September 19, 2006, speermint interim
VoIP Threats and Attacks
Alan Johnston

VoIP as an Application
VoIP is an Internet Application
Subject to both voice specific AND Internet attacks
  – E.g. flooding DoS attack could be INVITEs or TCP SYN packets
Need to secure each layer independently
  – Defense in Depth
This presentation uses the VOIPSA “VoIP Security and Privacy Threat Taxonomy” as outline

Eavesdropping Threats
Call Pattern Tracking
  – Besides signaling, DNS queries can reveal information
Traffic Capture
  – Number Harvesting
      E.g. ENUM with Contact URIs or AORs with identifying information
  – Conversation Reconstruction
      If Perfect Forward Secrecy (PFS) is not used, content can be stored for later decryption
  – Voicemail Reconstruction
      Current low levels of authentication
  – Fax Reconstruction
  – Video Reconstruction
  – Text Reconstruction

Interception and Modification
Call Black Holing
  – Authentication of responses critical
Call Rerouting
  – How many intermediaries
Fax Alteration
Conversation Alteration
  – Authentication of RFC 2833 DTMF tones
Conversation Degrading
  – RTCP protection as well as RTP
Conversation Impersonation and Hijacking
  – Human to human authentication a la ZRTP
False Caller Identification
  – Trivial in PSTN today, commonplace in
  – Who is asserting identity as important as what identity is being asserted
      See RFC 4474 to see how to do this correctly

Intentional Interruption of Service
Denial of Service
  – Centralized servers make for better DoS targets (e.g. SBCs)
  – Request Flooding
      User Call Flooding
      User Call Flooding Overflowing to Other Devices
        – Overload voice mail storage
      Endpoint Request Flooding
      Endpoint Request Flooding after Call Setup
      Call Controller Flooding
      Request Looping
        – Setting Max-Forwards to 69
      Directory Service Flooding
        – DNS and ARP poisoning

Interruption of Service Continued
  – Malformed Requests and Messages
      Disabling Endpoints with Invalid Requests
      Injecting Invalid Media into Call Processor
      Malformed Protocol Messages
        – For SIP, see RFC 4475 Torture Tests
  – QoS Abuse
      QoS can easily work both ways…
  – Spoofed Messages
      Faked Call Teardown Message
      Faked Response
  – Call Hijacking
      Registration Hijacking
        – Digest does not provide registration authentication
      Media Session Hijacking
      Server Masquerading

Interruption of Service Continued
  – Network Services DoS
  – Underlying Operating System/Firmware DoS
  – Distributed Denial of Service
      Use ICE for media authorization to avoid accidental media DoS
Other Interruptions of Service
  – Loss of Power
  – Resource Exhaustion
  – Performance Latency and Metrics

Non-Technical Threats
Social Threats
  – Misrepresentation
      Misrepresenting Identity
      Misrepresenting Authority
      Misrepresenting Rights
      Misrepresenting Content
  – Theft of Services
  – Unwanted Contact
      Harassment
      Extortion
      Unwanted Lawful Content Including VoIP SPAM and Other Subjectively Offensive Content
Service Abuse
Physical Intrusion

Selected SIP Specific Topics
ACK and CANCEL cannot be authenticated by challenge
  – Require Offer/Answer in INVITE/200 OK
  – Ignore CANCELs
Non-symmetric routing makes response authentication extremely difficult
  – Use rport or connection-reuse
Certificates are good unless
  – Not properly validated
  – Not properly correlated to host names
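
The two certificate failure modes above, as an added example that is not part of the original slides: a TLS client context that skips both checks next to one that enforces them. The function names are hypothetical, and the example assumes that "correlated to host names" means checking the certificate against the domain in the SIP URI rather than against whatever host name DNS resolution returned.

```python
import socket
import ssl


def sip_domain(uri: str) -> str:
    """Host part of a sip:/sips: URI: the name the server certificate must match."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() not in ("sip", "sips"):
        raise ValueError(f"not a SIP URI: {uri!r}")
    hostport = rest.rsplit("@", 1)[-1]                      # drop userinfo
    hostport = hostport.split(";", 1)[0].split("?", 1)[0]   # drop params and headers
    if hostport.startswith("["):                            # IPv6 reference such as [2001:db8::1]:5061
        host = hostport[1:hostport.index("]")]
    else:
        host = hostport.split(":", 1)[0]
    if not host:
        raise ValueError(f"no host in SIP URI: {uri!r}")
    return host.lower()


def lax_context() -> ssl.SSLContext:
    """The weak setting: chain not validated, name not correlated."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_context() -> ssl.SSLContext:
    """The corrected setting: chain validated against trusted CAs, name checked."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def connect_sips(uri: str, resolved_host: str, port: int = 5061,
                 timeout: float = 5.0) -> ssl.SSLSocket:
    """Connect to the DNS-resolved host, but verify the certificate against the
    domain taken from the SIP URI (assumption of this example: DNS is untrusted)."""
    raw = socket.create_connection((resolved_host, port), timeout=timeout)
    try:
        return strict_context().wrap_socket(raw, server_hostname=sip_domain(uri))
    except Exception:
        raw.close()
        raise
```

With `strict_context()`, the handshake in `connect_sips` raises `ssl.SSLCertVerificationError` when the chain does not validate or the certificate does not name the URI's domain; with `lax_context()` either failure passes silently.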

Summary
VoIP is a new application
  – New is not good in security terms…
VoIP devices and software are new
Security standards are still being developed in IETF
  – Secure RTP media
  – Usage of Secure SIP and TLS
VoIP threats are much more Internet than PSTN