View
227
Download
0
Category
Preview:
Citation preview
8/12/2019 Bh Usa 07 Dempster
1/33
VoIP Security Methodology and Results
NGS Software Ltd Barrie Dempster Senior Security Consultant barrie@ngssoftware.com
8/12/2019 Bh Usa 07 Dempster
2/33
Agenda Agenda
VoIP Security Issues
Assessment Methodology
Case Study: Asterisk
8/12/2019 Bh Usa 07 Dempster
3/33
VoIP Security IssuesVoIP Security Issues
8/12/2019 Bh Usa 07 Dempster
4/33
hy is VoIP such a !ro"lem #hy is VoIP such a !ro"lem #
If you take a systematic a!!roach to it$ it isn%t
Assessing VoIP systems is &uite different from the '!ro"eand !arse( techni&ue commonly used on data"ases and we"a!!lications)
It a!!ears this way as it%s multi*disci!line *
+ata networks$ ,oice networks and security knowledge
8/12/2019 Bh Usa 07 Dempster
5/33
Con,ergence-Con,ergence-
.ne of the ma/or selling !oints "ut one of the "iggest issues
Goes against current network security "est !ractise)0irewalls$ VPNs$ VLANS etc)) are focused on se!aration of traffic$ often tose!arate into security "oundaries
Con,ergence not only makes administration easier$ it
makes hacking easier too Voice traffic on a data network is o!en to attacks using tools andtechni&ues that ha,e "een used in the !ast on data networks
8/12/2019 Bh Usa 07 Dempster
6/33
From the NIST Security considerations for Voice over IP systems:
The flexibility of V !" comes at a price# a$$e$ complexity insecuring %oice an$ $ata. Because V !" systems are connecte$ tothe $ata networ&' an$ share many of the same har$ware an$software components' there are more ways for intru$ers to attac& aV !" system than a con%entional %oice telephone system or "B(.)
A con,ergence &uote A con,ergence &uote
8/12/2019 Bh Usa 07 Dempster
7/33
1he Main 1hreats1he Main 1hreats
1oll 0raud
2a,esdro!!ing
Caller I+ S!oofing
+enial of Ser,ice
Another 2ntry Point
8/12/2019 Bh Usa 07 Dempster
8/33
1oll 0raud1oll 0raud
It%s easy 1he slightest misconfiguration can lead to toll fraud * Misconfiguration of+ISA$ +efault !asswords and sim!le social engineering)
It%s !rofita"le 0ree use of ser,ices Ser,ices can "e resold .,erheads are low
It%s ha!!ening 3and has "een for a long time4
8/12/2019 Bh Usa 07 Dempster
9/33
8/12/2019 Bh Usa 07 Dempster
10/33
Caller*I+ S!oofingCaller*I+ S!oofing
1here are a num"er of ways to do this
1his is another threat that e6isted "efore VoIP "ut /ust got easier
It%s still not an attack method that the general !u"lic are aware of Many com!anies still use it as !art of an authentication mechanism
7ou now need no technical knowledge to s!oof Caller*I+) A num"er of com!anies sell these ser,ices
8/12/2019 Bh Usa 07 Dempster
11/33
+enial of Ser,ice+enial of Ser,ice
8!time on traditional tele!hony networks is generally ,ery high It%s not easy to +oS someone It%s not easy to hide your tracks when !erforming an attack .nly a few com!anies control the access !oints
Ser,ice Le,els for tele!hony are more im!ortant than most IP !rotocols 2mergency ser,ices Customers58sers are used to high ser,ice le,els
VoIP "rings IP%s !ro"lems to ,oice IP has suffered many +oS ,ulnera"ilities +doS is e6!ensi,e and difficult to com"at
8/12/2019 Bh Usa 07 Dempster
12/33
