The poor state of SIP endpoint security

Similar documents
Carrier-grade VoIP platform with Kamailio at 1&1

History of xser/kamailio at 1&1

Scaling Location Services with Kamailio Henning Westerholt, Marius Zbihlei Kamailio Project

Troubleshooting Converged Enterprise Networks

Carrier grade VoIP systems with Kamailio

MEET THE FUTURE TODAY WITH NEXT GENERATION TECHNOLOGY. Your mall is now powered by Fibre - move to high-speed connectivity today.

HIGH QUALITY TELEPHONY USING A FAIL-SAFE MEDIA RELAY SETUP. Pawel Kuzak VoIP Backend Development

An Introduction to the Max PVN

Modern IP Communication bears risks

System Structure. Steven M. Bellovin December 14,

FRITZ! Up Your Business

10 FOCUS AREAS FOR BREACH PREVENTION

The tale of one thousand and one ADSL modems

Designing a System. We have lots of tools Tools are rarely interesting by themselves Let s design a system... Steven M. Bellovin April 10,

Step 3 - How to Configure Basic System Settings

Recommendations for Device Provisioning Security

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

The DNS of Things. A. 2001:19b8:10 1:2::f5f5:1d Q. WHERE IS Peter Silva Sr. Technical Marketing

Minfy MS Workloads Use Case

Communications Transformations 2: Steps to Integrate SIP Trunk into the Enterprise

The Problem with Privileged Users

Voice Modernization for Contact Centers

Media-Ready Network Transcript

Changing the Voice of

Application Note 3Com VCX Connect with SIP Trunking - Configuration Guide

WHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution

The Future of Network Infrastructure & Management

Germany - Telecoms, Mobile, Broadband and Digital Media - Statistics and Analyses. German telecom sector ambitious for gigabit society by 2025

Minfy MS Workloads Use Case

EBOOK 4 TIPS FOR STRENGTHENING THE SECURITY OF YOUR VPN ACCESS

DATA SHEET HIGHTLIGHTS Deploying a Single System to Manage All Devices and Services Implementing Service Assurance

Data Retrieval Firm Boosts Productivity while Protecting Customer Data

Transform your network and your customer experience. Introducing SD-WAN Concierge

Application Note Asterisk BE with SIP Trunking - Configuration Guide

Secure your Web Applications with AWS WAF & AWS Shield. James Chiang ( 蔣宗恩 ) AWS Solution Architect

EV CHARGING: MAPPING OUT THE CYBER SECURITY THREATS AND SOLUTIONS FOR GRIDS AND CHARGING INFRASTRUCTURE

Mobile TeleSystems (MTS) Converges Fixed and Mobile Telephony

We will divide the many telecom fraud schemes into three broad categories, based on who the fraudsters are targeting. These categories are:

IPv6. Akamai. Faster Forward with IPv6. Eric Lei Cao Head, Network Business Development Greater China Akamai Technologies

Locking down a Hitachi ID Suite server

WHAT YOU NEED TO KNOW BEFORE YOU DEPLOY A HIGH

10 years of SIP. And some lessons along the way. Presented by Tim Bray Technical Director ProVu Communications Ltd

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Transform your network and your customer experience. Introducing SD-WAN Concierge

Unified Communications Express AM

Advanced Threat Hunting:

Technical Bulletin. Toll Fraud Reminder & Update

Document Number. Huawei AR G3 Enterprise Router Channel Sales Guide. Issue V1.0. Date HUAWEI TECHNOLOGIES CO., LTD.

31270 Networking Essentials Focus, Pre-Quiz, and Sample Exam Answers

Symantec VIP Quick Start Guide. Helping your users. Version 1.0. Author Maren Peasley Symantec. All rights reserved.

Ingate Firewall & SIParator Product Training. SIP Trunking Focused

How to Build a Culture of Security

Securing Access to Network Devices

VPN Cloud. Mako s SD-WAN Technology

How to Configure Azure Route Tables (UDR) using Azure Portal and ARM

Presents...NOC-as-a-Service

Contents. Introduction Upgrade your firmware to v Always use strong passwords Secure Web Admin user password...

MigrationWiz Security Overview

Y O UR BUS I N E SS IS ONL Y A S S TR ON G A S YO U R CONNEC T I O N T HE I M P ORTANCE OF R ELI ABLE CO NNECTIVITY W HAT S IN SIDE:

Grandstream Networks, Inc. UCM6100 Security Manual

Are You Avoiding These Top 10 File Transfer Risks?

