Security Challenges in VoIP

         Tom Gilis – Security Consultant




                    Thursday, March 26, 2009
Agenda

• Introduction

• Segregation of Voice and Data

• VoIP security threats

• Conclusion




2   © Copyright Dimension Data 2000 - 2009   26 March 2009
Who am I and what am I doing here ?
Tom Gilis
     Security Consultant with Dimension Data
     Penetration tests of infrastructures and applications
     Risk analysis


Purpose
     Create awareness around VoIP security
     Identify security risks and weaknesses
     Evaluate protection mechanisms


Do we need more security with VoIP?
PBX
     More difficult to access
     Requires specialized knowledge

VoIP
     Uses an existing network (and its flaws)
     Increase in potential attackers
     Offers more services



VoIP Networks today




Network segregation
Separate voice and data network
     Improve security
     Easier management
     Quality of service


Physical
     • Expensive
     • New infrastructure
     • Difficult deployment

Virtual
     • Cheaper
     • Uses current infrastructure
     • Easier deployment




You probably already use …
Virtual Local Area Networks (VLANs)
     Group devices together in one segment
     Separate Voice and Data network
     VLAN Trunking


Automatic VLAN configuration
     I.   DHCP Options
     II.  Proprietary protocols (LLDP)
     III. …




Automatic VLAN configuration

Easy = YES, Security = NO!
Security tool: VoIPHopper (voiphopper.sourceforge.net)
Add authentication layer...
802.1X standard
     Authentication and authorization
     Username/password or certificates
     Compatible with VLAN Trunking
     Requires:
       Phone and switch support
       Authentication server
       User administration




Good effort but …
Off-line brute force/dictionary attack tool




(xtest.sourceforge.net)

Conclusion segregation
     Recommended
     − Quality of service
     − First security barrier

     Hard to properly protect
     Not always possible




     Segregation alone is NOT enough!


Information Security – CIA Triad

[Diagram: Information Security at the centre of Confidentiality, Integrity and Availability]



Information Security in VoIP


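[Diagram: Information Security in VoIP at the centre of Confidentiality, Integrity, Availability and Quality of Service]
Legend: C = Confidentiality, I = Integrity, A = Availability, Q = Quality of Service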
VoIP Call setup




VoIP Security threats
     Unauthorized access


     Interruption-of-service


     Eavesdropping


     Registration and Media manipulation


     Social threats
Unauthorized access
Gaining unauthorized access to a VoIP system or component
using one of the remote services.
Administrative services (Telnet, HTTP(S), TFTP, …)
     − Attacks: Password sniffing, Brute force attack, Exploits, …
     − Goal: Change configuration, abuse telephone network …
     − Protection:
           System hardening (Vendor patches, ACLs, …)
           Good password policy




Affected properties (C I A Q): C, I, A, Q
Unauthorized access - TFTP bruteforce




                  Brutefile.txt




Source: hackingvoip.com
Unauthorized access – VoIP Server




Interruption-of-service
Disrupting the VoIP service by attacking an essential part of the
voice network.
     Network
     − Denial-of-service
     − SYN-flooding
     − ARP spoofing

     Service
     − DNS
     − DHCP

     Application
     − SIP flooding attack
     − RTP/RTCP injections


Interruption-of-service – Network
Disrupting the VoIP service by attacking network components
Denial-of-service attacks
     − Attacks: DDoS, Ping of Death, ICMP Flooding, SYN Flooding…
     − Goal: Bring down an essential part of the VoIP network (routers, VoIP
      gateways, telephones, …), create delay, jitter or packet drops…
     − Protection:
           Firewall
           Intrusion Prevention Systems (IPS)




Affected properties (C I A Q): A, Q
Interruption-of-service – Services
Disrupting proper VoIP communication by attacking an essential
service
DNS/DHCP/…
     − Attacks: Rogue DHCP server, DNS Cache poisoning, …
     − Goal: Re-route traffic to another compromised host, block new systems
      from accessing the network
     − Protection (Network level):
           Rogue DHCP server detection
           Intrusion Prevention Systems




Affected properties (C I A Q): A
Interruption-of-service – Application
Disrupting proper communication by targeting security weaknesses or
risks in VoIP control or signaling protocols
SIP/H323/RTCP/…
     − Attacks: SIP INVITE flooding, SIP/RTCP or malformed packet
      injection,…
     − Goal: Flooding SIP proxy, terminating or disturbing calls through
      injection of malicious messages, delay, jitter, packet drops, …
     − Protection:
           Enforce authentication for all packets (preferably mutual)
           Firewall or IPS with VoIP capabilities



Affected properties (C I A Q): A, Q
SiVuS – VoIP Vulnerability Scanner




Eavesdropping
Listening in on private communications between two or more
VoIP devices.
RTP (Real-time Transport Protocol)
     − Attacks: MAC spoofing, WiFi hacking, ARP spoofing, MITM, …
     − Goal: Gain access to the media stream
     − Protection:
           Network hardening
           Encryption
             – Protocol encryption SRTP, ZRTP
             – (D)TLS, IPSec tunnels



Affected properties (C I A Q): C
ARP Spoof – Man-in-the-middle
Man-in-the-middle attack




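A defender-side check for the ARP spoofing man-in-the-middle named above, as an added example that is not part of the original slides: it tracks IP-to-MAC bindings seen in ARP replies on the voice VLAN and flags changes. The addresses, the `PINNED` table and the observation format are constructed assumptions.

```python
from collections import defaultdict, namedtuple

Alert = namedtuple("Alert", "time kind ip mac detail")

def watch_arp(observations, pinned=None):
    """Flag suspicious IP-to-MAC bindings in ordered (time, sender_ip, sender_mac)
    ARP replies. `pinned` holds known-good bindings (gateway, call server)."""
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    known = dict(pinned)
    ips_by_mac = defaultdict(set)
    for ip, mac in known.items():
        ips_by_mac[mac].add(ip)
    alerts = []
    for t, ip, mac in observations:
        mac = mac.lower()
        prev = known.get(ip)
        if prev is None:
            known[ip] = mac  # first sighting: learn the binding
        elif prev != mac:
            note = f"was {prev}" + (" (pinned)" if ip in pinned else "")
            alerts.append(Alert(t, "binding-change", ip, mac, note))
            if ip not in pinned:
                known[ip] = mac  # track the latest claim so flapping shows up
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:
                # One NIC answering for several addresses, e.g. phone and gateway
                alerts.append(Alert(t, "multi-ip", ip, mac,
                                    ",".join(sorted(ips_by_mac[mac]))))
    return alerts

# Constructed sample data (not from a real capture).
PINNED = {"10.0.10.1": "00:11:22:33:44:01"}      # voice VLAN gateway
OBSERVED = [
    (0,  "10.0.10.21", "00:11:22:33:44:21"),     # phone announces itself
    (5,  "10.0.10.1",  "00:11:22:33:44:01"),     # gateway, matches pinned entry
    (60, "10.0.10.1",  "00:11:22:33:44:99"),     # third host claims the gateway
    (60, "10.0.10.21", "00:11:22:33:44:99"),     # ... and the phone
    (62, "10.0.10.21", "00:11:22:33:44:21"),     # real phone answers again
]

if __name__ == "__main__":
    for alert in watch_arp(OBSERVED, PINNED):
        print(alert)
```
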
Eavesdropping - Wireshark




Registration manipulation
Manipulating or inserting registration packets in order to redirect
or hijack sessions
Signalling protocols (SIP, H323)
     − Attacks: Registration removal, hijacking or addition
     − Goal: Masquerading, eavesdropping, …
     − Protection:
           Require authentication for all packets
           Enforce decent password policy




Affected properties (C I A Q): C, I
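An audit for the "require authentication for all packets" protection on this slide, as an added example that is not part of the original slides: it pairs each SIP REGISTER with its final response and reports registrations accepted without credentials, binding removals, and contact changes. The message samples, names and addresses are constructed, and the capture format is an assumption.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind aor src detail")

def parse_sip(raw):  # returns (start_line, headers); header names lower-cased
    lines = raw.strip().split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def uri_in(value):  # sip:/sips: URI inside a To or Contact header value
    m = re.search(r"sips?:[^>;\s]+", value)
    return m.group(0) if m else None

def audit_registrations(capture):
    """capture: ordered (source_ip, raw_message) pairs seen at the registrar."""
    pending, bindings, findings = {}, {}, []
    for src, raw in capture:
        start, h = parse_sip(raw)
        key = (h.get("call-id"), h.get("cseq"))  # ties a response to its request
        if start.startswith("REGISTER "):
            pending[key] = (src, h)
        if not start.startswith("SIP/2.0 ") or key not in pending:
            continue
        status = int(start.split()[1])
        if status < 200:
            continue  # provisional response, keep waiting
        req_src, req = pending.pop(key)
        if status != 200:
            continue  # 401/407 challenge or rejection: nothing was bound
        aor, contact = uri_in(req.get("to", "")), req.get("contact", "")
        if "authorization" not in req:
            findings.append(Finding("unauthenticated-accept", aor, req_src, "no credentials"))
        if contact == "*" or req.get("expires") == "0" or "expires=0" in contact:
            findings.append(Finding("removal", aor, req_src, "binding removed"))
            bindings.pop(aor, None)
            continue
        new, old = uri_in(contact), bindings.get(aor)
        if old and old != new:  # a signal to review, not proof: phones do move
            findings.append(Finding("contact-change", aor, req_src, f"{old} -> {new}"))
        bindings[aor] = new
    return findings

# Constructed sample traffic: trimmed headers, made-up names and addresses.
def msg(start, call_id, cseq, to, **extra):
    h = {"To": f"<{to}>", "Call-ID": call_id, "CSeq": f"{cseq} REGISTER", **extra}
    return "\r\n".join([start] + [f"{k}: {v}" for k, v in h.items()]) + "\r\n\r\n"

REG, OK, CHAL = "REGISTER sip:voice.example SIP/2.0", "SIP/2.0 200 OK", "SIP/2.0 401 Unauthorized"
ALICE, BOB, REGISTRAR = "sip:alice@voice.example", "sip:bob@voice.example", "10.0.10.5"
AUTH = 'Digest username="alice", realm="voice.example"'  # remaining fields elided
CAPTURE = [
    ("10.0.10.21", msg(REG, "c1", 1, ALICE, Contact="<sip:alice@10.0.10.21:5060>")),
    (REGISTRAR, msg(CHAL, "c1", 1, ALICE)),
    ("10.0.10.21", msg(REG, "c1", 2, ALICE, Contact="<sip:alice@10.0.10.21:5060>", Authorization=AUTH)),
    (REGISTRAR, msg(OK, "c1", 2, ALICE)),
    ("10.0.20.99", msg(REG, "c2", 1, ALICE, Contact="<sip:alice@10.0.20.99:5060>")),
    (REGISTRAR, msg(OK, "c2", 1, ALICE)),
    ("10.0.20.99", msg(REG, "c3", 1, BOB, Contact="*", Expires=0)),
    (REGISTRAR, msg(OK, "c3", 1, BOB)),
]

if __name__ == "__main__":
    print(*audit_registrations(CAPTURE), sep="\n")
```

A registrar that challenges every REGISTER produces no `unauthenticated-accept` findings; any that appear point at a trust exception or a misconfigured realm.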
SiVuS – Password Bruteforcing




     Attacks SIP authentication
     Works both online and offline
     Numeric passwords up to 10 chars → +/- 8 min

Media manipulation
Manipulation of the media stream exchanged between two
clients
RTP (Real-time Transport Protocol)
     − Attacks: RTP injection
     − Goal: Change or add certain voice messages in a conversation
     − Protection:
           Network hardening
           Protocol encryption SRTP, ZRTP
           (D)TLS, IPSec tunnels




Affected properties (C I A Q): C, I
Social threat – VoIP Spam (SPIT)
Abusing public VoIP service providers or hacked VoIP solutions
to get commercial messages to the different users
     Direct access to target user
     Low costs
     Hard to protect against


Not popular now but what about in the future?
     Interconnections through SIP trunks
     More VoIP end-to-end
     Easier access

Social threat – VISHING
Social engineering attacks in order to entice users to call a
specific number and give out confidential information




Information Security in VoIP
Confidentiality & Integrity
• Use encryption where possible
      − Application layer:
            SRTP, ZRTP, S/MIME in SIP
      − Transport/Network Layer:
            (D)TLS, IPSec
• Authentication
      − Preferably mutual
      − Strong passwords

• Keep your software up-to-date


Information Security in VoIP
Availability and Quality-of-Service
• Network hardening
• Security devices
     − Firewall
     − Intrusion Prevention System

• Redundancy
     − Fail-over
     − UPS

• Logging and monitoring


Conclusion – Security threats

YES, secure VoIP exists!

Costs VS Security
     Added infrastructure:
         Better and faster hardware
         PKI environment, RADIUS server, …
     Maintenance
     Installation




Recommendations
• Design and implement a secure network environment

• Use encryption where possible

• Assure availability through proper redundancy – e.g. Network infrastructure, UPS, …

• Good password management

• Don’t use soft-phones

• Protect your wireless clients with proper protection

• Penetration tests and security audits


Questions and Answers




                                              Thank you !


