Title: Cutting Edge VoIP Security Issues Color
1. Voice Over IP Security
David Endler, Director of Security Research, TippingPoint, dendler@tippingpoint.com
Mark D. Collier, Chief Technology Officer, SecureLogix Corporation, mark.collier@securelogix.com
2. Outline
Outline
- Overview
- Gathering Information
  - Footprinting
  - Scanning
  - Enumeration
- Attacking the Network
  - Network Infrastructure Denial of Service
  - Network Eavesdropping
  - Network and Application Interception
3. Outline
Outline
- Attacking Vendor Platforms
  - Avaya
  - Cisco
- Attacking the Application
  - Fuzzing
  - Disruption of Service
  - Signaling and Media Manipulation
- Social Attacks
  - Voice SPAM/SPIT
  - Voice Phishing
4. Introduction
Introduction
- VoIP systems are vulnerable
  - Platforms, networks, and applications are vulnerable
  - VoIP-specific attacks are becoming more common
  - Security isn't always a consideration during deployment
- The threat is increasing
  - VoIP deployment is growing
  - Deployments are critical to business operations
  - Greater integration with the data network
  - More attack tools being published
  - The hacking community is taking notice
5. Gathering Information
Gathering Information
- This is the process a hacker goes through to gather information about your organization and prepare their attack
- Consists of
  - Footprinting
  - Scanning
  - Enumeration
6. Footprinting
Gathering Information / Footprinting
- Steps taken by a hacker to learn about your enterprise before they start the actual attack
- Consists of
  - Public website research
  - Google hacking
7. Public Website Research: Introduction
Gathering Information / Footprinting
- An enterprise website often contains a lot of information that is useful to a hacker
  - Organizational structure and corporate locations
  - Help and technical support
  - Job listings
  - Phone numbers and extensions
8. Public Website Research: Corporate Locations
Gathering Information / Footprinting
9. Public Website Research: Job Listings
Gathering Information / Footprinting
- Job listings can contain a ton of information about the enterprise VoIP system.
- Here is a portion of an actual job listing
  - Required Technical Skills: Minimum 3-5 years experience in the management and implementation of Avaya telephone systems/voicemails
  - Advanced programming knowledge of the Avaya Communication Servers and voicemails.
10. Public Website Research: Phone Numbers
Gathering Information / Footprinting
- Google can be used to find all phone numbers on an enterprise web site
  - Type 111..999-1000..9999 site:www.mcgraw-hill.com
11. Public Website Research: Voice Mail
Gathering Information / Footprinting
- By calling into some of these numbers, you can listen to the voice mail system and determine the vendor
- Check out our voice mail hacking database at
  - www.hackingvoip.com
12. Public Website Research: Countermeasures
Gathering Information / Footprinting
- It is difficult to control what is on your enterprise website, but it is a good idea to be aware of what is on it
- Try to limit the amount of detail in job postings
- Remove technical detail from help desk web pages
13. Google Hacking: Introduction
Gathering Information / Footprinting
- Google is incredibly good at finding details on the web
  - Vendor press releases and case studies
  - Resumes of VoIP personnel
  - Mailing lists and user group postings
  - Web-based VoIP logins
14. Google Hacking
Gathering Information / Footprinting
- Vendors and enterprises may post press releases and case studies
  - Type site:avaya.com case study or site:avaya.com company
- Users place resumes on the Internet when searching for jobs
  - Search Monster for resumes of company employees
- Mailing lists and user group postings
  - www.inuaa.org
  - www.innua.org
  - forums.cisco.com
  - forums.digium.com
15. Google Hacking: Web-Based VoIP Logins
Gathering Information / Footprinting
- Use Google to search for
  - Type inurl:ccmuser/logon.asp
  - Type inurl:ccmuser/logon.asp site:example.com
  - Type inurl:NetworkConfiguration cisco
16. Google Hacking: Countermeasures
Gathering Information / Footprinting
- Determine what your exposure is
- Be sure to remove any VoIP phones which are visible to the Internet
- Disable the web servers on your IP phones
- There are services that can help you monitor your exposure
  - www.cyveilance.com
  - www.baytsp.com
17. Scanning: Introduction
Gathering Information / Scanning
- Steps taken by a hacker to identify IP addresses and hosts running VoIP
- Consists of
  - Gaining access
  - Host/device discovery and identification
  - Port scanning and service discovery
18. Scanning: Gaining Access
Attacking The Network / Gaining Access
- Several attack vectors include
  - Installing a simple wired hub
  - Wi-Fi sniffing
  - Compromising a network node
    - Compromising a VoIP phone
    - Compromising a switch
    - Compromising a proxy, gateway, or PC/softphone
  - ARP poisoning
  - Circumventing VLANs
19. Host/Device Discovery and Identification
Gathering Information / Scanning
- Consists of various techniques used to find hosts
  - Ping sweeps
  - ARP pings
  - TCP ping scans
  - SNMP sweeps
- After hosts are found, the type of device can be determined
  - Classifies host/device by operating system
  - Network stack fingerprinting is a common technique for identifying hosts/devices
20. Host/Device Discovery: Using nmap
Gathering Information / Scanning
- nmap -O -P0 192.168.1.1-254
    Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-02-20 01:03 CST
    Interesting ports on 192.168.1.21:
    (The 1671 ports scanned but not shown below are in state: filtered)
    PORT   STATE SERVICE
    23/tcp open  telnet
    MAC Address: 00:0F:34:11:80:45 (Cisco Systems)
    Device type: VoIP phone
    Running: Cisco embedded
    OS details: Cisco IP phone (POS3-04-3-00, PC030301)
    Interesting ports on 192.168.1.23:
    (The 1671 ports scanned but not shown below are in state: closed)
    PORT   STATE SERVICE
    80/tcp open  http
    MAC Address: 00:15:62:86:BA:3E (Cisco Systems)
    Device type: VoIP phone|VoIP adapter
    Running: Cisco embedded
    OS details: Cisco VoIP Phone 7905/7912 or ATA 186 Analog Telephone Adapter
21. Host/Device Discovery: Ping Sweeps/ARP Pings
Gathering Information / Scanning
22. Host/Device Discovery: SNMP Sweeps
Gathering Information / Scanning
23. Host/Device Discovery: Countermeasures
Gathering Information / Scanning
- Use firewalls and Intrusion Prevention Systems (IPSs) to block ping and TCP sweeps
- VLANs can help isolate ARP pings
- Ping sweeps can be blocked at the perimeter firewall
- Use the secure (SNMPv3) version of SNMP
- Change SNMP public strings
24. Port Scanning/Service Discovery
Gathering Information / Scanning
- Consists of various techniques used to find open ports and services on hosts
- These ports can be targeted later
- nmap is the most commonly used tool for TCP SYN and UDP scans
25. Port Scanning/Service Discovery: Countermeasures
Gathering Information / Scanning
- Using non-Internet routable IP addresses will prevent external scans
- Firewalls and IPSs can detect and possibly block scans
- VLANs can be used to partition the network to prevent scans from being effective
26. Enumeration: Introduction
Gathering Information / Enumeration
- Involves testing open ports and services on hosts/devices to gather more information
- Includes running tools to determine if open services have known vulnerabilities
- Also involves scanning for VoIP-unique information such as phone numbers
- Includes gathering information from TFTP servers and SNMP
27. Vulnerability Testing: Tools
Gathering Information / Enumeration
28. Vulnerability Testing: Tools
Gathering Information / Enumeration
29. Vulnerability Testing: Tools
Gathering Information / Enumeration
30. Vulnerability Testing: Countermeasures
Gathering Information / Enumeration
- The best solution is to upgrade your applications and make sure you continually apply patches
- Some firewalls and IPSs can detect and mitigate vulnerability scans
31. SIP Enumeration: Directory Scanning
Gathering Information / Enumeration
    root@attacker# nc 192.168.1.104 5060
    OPTIONS sip:test@192.168.1.104 SIP/2.0
    Via: SIP/2.0/TCP 192.168.1.120;branch=4ivBcVj5ZnPYgb
    To: alice <sip:test@192.168.1.104>
    Content-Length: 0

    SIP/2.0 404 Not Found
    Via: SIP/2.0/TCP 192.168.1.120;branch=4ivBcVj5ZnPYgb;received=192.168.1.103
    To: alice <sip:test@192.168.1.104>;tag=b27e1a1d33761e85846fc98f5f3a7e58.0503
    Server: Sip EXpress router (0.9.6 (i386/linux))
    Content-Length: 0
    Warning: 392 192.168.1.104:5060 "Noisy feedback tells: pid=29801 req_src_ip=192.168.1.120 req_src_port=32773 in_uri=sip:test@192.168.1.104 out_uri=sip:test@192.168.1.104 via_cnt==1"
32. SIP Enumeration: Directory Scanning
Gathering Information / Enumeration
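From the proxy's side, the probing shown above has an obvious signature: one source sending requests (OPTIONS, REGISTER or INVITE) to many different extensions in a short time and collecting 404s. The following added example (not code from the slides) parses the request line and top Via of each SIP request in a constructed log and flags any source that addresses more distinct users than a threshold inside a sliding window; the sample messages, addresses and thresholds are assumptions.

```python
"""Spot SIP directory scanning on the proxy side: one source probing many extensions."""
import re
from collections import defaultdict

REQUEST_LINE = re.compile(r"^([A-Z]+)\s+sip:([^@\s]+)@([^\s;>]+)\S*\s+SIP/2\.0$")


def parse_request(raw):
    """Return method, target user, host and lowercased headers of one SIP request."""
    lines = raw.strip().splitlines()
    m = REQUEST_LINE.match(lines[0].strip())
    if not m:
        raise ValueError("not a SIP request: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": m.group(1), "user": m.group(2), "host": m.group(3), "headers": headers}


def source_of(req):
    """Source address from the top Via: prefer received= (added by the proxy), else the sent-by host."""
    via = req["headers"].get("via", "")
    r = re.search(r"received=([\d.]+)", via)
    if r:
        return r.group(1)
    m = re.search(r"SIP/2\.0/\w+\s+([\d.]+)", via)
    return m.group(1) if m else "unknown"


def detect_scanners(events, window=60.0, max_users=5):
    """events: iterable of (timestamp_seconds, raw_request).
    Returns {source: sorted list of probed users} for every source that addressed more
    than max_users distinct users within any `window` seconds."""
    recent = defaultdict(list)  # source -> [(ts, user), ...] still inside the window
    alerts = {}
    for ts, raw in sorted(events):
        req = parse_request(raw)
        src = source_of(req)
        recent[src] = [(t, u) for t, u in recent[src] if ts - t <= window]
        recent[src].append((ts, req["user"]))
        users = {u for _, u in recent[src]}
        if len(users) > max_users:
            alerts[src] = sorted(users)
    return alerts


def _options(user, src, n):
    """Constructed OPTIONS probe in the shape of the slide's example (not captured traffic)."""
    return ("OPTIONS sip:%s@192.168.1.104 SIP/2.0\r\n"
            "Via: SIP/2.0/TCP %s;branch=z9hG4bK%d\r\n"
            "To: <sip:%s@192.168.1.104>\r\n"
            "Content-Length: 0\r\n\r\n") % (user, src, n, user)


# Constructed sample: 192.168.1.120 walks extensions 1000-1007 in eight seconds,
# while 192.168.1.50 legitimately contacts extension 1001 twice.
SAMPLE_EVENTS = [(float(i), _options(str(1000 + i), "192.168.1.120", i)) for i in range(8)]
SAMPLE_EVENTS += [(3.5, _options("1001", "192.168.1.50", 99)),
                  (20.0, _options("1001", "192.168.1.50", 100))]

if __name__ == "__main__":
    for src, users in detect_scanners(SAMPLE_EVENTS).items():
        print("directory scan from %s: %d extensions probed (%s ... %s)"
              % (src, len(users), users[0], users[-1]))
```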
33. TFTP Enumeration: Introduction
Gathering Information / Enumeration
- Almost all phones we tested use TFTP to download their configuration files
- The TFTP server is rarely well protected
- If you know or can guess the name of a configuration or firmware file, you can download it without even specifying a password
- The files are downloaded in the clear and can be easily sniffed
- Configuration files have usernames, passwords, IP addresses, etc. in them
34. TFTP Enumeration: Using TFTPBRUTE
Gathering Information / Enumeration
    root@attacker# perl tftpbrute.pl 192.168.1.103 brutefile.txt 100
    tftpbrute.pl, , V 0.1
    TFTP file word database: brutefile.txt
    TFTP server 192.168.1.103
    Max processes 100
    Processes are: 1
    <snip>
    Processes are: 12
    Found TFTP server remote filename: sip.cfg
    Found TFTP server remote filename: 46xxsettings.txt
    Processes are: 13
    Processes are: 14
    Found TFTP server remote filename: sip_4602D02A.txt
    Found TFTP server remote filename: XMLDefault.cnf.xml
    Found TFTP server remote filename: SipDefault.cnf
35. TFTP Enumeration: Countermeasures
Gathering Information / Enumeration
- It is difficult not to use TFTP, since it is so commonly used by VoIP vendors
- Some vendors offer more secure alternatives
- Firewalls can be used to restrict access to TFTP servers to valid devices
36. SNMP Enumeration: Introduction
Gathering Information / Enumeration
- SNMP is enabled by default on most IP PBXs and IP phones
- Simple SNMP sweeps will garner lots of useful information
- If you know the device type, you can use snmpwalk with the appropriate OID
  - You can find the OID using Solarwinds MIB
- Default passwords, called community strings, are common
37. SNMP Enumeration: Solarwinds
Gathering Information / Enumeration
38. SNMP Enumeration: snmpwalk
Gathering Information / Enumeration
    root@domain2# snmpwalk -c public -v 1 192.168.1.53 1.3.6.1.4.1.6889
    SNMPv2-SMI::enterprises.6889.2.69.1.1.1.0 = STRING: "Obsolete"
    SNMPv2-SMI::enterprises.6889.2.69.1.1.2.0 = STRING: "4620D01B"
    SNMPv2-SMI::enterprises.6889.2.69.1.1.3.0 = STRING: "AvayaCallserver"
    SNMPv2-SMI::enterprises.6889.2.69.1.1.4.0 = IpAddress: 192.168.1.103
    SNMPv2-SMI::enterprises.6889.2.69.1.1.5.0 = INTEGER: 1719
    SNMPv2-SMI::enterprises.6889.2.69.1.1.6.0 = STRING: "051612501065"
    SNMPv2-SMI::enterprises.6889.2.69.1.1.7.0 = STRING: "700316698"
    SNMPv2-SMI::enterprises.6889.2.69.1.1.8.0 = STRING: "051611403489"
    SNMPv2-SMI::enterprises.6889.2.69.1.1.9.0 = STRING: "00040D5040B0"
    SNMPv2-SMI::enterprises.6889.2.69.1.1.10.0 = STRING: "100"
    SNMPv2-SMI::enterprises.6889.2.69.1.1.11.0 = IpAddress: 192.168.1.53
    SNMPv2-SMI::enterprises.6889.2.69.1.1.12.0 = INTEGER: 0
    SNMPv2-SMI::enterprises.6889.2.69.1.1.13.0 = INTEGER: 0
    SNMPv2-SMI::enterprises.6889.2.69.1.1.14.0 = INTEGER: 0
    SNMPv2-SMI::enterprises.6889.2.69.1.1.15.0 = STRING: "192.168.1.1"
    SNMPv2-SMI::enterprises.6889.2.69.1.1.16.0 = IpAddress: 192.168.1.1
    SNMPv2-SMI::enterprises.6889.2.69.1.1.17.0 = IpAddress: 255.255.255.0
39. SNMP Enumeration: Countermeasures
Gathering Information / Enumeration
- Disable SNMP on any devices where it is not needed
- Change default public and private community strings
- Try to use SNMPv3, which supports authentication
40. Attacking The Network
Attacking The Network
- The VoIP network and supporting infrastructure are vulnerable to attacks
- Most attacks will originate inside the network, once access is gained
- Attacks include
  - Network infrastructure DoS
  - Network eavesdropping
  - Network and application interception
41. Attacking The Network: Gaining Access
Attacking The Network / Gaining Access
- Some techniques for circumventing VLANs
  - Without MAC filtering, disconnect a phone and connect a PC
  - Even if MAC filtering is used, you can easily spoof the MAC
  - Be especially cautious of VoIP phones in public areas
- Some other VLAN attacks
  - MAC flooding attack
  - 802.1q and ISL tagging attack
  - Double-encapsulated 802.1q/Nested VLAN attack
  - Private VLAN attack
  - Spanning-tree protocol attack/VLAN trunking protocol attack
42. Network Infrastructure DoS
Attacking The Network / Network DoS
- The VoIP network and supporting infrastructure are vulnerable to attacks
- VoIP media/audio is particularly susceptible to any DoS attack which introduces latency and jitter
- Attacks include
  - Flooding attacks
  - Network availability attacks
  - Supporting infrastructure attacks
43. Flooding Attacks: Introduction
Attacking The Network / Network DoS
- Flooding attacks generate so many packets at a target that it is overwhelmed and can't process legitimate requests
44. Flooding Attacks: Types of Floods
Attacking The Network / Network DoS
- Some types of floods are
  - UDP floods
  - TCP SYN floods
  - ICMP and Smurf floods
  - Worm and virus oversubscription side effect
  - QoS manipulation
  - Application flooding
45. Flooding Attacks: Countermeasures
Attacking The Network / Network DoS
- Layer 2 and 3 QoS mechanisms are commonly used to give priority to VoIP media (and signaling)
- Use rate limiting in network switches
- Use anti-DoS/DDoS products
- Some vendors have DoS support in their products (in newer versions of software)
46. Network Availability Attacks
Attacking The Network / Network DoS
- This type of attack involves an attacker trying to crash the underlying operating system
- Fuzzing involves sending malformed packets, which exploit a weakness in software
  - Packet fragmentation
  - Buffer overflows
47. Network Availability Attacks: Countermeasures
Attacking The Network / Network DoS
- A network IPS is an inline device that detects and blocks attacks
- Some firewalls also offer this capability
- Host based IPS software also provides this capability
48. Supporting Infrastructure Attacks
Attacking The Network / Network DoS
- VoIP systems rely heavily on supporting services such as DHCP, DNS, TFTP, etc.
- DHCP exhaustion is an example, where a hacker uses up all the IP addresses, denying service to VoIP phones
- DNS cache poisoning involves tricking a DNS server into using a fake DNS response
49. Supporting Infrastructure Attacks: Countermeasures
Attacking The Network / Network DoS
- Configure DHCP servers not to lease addresses to unknown MAC addresses
- DNS servers should be configured to analyze information from non-authoritative servers and drop any response not related to their own queries
50. Network Eavesdropping: Introduction
Attacking The Network / Eavesdropping
- VoIP configuration files, signaling, and media are vulnerable to eavesdropping
- Attacks include
  - TFTP configuration file sniffing (already discussed)
  - Number harvesting and call pattern tracking
  - Conversation eavesdropping
51. Numbers/Call Patterns
Attacking The Network / Eavesdropping
- By sniffing signaling, it is possible to build a directory of numbers and track calling patterns
- voipong automates the process of logging all calls
- Wireshark is very good at sniffing VoIP signaling
52. Conversation Recording: Wireshark
Attacking The Network / Eavesdropping
53. Conversation Recording: Wireshark
Attacking The Network / Eavesdropping
54. Conversation Recording: Cain And Abel
Attacking The Network / Eavesdropping
55. Conversation Recording: Other Tools
Attacking The Network / Eavesdropping
- Other tools include
  - vomit
  - Voipong
  - voipcrack (not public)
  - DTMF decoder
56. Network Eavesdropping: Countermeasures
Attacking The Network / Eavesdropping
- Use encryption
  - Many vendors offer encryption for signaling
    - Use Transport Layer Security (TLS) for signaling
  - Many vendors offer encryption for media
    - Use Secure Real-time Transport Protocol (SRTP)
    - Use ZRTP
  - Use proprietary encryption if you have to
57. Network/Application Interception: Introduction
Attacking The Network / Net/App Interception
- The VoIP network is vulnerable to Man-In-The-Middle (MITM) attacks, allowing
  - Eavesdropping on the conversation
  - Causing a DoS condition
  - Altering the conversation by omitting, replaying, or inserting media
  - Redirecting calls
- Attacks include
  - Network-level interception
  - Application-level interception
58. Network Interception: ARP Poisoning
Attacking The Network / Net/App Interception
- The most common network-level MITM attack is ARP poisoning
- Involves tricking a host into thinking the MAC address of the attacker is the intended address
- There are a number of tools available to support ARP poisoning
  - Cain and Abel
  - ettercap
  - Dsniff
  - hunt
59. Network Interception: ARP Poisoning
Attacking The Network / Net/App Interception
60. Network Interception: ARP Poisoning
Attacking The Network / Net/App Interception
61. Network Interception: Countermeasures
Attacking The Network / Net/App Interception
- Some countermeasures for ARP poisoning are
  - Static OS mappings
  - Switch port security
  - Proper use of VLANs
  - Signaling encryption/authentication
  - ARP poisoning detection tools, such as arpwatch
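The last countermeasure, arpwatch-style monitoring, comes down to remembering which MAC answered for each IP on the voice VLAN and alerting when that binding moves or when one MAC starts answering for several IPs (the gateway and a phone at once). The block below is an added example that is not part of the slides; the ARP reply log, addresses and the list of protected hosts are constructed for illustration.

```python
"""arpwatch-style detection: learn IP-to-MAC bindings on the voice VLAN and alert on changes."""
from collections import defaultdict

# Constructed ARP reply log as (timestamp, sender IP, sender MAC). In practice these
# come from a capture on the voice VLAN; the values below are made up for the example.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "00:0f:34:11:80:45"),    # gateway
    (1.0, "192.168.1.21", "00:15:62:86:ba:3e"),   # IP phone
    (2.0, "192.168.1.1", "00:0f:34:11:80:45"),    # gateway again, unchanged
    (30.0, "192.168.1.1", "00:0c:29:aa:bb:cc"),   # gateway IP now claimed by another MAC
    (31.0, "192.168.1.21", "00:0c:29:aa:bb:cc"),  # same MAC also claims the phone's IP
    (60.0, "192.168.1.1", "00:0f:34:11:80:45"),   # real gateway answers again (flip-flop)
]


def watch_arp(replies, protected=()):
    """Return a list of alert tuples:
    ("protected-change", ts, ip, old_mac, new_mac): binding of a protected IP changed
    ("flip-flop", ts, ip, old_mac, new_mac):        binding of any other IP changed
    ("multi-ip", ts, mac, [ips]):                   one MAC answering for several IPs
    `protected` lists IPs (gateway, PBX, TFTP server) whose binding must never move."""
    table = {}                 # ip -> mac currently believed
    claims = defaultdict(set)  # mac -> every ip it has answered for
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        old = table.get(ip)
        if old is not None and old != mac:
            kind = "protected-change" if ip in protected else "flip-flop"
            alerts.append((kind, ts, ip, old, mac))
        table[ip] = mac
        claims[mac].add(ip)
        # a single MAC claiming more than one IP is the classic MITM signature
        if len(claims[mac]) > 1:
            alerts.append(("multi-ip", ts, mac, sorted(claims[mac])))
    return alerts


if __name__ == "__main__":
    for alert in watch_arp(SAMPLE_ARP_REPLIES, protected={"192.168.1.1"}):
        print(alert)
```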
62. Attacking The Platform
Attacking The Platform
- This section describes unique attacks against specific VoIP vendor platforms, including
  - Avaya
  - Cisco
63. Avaya Communication Manager
Attacking The Platform / Avaya
- The Avaya Communication Manager is Avaya's enterprise-class offering
- Offers strong security, but some default configuration should be changed
- Avaya uses Linux and VxWorks as the underlying operating system on many components, which is arguably more secure than Windows
64. Avaya Communication Manager
Attacking The Platform / Avaya
65. Open Ports
Attacking The Platform / Avaya
66. Open Ports
Attacking The Platform / Avaya
67. Open Ports
Attacking The Platform / Avaya
68. Open Ports
Attacking The Platform / Avaya
69. Open Ports
Attacking The Platform / Avaya
70. Open Ports
Attacking The Platform / Avaya
71. Open Ports: Countermeasures
Attacking The Platform / Avaya
72. Open Ports: Countermeasures
Attacking The Platform / Avaya
73. SNMP and TFTP
Attacking The Platform / Avaya
- Avaya uses TFTP and SNMP
- In 3.0, SNMP is enabled by default on the IP PBX and IP phones
- Some components ship with default public and private community strings
74. SNMP and TFTP: Countermeasures
Attacking The Platform / Avaya
- Use the same countermeasures as before
- Avaya provides a secure copy feature as an alternative to TFTP
- Communication Manager 4.0 disables SNMP by default
- Version 2.6 for IP phones does not ship with default community strings
75. Flooding Attacks
Attacking The Platform / Avaya
- We used udpflood and tcpsynflood to perform DoS attacks against various components
- Unfortunately, these attacks were very disruptive
76. Flooding Attacks: Countermeasures
Attacking The Platform / Avaya
- Use the same countermeasures as before
- Avaya C-LAN cards provide some level of DoS mitigation
- Newer IP phone software provides better DoS mitigation
- http://support.avaya.com/security
77. Miscellaneous Security Issues
Attacking The Platform / Avaya
- Avaya signaling and media are vulnerable to eavesdropping
- Avaya uses some default passwords on key IP PBX components
- Password recommendations for IP phones are weak
- By default, Avaya IP phones can be reconfigured when booted
78. Miscellaneous Security Issues: Countermeasures
Attacking The Platform / Avaya
- Avaya supports proprietary encryption for signaling and media. SRTP will be supported in Communication Manager 4.0
- Default passwords should be changed to strong values
- Local access to the IP phone can be controlled with a password
79. Cisco Unified Call Manager
Attacking The Platform / Cisco
- The Cisco Unified Call Manager is Cisco's enterprise class offering
- Offers strong security, but requires some configuration
- Version 4.1 is based on Windows. Version 5.0 is based on Linux
- A must-read document is the Solution Reference Network Design (SRND) for Voice communications (http://tinyurl.com/gd5r4).
  - Includes great deployment scenarios and security use cases (lobby phone, desktop phone, call manager encryption how-to, etc.)
80. Cisco: Introduction
Attacking The Platform / Cisco
81. Cisco Discovery Protocol
Attacking The Platform / Cisco
- Cisco Discovery Protocol: Cisco's proprietary layer 2 network management protocol.
- Contains juicy information that is broadcast on the entire segment
82. Port Scanning
Attacking The Platform / Cisco
- Cisco Unified Call Manager requires a large number of open ports
83. Port Scanning: Countermeasures
Attacking The Platform / Cisco
- Cisco IOS has a great feature called autosecure that
  - disables a slew of services (finger, http, ICMP, source routing, etc.)
  - enables some services (password encryption, TCP synwait-time, logging, etc.)
  - locks down the router and switch (enables only ssh, blocks private address blocks from traversing, enables netflow, etc.)
84. Flooding: Countermeasures
Attacking The Platform / Cisco
- Network Flooding Countermeasures
  - Another great feature from Cisco is AutoQoS, a new IOS feature (auto qos command).
  - Enables Quality of Service for VoIP traffic across every Cisco router and switch
  - Scavenger class QoS is also a relatively new Cisco strategy: rate shape all bursty non-VoIP traffic
85. DoS and OS Exploitation: Countermeasures
Attacking The Platform / Cisco
- Patch management is key: use the Cisco Voice Technology Group Subscription Tool (http://www.cisco.com/cgi-bin/Software/Newsbuilder/Builder/VOICE.cgi)
86. Eavesdropping and Interception: Countermeasures
Attacking The Platform / Cisco
- Eavesdropping and Interception Countermeasures
  - Enable port security on Cisco switches to help mitigate ARP spoofing
  - Enable Dynamic ARP Inspection to thwart ARP spoofing
  - Dynamically restrict Ethernet port access with 802.1x port authentication
  - Enable DHCP snooping to prevent DHCP spoofing
  - Configure IP Source Guard on switches
87. Eavesdropping and Interception: Countermeasures
Attacking The Platform / Cisco
- Eavesdropping and Interception Countermeasures
  - Configure VTP transparent mode
  - Change the default native VLAN value to thwart VLAN hopping
  - Disable Dynamic Trunking Protocol (DTP) to thwart VLAN hopping
88. Eavesdropping and Interception: Countermeasures
Attacking The Platform / Cisco
- Eavesdropping and Interception Countermeasures
  - Activate authentication and encryption of the signaling and media streams
    - Skinny over TLS
    - SRTP
  - Requires creating and distributing certificates on phones
89. Attacking The Application
Attacking The Application
- VoIP systems are vulnerable to application attacks against the various VoIP protocols
- Attacks include
  - Fuzzing attacks
  - Flood-based DoS
  - Signaling and media manipulation
90. Fuzzing: Introduction
Attacking The Application / Fuzzing
- Fuzzing describes attacks where malformed packets are sent to a VoIP system in an attempt to crash it
- Research has shown that VoIP systems, especially those employing SIP, are vulnerable to fuzzing attacks
91. Fuzzing: Example
Attacking The Application / Fuzzing
    INVITE sip:6713@192.168.26.180:6060;user=phone SIP/2.0
    Via: SIP/2.0/UDP 192.168.22.36:6060
    From: UserAgent<sip:6710@192.168.22.36:6060;user=phone>
    To: 6713<sip:6713@192.168.26.180:6060;user=phone>
    Call-ID: 96561418925909@192.168.22.36
    Cseq: 1 INVITE
    Subject: VovidaINVITE
    Contact: <sip:6710@192.168.22.36:6060;user=phone>
    Content-Type: application/sdp
    Content-Length: 168
92. Fuzzing: Example
Attacking The Application / Fuzzing
    INVITE sip:6713@192.168.26.180:6060;user=phone SIP/2.0
    Via: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    From: UserAgent<sip:6710@192.168.22.36:6060;user=phone>
    To: 6713<sip:6713@192.168.26.180:6060;user=phone>
    Call-ID: 96561418925909@192.168.22.36
    Cseq: 1 INVITE
    Subject: VovidaINVITE
    Contact: <sip:6710@192.168.22.36:6060;user=phone>
    Content-Type: application/sdp
    Content-Length: 168
93. Fuzzing: Public Domain Tools
Attacking The Application / Fuzzing
- There are many public domain tools available for fuzzing
  - Protos suite
  - Asteroid
  - Fuzzy Packet
  - NastySIP
  - Scapy
  - SipBomber
  - SFTF
  - SIP Proxy
  - SIPp
  - SIPsak
94. Fuzzing: Commercial Tools
Attacking The Application / Fuzzing
- There are some commercial tools available
  - Beyond Security BeStorm
  - Codenomicon
  - MuSecurity Mu-4000 Security Analyzer
  - Security Innovation Hydra
  - Sipera Systems LAVA tools
95. Fuzzing: Countermeasures
Attacking The Application / Fuzzing
- Make sure your vendor has tested their systems for fuzzing attacks
- Consider running your own tests
- A VoIP-aware IPS can monitor for and block fuzzing attacks
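The check a VoIP-aware IPS applies to the two INVITEs on the example slides is a grammar and size sanity pass before the message ever reaches the real parser. The block below is an added example, not the deck's own code: it bounds header line length and count, requires the mandatory headers, validates the Via and CSeq syntax, and cross-checks Content-Length against the body, so the slide's INVITE with the oversized Via is rejected while the well-formed one passes. The SDP body, the limits and the helper that rebuilds the slide's INVITE are assumptions for the example.

```python
"""Pre-parse sanity checks a SIP-aware IPS or proxy front end can apply to a request
before handing it to the real parser. Rejects the slide's fuzzed INVITE (oversized Via)
and accepts the well-formed one."""
import re

MAX_LINE_LEN = 1024  # policy: no single header line is expected to be longer than this
MAX_HEADERS = 64
MANDATORY = ("via", "from", "to", "call-id", "cseq")
REQUEST_RE = re.compile(r"^[A-Z]{1,16} \S+ SIP/2\.0$")
VIA_RE = re.compile(r"^SIP/2\.0/(UDP|TCP|TLS|SCTP) [\w.\-\[\]:]+(;[\w\-]+(=[^;\s]*)?)*$", re.I)
CSEQ_RE = re.compile(r"^\d+ [A-Z]+$")


def check_sip_request(raw):
    """Return (True, 'ok') or (False, reason) for the text of one SIP request."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not REQUEST_RE.match(lines[0]):
        return False, "bad request line"
    if len(lines) - 1 > MAX_HEADERS:
        return False, "too many headers"
    headers = {}
    for line in lines[1:]:
        if len(line) > MAX_LINE_LEN:
            return False, "header line too long (%d bytes)" % len(line)
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            return False, "malformed header line"
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    for h in MANDATORY:
        if h not in headers:
            return False, "missing header %s" % h
    for via in headers["via"]:
        if not VIA_RE.match(via):
            return False, "malformed Via"
    if not CSEQ_RE.match(headers["cseq"][0]):
        return False, "malformed CSeq"
    declared = headers.get("content-length", ["0"])[0]
    if not declared.isdigit() or int(declared) != len(body.encode()):
        return False, "Content-Length mismatch"
    return True, "ok"


# Constructed SDP body so that Content-Length can be computed (the slide omits the body).
SDP = ("v=0\r\no=- 1 1 IN IP4 192.168.22.36\r\ns=-\r\nc=IN IP4 192.168.22.36\r\n"
       "t=0 0\r\nm=audio 6000 RTP/AVP 0\r\n")


def build_invite(via_value):
    """The slide's INVITE with the Via value swapped in; the other headers follow slide 91."""
    return ("INVITE sip:6713@192.168.26.180:6060;user=phone SIP/2.0\r\n"
            "Via: %s\r\n"
            "From: UserAgent<sip:6710@192.168.22.36:6060;user=phone>\r\n"
            "To: 6713<sip:6713@192.168.26.180:6060;user=phone>\r\n"
            "Call-ID: 96561418925909@192.168.22.36\r\n"
            "Cseq: 1 INVITE\r\n"
            "Subject: VovidaINVITE\r\n"
            "Contact: <sip:6710@192.168.22.36:6060;user=phone>\r\n"
            "Content-Type: application/sdp\r\n"
            "Content-Length: %d\r\n\r\n%s") % (via_value, len(SDP), SDP)


GOOD_INVITE = build_invite("SIP/2.0/UDP 192.168.22.36:6060")
FUZZED_INVITE = build_invite("a" * 2000)  # Via stuffed with a long run of 'a', as on slide 92

if __name__ == "__main__":
    print("good:  ", check_sip_request(GOOD_INVITE))
    print("fuzzed:", check_sip_request(FUZZED_INVITE))
```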
96. Flood-Based DoS
Attacking The Application / Flood-Based DoS
- Several tools are available to generate floods at the application layer
  - rtpflood generates a flood of RTP packets
  - inviteflood generates a flood of SIP INVITE packets
  - SiVuS is a tool with a GUI that enables a variety of flood-based attacks
- Virtually every device we tested was susceptible to these attacks
97. Flood-Based DoS: Countermeasures
Attacking The Application / Flood-Based DoS
- There are several countermeasures you can use for flood-based DoS
  - Use VLANs to separate networks
  - Use TCP and TLS for SIP connections
  - Use rate limiting in switches
  - Enable authentication for requests
  - Use SIP firewalls/IPSs to monitor and block attacks
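Rate limiting and request authentication, two of the countermeasures above, combine naturally in a SIP-aware firewall: count requests per source and method over a sliding window, let a source under the soft limit through, challenge it for digest credentials between the soft and hard limits, and drop it above the hard limit. The following is an added example (not from the slides) that applies that policy to a constructed INVITE flood of the kind inviteflood produces next to a legitimate, authenticated phone; the limits, window and addresses are assumptions.

```python
"""Per-source SIP request rate limiting with a sliding window, as a SIP-aware firewall in
front of a proxy would apply: under the soft limit pass the request, between soft and hard
challenge it (407, forcing digest authentication), above the hard limit drop it silently."""
from collections import defaultdict, deque


class SipRateLimiter:
    # method -> (soft, hard) requests per source per window; INVITE is the costly one,
    # since every accepted INVITE allocates call state and rings a phone
    LIMITS = {"INVITE": (5, 20), "REGISTER": (10, 40), "OPTIONS": (10, 100)}
    DEFAULT_LIMIT = (20, 200)

    def __init__(self, window=1.0):
        self.window = window
        self.history = defaultdict(deque)  # (src, method) -> timestamps inside the window
        self.authenticated = set()         # sources that have passed digest authentication

    def decide(self, ts, src, method, authorized=False):
        """Return 'pass', 'challenge' or 'drop' for one request from `src` at time `ts`."""
        if authorized:
            self.authenticated.add(src)
        q = self.history[(src, method)]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        soft, hard = self.LIMITS.get(method, self.DEFAULT_LIMIT)
        if len(q) > hard:
            return "drop"
        if len(q) > soft and src not in self.authenticated:
            return "challenge"
        return "pass"


def simulate(limiter, requests):
    """Tally decisions per source for (ts, src, method, authorized) records."""
    tally = defaultdict(lambda: defaultdict(int))
    for ts, src, method, authorized in sorted(requests):
        tally[src][limiter.decide(ts, src, method, authorized)] += 1
    return {src: dict(counts) for src, counts in tally.items()}


# Constructed traffic: 1000 unauthenticated INVITEs from one host in half a second (the
# inviteflood pattern) alongside an authenticated phone placing a call every 300 ms.
FLOOD = [(i * 0.0005, "10.0.0.99", "INVITE", False) for i in range(1000)]
LEGIT = [(i * 0.3, "192.168.1.21", "INVITE", True) for i in range(10)]

if __name__ == "__main__":
    print(simulate(SipRateLimiter(window=1.0), FLOOD + LEGIT))
```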
98. Signaling/Media Manipulation: Introduction
Attacking The Application / Sig/Media Manipulation
- In SIP and RTP, there are a number of attacks possible which exploit the protocol
  - Registration manipulation
  - Redirection attacks
  - Session teardown
  - SIP phone reboot
  - RTP insertion/mixing
99. Registration Manipulation
Attacking The Application / Sig/Media Manipulation
100. Redirection Attacks
Attacking The Application / Sig/Media Manipulation
101. Session Teardown
Attacking The Application / Sig/Media Manipulation
102. IP Phone Reboot
Attacking The Application / Sig/Media Manipulation
103. Audio Insertion/Mixing
Attacking The Application / Sig/Media Manipulation
(Figure: attacker sees packets and inserts/mixes in new audio)
104. Signaling/Media Manipulation: Countermeasures
Attacking The Application / Sig/Media Manipulation
- Some countermeasures for signaling and media manipulation include
  - Use digest authentication where possible
  - Use TCP and TLS where possible
  - Use SIP-aware firewalls/IPSs to monitor for and block attacks
  - Use audio encryption to prevent RTP injection/mixing
105. Social Attacks
Social Attacks
- There are a couple of evolving social threats that will affect enterprises
  - Voice SPAM or SPAM over Internet Telephony (SPIT)
  - Voice phishing
106. Voice SPAM: Introduction
Social Attacks / Voice SPAM
- Voice SPAM refers to bulk, automatically generated, unsolicited phone calls
- Similar to telemarketing, but occurring at the frequency of email SPAM
- Not an issue yet, but will become prevalent when
  - The network makes it very inexpensive or free to generate calls
  - Attackers have access to VoIP networks that allow generation of a large number of calls
- It is easy to set up a voice SPAM operation, using Asterisk, tools like spitter, and free VoIP access
107. Voice SPAM
Social Attacks / Voice SPAM
- Voice SPAM has the potential to be very disruptive because
  - Voice calls tend to interrupt a user more than email
  - Calls arrive in real time and the content can't be analyzed to determine it is voice SPAM
  - Even calls saved to voice mail must be converted from audio to text, which is an imperfect process
- There isn't any capability in the protocols that looks like it will address voice SPAM
108. Voice SPAM: Countermeasures
Social Attacks / Voice SPAM
- Some potential countermeasures for voice SPAM are
  - Authenticated identity movements, which may help to identify callers
  - Legal measures
  - Enterprise voice SPAM filters
    - Black lists/white lists
    - Approval systems
    - Audio content filtering
    - Turing tests
109. VoIP Phishing: Introduction
Social Attacks / Phishing
- Similar to email phishing, but with a phone number delivered through email or voice
- When the victim dials the number, the recording requests entry of personal information
- The hacker comes back later and retrieves the touch tones or other information
110. VoIP Phishing: Example
Social Attacks / Phishing
- "Hi, this is Bob from Bank of America calling. Sorry I missed you. If you could give us a call back at 1-866-555-1324, we have an urgent issue to discuss with you about your bank account."
- "Hello. This is Bank of America. So we may best serve you, please enter your account number followed by your PIN."
111. VoIP Phishing: Example
Social Attacks / Phishing
112. VoIP Phishing: Countermeasures
Social Attacks / Phishing
- Traditional email spam/phishing countermeasures come into play here.
- Educating users is key