Meletis Belsis - IMS Security

Meletis Belsis, Information Security Consultant (MPhil / MRes / BSc, C|EH / CCSA / CWSP): IMS Security

Transcript of Meletis Belsis - IMS Security


Presentation Agenda

• IMS Architecture
• IMS Complexity
• IMS Threats
• VoIP Attacks
• The Hacker’s Toolbox
• IMS Security

IMS Architecture

• The IP Multimedia Subsystem (IMS) was initiated by the 3GPP group to allow mobile service providers to extend their services using the TCP/IP protocol.

• IMS was built around TCP/IP version 6. Because most providers currently use TCP/IP version 4, the security features initially proposed cannot be implemented.

• The system was further enhanced by the TISPAN group with the idea of the Next Generation Network (NGN), which extends IMS to allow access through ADSL and land lines.

• Mobile operators will use IMS to offer multimedia services including VoIP and VoD.

IMS Architecture

• IMS architectures use the SIP protocol to exchange signaling messages and the RTP protocol to exchange customer traffic.

• The IMS core is built around a Call Session Control Function (CSCF), which manages user access and allows the distribution of content services.

• User management is performed by the Home Subscriber Server (HSS). The HSS is similar to the HLR in 3G networks.

• The Diameter protocol is used for AAA.

IMS Components

IMS Security Complexity

• Securing an IMS network is complex because:
  • IMS inherits most TCP/IP vulnerabilities.
  • IMS users connect through a number of different access media (e.g. UMTS, ADSL, PSTN).
  • IMS uses SIP and RTP (UDP communication) and thus may not be able to operate on networks that use firewalls. Special proxy techniques like Simple Traversal of UDP through NATs (STUN) need to be applied.
  • Signaling (SIP) and media (RTP) traffic may follow different routes.

IMS Threats

• Denial of Service
  • Flood Attacks
  • BYE Tear Down
  • Registration Reject
  • Hold Attack
  • Call Reject

• Interception Attacks
  • Call Hijacking
  • Registration Hijacking
  • Media Session Hijacking
  • Server Masquerading
  • DNS Poisoning
  • Caller ID Spoofing
  • VoIP VLAN Hopping
  • ARP Spoofing
  • SIP Injection
  • Session Modification

• Social Attacks
  • SPIT

• Fraud Attacks

VoIP Threats

• VoIP Platform Vulnerabilities
  • CAN-2004-0056: Malformed H.323 packet to exploit Nortel BCM vulnerabilities
  • CAN-2004-0054: Exploits the Cisco IOS H.323 implementation
  • CVE-2007-4459: Cisco SIP DoS vulnerabilities
  • CVE-2007-6424: Vulnerabilities in the Fonality Trixbox 2.0 PBX products
  • CVE-2007-5361: Vulnerabilities in the Alcatel-Lucent OmniPCX Enterprise Communication Server
  • CVE-2007-5556: Vulnerabilities in the Avaya VoIP handset

Server Masquerading

SIP Injection

The UE’s initial REGISTER request looks like:

REGISTER sip:home1.de SIP/2.0
Authorization: Digest username="[email protected]", realm="home1.de", nonce="", uri="sip:home1.de", response=""

A malicious REGISTER carrying a SQL injection in the username looks like:

REGISTER sip:home1.de SIP/2.0
Authorization: Digest username="[email protected];delete tablesubscriber", realm="home1.de", nonce="", uri="sip:home1.de", response=""
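As an added example (not from the slides), the following Python shows how a registrar should treat the username taken from the Authorization header: parse the Digest parameters, reject values outside a SIP user-part allow-list, and bind the value as a query parameter so that a username like the one above can never reach the subscriber table as SQL. The messages, the in-memory subscriber table and all names are constructed assumptions, and digest response verification is deliberately omitted.

```python
import re
import sqlite3

# Added example: how a registrar should treat the username taken from a SIP
# REGISTER's Authorization header. Messages, table and names are constructed.
SIP_USER_RE = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+$")   # allow-list
DIGEST_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_digest(msg: str) -> dict:
    """Return the name/value parameters of the Authorization: Digest header."""
    for line in msg.split("\r\n"):
        if line.lower().startswith("authorization: digest"):
            return dict(DIGEST_PARAM_RE.findall(line))
    raise ValueError("no Digest Authorization header")

def username_is_safe(username: str) -> bool:
    """True only for a plain user@domain; ';', quotes and spaces are rejected."""
    return bool(SIP_USER_RE.match(username))

def lookup_subscriber(conn, username):
    """Parameterised query: the username is bound as data, never spliced into SQL."""
    row = conn.execute("SELECT realm FROM subscriber WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None

def handle_register(conn, msg):
    """Reject bad usernames before any database access (digest check omitted)."""
    params = parse_digest(msg)
    user = params.get("username", "")
    if not username_is_safe(user):
        return "403 Forbidden"
    if lookup_subscriber(conn, user) != params.get("realm"):
        return "401 Unauthorized"
    return "200 OK"

def demo_db():
    """Constructed in-memory stand-in for the HSS subscriber table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscriber (username TEXT PRIMARY KEY, realm TEXT)")
    conn.execute("INSERT INTO subscriber VALUES ('alice@home1.de', 'home1.de')")
    return conn

BENIGN = ('REGISTER sip:home1.de SIP/2.0\r\n'
          'Authorization: Digest username="alice@home1.de", realm="home1.de", '
          'nonce="", uri="sip:home1.de", response=""\r\n\r\n')
INJECTED = BENIGN.replace('username="alice@home1.de"',
                          'username="alice@home1.de;delete tablesubscriber"')

if __name__ == "__main__":
    db = demo_db()
    print(handle_register(db, BENIGN), handle_register(db, INJECTED))
```

The allow-list is the first line of defence; the bound parameter is the second, so the subscriber table survives even if the first check were ever bypassed.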

Hacker’s Toolbox

• Oreka: a cross-platform system for recording and retrieving audio streams
• rtpBreak: detects, reconstructs and analyzes any RTP session through heuristics over the UDP network traffic
• SIPCrack: a SIP protocol login cracker
• SiVuS: a SIP vulnerability scanner
• BYE Teardown: disconnects an active VoIP conversation by spoofing the SIP BYE message from the receiving party
• SipRogue: a multifunctional SIP proxy that can be inserted between two talking parties
• RTPInject: an attack tool that injects arbitrary audio into established RTP connections
• TFTP Cracker: a tool to attack VoIP endpoints and copy their configuration through TFTP
• ILTY (I am Listening to You): a multi-channel VoIP sniffer
• Registration Adder: a tool that allows fake registrations to be sent

Hacker’s Toolbox

RTPInject / SiVuS Scanner

IMS Countermeasures

• Encryption: the original standard proposed the use of the IPsec protocol in a hop-by-hop deployment. The TLS protocol can also be used to encrypt the SIP messages exchanged between the nodes.

• Firewalls: ensure that VoIP components (i.e. SIP proxy, DNS, DHCP, RADIUS) are logically located behind Session Border Controllers (SBCs). SBCs provide firewalling capabilities while bypassing NAT problems. Traditional firewalls can be used to build DMZ zones for IP-based systems (i.e. DNS, RADIUS).

IMS Countermeasures

• Management: avoid using weak management protocols like TFTP, Telnet and SNMP version 2.

• Security Gateways (SEGs): SEGs must be deployed at the edge of an IMS. These create a Network Security Domain (NDS) which protects the IMS core from other IMS networks.

• Antivirus: deploy hardware antivirus appliances at the customer edge.

IMS Countermeasures

• Hardening the network environment
  • Enforce security at the network equipment:
    • Port security
    • DHCP snooping
    • Receive access lists
    • Enable MAC filtering
    • Define the maximum number of MAC addresses per port
    • Use egress and ingress filtering on all border routers
    • Apply DoS protection techniques at the edge (e.g. black holing)
    • Use dedicated management VLANs on the IMS core
    • BGP and routing security
  • Use AAA on all IMS infrastructure systems
  • Harden the OS of the platforms used:
    • Restrict DNS zone transfers
    • IP-to-MAC mappings on DHCP
    • Apply security patches / updates
    • Disable Telnet and/or r-utilities

IMS Countermeasures

• IDS/IPS
  • SIP-aware IDS / IPS
  • Host-based IDS/IPS at the application servers

• VoIP Honeypots
  • VoIP phones
  • Fake SIP proxies
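To make the SIP-aware IDS idea concrete, here is an added example (not from the slides) of detection logic run over a constructed signaling log. It flags two of the DoS patterns listed earlier: a BYE sent by an address that was not a party to the dialog (BYE tear down) and REGISTER floods from one source. The log format, addresses and thresholds are assumptions made for the example.

```python
from collections import defaultdict

# Added example: SIP-aware detection logic over a constructed signaling log.
# Line format: "<seconds> <src_ip> <dst_ip> <method> <call_id>". It flags two
# DoS patterns from the slides: third-party BYE teardown and REGISTER floods.
LOG = """\
0.0 10.0.0.5 10.0.0.6 INVITE c1
0.2 10.0.0.9 10.0.0.6 INVITE c2
1.0 10.0.0.6 10.0.0.5 BYE c1
1.5 10.0.0.7 10.0.0.6 BYE c2
2.0 10.0.0.7 10.0.0.6 BYE c3
3.0 10.0.0.8 10.0.0.6 REGISTER r1
3.1 10.0.0.8 10.0.0.6 REGISTER r2
3.2 10.0.0.8 10.0.0.6 REGISTER r3
3.3 10.0.0.8 10.0.0.6 REGISTER r4
5.0 10.0.0.5 10.0.0.6 REGISTER r5
"""

def parse_log(text):
    """Parse the constructed log into (time, src, dst, method, call_id) tuples."""
    events = []
    for line in text.splitlines():
        t, src, dst, method, call_id = line.split()
        events.append((float(t), src, dst, method, call_id))
    return events

def find_third_party_bye(events):
    """A BYE is suspicious when its source was not a party to the dialog's INVITE.
    The callee-originated BYE for c1 is legitimate; c2 and c3 come from a third host."""
    parties = defaultdict(set)
    alerts = []
    for t, src, dst, method, call_id in events:
        if method == "INVITE":
            parties[call_id].update((src, dst))
        elif method == "BYE" and src not in parties[call_id]:
            alerts.append((t, src, call_id))
    return alerts

def find_register_floods(events, window=1.0, threshold=3):
    """Sources sending more than `threshold` REGISTERs inside a sliding time window."""
    recent = defaultdict(list)
    flagged = set()
    for t, src, _dst, method, _cid in events:
        if method != "REGISTER":
            continue
        recent[src] = [x for x in recent[src] if t - x <= window] + [t]
        if len(recent[src]) > threshold:
            flagged.add(src)
    return flagged
```

Address-based dialog ownership is a minimal heuristic: a production SIP IDS would also compare the Call-ID with the From/To tags and Via chain of the original INVITE before raising an alert.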

Questions?

Meletis Belsis