"Attacks against VOIP"
  • NCON has proven its worth in the market for customers whom we have gotten past the POC and installation stage. Acceleration of Revenue is very important to service providers. In order to get more revenue out of every sale service providers must deliver that service quickly placing that customer on the clock. By delivering service to that customer in 5 days instead of 21 Verizon realized a 12M revenue boost for the 600k customers they installed opposed to doing this service manually. In automating their operations they also were able to do more with less. Reducing provisioning staffers from 147 to 3.3 CanTV saw a 9M recovery of stranded assets in their network by installing NCON and using its Inventory system to track and record assets in their network. In doing so they have discovered 9M of assets that were thought used but were not reflected as free in their inventory. These assets can now be used to fulfill customer service requests. CanTV now trusts their network to reflect the true inventory and has now reduced the number of truck rolls to query Network Elements to determine if they can satisfy customer requests. Another benefit is that their success rate for order installation has risen from 20% to nearly 90%. 2 out of 10 to now 9 out of 10 says the director of operation at CanTV This remarkable improvement in delivery of services at Verizon and CanTV improves the time it takes for “successful service turn-up” and improves the relationship they hold with their respective customer base.

"Attacks against VOIP" Presentation Transcript

  • VoIP Security Behind the dialtone Vulnerabilities, Attacks and Countermeasures Peter Thermos Principal Consultant [email_address] Tel: 732 835 0102
  • Background
    • Education
      • MS,CS Columbia University
    • Consulting
      • Government and commercial organizations, consulting on information security and assurance, InfoSec program development and management, vulnerability assessments, security architecture, NGN/VoIP/IMS.
    • Research
      • Principal investigator on research tasks in the area of Internet Multimedia and Next Generation Networks (VoIP) and security that were funded by government organizations such as NIST (National Institute of Standards and Technology), DARPA (Defense Advanced Research Projects Agency), NSF (National Science Foundation) and others. In addition he has been working with domestic and foreign Telecommunications carriers and Fortune 500 companies on identifying security requirements for IMS/NGN and VoIP, conducting vulnerability assessments and product evaluations.
    • Member of IETF/IEEE/ACM.
  • Outline
    • Intro – Present and Future
    • The Converged Network
      • VoIP Architectures
    • Components & Protocols
    • Security
      • Threats
      • Vulnerabilities
      • Attacks
    • VoIP Firewalls
    • Assessment Tools
    • Approaches to secure VoIP/NGN networks
    • Conclusions
    • Further Research
  • Present and Future (Summary)
    • PSTN Network
      • Closed therefore “secure”
      • High availability (99.999%)
      • Limited connection to IP (OSS provisioning, management)
    • IP Network
      • Access is not restricted.
      • Best effort
      • Connected to accessible IP networks.
    “There is one safeguard known generally to the wise, which is an advantage and security to all, but especially to democracies as against despots. What is it? Distrust.” Demosthenes (c. 384–322 B.C.), Greek orator. Second Philippic, sct. 24 (344 B.C.)
  • VoPSecurity.org Forum – survey
    • Top Economic and Technical Challenges for VoIP Deployment
    • - Which are the most critical?
  • Carrier VoIP Architectures – Packet Cable
  • The Converged Network
  • Carrier VoIP Architectures - IMS
  • Enterprise VoIP Architecture
  • Skype Architecture
  • Components and Signaling Protocols
  • Protocols
  • Dive in to the Stack – SIP Example
      INVITE sip:bob@biloxi.com SIP/2.0
      Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bK77ds
      Max-Forwards: 70
      To: Bob <sip:bob@biloxi.com>
      From: Alice <sip:alice@atlanta.com>;tag=1928301774
      Call-ID: a84b4c76e66710@pc33.atlanta.com
      CSeq: 314159 INVITE
      Contact: <sip:alice@pc33.atlanta.com>
      Content-Type: application/sdp
      Content-Length: 142

      v=0
      o=user 29739 7272939 IN IP4 pc33.atlanta.com
      s=
      c=IN pc33.atlanta.com
      k=clear:3b6bssiGao7Vv8Jo7sgBaLLkbr
      m=audio 49210 RTP/AVP 0 12
      m=video 3227 RTP/AVP 31
      a=rtpmap:31 LPC/8000
    • Slide labels: the header block is SIP, the body is SDP
    • Format: k=<method>:<encryption key>
    • Method = clear, base64, uri, prompt
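Added example (not part of the original slides): a defender-side audit of the INVITE shown above, flagging key material carried in the SDP `k=` line and media offered without SRTP. The function names and rule names are assumptions made for this sketch; the sample message is the slide's INVITE retyped.

```python
import re

# The slide's INVITE, retyped as sample input (hosts are the slide's examples).
SAMPLE_INVITE = """\
INVITE sip:bob@biloxi.com SIP/2.0
Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bK77ds
Max-Forwards: 70
To: Bob <sip:bob@biloxi.com>
From: Alice <sip:alice@atlanta.com>;tag=1928301774
Call-ID: a84b4c76e66710@pc33.atlanta.com
CSeq: 314159 INVITE
Contact: <sip:alice@pc33.atlanta.com>
Content-Type: application/sdp
Content-Length: 142

v=0
o=user 29739 7272939 IN IP4 pc33.atlanta.com
s=
c=IN pc33.atlanta.com
k=clear:3b6bssiGao7Vv8Jo7sgBaLLkbr
m=audio 49210 RTP/AVP 0 12
m=video 3227 RTP/AVP 31
a=rtpmap:31 LPC/8000
"""

# k= methods that place the key itself inside the SDP body.
EMBEDDED_KEY_METHODS = {"clear", "base64"}
# Media profiles that carry SRTP rather than plain RTP.
PROTECTED_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}


def split_message(raw):
    """Return (header lines, SDP lines); accepts CRLF or LF line endings."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    return head.split("\n"), [line for line in body.split("\n") if line]


def signaling_transport(header_lines):
    """Transport named in the first Via header (UDP, TCP, TLS, ...)."""
    for line in header_lines:
        match = re.match(r"(?i)(?:via|v)\s*:\s*SIP/2\.0/(\w+)", line)
        if match:
            return match.group(1).upper()
    return None


def audit_sdp(raw):
    """Return (severity, rule, detail) findings; key values are never echoed."""
    headers, sdp = split_message(raw)
    transport = signaling_transport(headers)
    findings = []
    for line in sdp:
        kind, _, value = line.partition("=")
        if kind == "k":
            method, _, key = value.partition(":")
            if method in EMBEDDED_KEY_METHODS and key:
                # Over TLS the key is still visible to every proxy on the path.
                severity = "medium" if transport == "TLS" else "high"
                findings.append((severity, "sdp-key-in-signaling",
                                 f"k={method} key carried in SDP over {transport}"))
        elif kind == "m":
            fields = value.split()
            if len(fields) >= 3 and fields[2].startswith("RTP/") \
                    and fields[2] not in PROTECTED_PROFILES:
                findings.append(("medium", "unprotected-media",
                                 f"{fields[0]} port {fields[1]} offered as {fields[2]}"))
    return findings


if __name__ == "__main__":
    for severity, rule, detail in audit_sdp(SAMPLE_INVITE):
        print(f"[{severity}] {rule}: {detail}")
```
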
  • Dive in to the Stack – SRTP Example Image from IETF proceedings, Aug. 2001
  • Example – SIP Call
  • What are the Threats?
    • Threat: Service disruption (amplification attacks DoS/DDoS). Target(s): Network Owners, Service Providers, Subscribers
    • Threat: Eavesdropping (including traffic analysis). Target(s): Network Owners, Service Providers, Subscribers
    • Threat: Fraud (including service and intellectual assets, confidential information). Target(s): Network Owners, Service Providers
    • Threat: Unauthorized access (compromise systems with intentions to attack other systems or exploit vulnerabilities to commit fraud and eavesdropping). Target(s): Network Owners, Service Providers, Subscribers
    • Threat: Annoyance (e.g. SPIT). Target(s): Subscribers
  • 1st Case of VoIP Fraud
    • FBI arrests two for VoIP Fraud Pena, Moore
      • http://www.foxnews.com/story/0,2933,198778,00.html
    • Duration 8 months
    • Revenue/Fraud $2M
    • Attack Objective: Compromise VoIP service providers and enterprise networks that support VoIP to route unauthorized VoIP traffic originating from Telecom carriers.
    • Upstream provider pays fraudster, downstream provider doesn’t know.
  • Where are the vulnerabilities?
    • Threat model, vulnerabilities originate from the difficulty to foresee future threats (e.g. Signaling System No.7)
    • Design & specification vulnerabilities come from errors or oversights in the design of the protocol that make it inherently vulnerable (e.g., SIP, MGCP, 802.11b)
    • Implementation vulnerabilities are vulnerabilities that are introduced by errors in a protocol implementation
    • Architecture , network topology and association (e.g. routing) with other network elements.
  • Attacks (lab-experimentation)
    • DoS
      • Against phones, proxies, routers
      • SIP/MGCP/H.323/RTP
    • Call Hijacking
      • Flood target phone
      • Spoof registration
      • Calls are routed to the location described in the new registration
    • Eavesdropping and traffic analysis
  • Attacks - Spoofing Caller-ID
  • Companies that offer Caller-ID Spoofing https://connect.voicepulse.com/ http://www.nufone.net/ http://www.spooftel.net/
  • Spoofing Caller-ID using SiVuS
    • Manipulate the FROM header information
    • Send an INVITE to a phone
  • Lab Exercise #4 Presence Hijacking/Masquerading Attack using SIP
  • Presence Hijacking using SiVuS
    • The objective is to spoof a REGISTER request
    • The REGISTER request contains the “Contact:” header which indicates the IP address of the SIP device.
  • Presence Hijacking using SiVuS – Regular Register Request
  • The Attack
  • Manipulated REGISTER request properties
      REGISTER sip:216.1.2.5 SIP/2.0
      Via: SIP/2.0/UDP 192.168.1.6;branch=xajB6FLTEHIcd0
      From: 732-835-0102 <sip:12125550102@voip-service-provider.net:5061>;tag=5e374a8bad1f7c5x1
      To: 732-835-0102 <sip:12125550102@voip-service-provider.net:5061>
      Call-ID: QTEv5G5dOHYc@192.168.1.2
      CSeq: 123456 REGISTER
      Contact: 2125550102 <sip:12125550102@192.168.1.3:5061>;
        Digest username="12125550102",realm="216.1.2.5",nonce="716917624",
        uri="sip:voip-service-provider.net:5061",algorithm=MD5,
        response="43e001d2ef807f1e2c96e78adfd50bf7"
      Max_forwards: 70
      User Agent: 001217E57E31 VoIP-Router/RT31P2-2.0.13(LIVd)
      Content-Type: application/sdp
      Subject: SiVuS Test
      Expires: 7200
      Content-Length: 0
    • Slide callouts:
      • IP address of the VoIP device on which a POTS phone is attached
      • IP address that calls will be routed to (attacker)
      • Authentication MD5 digest can be intercepted and used to replay messages
  • Presence Hijacking using SiVuS – The REGISTER Message
  • The Exercise
    • Using SiVuS craft a REGISTER request
    • In the “Contact” header insert your IP address
    • Send the registration request to the SIP proxy
    • Make a phone call to the user you spoofed to see if the call is diverted.
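Added example (not part of the original slides): registrar-side detection logic for the manipulated REGISTER described above, flagging reuse of an already seen digest nonce/response pair, a Contact host that differs from the packet source, and a binding that moves to a new host. `RegisterMonitor`, `make_register`, the alert names and the source addresses fed to it are assumptions for this sketch; the messages are constructed, modelled on the slide's values.

```python
import re

AOR_RE = re.compile(r"^To\s*:.*?<sip:([^@>]+@[^:;>]+)", re.I | re.M)
CONTACT_RE = re.compile(r"^Contact\s*:.*?<sip:[^@>]+@([^:;>]+)", re.I | re.M)
NONCE_RE = re.compile(r'\bnonce="([^"]+)"', re.I)
RESPONSE_RE = re.compile(r'\bresponse="\s*([0-9a-f]+)\s*"', re.I)


def make_register(contact_host, nonce, response):
    """Build a constructed REGISTER for the demo (values modelled on the slide)."""
    user = "12125550102"
    aor = f"sip:{user}@voip-service-provider.net:5061"
    return "\r\n".join([
        "REGISTER sip:216.1.2.5 SIP/2.0",
        f"From: 732-835-0102 <{aor}>;tag=5e374a8bad1f7c5x1",
        f"To: 732-835-0102 <{aor}>",
        "CSeq: 123456 REGISTER",
        f"Contact: 2125550102 <sip:{user}@{contact_host}:5061>",
        f'Authorization: Digest username="{user}",realm="216.1.2.5",'
        f'nonce="{nonce}",uri="sip:voip-service-provider.net:5061",'
        f'algorithm=MD5,response="{response}"',
        "Expires: 7200",
        "Content-Length: 0",
        "", "",
    ])


class RegisterMonitor:
    """Passive monitor that keeps per-AOR binding state and seen digests."""

    def __init__(self):
        self.bindings = {}         # address-of-record -> last accepted contact host
        self.seen_digests = set()  # (nonce, response) pairs already observed

    def inspect(self, source_ip, raw):
        aor, contact = AOR_RE.search(raw), CONTACT_RE.search(raw)
        if not aor or not contact:
            return ["malformed-register"]
        aor, contact_host = aor.group(1), contact.group(1)
        alerts = []

        nonce, response = NONCE_RE.search(raw), RESPONSE_RE.search(raw)
        if nonce and response:
            digest = (nonce.group(1), response.group(1).lower())
            if digest in self.seen_digests:
                alerts.append("digest-replay")  # captured credentials reused
            self.seen_digests.add(digest)
        else:
            alerts.append("unauthenticated-register")

        # Weak signal on its own (NAT causes it too); strong next to the others.
        if contact_host != source_ip:
            alerts.append("contact-differs-from-source")

        previous = self.bindings.get(aor)
        if previous and previous != contact_host:
            alerts.append("binding-moved")

        # A replayed request is treated as rejected, so the baseline is kept.
        if "digest-replay" not in alerts:
            self.bindings[aor] = contact_host
        return alerts


if __name__ == "__main__":
    monitor = RegisterMonitor()
    events = [  # (packet source, REGISTER); all constructed for the demo
        ("192.168.1.6", make_register("192.168.1.6", "716917624",
                                      "43e001d2ef807f1e2c96e78adfd50bf7")),
        ("192.168.1.3", make_register("192.168.1.3", "716917624",
                                      "43e001d2ef807f1e2c96e78adfd50bf7")),
    ]
    for source, message in events:
        print(source, monitor.inspect(source, message))
```

The durable fix sits in the registrar: single-use nonces with a short lifetime, and signaling over TLS so the digest cannot be captured in transit.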
  • Attacks - Eavesdropping Decoding communications with Ethereal
  • Ethereal capture and decode to .au file (1 of 3)
  • Ethereal capture and decode to .au file (2 of 3) “Analyze a session” automatically re-assembles the selected session, which can be saved to an audio file.
  • Ethereal capture and decode to .au file (3 of 3) Analyzed sessions can be saved to a .au (audio) file.
  • The result
  • VoIP and Firewalls
    • Problems
      • NAT traversal
      • SIP spam
      • Various attacks, including DoS
    • Current solutions
      • Application Layer Gateways (ALGs)
      • Session Border Controllers
      • ICE – Interactive Connectivity Establishment (STUN, TURN, MIDCOM)
  • Tools
    • Eavesdropping
      • Ethereal
      • Vomit (vomit - voice over misconfigured internet telephones) http://vomit.xtdnet.nl/
      • VoIPong - http://www.enderunix.org/voipong/
    • Assessment
      • SiVuS – The VoIP Vulnerability Scanner – www.vopsecurity.org
  • Tool – Attack Trend
    • More tools are being developed
  • Vulnerability Assessment SiVuS
  • SiVuS – Message Generator
  • SiVuS - Discovery
  • SiVuS – configuration
  • SiVuS – Control Panel
  • SiVuS – Reporting
  • SiVuS – Authentication Analysis
  • How do we secure NGN networks?
    • SECURITY is NOT a product, it’s a PROCESS!
    • From the ground up
    • Assess and Verify
  • Conclusions (1 of 2)
    • Security is not a product, it’s a process!
    • Can we have adequately secure VoIP networks?
      • Yes, but at what cost? ->
        • Performance (e.g., There is a performance impact when using IPSec point to point for signaling)
        • Time and expertise. It requires appropriate resources and time to secure out of the box products. We need to ask vendors to have baseline security requirements for VoIP products.
    • Is voice quality degraded with encryption?
      • Not really
  • Conclusions (2 of 2)
    • How’s security in VoIP products today?
      • Poor to average
        • security controls are not mature
        • not implemented in deployments
        • Implementations inherit traditional vulnerabilities (e.g. Buffer Overflows)
    • We need better developed software that does not maintain poor security standards.
    • Security controls/features to enforce stronger security posture (protocol, user and administrative)
    • Define and impose baseline security requirements for product vendors
  • Distributed VoIP Security Testbed
    • NSF funding, $600K
      • http://www.nsf.gov/news/news_summ.jsp?cntn_id=106828
    • Research areas
      • Denial of Service (DoS) and Distributed DoS (DDoS)
      • Spam and “Spit”
      • Social Networks
      • Identity Management
      • Quality of Service (QoS) and Security Mechanisms
  • Testbed conceptual view
  • VoP Security Forum
    • The objectives of the VoPSecurity.org forum:
    • Encourage education in NGN/VoIP security through publications, online forums and mailing lists ( [email_address] and [email_address] )
    • Develop capabilities (tools, interoperability testing, methodologies and best practices) for members to maintain security in their respective infrastructure.
    • Conduct research to help identify vulnerabilities and solutions associated with NGN/VoIP.
    • Coordinate annual member meetings to disseminate information, provide updates and promote interaction and initiatives regarding NGN/VoIP security.
    • The VoP Security forum is viewed as a mechanism for participating members to be proactive and stay current with the threats and vulnerabilities associated with NGN/VoIP security and extend research in this area.
  • VoPSecurity Forum
    • Current Activities
      • Mailing lists
        • Public ( [email_address] )
      • Documentation
        • Intro to NGN Security (available)
        • Vulnerability Analysis Methodology for VoIP networks (in development)
        • VoIP Firewalls (in development)
      • Tools
        • SiVuS – VoIP vulnerability Scanner (available)
      • Research
        • Security evaluation of residential VoIP gateways
    Join the community !
  • Standards
    • ITU
      • Focus Group on Next Generation Networks (FGNGN) - http://www.itu.int/ITU-T/ngn/fgngn/
      • Open Communications Architecture Forum (OCAF) Focus Group http://www.itu.int/ITU-T/ocaf/index.html
    • IETF
      • Transport area - http://www.ietf.org/html.charters/wg-dir.html#Transport%20Area
      • Security Area - http://www.ietf.org/html.charters/wg-dir.html#Security%20Area
    • ATIS - http://www.atis.org/0191/index.asp
      • T1S1.1 --Lawfully Authorized Electronic Surveillance
      • T1S1.2 --Security
    • Lawful Intercept
      • 3GPP - TS 33.106 and TS 33.107
      • ETSI DTS 102 v4.0.4
  • Q & A Contact info: Peter Thermos [email_address] [email_address]