How to Secure ipads, Tablets and Android Devices for Corporate Use. John Masserini CISO Dow Jones

Five Nightmares for a Telecom

EP502/EP504 IP PBX 1.1 Overview

Choices when it comes to your communications infrastructure A BUYER S GUIDE TO IP-BASED SOLUTIONS

2(&'ÃJOREDOÃFRQIHUHQFHÃRQ WHOHFRPPXQLFDWLRQVÃSROLF\ÃIRUÃWKH GLJLWDOÃHFRQRP\

Virtualizing Managed Business Services for SoHo/SME Leveraging SDN/NFV and vcpe

Release Notes System Software

10 Key Things Your VoIP Firewall Should Do. When voice joins applications and data on your network

CHAPTER. Introduction. Last revised on: February 13, 2008

Application Note Asterisk BE with Remote Phones - Configuration Guide

EXAM - CAS-002. CompTIA Advanced Security Practitioner (CASP) Exam. Buy Full Product.

Allstream NGNSIP Security Recommendations

Cyber Hygiene: Uncool but necessary. Automate Endpoint Patching to Mitigate Security Risks

Redundancy for Corporate Broadband WHITE PAPER

Enabling IPv6 at Comparis.CH. A Case Study Gert Döring, Riyadh, May

The Spoofing/Authentication Threat

IT & DATA SECURITY BREACH PREVENTION

Digitized Engineering Notebook

About The Presentation 11/3/2017. Hacker HiJinx-Human Ways to Steal Data. Who We Are? Ethical Hackers & Security Consultants

10 QUESTIONS TO ASK BEFORE YOU SELECT A SIP TRUNKING PROVIDER

Virtual PBX Product Guide MODEL: SP-250 SP-500 SP-1000 SP-1500 SP-3000

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

The of Passw0rds: Notes from the field

Victra A Verizon Authorized Retailer

Accessing CharityMaster data from another location

Alcatel 7515 Media Gateway. A Compact and Cost-effective NGN Component

Release Notes System Software

Grandstream Networks, Inc. UCM series IP PBX Security Manual

EdgeMarc 250W Network Services Gateway

Release Notes System Software

Three Steps Towards Lync Nirvana

Ken Agress, Senior Consultant PlanNet Consulting, LLC.

VoIP for the Small Business

MyCloud Computing Business computing in the cloud, ready to go in minutes

UNITED INTERNET AG. 6-Month Frankfurt/Main, August 13, 2018

Simplifying the Branch Network

TREND REPORT. Hosted VoIP: What IT Decision-Makers Really Think

MySip.ch. SIP Network Address Translation (NAT) SIP Architecture with NAT Version 1.0 SIEMENS SCHWEIZ AKTIENGESELLSCHAFT

Never Drop a Call With TecInfo SIP Proxy White Paper

Transcription:

The poor state of SIP endpoint security Kamailio World, 03.04.2014 Henning Westerholt Head of IT Operations Access 1

Agenda Introduction Reasons for security issues, motivation for attackers Past security issues in 2013 FritzBox security issue Security process and preparations 2

About me In general Open Source and Linux guy since 2001 Seriously involved in IT since 2003 1&1 Telecommunication AG Since beginning of 2007 as software and system developer Now department lead in IT Operations, responsible for the Access IT systems Kamailio Open Source project Since 2007 involved in the project Developer and member of management board Regularly present on different events Part of the much bigger team that design, build and also operate the services I ll present in this talk 3

1&1 Telecommunication AG More than 6250 employees in the group 2,656 billion revenue in 2013 about 312 Million EBIT Offices in several European and international locations Main development and IT offices in Karlsruhe VoIP development also in Bucharest Five datacenters with over 70.000 Servers in Europe and USA Own global redundant WAN with hundreds of Gbit/s external bandwith Second place w/r to customer base in the German DSL market Other products, but not focus of this talk webhosting, E-Mails, Portal, Advertising Biggest customer growths in 2013 in the mobile area Source: United Internet Financial Reports, Shareholder Statements, http://www.united-internet.de/ 4

VoIP backend at 1&1 Operated mainly with Open Source components Kamailio, Asterisk, MySQL, Puppet, Debian.. One of the biggest deployments out there Data Over three million customers on the platform More than eight Million subscribers Interconnections to Telefonica, Vodafone and QSC and others More then one billion minutes per Month to the PSTN Geographical redundant backend in a load-sharing setup Focus towards small businesses and home users Provides services for ADSL, VDSL, UMTS and LTE customer connections 5

