Vulnerabilities in SOHO VoIP Gateways
Is grandma safe?
Peter Thermos
pthermos@vopsecurity.org
pthermos@palindrometechnologies.com
Purpose of the study
- VoIP subscription is growing, and with it the security concerns.
- None of the vendors or providers mentioned security. Why? Purposefully left out because of known problems? Subscribers not asking for security?
- Preliminary evaluation of SOHO VoIP gateways: a snapshot in time.
- Help promote future work.
Objectives
- Tested 3 deployed services/devices using a traditional vulnerability assessment methodology.
- What vulnerabilities may exist (e.g. DoS, buffer overflow)?
- What classes of vulnerabilities/attacks can be exploited remotely (e.g. configuration, buffer overflows, SPIT)?
- Can a VoIP user's registration or identity be hijacked? Would they know?
Methodology
- Traditional vulnerability assessment methods: discovery, evaluation and analysis, test, verify, document.
- Areas of focus: manageability, node security, signaling, media.
Targets of Evaluation
- SP-1: Maintains a VoIP infrastructure and has ubiquitous presence through existing ISPs (Internet Service Providers, including DSL/cable) in North America. This service provider also plans to establish a global presence.
- SP-2: An incumbent telecommunications carrier (including PSTN and wireless), which therefore takes advantage of its existing switched infrastructure to route calls. Its VoIP presence, at the moment, is limited to the US.
- SP-3: Maintains a VoIP infrastructure that offers VoIP service to residents within a local region (i.e. state, not national). A low-cost producer of VoIP services.
ToE and device mapping

Service Provider   Voice Gateway   Protocols Used
SP-1               VG-1            SIP/RTP
SP-2               VG-2            MGCP/RTP
SP-3               VG-3            SIP/RTP
Network Topology (diagram slide)
Management Findings (1 of 4)
- Administrative sessions are protected with userid/password only. No SSL capability, so credentials and configuration commands can be intercepted and in some cases replayed.
- Role-based access control is limited (one role for all administration/management).
- Logs are not maintained by the device.
Node Security Findings (2 of 4)
- Open ports on the external interface allow various attacks, including DoS and unauthorized access and management.
- Default credentials allow attackers to remotely compromise poorly configured devices.
Signaling Findings (3 of 4)
- Registration and call/presence/identity hijacking; Denial of Service.
- Implementation issues (e.g. buffer overflows) discovered through robustness testing.
Example of a SIP call (diagram slide)
Presence Hijacking (diagram slide)
Presence Hijacking: Register Request

REGISTER sip:216.115.25.57 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.6;branch=xajB6FLTEHIcd0
From: 732-835-0102 <sip:12125550102@voip-serviceprovider.net:5061>;tag=5e374a8bad1f7c5x1
To: 732-835-0102 <sip:12125550102@voip-service-provider.net:5061>
Call-ID: QTEv5G5dOHYc@192.168.1.2
CSeq: 123456 REGISTER
Contact: 2125550102 <sip:12125550102@192.168.1.3:5061>
Authorization: Digest username="12125550102",realm="216.1.2.5",nonce="716917624",uri="sip:voip-service-provider.net:5061",algorithm=md5,response="43e001d2ef807f1e2c96e78adfd50bf7"
Max-Forwards: 70
User-Agent: 001217E57E31 VoIP-Router/RT31P2-2.0.13(LIVd)
Content-Type: application/sdp
Subject: SiVuS Test
Expires: 7200
Content-Length: 0
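The REGISTER above carries a plain MD5 Digest (no qop) over UDP, and its Contact points the subscriber's identity at a host of the sender's choosing, which is what makes registration and presence hijacking possible. The following registrar-side checks are an added example written for this page, not code from the talk or from any of the evaluated providers. It parses a REGISTER in the same shape as the capture, verifies the RFC 2617 Digest response, refuses a nonce that has already been consumed (a replayed capture), and raises an alert when a valid registration moves an address-of-record to a different contact host. The realm and digest URI are taken from the slide; the user password, the nonces and the contact hosts are constructed for the example, and a real registrar would additionally only accept nonces it issued itself in a recent 401 challenge.

```python
import hashlib
import re

METHOD = "REGISTER"
REALM = "216.1.2.5"                                  # realm from the slide's capture
DIGEST_URI = "sip:voip-service-provider.net:5061"    # digest uri from the slide's capture

# Constructed credential store: this password is invented for the example.
PASSWORDS = {"12125550102": "constructed-secret"}


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 Digest without qop, as in the capture (algorithm=md5)."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def build_register(user, contact_host, nonce=None, password=None):
    """Construct a REGISTER shaped like the slide's capture (sample data, not a real capture)."""
    headers = [
        f"{METHOD} sip:216.115.25.57 SIP/2.0",
        f"Via: SIP/2.0/UDP {contact_host};branch=z9hG4bK-example",
        f"From: <sip:{user}@voip-service-provider.net:5061>;tag=example",
        f"To: <sip:{user}@voip-service-provider.net:5061>",
        f"Call-ID: example@{contact_host}",
        f"CSeq: 1 {METHOD}",
        f"Contact: <sip:{user}@{contact_host}:5061>",
    ]
    if nonce is not None:
        resp = digest_response(user, REALM, password, METHOD, DIGEST_URI, nonce)
        headers.append(
            f'Authorization: Digest username="{user}",realm="{REALM}",nonce="{nonce}",'
            f'uri="{DIGEST_URI}",algorithm=md5,response="{resp}"'
        )
    headers += ["Max-Forwards: 70", "Expires: 7200", "Content-Length: 0"]
    return "\r\n".join(headers) + "\r\n\r\n"


def parse_sip(raw):
    """Split a SIP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_digest(auth_value):
    """Parse 'Digest k="v",k2=v2' into a dict; None if no Digest credentials."""
    scheme, _, params = auth_value.partition(" ")
    if scheme.lower() != "digest":
        return None
    pairs = re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3) for m in pairs}


class Registrar:
    """Minimal registrar that checks credentials, nonce reuse and binding changes."""

    def __init__(self, passwords):
        self.passwords = passwords
        self.used_nonces = set()   # replay defence: each nonce is accepted once
        self.bindings = {}         # address-of-record -> contact host

    def handle_register(self, raw):
        """Return (status code, list of alerts) for one REGISTER request."""
        request_line, h, _ = parse_sip(raw)
        method = request_line.split()[0]
        aor = re.search(r"sip:([^@>]+)@", h.get("to", "")).group(1)
        auth = parse_digest(h.get("authorization", ""))
        if auth is None:
            return 401, ["challenge: no credentials presented"]
        if auth.get("username") != aor or aor not in self.passwords:
            return 403, ["username does not match address-of-record or unknown user"]
        if auth.get("realm") != REALM:
            return 403, ["credentials for a foreign realm"]
        if auth.get("nonce") in self.used_nonces:
            return 403, ["replay: nonce already consumed"]
        expected = digest_response(aor, REALM, self.passwords[aor], method,
                                   auth.get("uri", ""), auth.get("nonce", ""))
        if expected != auth.get("response"):
            return 403, ["bad digest response"]
        self.used_nonces.add(auth["nonce"])
        contact_host = re.search(r"@([^:>;]+)", h.get("contact", "")).group(1)
        alerts = []
        previous = self.bindings.get(aor)
        if previous and previous != contact_host:
            # A valid but relocated binding is the signature of the hijack on the slide.
            alerts.append(f"binding for {aor} moved from {previous} to {contact_host}")
        self.bindings[aor] = contact_host
        return 200, alerts


if __name__ == "__main__":
    reg = Registrar(PASSWORDS)
    first = build_register("12125550102", "192.168.1.3", "n1", "constructed-secret")
    print(reg.handle_register(first))   # accepted, no alerts
    print(reg.handle_register(first))   # same message again: rejected as a replay
    moved = build_register("12125550102", "10.0.0.9", "n2", "constructed-secret")
    print(reg.handle_register(moved))   # accepted, but the binding move is flagged
```

The binding-move alert is the piece a provider could have logged and shown to the subscriber ("Would they know?"); the single-use nonce closes the replay of a captured REGISTER, but does nothing against an attacker who holds the password or can capture a fresh exchange over the unprotected UDP transport.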
Provider Response

Dear Peter Thermos,

Thank you for contacting customer care. In response to your email, no this is not possible. We are more secure than a regular phone line. While I see that you have a log of SIP messages from your own account, this is not the same as re-routing and listening to someone else's calls.

I hope that I have resolved your problem. Do not hesitate to contact us if you need further assistance.

Sincerely,
Dave S.
Tier 2 Tech Support
Caller-ID Demo (SiVuS toolkit)
Media Findings (4 of 4)
- Eavesdropping (sensitive information captured, including credit card numbers and PINs).
- Voice quality degradation and media manipulation.
General observations
- Security through obscurity: use of port 5061 for SIP over UDP (the port is merely non-standard; the signaling is not encrypted).
- Firewalling capability to restrict connections from specific nodes (e.g. VG-2 provides a firewall capability).
Conclusions - Is grandma safe?
- No, and worse, she's likely to get very annoyed at the poor availability and the annoying VoIP spam from marketers and VoIP joyriders.
- The current security posture of SOHO gateways is not adequate.
- As attacks against VoIP subscribers increase in the next 3 years, what do we do to protect against them?
- What should carriers, service providers and users do?
Recommendations
- Architecture: routing controls and network segmentation to provide a level of protection for VoIP subscribers (e.g. SBC/DPI).
- Robust implementations.
- Security requirements: IETF, ATIS, ITU.
- Initiatives such as the VoPSecurity Forum and VoIPSA may help.