Another 2ntry Point Another 2ntry Point VoIP "rings !ro"lems to the IP network as well
It%s as "ad as email$ IM clients and we" "rowsers3which is "ad-4
Com!licated5Numerous !rotocols Lots of ,ulnera"ilities already found
Attackers are finding more
8/12/2019 Bh Usa 07 Dempster
13/33
MethodologyMethodology
8/12/2019 Bh Usa 07 Dempster
14/33
8/12/2019 Bh Usa 07 Dempster
15/33
8/12/2019 Bh Usa 07 Dempster
16/33
So we "reak it down into com!onentsSo we "reak it down into com!onents
VoIP is made u! of a num"er of com!onents$ many of these are co,ered "ye6isting testing methodologies)
1he .!erating Platform
Configuration
VoIP Protocols
Su!!ort Protocols
8/12/2019 Bh Usa 07 Dempster
17/33
8/12/2019 Bh Usa 07 Dempster
18/33
ConfigurationConfiguration
9ow to assess configuration #
Scanning with war diallers and similar software is not enough
1he configuration also has to "e manually re,iewed$ "y checking theconfiguration file5data"ase)
Charting IV %s and call dialing !lans makes ,ulnera"ilities o",ious
8/12/2019 Bh Usa 07 Dempster
19/33
ConfigurationConfiguration
+efault !asswords
still ram!ant in P;
8/12/2019 Bh Usa 07 Dempster
20/33
VoIP ProtocolsVoIP Protocols
SIP5 1P5 1CP5MGCP5IA
8/12/2019 Bh Usa 07 Dempster
21/33
Su!!ort ProtocolsSu!!ort Protocols
1he 'IP( com!onent in VoIP is slightly more than IP$ it e6tends to 1CP$8+P and su!!orting !rotocols like +9CP$+NS$ 101P etc)))
1hese !rotocols all ha,e their own issues
1hese !rotocols also ha,e some ideas for solutions 3eg)) IPsec$VPN%s$I+S5IPS$ firewalls etc))))4
Com"ined with VoIP increase the risk of some of the attacks that canoccur
A VoIP assessment can "e done as !art of an infrastructure assessmentor standalone "ut standalone assessments should ca,eat that ,alidity isde!endent on infrastructure assessments "eing !erformedinde!endantly)
8/12/2019 Bh Usa 07 Dempster
22/33
Case Study: AsteriskCase Study: Asterisk
8/12/2019 Bh Usa 07 Dempster
23/33
hy Asterisk as a study su"/ect #hy Asterisk as a study su"/ect #
It%s !o!ular
It%s freely a,aila"le
No additional hardware re&uired
It%s o!en source
8/12/2019 Bh Usa 07 Dempster
24/33
Asterisk: .!erating Platform Asterisk: .!erating Platform
Network infrastructure 0irewalls will ha,e to "e configured to su!!ort Asterisk Mail ser,er configuration ;asic networking +NS$ 1CP$ 8+P$ IP etc)))
.!erating Systems uns on Linu6 so security issues relating to Linu6 a!!ly to Asterisk) Patching of the .S5Asterisk and other com!onents$ file !ermissions$ i!ta"les etc)))
+ata"ases5 e"ser,ices5C M Can ha,e a data"ase "ackend Commonly integrated with SugarC M 9as a num"er of we" front ends 3AsteriskN. $ 0reeP;
8/12/2019 Bh Usa 07 Dempster
25/33
Asterisk: Vulnera"ilities = +enial of Ser,ice Asterisk: Vulnera"ilities = +enial of Ser,ice
Asterisk SIP Channel +ri,er 3chan>si!4 SIP Malformed 8+P Packet+oS
Asterisk Manager Interface Passwordless 8ser M+? Authentication +oS Asterisk Malformed SIP INVI12 e&uest +oS Asterisk Crafted SIP es!onse Code handle>res!onse 0unction +oS Asterisk Malformed SIP egister Packet emote +oS Asterisk SIP Channel +ri,er 8ns!ecified emote +oS Asterisk IAia6@ IA
8/12/2019 Bh Usa 07 Dempster
26/33
8/12/2019 Bh Usa 07 Dempster
27/33
Asterisk: Vulnera"ilities = Code 26ecution Asterisk: Vulnera"ilities = Code 26ecution
