Voice over IP (VoIP) security

1
Voice over IP (VoIP) security
2
Introduction

• Voice over IP and IP telephony
• Network convergence
• Telephone and IT
• PoE (Power over Ethernet)
• Mobility and Roaming
• Telco
• Switched -gt Packet (IP)
• Closed world -gt Open world
• Security and privacy
• IPhreakers
• VoIP vs 3G

3
Architecture protocols

• Signaling
• User location
• Session
• Setup
• Negotiation
• Modification
• Closing
• Transport
• Encoding, transport, etc.

4
Architecture protocols

• SIP
• IETF - 5060/5061 (TLS) - HTTP-like, all in one
• Proprietary extensions
• Protocol becoming an architecture
• End-to-end (between IP PBX)
• Inter-AS MPLS VPNs
• Transitive trust
• IM extensions (SIMPLE)
• H.323
• Protocol family
• H.235 (security), Q.931H.245 (management), RTP,
  CODECs, etc.
• ASN.1

5
Architecture protocols

• RTP (Real Time Protocol)
• 5004/udp
• RTCP
• No QoS/bandwidth management
• Packet reordering
• CODECs
• old G.711 (PSTN/POTS - 64Kb/s)
• current G.729 (8Kb/s)

6
Architecture systems

• Systems
• SIP Proxy
• Call Manager/IP PBX
• User management and reporting (HTTP, etc)
• H.323 GK (GateKeeper)
• Authentication server (Radius)
• Billing servers (CDR/billing)
• DNS, TFTP, DHCP servers

7
Architecture systems

• Voice Gateway (IP-PSTN)
• Gateway Control Protocols
• Signaling SS7 interface
• Media Gateway Controller
• Controls the MG (Megaco/H.248)
• SIP interface
• Signaling Gateway
• Interface between MGC and SS7
• SCTP - ISUP, Q.931
• Transport
• Media Gateway audio conversion

8
Architecture firewall/VPN

• Firewall
• Non-stateful filtering
• Stateful filtering
• Application layer filtering (ALGs)
• NAT / firewall piercing
• (H.323 2xTCP, 4x dynamic UDP - 1719,1720)
• (SIP 5060/udp)
• Encrypted VPN
• SSL/TLS
• IPsec
• Where to encrypt (LAN-LAN, phone-phone, etc)?

9
VOIP Threats

• Denial of Service
• ICMP Flood
• IP Spoofing
• Port Scans
• Land Attack
• IP Source Route
• Evasdropping or recording
• In VOIP eavesdropping is a type of an attack, if
  an attacker able to eavesdropp a communication.
  Then he can launch different type of an attack
  like Man in the Middle attack etc.
• Call Hijacking and Spoofing
• Call Redirection
• Voice SPAM (Vishing, Mailbox Stuffing,
  Unsolicited Calling)
• Voicemail Hacking

10
VOIP Attacks

• Signaling Layer Attacks
• SIP Registration Hijacking
• Impersonating a Server
• SIP Message Modification
• SIP Cancel / SIP BYE attack
• SIP DOS attack
• Media Layer Attacks
• Eavesdropping
• RTP insertion attack
• SSRC collision attacks

11
Signaling Layer Attacks

• SIP Registration attack
• Attacker impersonates a valid UA to a registrar
  himself as a valid user agent. So attacker can
  recieve calls for a legitmate user.
• Impersonating a Server
• When an attacker impersonates a remote server and
  user agent request are served by the attacker
  machine.
• SIP Message Modification
• If an attacker launches a man in the middle
  attack and modify a message. Then attacker could
  lead the caller to connect to malicious system.
• SIP CANCEL / SIP BYE
• SIP Denial of Service
• In SIP attacker creates a bogus request that
  contained a fake IP address and Via field in the
  SIP header contains the identity of the target
  host.

12
Media Layer Attacks

• Eavesdropping
• SSRC collision
• If an attacker eavesdropp the conversation and
  uses ones peer SSRC to send RTP packet to other
  peer, it causes to terminate a session.

13
Security Solutions

• Two types of security solutions
• End-to-End security
• In SIP end points can ensure end-to-end security
  to those messages which proxy does not read, like
  SDP messages could be protectedusing S/MIME.
• Media is transferred directly, so end-to-end
  security is achieved by SRTP.
• Hop-by-hop security
• TLS, IPSec
• TLS provide transport layer security over TCP.
  Normally SIP URI is in the form of
  sipabc_at_example.com, but if we are using TLS then
  SIP URI will be sipsabc_at_example.com and
  signaling must be send encrypted.

14
Authentication

• Authentication means to identify a person.
• If we take SIP as signaling protocol in VOIP, it
  defines two mechanisms for authentication
• HTTP digest authentication
• S/MIME
• HTTP Digest Authentication
• HTTP digests mechanisms used between users to
  proxies, users to users but not between proxies
  to proxies.
• S/MIME
• S/MIME uses X.509 certificates to
  authenticate end users in the same way that web
  browsers use them.

15
Media Encryption

• In VOIP media is send directly between users
  using RTP. Encryption of media is achieved by
• IPSec
• Secure RTP (SRTP)
• It provides a framework for encryption and
  message authentication of RTP and RTCP.
• Cipher Algorithum AES
• Authenitcation is an optional feature.
• SRTP uses Security Description for Media Streams
  (SDES) algorithum to negotiate session keys in
  SDP.
• MIKKEY
• Mikkey provides its own authentication and
  integrity mechanisim.
• Mikkey messages carried in a SDP with akey-mgmt
  attritbute.

16
There are Specialized Hacking Tools

• SIPScan - enumerate SIP interfaces
• TFTPBrute - TFTP directory attacking
• UDP and RTP Flooder - DoS tools
• hping2 TCP session flooding
• Registration Hijacker - tool to take over H.323
  session
• SIVUS - SIP authentication and registration
  auditor
• Vomit - RTP Playback
• VOIP HOPPER IP Phone mimicing tool
• Dsniff - various utilitarian tools (macof and
  arpspoof)
• Wireshark (Ethereal) / tcpdump - packet capture
  and protocol analysis

17
Thanks You