VOIP TELEPHONY: CURRENT SECURITY ISSUES




Authors: Valeriu IONESCU 1, Florin SMARANDA 2, Emil SOFRON 3
University of Pitesti

1 Faculty of Electronics Communications and Computers, University of Pitesti, Romania (phone: 40/248/222949; fax: 40/248/216448; e-mail: valeriu@upit.ro)
2 Manager of the Communication Department, University of Pitesti, Romania (phone: 40/248/218804; fax: 40/248/216448; e-mail: florin@upit.ro)
3 Faculty of Electronics Communications and Computers, University of Pitesti, Romania (phone: 40/248/222949; fax: 40/248/216448; e-mail: sofron@upit.ro)

Keywords: VoIP, SIP, security

Abstract: Session Initiation Protocol (SIP) is the new protocol that integrates voice and data networks. Even if there are many advantages in implementing SIP, it has not yet been widely deployed because many users are reluctant to overlook the security issues that this protocol brings. This paper presents an overview of the current security model and the issues introduced by VoIP telephony. An analysis was performed using various open-source test suites in order to determine the security problems and the equipment behavior, and results were gathered with the use of the NAGIOS network monitoring program. The applications used the Asterisk software as a complete IP PBX (Private Branch Exchange), on a Fedora Core 5 Linux OS, a Grandstream GXV-3000 Video IP Phone, and various IP soft phones. Because the technology is still in an early stage, many of the VoIP implementations failed to perform in a robust manner under the test. Some failures had information security implications, and should be considered as vulnerabilities. A good security policy implies a complete architecture, not a single product or protocol. Therefore, as the SIP scene matures, in order to implement a secure network with VoIP technology, a new security model must be developed based on the use of specialized hardware in internet gateways and in the SIP proxy, together with dedicated VoIP monitoring software.

I. Introduction

Voice over Internet Protocol (VoIP) refers to the transmission of speech across data-style networks. This form of transmission is superior to conventional circuit-switched communication, but it adds a number of complications to existing network technology that are compounded by security considerations.

Telecommunications companies and other organizations have already moved, or are in the process of moving, their telephony infrastructure to their data networks. The VoIP solution provides an alternative to traditional PSTN phone lines, and long distance phone calls become very inexpensive as voice traffic travels on the Internet or over private data network lines. VoIP is also cost effective because all of an organization's electronic traffic (phone and data) is condensed onto one physical network, and there is no longer a need for separate teams, one to manage a data network and another to manage a voice network. Also, the network administrator's tasks may be lessened as they can focus on a single network.

Although its implementation is widespread, the technology is still in the development phase, often lacking compatibility and continuity with existing systems. Nevertheless, VoIP will capture a significant portion of the telephony market, given the fiscal savings and flexibility that it can provide.

VoIP systems take a wide variety of forms [1], [2]:

- Traditional telephone handset: these products have extra features beyond a simple handset with dial pad, such as an LCD screen that allows the user to configure the handset to gain access to enhanced features such as conference calls.
- Mobile units: wireless VoIP units are becoming increasingly popular, especially since many organizations already have an installed base of 802.11 networking equipment. These may present additional challenges if certain security issues are not carefully addressed (such as the use of AES encryption).
- PC or softphone: any PC can be used as a VoIP unit. However, if possible, softphones should not be used where security or privacy are a concern, due to the dual capability of the PC to deal with both data and voice traffic. As this paper will show, in a network with both hardware and software VoIP units, attacks come from applications running on the PCs.

In addition to end-user equipment, VoIP systems include a large number of other components, including call managers, gateways, routers, firewalls, and protocols. Unlike the ordinary phone system, the basic flow of voice data in a VoIP system includes many transformations. The first step in this process is converting analog voice signals to digital, while using a compression algorithm to reduce the volume of data to be transmitted. Next, voice samples are inserted into data packets to be carried on the Internet. The protocol for the voice packets is typically the Real-time Transport Protocol (RTP), and it is carried as data by UDP datagrams (for compatibility with data transmissions throughout the Internet).

II. VoIP Security Issues

In a conventional telephone system, security is more of a theoretical assumption, as intercepting conversations requires physical access to telephone lines. Few organizations encrypt voice traffic over traditional telephone lines. The same cannot be said for Internet-based connections, where packets sent from one computer to another may pass through many systems that are not under the control of the user's ISP, thus lacking the same physical wire security as the phone lines. The key to securing VoIP is to use security mechanisms like those deployed in data networks.

Quality of Service (QoS) is a fundamental concept to the operation of a VoIP network [3]. The implementation of various security measures can degrade QoS, with effects ranging from the delaying or blocking of call setups by firewalls to encryption-produced latency and delay variation. Because of the time-critical nature of VoIP, and its low tolerance for disruption and packet loss, many security measures implemented in traditional data networks just aren't applicable to VoIP in their current form. QoS is affected by:

- latency: for international calls, a delay of up to 400 ms is deemed tolerable, but for local calls this must be below 200 ms;
- jitter: non-uniform packet delays, often caused by low-bandwidth situations in VoIP. Although UDP is used to pass packets to the destination, RTP allows applications to do the reordering using the sequence number and timestamp fields; however, security measures such as IPsec encryption may introduce delays too large for the protocol to compensate, thus increasing jitter;
- packet loss: this results from excess latency or can be the result of jitter. Even if VoIP packets are very small, containing a payload of only 10-50 bytes, packet losses usually happen in sequences, often due to congestion, so signal degradation may rapidly become a problem.
There are several implementations of VoIP protocols, such as the standardized H.323 and SIP, or proprietary ones such as Skype or GoogleTalk. As the hardware available for testing was a SIP-based network, we will focus our presentation on this specific network; however, many observations are applicable to other protocols, too. The strict performance requirements of VoIP have significant implications for security, particularly denial of service (DoS) issues.

Fig. 1 DoS attacks (the most common form of attack) are adapted to VoIP structure
[Diagram labels: Invalid Requests; Invalid Media; Fuzzing; Malformed Messages; Call Hijacking; DoS attacks specific to VoIP; Registration; Media session; Server masquerading; QoS abuse; User call Flooding; Endpoint Request Flooding; Call Controller Flooding; Request Looping; Directory Service Flooding; Request flooding; Spoofed messages; Call redirection; Fake Call Response]

VoIP-specific attacks (i.e. floods of specially crafted SIP messages) may result in DoS for many VoIP-aware devices. For example, SIP phone endpoints may freeze and crash when attempting to process a high rate of packet traffic. SIP proxy servers also may experience failure and intermittent log discrepancies with a VoIP-specific signaling attack of less than 1 Mb/sec. In general, the packet rate of the attack may have more impact than the bandwidth: a high packet rate may result in a denial of service even if the bandwidth consumed is low.

III. SIP VoIP Networks

SIP is the IETF-specified protocol for initiating a two-way communication session. It is considered by some to be simpler than H.323. SIP is a text-based, application-level protocol, meaning that it can be carried by TCP, UDP, or SCTP. UDP may be used to decrease overhead and increase speed and efficiency, or TCP may be used if SSL/TLS is incorporated for security services. Unlike H.323, only one port is used in SIP, with the default value 5060. A SIP network is made up of end points, a proxy and/or redirect server, location server, and registrar [4].

Fig. 2 SIP Topological Elements: SIP Proxy server where both phones need to register prior to conversation, and a location server that resolves/stores the identities of the participants. Note that call invitations are sent between Proxies, not phones, and that the voice traffic, sent after a call is established, does not concern Proxies.
[Diagram labels: RTP/voice traffic; VoIP Phone 1; VoIP Phone 2; Location server; Register; SIP Proxy server; Send Call to Destination SIP Proxy server]
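Because the RTP voice stream runs directly between the phones rather than through the proxies, a stateful firewall on the path has to read the media address and port out of the SIP signalling itself. The Python code below is an added example, not part of the paper: it assumes the media parameters travel as an SDP offer in the INVITE and an SDP answer in the 200 OK, and the names `media_endpoints`, `PinholeTable`, `sample` and `demo`, as well as the sample messages and addresses, are constructed for illustration.

```python
import re

def media_endpoints(sdp):
    """Return [(ip, port)] for each active RTP stream in an SDP body."""
    session_ip, current, streams = None, None, []
    for line in sdp.splitlines():
        kind, _, value = line.partition("=")
        parts = value.split()
        if kind == "c" and len(parts) >= 3:  # c=IN IP4 <address>
            ip = parts[2].split("/")[0]
            if current is None:
                session_ip = ip  # session-level default
            else:
                current[0] = ip  # media-level override
        elif kind == "m" and len(parts) >= 3 and parts[1].split("/")[0].isdigit():
            # m=<media> <port> <transport> <formats>
            current = [session_ip, int(parts[1].split("/")[0]), parts[2]]
            streams.append(current)
    # Port 0 marks a declined stream; malformed lines were skipped above.
    return [(ip, port) for ip, port, transport in streams
            if ip and port and transport.startswith("RTP/")]

class PinholeTable:
    """Opens RTP paths only for calls whose INVITE was answered with 200 OK."""
    def __init__(self):
        self.offers = {}  # Call-ID -> endpoints offered in the INVITE
        self.open = {}    # Call-ID -> set of (ip, port) currently allowed

    def observe(self, raw):
        """Update state from one SIP message seen on the signalling port."""
        head, _, body = raw.partition("\r\n\r\n")
        start = head.split("\r\n", 1)[0]
        call = re.search(r"^(?:Call-ID|i)[ \t]*:[ \t]*(\S+)", head, re.I | re.M)
        if call is None:
            return
        call_id = call.group(1)
        for_invite = re.search(r"^CSeq[ \t]*:[ \t]*\d+[ \t]+INVITE", head, re.I | re.M)
        if start.startswith("INVITE "):
            self.offers[call_id] = media_endpoints(body)
        elif start.startswith("SIP/2.0 200") and for_invite and call_id in self.offers:
            self.open[call_id] = set(self.offers.pop(call_id) + media_endpoints(body))
        elif start.startswith(("BYE ", "CANCEL ")):
            self.offers.pop(call_id, None)
            self.open.pop(call_id, None)

    def allows(self, dst_ip, dst_port):
        """True if a UDP packet to dst_ip:dst_port belongs to a negotiated stream."""
        return any((dst_ip, dst_port) in eps for eps in self.open.values())

def sample(start, cseq, ip=None, port=None):
    """Constructed message carrying only the headers this example reads."""
    sdp = ""
    if ip:
        sdp = ("v=0\r\no=- 1 1 IN IP4 {0}\r\ns=-\r\nc=IN IP4 {0}\r\nt=0 0\r\n"
               "m=audio {1} RTP/AVP 0\r\n").format(ip, port)
    return ("{0}\r\nCall-ID: constructed-1@192.0.2.10\r\nCSeq: {1}\r\n"
            "Content-Length: {2}\r\n\r\n{3}").format(start, cseq, len(sdp), sdp)

def demo():
    fw, seen = PinholeTable(), []
    fw.observe(sample("INVITE sip:bob@example.org SIP/2.0", "1 INVITE", "192.0.2.10", 49170))
    seen.append(fw.allows("192.0.2.10", 49170))  # offer alone opens nothing
    fw.observe(sample("SIP/2.0 200 OK", "1 INVITE", "192.0.2.20", 3456))
    seen += [fw.allows("192.0.2.10", 49170), fw.allows("192.0.2.20", 3456),
             fw.allows("192.0.2.20", 3458)]      # last port was never negotiated
    fw.observe(sample("BYE sip:bob@example.org SIP/2.0", "2 BYE"))
    seen.append(fw.allows("192.0.2.20", 3456))   # closed again after BYE
    return seen
```
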

In the SIP model [3], [5], a user is not linked to a specific host. The user initially reports their location to a registrar, which may be integrated into a proxy or redirect server. This information is in turn stored in the external location server. Messages from endpoints must be routed through a proxy/redirect server. The proxy server intercepts messages from endpoints, inspects their To: field, contacts the location server to resolve the username into an address and forwards the message along to the appropriate end point or another server. The SIP protocol itself is modeled on the three-way handshake method implemented in TCP. A SIP call monitored with WireShark software is seen in figure 3.

Fig. 3 SIP call steps include requests/responses that follow a TCP three-way handshake

The text encoding of SIP makes it easier to analyze using standard parsing tools such as Perl or lex and yacc, so new requirements must be placed on the firewall in a SIP-based VoIP network. First, firewalls must be stateful and monitor SIP traffic to determine which RTP ports are to be opened and made available to which addresses. The other issues SIP-based VoIP encounters are related to NAT implementations, because of the changes in IP addresses and port numbers from source to destination. Also, firewalls are usually placed on the NAT border as the SIP proxy is normally outside the NAT device, meaning that attacks from within the NAT are very hard to stop.

IV. Test setup configuration

The tests were performed on a SIP-based network, with Asterisk 1.2.12.1 on a Fedora Core 5 Linux OS platform and a Grandstream GXV-3000 Video IP Phone. In order to assess a part of the security issues, especially those coming from exceeding QoS recommendations, we used the PROTOS (Security Testing of Protocol Implementations) test suite [6], which includes syntax testing procedures that aim to stress a SIP server's parser. Being Java-based, it can run on any system, and for the purpose of this test we used a Windows XP machine. This allows sending customized SIP packets in a network, in order to test the behavior of the targeted devices.

The packets sent in the network both had a malformed message body and did not respect the SIP three-way handshake. After the INVITE request and RINGING response, a CANCEL request is sent immediately, followed by an immediate INVITE request. This way the phone would not only have to decode and interpret the message sent, but it would also be faced with a great number of requests. As the calls were sent from a computer behind the firewall, all the hardware equipment was devoid of its protection.

The first network test was to see how a hardware VoIP phone would react to the test packets. The timing diagram below shows one aspect of the modified call structure: as soon as the calling SIP client receives the 180 (RINGING) response, it cancels the call and places another call invitation. Also, the packet's formatting shows the missing fields, as seen in figure 4.

Fig. 4 The hardware VoIP phone received the malformed request and started ringing

The result was that the hardware received the packets and started ringing, and multiple missed calls were listed in the phone's call history. If the number of packets was doubled, the phone not only started ringing, but it indicated multiple on-hold connections. If the number of packets was further increased, no other unexpected behavior was noticed, due perhaps to the lack of computational power on the hardware unit.

Fig. 5 The hardware VoIP phone could no longer process the received requests

The other test concerned two soft phones: X-Lite and SJ-Phone. These phones were exposed to the same badly formatted packets in two configurations: with the firewall on and without a firewall (the second case tries to emulate the situation of the hardware unit, which had no firewall present). With the firewall on, the attacking computer doesn't receive a 180 (Ringing) response, but it continues to execute the same attack sequence. On the target computer there is no call initiated.

Fig. 6 The VoIP softphone did not answer the requests with firewall on

With the firewall off, the softphone detects the incomplete requests and sends a corresponding message. The CANCEL request, which references the transaction to be cancelled, will be invalid as the phone has not yet entered the ringing state.

Fig. 7 The VoIP softphone indicated errors in the requests with firewall off
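The signalling pattern used in the test (requests with missing fields, and an INVITE that is cancelled and re-issued as soon as the phone rings) can be screened for at a proxy or SIP-aware firewall before it reaches a hardware phone. The Python code below is an added example, not code from the paper or from PROTOS: the names `SignallingScreen`, `parse_request`, `sample_request` and `run_sample`, the thresholds and the sample requests are assumptions constructed for illustration, and the mandatory header list is the one given in RFC 3261, section 8.1.1.

```python
from collections import defaultdict, deque

# Header fields every SIP request must carry (RFC 3261, section 8.1.1).
MANDATORY = ("via", "from", "to", "call-id", "cseq", "max-forwards")
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id"}  # compact header names

def parse_request(raw):
    """Return (method, headers) with lower-cased, expanded header names."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            name = name.strip().lower()
            headers[COMPACT.get(name, name)] = value.strip()
    return method, headers

class SignallingScreen:
    """Per-source checks. Thresholds are illustrative assumptions, not from the paper."""
    def __init__(self, window=1.0, max_requests=20, max_churn=3):
        self.window, self.max_requests, self.max_churn = window, max_requests, max_churn
        self.requests = defaultdict(deque)  # source -> timestamps of all requests
        self.churn = defaultdict(deque)     # source -> timestamps of CANCEL-then-INVITE
        self.last = {}                      # source -> last INVITE/CANCEL method seen

    def _count(self, queue, now):
        queue.append(now)                   # sliding window of `self.window` seconds
        while now - queue[0] > self.window:
            queue.popleft()
        return len(queue)

    def check(self, now, source, raw):
        """Return the reasons to drop a request; an empty list means forward it."""
        method, headers = parse_request(raw)
        reasons = []
        missing = [name for name in MANDATORY if name not in headers]
        if missing:
            reasons.append("missing " + ",".join(missing))
        # Count packets, not bytes: small requests at a high rate are the problem.
        if self._count(self.requests[source], now) > self.max_requests:
            reasons.append("request rate")
        # A new INVITE straight after a CANCEL, repeated, is the pattern from the test.
        if method == "INVITE" and self.last.get(source) == "CANCEL":
            if self._count(self.churn[source], now) >= self.max_churn:
                reasons.append("invite/cancel churn")
        if method in ("INVITE", "CANCEL"):
            self.last[source] = method
        return reasons

def sample_request(method, call_no, drop=()):
    """Constructed request; a CANCEL reuses the Call-ID/CSeq number of its INVITE."""
    fields = [("Via", "SIP/2.0/UDP 192.0.2.7:5060;branch=z9hG4bK%d" % call_no),
              ("Max-Forwards", "70"), ("From", "<sip:tester@example.org>;tag=1"),
              ("To", "<sip:phone@example.org>"),
              ("Call-ID", "constructed-%d@192.0.2.7" % call_no),
              ("CSeq", "%d %s" % (call_no, method))]
    head = ["%s sip:phone@example.org SIP/2.0" % method]
    head += ["%s: %s" % (k, v) for k, v in fields if k not in drop]
    return "\r\n".join(head) + "\r\n\r\n"

def run_sample():
    """Screen one request with missing fields, then an INVITE/CANCEL loop at 50 ms."""
    screen = SignallingScreen()
    bad = sample_request("INVITE", 1, drop=("To", "Max-Forwards"))
    verdicts = [screen.check(0.0, "192.0.2.99", bad)]
    for n, method in enumerate(["INVITE", "CANCEL"] * 3 + ["INVITE"]):
        verdicts.append(screen.check(0.05 * n, "192.0.2.7", sample_request(method, n // 2 + 1)))
    return verdicts
```
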

With or without the firewall, both softphones behaved correctly, and neither of them initiated the call or listed any missed calls.

V. Conclusions

VoIP is still an emerging technology, so it is somewhat speculative to develop a complete picture of what a mature worldwide VoIP network will one day look like. Although there are currently many different architectures and protocols to choose from, eventually a dominant standard will emerge. The most obvious of these competing standards are SIP and H.323. SIP is a fast-growing protocol with similarities to current Internet standards such as HTTP.

The test performed revealed that the soft SIP phone successfully managed the attack, even in the case when the firewall was down. This confirms the recommendation of many SIP equipment manufacturers that software and hardware VoIP telephony should be separated. Also, the fact that we used a PC to launch the attack makes the presence of PCs in the same network as the hardware SIP devices a real security problem. Also, the timing of firmware updates for the hardware devices varies from producer to producer, while softphones can be easily upgraded or even replaced with other versions if security problems are discovered.

Another conclusion that results from this test is that DoS attacks on VoIP telephony are not the only threat when it comes to spamming packets in a network. As DoS attacks can prove hard to carry out with full success, it was shown that programs that merely slow the network down or generate random hardware behavior, without needing to bring the network down, can become a problem. Also, the hardware vendor's response may prove not to be fast enough, leading to VoIP downtime and to financial and reputation loss.

As the attacking packets were successfully dropped by the external firewall router, it is also interesting to note that the main security issues come, as is the case in many situations, from within the network, from potentially unwary or ill-intentioned users.
References:

[1] Cisco Whitepaper (2004). Overview of SIP Security. www.cisco.com
[2] Cisco Whitepaper (2006). Security in SIP-Based Networks. www.cisco.com
[3] Rick Kuhn (2004). Voice over Internet Protocol (VOIP) security. National Institute of Standards and Technology, Computer Security Division
[4] O. Abouabdalla and R. Sureswaran (2003). SIP functionality and structure of the protocol. www.qgpop.net/2003fukuoka/papers/a7-3.doc
[5] The Internet Society: Network Working Group (2002). SIP: Session Initiation Protocol. www.ietf.org/rfc/rfc3261.txt
[6] PROTOS - Security Testing of Protocol Implementations (2005). http://www.ee.oulu.fi/research/ouspg/protos/