Asterisk 1) B S+P Parser chan>si!)c !rocess>sd! 0unction .,erflows
else if 33 sscanf*a' +T,- ax/ate0anagement#1s+' s2 DD E44 Ffound D Eif 3o!tion>de"ug H @4ast>log3L.G>+2;8G$ ateMangement: JsKn $ s4if 3-strcasecm!3s$ local1C0 44
!eert Bca!a"ility D T,- 3(4/3T54036375056T48 C384TC 9else if 3-strcasecm!3s$ transferred1C0 44!eert Bca!a"ility D T,- 3(4/3T54036375056T4T/36S 5/5D4TC 9****************************************************************************************************else if 3 *sscanf*a' +T,- ax:$p5C#1s+' s2 DD E44 Ffound D Eif 3o!tion>de"ug H @4ast>log3L.G>+2;8G$ 8+P 2C: JsKn $ s4if 3-strcasecm!3s$ t B8+P edundancy 44 F!eert Bca!a"ility D T,- 3(4:D"45C4/5D:6D36C;9ast>ud!tl>set>error>correction>scheme3!*Hud!tl$:D"T845// /4C //5CT! 64/5D:6D36C;29
8/12/2019 Bh Usa 07 Dempster
28/33
Asterisk: Configuration Asterisk: Configuration
+efault !asswordsVery common on Asterisk$ as are easily guessa"le SIP !asswords
;ad dial !lan logic
+ial !lan logic in Asterisk can "ecome fairly com!le6 and the flat file format makes ithard to follow$ if the dial !lan isn%t documented 3and u!dated4 it can make it easy to
make mistakes) Common mistakes in Asterisk include gi,ing access to too manyconte6ts or too many o!tions in a !u"lic conte6t)
Call Control and monitoring Asterisk can "e configured 3Mi6Monitor4 to record calls to a file and these can often"e left with la6 !ermissions) Asterisk also has Intrude5;arge functionality withChanS!y) A misconfigured dial !lan can unintentionaly gi,e call monitoring a"ilities)
Accounting and ;illing1here are a ,ariety of o!tions for "illing with Asterisk$ they generally !lug in to
Asterisk using it%s Call +etail ecord files) 2ach of these has their own securityconsiderations)
8/12/2019 Bh Usa 07 Dempster
29/33
Asterisk: VoIP Protocols Asterisk: VoIP Protocols
2ncry!tion o!tions #
e%,e already seen sim!le ,ulnera"ilities in the
im!lementations
0airly com!licated to configure
Assum!tions made "y the de,elo!ers
8/12/2019 Bh Usa 07 Dempster
30/33
ConclusionConclusion
8/12/2019 Bh Usa 07 Dempster
31/33
ConfigurationConfiguration
Practise safe con,ergence
A!!ly traditional network security logic to VoIP)
Check the VoIP !roducts for ,ulnera"ilities)
+on%t /ust scan$ audit as well-
8/12/2019 Bh Usa 07 Dempster
32/33
here else can I get more information#here else can I get more information#
htt!:55www),oi!sa)org * 1he VoIP security alliance released a ,oi! threatta6onomy and ha,e an acti,e mailing list co,ering VoIP issues
htt!:5www)nist)go, * 8S centric "ut ha,e e6cellent tele!hony security
references
htt!:55www),oi!*info)org * Not !articularly security related "ut a goodsource of VoIP information)
htt!:55www)osstmm)org * 1he .!en Source Security 1esting MethodologyManual) 1he VoIP com!onent is currently under de,elo!ment)
8/12/2019 Bh Usa 07 Dempster
33/33
http://www.ngssoftware.com/ Copyright 2006. Next Generation Security Software Lt . !"" other tra e mar#s are the property of their respecti$e owner% an are use in an e itoria" context without intent
Thank YouThank You
omments!"uestions #omments!"uestions #$arrie %em&ster ' (arrie)ngssoft*are+com$arrie %em&ster ' (arrie)ngssoft*are+com
Recommended