CANTO – 2006
Information Security and Voice over IP (VoIP)
Robert Potvin, CISSP
VP - Strategic Consulting
June 21st, 2006


Copyright Above Security 2006

Voice over IP is popular!

• More VoIP PBXs are now being sold than circuit-switched PBXs

• Businesses are deploying VoIP for all sorts of reasons:

- Security is probably not one of them

Voice over IP security


Why worry about voice security?

• Telephone access is business-critical in almost all organisations

• Confidential information passes over the phones

• Emergency response often involves phone systems (911)

• Long distance fraud (Miami – 10M calls)

• PBX is now in the hands of IT (we used to worry about its security)


2005-2006 VOIP State of the market Report
Major Concerns - Distributed Networking Associates

• Identity Management / Authentication

• Spoofed Voice Server or IP-PBX

• Voice conversation intercepted (LAN, WAN and Internet)

• Increased Toll Fraud

• Availability (DoS)


Security knowledge is being lost

• In the seventies, some people would make long distance calls for free (or bill them to innocent victims) by using blue boxes to inject MF tones during call setup

• In the eighties and nineties, voice networks migrated to digital voice transmission and ISDN-like transport

• One of the less well-known goals of this migration was to separate the control signals from the voice traffic

- If the user has no access to the control channel, the user cannot hack the phone system


So we go back to the seventies

• Many Voice over IP setups mix control and data traffic

• Blue box tone generators get replaced with Ethernet sniffer programs and other PC-based malware

• Same problems, but with a new twist: attacks can be automated


A typical (simplified) VoIP configuration

[Diagram: corporate IP network with two VoIP phones (Cisco IP Phone 7902 series), a VoIP PBX (Cisco Call Manager, Asterisk, etc.), a media gateway, a SIP/H.323 gatekeeper/proxy, a corporate firewall, the Internet, the PSTN, a VoIP gateway and an analog phone]


Let us not forget the previous users

[Diagram: the same VoIP configuration as on the previous slide]


And the un-intended users…

[Diagram: the same VoIP configuration, with a "Crasher" and a "Disgruntled Employee" added: "We Want To Crash The Phone System!"]


There are other un-intended users…

[Diagram: the same VoIP configuration, with a "Spy", a "Curious Employee", a "Trojaned PC" and a "Visitor" added: "We Want To Listen To Phone Calls!"]


And still other un-intended users!

[Diagram: the same VoIP configuration, with two "Freeloader" figures added: "We want to make long-distance phone calls for free!"]


More….

[Diagram: the same VoIP configuration, with a "Phisher", a "Fake IVR" and the Interactive Voice Response system added]

- "I am building a fake copy of the IVR system in order to fool clients into giving out their access numbers and PINs"
- "I am modifying the IVR to say Yes and accept collect calls"


VOIP Threats

• DoS
- Packet and Data Flood
- Endpoint (PIN change)
- QoS
- VLAN

• Theft and Fraud
- Sniffing (eavesdropping)
- Spoofing (MAC, IP, ARP, ANI, etc.)
- Toll and Voicemail (and maybe e-mail) “text to speech”


The Voice over IP protocol landscape

• Several different protocols in use at the same time
- Some are used to communicate call information data (signalling)
- Some transport the actual voice and/or video streams
- Some do both
- Some are standardized, some are proprietary

• And then there are the extensions…
- Multiple competing extensions to the same protocol
- Multiple security extensions to the same protocol

• Wireless integration


Base protocols for IP phones

[Diagram: a VoIP phone (Cisco IP Phone 7902 series), a DHCP server, a TFTP server and an attacker]

- Phone and DHCP server: DHCP request for IP parameters; parameters returned
- Phone and TFTP server: TFTP request for configuration and firmware; config and firmware returned
- Attacker: modified parms, config, and/or firmware
- Attacker goals: modify phone configuration; intercept phone voice traffic
- Protocols: DNS, TFTP, HTTP, SNMP, DHCP, RSVP, SDP, Skinny (Cisco), Skinny over TLS


Issues about base protocols and phones

• Most of these protocols do not have security protection features

• Even if they do, the IP phones typically do not support them

• The phones (depending on brand and model) also have other network vulnerabilities:

- Remote management access to the phone (SNMP), sometimes in read/write, sometimes with a fixed community name
- Remote login access to the phone
- VxWorks debug access to the phone


Network layer 2 attacks: MAC address spoofing

• An attacker's equipment can modify its MAC address at will
- and impersonate other equipment (including phones)

• The attacker can generate many packets with many different source MAC addresses
- this can cause the network to crash
- or allow the attacker to listen to traffic he/she should not be able to access


Network layer 2 attacks: ARP cache poisoning

• ARP is the protocol used to associate Ethernet and IP addresses dynamically

• Supports broadcast and unicast communication methods

• Attacker can use ARP attacks to reroute IP traffic, including voice
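A detection-side illustration of the rerouting risk above, added here and not part of the original slides: a passive monitor that tracks the IP-to-MAC bindings announced in ARP replies and flags a pinned binding being contradicted, a binding that changes, and one MAC claiming several IPs. The observations, addresses and alert names are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of ARP replies as (timestamp, sender_ip, sender_mac).
OBSERVED = [
    (0.0,  "10.0.5.1",  "00:11:22:aa:00:01"),  # voice gateway
    (1.0,  "10.0.5.20", "00:11:22:aa:00:20"),  # IP phone
    (2.0,  "10.0.5.21", "00:11:22:aa:00:21"),  # IP phone
    (30.0, "10.0.5.1",  "00:11:22:aa:00:01"),  # normal refresh
    (61.0, "10.0.5.1",  "de:ad:be:ef:00:99"),  # gateway IP claimed by another MAC
    (61.2, "10.0.5.20", "de:ad:be:ef:00:99"),  # same MAC also claims a phone's IP
]

def detect_arp_anomalies(replies, pinned=None):
    """Return alerts as (timestamp, kind, ip, detail) tuples.

    pinned: optional dict ip -> mac of bindings that must never change
    (gateways, call servers), e.g. taken from an asset inventory.
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    binding = {}                # ip -> last MAC seen for it
    claims = defaultdict(set)   # mac -> every IP it has announced
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in pinned and mac != pinned[ip]:
            alerts.append((ts, "pinned-violation", ip, mac))
        elif ip in binding and binding[ip] != mac:
            alerts.append((ts, "binding-changed", ip, f"{binding[ip]} -> {mac}"))
        claims[mac].add(ip)
        if len(claims[mac]) > 1:
            # One station answering for several IPs is typical of rerouting.
            alerts.append((ts, "mac-claims-many-ips", ip, mac))
        binding[ip] = mac
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_anomalies(OBSERVED, {"10.0.5.1": "00:11:22:aa:00:01"}):
        print(alert)
```

A changed binding also occurs legitimately (replaced handset, reused DHCP lease), so these alerts are leads to correlate with inventory and DHCP logs rather than verdicts.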


Network layer 2 attacks: VLAN boundary crossing

• Virtual LANs are used to group network switch ports into zones
- Communication between VLANs must go over a router or gateway
- Groups of VLANs can be transported over a single physical link between switches on a VLAN trunk

• On some network switches, VLAN trunk setup is automatic
- This feature is enabled by default
- A client system can convince the switch that a user port should become a trunk by sending the right packets to it
- Ports that become trunks make all VLANs accessible by default
- Attackers can use this to access other VLANs
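A configuration audit for the automatic-trunk weakness described above, added as an example and not taken from the original slides: it reads a switch configuration and reports ports where trunk negotiation is still possible or where a trunk carries every VLAN. It assumes Cisco IOS-style syntax (the slide names no vendor); the interface names, VLAN numbers and finding texts are constructed.

```python
import re

# Constructed configuration; Fa0/2 and Gi0/2 show the hardened form,
# the other three ports show the weak settings.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description user port, mode left at platform default
 switchport access vlan 10
!
interface FastEthernet0/2
 description IP phone and PC
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 switchport nonegotiate
!
interface FastEthernet0/3
 switchport mode dynamic desirable
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk allowed vlan 10,110
 switchport nonegotiate
"""

def audit_trunking(config):
    """Map interface name -> list of findings about automatic trunking."""
    findings = {}
    for block in re.split(r"^interface\s+", config, flags=re.M)[1:]:
        name, *lines = [line.strip() for line in block.splitlines()]
        mode = next((l.split("switchport mode ", 1)[1] for l in lines
                     if l.startswith("switchport mode ")), None)
        issues = []
        if mode is None:
            issues.append("no explicit mode: trunk negotiation left at default")
        elif mode.startswith("dynamic"):
            issues.append("dynamic mode: port will negotiate a trunk")
        elif "switchport nonegotiate" not in lines:
            issues.append("negotiation frames not disabled")
        if mode == "trunk" and not any(
                l.startswith("switchport trunk allowed vlan") for l in lines):
            issues.append("trunk carries all VLANs (no allowed-VLAN list)")
        if issues:
            findings[name] = issues
    return findings
```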


VoIP signalling protocol attacks

[Diagram: the same VoIP configuration, with links labelled by signalling protocol: SIP, H.323, SCCP, MGCP]


H.323 protocol components security

• By default, no protection is built into the protocols
- Everything is in cleartext, with nothing signed, no replay protection, etc.
- An attacker with enough access can listen to/alter the messages at will

• Cisco recommends protecting the protocol with IPSEC
- Requires X.509 certificates and public key certificate servers in order to scale

• H.323 transports IP addresses and port numbers in the application stream
- In cleartext, it is already difficult to pass H.323 over NAT gateways
- Forget it once H.323 is encrypted
- Implies the H.323 NAT box must be an endpoint, decrypt the traffic, and re-encrypt it before forwarding


SIP protocol security

• By default, no protection is built into the protocol (like H.323)
- Everything is in cleartext, with nothing signed, no replay protection, etc.
- An attacker with enough access can listen to/alter the messages at will

• SIP can be protected with TLS or IPSEC
- Requires X.509 certificates and public key certificate servers in order to scale

• SIP also transports IP addresses and port numbers in the application stream
- SIP is designed to go over proxies
- It may be difficult to maintain end-to-end security when communicating with points outside the organization


SIP Vulnerabilities

• INVITE
- Vulnerabilities in message exchange between 2 SIP endpoints during call setup

• SIP proxy server
- Cisco

• ASN.1
- Decoding error in SSL implementation (also in H.323)


VoIP transport protocol attacks

[Diagram: the same VoIP configuration, with links labelled RTP/RTCP and RTSP]


Voice transport protocol issues

• RTP (Real Time Protocol) and RTCP (Real Time Control Protocol) are used to transport the actual voice in both H.323 and SIP configurations
- By default, all voice traffic is in cleartext and can be captured with already existing attack tools

• SRTP (Secure Real Time Protocol)
- Can encrypt and authenticate the voice traffic
- Relies on the MIKEY protocol
- Needs an X.509 certificate infrastructure in order to scale


DoS

• TLS Connection Reset
- By sending a crafted packet, you can force a reset on the signalling channel between the phone and the server

• Packet replay
- Out of sequence packets can add delay and degrade QoS

• Services
- DoS on DHCP, DNS, TFTP….

• Wireless
- Jamming


Call Hijacking and/or eavesdropping

• ARP Spoofing
- Duplicate an end-point or a gateway

• Registration (UA)
- Redirect incoming calls

• Proxy
- Intercept SIP messages

• Toll
- Rogue devices can be used to place long distance calls on PSTN

• ANI
- Caller ID spoofing
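A monitoring sketch for the registration item above, added as an example and not part of the original slides: it parses captured SIP REGISTER requests and flags an address-of-record whose Contact binding moves to a new host, or whose Contact host differs from the packet's source address. The messages, names and addresses are constructed; it assumes one Contact per address-of-record and no NAT between phone and registrar.

```python
import re

def _register(aor, contact_host, call_id):
    """Build a constructed REGISTER request for the sample capture."""
    return ("REGISTER sip:pbx.example.com SIP/2.0\r\n"
            f"To: <sip:{aor}>\r\nFrom: <sip:{aor}>;tag=1\r\n"
            f"Call-ID: {call_id}\r\nCSeq: 1 REGISTER\r\n"
            f"Contact: <sip:{aor.split('@')[0]}@{contact_host}:5060>\r\n"
            "Expires: 3600\r\nContent-Length: 0\r\n\r\n")

# Constructed capture as (source_ip, raw_message).
CAPTURED = [
    ("10.0.5.20", _register("alice@example.com", "10.0.5.20", "a1")),
    ("10.0.5.21", _register("bob@example.com", "10.0.5.21", "b1")),
    ("10.0.5.20", _register("alice@example.com", "10.0.5.20", "a2")),  # refresh
    ("10.0.7.66", _register("alice@example.com", "10.0.7.66", "x9")),  # new host
    ("10.0.5.21", _register("bob@example.com", "192.0.2.50", "b2")),   # off-net contact
]

def header(msg, name):
    """Return the value of the first header called `name`, or None."""
    m = re.search(rf"^{name}\s*:\s*(.+?)\r?$", msg, flags=re.M | re.I)
    return m.group(1) if m else None

def check_registrations(captured):
    """Return alerts as (address_of_record, kind, detail) tuples."""
    bindings, alerts = {}, []
    for src_ip, msg in captured:
        to, ct = header(msg, "To"), header(msg, "Contact")
        if not msg.startswith("REGISTER ") or not to or not ct:
            continue
        aor = re.search(r"sip:([^>;]+)", to).group(1).lower()
        contact = re.search(r"sip:(?:[^@>]+@)?([^:;>]+)", ct).group(1)
        if contact != src_ip:
            # Calls for this user would be delivered somewhere other than the sender.
            alerts.append((aor, "contact-differs-from-source", contact))
        if aor in bindings and bindings[aor] != contact:
            alerts.append((aor, "binding-moved", f"{bindings[aor]} -> {contact}"))
        bindings[aor] = contact
    return alerts

if __name__ == "__main__":
    for alert in check_registrations(CAPTURED):
        print(alert)
```

Users who legitimately move between handsets will trigger "binding-moved", so the output is best compared against the expected phone inventory.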


Security Pathway

• Architecture
- Switches, VLANs, NAT and Firewall
- Encryption
- MAC Filtering
- Services (DHCP, TFTP, etc.)

• Hardening
- PBX
- Gateway
- Accounting (call data)
- Voice Mail
- SoftPhones


Security Pathway

• Authentication
- SIPS = HTTPS
- Certificates
- MAC Filtering
- Radius

• Physical security
- PBX, Gateway, etc.
- Switches (heat on Power Over Ethernet)
- Sniffers


Security Pathway

• Logging and Monitoring
- Centralize logs
- Synchronize logs
- IDS
- Vulnerabilities

• Pen-Test often
- External
- Internal
- Wireless


Questions and Contact

Robert Potvin, CISSP

[email protected]

450-430-8166 #2108
