IPTCOMM 2008 Heidelberg
VoIP Security: Do Claims of Threats Justify Continued Research Efforts?
Jonathan Zar, Pingalo, VOIPSA
Eric Chen, NTT Information Sharing Platform Laboratories, VOIPSA

Lots of Activity Within VoIP Security

Industry Activity
VoIP Security Alliance http://www.voipsa.org
- VOIPSA's mission is to promote the current state of VoIP security research, VoIP security education and awareness, and free VoIP testing methodologies and tools.
- Membership includes: Mitel, Avaya, Nortel, Siemens, Alcatel, Extreme Networks, NTT.
- Now over 100 members on the Technical Board of Advisors
- Projects: Threat Taxonomy, Security Requirements, Security Research, Best Practices, Testing
- Public VOIPSEC mailing list for discussion of VoIP security issues
- VoIP Security Threat Taxonomy released in late 2005
- Current project - industry-wide Best Practices

Conference Activity

VoIP Security Books (2004, 2006, 2007, 2008)

Press Attention

Increasing Industrial Importance
- Well past the tipping point when new E1 favor IP provisioning
- VoIP technologies have become foundational in 3GPP and ITU
- Appear in 3G roadmaps
- Appear in ITU roadmaps
- Now several years into early market segments of mainstream consumer VoIP adoption
- Protocols widely used on all major IM platforms
- Carrier offerings
- Skype
- Other solutions
- With build-out of NGN, VoIP-based protocols are diffusing widely
- Within enterprise, SIP trunking has started

Public Mindshare
[Chart legend: telephone security, voip security, voice security]

Public Mindshare (continued)
[Chart legend: telephone security, voip security, unified communications]

R&D Decisions Matter
- Future results depend on allocations today
- Allocations are based on perceived need
- Misallocations are costly because it's always a capital and labor trade-off impacting the course of jobs, projects, and the results from the investment
- Key metrics are ROI based, either:
  - True ROI where there is measurable financial return
  - Or proxy ROI where there is an alternative return such as:
    - Decision branches pruned
    - Patents applied or issued
    - Experimental candidates for commercialization

Plenty of Need
6 Billion People ~ $5 Trillion Base of Pyramid Market Gains Dramatically from ICT Investment
[Figure labels: Base of Pyramid, ICT]
Sources: C.K. Prahalad and World Resources Institute

Methodology
- Mapped the risk space into a threat taxonomy
- Created a corpus of data of threats and vulnerabilities for the period from calendar Q4FY06 to Q2FY07
- Included IMS, enterprise, and consumer risks from public and proprietary sources
- Included claims of threats to:
  - VoIP enabled applications and ancillary databases
  - real-time protocols and their implementations
  - enabling tools and software libraries
  - network equipment and transport
  - endpoint devices
- Measured and classified the threats
- Synthesized results, root causes, and implications

VOIPSA VoIP Security Threat Taxonomy
Refer to http://www.voipsa.org for more details

Results of Discovery: Claims of Threats Supported by Evidence

McAfee Avert Labs Top 10 Threat Predictions for 2008

11 Years of Automated Attacks
Source: US Department of Defense Public Unclassified

R&D Creates Wealth
Source: Hans Rosling

New VoIP Attack/Security Tools
http://www.hackingvoip.com/
http://www.voipsa.org/resources/tools.php
More than 80 VoIP attack/security tools known (still increasing)

Zero Day Auctions Now Include VoIP
Source: WabiSabiLabi Home Page 26 June 2008

VoIP Services Theft Prosecution
Theft and Resale Of More Than 10 Million Minutes of VoIP Traffic
Through a practice known as a Brute Force attack, [defendant] Pena and others working with him acquired the proprietary codes established by VOIP telecom providers to identify and accept authorized calls entering their networks for routing. Having penetrated the networks of VOIP telephone service providers, Pena programmed the third party's computer networks to use the illegally obtained proprietary prefix to route calls of customers of his companies. By sending calls to the VOIP telephone service providers through the unsuspecting third party's networks, the VOIP telephone service providers were unable to identify the true sender of the calls for billing purposes. Consequently, individual VOIP Telecom Providers incurred aggregate routing costs of up to approximately $300,000 per provider, without being able to identify and bill Pena.
Source: Press Release and Criminal Complaint US vs. Pena (June, 2006, District of New Jersey)

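One way a provider could spot the prefix-guessing pattern described in the complaint, as an added example that is not from the slides or the case record. The log format, field names, window and threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed gateway log; the format and field names are assumptions.
LOG = [
    "2008-06-01T10:00:00 src=203.0.113.5 prefix=7731 result=accepted",
    "2008-06-01T10:00:05 src=198.51.100.7 prefix=1000 result=rejected",
    "2008-06-01T10:00:06 src=198.51.100.7 prefix=1001 result=rejected",
    "2008-06-01T10:00:07 src=192.0.2.50 prefix=7713 result=rejected",
    "2008-06-01T10:00:08 src=198.51.100.7 prefix=1002 result=rejected",
    "2008-06-01T10:00:09 src=192.0.2.50 prefix=7713 result=rejected",
    "2008-06-01T10:00:10 src=198.51.100.7 prefix=1003 result=rejected",
    "2008-06-01T10:00:11 src=198.51.100.7 prefix=1004 result=rejected",
    "2008-06-01T10:00:12 src=192.0.2.50 prefix=7713 result=rejected",
    "2008-06-01T10:03:00 src=198.51.100.7 prefix=7731 result=accepted",
]

def detect_prefix_guessing(lines, window=timedelta(minutes=5), threshold=5):
    """Flag sources that try >= threshold distinct rejected prefixes within window.

    Returns {src: {"alert_at": datetime, "accepted_after": [prefix, ...]}}; a
    non-empty accepted_after means a guess may have succeeded.
    """
    recent = defaultdict(deque)  # src -> (time, prefix) of rejections still in window
    flagged = {}
    for line in lines:
        ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        t, src = datetime.fromisoformat(ts), rec["src"]
        if rec["result"] == "rejected":
            q = recent[src]
            q.append((t, rec["prefix"]))
            while t - q[0][0] > window:
                q.popleft()
            # distinct prefixes, so a peer retrying one wrong prefix is not flagged
            if src not in flagged and len({p for _, p in q}) >= threshold:
                flagged[src] = {"alert_at": t, "accepted_after": []}
        elif src in flagged:
            flagged[src]["accepted_after"].append(rec["prefix"])
    return flagged

if __name__ == "__main__":
    for src, info in detect_prefix_guessing(LOG).items():
        print(src, info["alert_at"].isoformat(), info["accepted_after"])
```

A flagged source with a later accepted prefix is the case to act on first: the prefix it used should be treated as exposed and rotated.
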
End-point Vulnerabilities
Testing of hard phones, wi-fi phones, and terminal adapters shows that many have weak security:
- open ports, default passwords, weak provisioning, weak cryptography
- defective software
- low tolerance for fuzzing and flooding
Few systems in the field are verified by design
In general there are no standards for robustness. Nor are there even good metrics for such a concept

End-point Vulnerability Examples (1 of 3)
- Senao SI-7800H VoIP wireless phone: wdbrpc debug service UDP/17185
- Clipcomm CPW-100E VoIP wireless handset phone: open debug service TCP/60023
- ZyXel P2000W (Version 2) VoIP wireless phone: undocumented port UDP/9090
- ACT P202S VoIP wireless phone: multiple undocumented ports/services
- MPM HP-180W VoIP wireless desktop phone: undocumented port UDP/9090
- UTstarcom F1000 VoIP Wifi phone: multiple vulnerabilities
Source: S. Merdinger

End-point Vulnerability Examples (2 of 3)
- Cisco Unified IP Phone: SSH server with hard coded default user account and default password that is used for debugging
- Linksys WIP 330 VoIP wireless phone: crash from Nmap scan
- Cisco 7905 VoIP phone: crashing from dsniff arpspoof
- Clipcomm CP-100E: undocumented open port TCP/60023 allows remote access to two debugging accounts: Clip and USH
- Hitachi WIP-5000:
  - HTTP index page discloses software version, phone MAC address, IP address and routing
  - HTTP no default login credentials
  - SNMP enabled, read/write using any credentials
  - Undocumented open port TCP/3390 Unidata Shell
  - Hardcoded admin login 0000 on device keypad
Source: S. Merdinger

End-point Vulnerability Examples (3 of 3)
- Senao SI-680H VoIP Wifi phone: undocumented open port
- Zyxel P2000W (Version1) VoIP Wifi phone: multiple vulnerabilities
- GrandStream GXP-2000 VoIP Desktop Phone: multiple undocumented UDP ports and DoS
- PolyCom IP-301 VoIP Desktop Phone: HTTP server DoS and undocumented TCP port 42
- Linksys SPA-921 VoIP Desktop Phone: HTTP server DoS
Source: S. Merdinger

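An added example, not from the original slides: a check that compares phone scan results against a site baseline and flags the debug and undocumented ports listed above. The baseline set, the nmap grepable (-oG) sample and its addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed scan results in nmap grepable (-oG) format, documentation addresses.
SCAN = (
    "Host: 192.0.2.11 (phone-a)\tPorts: 5060/open/udp//sip///, 17185/open/udp//wdbrpc///\n"
    "Host: 192.0.2.12 (phone-b)\tPorts: 60023/open/tcp//unknown///, 80/open/tcp//http///\n"
    "Host: 192.0.2.13 (phone-c)\tPorts: 5060/open/udp//sip///, 9090/open|filtered/udp/////\n"
    "Host: 192.0.2.14 (phone-d)\tPorts: 5061/open/tcp//sip-tls///, 42/closed/tcp//nameserver///\n"
)
# Assumed site baseline: the only services a phone may expose.
BASELINE = {("udp", 5060), ("tcp", 5060), ("tcp", 5061)}
# Debug/undocumented ports named on the slides above.
SLIDE_PORTS = {("udp", 17185), ("tcp", 60023), ("udp", 9090), ("tcp", 3390), ("tcp", 42)}
PORT_RE = re.compile(r"(\d+)/([^/]*)/(tcp|udp)/")

def parse_grepable(text):
    """Yield (host, proto, port, state) for every port entry in -oG output."""
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) [^\t]*\tPorts: ([^\t]*)", line)
        if not m:
            continue
        for entry in m.group(2).split(","):
            p = PORT_RE.match(entry.strip())
            if p:
                yield m.group(1), p.group(3), int(p.group(1)), p.group(2)

def audit(text, baseline=BASELINE):
    """Return {host: [(level, 'proto/port', confirmed)]} for off-baseline listeners."""
    findings = defaultdict(list)
    for host, proto, port, state in parse_grepable(text):
        # closed/filtered ports are not exposures; baseline services are expected
        if not state.startswith("open") or (proto, port) in baseline:
            continue
        level = "debug-port" if (proto, port) in SLIDE_PORTS else "off-baseline"
        # UDP often comes back "open|filtered": report it, but mark it unconfirmed
        findings[host].append((level, f"{proto}/{port}", state == "open"))
    return dict(findings)

if __name__ == "__main__":
    for host, items in audit(SCAN).items():
        for level, port, confirmed in items:
            print(host, level, port, "confirmed" if confirmed else "needs re-test")
```
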
Results of Analysis: Root Causes and Key Findings

Root Causes
[Diagram labels] Data Structures Routing Course Virtual Protection Incomplete Coverage Incomplete Exception Handling Weak Identification Poor Auditability Inadequate Input Validation Presumptive and Eager Commits Defective Coverage Non-reversible Routing Non-abelian Non-transitive Processes Promiscuous Routing Costly Enforcement Non-atomic Authentication Protocol and Application Vulnerabilities Logic Trust Semantics

Key Findings
Q: How important is this field?
A: Quite important. The infrastructure for modern telecommunications and enterprise peering is at risk.
Q: Who are the customers for R&D?
A: Industry and government for the benefit of the public.
Q: What are the needs?
A: Robust design for all devices that touch the traffic. Improvements in the root-cause areas that contribute to defects. Increased investment focused in specific areas as recommended. Regulatory support for transitional QA investment tariffs.
Q: Do the facts support continued research?
A: Yes. The threats are real, significant in harm, and growing.

Key Findings (continued)
Q: What do the risks tell us?
A: That communication software, including embedded software, and micro devices with compiled logic are vulnerable to at least 14 root cause defects and will be under sustained and malicious attack.
Q: How does learning inform decision makers?
A: Digital communications are prone to increasing compromise. The risks threaten both commerce and national security. The art of quality for communication software across the entire industry is substantially less than what is considered acceptable by the public everywhere in the manufacture of articles of commerce. Investment would thus be prudent.

Many Technical Opportunities
[Slide labels] End-point Security Protocol Stability RT Transactional Security Robust Implementations Metrics and Methods Authentication and Admissions for interconnecting with other carriers for DoS prevention for Phishing countermeasures Trust Logic Multiparty Signaling Payload Security Micro transactions OSS/BSS Extensions Security Transactions Advertising Commercial Zero Defects Incumbents New Large Entrants Open Source Multi-tenant Hosted Systems Privacy Hacker Ethics

Where to Focus: Candidate VOIPSA Projects

Global Test-bed Project
Need
- Create a global carrier peering test-bed for service validation and QA
- Attractive for entrepreneurs building new user communities and inviting to researchers in quality assurance and security
- Distinct from regulated network, internal network, or honey-pots
Project
- Network contribution and establishment
- Developer programs for S/W, H/W, QA, pen-testing, and Web 3.0
- Management, operations, and regulatory clearance
Benefit
- Effective public large scale test-bed
- National means for sharing investment in Web 3.0 and security research

End Point Security Project
Need
- MANY terminal adapters and end-points (of all types) have weak security
- Carriers are surrounded by these devices, many of which could, if compromised, open the core network to attack
- In general there are no standards to ensure end-point security or improve goods in the supply chain
Project
- Define a roadmap for security standards for end-points
- Increase the ability of suppliers to source compliant goods
- Step-by-step raise the bar on quality
Benefit
- Defect reduction across the value chain from end-points
- Practical and significant improvement in system reliability

Secure IMS Billing Project
Need
- Support for secure advertising, micropayment, presence, location, or transaction billing
- Current CDR information is already vulnerable: the next generation billing models will require more detail and hence more security
- VoIP and IMS security research and OSS/BSS research is required in collaboration to assure the public that future generation billing systems can be trusted
Project
- Collaborate on new service delivery billing elements, workflows and enabled security of data and data exchange
- Generate the learning and input for standards to assure the public
Benefit
- Trusted commerce model for monetizing IMS

Privacy Commerce Project
Need
- The public consistently polls in favor of privacy interests and is willing to pay for some measure of privacy either in fees or benefits
- Industry sector regulation of privacy worldwide increases year-by-year
- Missing are the market enablers for a commercial market in IMS based privacy solutions
Project
- Explicate the technical requirements for general privacy solutions
- Enable the technical infrastructure
Benefit
- ROI to drive carrier adoption of S/W and H/W enablers
- Better consumer privacy and business regulatory compliance

Discussion
Please Join Us For Q&A Immediately After Today's Demos