Security Challenges In VoIP

Nowadays VoIP technologies have taken the upper hand, offering many advantages compared to the traditional telephone network, but what are the security risks involved when voice and data networks come together? In this presentation, we will identify and evaluate these different security risks and their countermeasures from both a defensive and an offensive position.


  1. Security Challenges in VoIP. Tom Gilis – Security Consultant. Thursday, March 26, 2009
  2. Agenda: Introduction; Segregation of Voice and Data; VoIP security threats; Conclusion. © Copyright Dimension Data 2000 - 2009, 26 March 2009
  3. Agenda: Introduction; Segregation of Voice and Data; VoIP security threats; Conclusion
  4. Who am I and what am I doing here? Tom Gilis: Security Consultant with Dimension Data; penetration tests (infrastructures and applications); risk analysis. Purpose: create awareness around VoIP security; identify security risks and weaknesses; evaluate protection mechanisms
  5. Do we need more security with VoIP? PBX: more difficult to access; required specialized knowledge. VoIP: uses an existing network (and its flaws); increase in potential attackers; offers more services
  6. VoIP Networks today
  7. Agenda: Introduction; Segregation of Voice and Data; VoIP security threats; Conclusion
  8. Network segregation: Separate voice and data network: improve security; easier management; quality of service. Physical: expensive; new infrastructure; difficult deployment. Virtual: cheaper; uses current infrastructure; easier deployment
  9. You probably already use … Virtual Local Area Networks (VLANs): group devices together in one segment; separate voice and data network. VLAN trunking. Automatic VLAN configuration: I. DHCP options; II. Proprietary protocols (LLDP); III. …
  10. Automatic VLAN configuration: Easy = YES, Security = NO! Security tool: VoIPHopper (voiphopper.sourceforge.net)
  11. Add authentication layer... 802.1X standard: authentication and authorization; username/password or certificates; compatible with VLAN trunking. Requires: phone and switch support; authentication server; user administration
  12. Good effort but … Off-line brute force/dictionary attack tool (xtest.sourceforge.net)
  13. Conclusion segregation: Recommended (quality of service; first security barrier). Hard to properly protect. Not always possible. Segregation alone is NOT enough!
  14. Agenda: Introduction; Segregation of Voice and Data; VoIP security threats; Conclusion
  15. Information Security – CIA Triad: Confidentiality, Integrity, Availability
  16. Information Security in VoIP: Confidentiality, Integrity, Availability, Quality of Service (C I A Q)
  17. VoIP Call setup
  18. VoIP Security threats: Unauthorized access; Interruption-of-service; Eavesdropping; Registration and Media manipulation; Social threats
  19. Unauthorized access: Gaining unauthorized access to a VoIP system or component using one of the remote services. Administrative services (Telnet, HTTP(S), TFTP, …). Attacks: password sniffing, brute force attack, exploits, … Goal: change configuration, abuse telephone network, … Protection: system hardening (vendor patches, ACLs, …); good password policy. (CIAQ: C, I, A, Q)
  20. Unauthorized access - TFTP bruteforce. Brutefile.txt. Source: hackingvoip.com
  21. Unauthorized access - TFTP bruteforce. Brutefile.txt. Source: hackingvoip.com
  22. Unauthorized access – VoIP Server
  23. Interruption-of-service: Disrupting the VoIP service by attacking an essential part of the voice network. Network: denial-of-service, SYN flooding, ARP spoofing. Service: DNS, DHCP. Application: SIP flooding attack, RTP/RTCP injections
  24. Interruption-of-service – Network: Disrupting the VoIP service by attacking network components. Denial-of-service attacks. Attacks: DDoS, Ping of Death, ICMP flooding, SYN flooding, … Goal: bring down an essential part of the VoIP network (routers, VoIP gateways, telephones, …), create delay, jitter or packet drops, … Protection: firewall; Intrusion Prevention Systems (IPS). (CIAQ: A, Q)
  25. Interruption-of-service – Services: Disrupting proper VoIP communication by attacking an essential service. DNS/DHCP/… Attacks: rogue DHCP server, DNS cache poisoning, … Goal: re-route traffic to another compromised host, block new systems from accessing the network. Protection (network level): rogue DHCP server detection; Intrusion Prevention Systems. (CIAQ: A)
  26. Interruption-of-service – Application: Disrupting proper communication by targeting the security weaknesses or risks of VoIP control or signaling protocols. SIP/H323/RTCP/… Attacks: SIP INVITE flooding, SIP/RTCP or malformed packet injection, … Goal: flooding the SIP proxy, terminating or disturbing calls through injection of malicious messages, delay, jitter, packet drops, … Protection: enforce authentication for all packets (preferably mutual); firewall or IPS with VoIP capabilities. (CIAQ: A, Q)
  27. SiVuS – VoIP Vulnerability Scanner
  28. Eavesdropping: Listening in on private communications between two or more VoIP devices. RTP (Real-time Transport Protocol). Attacks: MAC spoofing, WiFi hacking, ARP spoofing, MITM, … Goal: gain access to the media stream. Protection: network hardening; encryption (protocol encryption: SRTP, ZRTP; (D)TLS, IPSec tunnels). (CIAQ: C)
  29. ARP Spoof – Man-in-the-middle: Man-in-the-middle attack
  30. Eavesdropping - Wireshark
  31. Registration manipulation: Manipulating or inserting registration packets in order to redirect or hijack sessions. Signalling protocols (SIP, H323). Attacks: registration removal, hijacking or addition. Goal: masquerading, eavesdropping, … Protection: require authentication for all packets; enforce decent password policy. (CIAQ: C, I)
  32. SiVuS – Password Bruteforcing: Attacks SIP authentication. Works both online and offline. Numeric passwords up to 10 chars → +/- 8 min
  33. Media manipulation: Manipulation of the media stream exchanged between two clients. RTP (Real-time Transport Protocol). Attacks: RTP injection. Goal: change or add certain voice messages in a conversation. Protection: network hardening; protocol encryption (SRTP, ZRTP); (D)TLS, IPSec tunnels. (CIAQ: C, I)
  34. Social threat – VoIP Spam (SPIT): Abusing public VoIP service providers or hacked VoIP solutions to get commercial messages to the different users. Direct access to target user; low costs; hard to protect against. Not popular now but what about in the future? Interconnections through SIP trunks; more VoIP end-to-end; easier access
  35. Social threat – VISHING: Social engineering attacks in order to entice users to call a specific number and give out confidential information
  36. Agenda: Introduction; Segregation of Voice and Data; VoIP security threats; Conclusion
  37. Information Security in VoIP – Confidentiality & Integrity: Use encryption where possible (application layer: SRTP, ZRTP, S/MIME in SIP; transport/network layer: (D)TLS, IPSec). Authentication (preferably mutual; strong passwords). Keep your software up-to-date
  38. Information Security in VoIP – Availability and Quality-of-Service: Network hardening. Security devices (firewall; Intrusion Prevention System). Redundancy (fail-over; UPS). Logging and monitoring
  39. Conclusion – Security threats: YES, secure VoIP exists! Costs vs. security. Added infrastructure: better and faster hardware; PKI environment, RADIUS server, … Maintenance. Installation
  40. Recommendations: Design and implement a secure network environment. Use encryption where possible. Assure availability through proper redundancy (e.g. network infrastructure, UPS, …). Good password management. Don’t use soft-phones. Protect your wireless clients with proper protection. Penetration tests and security audits
  41. Questions and Answers. Thank you!
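As an added example (not part of the original slides), here is a minimal per-source detector for the SIP INVITE flooding named on slide 26, run over constructed log lines. The log format (`epoch src_ip SIP-start-line`), the window length, the threshold and all addresses are assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW_S = 10     # assumed sliding-window length, in seconds
MAX_INVITES = 5   # assumed INVITE budget per source inside one window


def parse_event(line):
    """Parse 'epoch src_ip SIP-start-line' into (ts, ip, method); None if unusable."""
    parts = line.split(None, 3)
    if len(parts) < 4:
        return None                      # truncated or malformed record
    ts, ip, method = parts[0], parts[1], parts[2]
    if method.startswith("SIP/"):
        return None                      # status line of a response, not a request
    try:
        return float(ts), ip, method
    except ValueError:
        return None                      # timestamp is not a number


def find_invite_floods(lines, window=WINDOW_S, limit=MAX_INVITES):
    """Return {src_ip: peak INVITE count in one window} for sources over the limit.

    Lines are expected in time order, as a proxy or IPS log would emit them.
    """
    recent = defaultdict(deque)          # src_ip -> INVITE timestamps inside the window
    peaks = {}
    for line in lines:
        event = parse_event(line)
        if event is None or event[2] != "INVITE":
            continue
        ts, ip, _ = event
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # expire INVITEs older than the window
            q.popleft()
        if len(q) > limit:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def build_sample():
    """Constructed traffic: one normal phone, one flooding source, plus noise."""
    events = [(1000.0 + 20 * i, "10.0.20.15", "INVITE sip:200@pbx.example SIP/2.0")
              for i in range(3)]
    events += [(1005.0 + 0.5 * i, "10.0.20.99", "INVITE sip:201@pbx.example SIP/2.0")
               for i in range(12)]
    events += [(1001.0, "10.0.20.15", "REGISTER sip:pbx.example SIP/2.0"),
               (1006.2, "10.0.20.1", "SIP/2.0 200 OK")]
    return ["%.1f %s %s" % e for e in sorted(events)] + ["truncated-line"]
```

The counter is kept per source address, so a flood spread over many sources needs an additional aggregate counter per destination.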
