LISTENING BY SPEAKING

Similar documents
Having fun with RTP Who is speaking???

SIP security and the great fun with Firewall / NAT Bernie Höneisen SURA / ViDe, , Atlanta, GA (USA)

Real-Time Communications for the Web. Presentation of paper by:cullen Jennings,Ted Hardie,Magnus Westerlund

FreeSWITCH as a Kickass SBC. Moises Silva Manager, Software Engineering

Just how vulnerable is your phone system? by Sandro Gauci

MySip.ch. SIP Network Address Translation (NAT) SIP Architecture with NAT Version 1.0 SIEMENS SCHWEIZ AKTIENGESELLSCHAFT

SIP and VoIP What is SIP? What s a Control Channel? History of Signaling Channels

Secure Telephony Enabled Middle-box (STEM)

Desktop sharing with the Session Initiation Protocol

Internet Networking recitation #

P2PSIP, ICE, and RTCWeb

Load Balancing FreeSWITCHes

This is a sample chapter of WebRTC: APIs and RTCWEB Protocols of the HTML5 Real-Time Web by Alan B. Johnston and Daniel C. Burnett.

ABC SBC: Secure Peering. FRAFOS GmbH

ICE / TURN / STUN Tutorial

Internet Engineering Task Force (IETF) Request for Comments: 7403 Category: Standards Track November 2014 ISSN:

Firewall Control Proxy

NETWORK INTRUSION. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

CS 161 Computer Security

ARP, IP, TCP, UDP. CS 166: Introduction to Computer Systems Security 4/7/18 ARP, IP, TCP, UDP 1

Reflections on Security Options for the Real-time Transport Protocol Framework. Colin Perkins

Keep Calm and Call On! IBM Sametime Communicate Softphone Made Simple. Frank Altenburg, IBM

Voice over IP. What You Don t Know Can Hurt You. by Darren Bilby

Man In The Middle Project completed by: John Ouimet and Kyle Newman

VoIP Security Threat Analysis

Avaya Port Matrix: Avaya Proprietary Use pursuant to the terms of your signed agreement or Avaya policy.

Ken Agress, Senior Consultant PlanNet Consulting, LLC.

A Multilingual Video Chat System Based on the Service-Oriented Architecture

Janus: a general purpose WebRTC gateway

Analysing Protocol Implementations

ELEC5616 COMPUTER & NETWORK SECURITY

Realtime Multimedia in Presence of Firewalls and Network Address Translation

Modern IP Communication bears risks

Ingate SIParator /Firewall SIP Security for the Enterprise

Firewalls for Secure Unified Communications

Realtime Multimedia in Presence of Firewalls and Network Address Translation. Knut Omang Ifi/Oracle 9 Nov, 2015

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

How to exploit the SIP Digest Leak vulnerability

SIP and MSRP over WebSocket in Kamailio. Peter Dunkley, Technical Director, Crocodile RCS Ltd

RTCWEB Working Group. Media Security: A chat about RTP, SRTP, Security Descriptions, DTLS-SRTP, EKT, the past and the future

TLS for SIP and RTP. OpenWest Conference May 9, Corey zmonkey.org. v Corey Edwards, CC-BY-SA

Janus: back to the future of WebRTC!

Internet Engineering Task Force (IETF) Request for Comments: ISSN: July 2015

Become a WebRTC School Qualified Integrator (WSQI ) supported by the Telecommunications Industry Association (TIA)

Ingate Firewall & SIParator Product Training. SIP Trunking Focused

Instavc White Paper. Future of Enterprise Communication

ABC SBC: Securing the Enterprise. FRAFOS GmbH. Bismarckstr CHIC offices Berlin. Germany.

Unified Communication:

Analysis and Signature of Skype VoIP Session Traffic

ICE: the ultimate way of beating NAT in SIP

Internet Engineering Task Force (IETF) Request for Comments: November 2010

Overview of the Session Initiation Protocol

Studying the Security in VoIP Networks

NAT (NAPT/PAT), STUN, and ICE

CTS2134 Introduction to Networking. Module 08: Network Security

Avaya Port Matrix: Avaya Communicator for Microsoft Lync 6.4. Avaya Proprietary Use pursuant to the terms of your signed agreement or Avaya policy.

