  • We will be introducing the concept of Semantic Overlay Networks which can be applied to existing peer-to-peer networks.
  • We introduced the concept of semantic overlay clusters in super-peer based networks. SOC’s are designed for very large, highly distributed networks improving search and semantic interoperability. We studied how to improve the efficiency of a peer-to-peer system by clustering nodes with similar content in Semantic Overlay Networks (SONs). We showed how SONs can efficiently process queries while preserving a high degree of node autonomy. The super-peer topology, consisting of a super-peer backbone with powerful computers and smaller clients which are linked to these super-peers, is very suitable for this approach. Further on we showed four extensions to an existing super-peer network, allowing a dynamic clustering of information provider peers to super-peer based clusters: RDF-based models for information provider peers formulated by using knowledge from existing approaches of the data base community,
    1. Wiretapping VoIP: Techniques to exploit VoIP over WLAN [1]
       Young J. Won (20063292). Date: May 30, 2007. Email: yjwon@postech.ac.kr. DP & NM Lab., POSTECH. EECE 702, Wireless Security
    2. Introduction
       • VoIP security issues are mainly related to
         • Weakness of the combination of the SIP and RTP protocols
         • Assuming WPA enabled (rather than WEP)
       • Several types of attack
         • Eavesdropping and sniffing of VoIP WLAN
         • Man in the Middle Attack
         • Denial of Service
         • Call Interruption
         • Build false calls
       • US Patents
    3. Secure SIP/RTP
       • Session Initiation Protocol – RFC 3261
       • Real-time Transport Protocol – RFC 3550
         • Transporting the multimedia data stream
         • Sending packets via UDP
       • To become the standard protocol for VoIP
       • Protocol for multimedia support in UMTS
    4. VoIP Element & Topology
       • NIST publication 800-58
         • Security considerations for Voice over IP systems, vulnerabilities, etc.
    5. Eavesdropping and Sniffing
       • Interception of the VoIP call is even simpler
         • Listen to an unprotected WiFi network
       • RTP stream reassembly using Ethereal
         • Identify the VoIP calls, using the SIP protocol
         • Graphical representation of packet exchange
    6. Man in the Middle Attack (1/2)
       • Two wireless adapters in the same machine
         • Master mode - rogue AP
         • http://sourceforge.net/projects/ipw2200-ap
       • Manipulating signal strength?
    7. Man in the Middle Attack (2/2)
       • Using Aireplay to
         • Inject the de-authentication frame into the wireless network through the interface
         • Disconnect the client from its legitimate AP
       • Observing the VoIP packets
         • Determine the UDP port, then forward packets using iptables.
    8. Denial of Service (1/2)
       • A SIP service can fail because of invalid SIP messages
         • Monitoring SIP messages
         • Using SIP INVITE messages to find vulnerabilities
       • Call Conductor v. 1.03
         • Discovery of SIP vulnerabilities
           • INVITE messages with negative Content-Length
           • INVITE messages with Content-Length higher than 1073741823 bytes
           • Express Talk & X-lite free Open Source tools
       • Attacking the wireless station
         • Not being associated ourselves
    9. Denial of Service (2/2)
       • Exceptional Element Categories
         • Known vulnerabilities - SIP
         • PROTO
    10. Call Interruption
       • Forwarding of a BYE message
         • Immediate call interruption
       • Using CANCEL method
         • Detect SIP setup, collect INVITE message
         • scapy library
           • Injecting the message in the wireless channel
           • Interactive packet manipulation program
           • Decoding protocols (including VoIP decoding on WEP encrypted channel)
           • http://www.secdev.org/projects/scapy/
    11. Building False Calls
       • Injecting acknowledgement packets containing
         • The same and destination fields of the previous INVITE request, Call-ID field
       • Terminals do not receive the audio
         • Discrepancy between the UDP ports (RTP stream)
       • This produces many simultaneous SIP calls inside the network
         • Detecting attack attempts
    12. Challenges of Wireless Monitoring
       • Limited capacity of each sniffer: each sniffer has limitations, e.g. on signal receiving range, disk space, processing power, etc.
       • Placement: finding the best location for each sniffer is difficult.
       • Data collection: it is difficult to collect and synchronize a large volume of data from multiple sniffers.
    13. US Patents
       • Methods and Apparatus for Wiretapping IP-Based Telephone Lines
       • Protecting Wireless Local Area Networks From Intrusion by Eavesdropping on the Eavesdroppers and Dynamically reconfiguring Encryption Upon Detection of Intrusion
       • Method and System for Providing Private Virtual Secure Voice Over Internet Protocol Communications
       • Peer-to-Peer Telephone System: Skype (World Intellectual Property Organization)
    14. US Patent (1)
    15. US Patent (2)
    16. Conclusion
       • Introduction to
         • Security Measures by VoIP Wireless technologies
       • We have looked at attacks in VoIP over WLAN
         • Eavesdropping and sniffing of VoIP WLAN
         • Man in the Middle Attack
         • Denial of Service
         • Call Interruption
         • Build false calls
       • US Patents about Wiretapping of VoIP in wireless
         • Monitoring framework in wireless networks
         • Issues and security measured in wired environment
       • Monitoring VoIP call over WLAN using commodity hardware in mobility - Interference and Location Discovery?
    17. Reference
       • G. Me, D. Verdone. “An Overview of Some Techniques to Exploit VoIP over WLAN”, International Conference on Digital Telecommunications, 2006.
       • S. Upson. “Wiretapping Woes”, IEEE Spectrum, May 2007.
       • A. Batchvarov. “Security Issues and Solutions for Voice over IP compared to Circuit Switched Networks”, INFOTECH Seminar ACS, 2004.
       • J. Yeo et al. “A Framework for Wireless LAN Monitoring and Its Applications”, WiSE, October 2004.
       • A. Bakre. “Intel VoIP over WLAN Architecture”, WICON, August 2006.
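Slide 8 names two malformed inputs that crashed SIP software: a negative Content-Length and one above 1073741823 bytes. The following is an added example, not part of the original slides, of the receive-side check that rejects both before any buffer is sized from the header; the function names, the 65535-byte policy ceiling and the sample INVITE are assumptions constructed for illustration.

```python
import re

MAX_BODY = 65535  # assumed local policy ceiling for a SIP body (not from the slides)

def check_content_length(raw: bytes, max_body: int = MAX_BODY):
    """Validate Content-Length of one SIP message received as a UDP datagram.

    Returns (ok, reason_code). Never trusts the declared length for allocation.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "no-separator"
    values = []
    for line in head.split(b"\r\n")[1:]:          # skip the request/status line
        if line[:1] in (b" ", b"\t"):             # folded continuation, not a header name
            continue
        name, colon, value = line.partition(b":")
        # RFC 3261 allows the compact header name "l" for Content-Length
        if colon and name.strip().lower() in (b"content-length", b"l"):
            values.append(value.strip())
    if not values:
        # Over UDP the header may be absent: the body runs to the end of the datagram
        return True, "absent"
    if len(set(values)) > 1:
        return False, "conflicting"
    # Digits only: rejects "-1", "+5", "0x10" and empty values before int() is called
    if not re.fullmatch(rb"[0-9]{1,10}", values[0]):
        return False, "not-a-non-negative-integer"
    declared = int(values[0])
    if declared > max_body:
        return False, "exceeds-policy"
    if declared > len(body):
        return False, "longer-than-datagram"
    return True, "ok"

def sample_invite(content_length: str, body: bytes = b"v=0\r\n") -> bytes:
    """Constructed sample INVITE; addresses and Call-ID are placeholders."""
    return (b"INVITE sip:bob@example.invalid SIP/2.0\r\n"
            b"Call-ID: constructed-1@example.invalid\r\n"
            b"Content-Length: " + content_length.encode() + b"\r\n\r\n" + body)

if __name__ == "__main__":
    for cl in ("5", "-1", "1073741824", "400"):
        print(cl, check_content_length(sample_invite(cl)))
```
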
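Slide 11 notes that false calls leave many simultaneous SIP calls whose terminals receive no audio, and that this can be used to detect attack attempts. The following is an added example, not part of the original slides, of that detection idea run over a constructed event list; it assumes a monitor has already reduced captured traffic to (timestamp, kind, Call-ID) tuples and has mapped RTP streams to calls through the negotiated media ports, and the grace period and threshold are illustrative values.

```python
def silent_established_calls(events, grace=5.0):
    """Return Call-IDs that were ACKed, never torn down, and carried no RTP.

    `events` is a time-ordered list of (ts, kind, call_id) with kind one of
    INVITE, ACK, BYE, CANCEL, RTP. A call is only reported once at least
    `grace` seconds have passed since its ACK, so calls that have just been
    set up are not flagged before media could start.
    """
    acked = {}          # call_id -> time of first ACK
    has_rtp = set()     # calls for which any media was observed
    ended = set()       # calls closed by BYE or CANCEL
    last_ts = 0.0
    for ts, kind, call_id in events:
        last_ts = ts
        if kind == "ACK":
            acked.setdefault(call_id, ts)
        elif kind == "RTP":
            has_rtp.add(call_id)
        elif kind in ("BYE", "CANCEL"):
            ended.add(call_id)
    return sorted(
        cid for cid, t in acked.items()
        if cid not in has_rtp and cid not in ended and last_ts - t >= grace
    )

def false_call_alert(events, grace=5.0, threshold=3):
    """Alert when the number of silent established calls reaches `threshold`."""
    silent = silent_established_calls(events, grace)
    return len(silent) >= threshold, silent

# Constructed sample: call "a" is a normal call with media; f1..f3 are ACKed
# but never carry audio; "g" was ACKed too recently to judge.
EVENTS = [
    (0.0, "INVITE", "a"), (0.5, "ACK", "a"), (0.6, "RTP", "a"),
    (1.0, "ACK", "f1"), (1.1, "ACK", "f2"), (1.2, "ACK", "f3"),
    (9.0, "ACK", "g"), (10.0, "RTP", "a"),
]

if __name__ == "__main__":
    print(false_call_alert(EVENTS))
```
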