VOIP Technology, Security Threats & Countermeasures
Jaydip Sen, Innovation Lab, Tata Consultancy Services, Kolkata
Email: Jaydip.Sen@tcs.com

Migration to the Integrated World
[Diagram: over time, Mobile Voice, Fixed Voice and Data Communications converge into Converged Voice and end-to-end IP solutions.]
What is IP (Internet Protocol)?
- IP is the language that computers use to communicate over the Internet
- IP is the transmission mode that is expected to be used in the future for both voice and data
- IP enables today's services to be implemented over the same access (e.g. telephony and Internet access)
- IP enables multiple services to share the one network

Broadband (IP) Telephony
- Broadband telephony is speech/voice that is packaged and transmitted partly or entirely over IP-based networks
- The concept of broadband telephony is the sum of:
  - Voice over IP
  - Internet telephony
  - Related value-added services
- Full-featured broadband telephony uses IP technology both for voice transmission and for value-added services
- Broadband telephony is in the first place a follow-on product of data communications solutions
- Broadband telephony requires a broadband connection
Evolution of Voice Telephony Products
[Diagram: fixed access evolves from Analog (AGF) to Digital (AXE) to IP (Broadband telephony); mobile access evolves from Analog (NMT) to Digital (GSM) to IP (GPRS, 3G).]

Convergence of Fixed and Mobile Voice
[Diagram, labels kept:]
- POTS = access line
- VOIP = SIP server account
- Mobile = HLR account
- VOIP SIP client = SIM card
- IP coverage / Radio coverage
- All devices can or will be wireless
Prerequisites, Business Model, Time Frame
- Prerequisites
  - Broadband penetration
  - Established standards
  - Customer needs
- Business model
  - IP will generate a new logic over time
  - Start from where you are: convergence may be the best of both worlds
- Time frame
  - It may be a long time before IP takes over completely

Broadband vs. Conventional Telephony
- Reliability
  - Prioritization of voice packets
  - Combining different networks
- Power dependency: broadband telephony doesn't work if the power is off at the customer
- Ability to reach alarm numbers
  - Position information
- Standards
  - Terminals
  - Services/networks
Business People Need Integrated Services
- Communicate with other people: telephone, voice-mail, e-mail, SMS, MMS
- Plan and organize your work: telephone, calendar, contacts, e-mail
- Do business: telephone, e-business, CRM, supply chain management
- Stay informed: telephone, web search, news
- Collaborate with other people: telephone meeting, video meeting, e-meeting, project management tools

The VOIP Funnel (Business Customers)
[Diagram, 2002-2006 timeline: Lab -> First pilots -> Branch office (where to start) -> First full implementations -> Scale up to corporate level -> Full scale. Gating concerns along the way: Business case, Standards, Network management, QoS. Trends: Classic Centrex -> IP Centrex; Classic PBX -> IP PBX.]
Individual Customer Needs
- Connectivity with control
  - Need to be in touch: voice is still the killer application
  - Need to control accessibility: want to be reachable, but need to control access based on user situation
  - Need to stay informed: need to know what is going on around them (e.g. after 9/11, increased need for security)
- Greater capabilities for:
  - Personal telephony
  - Communications
  - Mobility

Broadband Telephony: SIP (Session Initiation Protocol)
- A standard that is establishing itself
- Other parties can provide services
- Functionality
  - Telephony as software in a PC
  - Simple to download
  - Adapter or separate phone required to talk via receiver
  - Personal phone number 0751121441; SIP address 0751121441@telia.com, which can be an email address
- Capabilities
  - Call control
  - Availability information
  - Chat
  - Video calls
What is VoIP?
- A suite of IP-based communications services
- Provides multimedia communications over IP networks
- Based on open IETF and ITU standards
- Operates over any IP network (not just the Internet)
- Utilizes separate paths for signaling and media
- Low-cost alternative to PSTN calling

The Business Value of VoIP
- Cost
  - Toll bypass for on-net calling
  - Reduced network costs
  - Lower move/add/delete (MAD) costs
  - Reduced site preparation time
  - Network convergence
- Functionality
  - Enterprise directory integration
  - Unified Messaging
  - Call center applications
  - Interactive Voice Response (IVR)
  - IP Video
  - Instant Messaging
- Mobility
  - Location services (Find-Me/Follow-Me routing)
  - Wider array of service providers
  - Ubiquitous access

PSTN vs VoIP
- Public Switched Telephone Network (PSTN)
  - SS7 signaling protocol
  - Circuit-switched network (ATM/Frame Relay)
  - Expensive infrastructure
  - Reliable quality
- Voice over IP (VoIP)
  - SIP, H.323, SCCP, MGCP, or MegaCo signaling protocol
  - RTP media protocol
  - Packet-switched network
  - Converged infrastructure
  - Unreliable quality
VoIP Protocols: SIP (RFC 3261)
- The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol for creating, modifying and terminating sessions with one or more participants.
- Text-based messaging, modeled on HTTP
- Uses URIs to address call-flow components, e.g. sip:rdh@stealthllama.org, sip:robert.hagen@globalcrossing.com
- Example INVITE request (the branch parameter must begin with the RFC 3261 magic cookie z9hG4bK):

    INVITE sip:bob@biloxi.com SIP/2.0
    Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bK776asdhds
    Max-Forwards: 70
    To: Bob <sip:bob@biloxi.com>
    From: Alice <sip:alice@atlanta.com>;tag=1928301774
    Call-ID: a84b4c76e66710@pc33.atlanta.com
    CSeq: 314159 INVITE
    Contact: <sip:alice@pc33.atlanta.com>
    Content-Type: application/sdp
    Content-Length: 142

- Versatile and open, with many applications: voice, video, gaming, instant messages, presence, call control

SIP Methods
- INVITE: creates a session
- BYE: terminates a session
- ACK: acknowledges a final response to an INVITE request
- CANCEL: cancels a pending INVITE request
- REGISTER: binds a public SIP URI to a Contact address
- OPTIONS: queries a server for its capabilities
- SUBSCRIBE: installs a subscription for a resource
- NOTIFY: informs about changes in the state of the resource
- MESSAGE: delivers an instant message
- REFER: used for call transfer, call diversion, etc.
- PRACK: acknowledges a provisional response to an INVITE request
- UPDATE: changes the media description (e.g. SDP) in an existing session
- INFO: transports mid-session information
- PUBLISH: publishes presence information

SIP Components
- User Agents
  - Clients: make requests
  - Servers: accept requests
- Server types
  - Redirect Server
  - Proxy Server
  - Registrar Server
  - Location Server
- Gateways

Session Description Protocol (SDP), IETF RFC 2327
- SDP is intended for describing multimedia sessions for the purposes of session announcement, session invitation, and other forms of multimedia session initiation.
- SDP includes:
  - The type of media (video, audio, etc.)
  - The transport protocol (RTP/UDP/IP, H.320, etc.)
  - The format of the media (H.261 video, MPEG video, etc.)
  - Information needed to receive those media (addresses, ports, formats, etc.)
  - Crypto keys
- Example session description:

    v=0
    o=mhandley 2890844526 2890842807 IN IP4 126.16.64.4
    s=SDP Seminar
    i=A Seminar on the session description protocol
    u=http://www.cs.ucl.ac.uk/staff/m.handley/sdp.03.ps
    e=mjh@isi.edu (Mark Handley)
    c=IN IP4 224.2.17.12/127
    t=2873397496 2873404696
    a=recvonly
    m=audio 49170 RTP/AVP 0
    m=video 51372 RTP/AVP 31
    m=application 32416 udp wb
    a=orient:portrait
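The two slides above show a SIP INVITE and an SDP body as static text. The following Python is an added example, not code from the original deck: it parses a SIP request into request line, headers and body, applies the sanity checks a proxy or IDS would apply first (known method, Content-Length matching the body, Max-Forwards not exhausted), and then pulls the connection address and media lines out of the SDP body. The INVITE reuses the header values quoted on the slide; the SDP body, the 192.0.2.10 address and the function names are constructed for this example.

```python
"""Parse a SIP request and its SDP body (added example, not from the slides)."""
import re
from dataclasses import dataclass, field

# Method names from RFC 3261 and its extensions, as listed on the SIP Methods slide.
SIP_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS", "SUBSCRIBE",
               "NOTIFY", "MESSAGE", "REFER", "PRACK", "UPDATE", "INFO", "PUBLISH"}


@dataclass
class SipRequest:
    method: str
    request_uri: str
    headers: dict = field(default_factory=dict)  # header name (lower-cased) -> value
    body: str = ""


def parse_sip_request(raw: str) -> SipRequest:
    """Split a SIP request into request line, headers and body, with basic sanity checks."""
    head, _, body = raw.partition("\r\n\r\n")          # blank line separates headers from body
    lines = head.split("\r\n")
    m = re.fullmatch(r"([A-Z]+) (\S+) SIP/2\.0", lines[0])
    if not m or m.group(1) not in SIP_METHODS:
        raise ValueError(f"bad request line: {lines[0]!r}")
    req = SipRequest(method=m.group(1), request_uri=m.group(2), body=body)
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        req.headers[name.strip().lower()] = value.strip()
    # Content-Length is the only thing telling a parser where the body ends;
    # a mismatch is either a broken stack or an attempt to confuse the parser.
    if "content-length" in req.headers:
        declared, actual = int(req.headers["content-length"]), len(body.encode())
        if declared != actual:
            raise ValueError(f"Content-Length {declared} does not match body length {actual}")
    if int(req.headers.get("max-forwards", "70")) < 1:
        raise ValueError("Max-Forwards exhausted")
    return req


def lint_request(raw: str) -> str:
    """Return 'ok' or the reason the request was rejected (convenient for logging)."""
    try:
        parse_sip_request(raw)
        return "ok"
    except ValueError as exc:
        return str(exc)


def parse_sdp(sdp: str) -> dict:
    """Extract the connection address and m= lines a media gateway needs from an SDP body."""
    desc = {"media": []}
    for line in sdp.splitlines():
        if len(line) < 2 or line[1] != "=":
            continue                                    # SDP lines are always <type>=<value>
        key, value = line[0], line[2:]
        if key == "c":                                  # c=<nettype> <addrtype> <address>
            desc["connection"] = value.split()[2]
        elif key == "m":                                # m=<media> <port> <proto> <fmt> ...
            media, port, proto, *fmts = value.split()
            desc["media"].append({"type": media, "port": int(port), "proto": proto, "formats": fmts})
    return desc


# Constructed SDP body (192.0.2.10 is a documentation address, not a real endpoint).
SDP_BODY = "\r\n".join([
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 pc33.atlanta.com",
    "s=Session SDP",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0 8",
    "m=video 51372 RTP/AVP 31",
]) + "\r\n"


def build_invite(body: str = SDP_BODY) -> str:
    """Assemble the slide's INVITE with a correct Content-Length for the given body."""
    return "\r\n".join([
        "INVITE sip:bob@biloxi.com SIP/2.0",
        "Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bK776asdhds",
        "Max-Forwards: 70",
        "To: Bob <sip:bob@biloxi.com>",
        "From: Alice <sip:alice@atlanta.com>;tag=1928301774",
        "Call-ID: a84b4c76e66710@pc33.atlanta.com",
        "CSeq: 314159 INVITE",
        "Contact: <sip:alice@pc33.atlanta.com>",
        "Content-Type: application/sdp",
        f"Content-Length: {len(body.encode())}",
    ]) + "\r\n\r\n" + body


if __name__ == "__main__":
    request = parse_sip_request(build_invite())
    print(request.method, request.request_uri, request.headers["call-id"])
    print(parse_sdp(request.body))
```

The Content-Length check matters more than it looks: on a TCP or TLS transport the header is what delimits consecutive messages on the connection, so a stack that trusts a wrong value will mis-frame everything that follows.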
Media Protocols
- RTP (Real-time Transport Protocol), RFC 3550
  - Standardized packet format for delivering audio and video over IP
  - Frequently used in streaming media systems
- CODECs
  - GIPS Enhanced G.711: 8 kHz sampling rate, Voice Activity Detection, variable bit rate
  - G.711: 8 kHz sampling rate, 64 kbps
  - G.729: 8 kHz sampling rate, 8 kbps, Voice Activity Detection
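RTP carries no authentication, so a receiver can only judge a packet by whether it fits the stream it is already receiving. The following Python is an added example, not code from the deck: it decodes the 12-byte fixed RTP header defined in RFC 3550 and then runs a small stream monitor that flags an SSRC or payload-type change mid-stream and wrap-aware sequence-number jumps, which are the symptoms a defender would look for when a second sender appears on a call's media path. The packets, SSRC values and the `RtpStreamMonitor` class are constructed for this example.

```python
"""Decode RTP fixed headers (RFC 3550) and flag stream anomalies. Added example."""
import struct
from dataclasses import dataclass


@dataclass
class RtpHeader:
    version: int
    padding: bool
    extension: bool
    csrc_count: int
    marker: bool
    payload_type: int
    sequence: int
    timestamp: int
    ssrc: int


def parse_rtp(packet: bytes) -> RtpHeader:
    """Decode the 12-byte fixed header; CSRC list and header extensions are not parsed here."""
    if len(packet) < 12:
        raise ValueError("RTP fixed header needs 12 bytes")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    version = b0 >> 6
    if version != 2:
        raise ValueError(f"unsupported RTP version {version}")
    return RtpHeader(version=version, padding=bool(b0 & 0x20), extension=bool(b0 & 0x10),
                     csrc_count=b0 & 0x0F, marker=bool(b1 & 0x80), payload_type=b1 & 0x7F,
                     sequence=seq, timestamp=ts, ssrc=ssrc)


def build_rtp(seq: int, timestamp: int, ssrc: int, payload_type: int = 0,
              marker: bool = False, payload: bytes = b"\x00" * 160) -> bytes:
    """Constructed packet: V=2, no padding/extension/CSRCs, 160 payload bytes (one 20 ms G.711 frame)."""
    b0 = 2 << 6
    b1 = (0x80 if marker else 0) | (payload_type & 0x7F)
    return struct.pack("!BBHII", b0, b1, seq & 0xFFFF, timestamp & 0xFFFFFFFF, ssrc & 0xFFFFFFFF) + payload


def seq_delta(prev: int, cur: int) -> int:
    """Signed distance between two 16-bit sequence numbers, correct across the 65535 -> 0 wrap."""
    return ((cur - prev + 0x8000) & 0xFFFF) - 0x8000


class RtpStreamMonitor:
    """Lock onto the first packet's SSRC/payload type and report packets that do not fit.

    An SSRC change, a payload-type change or a sequence jump beyond max_gap on the
    same 5-tuple is what RTP injection or a competing sender looks like on the wire.
    Packets that fail a check do not advance the expected sequence number.
    """

    def __init__(self, max_gap: int = 50):
        self.ssrc = None
        self.payload_type = None
        self.last_seq = None
        self.max_gap = max_gap
        self.alerts = []

    def observe(self, packet: bytes) -> list:
        h = parse_rtp(packet)
        found = []
        if self.ssrc is None:                           # first packet defines the stream
            self.ssrc, self.payload_type, self.last_seq = h.ssrc, h.payload_type, h.sequence
            return found
        if h.ssrc != self.ssrc:
            found.append(f"ssrc changed {self.ssrc:#x} -> {h.ssrc:#x}")
        if h.payload_type != self.payload_type:
            found.append(f"payload type changed {self.payload_type} -> {h.payload_type}")
        if abs(seq_delta(self.last_seq, h.sequence)) > self.max_gap:
            found.append(f"sequence jump {self.last_seq} -> {h.sequence}")
        if not found:
            self.last_seq = h.sequence
        self.alerts.extend(found)
        return found


if __name__ == "__main__":
    mon = RtpStreamMonitor()
    for pkt in (build_rtp(100, 160000, 0xDEADBEEF), build_rtp(101, 160160, 0xDEADBEEF),
                build_rtp(9000, 160320, 0x1234)):     # third packet is a constructed intruder
        print(mon.observe(pkt))
```

The monitor is deliberately tolerant of small reordering (a negative delta within max_gap is fine) because jitter and loss are normal on a packet network; the slide's point about "unreliable quality" cuts both ways, and a detector that alerts on every lost packet will be ignored. SRTP (covered later in the deck) removes the guesswork by authenticating each packet.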
SIP Call Flow
[Diagram: Alice -> Outbound Proxy -> Inbound Proxy -> Bob]
- INVITE travels from Alice through both proxies to Bob; each proxy answers the previous hop with 100 Trying
- 180 Ringing and then 200 OK travel back along the same path to Alice
- Alice sends ACK, after which RTP voice flows directly between Alice and Bob
- BYE and its 200 OK end the session
- Scenario: Alice calls Bob. Alice: "Is Bob there?" Steve answers Bob's phone: "Sorry, no, can I help you?" Alice: "No. I need Bob. Thanks. Bye."

SIP Standards: a sampling of SIP RFCs
- RFC 3261: Core SIP specification (obsoletes RFC 2543)
- RFC 2327: SDP, Session Description Protocol
- RFC 1889: RTP, Real-time Transport Protocol
- RFC 2326: RTSP, Real-Time Streaming Protocol
- RFC 3262: SIP PRACK method (reliability for 1XX messages)
- RFC 3263: Locating SIP servers (SRV and NAPTR)
- RFC 3264: Offer/answer model for SDP use with SIP
- RFC 3265: SIP event notification (SUBSCRIBE and NOTIFY)
- RFC 3266: IPv6 support in SDP
- RFC 3311: SIP UPDATE method (e.g. changing media)
- RFC 3325: Asserted identity in trusted networks
- RFC 3361: Locating an outbound SIP proxy with DHCP
- RFC 3428: SIP extensions for Instant Messaging
- RFC 3515: SIP REFER method (e.g. call transfer)
Complexities of VOIP Architecture
[Diagram copied from NSA Security Guidance for Deploying IP Telephony Systems, Report Number: I332-016R-2005]

VOIP Security Threats (Robert Wood)
Most Common VOIP Security Mistakes
1. Treating VOIP security the same way as network security
2. Not treating VOIP security the same way as network security
- How it's the same
  - Uses mostly the same protocols
  - Uses mostly the same operating systems
  - Many of the same threats
- How it's different
  - Some unique protocols
  - Traditional security devices (IDS/firewalls) can disrupt service
  - People treat it like the old phone system!
- What we commonly see
  - Segmentation without monitoring
  - Improperly configured systems
  - Little device hardening
  - Little understanding of privacy threats
  - No regular security assessments on the VOIP segment
VOIP Threat Taxonomy
- Social Threats
  - Misrepresentation: identity, authority, rights, content
  - Theft of services
  - Unwanted contact: harassment, extortion, unwanted lawful content (spam and other offensive material)
- Eavesdropping
  - Call pattern tracking
  - Traffic capture
  - Number harvesting
  - Call reconstruction (voice, video, fax, text, voicemail)
- Interception and Modification
  - Call black holing
  - Call rerouting
  - Fax alteration
  - Conversation alteration
  - Conversation degradation
  - Conversation impersonation and hijacking
  - False caller identification
- Service Abuse
- Denial of Service
  - VoIP-specific DoS: request flooding, malformed requests and messages, QoS abuse, spoofed messages, call hijacking
  - Network services DoS
  - Underlying operating system/firmware DoS
  - Distributed DoS (DDoS)
- Physical Intrusion
- Other Disruptions of Service
  - Loss of power
  - Resource exhaustion
  - Performance latency and metrics
Summary of VOIP Risks
- Service disruption or denial of service
- Theft of service or data
- Infrastructure attacks
- Voice SPAM (vishing, mailbox stuffing, unsolicited calling)
- Call hijacking and spoofing
- Call eavesdropping or recording
- Voicemail hacking
- Every other network and system vulnerability not unique to VOIP!

Threat Model for VOIP Systems
[Diagram, layers from bottom to top: Facility/Infrastructure; HW platform and OS; VOIP protocol layer (signaling and transfer protocols); supporting applications layer (configuration databases); VOIP application layer (call manager servers, voice mail, gateway, SBC, firewall, IP phones, fax); the VOIP network and environment around them.]
What are the Threat Vectors?
- OS exploits
- Signaling attacks
- Endpoint admin privilege exploits
- Proxy impersonation
- Real-time Transport Protocol (RTP) attacks
- VoIP wiretapping
- VoWiFi attacks
- DoS attacks
- Spam for Internet Telephony (SPIT)
- IP PBX and telephony server exploits
- Vishing (VoIP phishing)

Who are You Protecting Against?
- Malicious attack
- Unintentional exposure
- Intentional exposure
- Risk is irrelevant of intent
Specialized Hacking Tools
- SIPScan: enumerates SIP interfaces
- TFTPBrute: TFTP directory attacking
- UDP and RTP Flooder: DoS tools
- hping2: TCP session flooding
- Registration Hijacker: tool to take over an H.323 session
- SIVUS: SIP authentication and registration auditor
- Vomit: RTP playback
- VOIP Hopper: IP phone mimicking tool
- LDAPMiner: collects LDAP directory information
- Dsniff: various utilitarian tools (macof and arpspoof)
- Wireshark (Ethereal) / tcpdump: packet capture and protocol analysis

Hardware Can be Guessed (default voicemail greetings identify the system)
- "Your call is being answered by Audix. [USER'S NAME] {is not available... to leave a message wait for the tone, is busy... to leave a message wait for the tone}."
- "[USER'S NAME] {is on the phone, is unavailable}. Please leave your message after the tone. When done, hang up or press the pound key."
- "Record your message at the tone. When you are finished, hang up or hold for more options."
[Diagram slides, titles kept: DDoS Attack; Toll Fraud (hacker sells your company's calling information, your company gets the bill); Call Manager OS; Call Forwarding/Spoofing; Expose Private Conversations; Block Certain Calls (example numbers 555-1212, 999-1213, 987-6543); Log Call Activity; Hijacking/Injection Attack]
Eavesdropping
[Diagram: Alice and Bob signal through the outbound and inbound proxies and exchange RTP; Kevin captures both. What an eavesdropper gets:]
- DTMF intercept
- IM snooping
- Call pattern analysis
- Number harvesting
- Network discovery
- Voice reconstruction
- Fax reconstruction
- Video reconstruction
Spoofing
[Diagram: Alice and Bob are in a call (RTP) set up through the outbound and inbound proxies. Kevin forges a BYE from Alice; the proxies relay it and Bob's side tears the call down while Alice is still talking.]

[Diagram slide: Recording]

Interception
[Diagram: Alice and Bob are in a call. Kevin forges a REFER from Bob; Alice's side answers 202 Accepted, sends INVITE to the referred-to target and BYE to Bob, and the proxies return 200 OK. The call is now anchored where Kevin chose.]
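Both the forged BYE and the forged REFER above work because an in-dialog request is accepted on the strength of headers an eavesdropper can copy. The following Python is an added example, not code from the deck: a proxy-side dialog table that records, for each established dialog, the Call-ID, the From and To tags and the transport address each party used, and then checks every BYE or REFER against them. A request whose tags do not identify the dialog, or which arrives from an address other than the party whose tag it carries, is reported. The addresses, tags and the `DialogTable` class are constructed for this example.

```python
"""Check in-dialog requests (BYE, REFER) against the dialog they claim to act on. Added example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dialog:
    call_id: str
    local_tag: str    # tag chosen by the party that sent the INVITE (From tag)
    remote_tag: str   # tag chosen by the answering party (To tag in its 200 OK)
    caller_addr: str  # transport source address of the INVITE
    callee_addr: str  # transport source address of the 200 OK


def tag_of(header: str) -> str:
    """Return the tag parameter of a From/To header value, or '' if absent."""
    for param in header.split(";")[1:]:
        key, _, value = param.strip().partition("=")
        if key == "tag":
            return value
    return ""


class DialogTable:
    def __init__(self):
        self.dialogs = {}  # Call-ID -> Dialog

    def establish(self, call_id, from_hdr, to_hdr, caller_addr, callee_addr) -> Dialog:
        """Record a dialog once the 200 OK to the INVITE has been seen."""
        d = Dialog(call_id, tag_of(from_hdr), tag_of(to_hdr), caller_addr, callee_addr)
        self.dialogs[call_id] = d
        return d

    def check_in_dialog(self, method: str, headers: dict, src_addr: str) -> list:
        """Return the reasons a request is suspicious; an empty list means it is consistent."""
        reasons = []
        d = self.dialogs.get(headers["call-id"])
        if d is None:
            return [f"{method} for unknown Call-ID {headers['call-id']}"]
        ftag, ttag = tag_of(headers["from"]), tag_of(headers["to"])
        # The sender must own the From tag, so its address must be the one that tag was learned from.
        if ftag == d.local_tag and ttag == d.remote_tag:
            expected = d.caller_addr
        elif ftag == d.remote_tag and ttag == d.local_tag:
            expected = d.callee_addr
        else:
            reasons.append("From/To tags do not match the dialog")
            expected = None
        if expected is not None and src_addr != expected:
            reasons.append(f"{method} from {src_addr}, but that party's address is {expected}")
        return reasons


if __name__ == "__main__":
    table = DialogTable()
    table.establish("a84b4c76e66710@pc33.atlanta.com",
                    "Alice <sip:alice@atlanta.com>;tag=1928301774",
                    "Bob <sip:bob@biloxi.com>;tag=a6c85cf",
                    "192.0.2.10", "198.51.100.20")      # constructed documentation addresses
    bye = {"call-id": "a84b4c76e66710@pc33.atlanta.com",
           "from": "Alice <sip:alice@atlanta.com>;tag=1928301774",
           "to": "Bob <sip:bob@biloxi.com>;tag=a6c85cf"}
    print("genuine BYE:", table.check_in_dialog("BYE", bye, "192.0.2.10"))
    print("forged BYE:", table.check_in_dialog("BYE", bye, "203.0.113.99"))
```

The address comparison is a heuristic: over UDP the source address is itself forgeable, and NAT can legitimately change it. What makes the check robust is pairing it with the countermeasures the deck lists later, Digest authentication or TLS on the signaling path, so that a BYE or REFER has to be proven rather than merely well-formed.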
Key Mitigation Strategies
- Create VOIP-specific security policies
- Segmentation as appropriate
  - Restrict logical network access to critical servers and VoIP call processors
  - Utilize separate VLANs for voice and data
- Device hardening
  - Do not use default passwords
  - Turn off unnecessary services
  - Apply vendor-supplied patches in a timely manner
  - Perform the vendor installation security checklist to harden applications
- Perform security assessments on and against the VOIP infrastructure
- Apply appropriate encryption
- Utilize VoIP-aware firewalls, Intrusion Prevention Systems (IPS) and Session Border Controllers (SBC) when possible
- Utilize end-to-end QoS
- Continue to protect against traditional system attacks (toll fraud, modem security, social networking attacks, etc.)

Security Solutions (Robert Wood)
Network Solutions: Security Policy
Establish a corporate security policy covering:
- Acceptable Use Policy
- Analog/Dial-in/ISDN Line Policy
- Anti-Virus Process
- E-mail Policy (automatic forwarding, usage, retention)
- Ethics Policy
- Password Protection Policy
- Patch Management Process
- Router Security Policy
- Server Security Policy
- Risk Assessment Policy
- VPN Security Policy
- Wireless Security Policy
(Templates: http://www.sans.org/resources/policies/#template; GISFI # 2, Allahabad, September 17, 2010)

Security Solutions: Network
[Diagram: network design by Cisco Systems]
Security Solutions: DoS & DDoS
- Provide redundancy through:
  - Mesh corporate WAN design
  - Utilizing multiple ISPs
  - Fallback PSTN gateway(s)
  - Uninterruptible power supplies
- Negotiate QoS agreements

Security Solutions: Hacking
- Segment networks into separate VLANs
  - Voice network
  - Data network
  - Monitoring and control network
- Maintain VoIP application server updates
  - Call manager server(s)
  - Voicemail server(s)
  - Gateway server(s)
- Install current operating system patches
- Install current application software patches

Security Solutions: Spoofing
- Eliminate unknown devices
  - DHCP Snooping
  - DAI: Dynamic ARP (Address Resolution Protocol) Inspection
  - IP Source Guard
- Eliminate unknown software
  - Digital signatures

Security Solutions: Threats
- Manage and prevent threats via:
  - Stateful firewalls
  - Virus filters
  - Intrusion Detection (NIDS)
  - Intrusion Prevention (HIPS)
- Filter unnecessary ports on:
  - Routers
  - Switches
  - PCs
  - IP telephones
  - Firewalls
Security Solutions: Complete
[Diagram of the complete network design, with legend]
Summary of Countermeasures: Authentication and Encryption
- Digest Authentication
  - Used during UA registration
  - Authenticates the UA to the SIP proxy
  - Similar to HTTP digest from web browser to web server
  - Cannot be used between proxies
- Transport Layer Security (TLS)
  - Used to secure the signaling path
  - Authenticates each endpoint on a link
  - Provides an encrypted path on each link
  - Non-transitive trust
  - Can be used between proxies
  - Requires X.509 certificates
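Digest authentication is the mechanism that stops the forged BYE and REFER earlier in the deck from being accepted on headers alone. The following Python is an added example, not code from the deck: it computes the Digest response a UA sends in a REGISTER (SIP reuses HTTP Digest, RFC 2617, with qop=auth) and a minimal registrar that issues nonces, stores only HA1 rather than the password, verifies responses in constant time, and rejects replays by requiring the nonce-count to increase. The realm, credentials and the `Registrar` class are constructed for this example.

```python
"""SIP Digest authentication (RFC 3261 section 22 reuses HTTP Digest, RFC 2617). Added example."""
import hashlib
import hmac
import os
import time


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def make_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). A server needs only this, never the password."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth") -> str:
    """The 'response' value a client puts in its Authorization header (qop=auth form)."""
    ha1 = make_ha1(username, realm, password)
    ha2 = _md5(f"{method}:{uri}")                      # binds the response to this request
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class Registrar:
    """Minimal registrar: issues nonces, verifies responses, rejects replays and stale nonces."""

    def __init__(self, realm: str, users: dict, nonce_ttl: int = 60):
        self.realm = realm
        self.users = users          # username -> HA1
        self.nonce_ttl = nonce_ttl
        self.nonces = {}            # nonce -> (issued_at, highest nonce-count accepted)

    def challenge(self) -> dict:
        """Parameters for a 401 Unauthorized / WWW-Authenticate header."""
        nonce = os.urandom(16).hex()
        self.nonces[nonce] = (time.time(), 0)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth", "algorithm": "MD5"}

    def verify(self, username, method, uri, nonce, nc, cnonce, response) -> bool:
        entry = self.nonces.get(nonce)
        if entry is None:
            return False                                # nonce never issued, or already expired
        issued, last_nc = entry
        if time.time() - issued > self.nonce_ttl:
            del self.nonces[nonce]
            return False
        if int(nc, 16) <= last_nc:
            return False                                # replayed nonce-count
        ha1 = self.users.get(username)
        if ha1 is None:
            return False
        ha2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
        if not hmac.compare_digest(expected, response):
            return False
        self.nonces[nonce] = (issued, int(nc, 16))      # remember the highest count we accepted
        return True


if __name__ == "__main__":
    registrar = Registrar("atlanta.com", {"alice": make_ha1("alice", "atlanta.com", "s3cret")})
    ch = registrar.challenge()
    resp = digest_response("alice", ch["realm"], "s3cret", "REGISTER", "sip:atlanta.com",
                           ch["nonce"], "00000001", "0a4f113b")
    print("first use:", registrar.verify("alice", "REGISTER", "sip:atlanta.com", ch["nonce"], "00000001", "0a4f113b", resp))
    print("replay:   ", registrar.verify("alice", "REGISTER", "sip:atlanta.com", ch["nonce"], "00000001", "0a4f113b", resp))
```

Because HA2 includes the method and request URI, a captured REGISTER response cannot be reused to authenticate an INVITE or a BYE, which is exactly the property the spoofing slides need. The slide's caveat also follows from the construction: the response is computed from a password shared between the UA and its registrar, so a downstream proxy that does not hold that secret cannot verify it, and proxy-to-proxy trust has to come from TLS instead.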
Summary of Countermeasures: Authentication and Encryption
- Secure RTP (SRTP)
  - Used to secure the media path
  - Provides end-to-end security
  - Requires X.509 certificates
- Zfone (ZRTP)
  - Used to secure the media path
  - Provides end-to-end security
  - IETF draft written by Phil Zimmermann
  - Requires no X.509 certificates
  - Relies on OSI layer 8 (the users themselves) for authorization

Summary of Countermeasures: Physical and Logical Security
- Physical security
  - VoIP equipment in a secured datacenter
  - Lock wiring closet doors
  - VoIP VLANs = good; separate VoIP network = better; separate VoIP network + authentication + encryption = best!
- Logical security
  - CIS Benchmarks applied to all host platforms
  - Regular patching and assessments
  - Network IDS
  - Firewall and NAT protection of gateways and proxies
Conclusion
- VOIP will lead to the convergence of voice and data onto a common infrastructure for wiring, routers and network connectivity. Companies will be able to deploy, manage and maintain one network to serve all communication needs, saving on infrastructure costs and resources.
- With VoIP the Internet becomes the backbone of a company's phone network. This leads to a number of threats: hackers, worms, viruses, DoS attacks.
- The challenge of VoIP security is not new. History has shown that advances and trends in information technology typically outpace the corresponding realistic security requirements. Such requirements are often tackled only after these technologies have been widely adopted and deployed. (Cable Datacom News)

Thank You!