Request for Comments: 3959 Category: Standards Track December 2004

Department of Computer Science. Burapha University 6 SIP (I)

Man-In-The-Browser Attacks. Daniel Tomescu

TSIN02 - Internetworking

Internet Technology 4/29/2013

CDCS: a New Case-Based Method for Transparent NAT Traversals of the SIP Protocol

Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues

Network Address Translators (NATs) and NAT Traversal

Virtual Dispersive Networking Spread Spectrum IP

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

SIP AND MSRP OVER WEBSOCKET

Oracle Communications WebRTC Session Controller

Chapter 8 roadmap. Network Security

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

Security and Lawful Intercept In VoIP Networks. Manohar Mahavadi Centillium Communications Inc. Fremont, California

Real-time Communications Security and SDN

Network Address Translation (NAT) Contents. Firewalls. NATs and Firewalls. NATs. What is NAT. Port Ranges. NAT Example

The trace file is here:

OpenScape Business V2

Conducting an IP Telephony Security Assessment

VoipSwitch User Portal for Rich Communiation Suite RCS features, HTML 5, WebRTC powered FOR DESKTOP AND MOBILES

Security for SIP-based VoIP Communications Solutions

Journal of Information, Control and Management Systems, Vol. X, (200X), No.X SIP OVER NAT. Pavel Segeč

Chapter 5. Security Components and Considerations.

APP NOTES TeamLink and Firewall Detect

APP NOTES Onsight Connect Network Requirements

Asterisk 15 Video Conferencing. The new video conferencing functionality in Asterisk 15 and the journey to get there

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

Installation & Configuration Guide Version 4.0

From POTS to VoP2P: Step 1. P2P Voice Applications. Renato Lo Cigno

MonAM ( ) at TUebingen Germany

Allstream NGNSIP Security Recommendations

WebRTC Monitoring and Alerting

Chapter 11: It s a Network. Introduction to Networking

Lecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015

Network Working Group Request for Comments: 4573 Category: Standard Track July MIME Type Registration for RTP Payload Format for H.

Time Synchronization Security using IPsec and MACsec

Inspection for Voice and Video Protocols

Network Address Translation (NAT) Background Material for Overlay Networks Course. Jan, 2013

CyberP3i Course Module Series

Analyze of SIP Messages and Proposal of SIP Routing

Encryption setup for gateways and trunks

CIS 5373 Systems Security

CSC 574 Computer and Network Security. TCP/IP Security

Transcription:

LISTENING BY SPEAKING

(AN UNDER-ESTIMATED SECURITY ATTACK ON MEDIA GATEWAYS AND RTP RELAYS)

ECHO $USER About Sandro Gauci: Behind Enable Security GmbH We do Pentests! VoIP / RTC / Network Infrastructure / Web Application / Software security testing Amongst this audience, I'm known for SIPVicious

ON RTCFUZZ Collaboration between Alfred Farrugia and myself, an Enable Security project In our spare/research time: we have started an internal project called RTC fuzz Making use of fuzzing techniques, i.e. mutated input fed to target code and observing behaviour Using well-known tools like AFL and Radamsa together with our custom tools Reporting back to the community

ON RTCFUZZ So far: PJSIP (2 findings) Asterisk (1 finding separate from PJSIP) FreeSWITCH (1 finding) Kamailio (nothing yet)

ON SIPVICIOUS PRO https://sipvicious.pro Allows you to test I'm about to describe

AGENDA We will explain what this is NOT about Explain the attack itself and how it came about Show what can be done with this attack

AGENDA Explain how it affects traditional media gateways and RTP proxies Touch upon how it applies to WebRTC and SRTP Discuss solutions that we have looked at Give an brief summary our findings in OSS Q&A Weissbeer

PURPOSE This room is full of experts Will not be explaining how RTP works Start a conversation, get feedback and discuss and naturally...

BEFORE WE DESCRIBE THE ATTACK... NO NEED FOR MAN-IN-THE- MIDDLE

(image taken from benthamsgaze blog)

MITM not required

NO MITM REQUIRED Our RTP attack does not require the attacker to be MITM But it can be used to create a man-in-the-middle situation Additionally, it has other security implications for RTC systems

EXPLAINING RTP HIJACK/INJECT/BLEED

ABOUT RTP PROXIES Have the job of defying the limitations of NAT Sometimes also have the bene t of allowing calls to be recorded... or intercepted In various cases, the both of the above are a requirement

HOW DOES IT ACTUALLY WORK? Affected RTP proxies do the following: 1. Listen on ports set in the signaling protocol (e.g. SDP within an INVITE message) 2. Learn about where to send responses by inspecting the incoming RTP traffic 3. Respond to that IP and port, relaying the proxied RTP stream

HOW DOES IT ACTUALLY WORK? From a security perspective, this means: no authentication takes place trust is based on.. not knowing the port? timing?

