A Taxonomy of VoIP Security Threats An outline of the ... · A Taxonomy of VoIP Security Threats An...
Transcript of A Taxonomy of VoIP Security Threats An outline of the ... · A Taxonomy of VoIP Security Threats An...
A Taxonomy of VoIP Security Threats
An outline of the security threats that face SIP based VoIP and other real-time applications
Peter CoxCTO Borderware Technologies Inc
© Copyright 2007 BorderWare Technologies Inc. All Rights Reserved.
VoIP Security Threats
VoIP Applications Run over IP Networks
Network Level Threats, in common with all IP applicationsApplication and Protocol specific threatsContent Related Threats
Network Level
Application & Protocol
Content
© Copyright 2007 BorderWare Technologies Inc. All Rights Reserved.
Network Level Threats
Threats propagated via low-level protocols, IP and TCP/UDP
Malformed packet attacksFlooding attacks, including connection floodingDenial of Service AttacksBuffer overflow attacks
ConsequencesFull or partial service lossLoss of system control
© Copyright 2007 BorderWare Technologies Inc. All Rights Reserved.
Application and Protocol Threats
VoIP applications use a mix of standards based and proprietary protocols including:
H.323 Legacy protocol used in Microsoft’s NetMeeting and in some commercial VoIP productsSkinny, Cisco proprietary protocol, used by Call ManagerSkype, proprietary protocol designed to use a number of transports to find a way through FirewallsSession Initiation Protocol, emerging as the Internet Standard
• Implemented in new products• Implemented in virtually all legacy products for interoperability• Scope is much wider than VoIP
© Copyright 2007 BorderWare Technologies Inc. All Rights Reserved.
Session Initiation Protocol (SIP)
A relatively new protocol (first proposed March 1999)Designed to support Internetbased real-time messaging
• Voice Telephony (VoIP)• Video Conferencing• Instant Messaging
Many of these services already exist as regular telecommunications applicationsThe First time a major new Internet protocol has emerged to drive existing applications
Real-time messaging, existing service concept
SIP1999
Web, new service concept
HTTP1991
Email, new service concept
SMTP1982
ApplicationProtocolDate
© Copyright 2007 BorderWare Technologies Inc. All Rights Reserved.
What role does SIP Play
SIP is responsible primarily for session controlDevice registration, Call setupCall terminationAdvanced features such as call transferVoIP and Video conferencing use other protocols for call data, typically RTP (real-time transport protocol)Call data parameters negotiated via SDP (Session Description Protocol)Instant Messaging and related services use SIP directly for message transfer
© Copyright 2007 BorderWare Technologies Inc. All Rights Reserved.
SIP Network Components
SIP Application Server, Proxy Server, IP-PBX, Soft-switch• Routes calls, holds local user database• Equivalent to the Private Branch Exchange (Telephone switch)
SIP phones, User agents (UA)• Hardware phones• Softphones
UA’s REGISTER with the IP-PBXCalls established with INVITE requests
IP-PBX
UA
UA
UA
REGISTER
REGISTER
REGISTER
INVITE
INVITE
© Copyright 2007 BorderWare Technologies Inc. All Rights Reserved.
SIP Protocol Details
Text based protocol, similar to Web (HTTP) and Email (SMTP) protocolsShares many of the same security risks and vulnerabilitiesEasy to monitor/spoof
REGISTER sip:sip.borderware.co.uk SIP/2.0Via: SIP/2.0/UDP 192.168.19.12:5060;branch=z9hG4bK927ec13a8c04928Max-Forwards: 70To: <sip:[email protected]>From: <sip:[email protected]>;tag=9600645Call-ID: [email protected]: 20482 REGISTERContact: <sip:[email protected]>User-Agent: SIP desktop phoneContent-Length: 0
© Copyright 2007 BorderWare Technologies Inc. All Rights Reserved.
Registration Attacks (Protocol Level)
Denial of Service AttacksRegistration flooding (PBX can’t make or accept calls)De-registration attacks (device can’t receive calls)
Attacks possible because ofOptional authentication serviceNo automatic message verification
REGISTER sip:borderware.co.uk SIP/2.0Expires: 3600
REGISTER sip:borderware.co.uk SIP/2.0Expires: 0
© Copyright 2007 BorderWare Technologies Inc. All Rights Reserved.
Unlawful Session Intercept (Protocol Level)
Unauthorised device registration and eavesdroppingAttacker registers additional devices under user’s SIP URLCalls to user also received by attacker
REGISTER
REGISTER
INVITE INVITE
INVITE
© Copyright 2007 BorderWare Technologies Inc. All Rights Reserved.
BYE Attack, Call Termination (Protocol Level)
SIP Calls Terminated with a “BYE” messageOriginating from a call participantOriginating from the IP-PBX or AdministratorAn unauthorised “BYE” will prematurely terminate the call3 Vulnerability Points:
INVITE INVITE
BYEBYEBYE
© Copyright 2007 BorderWare Technologies Inc. All Rights Reserved.
