VoIP Security Presentation

● VoIP Introduction● VoIP Vendors● Security Concerns

– Structural security issues– Implementation security issues

● Security Checklist– Alleviate structural issues– Proper implementation procedures

Agenda

VoIP Introduction● Protocols

– SIP– H323– IAX– SKINNY– MGCP

● Network Setup– ToS/QoS– NAT/STUN

● CODECS– G711u– G729– GSM

● FoIP– T.38– G711u

Major VoIP Vendors● Service Provider/Large Enterprise

– Broadsoft

– Sylantro

– Cisco Call Manager

● Enterprise/Large Business– Cisco Call Manager

– Avaya

– Broadsoft

– Asterisk (Few Vendors)

● Small Business– Cisco CME (Call Manager Express)

– Asterisk (Many Vendors)

VoIP Security Tools● Ethereal (http://www.ethereal.com)

– Packet Sniffer

– RTP Stream Decoder

● Cain (http://www.oxid.it)– ARP spoofing

– Packet Sniffer

– RTP Playback

● SiVuS (http://www.vopsecurity.org/html/tools.html)– VoIP Vulnerability Scanner

– General Purpose VoIP packet generation, spoofing, testing tool.

VoIP Security Concerns● VoIP Protocols and Media Not Encrypted

● No Centralized Username/Password Management

● Many devices configured with default passwords (phones, analog adapters, SIP Accounts, etc)

● VoIP System becomes central point of convergence for Data, Network services, and voice.

● VoIP Depends on unsecured network services (TFTP/FTP)

● Social Engineering Concerns

● VoIP Systems open new line of communication from outside world (PSTN) into network services.

VoIP is not Encrypted● Cisco is one of few vendors currently supporting SRTP

encryption of voice media streams (Call Manager 4.1, SKINNY protocol). It is not enabled by default, and works only with supported phones.

● SRTP is not secured for use across the public internet. The SRTP headers may be exposed, rendering the encryption useless.

● When using VoIP across the public internet use VPN technology to secure your calls.

● Intraoffice VoIP can be secured by using a separate network or VLAN for Voice traffic if SRTP is not available.

SIP/RTP Interception

Demonstration of Call Interception

Default Administration Passwords● VoIP handsets can be locally configured, and

have default administration credentials which are easily found on the internet.

● With these credentials users can change their extension number, codec settings, and much more.

Registration Spoofing● Can Cause effective DoS attack.● Can be used to masquerade as someone else.● Attack performed by reconfiguring a phone to

have the same SIP user id as another phone.● Could be massively applied to redirect all calls

for entire enterprise to a different entity.

No Centralized User Management● No Vendor supports integration to directory services for SIP

user management ( Unless external Radius Authentication is used).

● Some systems may store username/passwords in unencrypted flat files, or unencrypted databases.

● With a SIP username and password, a person can masquerade as someone else.

● Because there is no centralized management, maintenance is difficult. This causes people to use a single username and password for all phones, or use a person's extension number as both username and password.

VoIP Center of Communication● VoIP Systems allow easy integration of multiple

services.● VoIP System must communicate with many

different network services.● This can create a central store of credentials,

which if compromised could grant access to many systems.

VoIP Depends on TFTP/FTP● TFTP and FTP are unencrypted protocols.

● Many VoIP phones use these protocols for automated configuration and software updates.

● A user on the network could upload a bad software load for all of the phones, causing them to crash, lose features, or even cause them to “brick”.

● A malicious user could upload bad configuration files for phones, causing similar problems. Also they could use this means to perform spoofing attacks mentioned earlier.

● Both Polycom and Cisco require that the configuration directory be writeable as they use the directory to upload log information as well as per phone configuration overrides.

Social Engineering with VoIP● Caller ID Spoofing

– Make Called Party think you are someone else

– Attempt to gain information or access that you shouldn't have

● Incoming Call Spoofing– Make Calling Party believe you are someone else

– Gain information you shouldn't have

● Outgoing Call Redirection– If VoIP System is breached, attacker could redirect an outgoing call to

himself to gain information.

New Public Access Avenue● Integrated VoIP Systems open your network to

a new public access mechanism namely the PSTN.

● If Dialplans, IVRs and Menus are not properly implemented, attackers can gain access to private information or system resources.

VoIP Security Solutions

Encrypt VoIP Traffic● Where ever possible encrypt VoIP Traffic with

VPN technologies.● If VoIP is implemented on a corporate LAN use

SRTP if it is available, if not, attempt to segregate VoIP traffic from normal data traffic using either VLANs or a completely separate physical network.

● If Cisco Call Manager is in use, use the latest version that supports encryption, and enable said encryption.

Use Unique Username/Password● Phones should be configured with non-default

administrative passwords.● Enable authentication on SIP accounts.● SIP accounts should use unique usernames

and passwords (not just extension numbers).● Because of the lack of centralized management

this is cumbersome to implement but worth it.

Secure VoIP System● Ensure that VoIP System is not accessible from

public internet.● Use “good” passwords on all accounts on VoIP

System.● All integration with external systems should be

achieved using encrypted protocols and passwords.

● Store as few passwords as possible on VoIP System.

Secure VoIP Configuration● If phone configuration relies on FTP (Polycom) use non-default

username/password for FTP account.

● If phone configuration relies on TFTP you must implement an auditing process of the configuration files.

● Unfortunately, because these protocols are unencrypted, a determined user can gain access to these directories and reconfigure phones pretty much at will using techniques already discussed.

● Internal Firewalls/ACLs should be configured to block telnet and http traffic from reaching voice VLANs or subnets.

Social Engineering Resolution● VoIP Social Engineering is no different from other social

engineering issues already known.● Users need to be trained on proper procedure, and must

not violate procedure based on any “trust” factors that may be introduced.

● Spoofing CallerID and Called Party information with VoIP is very easy. Users must be trained not to trust CallerID.

● VoIP Systems should have security audits often to ensure that the system has not been compromised allowing a malicious user to redirect outbound calls.

Secure All Access Avenues● VoIP Integration projects often open database,

CRM, customer information, or employee information to access from the PSTN.

● All PSTN access routes should be guarded by PINs at the very least. PINs should not be empty or set to a default.

● All configuration menus should be guarded by PINs/passwords.

Questions & Answers

www.singlepointnetworks.com