Normal RTP being proxied from Bob to Alice and back

Simple RTP hijack taking place on Alice's RTP session

WHAT HAPPENS IN THIS CASE? 1. Attacker RTP is injected in the RTP stream 2. Attacker receives the proxied RTP stream The attack has two different security implications

DEMO

0:00 / 5:04

NOTE - THIS IS A WORST CASE SCENARIO In the demo, one RTP packet caused all RTP traffic to be sent to the attacker. In many other cases, the attacker needs to constantly send RTP traffic.

GIVE CREDIT WHERE CREDIT IS DUE Klaus-Peter Junghanns presenting in 2010 27th Chaos Communication Congress

PREVIOUS WORK Presentation in 2010-12-30: Having fun with RTP by Klaus-Peter Junghanns in 2010 @ CCC Olle filed an issue for Asterisk in 2011-09-11: Enable strictrtp by default Last year at Kamailio World I spoke to Mikko Lehto and he mentioned his concern about RTP proxies not checking source IP/port

PREVIOUS WORK Sometime in July last year I started exploring this and started understanding the impact, Found one of our clients who had implemented their own RTP proxy, to be vulnerable Also found the default Debian packaged RTPproxy to be vulnerable Our work, although researched and developed independently from Klaus-Peter Junghanns, is very similar

DOES THIS ATTACK SCALE? i.e. can we attack service providers on a large scale?

SURE attackers can send RTP packets to all ports on the media gateways (like a UDP port scan) whenever the attacker receives RTP responses, starts sending RTP to that particular port SIPVicious PRO supports this by default

DEMO

0:00 / 1:22

WORD OF CAUTION Doing this on live systems will lead to Denial of Service, i.e. all calls will go mute

WHAT ELSE CAN WE DO?

INJECT OUR OWN RTP MEDIA

0:00 / 0:44

WHAT ABOUT WEBRTC AND SRTP? WebRTC does not need traditional RTP proxies thanks to ICE, STUN and TURN but we still found proxying of SRTP in WebRTC anyway if SRTP is in use, the security implications on confidentiality of the voice data (should) become a non-concern seems to be mainly a DoS issue - which in RTC is a major problem

WHAT SOLUTIONS HAVE WE SEEN?

STICK TO WHAT IS ADVERTISED IN SDP Major problem with NAT

LATCHING, TEMPORARY TRUST, PROBATION PERIOD Latching is usually vulnerable to a race condition i.e if the attacker is scanning all the time, he/she will get some of the RTP streams before the victim does

LATCHING AND HANDLING CHANGING IPS When no RTP has been received for a while by trusted IP, allow for change Race condition issue (again), upon each change of IP Possibility to DoS the endpoint (unlikely)

SRTP AS A SOLUTION TO THIS ISSUE It addresses confidentiality Should also address integrity, i.e. injection of RTP traffic introduced by the attacker Does not address the denial-of-service aspect

AUTHENTICATED STUN Is an effective way to authenticate and whitelist IP addresses Seems like IP spoofing might be an interesting vector here If successful, would allow RTP injection

HOW DO OPEN SOURCE RTC SOLUTIONS FARE? RTPproxy 1.2.1-2.2 RTPproxy 2.2.alpha.20160822 (github)

RTPPROXY 1.2.1-2.2

RTPPROXY 2.2.ALPHA.20160822 (GITHUB) Very similar to 1.2.1 in that: race condition exists within the first few seconds

RECAP AND CONCLUDE Vulnerable systems allow: receiving of RTP media injection of RTP media This seems to be a widespread security issue Some of the solutions implemented have their limiations Let us get this security issue sorted

THANKS, APPRECIATION & REFERENCES @kapejod for 27c3: Having fun with RTP and his feedback Alfred for his feedback Daniel for the invitation RFC 7362: Latching: Hosted NAT Traversal (HNT) for Media in Real-Time Communication RFC 3550 RTP: A Transport Protocol for Real-Time Applications

Q&A TIME TO ASK ME THOSE TRICKY QUESTIONS ;-) Test RTP Hijack by getting SIPVicious PRO Beta https://sipvicious.pro sandro@enablesecurity.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback