Voice Over IP Security
Mark D. Collier, Chief Technology Officer, SecureLogix, [email protected]
David Endler, Director of Security Research
Who are we?
• Mark Collier is the chief technology officer at SecureLogix corporation, where he directs the company’s VoIP security research and development. Mark also defines and conducts VoIP security assessments for SecureLogix’s enterprise customers. Mark is actively performing research for the U.S. Department of Defense, with a focus on developing SIP vulnerability assessment tools. Prior to SecureLogix, Mark was with Southwest Research Institute (SwRI), where he directed a group performing research and development in the areas of computer security and information warfare. Mark is a frequent speaker at major VoIP and security conferences, has authored numerous articles and papers on VoIP security and is also a founding member of the Voice over IP Security Alliance (VOIPSA). Mark graduated magna cum laude from St. Mary’s University, where he earned a bachelor’s degree in computer science.
• David Endler is the director of security research for 3Com's security division, TippingPoint. In this role, he oversees 3Com's product security testing, VoIP security research center, and TippingPoint’s vulnerability research teams. While at TippingPoint, David founded an industry-wide group called the Voice over IP Security Alliance (VOIPSA) in 2005 (http://www.voipsa.org). Previously, he performed security research for Xerox Corporation, the National Security Agency, and the Massachusetts Institute of Technology. David has authored numerous articles and papers on computer security and was named one of the Top 100 Voices in IP Communications by IP Telephony Magazine. He graduated summa cum laude from Tulane University, where he earned a bachelor’s and a master’s degree in computer science.
Shameless Plug Alert: We Just Wrote a Book
We took on this project because there were no practical books on enterprise VoIP security that gave examples of how hackers attack VoIP deployments and explained to administrators how to defend against these attacks.
We spent more than a year of research writing new VoIP security tools, using them to test the latest VoIP products, and scouring VoIP state-of-the-art security.
This tutorial is based on material from the book.
The book was published December 1, 2006 (www.hackingvoip.com, 536 pages).
Overview
• Gathering Information: Footprinting; Scanning; Enumeration
• Attacking the Network: Network Infrastructure Denial of Service; Network Eavesdropping; Network and Application Interception
• Attacking Vendor Platforms: Cisco; Avaya; Asterisk; Softphone Technologies
• Attacking the Application: Fuzzing; Disruption of Service; Signaling and Media Manipulation
Introduction
VoIP systems are vulnerable:
• Platforms, networks, and applications are vulnerable
• VoIP-specific attacks are becoming more common
• Security isn’t always a consideration during deployment
The threat is increasing:
• VoIP deployment is growing
• Deployments are critical to business operations
• Greater integration with the data network
• More attack tools being published
• The hacking community is taking notice
Introduction: Slice of the VoIP Security Pyramid
Each layer of the VoIP security pyramid, with the example threats shown for it:
• Network Security (IP, UDP, TCP, etc.): SYN flood, ICMP unreachable, trivial flooding attacks, DDoS, etc.
• Physical Security: total call server compromise, reboot, denial of service
• Policies and Procedures: weak voicemail passwords, abuse of long distance privileges
• OS Security: buffer overflows, worms, denial of service (crash), weak configuration
• Supporting Service Security (web server, database, DHCP): SQL injection, DHCP resource exhaustion
• VoIP Protocol and Application Security: toll fraud, SPIT, phishing, malformed messages (fuzzing), INVITE/BYE/CANCEL floods, call hijacking, call eavesdropping, call modification
Introduction: Campus VoIP
Figure: a campus VoIP deployment. The IP PBX sits on the voice VLAN with the IP phones; TDM trunks connect it to the public voice network, which also serves the TDM phones; the data VLAN carries the PCs and the Internet connection.
Introduction: Public VoIP
Figure: the same deployment, but with a VoIP connection to the public voice network instead of TDM trunks.
Gathering Information
This is the process a hacker goes through to gather information about your organization and prepare their attack. It consists of:
• Footprinting
• Scanning
• Enumeration
Footprinting
Steps taken by a hacker to learn about your enterprise before they start the actual attack. Consists of:
• Public website research
• Google hacking
• Using WHOIS and DNS
Footprinting: Public Website Research
An enterprise website often contains a lot of information that is useful to a hacker:
• Organizational structure and corporate locations
• Help and technical support
• Job listings
• Phone numbers and extensions
Footprinting: Public Website Research (Job Listings)
Job listings can contain a ton of information about the enterprise VoIP system. Here is a portion of an actual job listing:
  Required Technical Skills:
  Minimum 3-5 years experience in the management and implementation of Avaya telephone systems/voicemails:
  * Advanced programming knowledge of the Avaya Communication Servers and voicemails.
Footprinting: Public Website Research (Phone Numbers)
Google can be used to find all phone numbers on an enterprise web site. Type:
  “111..999-1000..9999 site:www.mcgraw-hill.com”
Footprinting: Public Website Research (Voice Mail)
• By calling into some of these numbers, you can listen to the voice mail system and determine the vendor
• Check out our voice mail hacking database at www.hackingvoip.com
Footprinting: Public Website Research Countermeasures
• It is difficult to control what is on your enterprise website, but it is a good idea to be aware of what is on it
• Try to limit the amount of detail in job postings
• Remove technical detail from help desk web pages
Footprinting: Google Hacking
Google is incredibly good at finding details on the web:
• Vendor press releases and case studies
• Resumes of VoIP personnel
• Mailing lists and user group postings
• Web-based VoIP logins
Footprinting: Google Hacking (continued)
• Vendors and enterprises may post press releases and case studies. Type: “site:avaya.com case study” or “site:avaya.com company”
• Users place resumes on the Internet when searching for jobs. Search Monster for resumes of company employees
• Mailing lists and user group postings: www.inuaa.org, www.innua.org, forums.cisco.com, forums.digium.com
Footprinting: Google Hacking (Web-Based VoIP Logins)
Some VoIP phones are accidentally exposed to the Internet. Use Google to search for:
  Type: inurl:“ccmuser/logon.asp”
  Type: inurl:“ccmuser/logon.asp” site:example.com
  Type: inurl:“NetworkConfiguration” cisco
Footprinting: Google Hacking Countermeasures
• Determine what your exposure is
• Be sure to remove any VoIP phones which are visible to the Internet
• Disable the web servers on your IP phones
• There are services that can help you monitor your exposure: www.cyveilance.com, www.baytsp.com
Footprinting: WHOIS and DNS
• Enterprises depend on DNS to route website visitors and external email
• WHOIS searches can reveal IP addresses used by an enterprise
Footprinting: WHOIS and DNS Countermeasures
• Use generic names where possible
• Disable anonymous zone transfers on your DNS servers
Scanning
Steps taken by a hacker to identify IP addresses and hosts running VoIP. Consists of:
• Host/device discovery
• Port scanning and service discovery
• Host/device identification
Scanning: Host/Device Discovery
Consists of various techniques used to find hosts:
• Ping sweeps
• ARP pings
• TCP ping scans
• SNMP sweeps
Scanning: Host/Device Discovery (Using nmap)
nmap -O -P0 192.168.1.1-254

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-02-20 01:03 CST
Interesting ports on 192.168.1.21:
(The 1671 ports scanned but not shown below are in state: filtered)
PORT   STATE SERVICE
23/tcp open  telnet
MAC Address: 00:0F:34:11:80:45 (Cisco Systems)
Device type: VoIP phone
Running: Cisco embedded
OS details: Cisco IP phone (POS3-04-3-00, PC030301)

Interesting ports on 192.168.1.23:
(The 1671 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:15:62:86:BA:3E (Cisco Systems)
Device type: VoIP phone|VoIP adapter
Running: Cisco embedded
OS details: Cisco VoIP Phone 7905/7912 or ATA 186 Analog Telephone Adapter

Interesting ports on 192.168.1.24:
(The 1671 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0E:08:DA:DA:17 (Sipura Technology)
Device type: VoIP adapter
Running: Sipura embedded
OS details: Sipura SPA-841/1000/2000/3000 POTS<->VoIP gateway
Scanning: Host/Device Discovery (Ports)
• SIP-enabled devices will usually respond on UDP/TCP ports 5060 and 5061
• SCCP-enabled phones (Cisco) respond on UDP/TCP 2000-2001
• Sometimes you might see UDP or TCP port 17185 (VxWorks remote debugging!)
Scanning: Host/Device Discovery (TCP Ping Scans)
Several tools are available: nmap, hping
Scanning: Host/Device Discovery Countermeasures
• Use firewalls and Intrusion Prevention Systems (IPSs) to block ping and TCP sweeps
• VLANs can help isolate ARP pings
• Ping sweeps can be blocked at the perimeter firewall
• Use the secure version of SNMP (SNMPv3)
• Change SNMP public strings
Scanning: Port Scanning/Service Discovery
• Consists of various techniques used to find open ports and services on hosts
• These ports can be targeted later
• nmap is the most commonly used tool for TCP SYN and UDP scans
Scanning: Port Scanning/Service Discovery Countermeasures
• Using non-Internet-routable IP addresses will prevent external scans
• Firewalls and IPSs can detect and possibly block scans
• VLANs can be used to partition the network to prevent scans from being effective
Scanning: Host/Device Identification
• After hosts are found and ports identified, the type of device can be determined
• Classifies the host/device by operating system
• Network stack fingerprinting is a common technique for identifying hosts/devices
• nmap is commonly used for this purpose
Scanning: Host/Device Identification Countermeasures
• Firewalls and IPSs can detect and possibly block scans
• Disable unnecessary ports and services on hosts
Enumeration
• Involves testing open ports and services on hosts/devices to gather more information
• Includes running tools to determine if open services have known vulnerabilities
• Also involves scanning for VoIP-unique information such as phone numbers
• Includes gathering information from TFTP servers and SNMP
Enumeration: Vulnerability Testing Countermeasures
• The best solution is to upgrade your applications and make sure you continually apply patches
• Some firewalls and IPSs can detect and mitigate vulnerability scans
Enumeration: SIP Requests
All of the following SIP requests are defined in RFC 3261:
• INVITE: to initiate a conversation
• BYE: to terminate an existing connection between two users in a session
• OPTIONS: to determine the SIP messages and codecs that the UA or server understands
• REGISTER: to register a location from a SIP user
• ACK: to acknowledge a response from an INVITE request
• CANCEL: to cancel a pending INVITE request, but does not affect a completed request (for instance, to stop the call setup if the phone is still ringing)
Enumeration: SIP Responses
SIP responses are 3-digit codes much like HTTP. The first digit indicates the category of the response:
• 1xx responses – informational responses
• 2xx responses – successful responses
• 3xx responses – redirection responses
• 4xx responses – request failure responses
• 5xx responses – server failure responses
• 6xx responses – global failure responses
Enumeration: SIP Directory Scanning
[root@attacker]# nc 192.168.1.104 5060
OPTIONS sip:[email protected] SIP/2.0
Via: SIP/2.0/TCP 192.168.1.120;branch=4ivBcVj5ZnPYgb
To: alice <sip:[email protected]>
Content-Length: 0

SIP/2.0 404 Not Found
Via: SIP/2.0/TCP 192.168.1.120;branch=4ivBcVj5ZnPYgb;received=192.168.1.103
To: alice <sip:[email protected]>;tag=b27e1a1d33761e85846fc98f5f3a7e58.0503
Server: Sip EXpress router (0.9.6 (i386/linux))
Content-Length: 0
Warning: 392 192.168.1.104:5060 "Noisy feedback tells: pid=29801 req_src_ip=192.168.1.120 req_src_port=32773 in_uri=sip:[email protected] out_uri=sip:[email protected] via_cnt==1"
Enumeration: TFTP
• Almost all phones we tested use TFTP to download their configuration files
• The TFTP server is rarely well protected
• If you know or can guess the name of a configuration or firmware file, you can download it without even specifying a password
• The files are downloaded in the clear and can be easily sniffed
• Configuration files have usernames, passwords, IP addresses, etc. in them
Enumeration: TFTP (Using TFTPBRUTE)
[root@attacker]# perl tftpbrute.pl 192.168.1.103 brutefile.txt 100
tftpbrute.pl, , V 0.1
TFTP file word database: brutefile.txt
TFTP server 192.168.1.103
Max processes 100
Processes are: 1
<snip>
Processes are: 12
*** Found TFTP server remote filename : sip.cfg
*** Found TFTP server remote filename : 46xxsettings.txt
Processes are: 13
Processes are: 14
*** Found TFTP server remote filename : sip_4602D02A.txt
*** Found TFTP server remote filename : XMLDefault.cnf.xml
*** Found TFTP server remote filename : SipDefault.cnf
Enumeration: TFTP Countermeasures
• It is difficult not to use TFTP, since it is so commonly used by VoIP vendors
• Some vendors offer more secure alternatives
• Firewalls can be used to restrict access to TFTP servers to valid devices
Enumeration: SNMP
• SNMP is enabled by default on most IP PBXs and IP phones
• Simple SNMP sweeps will garner lots of useful information
• If you know the device type, you can use snmpwalk with the appropriate OID
• You can find the OID using Solarwinds MIB
• Default “passwords”, called community strings, are common
Enumeration: SNMP (snmpwalk)
[root@domain2 ~]# snmpwalk -c public -v 1 192.168.1.53 1.3.6.1.4.1.6889
SNMPv2-SMI::enterprises.6889.2.69.1.1.1.0 = STRING: "Obsolete"
SNMPv2-SMI::enterprises.6889.2.69.1.1.2.0 = STRING: "4620D01B"
SNMPv2-SMI::enterprises.6889.2.69.1.1.3.0 = STRING: "AvayaCallserver"
SNMPv2-SMI::enterprises.6889.2.69.1.1.4.0 = IpAddress: 192.168.1.103
SNMPv2-SMI::enterprises.6889.2.69.1.1.5.0 = INTEGER: 1719
SNMPv2-SMI::enterprises.6889.2.69.1.1.6.0 = STRING: "051612501065"
SNMPv2-SMI::enterprises.6889.2.69.1.1.7.0 = STRING: "700316698"
SNMPv2-SMI::enterprises.6889.2.69.1.1.8.0 = STRING: "051611403489"
SNMPv2-SMI::enterprises.6889.2.69.1.1.9.0 = STRING: "00:04:0D:50:40:B0"
SNMPv2-SMI::enterprises.6889.2.69.1.1.10.0 = STRING: "100"
SNMPv2-SMI::enterprises.6889.2.69.1.1.11.0 = IpAddress: 192.168.1.53
SNMPv2-SMI::enterprises.6889.2.69.1.1.12.0 = INTEGER: 0
SNMPv2-SMI::enterprises.6889.2.69.1.1.13.0 = INTEGER: 0
SNMPv2-SMI::enterprises.6889.2.69.1.1.14.0 = INTEGER: 0
SNMPv2-SMI::enterprises.6889.2.69.1.1.15.0 = STRING: "192.168.1.1"
SNMPv2-SMI::enterprises.6889.2.69.1.1.16.0 = IpAddress: 192.168.1.1
SNMPv2-SMI::enterprises.6889.2.69.1.1.17.0 = IpAddress: 255.255.255.0
...
SNMPv2-SMI::enterprises.6889.2.69.1.4.8.0 = INTEGER: 20
SNMPv2-SMI::enterprises.6889.2.69.1.4.9.0 = STRING: "503"
Enumeration: SNMP Countermeasures
• Disable SNMP on any devices where it is not needed
• Change default public and private community strings
• Try to use SNMPv3, which supports authentication
Attacking the Network
• The VoIP network and supporting infrastructure are vulnerable to attacks
• Most attacks will originate inside the network, once access is gained
Attacks include:
• Network infrastructure DoS
• Network eavesdropping
• Network and application interception
Attacking the Network: Gaining Access
Several attack vectors include:
• Installing a simple wired hub
• Wi-Fi sniffing
• Compromising a network node
• Compromising a VoIP phone
• Compromising a switch
• Compromising a proxy, gateway, or PC/softphone
• ARP poisoning
• Circumventing VLANs
Gaining Access: Circumventing VLANs
• If MAC filtering is not used, you can disconnect a VoIP phone and connect a PC
• Even if MAC filtering is used, you can easily spoof the MAC
• Be especially cautious of VoIP phones in public areas (such as lobby phones)
Gaining Access: Other VLAN Attacks
• MAC flooding attack
• 802.1q and ISL tagging attack
• Double-encapsulated 802.1q/nested VLAN attack
• Private VLAN attack
• Spanning-tree protocol attack
• VLAN trunking protocol attack
Attacking the Network: Network Infrastructure DoS
• The VoIP network and supporting infrastructure are vulnerable to attacks
• VoIP media/audio is particularly susceptible to any DoS attack which introduces latency and jitter
Attacks include:
• Flooding attacks
• Network availability attacks
• Supporting infrastructure attacks
Network DoS: Flooding Attacks
Flooding attacks generate so many packets at a target that it is overwhelmed and can’t process legitimate requests.
Network DoS: Flooding Attacks (Call Quality)
VoIP is much more sensitive to network issues than traditional data applications like web and email:
• Network Latency – amount of time it takes for a packet to travel from the speaker to the listener
• Jitter – occurs when the speaker sends packets at constant rates but they arrive at the listener at variable rates
• Packet Loss – occurs under heavy load and oversubscription
• Mean Opinion Score – subjective quality of a conversation measured from 1 (unintelligible) to 5 (very clear)
• R-value – mathematical measurement from 1 (unintelligible) to 100 (very clear)
Network DoS: Flooding Attacks (Measuring Call Quality)
Call quality can be measured with:
• Software applications (Wireshark, AdventNet, WildPackets, etc.)
• Hardware appliances (Agilent, Empirix, Qovia, etc.)
• Integrated routers and switches (e.g. Cisco QoS Policy Manager)
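To make the jitter metric above concrete, here is an added example (not from the tutorial or the book's tools) implementing the RFC 3550 interarrival jitter estimator and a packet-loss count over a constructed G.711 stream, once undisturbed and once with every second packet queued behind flood traffic; the 20 ms packetization, 8 kHz clock and delay pattern are assumptions.

```python
def interarrival_jitter(packets, clock_hz=8000):
    """RFC 3550 Appendix A.8 running jitter estimate.

    packets: iterable of (seq, rtp_timestamp, arrival_seconds) in arrival order.
    Returns (jitter_ms, lost_packets). For each consecutive pair the estimator
    takes D = (R_j - R_i) - (S_j - S_i), the change in transit time, and folds
    it in with gain 1/16: J += (|D| - J) / 16.
    """
    jitter = 0.0          # kept in RTP timestamp units, as the RFC does
    prev = None           # (rtp_timestamp, arrival in timestamp units)
    seqs = []
    for seq, ts, arrival in packets:
        r = arrival * clock_hz
        if prev is not None:
            d = (r - prev[1]) - (ts - prev[0])
            jitter += (abs(d) - jitter) / 16.0
        prev = (ts, r)
        seqs.append(seq)
    expected = max(seqs) - min(seqs) + 1   # from the sequence-number span
    return jitter * 1000.0 / clock_hz, expected - len(seqs)


def g711_stream(n, delay_of=lambda i: 0.0, drop=()):
    """Constructed 20 ms G.711 stream: 160 samples per packet at 8 kHz.
    delay_of(i) adds queuing delay to packet i; drop lists packets never seen."""
    return [(i, 160 * i, 0.020 * i + delay_of(i)) for i in range(n) if i not in drop]


def compare_streams():
    """Return the (jitter_ms, lost) pair for an undisturbed stream and for one
    where a flood delays every odd packet by 15 ms and two packets are lost."""
    steady = g711_stream(50)
    flooded = g711_stream(50, delay_of=lambda i: 0.015 if i % 2 else 0.0, drop={20, 21})
    return {"steady": interarrival_jitter(steady), "flooded": interarrival_jitter(flooded)}
```

The flooded stream's estimate climbs toward the 15 ms delay swing, which is the sort of jitter figure the quality tools listed above would show during a flood.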
Network DoS: Flooding Attacks (Types of Floods)
• UDP floods
• TCP SYN floods
• ICMP and Smurf floods
• Worm and virus oversubscription side effect
• QoS manipulation
• Application flooding
Network DoS: Flooding Attack Countermeasures
• Layer 2 and 3 QoS mechanisms are commonly used to give priority to VoIP media (and signaling)
• Use rate limiting in network switches
• Use anti-DoS/DDoS products
• Some vendors have DoS support in their products (in newer versions of software)
Network DoS: Network Availability Attacks
This type of attack involves an attacker trying to crash the underlying operating system:
• Fuzzing involves sending malformed packets, which exploit a weakness in software
• Packet fragmentation
• Buffer overflows
Network DoS: Network Availability Attack Countermeasures
• A network IPS is an inline device that detects and blocks attacks
• Some firewalls also offer this capability
• Host-based IPS software also provides this capability
Network DoS: Supporting Infrastructure Attacks
• VoIP systems rely heavily on supporting services such as DHCP, DNS, TFTP, etc.
• DHCP exhaustion is an example, where a hacker uses up all the IP addresses, denying service to VoIP phones
• DNS cache poisoning involves tricking a DNS server into using a fake DNS response
Network DoS: Supporting Infrastructure Attack Countermeasures
• Configure DHCP servers not to lease addresses to unknown MAC addresses
• DNS servers should be configured to scrutinize information from non-authoritative servers and drop any response not related to an outstanding query
Attacking the Network: Network Eavesdropping
VoIP signaling, media, and configuration files are vulnerable to eavesdropping. Attacks include:
• TFTP configuration file sniffing
• Number harvesting and call pattern tracking
• Conversation eavesdropping
Eavesdropping: TFTP, Numbers and Call Patterns
• TFTP files are transmitted in the clear and can be sniffed
• One easy way is to connect a hub to a VoIP phone, reboot it, and capture the file
• By sniffing signaling, it is possible to build a directory of numbers and track calling patterns
• voipong automates the process of logging all calls
Eavesdropping: Conversation Recording (Other Tools)
• vomit
• voipong
• voipcrack (not public)
• DTMF decoder
Eavesdropping: Countermeasures
• Place the TFTP server on the same VLAN as the VoIP phones and use a firewall to ensure that only VoIP phones communicate with it
• Use encryption:
  Many vendors offer encryption for signaling; use Transport Layer Security (TLS) for signaling
  Many vendors offer encryption for media; use Secure Real-time Transport Protocol (SRTP) or ZRTP
  Use proprietary encryption if you have to
Attacking the Network: Network/Application Interception
The VoIP network is vulnerable to Man-in-the-Middle (MITM) attacks, allowing:
• Eavesdropping on the conversation
• Causing a DoS condition
• Altering the conversation by omitting, replaying, or inserting media
• Redirecting calls
Attacks include:
• Network-level interception
• Application-level interception
Network Interception: ARP Poisoning
• The most common network-level MITM attack is ARP poisoning
• Involves tricking a host into thinking the MAC address of the attacker is the intended address
• There are a number of tools available to support ARP poisoning: Cain and Abel, ettercap, Dsniff, hunt
Network Interception: Countermeasures
Some countermeasures for ARP poisoning are:
• Static OS mappings
• Switch port security
• Proper use of VLANs
• Signaling encryption/authentication
• ARP poisoning detection tools, such as arpwatch
Application Interception
It is also possible to perform a MITM attack at the application layer. Some possible ways to perform this attack include:
• Registration hijacking
• Redirection attacks
• VoIP phone reconfiguration
• Inserting a bridge via physical network access
Figure: the attacker places themselves between the two proxies, or between a proxy and a user agent, on the signaling path between the two users.
Application Interception: Countermeasures
Some countermeasures to application-level interception are:
• Use VLANs for separation
• Use TCP/IP
• Use signaling encryption/authentication (such as TLS)
• Enable authentication for requests
• Deploy SIP firewalls to protect SIP proxies from attacks
Attacking the Platform
This section describes unique attacks against specific VoIP vendor platforms, including:
• Avaya
• Cisco
Avaya: Avaya Communication Manager
• The Avaya Communication Manager is Avaya’s enterprise-class offering
• Offers strong security, but some default configuration should be changed
• Avaya uses Linux and VxWorks as the underlying operating system on many components, which is arguably more secure than Windows
Avaya: SNMP and TFTP
• Avaya uses TFTP and SNMP
• In 3.0, SNMP is enabled by default on the IP PBX and IP phones
• Some components ship with default public and private community strings
Avaya: SNMP and TFTP Countermeasures
• Use the same countermeasures as before
• Avaya provides a secure copy feature as an alternative to TFTP
• Communication Manager 4.0 disables SNMP by default
• Version 2.6 for IP phones does not ship with default community strings
Avaya: Flooding Attacks
• We used udpflood and tcpsynflood to perform DoS attacks against various components
• Unfortunately, these attacks were very disruptive
Avaya: Flooding Attack Countermeasures
• Use the same countermeasures as before
• Avaya C-LAN cards provide some level of DoS mitigation
• Newer IP phone software provides better DoS mitigation
• http://support.avaya.com/security
Avaya: Miscellaneous Security Issues
• Avaya signaling and media are vulnerable to eavesdropping
• Avaya uses some default passwords on key IP PBX components
• Password recommendations for IP phones are weak
• By default, Avaya IP phones can be reconfigured when booted
Avaya: Miscellaneous Security Issue Countermeasures
• Avaya supports proprietary encryption for signaling and media. SRTP will be supported in Communication Manager 4.0
• Default passwords should be changed to strong values
• Local access to the IP phone can be controlled with a password
Cisco: Cisco Unified Call Manager
• The Cisco Unified Call Manager is Cisco’s enterprise-class offering
• Offers strong security, but requires some configuration
• Version 4.1 is based on Windows; version 5.0 is based on Linux
• A must-read document is the Solution Reference Network Design (SRND) for voice communications (http://tinyurl.com/gd5r4). It includes great deployment scenarios and security use cases (lobby phone, desktop phone, call manager encryption how-to, etc.)
Cisco: Cisco Discovery Protocol
• Cisco Discovery Protocol is Cisco’s proprietary layer 2 network management protocol
• Contains juicy information that is broadcast on the entire segment. Disable it!
Cisco: Port Scanning
• Cisco Unified Call Manager requires a large number of open ports
Cisco: Port Scanning Countermeasures
Cisco IOS has a great feature called “autosecure” that:
• disables a slew of services (finger, http, ICMP, source routing, etc.)
• enables some services (password encryption, TCP synwait-time, logging, etc.)
• locks down the router and switch (enables only ssh, blocks private address blocks from traversing, enables netflow, etc.)
Cisco: Flooding Countermeasures
• Another great feature from Cisco is AutoQoS, a new IOS feature (auto qos command). It enables quality of service for VoIP traffic across every Cisco router and switch
• Scavenger class QoS is also a relatively new Cisco strategy: rate shape all bursty non-VoIP traffic
Cisco: DoS and OS Exploitation Countermeasures
• Patch management is key. Use the Cisco Voice Technology Group Subscription Tool (http://www.cisco.com/cgi-bin/Software/Newsbuilder/Builder/VOICE.cgi)
Cisco: Eavesdropping and Interception Countermeasures
• Enable port security on Cisco switches to help mitigate ARP spoofing
• Enable Dynamic ARP Inspection to thwart ARP spoofing
• Dynamically restrict Ethernet port access with 802.1x port authentication
• Enable DHCP snooping to prevent DHCP spoofing
• Configure IP Source Guard on switches
• Configure VTP transparent mode
• Change the default native VLAN value to thwart VLAN hopping
• Disable Dynamic Trunking Protocol (DTP) to thwart VLAN hopping
• Activate authentication and encryption of the signaling and media streams: Skinny over TLS and SRTP. This requires creating and distributing certificates on phones
Attacking the Application
VoIP systems are vulnerable to application attacks against the various VoIP protocols. Attacks include:
• Fuzzing attacks
• Flood-based DoS
• Signaling and media manipulation
Attacking the Application: Fuzzing
• Fuzzing describes attacks where malformed packets are sent to a VoIP system in an attempt to crash it
• Research has shown that VoIP systems, especially those employing SIP, are vulnerable to fuzzing attacks
• There are many public domain tools available for fuzzing: Protos suite, Asteroid, Fuzzy Packet, NastySIP, Scapy, SipBomber, SFTF, SIP Proxy, SIPp, SIPsak
Fuzzing: Example
A normal INVITE:
INVITE sip:[email protected]:6060;user=phone SIP/2.0
Via: SIP/2.0/UDP 192.168.22.36:6060
From: UserAgent<sip:[email protected]:6060;user=phone>
To: 6713<sip:[email protected]:6060;user=phone>
Call-ID: [email protected]
CSeq: 1 INVITE
Subject: VovidaINVITE
Contact: <sip:[email protected]:6060;user=phone>
Content-Type: application/sdp
Content-Length: 168

The same INVITE with an overlong Via header:
INVITE sip:[email protected]:6060;user=phone SIP/2.0
Via: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa…
From: UserAgent<sip:[email protected]:6060;user=phone>
To: 6713<sip:[email protected]:6060;user=phone>
Call-ID: [email protected]
CSeq: 1 INVITE
Subject: VovidaINVITE
Contact: <sip:[email protected]:6060;user=phone>
Content-Type: application/sdp
Content-Length: 168
Fuzzing: Commercial Tools
There are some commercial tools available:
• Beyond Security BeStorm
• Codenomicon
• MuSecurity Mu-4000 Security Analyzer
• Security Innovation Hydra
• Sipera Systems LAVA tools
Fuzzing: Countermeasures
• Make sure your vendor has tested their systems for fuzzing attacks
• Consider running your own tests
• A VoIP-aware IPS can monitor for and block fuzzing attacks
Attacking the Application: Flood-Based DoS
• Describes an attack where a flood of packets overwhelms a target, such as a SIP proxy or phone
• Several tools are available to generate floods at the application layer:
  rtpflood – generates a flood of RTP packets
  inviteflood – generates a flood of SIP INVITE packets
  SiVuS – a tool with a GUI that enables a variety of flood-based attacks
• Virtually every device we tested was susceptible to these attacks
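Both the OPTIONS directory scan shown under SIP Enumeration and the INVITE floods described here leave a recognisable pattern in a proxy's traffic. The following is an added example (not from the tutorial, the book, or any SIP product) of a small SIP request parser plus two sliding-window detectors run over constructed traffic; the window size and thresholds are assumptions to be tuned per site.

```python
from collections import defaultdict, deque
import re

# Start line of a SIP request (RFC 3261 section 7.1): Method Request-URI SIP/2.0
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>sips?:\S+) SIP/2\.0$")


def parse_sip_request(raw):
    """Parse the start line and headers of one SIP request.
    Returns {"method", "uri", "headers"} with header names lower-cased;
    raises ValueError if the start line is not a request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("not a SIP request start line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": m.group("method"), "uri": m.group("uri"), "headers": headers}


class SipAbuseDetector:
    """Per-source sliding-window heuristics over requests and the response
    code the proxy returned for each. Thresholds are assumptions."""

    def __init__(self, window=10.0, scan_targets=20, invite_limit=50):
        self.window = window                 # seconds
        self.scan_targets = scan_targets     # distinct Request-URIs answered 404
        self.invite_limit = invite_limit     # INVITEs per window from one source
        self.not_found = defaultdict(deque)  # src -> deque of (ts, uri)
        self.invites = defaultdict(deque)    # src -> deque of ts

    def _expire(self, dq, now, stamp):
        while dq and now - stamp(dq[0]) > self.window:
            dq.popleft()

    def observe(self, ts, src, raw_request, response_code):
        """Feed one request; returns a list of (kind, src, count) alerts."""
        req = parse_sip_request(raw_request)
        alerts = []
        # Directory scan: one source probing many different users, mostly 404.
        if response_code == 404:
            dq = self.not_found[src]
            dq.append((ts, req["uri"]))
            self._expire(dq, ts, lambda e: e[0])
            distinct = len({uri for _, uri in dq})
            if distinct >= self.scan_targets:
                alerts.append(("directory_scan", src, distinct))
        # INVITE flood: far more call attempts than any phone or PBX makes.
        if req["method"] == "INVITE":
            dq = self.invites[src]
            dq.append(ts)
            self._expire(dq, ts, lambda e: e)
            if len(dq) >= self.invite_limit:
                alerts.append(("invite_flood", src, len(dq)))
        return alerts


def _request(method, user, src):
    """Constructed minimal SIP request (sample data, not captured traffic)."""
    return ("%s sip:%s@proxy.example.net SIP/2.0\r\n"
            "Via: SIP/2.0/UDP %s;branch=z9hG4bK-%s\r\n"
            "To: <sip:%s@proxy.example.net>\r\n"
            "Content-Length: 0\r\n\r\n") % (method, user, src, user, user)


def run_demo():
    """Replay constructed traffic; return the first alert kind raised per source."""
    det = SipAbuseDetector()
    seen = {}
    # Scanner: OPTIONS to 30 guessed extensions, every one answered 404.
    for i in range(30):
        msg = _request("OPTIONS", "ext%d" % i, "10.0.0.66")
        for kind, src, _ in det.observe(0.1 * i, "10.0.0.66", msg, 404):
            seen.setdefault(src, kind)
    # Flooder: 60 INVITEs to one user inside a single second.
    for i in range(60):
        msg = _request("INVITE", "alice", "10.0.0.99")
        for kind, src, _ in det.observe(5.0 + i / 60.0, "10.0.0.99", msg, 100):
            seen.setdefault(src, kind)
    # Legitimate phone: three calls over a minute, one of them a wrong number.
    for i, code in enumerate((200, 404, 200)):
        msg = _request("INVITE", "bob", "10.0.0.10")
        for kind, src, _ in det.observe(20.0 * i, "10.0.0.10", msg, code):
            seen.setdefault(src, kind)
    return seen
```

A SIP-aware IPS applies the same idea inline; here the detector only reports, which is the safer default until the thresholds have been checked against real call volumes.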
Flood-Based DoS: Countermeasures
There are several countermeasures you can use for flood-based DoS:
• Use VLANs to separate networks
• Use TCP and TLS for SIP connections
• Use rate limiting in switches
• Enable authentication for requests
• Use SIP firewalls/IPSs to monitor and block attacks
Attacking the Application: Signaling/Media Manipulation
In SIP and RTP, there are a number of attacks possible which exploit the protocol:
• Registration removal/addition
• Registration hijacking
• Redirection attacks
• Session teardown
• SIP phone reboot
• RTP insertion/mixing
Signaling/Media Manipulation: Registration Removal/Addition
Figure: the attacker erases or adds bogus registrations at the proxy, causing calls to be dropped or sent to the wrong address.
Signaling/Media Manipulation: Registration Hijacking
Figure: the attacker replaces the user’s registration at the proxy; the session and the media are hijacked.
Signaling/Media Manipulation: Redirection Attacks
Figure: the attacker sends “301/302 Moved” messages; inbound calls are redirected.
Signaling/Media Manipulation: Session Teardown
Figure: the attacker sends BYE messages to the UAs.
Signaling/Media Manipulation: IP Phone Reboot
Figure: the attacker sends check-sync messages to the UA.
Signaling/Media Manipulation: Audio Insertion/Mixing
Figure: the attacker sees the RTP packets and inserts or mixes in new audio.
Signaling/Media Manipulation: Countermeasures
Some countermeasures for signaling and media manipulation include:
• Use digest authentication where possible
• Use TCP and TLS where possible
• Use SIP-aware firewalls/IPSs to monitor for and block attacks
• Use audio encryption to prevent RTP injection/mixing
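Digest authentication is the countermeasure that stops the registration hijacking and removal shown above. The following is an added example (not from the tutorial or any SIP stack) of the REGISTER challenge/response exchange of RFC 3261 section 22 with a toy registrar that binds a Contact only after a valid, unused digest; the realm, users, passwords and addresses are constructed.

```python
import hashlib
import hmac
import os
import re
import time


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """HTTP Digest (RFC 2617) without qop, the form SIP uses (RFC 3261 s.22)."""
    ha1 = _md5("%s:%s:%s" % (username, realm, password))
    ha2 = _md5("%s:%s" % (method, uri))
    return _md5("%s:%s:%s" % (ha1, nonce, ha2))


class Registrar:
    """Minimal registrar: a Contact is bound to an address-of-record only
    after a REGISTER carries a valid, unused digest for that user."""

    def __init__(self, realm, credentials):
        self.realm = realm
        self.credentials = credentials   # username -> password
        self.bindings = {}               # AoR -> Contact
        self.nonces = {}                 # nonce -> time issued (single use)

    def _challenge(self):
        nonce = os.urandom(16).hex()
        self.nonces[nonce] = time.time()
        return {"status": 401,
                "WWW-Authenticate": 'Digest realm="%s", nonce="%s"' % (self.realm, nonce)}

    def register(self, aor, contact, auth=None):
        """auth mirrors the Authorization header: username, uri, nonce, response."""
        if auth is None:
            return self._challenge()
        # Each nonce is honoured once, so a replayed capture is just re-challenged.
        if self.nonces.pop(auth.get("nonce"), None) is None:
            return self._challenge()
        password = self.credentials.get(auth.get("username"), "")
        expected = digest_response(auth["username"], self.realm, password,
                                   "REGISTER", auth["uri"], auth["nonce"])
        if not hmac.compare_digest(expected, auth.get("response", "")):
            return {"status": 403}
        # A user may only (re)bind their own AoR, never someone else's.
        if aor != "sip:%s@%s" % (auth["username"], self.realm):
            return {"status": 403}
        self.bindings[aor] = contact
        return {"status": 200}


def _nonce_of(challenge):
    return re.search(r'nonce="([^"]+)"', challenge["WWW-Authenticate"]).group(1)


def run_scenario():
    """Constructed exchange: alice registers properly, then an attacker tries
    to point her AoR at their own phone. Returns the status of each attempt."""
    realm = "voip.example.net"
    reg = Registrar(realm, {"alice": "correct horse battery"})
    aor = "sip:alice@" + realm
    # 1. Legitimate client: REGISTER -> 401 challenge -> REGISTER with digest.
    nonce = _nonce_of(reg.register(aor, "sip:alice@10.0.0.10"))
    good = {"username": "alice", "uri": aor, "nonce": nonce,
            "response": digest_response("alice", realm, "correct horse battery",
                                        "REGISTER", aor, nonce)}
    legit = reg.register(aor, "sip:alice@10.0.0.10", good)["status"]
    # 2. Attacker with no credentials only ever sees challenges.
    no_auth = reg.register(aor, "sip:attacker@10.0.0.66")["status"]
    # 3. Attacker replays alice's captured Authorization: nonce already spent.
    replay = reg.register(aor, "sip:attacker@10.0.0.66", good)["status"]
    # 4. Attacker answers a fresh challenge with a guessed password.
    nonce2 = _nonce_of(reg.register(aor, "sip:attacker@10.0.0.66"))
    bad = dict(good, nonce=nonce2,
               response=digest_response("alice", realm, "guess", "REGISTER", aor, nonce2))
    guessed = reg.register(aor, "sip:attacker@10.0.0.66", bad)["status"]
    return {"legit": legit, "no_auth": no_auth, "replay": replay,
            "guessed": guessed, "bindings": dict(reg.bindings)}
```

Digest protects the binding itself; the REGISTER still travels in the clear, which is why the slide also recommends TLS for the signaling path.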
Social Attacks
There are a couple of evolving social threats that will affect enterprises:
• Voice SPAM or SPAM over Internet Telephony (SPIT)
• Voice phishing
Social Attacks: Voice SPAM
• Voice SPAM refers to bulk, automatically generated, unsolicited phone calls
• Similar to telemarketing, but occurring at the frequency of email SPAM
• Not an issue yet, but will become prevalent when the network makes it very inexpensive or free to generate calls, and attackers have access to VoIP networks that allow generation of a large number of calls
• It is easy to set up a voice SPAM operation, using Asterisk, tools like “spitter”, and free VoIP access
Voice SPAM: Impact
Voice SPAM has the potential to be very disruptive because:
• Voice calls tend to interrupt a user more than email
• Calls arrive in real time and the content can’t be analyzed to determine it is voice SPAM
• Even calls saved to voice mail must be converted from audio to text, which is an imperfect process
• There isn’t any capability in the protocols that looks like it will address voice SPAM
Voice SPAM: Countermeasures
Some potential countermeasures for voice SPAM are:
• Authenticated identity movements, which may help to identify callers
• Legal measures
• Enterprise voice SPAM filters: black lists/white lists, approval systems, audio content filtering, Turing tests
Social Attacks: VoIP Phishing
• Similar to email phishing, but with a phone number delivered through email or voice
• When the victim dials the number, the recording requests entry of personal information
• The hacker comes back later and retrieves the touch tones or other information
VoIP Phishing: Example
The lure, delivered by email or voice: “Hi, this is Bob from Bank of America calling. Sorry I missed you. If you could give us a call back at 1-866-555-1324 we have an urgent issue to discuss with you about your bank account.”
The recording at that number: “Hello. This is Bank of America. So we may best serve you, please enter your account number followed by your PIN.”