Voice Over IP Security Mark D. Collier Chief Technology Officer SecureLogix Corporation David Endler Director of Security.


Voice Over IP Security Mark D. Collier Chief Technology Officer SecureLogix Corporation David Endler Director of Security Research TippingPoint

Who are we? Mark Collier is the chief technology officer at SecureLogix Corporation, where he directs the company's VoIP security research and development. Mark also defines and conducts VoIP security assessments for SecureLogix's enterprise customers. Mark is actively performing research for the U.S. Department of Defense, with a focus on developing SIP vulnerability assessment tools. Prior to SecureLogix, Mark was with Southwest Research Institute (SwRI), where he directed a group performing research and development in the areas of computer security and information warfare. Mark is a frequent speaker at major VoIP and security conferences, has authored numerous articles and papers on VoIP security and is also a founding member of the Voice over IP Security Alliance (VOIPSA). Mark graduated magna cum laude from St. Mary's University, where he earned a bachelor's degree in computer science. David Endler is the director of security research for 3Com's security division, TippingPoint. In this role, he oversees 3Com's product security testing, VoIP security research center, and TippingPoint's vulnerability research teams. While at TippingPoint, David founded an industry-wide group called the Voice over IP Security Alliance (VOIPSA) in 2005. Previously, he has performed security research working for Xerox Corporation, the National Security Agency, and Massachusetts Institute of Technology. David has authored numerous articles and papers on computer security and was named one of the Top 100 Voices in IP Communications by IP Telephony Magazine. He graduated summa cum laude from Tulane University where he earned a bachelor's and master's degree in computer science.

Shameless Plug Alert We Just Wrote a Book We took on this project because there were no practical books on enterprise VoIP security that gave examples of how hackers attack VoIP deployments and explained to administrators how to defend against these attacks. We spent more than a year of research writing new VoIP security tools, using them to test the latest VoIP products, and scouring VoIP state-of-the-art security. This tutorial is based on material from the book. The book was published December 1, pages

Overview Gathering Information:  Footprinting  Scanning  Enumeration Attacking the Network:  Network Infrastructure Denial of Service  Network Eavesdropping  Network and Application Interception Outline

Attacking Vendor Platforms:  Avaya  Cisco Attacking the Application:  Fuzzing  Disruption of Service  Signaling and Media Manipulation Outline

Social Attacks:  Voice SPAM/SPIT  Voice Phishing Outline

Introduction
VoIP systems are vulnerable:
 Platforms, networks, and applications are vulnerable
 VoIP-specific attacks are becoming more common
 Security isn't always a consideration during deployment
The threat is increasing:
 VoIP deployment is growing
 Deployments are critical to business operations
 Greater integration with the data network
 More attack tools being published
 The hacking community is taking notice

Introduction Layers of Security Introduction

Slice of VoIP Security Pyramid (figure)
Layers: Policies and Procedures; Physical Security; Network Security (IP, UDP, TCP, etc.); OS Security; Supporting Service Security (web server, database, DHCP); VoIP Protocol and Application Security
Example threats shown against the layers: Weak Voicemail Passwords; Abuse of Long Distance Privileges; Total Call Server Compromise, Reboot, Denial of Service; Syn Flood, ICMP unreachable, trivial flooding attacks, DDoS, etc.; SQL Injection, DHCP resource exhaustion; Buffer Overflows, Worms, Denial of Service (Crash), Weak Configuration; Toll Fraud, SPIT, Phishing; Malformed Messages (fuzzing); INVITE/BYE/CANCEL Floods; Call Hijacking; Call Eavesdropping; Call Modification
Introduction

Campus VoIP (network diagram; labels: Internet Connection, Internet, Voice VLAN, Public Voice Network, IP PBX, TDM Trunks, TDM Phones, IP Phones, Data VLAN, PCs) Introduction

Public VoIP (network diagram; labels: Internet Connection, Internet, Voice VLAN, Public Voice Network, IP PBX, VoIP Connection, TDM Phones, IP Phones, Data VLAN, PCs) Introduction

This is the process a hacker goes through to gather information about your organization and prepare their attack Consists of:  Footprinting  Scanning  Enumeration Gathering Information

Steps taken by a hacker to learn about your enterprise before they start the actual attack Consists of:  Public website research  Google hacking  Using WHOIS and DNS Footprinting Gathering Information Footprinting

An enterprise website often contains a lot of information that is useful to a hacker:  Organizational structure and corporate locations  Help and technical support  Job listings  Phone numbers and extensions Public Website Research Introduction Gathering Information Footprinting

Public Website Research Organization Structure Gathering Information Footprinting

Public Website Research Corporate Locations Gathering Information Footprinting

Public Website Research Helpdesk Gathering Information Footprinting

Public Website Research Helpdesk

Public Website Research Job Listings Job listings can contain a ton of information about the enterprise VoIP system. Here is a portion of an actual job listing: Required Technical Skills: Minimum 3-5 years experience in the management and implementation of Avaya telephone systems/voicemails: * Advanced programming knowledge of the Avaya Communication Servers and voicemails. Gathering Information Footprinting

Public Website Research Phone Numbers Google can be used to find all phone numbers on an enterprise web site:  Type: “ site: Gathering Information Footprinting

Public Website Research Voice Mail By calling into some of these numbers, you can listen to the voice mail system and determine the vendor Check out our voice mail hacking database at:  Gathering Information Footprinting

Public Website Research Countermeasures It is difficult to control what is on your enterprise website, but it is a good idea to be aware of what is on it Try to limit the amount of detail in job postings Remove technical detail from help desk web pages Gathering Information Footprinting

Google is incredibly good at finding details on the web:  Vendor press releases and case studies  Resumes of VoIP personnel  Mailing lists and user group postings  Web-based VoIP logins Google Hacking Introduction Gathering Information Footprinting

Vendors and enterprises may post press releases and case studies:  Type: “site:avaya.com case study” or “site:avaya.com company” Users place resumes on the Internet when searching for jobs  Search Monster for resumes for company employees Mailing lists and user group postings:    forums.cisco.com  forums.digium.com Google Hacking Gathering Information Footprinting

Some VoIP phones are accidentally exposed to the Internet Use Google to search for:  Type: inurl:"ccmuser/logon.asp"  Type: inurl:"ccmuser/logon.asp" site:example.com  Type: inurl:"NetworkConfiguration" cisco Google Hacking Web-Based VoIP Logins Gathering Information Footprinting

Google Hacking Web-Based VoIP Logins Gathering Information Footprinting

Determine what your exposure is Be sure to remove any VoIP phones which are visible to the Internet Disable the web servers on your IP phones There are services that can help you monitor your exposure:   www.baytsp.com Google Hacking Countermeasures Gathering Information Footprinting

Google Hacking Countermeasures Gathering Information Footprinting

Enterprises depend on DNS to route website visitors and email; external WHOIS searches can reveal IP addresses used by an enterprise WHOIS and DNS Introduction Gathering Information Footprinting

Use generic names where possible Disable anonymous zone transfers on your DNS servers WHOIS and DNS Countermeasures Gathering Information Footprinting

Steps taken by a hacker to identify IP addresses and hosts running VoIP Consists of:  Host/device discovery  Port scanning and service discovery  Host/device identification Scanning Introduction Gathering Information Scanning

Consists of various techniques used to find hosts:  Ping sweeps  ARP pings  TCP ping scans  SNMP sweeps Host/Device Discovery Gathering Information Scanning

Host/Device Discovery Using nmap
nmap -O -P
Starting Nmap 4.01 ( ) at :03 CST
Interesting ports on :
(The 1671 ports scanned but not shown below are in state: filtered)
PORT   STATE SERVICE
23/tcp open  telnet
MAC Address: 00:0F:34:11:80:45 (Cisco Systems)
Device type: VoIP phone
Running: Cisco embedded
OS details: Cisco IP phone (POS , PC030301)
Interesting ports on :
(The 1671 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:15:62:86:BA:3E (Cisco Systems)
Device type: VoIP phone|VoIP adapter
Running: Cisco embedded
OS details: Cisco VoIP Phone 7905/7912 or ATA 186 Analog Telephone Adapter
Interesting ports on :
(The 1671 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0E:08:DA:DA:17 (Sipura Technology)
Device type: VoIP adapter
Running: Sipura embedded
OS details: Sipura SPA-841/1000/2000/3000 POTS VoIP gateway
Gathering Information Scanning

Host/Device Discovery Ports SIP-enabled devices will usually respond on UDP/TCP ports 5060 and 5061 SCCP-enabled phones (Cisco) respond on UDP/TCP Sometimes you might see UDP or TCP port (VxWorks remote debugging!) Gathering Information Scanning

Host/Device Discovery Ping Sweeps Gathering Information Scanning

Host/Device Discovery ARP Pings

Several tools available:  nmap  hping Host/Device Discovery TCP Ping Scans Gathering Information Scanning

Host/Device Discovery SNMP Sweeps Gathering Information Scanning

Use firewalls and Intrusion Prevention Systems (IPSs) to block ping and TCP sweeps VLANs can help isolate ARP pings Ping sweeps can be blocked at the perimeter firewall Use secure (SNMPv3) version of SNMP Change SNMP public strings Host/Device Discovery Countermeasures Gathering Information Scanning

Consists of various techniques used to find open ports and services on hosts These ports can be targeted later nmap is the most commonly used tool for TCP SYN and UDP scans Port Scanning/Service Discovery Gathering Information Scanning

Using non-Internet routable IP addresses will prevent external scans Firewalls and IPSs can detect and possibly block scans VLANs can be used to partition the network to prevent scans from being effective Port Scanning/Service Discovery Countermeasures Gathering Information Scanning

After hosts are found and ports identified, the type of device can be determined Classifies host/device by operating system Network stack fingerprinting is a common technique for identifying hosts/devices nmap is commonly used for this purpose Host/Device Identification Gathering Information Scanning

Firewalls and IPSs can detect and possibly block scans Disable unnecessary ports and services on hosts Host/Device Identification Countermeasures Gathering Information Scanning

Involves testing open ports and services on hosts/devices to gather more information Includes running tools to determine if open services have known vulnerabilities Also involves scanning for VoIP-unique information such as phone numbers Includes gathering information from TFTP servers and SNMP Enumeration Introduction Gathering Information Enumeration

Vulnerability Testing Tools Gathering Information Enumeration

Vulnerability Testing Tools Gathering Information Enumeration

Vulnerability Testing Countermeasures Gathering Information Enumeration The best solution is to upgrade your applications and make sure you continually apply patches Some firewalls and IPSs can detect and mitigate vulnerability scans

SIP Enumeration Introduction Gathering Information Enumeration

SIP Enumeration Requests
SIP Request | Purpose | RFC Reference
INVITE | to initiate a conversation | RFC 3261
BYE | to terminate an existing connection between two users in a session | RFC 3261
OPTIONS | to determine the SIP messages and codecs that the UA or server understands | RFC 3261
REGISTER | to register a location from a SIP user | RFC 3261
ACK | to acknowledge a response from an INVITE request | RFC 3261
CANCEL | to cancel a pending INVITE request, but does not affect a completed request (for instance, to stop the call setup if the phone is still ringing) | RFC 3261
Gathering Information Enumeration

SIP Enumeration Responses SIP responses are 3-digit codes much like HTTP. The first digit indicates the category of the response:  1xx responses – information responses  2xx responses – successful responses  3xx responses – redirection responses  4xx responses – request failure responses  5xx responses – server failure responses  6xx responses – global failure responses Gathering Information Enumeration

SIP Enumeration Directory Scanning
nc
OPTIONS SIP/2.0
Via: SIP/2.0/TCP ;branch=4ivBcVj5ZnPYgb
To: alice
Content-Length: 0

SIP/2.0 404 Not Found
Via: SIP/2.0/TCP ;branch=4ivBcVj5ZnPYgb;received=
To: alice
Server: Sip EXpress router (0.9.6 (i386/linux))
Content-Length: 0
Warning: :5060 "Noisy feedback tells: pid=29801 req_src_ip= req_src_port= via_cnt==1"
Gathering Information Enumeration

SIP Enumeration Directory Scanning Gathering Information Enumeration

SIP Enumeration Automated Directory Scanning Gathering Information Enumeration
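The server-side view of the directory scan shown above, as an added example (not code from the presentation): it classifies SIP status lines by the response classes listed earlier and flags any source that collects 404 Not Found answers for many distinct users within a short window. The log entries, addresses and thresholds are constructed.

```python
"""Classify SIP responses and flag directory scanning from a proxy's log.

Added example, not code from the original presentation.  It reads the
kind of status lines shown in the nc session above and raises an alert
when one source address collects 404 Not Found answers for many
distinct users within a short window, which is what an OPTIONS or
INVITE directory scan looks like from the server side.
"""
import re
from collections import defaultdict

# Response classes as listed on the "SIP Enumeration Responses" slide
CLASSES = {1: "informational", 2: "success", 3: "redirection",
           4: "request failure", 5: "server failure", 6: "global failure"}

STATUS_RE = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")


def classify(status_line):
    """Return (code, class name) for a status line such as
    'SIP/2.0 404 Not Found'."""
    m = STATUS_RE.match(status_line.strip())
    if not m:
        raise ValueError("not a SIP status line: %r" % status_line)
    code = int(m.group(1))
    return code, CLASSES.get(code // 100, "unknown")


# Constructed proxy log: (seconds, source IP, target user, status line sent).
# 10.0.0.5 is an ordinary phone; 10.0.0.99 walks through an extension range.
LOG = [
    (0.0,  "10.0.0.5",  "alice", "SIP/2.0 200 OK"),
    (1.0,  "10.0.0.99", "100",   "SIP/2.0 404 Not Found"),
    (1.5,  "10.0.0.99", "101",   "SIP/2.0 404 Not Found"),
    (2.0,  "10.0.0.99", "102",   "SIP/2.0 404 Not Found"),
    (2.5,  "10.0.0.99", "103",   "SIP/2.0 200 OK"),        # a valid extension
    (3.0,  "10.0.0.99", "104",   "SIP/2.0 404 Not Found"),
    (3.5,  "10.0.0.99", "105",   "SIP/2.0 404 Not Found"),
    (4.0,  "10.0.0.99", "106",   "SIP/2.0 404 Not Found"),
    (30.0, "10.0.0.5",  "bob",   "SIP/2.0 404 Not Found"),  # a single misdial
]


def detect_scans(events, window=10.0, threshold=5):
    """Return {source: set of probed users} for every source that received
    404s for at least `threshold` distinct users inside any `window`
    seconds.  A single wrong number never reaches the threshold."""
    by_src = defaultdict(list)
    for ts, src, user, line in events:
        code, _ = classify(line)
        if code == 404:
            by_src[src].append((ts, user))
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            users = {u for t, u in hits[i:] if t - start <= window}
            if len(users) >= threshold:
                alerts[src] = users
                break
    return alerts


if __name__ == "__main__":
    for src, users in detect_scans(LOG).items():
        print("possible directory scan from %s: %s" % (src, sorted(users)))
```

Returning a uniform response for known and unknown users removes the signal the scan relies on; this detector is the fallback when the proxy cannot be configured that way.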

TFTP Enumeration Introduction Almost all phones we tested use TFTP to download their configuration files The TFTP server is rarely well protected If you know or can guess the name of a configuration or firmware file, you can download it without even specifying a password The files are downloaded in the clear and can be easily sniffed Configuration files have usernames, passwords, IP addresses, etc. in them Gathering Information Enumeration

TFTP Enumeration Using TFTPBRUTE
perl tftpbrute.pl brutefile.txt 100
tftpbrute.pl, , V 0.1
TFTP file word database: brutefile.txt
TFTP server
Max processes 100
Processes are: 1
Processes are: 12
*** Found TFTP server remote filename : sip.cfg
*** Found TFTP server remote filename : 46xxsettings.txt
Processes are: 13
Processes are: 14
*** Found TFTP server remote filename : sip_4602D02A.txt
*** Found TFTP server remote filename : XMLDefault.cnf.xml
*** Found TFTP server remote filename : SipDefault.cnf
Gathering Information Enumeration

TFTP Enumeration Countermeasures Gathering Information Enumeration It is difficult not to use TFTP, since it is so commonly used by VoIP vendors Some vendors offer more secure alternatives Firewalls can be used to restrict access to TFTP servers to valid devices

SNMP Enumeration Introduction SNMP is enabled by default on most IP PBXs and IP phones Simple SNMP sweeps will garner lots of useful information If you know the device type, you can use snmpwalk with the appropriate OID You can find the OID using Solarwinds MIB Default “passwords”, called community strings, are common Gathering Information Enumeration

SNMP Enumeration Solarwinds Gathering Information Enumeration

SNMP Enumeration snmpwalk
~]# snmpwalk -c public -v
SNMPv2-SMI::enterprises = STRING: "Obsolete"
SNMPv2-SMI::enterprises = STRING: "4620D01B"
SNMPv2-SMI::enterprises = STRING: "AvayaCallserver"
SNMPv2-SMI::enterprises = IpAddress:
SNMPv2-SMI::enterprises = INTEGER: 1719
SNMPv2-SMI::enterprises = STRING: " "
SNMPv2-SMI::enterprises = STRING: " "
SNMPv2-SMI::enterprises = STRING: " "
SNMPv2-SMI::enterprises = STRING: "00:04:0D:50:40:B0"
SNMPv2-SMI::enterprises = STRING: "100"
SNMPv2-SMI::enterprises = IpAddress:
SNMPv2-SMI::enterprises = INTEGER: 0
SNMPv2-SMI::enterprises = INTEGER: 0
SNMPv2-SMI::enterprises = INTEGER: 0
SNMPv2-SMI::enterprises = STRING: " "
SNMPv2-SMI::enterprises = IpAddress:
SNMPv2-SMI::enterprises = IpAddress:
SNMPv2-SMI::enterprises = INTEGER: 20
SNMPv2-SMI::enterprises = STRING: "503"
Gathering Information Enumeration

Disable SNMP on any devices where it is not needed Change default public and private community strings Try to use SNMPv3, which supports authentication SNMP Enumeration Countermeasures Gathering Information Enumeration

The VoIP network and supporting infrastructure are vulnerable to attacks Most attacks will originate inside the network, once access is gained Attacks include:  Network infrastructure DoS  Network eavesdropping  Network and application interception Attacking The Network

Several attack vectors include:  Installing a simple wired hub  Wi-Fi sniffing  Compromising a network node  Compromising a VoIP phone  Compromising a switch  Compromising a proxy, gateway, or PC/softphone  ARP poisoning  Circumventing VLANs Attacking The Network Gaining Access

Some techniques for circumventing VLANs:  If MAC filtering is not used, you can disconnect a VoIP phone and connect a PC  Even if MAC filtering is used, you can easily spoof the MAC  Be especially cautious of VoIP phones in public areas (such as lobby phones) Attacking The Network Gaining Access

Some other VLAN attacks:  MAC flooding attack  802.1q and ISL tagging attack  Double-encapsulated 802.1q/Nested VLAN attack  Private VLAN attack  Spanning-tree protocol attack  VLAN trunking protocol attack Attacking The Network Gaining Access

The VoIP network and supporting infrastructure are vulnerable to attacks VoIP media/audio is particularly susceptible to any DoS attack which introduces latency and jitter Attacks include:  Flooding attacks  Network availability attacks  Supporting infrastructure attacks Network Infrastructure DoS Attacking The Network Network DoS

Flooding attacks generate so many packets at a target, that it is overwhelmed and can’t process legitimate requests Flooding Attacks Introduction Attacking The Network Network DoS

Flooding Attacks Call Quality
VoIP is much more sensitive to network issues than traditional data applications like web and email:
 Network Latency – amount of time it takes for a packet to travel from the speaker to the listener
 Jitter – occurs when the speaker sends packets at constant rates but they arrive at the listener at variable rates
 Packet Loss – occurs under heavy load and oversubscription
Mean Opinion Score – subjective quality of a conversation measured from 1 (unintelligible) to 5 (very clear)
R-value – mathematical measurement from 1 (unintelligible) to 100 (very clear)
Attacking The Network Network DoS

Software applications (Wireshark, AdventNet, WildPackets, etc.) Hardware appliances (Agilent, Empirix, Qovia, etc.) Integrated routers and switches (e.g. Cisco QoS Policy Manager) Flooding Attacks Call Quality Attacking The Network Network DoS
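The call-quality metrics defined on the previous slide, as an added example (not the presentation's code): RFC 3550 interarrival jitter and packet loss computed from a constructed RTP capture, and a simplified ITU-T G.107 E-model (Cole and Rosenbluth delay term, G.113 G.711 impairment values) that turns delay and loss into an R-value and MOS. The codec, clock rate and packet list are assumptions.

```python
"""Compute the call-quality indicators from the slides for one RTP stream:
RFC 3550 interarrival jitter, packet loss from sequence numbers, and the
ITU-T G.107 E-model conversion from R-value to MOS.  Added example with a
constructed packet list; it is not the presentation's own code, and the
R-value estimate uses the common simplified E-model terms rather than a
full G.107 calculation."""

CLOCK = 8000          # RTP clock rate for G.711 (assumed for the sample)
PTIME_UNITS = 160     # 20 ms of audio per packet at 8 kHz

# Constructed capture: (arrival time in seconds, RTP timestamp, sequence no.)
# Packet 5 never arrives; packets 3 and 7 arrive late.
PACKETS = [
    (0.000, 0,   1),
    (0.020, 160, 2),
    (0.045, 320, 3),
    (0.060, 480, 4),
    (0.100, 800, 6),
    (0.130, 960, 7),
]


def rfc3550_jitter(packets, clock=CLOCK):
    """Smoothed interarrival jitter in milliseconds, RFC 3550 section 6.4.1:
    D(i-1,i) = (R_i - R_{i-1}) - (S_i - S_{i-1});  J += (|D| - J) / 16."""
    j = 0.0
    prev = None
    for arrival, ts, _seq in packets:
        if prev is not None:
            d = (arrival - prev[0]) * clock - (ts - prev[1])
            j += (abs(d) - j) / 16.0
        prev = (arrival, ts)
    return j * 1000.0 / clock


def packet_loss(packets):
    """Fraction of packets missing between the first and last sequence
    number seen (no wrap-around handling; the sequence space is 16-bit)."""
    seqs = {seq for _, _, seq in packets}
    expected = max(seqs) - min(seqs) + 1
    return 1.0 - len(seqs) / expected


def estimate_r(one_way_delay_ms, loss_fraction, ie=0.0, bpl=4.3):
    """Simplified E-model: R = 93.2 - Id - Ie_eff.  The ie/bpl defaults are
    the G.113 values for G.711 without packet loss concealment (assumption).
    Id uses the Cole and Rosenbluth approximation of the G.107 delay term."""
    d = one_way_delay_ms
    i_d = 0.024 * d + (0.11 * (d - 177.3) if d > 177.3 else 0.0)
    ppl = loss_fraction * 100.0
    ie_eff = ie + (95.0 - ie) * ppl / (ppl + bpl)
    return 93.2 - i_d - ie_eff


def r_to_mos(r):
    """ITU-T G.107 mapping from R (0..100) to MOS (1.0..4.5)."""
    if r <= 0:
        return 1.0
    if r >= 100:
        return 4.5
    return 1 + 0.035 * r + r * (r - 60) * (100 - r) * 7e-6


def grade_stream(packets, one_way_delay_ms):
    """Summarise a stream as the slides' metrics.  Jitter is folded into the
    delay budget because the receiver's jitter buffer must absorb it."""
    jitter = rfc3550_jitter(packets)
    loss = packet_loss(packets)
    r = estimate_r(one_way_delay_ms + jitter, loss)
    return {"jitter_ms": jitter, "loss": loss, "r": r, "mos": r_to_mos(r)}


if __name__ == "__main__":
    print(grade_stream(PACKETS, one_way_delay_ms=40.0))
    # the same codec during a flood: 200 ms one-way delay and 5 % loss
    flooded = estimate_r(200.0, 0.05)
    print({"r": flooded, "mos": r_to_mos(flooded)})
```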

Some types of floods are:  UDP floods  TCP SYN floods  ICMP and Smurf floods  Worm and virus oversubscription side effect  QoS manipulation  Application flooding Flooding Attacks Types of Floods Attacking The Network Network DoS

Layer 2 and 3 QoS mechanisms are commonly used to give priority to VoIP media (and signaling) Use rate limiting in network switches Use anti-DoS/DDoS products Some vendors have DoS support in their products (in newer versions of software) Flooding Attacks Countermeasures Attacking The Network Network DoS

This type of attack involves an attacker trying to crash the underlying operating system:  Fuzzing involves sending malformed packets, which exploit a weakness in software  Packet fragmentation  Buffer overflows Network Availability Attacks Attacking The Network Network DoS

A network IPS is an inline device that detects and blocks attacks Some firewalls also offer this capability Host based IPS software also provides this capability Network Availability Attacks Countermeasures Attacking The Network Network DoS

VoIP systems rely heavily on supporting services such as DHCP, DNS, TFTP, etc. DHCP exhaustion is an example, where a hacker uses up all the IP addresses, denying service to VoIP phones DNS cache poisoning involves tricking a DNS server into using a fake DNS response Supporting Infrastructure Attacks Attacking The Network Network DoS

Configure DHCP servers not to lease addresses to unknown MAC addresses DNS servers should be configured to analyze information from non-authoritative servers and drop any response not related to an outstanding query Supporting Infrastructure Attacks Countermeasures Attacking The Network Network DoS

VoIP signaling, media, and configuration files are vulnerable to eavesdropping Attacks include:  TFTP configuration file sniffing  Number harvesting and call pattern tracking  Conversation eavesdropping Network Eavesdropping Introduction Attacking The Network Eavesdropping

TFTP files are transmitted in the clear and can be sniffed One easy way is to connect a hub to a VoIP phone, reboot it, and capture the file By sniffing signaling, it is possible to build a directory of numbers and track calling patterns voipong automates the process of logging all calls TFTP/Numbers/Call Patterns Attacking The Network Eavesdropping

Conversation Recording Wireshark Attacking The Network Eavesdropping

Conversation Recording Wireshark

Attacking The Network Eavesdropping Conversation Recording Cain And Abel

Other tools include:  vomit  Voipong  voipcrack (not public)  DTMF decoder Conversation Recording Other Tools Attacking The Network Eavesdropping

Place the TFTP server on the same VLAN as the VoIP phones and use a firewall to ensure that only VoIP phones communicate with it Use encryption:  Many vendors offer encryption for signaling  Use the Transport Layer Security (TLS) for signaling  Many vendors offer encryption for media  Use Secure Real-time Transport Protocol (SRTP)  Use ZRTP  Use proprietary encryption if you have to Network Eavesdropping Countermeasures Attacking The Network Eavesdropping

The VoIP network is vulnerable to Man-In-The-Middle (MITM) attacks, allowing:  Eavesdropping on the conversation  Causing a DoS condition  Altering the conversation by omitting, replaying, or inserting media  Redirecting calls Attacks include:  Network-level interception  Application-level interception Network/Application Interception Introduction Attacking The Network Net/App Interception

The most common network-level MITM attack is ARP poisoning Involves tricking a host into thinking the MAC address of the attacker is the intended address There are a number of tools available to support ARP poisoning:  Cain and Abel  ettercap  Dsniff  hunt Network Interception ARP Poisoning Attacking The Network Net/App Interception

Network Interception ARP Poisoning Attacking The Network Net/App Interception

Network Interception ARP Poisoning Attacking The Network Net/App Interception

Network Interception ARP Poisoning Attacking The Network Net/App Interception

Network Interception Countermeasures Attacking The Network Net/App Interception Some countermeasures for ARP poisoning are:  Static OS mappings  Switch port security  Proper use of VLANs  Signaling encryption/authentication  ARP poisoning detection tools, such as arpwatch
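How an arpwatch-style detector recognises the ARP poisoning described above, as an added example (not code from the presentation or from arpwatch): it decodes raw ARP payloads, keeps trusted static entries for the gateway and the IP PBX, and reports a changed binding or one MAC answering for several addresses. All addresses, MACs and frames are constructed.

```python
"""arpwatch-style detector for ARP poisoning on a voice VLAN.

Added example, not part of the original presentation.  It decodes raw ARP
payloads, keeps an IP-to-MAC table seeded with trusted static entries (the
phones' default gateway and the IP PBX), and reports the two signatures of
cache poisoning: a binding that changes ("flip-flop") and one MAC that
answers for several IP addresses ("multi-claim").  All frames are constructed.
"""
import struct
from collections import defaultdict

ARP_FMT = "!HHBBH6s4s6s4s"   # hw type, proto type, hlen, plen, op, sha, spa, tha, tpa
OP_REQUEST, OP_REPLY = 1, 2


def build_arp(op, sha, spa, tha, tpa):
    """Construct a 28-byte Ethernet/IPv4 ARP payload (sample data only)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))


def parse_arp(payload):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip)."""
    _, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if ptype != 0x0800 or hlen != 6 or plen != 4:
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    fmt_mac = lambda b: ":".join("%02x" % x for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return op, fmt_mac(sha), fmt_ip(spa), fmt_mac(tha), fmt_ip(tpa)


class ArpWatch:
    def __init__(self, static=None):
        self.static = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.table = dict(self.static)      # ip -> mac as learned from the wire
        self.claims = defaultdict(set)      # mac -> ips it has answered for
        self.reported = set()
        self.alerts = []                    # (kind, ip(s), old_mac, new_mac)

    def observe(self, payload):
        op, sha, spa, _tha, _tpa = parse_arp(payload)
        if op != OP_REPLY:
            return      # requests do not change caches; only 'is-at' replies do
        known = self.table.get(spa)
        if known is None:
            self.table[spa] = sha
        elif known != sha:
            if spa in self.static:
                # never let the wire override a trusted entry
                self.alerts.append(("static-override", spa, known, sha))
            else:
                # a legitimate DHCP re-lease looks the same; correlate with the
                # DHCP server's lease log before treating it as hostile
                self.alerts.append(("flip-flop", spa, known, sha))
                self.table[spa] = sha
        self.claims[sha].add(spa)
        if len(self.claims[sha]) > 1 and sha not in self.reported:
            self.reported.add(sha)
            self.alerts.append(("multi-claim", ",".join(sorted(self.claims[sha])), None, sha))


GATEWAY, PBX = "10.10.20.1", "10.10.20.10"
PHONE, PC = "10.10.20.50", "10.10.20.77"
PHONE_MAC, PC_MAC = "00:0f:34:11:80:45", "cc:cc:cc:cc:cc:cc"

# Constructed sequence: normal traffic, then the PC answers for the gateway
# and for the phone, the bindings a man-in-the-middle between them needs.
SAMPLE = [
    build_arp(OP_REPLY, PHONE_MAC, PHONE, "aa:aa:aa:aa:aa:aa", GATEWAY),
    build_arp(OP_REPLY, PC_MAC, PC, "aa:aa:aa:aa:aa:aa", GATEWAY),
    build_arp(OP_REQUEST, PHONE_MAC, PHONE, "00:00:00:00:00:00", PBX),
    build_arp(OP_REPLY, PC_MAC, GATEWAY, PHONE_MAC, PHONE),
    build_arp(OP_REPLY, PC_MAC, PHONE, "aa:aa:aa:aa:aa:aa", GATEWAY),
]


def run(frames=SAMPLE):
    """Feed the frames to a watcher seeded with the static entries."""
    w = ArpWatch(static={GATEWAY: "aa:aa:aa:aa:aa:aa", PBX: "bb:bb:bb:bb:bb:bb"})
    for f in frames:
        w.observe(f)
    return w


if __name__ == "__main__":
    for alert in run().alerts:
        print(alert)
```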

Application Interception Introduction Attacking The Network Net/App Interception It is also possible to perform a MITM attack at the application layer Some possible ways to perform this attack include:  Registration hijacking  Redirection attacks  VoIP phone reconfiguration  Inserting a bridge via physical network access

User Attacker Proxy Attacker Places Themselves Between Proxies Or Proxy/UA Application Interception Attacking The Network Net/App Interception

Application Interception Countermeasures Attacking The Network Net/App Interception Some countermeasures to application-level interception are:  Use VLANs for separation  Use TCP/IP  Use signaling encryption/authentication (such as TLS)  Enable authentication for requests  Deploy SIP firewalls to protect SIP proxies from attacks
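The "enable authentication for requests" countermeasure worked through, as an added example (not the presentation's code): a minimal registrar that challenges a REGISTER, verifies the SIP Digest response (RFC 3261 section 22, the RFC 2617 MD5 scheme) and tracks the nonce count so a captured registration cannot be replayed to hijack it. The realm, users and passwords are constructed.

```python
"""Digest authentication check for SIP REGISTER.

Added example, not the presentation's code: a minimal registrar that
issues a challenge, verifies the client's Digest response (RFC 3261
section 22, i.e. the RFC 2617 MD5 digest) and tracks the nonce count so
that a captured, valid REGISTER cannot simply be replayed to hijack the
registration.  Realm, users and passwords below are constructed.
"""
import hashlib
import hmac
import re
import secrets

PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def parse_digest(header):
    """Parse 'Digest k="v", k2=v2, ...' into a dict (quoted or bare values)."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PARAM_RE.finditer(params)}


def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 request-digest: MD5(HA1:nonce[:nc:cnonce:qop]:HA2)."""
    ha1 = md5hex("%s:%s:%s" % (user, realm, password))
    ha2 = md5hex("%s:%s" % (method, uri))
    if qop == "auth":
        return md5hex(":".join([ha1, nonce, nc, cnonce, qop, ha2]))
    return md5hex("%s:%s:%s" % (ha1, nonce, ha2))


class Registrar:
    def __init__(self, realm, users):
        self.realm = realm
        self.users = users          # username -> password (store HA1 in practice)
        self.nonces = {}            # nonce -> highest nonce-count accepted

    def challenge(self):
        """WWW-Authenticate value for the 401 that answers a bare REGISTER."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return 'Digest realm="%s", nonce="%s", qop="auth", algorithm=MD5' % (self.realm, nonce)

    def verify(self, method, authorization):
        """Return (accepted, reason) for the Authorization header of the retry."""
        p = parse_digest(authorization)
        for k in ("username", "realm", "nonce", "uri", "response"):
            if k not in p:
                return False, "missing " + k
        if p["realm"] != self.realm or p["nonce"] not in self.nonces:
            return False, "wrong realm or unknown nonce"
        qop = p.get("qop")
        nc = 0
        if qop == "auth":
            if "nc" not in p or "cnonce" not in p:
                return False, "qop=auth requires nc and cnonce"
            nc = int(p["nc"], 16)
            if nc <= self.nonces[p["nonce"]]:
                return False, "replayed nonce count"   # a resent capture lands here
        elif qop is not None:
            return False, "unsupported qop"
        # unknown user: still compute a digest so timing does not reveal names
        password = self.users.get(p["username"], "")
        expected = digest_response(p["username"], self.realm, password, method,
                                   p["uri"], p["nonce"], qop, p.get("nc"), p.get("cnonce"))
        if not hmac.compare_digest(expected, p["response"]) or p["username"] not in self.users:
            return False, "bad credentials"
        if qop == "auth":
            self.nonces[p["nonce"]] = nc
        else:
            del self.nonces[p["nonce"]]      # without qop a nonce is single-use
        return True, "ok"


def client_authorization(user, password, realm, challenge, method, uri, nc, cnonce):
    """Build the Authorization header a phone sends after the 401 challenge."""
    nonce = parse_digest(challenge)["nonce"]
    resp = digest_response(user, realm, password, method, uri, nonce, "auth", nc, cnonce)
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", qop=auth, '
            'nc=%s, cnonce="%s", response="%s", algorithm=MD5'
            % (user, realm, nonce, uri, nc, cnonce, resp))
```

Digest only proves possession of the password; it leaves the rest of the message unprotected, so it complements rather than replaces the TLS item above.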

This section describes unique attacks against specific VoIP vendor platforms, including:  Avaya  Cisco Attacking The Platform

The Avaya Communication Manager is Avaya's enterprise-class offering Offers strong security, but some default configuration should be changed Avaya uses Linux and VxWorks as the underlying operating system on many components, which is arguably more secure than Windows Avaya Communication Manager Attacking The Platform Avaya

Avaya Communication Manager Attacking The Platform Avaya

Open Ports Attacking The Platform Avaya


Open Ports Countermeasures (Attacking The Platform / Avaya)


SNMP and TFTP (Attacking The Platform / Avaya)
Avaya uses TFTP and SNMP.
In 3.0, SNMP is enabled by default on the IP PBX and IP phones.
Some components ship with default public and private community strings.

SNMP and TFTP Countermeasures (Attacking The Platform / Avaya)
Use the same countermeasures as before.
Avaya provides a secure copy feature as an alternative to TFTP.
Communication Manager 4.0 disables SNMP by default.
Version 2.6 for IP phones does not ship with default community strings.

Flooding Attacks (Attacking The Platform / Avaya)
We used udpflood and tcpsynflood to perform DoS attacks against various components.
Unfortunately, these attacks were very disruptive.

Flooding Attacks Countermeasures (Attacking The Platform / Avaya)
Use the same countermeasures as before.
Avaya C-LAN cards provide some level of DoS mitigation.
Newer IP phone software provides better DoS mitigation.

Miscellaneous Security Issues (Attacking The Platform / Avaya)
Avaya signaling and media are vulnerable to eavesdropping.
Avaya uses some default passwords on key IP PBX components.
Password recommendations for IP phones are weak.
By default, Avaya IP phones can be reconfigured when booted.

Miscellaneous Security Issues Countermeasures (Attacking The Platform / Avaya)
Avaya supports proprietary encryption for signaling and media. SRTP will be supported in Communication Manager 4.0.
Default passwords should be changed to strong values.
Local access to the IP phone can be controlled with a password.

Cisco Unified Call Manager (Attacking The Platform / Cisco)
The Cisco Unified Call Manager is Cisco's enterprise-class offering.
Offers strong security, but requires some configuration.
Version 4.1 is based on Windows. Version 5.0 is based on Linux.
A must-read document is the Solution Reference Network Design (SRND) for Voice communications. It includes great deployment scenarios and security use cases (lobby phone, desktop phone, call manager encryption how-to, etc.).

Cisco Introduction (Attacking The Platform / Cisco)

Cisco Discovery Protocol (Attacking The Platform / Cisco)
Cisco Discovery Protocol – Cisco's proprietary layer 2 network management protocol.
Contains juicy information that is broadcast on the entire segment – Disable it!

Port Scanning (Attacking The Platform / Cisco)
Cisco Unified Call Manager requires a large number of open ports.

Port Scanning Countermeasures (Attacking The Platform / Cisco)
Cisco IOS has a great feature called "autosecure" that:
- disables a slew of services (finger, http, ICMP, source routing, etc.)
- enables some services (password encryption, TCP synwait-time, logging, etc.)
- locks down the router and switch (enables only ssh, blocks private address blocks from traversing, enables netflow, etc.)

Flooding Countermeasures (Attacking The Platform / Cisco)
Network Flooding Countermeasures:
- Another great feature from Cisco is AutoQoS, a new IOS feature (the auto qos command).
- Enables Quality of Service for VoIP traffic across every Cisco router and switch.
- Scavenger class QoS is also a relatively new Cisco strategy – rate shape all bursty non-VoIP traffic.

DoS and OS Exploitation Countermeasures (Attacking The Platform / Cisco)
Patch Management is key – use the Cisco Voice Technology Group Subscription Tool ( bin/Software/Newsbuilder/Builder/VOICE.cgi).

Eavesdropping and Interception Countermeasures (Attacking The Platform / Cisco)
- Enable port security on Cisco switches to help mitigate ARP spoofing
- Enable Dynamic ARP Inspection to thwart ARP spoofing
- Dynamically restrict Ethernet port access with 802.1x port authentication
- Enable DHCP Snooping to prevent DHCP spoofing
- Configure IP source guard on switches

Eavesdropping and Interception Countermeasures (Attacking The Platform / Cisco)
- Configure VTP Transparent Mode
- Change the default Native VLAN value to thwart VLAN hopping
- Disable Dynamic Trunk Protocol (DTP) to thwart VLAN hopping

Eavesdropping and Interception Countermeasures (Attacking The Platform / Cisco)
- Activate authentication and encryption of the signaling and media streams:
  - Skinny over TLS
  - SRTP
- Requires creating and distributing certificates on phones
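The switch-side items on the three slides above are all things an auditor can verify from the running configuration. The Python below is an added example, not a Cisco tool and not from the slides, that checks a constructed IOS configuration for each listed countermeasure: DHCP snooping, Dynamic ARP Inspection and VTP transparent mode globally; port security, IP source guard, 802.1x and DTP disabled (switchport nonegotiate) on each access port; and a non-default native VLAN on trunks. The command keywords are the standard IOS ones for these features; the interface names, descriptions and VLAN numbers are made up for the example.

```python
"""Audit a Cisco IOS switch configuration for layer-2 VoIP countermeasures.

Added example for this page, not a Cisco tool. The configuration text below is
constructed; the command keywords are the standard IOS ones for each feature.
"""
import re
from typing import Dict, List

# Global (system-wide) checks: regex -> countermeasure it proves present
GLOBAL_CHECKS = {
    r"^ip dhcp snooping$": "DHCP snooping (anti DHCP spoofing)",
    r"^ip arp inspection vlan \S+": "Dynamic ARP inspection (anti ARP spoofing)",
    r"^vtp mode transparent": "VTP transparent mode",
}

# Per access-port checks: regex -> countermeasure it proves present
ACCESS_PORT_CHECKS = {
    r"^switchport port-security": "port security",
    r"^ip verify source": "IP source guard",
    r"^dot1x port-control auto": "802.1x port authentication",
    r"^switchport nonegotiate": "DTP disabled (anti VLAN hopping)",
}


def split_sections(config: str) -> Dict[str, List[str]]:
    """Map interface name -> its indented lines; the key '' holds global lines."""
    sections: Dict[str, List[str]] = {"": []}
    current = ""
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):      # blank or IOS section separator
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            sections[current] = []
        elif line.startswith(" "):                 # indented = belongs to current block
            sections[current].append(line.strip())
        else:                                      # unindented = global command
            current = ""
            sections[""].append(line)
    return sections


def audit(config: str) -> List[str]:
    """Return one finding per missing countermeasure (empty list = hardened)."""
    sections = split_sections(config)
    findings: List[str] = []
    for pattern, desc in GLOBAL_CHECKS.items():
        if not any(re.match(pattern, l) for l in sections[""]):
            findings.append(f"global: missing {desc}")
    for name, lines in sections.items():
        if not name:
            continue
        if any(l.startswith("switchport mode trunk") for l in lines):
            # Trunk port: the native VLAN must not be left at the default (VLAN 1)
            native = [l.split()[-1] for l in lines
                      if l.startswith("switchport trunk native vlan ")]
            if not native or native[0] == "1":
                findings.append(f"{name}: native VLAN left at default (VLAN hopping risk)")
            continue
        for pattern, desc in ACCESS_PORT_CHECKS.items():
            if not any(re.match(pattern, l) for l in lines):
                findings.append(f"{name}: missing {desc}")
    return findings


# Constructed configuration: one hardened phone port, one forgotten port, one trunk.
SAMPLE_CONFIG = """\
!
ip dhcp snooping
ip dhcp snooping vlan 10,20
vtp mode transparent
!
interface GigabitEthernet1/0/1
 description IP phone, hardened
 switchport access vlan 20
 switchport voice vlan 10
 switchport port-security
 ip verify source
 dot1x port-control auto
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description conference room, never hardened
 switchport access vlan 20
!
interface GigabitEthernet1/0/48
 description uplink
 switchport mode trunk
!
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the constructed configuration the audit reports the missing Dynamic ARP Inspection globally, all four per-port items on the unhardened port, and the default native VLAN on the trunk; the hardened phone port produces no findings.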

Attacking The Application
VoIP systems are vulnerable to application attacks against the various VoIP protocols.
Attacks include:
- Fuzzing attacks
- Flood-based DoS
- Signaling and media manipulation

Fuzzing Introduction (Attacking The Application / Fuzzing)
Fuzzing describes attacks where malformed packets are sent to a VoIP system in an attempt to crash it.
Research has shown that VoIP systems, especially those employing SIP, are vulnerable to fuzzing attacks.
There are many public domain tools available for fuzzing (see the list on the following slide).

Fuzzing Example (Attacking The Application / Fuzzing)
INVITE SIP/2.0
Via: SIP/2.0/UDP :6060
From: UserAgent
To: 6713
Call-ID:
Cseq: 1 INVITE
Subject: VovidaINVITE
Contact:
Content-Type: application/sdp
Content-Length: 168

Fuzzing Example (Attacking The Application / Fuzzing)
INVITE SIP/2.0
Via: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa…
From: UserAgent
To: 6713
Call-ID:
Cseq: 1 INVITE
Subject: VovidaINVITE
Contact:
Content-Type: application/sdp
Content-Length: 168

Fuzzing Public Domain Tools (Attacking The Application / Fuzzing)
There are many public domain tools available for fuzzing:
- Protos suite
- Asteroid
- Fuzzy Packet
- NastySIP
- Scapy
- SipBomber
- SFTF
- SIP Proxy
- SIPp
- SIPsak

Fuzzing Commercial Tools (Attacking The Application / Fuzzing)
There are some commercial tools available:
- Beyond Security BeStorm
- Codenomicon
- MuSecurity Mu-4000 Security Analyzer
- Security Innovation Hydra
- Sipera Systems LAVA tools

Fuzzing Countermeasures (Attacking The Application / Fuzzing)
Make sure your vendor has tested their systems for fuzzing attacks.
Consider running your own tests.
A VoIP-aware IPS can monitor for and block fuzzing attacks.
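The VoIP-aware IPS countermeasure has a concrete shape: a pre-parser sanity check that drops malformed requests before they reach a fragile SIP stack. The Python below is an added example for this page (not from the slides or any product) of such a check. It enforces a request-line format, a per-header-line length cap, a header count cap, the mandatory SIP headers and a consistent Content-Length, and is run against a constructed well-formed INVITE and a variant carrying the oversized Via header of the fuzzing example above. The numeric limits and the sample messages are assumptions for the example, not values from a standard.

```python
"""Sanity-check a raw SIP request before handing it to the real parser.

Added example, not from the slides or any vendor product. The limits below are
illustrative choices for the example, not values taken from an RFC.
"""
import re
from typing import Dict, List

MAX_LINE_LEN = 1024       # a single header line longer than this is suspect
MAX_HEADER_COUNT = 64     # a legitimate INVITE carries a few dozen headers at most
REQUIRED_HEADERS = ("via", "from", "to", "call-id", "cseq")
METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS", "NOTIFY",
           "SUBSCRIBE", "REFER", "INFO", "PRACK", "UPDATE", "MESSAGE"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")


def check_sip_request(raw: bytes) -> List[str]:
    """Return a list of violations; an empty list means the request passes."""
    problems: List[str] = []
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ["non-ASCII bytes in message"]
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        problems.append("missing blank line terminating headers")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        problems.append("malformed request line")
    elif m.group(1) not in METHODS:
        problems.append(f"unknown method {m.group(1)}")
    headers = lines[1:]
    if len(headers) > MAX_HEADER_COUNT:
        problems.append(f"too many headers ({len(headers)})")
    seen: Dict[str, str] = {}
    for line in headers:
        if len(line) > MAX_LINE_LEN:
            problems.append(f"header line too long ({len(line)} bytes): {line[:20]}...")
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            problems.append(f"header without name/colon: {line[:40]!r}")
            continue
        seen.setdefault(name.strip().lower(), value.strip())  # first value wins
    for h in REQUIRED_HEADERS:
        if h not in seen:
            problems.append(f"missing required header {h}")
    declared = seen.get("content-length")
    if declared is not None:
        if not declared.isdigit():
            problems.append("non-numeric Content-Length")
        elif int(declared) != len(body):
            problems.append(f"Content-Length {declared} does not match body length {len(body)}")
    return problems


# Constructed well-formed INVITE (addresses are documentation-range placeholders).
GOOD_INVITE = (
    b"INVITE sip:6713@pbx.example.test SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:6060;branch=z9hG4bK-1\r\n"
    b"From: UserAgent <sip:ua@192.0.2.10>;tag=1\r\n"
    b"To: 6713 <sip:6713@pbx.example.test>\r\n"
    b"Call-ID: c1@192.0.2.10\r\n"
    b"CSeq: 1 INVITE\r\n"
    b"Contact: <sip:ua@192.0.2.10:6060>\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"v=0\r\n"
)

# Same request with the Via header replaced by a 3000-byte run of 'a', as in the
# fuzzing example on the slide.
FUZZED_INVITE = GOOD_INVITE.replace(
    b"Via: SIP/2.0/UDP 192.0.2.10:6060;branch=z9hG4bK-1", b"Via: " + b"a" * 3000)

if __name__ == "__main__":
    for label, msg in (("good", GOOD_INVITE), ("fuzzed", FUZZED_INVITE)):
        print(label, check_sip_request(msg) or "passes")
```

The check is deliberately stricter than the protocol: a real proxy would accept compact header names and folded lines, which this example does not, so it belongs in front of the parser as a filter rather than as a replacement for it.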

Flood-Based DoS Introduction (Attacking The Application / Flood-Based DoS)
Describes an attack where a flood of packets overwhelms a target, such as a SIP proxy or phone.

Flood-Based DoS (Attacking The Application / Flood-Based DoS)
Several tools are available to generate floods at the application layer:
- rtpflood – generates a flood of RTP packets
- inviteflood – generates a flood of SIP INVITE packets
- SiVuS – a tool with a GUI that enables a variety of flood-based attacks
Virtually every device we tested was susceptible to these attacks.

SiVuS (Attacking The Application / Flood-Based DoS)
[Screenshot: SiVuS]

Flood-Based DoS Countermeasures (Attacking The Application / Flood-Based DoS)
There are several countermeasures you can use for flood-based DoS:
- Use VLANs to separate networks
- Use TCP and TLS for SIP connections
- Use rate limiting in switches
- Enable authentication for requests
- Use SIP firewalls/IPSs to monitor and block attacks
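Rate limiting and SIP-aware monitoring, two of the countermeasures above, both need a per-source counter with a time window. The Python below is an added example, not a tool from the slides, that replays constructed signaling log lines (timestamp, source IP, method, Call-ID) through a sliding-window INVITE counter and reports the first moment a source exceeds the threshold, which is what an inviteflood-style burst looks like from the proxy's side. The log format, addresses and threshold are assumptions made for the example.

```python
"""Detect SIP INVITE floods from a signaling log with a sliding time window.

Added example for this page, not a product feature. The log format, the
addresses and the threshold are constructed for the example.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List

WINDOW_SECONDS = 5.0
MAX_INVITES_PER_WINDOW = 20   # illustrative; tune to the real per-endpoint call rate

# Constructed log lines: "<unix_time> <src_ip> <method> <call_id>".
# 192.0.2.10 is a normal phone; 203.0.113.5 sends 100 INVITEs inside one second.
SAMPLE_LOG: List[str] = (
    [f"1000.{i:03d} 192.0.2.10 INVITE legit-{i}" for i in range(3)]
    + [f"1001.{i:03d} 203.0.113.5 INVITE flood-{i}" for i in range(100)]
    + ["1003.000 192.0.2.11 REGISTER reg-1", "1004.000 192.0.2.10 BYE legit-0"]
)


class InviteRateMonitor:
    def __init__(self, window: float = WINDOW_SECONDS,
                 limit: int = MAX_INVITES_PER_WINDOW):
        self.window = window
        self.limit = limit
        self.recent: Dict[str, Deque[float]] = defaultdict(deque)  # src -> INVITE times
        self.flagged: Dict[str, float] = {}   # src -> time it first crossed the limit

    def feed(self, ts: float, src: str, method: str) -> bool:
        """Account for one message; return True if this INVITE pushed src over the limit."""
        if method != "INVITE":
            return False
        q = self.recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop INVITEs that fell out of the window
            q.popleft()
        if len(q) > self.limit and src not in self.flagged:
            self.flagged[src] = ts
            return True
        return False


def scan(lines: List[str]) -> Dict[str, float]:
    """Replay log lines in order; return {flooding source: time first flagged}."""
    monitor = InviteRateMonitor()
    for line in lines:
        ts, src, method, _call_id = line.split()
        monitor.feed(float(ts), src, method)
    return monitor.flagged


if __name__ == "__main__":
    for src, when in scan(SAMPLE_LOG).items():
        print(f"flood suspected from {src} at t={when}")
```

Per-source counting is enough against a single flooding host; a flood that spoofs many source addresses (easy over UDP, one reason the slide recommends TCP and TLS) needs an aggregate counter per target as well.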

Signaling/Media Manipulation Introduction (Attacking The Application / Sig/Media Manipulation)
In SIP and RTP, there are a number of attacks possible which exploit the protocol:
- Registration removal/addition
- Registration hijacking
- Redirection attacks
- Session teardown
- SIP phone reboot
- RTP insertion/mixing

Registration Removal/Addition (Attacking The Application / Sig/Media Manipulation)
[Diagram: Proxy, User, Proxy, Attacker, User. The attacker erases or adds bogus registrations, causing calls to be dropped or sent to the wrong address.]

Registration Hijacking (Attacking The Application / Sig/Media Manipulation)
[Diagram: Proxy, User, Proxy, Attacker, User. The attacker hijacks the registration, so the session and the media are hijacked.]


Redirection Attacks (Attacking The Application / Sig/Media Manipulation)
[Diagram: Attacker, Proxy, User. The attacker sends a "301/302 – Moved" message and inbound calls are redirected.]

Session Teardown (Attacking The Application / Sig/Media Manipulation)
[Diagram: Attacker, Proxy, User. The attacker sends BYE messages to the UAs.]

IP Phone Reboot (Attacking The Application / Sig/Media Manipulation)
[Diagram: Attacker, Proxy, User. The attacker sends check-sync messages to a UA.]

Audio Insertion/Mixing (Attacking The Application / Sig/Media Manipulation)
[Diagram: Attacker, Proxy, User. The attacker sees the packets and inserts/mixes in new audio.]

Signaling/Media Manipulation Countermeasures (Attacking The Application / Sig/Media Manipulation)
Some countermeasures for signaling and media manipulation include:
- Use digest authentication where possible
- Use TCP and TLS where possible
- Use SIP-aware firewalls/IPSs to monitor for and block attacks
- Use audio encryption to prevent RTP injection/mixing
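The SIP-aware monitoring countermeasure above (and the application interception countermeasures earlier in the deck, which cover the same registration hijacking and redirection cases) can be illustrated with a small set of detection rules over the attacks listed in this section. The Python below is an added example written for this page, not any product's logic: given the trusted proxy address, it flags a REGISTER without an Authorization header, a REGISTER that changes or removes an existing binding, a 301/302 redirect or a check-sync NOTIFY that does not come from the proxy, and a BYE from an address that is not a party to the dialog. The messages, addresses and the msg() builder are constructed, and the dialog model (parties are the sources of INVITEs plus the proxy) is a simplification of real SIP dialog tracking.

```python
"""Detection rules for SIP signaling manipulation (added example for this page).

Not a product's logic. The proxy address, the messages and the source IPs are
constructed; the dialog model is deliberately simplified.
"""
from typing import Dict, List, Set, Tuple


def parse(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a SIP message into its start line and a lower-cased header map."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


class SipManipulationMonitor:
    def __init__(self, proxy_ip: str):
        self.proxy_ip = proxy_ip
        self.registrations: Dict[str, str] = {}   # AOR (To header) -> Contact
        self.dialogs: Dict[str, Set[str]] = {}    # Call-ID -> IPs that sent an INVITE

    def inspect(self, src_ip: str, raw: str) -> List[str]:
        """Apply the rules to one message seen from src_ip; return alerts raised."""
        start, h = parse(raw)
        call_id = h.get("call-id", "?")
        alerts: List[str] = []
        if start.startswith("SIP/2.0 "):                      # a response
            code = start.split()[1]
            if code in ("301", "302") and src_ip != self.proxy_ip:
                alerts.append(f"{call_id}: {code} redirect from non-proxy {src_ip}")
            return alerts
        method = start.split()[0]
        if method == "INVITE":
            self.dialogs.setdefault(call_id, set()).add(src_ip)
        elif method == "REGISTER":
            aor, contact = h.get("to", ""), h.get("contact", "")
            if "authorization" not in h:                       # digest auth absent
                alerts.append(f"REGISTER for {aor} from {src_ip} without Authorization")
            prev = self.registrations.get(aor)
            if h.get("expires") == "0":                        # registration removal
                alerts.append(f"registration removal for {aor} from {src_ip}")
                self.registrations.pop(aor, None)
            else:
                if prev is not None and prev != contact:       # binding moved elsewhere
                    alerts.append(f"registration for {aor} changed from {prev} "
                                  f"to {contact} (possible hijack)")
                self.registrations[aor] = contact
        elif method == "BYE":
            if src_ip != self.proxy_ip and src_ip not in self.dialogs.get(call_id, set()):
                alerts.append(f"{call_id}: BYE from {src_ip}, not a party to the dialog")
        elif (method == "NOTIFY" and h.get("event", "").startswith("check-sync")
              and src_ip != self.proxy_ip):
            alerts.append(f"check-sync NOTIFY from non-proxy {src_ip} (phone reboot attempt)")
        return alerts


def msg(start: str, *headers: Tuple[str, str]) -> str:
    """Build a minimal SIP message (constructed helper for the sample traffic)."""
    return start + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers) + "\r\n"


PROXY = "10.0.0.1"
AOR = "<sip:6713@pbx.example.test>"
# Constructed traffic as (source IP, message): a legitimate phone at 10.0.0.20,
# an attacker at 10.0.0.66, and the proxy.
TRAFFIC: List[Tuple[str, str]] = [
    ("10.0.0.20", msg("REGISTER sip:pbx.example.test SIP/2.0", ("To", AOR),
                      ("Contact", "<sip:6713@10.0.0.20>"), ("Call-ID", "r1"),
                      ("Authorization", 'Digest username="6713", realm="pbx", response="0"'))),
    ("10.0.0.66", msg("REGISTER sip:pbx.example.test SIP/2.0", ("To", AOR),
                      ("Contact", "<sip:6713@10.0.0.66>"), ("Call-ID", "r2"))),
    ("10.0.0.20", msg("INVITE sip:6714@pbx.example.test SIP/2.0", ("Call-ID", "c1"))),
    ("10.0.0.66", msg("SIP/2.0 302 Moved Temporarily", ("Call-ID", "c1"),
                      ("Contact", "<sip:6714@10.0.0.66>"))),
    ("10.0.0.66", msg("BYE sip:6713@10.0.0.20 SIP/2.0", ("Call-ID", "c1"))),
    ("10.0.0.66", msg("NOTIFY sip:6713@10.0.0.20 SIP/2.0", ("Call-ID", "n1"),
                      ("Event", "check-sync"))),
    ("10.0.0.1", msg("BYE sip:6713@10.0.0.20 SIP/2.0", ("Call-ID", "c1"))),  # legitimate
]


def run(traffic: List[Tuple[str, str]] = TRAFFIC, proxy: str = PROXY) -> List[str]:
    monitor = SipManipulationMonitor(proxy)
    alerts: List[str] = []
    for src, raw in traffic:
        alerts.extend(monitor.inspect(src, raw))
    return alerts


if __name__ == "__main__":
    for line in run():
        print(line)
```

The rules keyed on "did this come from the proxy" only hold when the monitor sees traffic on the phone side of the proxy and the proxy's address cannot be spoofed, which is why the slide pairs monitoring with TCP/TLS and digest authentication rather than relying on either alone.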

Social Attacks
There are a couple of evolving social threats that will affect enterprises:
- Voice SPAM or SPAM over Internet Telephony (SPIT)
- Voice phishing

Voice SPAM Introduction (Social Attacks / Voice SPAM)
Voice SPAM refers to bulk, automatically generated, unsolicited phone calls.
Similar to telemarketing, but occurring at the frequency of SPAM.
Not an issue yet, but will become prevalent when:
- The network makes it very inexpensive or free to generate calls
- Attackers have access to VoIP networks that allow generation of a large number of calls
It is easy to set up a voice SPAM operation, using Asterisk, tools like "spitter", and free VoIP access.

Voice SPAM (Social Attacks / Voice SPAM)
Voice SPAM has the potential to be very disruptive because:
- Voice calls tend to interrupt a user more than
- Calls arrive in real time and the content can't be analyzed to determine it is voice SPAM
- Even calls saved to voice mail must be converted from audio to text, which is an imperfect process
- There isn't any capability in the protocols that looks like it will address voice SPAM

Voice SPAM Countermeasures (Social Attacks / Voice SPAM)
Some potential countermeasures for voice SPAM are:
- Authenticated identity movements, which may help to identify callers
- Legal measures
- Enterprise voice SPAM filters:
  - Black lists/white lists
  - Approval systems
  - Audio content filtering
  - Turing tests

VoIP Phishing Introduction (Social Attacks / Phishing)
Similar to phishing, but with a phone number delivered through or voice.
When the victim dials the number, the recording requests entry of personal information.
The hacker comes back later and retrieves the touch tones or other information.

VoIP Phishing Example (Social Attacks / Phishing)
"Hi, this is Bob from Bank of America calling. Sorry I missed you. If you could give us a call back at we have an urgent issue to discuss with you about your bank account."
"Hello. This is Bank of America. So we may best serve you, please enter your account number followed by your PIN."


VoIP Phishing Countermeasures (Social Attacks / Phishing)
Traditional spam/phishing countermeasures come into play here.
Educating users is key.