoIP operatin systems Disable all unused services Disable unused phone interfaces (web, telnet) Use stron passwords to access components Use stron SIP credentials Use separate DHCP servers Use separate Windows domains Protect components in firewall zones Use SBC (Session Boarder Controller, VoIP Firewall) Use encrypted VPNs for Homeworkers Compass Pae 0
Conclusion GLÄRNISCHSTRASSE 7 POSTFACH 7 CH-80 RAPPERSWIL Tel.+ - 0 Fax+ - team@csnc.ch www.csnc.ch Conclusion Securin a VoIP based solution is not an easy task. It is essential to understand the functionality of VoIP and to know the products and features to be used. Security requirements have to be defined before implementin the solution. This may have remarkable impacts on the desin and the cost of the project. VoIP is still in development. The same quality and security like in POTS solutions has not been reached yet. Compass Pae
Discussion GLÄRNISCHSTRASSE 7 POSTFACH 7 CH-80 RAPPERSWIL Tel.+ - 0 Fax+ - team@csnc.ch www.csnc.ch References References VoIP Security, Ransome/Rittinhouse ISBN: -8--, Elsevier Diital Press Switchin to VoIP, Wallinford ISBN: 0-9-0088-, O'Reilly "E.T. Can't Phone Home - VoIP Security" Presentation from Ofir Arkin at Black Hat 00 Maazins: Hakin9, September/October 00 ix, October 00, heise Kes, Nr. Mai 00, SecuMedia NIST: Security Considerations for Voice Over IP Systems http://csrc.nist.ov/publications/nistpubs/800-8/sp800-8-final.pdf An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol http://www.cs.columbia.edu/~salman/skype/ Compass Pae
Abbreviations POTS: Plain Old Telephone System PSTN: Public Switched Telephone Network ITSP: Internet Telephony Service Providers NAT: Network Address Translation PAT: Port Address Translation VLAN: Virtual Local Area Network VPN: Virtual Private Network DHCP: Dynamic Host Confiuration Protocol Compass Pae