An old description of the IMS vulnerabilities and mitigation controls

1. Meletis Belsis
Information Security Consultant
MPhil / MRes/ BSc, C|EH / CCSA / CWSP
IMS SecurityIMS Security

2. IMS ArchitectureIMS Architecture
IMS ComplexityIMS Complexity
IMS ThreatsIMS Threats
VoIP AttacksVoIP Attacks
The Hacker’s ToolboxThe Hacker’s Toolbox
IMS SecurityIMS Security
PresentationPresentation
AgendaAgenda

3. IMS ArchitectureIMS Architecture
• IP Multimedia Subsystem (IMS)IP Multimedia Subsystem (IMS) was initiated by the 3GPP Group to
allow Mobile Service Providers extend their services using the
TCP/IP protocolTCP/IP protocol.
• IMS was build around TCP/IP ver 6TCP/IP ver 6. Due to the fact that currently
most providers use the TCP/IP ver. 4TCP/IP ver. 4 the initial security features
proposed cannot be implemented
• The System was further enhanced by the TISPAN group with
the idea of the Next Generation Network (NGN)Next Generation Network (NGN) which extend the
IMS to allow access through ADSL and Land Lines.
• Mobile Operators will use the IMS to offer multimedia services
including VoIPVoIP and VoDVoD.

4. IMS ArchitectureIMS Architecture
•IMS architectures use the SIPSIP
protocolprotocol to exchange signaling
messages and the RTP protocolRTP protocol
to exchange customer traffic.
•The IMS Core is build around a
Call Session Control FunctionCall Session Control Function
(CSCF)(CSCF) which manages the user
access and allows the distribution
of Content Services.
•To perform the user
management the HomeHome
Subscriber Server (HSS)Subscriber Server (HSS) is used.
HSS is similar to the HLR in 3G
Networks.
•The Diameter protocol is used for

5. IMS ComponentsIMS Components

6. IMS ComponentsIMS Components

7. IMS Security ComplexityIMS Security Complexity
•Securing a IMS network is complex because:
• IMS inherits most TCP/IP Vulnerabilitiesinherits most TCP/IP Vulnerabilities
• IMS users connect through a number of different access media
(e.g. UMTS, ADSL, PSTN ).
• IMS uses the SIP and RTP (UDP communication)uses the SIP and RTP (UDP communication) and thus may not be
able to operate on networks that use firewalls. Special proxy
techniques like Simple Traversal of UDP through NATs (STUN)Simple Traversal of UDP through NATs (STUN) need to
be applied.
• Signaling (SIP)Signaling (SIP) and Media (RTP)Media (RTP) traffic may follow different routes.

8. IMS ThreatsIMS Threats
• Denial Of ServiceDenial Of Service
• Flood Attacks
• BYE Tear Down
• Registration Reject
• Hold Attack
• Call Reject
• Interception AttacksInterception Attacks
• Call Hijacking
• Registration Hijacking
• Media Session Hijacking
• Server Masquerading
• DNS Poisoning
• Caller ID Spoofing
• VoIP VLAN Hopping
• ARP Spoofing
• SIP Injection
• Session Modification
• Social AttacksSocial Attacks
• SPIT
• Fraud AttacksFraud Attacks

9. P ThreatsP Threats
• VoIP Platforms VulnerabilitiesVoIP Platforms Vulnerabilities
• CAN-2004-0056: Malformed H.323 packet to exploit Nortel
BCM vulnerabilities
• CAN-2004-0054: Exploits CISCO IOS H.323 implementation
• CVE-2007-4459: Cisco SIP DoS vulnerabilities.
• CVE-2007-6424: Vulnerabilities on the Fonality Trixbox 2.0 PBX
products
• CVE-2007-5361: Vulnerabilities on the Alcatel- Lucent
OmniPCX Enterprise Communication Server.
• CVE-2007-5556: Vulnerabilities on the Avaya VoIP Handset.