Dissecting a Bye Attack (1)
Call from PBX to Extension 413
Normal Termination
PBXExtn 413
BYE
BYE sip:[email protected]:5060 SIP/2.0Via: SIP/2.0/UDP 192.168.4.28:5060;branch=z9hG4bK28107c34;rportFrom: "Sales Desk" <sip:[email protected]>;tag=as466c284fTo: <sip:[email protected]:5060>;tag=4ab274367f880505i0Call-ID: [email protected]: 103 BYEUser-Agent: Branch Office PBXMax-Forwards: 70Content-Length: 0
© Copyright 2007 BorderWare Technologies Inc. All Rights Reserved.
Dissecting a Bye Attack (2)
Call from PBX to Extension 413
BYE Attack
PBXExtn 413
BYE sip:[email protected] SIP/2.0Via: SIP/2.0/UDP 192.168.4.28:5060;branch=z9hG4bK3028e41aMax-Forwards: 70To: <sip:[email protected]>From: <sip:[email protected]>;tag=e0ae24c56f1952bfi0Call-ID: [email protected]: 102 BYEExpires: 240Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFERContact: <sip:456:6.7.8.9>Content-Length: 0
BYE
© Copyright 2007 BorderWare Technologies Inc. All Rights Reserved.
SIP Protocol Threats, Summary
• Call disruption• Service Degredation
• Call Termination AttackBYE
• Confidentiality breach• Unauthorised ForwardingREFER
• Loss of service• Denial of Service• Confidentiality breach
• Call Flooding• Call Transfer Attack• Call Intercept
INVITE
• Loss of service• Password compromise• Call disruption
• Registration Flood• Dictionary Attack• DeRegistration Attack
REGISTERConsequencesAttacksSIP Method
© Copyright 2007 BorderWare Technologies Inc. All Rights Reserved.
RTP Protocol Attacks
RTP Carries call media between end-points
Peer-to-PeerVia ServerDefaults to clear-text
IP-PBX
SIP
call-s
etup
SIP call-setup
RTP
RTP
RTPRTP InjectionSend an RTP stream to and end-point Replace or combine with valid stream
© Copyright 2007 BorderWare Technologies Inc. All Rights Reserved.
Content Threats
Threats at the Call Content LevelUnwanted CallsVoIP SpamUnauthorised MonitoringMalicious Payloads (Worms, Viruses)
© Copyright 2007 BorderWare Technologies Inc. All Rights Reserved.
Is VoIP Spam a reality?
The explosion of email spam lagged email growth Spammers need a critical mass of users for Spam to be cost effectiveDon’t wait, even a low level of Spam will make VoIP unusable“Spam, defined as the transmission of bulk unsolicited email, hasbeen a plague on the Internet email system, rendering it nearly useless. Many solutions have been documented and deployed to counter the problem. None of these solutions is ideal. However, one thing is clear: the spam problem would be much less significant had solutions been deployed ubiquitously before the problem became widespread.”
The Session Initiation Protocol (SIP) and Spamhttp://www.ietf.org/internet-drafts/draft-ietf-sipping-spam-03.txt
© Copyright 2007 BorderWare Technologies Inc. All Rights Reserved.
Eavesdropping / Unlawful Monitoring
Monitor and record the call…The old fashioned way using packet sniffers and other tools:
© Copyright 2007 BorderWare Technologies Inc. All Rights Reserved.
Eavesdropping / Unlawful Monitoring
Monitor and record the call…The easy way, point and click wire-tapping from anywhere on the net….
© Copyright 2007 BorderWare Technologies Inc. All Rights Reserved.
0102030405060708090
100
0 20 40 60 80 100
Exploit Ease
Impa
ctThreat Impact
REG Auth Flood
REG Flood
BYECall Flood
Spam
Eavesdropping
Syn Flood
Call Transfer
© Copyright 2007 BorderWare Technologies Inc. All Rights Reserved.
Information Sources
White PapersVoIP Threat LandscapeFar-end NAT TraversalSecuring and Federating VoIP using Encryption
VoIP Threat Demonstration (Podcast)http://www.youtube.com/watch?v=UA1quyLOTdghttp://tinyurl.com/2s42jr
© Copyright 2007 BorderWare Technologies Inc. All Rights Reserved.
VoIP Threat Demonstration
Protocol and ApplicationCall Termination AttackCall FloodingCaller ID Spoofing
ContentVoIP SpamUnauthorised Monitoring
At our vendor booth
PBX
Extn 301 Extn 302
© Copyright 2007 BorderWare Technologies Inc. All Rights Reserved.
Contacts
Stuart [email protected]+44 7855 416126
Peter [email protected]+44 7785 333832
© Copyright 2007 BorderWare Technologies Inc. All Rights Reserved.
Introducing SIPassure
SIP Security gateway for VoIP, Video Conferencing, IM and other applications
Appliance form factorFirewall grade secure operating systemApplication level protection against flooding attacks and call disruptionCall pattern analysis for Spam and malicious call threatsAdvanced reputation services for tracking abuse sourcesSIP TLS encryption, SRTP for RTP encryption and caller/call recipient verificationComprehensive management and auditing Compliancy and policy control including legal call monitoring