VoIP Security Threats and Countermeasures
Eric Chen
NTT Information Sharing Platform Laboratories & VOIPSA Technical Board of Advisors

Agenda
- Increasing awareness of VoIP security
- Top VoIP security threats
- Best current practices
- Ongoing research efforts

Industry Activity
- VoIP Security Alliance (VOIPSA) launched in 2005
- Mission:
  - To promote VoIP security research, education and awareness
  - To become a one-stop source of testing tools/methodologies
- Membership:
  - Over 100 members on the Technical Board
  - Include NTT, Mitel, Avaya, Nortel, Siemens, Alcatel, Extreme Networks, AT&T, Verizon, Columbia University
- VOIPSEC mailing list for discussion of VoIP security issues
- Projects: Threat taxonomy, best practices etc.

VoIP Security Threat Taxonomy
Refer to http://www.voipsa.org for more details
Conference Activity
VoIP Security Books
[Figure: book covers from 2004, 2006, 2007 and 2008]
Source: http://www.amazon.com

Zero Day Auctions Now Include VoIP
Source: WabiSabiLabi Home Page, 26 June 2008

VoIP Attack Tools Now Available Online
- http://www.hackingvoip.com/
- http://www.voipsa.org/resources/tools.php
- More than 80 VoIP attack/security tools known (still increasing)
Finding Targets using Google
- Cisco, Grandstream, Sipura, Polycom
- VoIP phones with built-in web servers to allow easy configuration
- May be indexed by Google if connected to the Internet without any protection
- Can easily find these phones using keywords included in the default URLs

SPIT (SPam over Internet Telephony)
- Definition: Automated telemarketing calls (excluding human calls)
- Not yet a problem due to the small number of VoIP users
- Can be more serious than PSTN marketing calls
  - Can be easily automated
  - Can be performed at low cost
  - Can perform broadcast
  - No country barrier in terms of call charges -> large scale
- Yahoo!BB Phone incidents in Japan
  - 2004/2: Unsolicited commercial messages for an adult website
  - 2004/8: "Number scanning" for active VoIP phone numbers (050-[provider code]-xxxx) at the rate of 6000 calls/day
  - 2004/11: Unsolicited automatic messages asking for personal information
  - Contracts with these spammers are terminated by the provider

SIP Scanning
- Send requests (REGISTER, OPTIONS etc.) with various spoofed originating UIDs to a SIP server
- Servers that respond with different replies for valid and invalid UIDs may be exploited
Example: SIPSCAN
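A defender-side view of the SIP Scanning slide, as an added example that is not part of the original slides: it flags sources that probe many distinct UIDs in a registrar log and checks whether the logged failure replies differ for valid and invalid UIDs. The log tuples, addresses, user list and threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log: (source IP, method, target UID, response status).
# 192.0.2.x and 198.51.100.x are documentation addresses, not real hosts.
LOG = [
    ("198.51.100.7", "REGISTER", "1000", 404),
    ("198.51.100.7", "REGISTER", "1001", 401),
    ("198.51.100.7", "REGISTER", "1002", 404),
    ("198.51.100.7", "OPTIONS", "1003", 404),
    ("198.51.100.7", "REGISTER", "1004", 401),
    ("192.0.2.10", "REGISTER", "1001", 401),
    ("192.0.2.10", "REGISTER", "1001", 200),
    ("192.0.2.11", "REGISTER", "1004", 401),
    ("192.0.2.11", "REGISTER", "1004", 200),
]
VALID_USERS = {"1001", "1004"}  # assumed provisioning list


def find_scanners(log, min_users=4):
    """Sources that probed many distinct UIDs without ever succeeding."""
    users, succeeded = defaultdict(set), set()
    for src, _method, user, status in log:
        users[src].add(user)
        if 200 <= status < 300:
            succeeded.add(src)
    return sorted(s for s, u in users.items()
                  if len(u) >= min_users and s not in succeeded)


def leaks_user_validity(log, valid_users):
    """True if failure replies differ between valid and invalid UIDs."""
    valid, invalid = set(), set()
    for _src, _method, user, status in log:
        if status >= 400:  # only replies sent before authentication succeeds
            (valid if user in valid_users else invalid).add(status)
    return bool(valid) and bool(invalid) and valid != invalid


if __name__ == "__main__":
    print("scanners:", find_scanners(LOG))
    print("replies reveal valid UIDs:", leaks_user_validity(LOG, VALID_USERS))
```

A server that answers every unauthenticated request with the same status makes `leaks_user_validity` return False, which removes the signal the slide describes.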
Flood-based DoS Attacks
- VoIP is vulnerable to flood-based DoS attacks at various layers
- General DoS attacks target TCP/IP
  - Same threats as for any web server on the Internet
- VoIP-specific DoS attacks target UDP-based SIP and RTP
  - Flood of bogus signaling packets may overload the CPU of any SIP server or UA
  - Flood of bogus RTP packets may degrade audio stream quality
- Tools available: kphone-ddos, RTP flooder, SIPBomber, SIPsak, Scapy, IAXFlooder, Seagull
Retrieve IP Address
- Motivation: Send arbitrary packets to the target
- Method: Call the target and sniff the incoming packets
  - IP address of the target included in:
    - Contact info in 200 OK
    - Source IP of the incoming RTP
Fuzzing Attacks
- Send malformed SIP messages
  - Buffer overflow: Via: SIP/2.0/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  - Integer anomalies: Content-Length: -1
  - Invalid addresses: INVITE sip:user@-1.-1.-1.-1 SIP/2.0
  - Structural anomalies: Cseq: 7038 INVITE a1 a2 a3 a4 a5 a6 a7 a8 a9 a10
- Can either crash the target or execute arbitrary code
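Input validation against the four anomaly classes on the Fuzzing Attacks slide, as an added example that is not part of the original slides: a strict pre-parser that rejects a request before it reaches the SIP stack. The length limit, the regexes and the GOOD/BAD messages are assumptions constructed here, and only IPv4 literals and hostnames are handled in the request URI.

```python
import ipaddress
import re

MAX_HEADER_LEN = 256  # assumed limit; tune to the deployment
LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOST_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")
URI_RE = re.compile(r"^sips?:(?:[^@\s]+@)?([^\s;:?]+)")
VIA_RE = re.compile(r"^SIP/2\.0/(?:UDP|TCP|TLS|SCTP) \S+")
CSEQ_RE = re.compile(r"^[0-9]{1,10} [A-Z]+$")

# Constructed samples; BAD combines the four anomaly classes from the slide.
GOOD = ("INVITE sip:bob@example.com SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
        "CSeq: 7038 INVITE\r\n"
        "Content-Length: 0\r\n\r\n")
BAD = ("INVITE sip:user@-1.-1.-1.-1 SIP/2.0\r\n"
       "Via: SIP/2.0/" + "a" * 4000 + "\r\n"
       "Cseq: 7038 INVITE a1 a2 a3 a4 a5 a6 a7 a8 a9 a10\r\n"
       "Content-Length: -1\r\n\r\n")


def valid_host(host):
    """IP literal, or a hostname with well-formed labels (not all digits)."""
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return not re.fullmatch(r"[0-9.]+", host) and bool(HOST_RE.match(host))


def validate(raw):
    """Return reasons to reject one SIP request datagram (empty list = accept)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines, problems = head.split("\r\n"), []
    parts = lines[0].split(" ")
    uri = URI_RE.match(parts[1]) if len(parts) == 3 else None
    if not uri or not valid_host(uri.group(1)):
        problems.append("request-uri")        # invalid address
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if len(line) > MAX_HEADER_LEN:
            problems.append("header-length")  # oversized field (overflow attempt)
        if name == "via" and not VIA_RE.match(value):
            problems.append("via")
        if name == "cseq" and not CSEQ_RE.match(value):
            problems.append("cseq")           # structural anomaly
        if name == "content-length" and value != str(len(body.encode())):
            problems.append("content-length") # integer anomaly or wrong length
    return problems
```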
Eavesdropping
[Figure: SIP call between Alice and Bob via SIP Proxy A and SIP Proxy B; INVITE/OK signaling, RTP media]
- Intercept signaling packets to analyze call patterns
- Intercept conversation

Eavesdropping Scenarios
- Wireless LAN with weak security
- Physical access to intermediate network nodes
- UA vulnerability
- ARP-Spoofing
How to avoid being Googled
- Follow the product guidelines
  - Disable the web server
  - Apply necessary security measures (FW, NAT etc.)
- Use Google to look for exposed devices in one's company
Use VoIP Firewalls
- VoIP clients use various RTP ports to connect with their peers outside. Statically opening all possible ports using a regular firewall introduces new threats.
- VoIP firewall
  - Dynamically open/close necessary ports through stateful inspection of VoIP traffic ("pinhole")
    - Inspecting the SDP payload in an INVITE message, extract the UDP port number to be used and open the port before the session starts
    - Close the port when the BYE message corresponding to the session is detected
  - Hide IP addresses of VoIP clients using NAT to prevent them from being direct targets on the Internet
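The pinhole logic from the VoIP firewall slide as a small state model, added here as an example and not taken from the original slides or from any product. It also reads the SDP in a 200 OK, which goes slightly beyond the INVITE case on the slide; the class, the helper names, the port policy and the messages are constructed assumptions.

```python
import re


class PinholeTable:
    """Tracks RTP pinholes per SIP Call-ID (state model only, no packet filter)."""

    def __init__(self):
        self.holes = {}  # Call-ID -> set of (ip, udp_port)

    def handle(self, raw):
        """Update state from one SIP message seen on the signaling path."""
        head, _, body = raw.partition("\r\n\r\n")
        start, *hdrs = head.split("\r\n")
        headers = {k.strip().lower(): v.strip()
                   for k, _, v in (h.partition(":") for h in hdrs)}
        call_id = headers.get("call-id")
        if not call_id:
            return
        if start.startswith("BYE "):
            self.holes.pop(call_id, None)  # session ended: close its pinholes
        elif start.startswith(("INVITE ", "SIP/2.0 200 ")):
            ip = re.search(r"^c=IN IP4 (\S+)", body, re.M)
            port = re.search(r"^m=audio ([0-9]{1,5}) RTP/", body, re.M)
            # Assumed policy: never open privileged or out-of-range ports.
            if ip and port and 1024 <= int(port.group(1)) <= 65535:
                self.holes.setdefault(call_id, set()).add(
                    (ip.group(1), int(port.group(1))))

    def allows(self, ip, port):
        """True if an open pinhole covers this RTP destination."""
        return any((ip, port) in holes for holes in self.holes.values())


def sip(start, call_id, sdp=""):
    """Build a constructed SIP message for the demo."""
    return (f"{start}\r\nCall-ID: {call_id}\r\n"
            f"Content-Length: {len(sdp)}\r\n\r\n{sdp}")


SDP = "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/AVP 0\r\n"


def demo():
    """Pinhole state after INVITE, after an unrelated BYE, after the real BYE."""
    fw, states = PinholeTable(), []
    for msg in (sip("INVITE sip:bob@example.com SIP/2.0", "call-1", SDP),
                sip("BYE sip:carol@example.com SIP/2.0", "call-2"),
                sip("BYE sip:bob@example.com SIP/2.0", "call-1")):
        fw.handle(msg)
        states.append(fw.allows("192.0.2.10", 49170))
    return states
```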
Segregation of VoIP Network
- Segregate data and voice networks using VLAN etc.
  - Minimize impact on voice network from sudden traffic surge caused by PCs infected by worms on data network
  - Reduce the risks of eavesdropping
  - Prevent broadcast traffic on data network from entering VoIP network
- To further prevent unauthorized machines from accessing and attacking voice network
  - IEEE802.1x
  - MAC address filtering
- Allow only dedicated VoIP appliances on voice network (less programmability, less risk to be exploited)
- What to do with soft phones (e.g. X-Lite)?
  - Don't allow them on mission-critical voice networks
  - Restrict installation of applications
  - Deploy immune networks
Software Updates
- Check various sources for new vulnerability information
  - Source: VOIPSA; Blue Box; CERT/CC; JPCERT/CC; IPA; Vendor HP
  - Description: New VoIP security/attack tools; Blog and mailing list discussions; VoIP security-related podcast; Tutorials; Security incident report; SIP vulnerability report (Japanese only); New firmware and patches
  - URL: http://www.voipsa.org/; http://www.blueboxpodcast.com/; http://www.cert.org; http://www.jpcert.or.jp; http://www.ipa.go.jp

Penetration Tests
- Conduct simulated attacks using tools available on http://www.voipsa.org/resources/tools.php
  - PROTOS/Codenomicon (fuzzing)
  - SIPSCAN
  - SiVuS
  - SIPBomber ... etc.
- Verification criteria
  - Terminal status
  - Connection status
  - QoS

Encryption
- Securing the signaling channel
  - IPSec
  - TLS/DTLS
- Securing the media channel
  - IPSec
  - SRTP (two candidates for SRTP key exchange now at IETF)
    - DTLS-SRTP
    - ZRTP

Vendor Solutions
- Arbor Networks (http://www.arbornetworks.com)
- Borderware (http://www.borderware.com)
- Captus Networks (http://www.captusnetworks.com)
- Cisco Riverhead (http://www.cisco.com)
- Ingate (http://www.ingate.com)
- Mazu Networks (http://www.mazunetworks.com)
- Mirage Networks (http://www.miragenetworks.com)
- SecureLogix (http://www.secuirelogix.com)
- Sipera (http://www.sipera.com)
- TippingPoint (http://www.tippingpoint.com)
- TopLayer (http://www.toplayer.com)
Research Opportunities in VoIP Security
- VoIP-specific DDoS attacks
- SPIT
- Adaptive detection against fuzzing attacks

NTT's SIP Guard for SIP-specific DoS attacks
Eric Y. Chen, "Detecting DoS Attacks on SIP Systems", IEEE workshop on VoIP Management and Security at NOMS 2006, Canada, April 2006

NEC's VOIP SEAL
Roman Schlegel, Saverio Niccolini, Sandra Tartarelli, Marcus Brunner, "SPam over Internet Telephony (SPIT) Prevention Framework", GLOBECOM 2006

Other Research Efforts
- Gaston Ormazabal, "Secure SIP: A scalable prevention mechanism for DoS attacks on SIP based VoIP systems", IPTCOMM 2008
- Charles Shen, "SIP Server Overload Control: Design and Evaluation", IPTCOMM 2008
- Mohamed Nassar, "Holistic VoIP Intrusion Detection and Prevention System", IPTCOMM 2007
- Jens Fiedler, "VoIP Defender: Highly Scalable SIP-based Security Architecture", IPTCOMM 2007
- Ge Zhang, "Denial of Service Attack and Prevention on SIP VoIP Infrastructures Using DNS Flooding", IPTCOMM 2007

Conclusion
- VoIP is still an emerging technology, so is its security framework
- No such thing as perfect security, but risks can be significantly reduced using currently available solutions
- Challenges for
  - Vendor: Increase effort devoted to software engineering practices to minimize implementation flaws
  - Provider: Learn to securely integrate different physical components (SIP servers, SIP clients) and solutions from multiple vendors
  - User: Be aware of the new threats introduced by VoIP