10. Server MasqueradingServer Masquerading

11. UE’s initial Register Request looks like:
REGISTER SIP: home1.de SIP/2.0
Username=”user Authorization: Digest Username
user_private@home1.de”,
realm=”home1.de”, nonce=” “, uri=”SIP: home1.de”,
response=” “
Malicious Code infected with SQL injection looks like:
REGISTER SIP: home1.de SIP/2.0
Authorization: Digest
Username=”user_private@home1.de;delete table
subscriber”, realm=”home1.de”, nonce=” “, uri=”SIP:
home1.de”, response=” “
SIP InjectionSIP Injection

12. Hacker’s ToolboxHacker’s Toolbox
• OrekaOreka : A cross-platform system for recording and retrieving audio streams
• rtpBreakrtpBreak: detects, reconstructs and analyzes any RTP session through heuristics
over the UDP network traffic.
• SIPCrackSIPCrack : a SIP protocol login cracker
• SiVusSiVus : A SIP Vulnerability Scanner.
• BYE Teardown:BYE Teardown: disconnect an active VoIP conversation by spoofing the SIP BYE
message from the receiving party
• SipRogue :SipRogue :multifunctional SIP proxy that can be inserted between two talking
parties
• RTPInjectRTPInject :attack tool that injects arbitrary audio into established RTP
connections.
• TFTP Cracker:TFTP Cracker: A tool to attack VoIP endpoint and copy their configuration
through tftp
• ILTY(I am Listening to You)ILTY(I am Listening to You) : A multi-channel VoIP Sniffer
• Registration Adder:Registration Adder: A tool to allow fake registrations to be send

13. Hackers ToolboxHackers Toolbox
RTPInjectRTPInject SiVUS ScannerSiVUS Scanner

14. IMS CountermeasuresIMS Countermeasures
• EncryptionEncryption: The original standard proposed the use of
IPSecIPSec protocol on a hop-by-hop deployment. The TLSTLS
protocol can also be used to encrypt the SIP messages
exchanged between the nodes.
• FirewallsFirewalls:: Ensure that VoIP components (i.e. SIP Proxy,
DNS, DHCP, Radius) are logically located behind SessionSession
Border Controllers (SBC).Border Controllers (SBC). SBCs provide Firewalling
capabilities while bypassing NAT Problems. Traditional
firewalls can used to build DMZ zones for IP based
systems (i.e. DNS, Radius).

15. IMS CountermeasuresIMS Countermeasures
• ManagementManagement:: Avoid using weak
management protocols like tftp,
telnet and SNMP ver 2.
• Security Gateways (SEGs)Security Gateways (SEGs) SEG must
be deployed at the edge of an
IMS. These will create a NetworkNetwork
Security Domain (NDS)Security Domain (NDS) which will protect
the IMS core from other IMS
networks.
• AntivirusAntivirus: Deploy hardware
antivirus appliances at the
customer edge.

16. IMS CountermeasuresIMS Countermeasures
• Hardening the network Environment
• Enforce Security at the Network Equipment:Network Equipment:
• Port Security
• DHCP Snooping
• Receive Access Lists
• Enable MAC Filtering
• Define the maximum number of MAC addresses per port.
• Use Egress and Ingress filtering on all Border Routers
• Apply DoS protection techniques at the edge (e.g. Black Holing)
• Use Dedicated Management VLANs on the IMS Core
• BGP and Routing Security
• Use AAAAAA on all IMS infrastructure Systems
• Harden the OSHarden the OS of the platforms used
• DNZ Zone Transfers
• IP to MAC mappings on DHCP
• Apply Security Patches / Updates
• Disable Telnet and/or r-utilities

17. IMS CountermeasuresIMS Countermeasures
• IDS/IPSIDS/IPS
• SIP aware IDS / IPS
• Host based IDS/IPS at the Application
Servers
• VoIP HoneypotsVoIP Honeypots
• VoIP Phones
• Fake SIP Proxies

18. Questions ?Questions ?
Meletis BelsisMeletis Belsis