Vulnerabilities in SOHO VoIP Gateways - PowerPoint PPT Presentation

Slides: 22
Provided by: belala
1
Vulnerabilities in SOHO VoIP Gateways
2
Overview
  • The VoPSecurity.org forum has conducted a study
    to assess the security posture of selected VoIP
    service providers. This research has helped
    answer questions such as:

3
Questions
  • 1. What vulnerabilities may exist?
  • i.e. can I shut down my neighbor's VoIP service
    through a web interface?
  • Can I manage the device remotely (by gaining
    unauthorized access)?

4
Questions
  • 2. What kinds of DoS (Denial of Service) attacks
    may be applicable (e.g. message amplification,
    malformed packets)?

5
Questions
  • 3. What class of vulnerabilities can be exploited
    remotely (i.e. buffer overflows) in order to gain
    unauthorized access?
  • 4. Can a VoIP user's registration or the user's
    identity be hijacked? Would they know?

6
Service Providers
7
Methodology
  • In this study the focus was on the following
    areas:

8
1. Manageability
  • Remote management
  • Authentication
  • Authorization (e.g. unprivileged versus
    privileged user)
  • Session Confidentiality and Control (e.g.
    session-timeout)
  • Software Updates
  • Configuration Updates

9
2. Node Security
  • Operating System security (e.g. users
    and services)
  • Default configuration

10
3. Signaling Security
  • Message authentication.
  • Message confidentiality.
  • Information Leakage
  • Robustness of software.

11
4. Media Security
  • Message authentication
  • Message confidentiality
  • Information Leakage
  • Robustness of software Implementation

12
TOOL USED
13
FINDINGS
  • Manageability
  • None of the SOHO/Residential VoIP gateways use
    Secure Socket Layer (SSL) to protect
    communications between the user's browser and the
    remote gateway. Thus communication can be
    intercepted, including credentials (such as admin
    user-id and password) and management commands.

14
Node Security
  • Default Passwords
  • All SOHO/Residential gateways were delivered
    with default passwords; a quick search on the
    Internet provided privileged access (internal or
    external interfaces where applicable) to every
    device.

15
Node Security
16
Node Security
  • Publicly exposed ports and services
  • The analysis of VG-3 revealed that management
    ports (e.g. 23/tcp, 80/http, 161/snmp and
    443/tcp) are open on the external interface and
    accessible from the internet, thus exposing the
    device to various attacks. Furthermore, default
    settings on the services running on these ports
    (e.g. default SNMP community strings, telnet
    login and password) increase the opportunity
    for an attack.

17
Signaling Security
  • None of the implementations used confidentiality
    mechanisms to protect signaling messages. Thus,
    the messages were exposed to several attacks.
    Some of the most significant attacks include:

18
Signaling Security
  • Registration and call/identity hijacking
  • During this study they were able to intercept
    SIP registration messages, modify, replay and
    divert any subsequent communications
    (incoming calls) to another host which was
    using a SIP soft-phone. This finding was
    applicable to both SIP VGs and positively
    answers our initial question of "Can user
    registration or the user's identity be hijacked?"
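
The registration hijacking finding on this slide leaves a recognisable trace at the registrar, shown here as an added detection sketch that is not part of the original presentation. It flags a REGISTER whose Call-ID/CSeq pair reappears from a different source address and a Contact binding that moves to a new host; the subscriber name, addresses and sample messages are constructed for illustration.

```python
import re

def header(msg, name):
    """Return the value of the first header called `name`, or None."""
    m = re.search(rf"^{re.escape(name)}\s*:\s*(.+?)\s*$", msg, re.I | re.M)
    return m.group(1) if m else None

def sip_uri(value):
    """Pull user@host[:port] out of a header value such as <sip:user@host>."""
    m = re.search(r"sips?:([^>;\s]+)", value or "")
    return m.group(1) if m else None

def detect(packets):
    """packets: iterable of (source_ip, raw_sip_message). Returns alert tuples."""
    bindings, seen, alerts = {}, {}, []   # AOR -> contact host; (Call-ID, CSeq) -> source
    for src, msg in packets:
        if not msg.startswith("REGISTER "):
            continue
        aor, contact = sip_uri(header(msg, "To")), sip_uri(header(msg, "Contact"))
        key = (header(msg, "Call-ID"), header(msg, "CSeq"))
        if not aor or not contact or None in key:
            continue                       # incomplete message, nothing to compare
        host = contact.split("@")[-1].split(":")[0]
        # Same Call-ID/CSeq from a different address: a captured REGISTER was resent.
        if key in seen and seen[key] != src:
            alerts.append((aor, src, "replayed Call-ID/CSeq from new source"))
        seen.setdefault(key, src)
        # Binding now points at another host: incoming calls would be diverted there.
        prev = bindings.get(aor)
        if prev and prev != host:
            alerts.append((aor, src, f"contact moved {prev} -> {host}"))
        bindings[aor] = host
    return alerts

def _register(aor, contact, call_id, cseq):
    """Build a constructed REGISTER for the sample below."""
    return (f"REGISTER sip:provider.example SIP/2.0\r\nTo: <sip:{aor}>\r\n"
            f"From: <sip:{aor}>;tag=1\r\nCall-ID: {call_id}\r\n"
            f"CSeq: {cseq} REGISTER\r\nContact: <sip:{contact}>\r\nExpires: 3600\r\n\r\n")

# Constructed sample traffic (documentation addresses, hypothetical subscriber).
AOR = "alice@provider.example"
SAMPLE = [
    ("198.51.100.10", _register(AOR, "alice@198.51.100.10:5060", "a1", 1)),
    ("198.51.100.10", _register(AOR, "alice@198.51.100.10:5060", "a1", 2)),  # refresh
    ("203.0.113.77", _register(AOR, "alice@203.0.113.77:5060", "a1", 2)),    # resent, Contact changed
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Both checks are heuristics: a subscriber whose address legitimately changes also moves the binding, so alerts need triage against authentication and DHCP records.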

19
Conclusion
  • The results of this study demonstrate that
    several security issues exist in SOHO/Residential
    VoIP gateways which can impact subscribers at
    various levels.

20
Wireless Security vulnerabilities
  • Kinds of attacks
  • 1. MIM attack
  • When an Extensible Authentication Protocol (EAP)
    message is sent from the sender party to the
    receiver party, even with the approval from the
    server that this message has been authenticated,
    the message in fact contains no integrity-
    preserving information.

21
Wireless Security vulnerabilities
  • Session Hijacking
  • In the figure below a demonstration on how a
    session hijacking could take