Your SlideShare is downloading. ×
0
SECURING VOICE
COMMUNICATION
(The NSA does not need to hear about this.)

by Luca Pradovera
About me
Luca Pradovera
Voice Application Developer
Mojo Lingo LLC, Atlanta, GA

Securing telephony - AdhearsionConf 2013 ...
CAN WE
TRUST
VOIP?

NO.

Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
Alice, Bob and Bubba

All
cleartext!
Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
Signaling: SIP
(SESSION INITIATION PROTOCOL)

Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
Request methods: INVITE,
ACK,
BYE
SIP is similar

to HTTP
Headers: To, From
Securing telephony - AdhearsionConf 2013 - Dec...
INVITE sip:123@10.203.175.11 SIP/2.0	
Via: SIP/2.0/UDP
10.203.175.1:63851;rport;branch=z9hG4bKPjOZmllyLuQ52Gda.vzcmWrVVtmF...
Content-Type: application/sdp	
Content-Length: 396	

!
v=0	
o=- 3595073567 3595073567 IN IP4 10.203.175.1	
s=Blink Pro 3.4...
Attacking SIP
(TRY THIS AT SOMEONE ELSE’S HOME.)

Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
SIP digest auth is weak.
MD5-1 = MD5 (Username:Realm:Password)

MD5-2 = MD5 (Method:URI)

Response MD5 Value = MD5 (MD5-1:...
SIP is vulnerable
Forging Contact: to hijack a session
Easy man-in the
middle attacks
DoS via Expires: 0
Denial of service...
SIPS
How do we solve this?
(SIP Secure)

Very similar to HTTPS - Requires client support
Securing telephony - AdhearsionCo...
Software support
•

Asterisk: https://wiki.asterisk.org/wiki/display/AST/Secure
+Calling+Tutorial

•

FreeSWITCH: http://w...
Media: RTP
(REAL-TIME TRANSPORT PROTOCOL)

Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
RTP Basics
UDP protocol

Ports 1024 to 65535

Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
Let me hear you say…
Packet sniffing enables easy eavesdropping

A switched network requires an ARP cache poisoning
attack ...
What if I want to be REALLY bad?
The timestamp usually starts with 0 and increments by the
length of the codec content (e....
How can we have fun?

Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
Audio injection
By predicting timestamp, sequence and SSRC, we can
play whatever frame we want.

“Did you just say
somethi...
Audio replacement
Using higher sequences and timestamp, we
make the original audio packets obsolete.

Just replace “buy” w...
What if I am just
grumpy?
DoS via packet flooding
(keep repeating a packet)
DoS by RTCP Bye
(session teardown)

Securing te...
By the way, the NSA
knows about this.
(AND IN CASE THEY WERE MISSING ANYTHING, IT IS IN
MY DROPBOX ANYWAY)

Securing telep...
SRTP

(Secure RTP)
Uses AES in counter mode (AESCTR) with 128 or 256 bit keys

Generates a cypher stream that
is XORed rea...
Still need those keys…
(NEGOTIATION)

Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
MIKEY and SDES
MIKEY was never actually adopted
because it requires additional SIP
capabilities

SDES (SDP Security Descri...
Keying in the media
path: DTLS-SRTP
•

DTLS exchange over the media port

•

Uses secrets from the DTLS handshake as keyin...
ZRTP

(Z is cooler than S.)

Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
What it does
1. Discovery phase, to find out if the peers
support ZRTP
2. Key agreement phase, to exchange the
keying data...
How it works
•

Exchange happens in
media path

•

Diffie-Hellman key
exchange

•

SAS (Short Authentication
String) produ...
Hellman, the mayonnaise guy?

Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
Why is the SAS important?
•

The Short Authentication String is computed with a
hash of the keys negotiated during DH exch...
Benefits
•

Does not require any signaling security

•

It is, in fact, signaling and server agnostic (SIP, H.
323, Jingle...
Software support
•

FreeSWITCH: https://wiki.freeswitch.org/wiki/ZRTP

•

Jitsi: https://jitsi.org/

•

ZFone: http://zfon...
Final caveats
•

You are never truly
secure

•

Ensure you never
drop out of the IP
network

•

Endpoints are easy
targets...
Bibliography
•

Hacking VoIP: Protocols, Attacks and
Countermeasures (http://goo.gl/33EtU7)

•

SIP: Understanding the Ses...
Thank you!
•

http://
mojolingo.com

•

@lucaprado on
Twitter

•

polysics on
Github and IRC

Securing telephony - Adhears...
Upcoming SlideShare
Loading in...5
×

Securing Voice Communication

455

Published on

A presentation given at AdhearsionConf 2013 about the possible attacks against SIP and RTP relative countermeasures.

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
455
On Slideshare
0
From Embeds
0
Number of Embeds
4
Actions
Shares
0
Downloads
15
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Transcript of "Securing Voice Communication"

  1. 1. SECURING VOICE COMMUNICATION (The NSA does not need to hear about this.) by Luca Pradovera
  2. 2. About me Luca Pradovera Voice Application Developer Mojo Lingo LLC, Atlanta, GA Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  3. 3. CAN WE TRUST VOIP? NO. Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  4. 4. Alice, Bob and Bubba All cleartext! Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  5. 5. Signaling: SIP (SESSION INITIATION PROTOCOL) Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  6. 6. Request methods: INVITE, ACK, BYE SIP is similar to HTTP Headers: To, From Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  7. 7. INVITE sip:123@10.203.175.11 SIP/2.0 Via: SIP/2.0/UDP 10.203.175.1:63851;rport;branch=z9hG4bKPjOZmllyLuQ52Gda.vzcmWrVVtmFKSyRuz Max-Forwards: 70 From: "Luca Pradovera" <sip:usera@10.203.175.11>;tag=DRTwWU5q2EfrbebG7IMvd3RdDbsKFPOX To: <sip:123@10.203.175.11> Contact: <sip:23941570@10.203.175.1:63851> Call-ID: PvpN2LErALSXW16MbkJPBcZNf7fzeSc4 CSeq: 15461 INVITE Allow: SUBSCRIBE, NOTIFY, PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, MESSAGE, REFER Supported: 100rel, replaces, norefersub, gruu User-Agent: Blink Pro 3.4.0 (MacOSX) Authorization: Digest username="usera", realm="asterisk", nonce="080a602e", uri="sip: 123@10.203.175.11", response="40732f23b39bc681484874c89c424bf4", algorithm=MD5 SIP Headers Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  8. 8. Content-Type: application/sdp Content-Length: 396 ! v=0 o=- 3595073567 3595073567 IN IP4 10.203.175.1 s=Blink Pro 3.4.0 (MacOSX) c=IN IP4 10.203.175.1 t=0 0 m=audio 50000 RTP/AVP 108 99 98 9 0 8 96 a=rtcp:50001 a=rtpmap:108 opus/48000 a=fmtp:108 useinbandfec=1 a=rtpmap:9 G722/8000 SDP Payload a=rtpmap:0 PCMU/8000 a=rtpmap:8 PCMA/8000 a=rtpmap:96 telephone-event/8000 a=fmtp:96 0-15 a=sendrecv Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  9. 9. Attacking SIP (TRY THIS AT SOMEONE ELSE’S HOME.) Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  10. 10. SIP digest auth is weak. MD5-1 = MD5 (Username:Realm:Password)
 MD5-2 = MD5 (Method:URI)
 Response MD5 Value = MD5 (MD5-1:Nonce:MD5-2) The only unknown term is the password = An offline attack is possible! Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  11. 11. SIP is vulnerable Forging Contact: to hijack a session Easy man-in the middle attacks DoS via Expires: 0 Denial of service via REGISTER Denial of service via BYE Identity theft Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  12. 12. SIPS How do we solve this? (SIP Secure) Very similar to HTTPS - Requires client support Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  13. 13. Software support • Asterisk: https://wiki.asterisk.org/wiki/display/AST/Secure +Calling+Tutorial • FreeSWITCH: http://wiki.freeswitch.org/wiki/SIP_TLS • Many softphones and hardware phones Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  14. 14. Media: RTP (REAL-TIME TRANSPORT PROTOCOL) Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  15. 15. RTP Basics UDP protocol Ports 1024 to 65535 Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  16. 16. Let me hear you say… Packet sniffing enables easy eavesdropping A switched network requires an ARP cache poisoning attack but not much more CREEPY DEMO TIME! Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  17. 17. What if I want to be REALLY bad? The timestamp usually starts with 0 and increments by the length of the codec content (e.g. 160ms); the sequence starts with 0 and increments by 1, and the SSRC is usually a static value for the session and a function of time. = They are PREDICTABLE! Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  18. 18. How can we have fun? Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  19. 19. Audio injection By predicting timestamp, sequence and SSRC, we can play whatever frame we want. “Did you just say something? Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  20. 20. Audio replacement Using higher sequences and timestamp, we make the original audio packets obsolete. Just replace “buy” with “sell” and watch Bitcoin crash! Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  21. 21. What if I am just grumpy? DoS via packet flooding (keep repeating a packet) DoS by RTCP Bye (session teardown) Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  22. 22. By the way, the NSA knows about this. (AND IN CASE THEY WERE MISSING ANYTHING, IT IS IN MY DROPBOX ANYWAY) Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  23. 23. SRTP (Secure RTP) Uses AES in counter mode (AESCTR) with 128 or 256 bit keys Generates a cypher stream that is XORed real-time with plaintext media Headers are signed, payload is encrypted Uses symmetric keys and ciphers that need to be negotiated somehow Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  24. 24. Still need those keys… (NEGOTIATION) Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  25. 25. MIKEY and SDES MIKEY was never actually adopted because it requires additional SIP capabilities SDES (SDP Security Descriptions) a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:d0RmdmcmVCspeEc3QGZiNWpVLFJhQX1cfHAwJSoj|2^20|1:32 requires full TLS protection and still exposes keying to SIP servers. Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  26. 26. Keying in the media path: DTLS-SRTP • DTLS exchange over the media port • Uses secrets from the DTLS handshake as keying information • Requires PKI (Public Key Infrastructure) • Used by WebRTC Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  27. 27. ZRTP (Z is cooler than S.) Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  28. 28. What it does 1. Discovery phase, to find out if the peers support ZRTP 2. Key agreement phase, to exchange the keying data 3. Secure phase, confirming the cryptographic exchange worked and switching to SRTP Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  29. 29. How it works • Exchange happens in media path • Diffie-Hellman key exchange • SAS (Short Authentication String) produced so it can be compared by humans Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  30. 30. Hellman, the mayonnaise guy? Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  31. 31. Why is the SAS important? • The Short Authentication String is computed with a hash of the keys negotiated during DH exchange • It is usually a 4 digit number • It guarantees the absence of a man-in-the-middle • It is retained and reused for subsequent communications Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  32. 32. Benefits • Does not require any signaling security • It is, in fact, signaling and server agnostic (SIP, H. 323, Jingle, WebRTC) • Protected against man-in-the-middle attacks • Best-effort encryption with feedback (the user agent knows if the line is secure or not) • It has a Z in the acronym. Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  33. 33. Software support • FreeSWITCH: https://wiki.freeswitch.org/wiki/ZRTP • Jitsi: https://jitsi.org/ • ZFone: http://zfoneproject.com/ Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  34. 34. Final caveats • You are never truly secure • Ensure you never drop out of the IP network • Endpoints are easy targets Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  35. 35. Bibliography • Hacking VoIP: Protocols, Attacks and Countermeasures (http://goo.gl/33EtU7) • SIP: Understanding the Session Initiation Protocol (http://goo.gl/sFSsSi) • Applied Cryptography: Protocols, Algorithms, and Source Code in C (http://goo.gl/U4QOJj) • Countless RFCs and extensions Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  36. 36. Thank you! • http:// mojolingo.com • @lucaprado on Twitter • polysics on Github and IRC Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×