Reasons for CPE security issues (Too) many features in one box IP Routing, Firewall, Application level gateway, QoS.. HTTP Server, FTP Server, UPnP Server, Media Server.. DSL and VoIP User Agent, PBX Server, VoIP Registration Server Competitive Environment Smaller ARPUs, smaller margins Competition over price and features Usually no huge interest or incentive from customer and operators to update Interesting target Good connected to IP and phone network Always on, no or little user monitoring Access to user data and network traffic Usually Outdated software and hardware Huge numbers deployed in the field 6

Past security issues Asus Two security problems reported from researcher in Q3 2013 to manufacturer Rollout not done in time Public in February 2014 Security bugs Login to FTP server without password Internal backup suite cfg files world-readable Remote changes on cfg files Possible attacks Access to all internal traffic Gateway to internal network for further attacks Data access on FTP server Data access on internal backup server Still many routers online with this bug 7

Past security issues D-Link had several issues in the past year Security Bug in the UPnP module Attack with special POST request Remote OS command injection On some devices also remote file execution Possible attack - access to everything possible Security bug with User-Agent handling Access with special UA without password Configuration changes possible Possible attack - Man in the middle over DNS or IP routing changes O2 router issues Security Bug Insecure standard WLAN password Possible attack access to internal WLAN traffic 8

FritzBox Security issue FritzBox used from 1&1 and many other German providers, manufactured from AVM Security bug Access to cfg without password Remote code execution from web sites or HTML email Almost all AVM products affected Possible attacks Access to user credentials Access to internal communication Setup of VPN connection to internal network Attacks seen Fraud with stolen user credentials, several hundred thousand euro damage at a regional telecommunication provider Fraud with telephony accounts setup on local FritzBox Several fraud cases also at 1&1 9

FritzBox Security issue development Extension in attack vector over time First only CPEs with activated remote management Later most of the CPEs Later again all CPEs and also WLAN and Powerline adapters Increasing publicity of the issue First week of February reports in IT smaller news sources Second week in February reports in major IT news sources Third week in February reports in the television and major newspapers First week in March public exploit in news Increasing effort in incident response Due to extensions in attack vector Increasing risks due the publicity of the bug Increasing customer communication requirements 10

FritzBox Bug Incident measures Security incident for tracking of all tasks inside the company Coordination of internal and external communication Information to management Publishing of updates for all affected hardware in short time from AVM Update of all firmware software in a few weeks Rollout of updates with automatic provisioning processes Monitor process closely, optimize if necessary Changes of password for affected services automatically or by customer information Customer information expensive and not really effective Closely monitor fraud volume and vectors fast development of counter measures Work with local law enforcement Proactively blocking of expensive destinations 11

How to prepare Have established incident processes involving all important company parts You don t want to work on the basic infrastructure when something bad happens Maintain a close relationship with your CPE vendor E.g. with regular telephone conferences and technical discussion Ask your vendor for security evaluations including source code review Most of the mentioned security bugs were in the input validation domain AVM stated that four independent companies did not found the issue Enforce the usage of TR.69 for all of your customers To enable automatic firmware rollouts and password changes Secure default configuration External admin access disabled UPnP or other media server restricted to local network Random WLAN password User generated password for admin access 12

How to prepare Have resources in place for preparation and executing the rollout Firmware needs to be tested Fast firmware rollout generates a lot of load on the systems Some boxes will also break during rollout Think about the whole process You have updated your boxed in the field, what about the ones in stock? Prepare your management It will get expensive and block many other projects Prepare your customer communication Work closely with the CPE vendor Prepare boxes replacement policies Customers will get nervous about this issue from media report and flood Hotline and also social media channels 13

How to prepare Have real-time monitoring and fraud alarming tools On a weekend a lot of damage can be done You want to improve your tools, not develop them during an attack Don t re-use service credentials for user visible services They are much harder to change Don t overload your infrastructure or people with the unusual requirements Databases or firmware download hosts On-call services and testing resources Protect your backend Overload protection on edge servers Brute force protection on application server 14

Summary Attackers only get better over time, so expect more CPE issues in the future Most big security issues starts small, so try to catch the attackers early Learn from past attacks and think about your available processes and tools Choose a serious CPE vendor, establish a good relationship and stay there Risks from bad incident handling are usually much higher that attack risks Don t panic 15

Thanks for your attention! Questions? 16

Contact Henning Westerholt hw@kamailio.org Looking for a job? VoIP Backend Developer for Kamailio and Asterisk System Administrator for VoIP and DSL More information from me or at http://jobs.1und1.de/ License of this slides http://creativecommons.org/licenses/by-nc-nd/3.0 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback