Voice/VoIP/SIP Security Hacker Halted 2010 Mark D. Collier SecureLogix Corporation www.securelogix.com mark.collier@securelogix.com
Discussion Outline • Introduction • Discussion of the current threat level • Application/social attacks • Internal/campus VoIP attacks • Session Initiation Protocol (SIP) attacks • Best practices
About SecureLogix • SecureLogix: • Voice/VoIP/UC security and management solution company • Security solutions for SIP and traditional voice networks • Security applications available now on Cisco ISRs • About me: • Author of Hacking Exposed: VoIP • Author of SANS 540 course on VoIP security • www.voipsecurityblog.com • Author of many SIP and RTP-based “attack” tools
Voice/VoIP Security Introduction • Voice/VoIP systems are vulnerable: • VoIP platforms, network, protocols, and applications are vulnerable • Many available VoIP attack tools • The vendors continue to improve security • Security is not a major consideration during deployment • Fortunately, the threat to VoIP systems is still moderate: • Most deployments are strictly campus/internal deployments • Limited incentive to attack systems • Most access to public networks is still through traditional trunking • Application/social threats remain the biggest issue • SIP trunking and UC “may” change the threat
Traditional Voice Security (network diagram: TDM phones and a PBX connected over TDM trunks to the public voice network through a voice firewall; modems, fax, and an Internet connection to servers/PCs). High threat: toll fraud/social engineering, modems. Medium threat: harassing calls/TDoS.
Internal/Campus VoIP Security (network diagram: IP PBX with call manager (CM), voicemail (VM), contact center (CC), admin, gateway, database, and TFTP/DHCP/DNS servers; TDM phones and TDM trunks to the public voice network through a voice firewall; IP phones on a voice VLAN, servers/PCs on a data VLAN, Internet connection). High threat: toll fraud/social engineering, modems. Medium threat: harassing calls/TDoS. Low threat: LAN-originated attacks.
SIP Trunks (network diagram: same IP PBX as above, now also connected to the public voice network over SIP trunks through a CUBE; voice VLAN with IP phones, data VLAN with servers/PCs, Internet connection). High threat: toll fraud/social engineering, modems. Medium threat: harassing calls/TDoS. Low threat: scanning, fuzzing, flood DoS.
Network VoIP Increases the Threat (network diagram: TDM phones and PBX on TDM trunks to the public voice network through a voice firewall; modems, fax, Internet connection to servers/PCs). High threat: TDoS/harassing calls, toll fraud, social engineering, modems. Medium threat: voice phishing, voice SPAM.
UC Changes (network diagram: IP PBX with CM, VM, CC, admin, gateway, DB, TFTP/DHCP/DNS; TDM phones, SIP trunks through a CUBE to the public voice network, voice firewall, fax, IP phones, Internet servers/PCs). UC brings more social networking, greater integration, and more traffic over public networks.
Application/Social Attacks • These issues are present whether or not VoIP is used • VoIP is making these attacks easier to execute • Toll fraud • Harassing callers and Telephony Denial of Service (TDoS) • Social engineering • Voice Phishing (Vishing) • Voice SPAM
Toll Fraud • Toll fraud is theft of voice service • This threat has been around for many years, but is getting worse • It is still very expensive to make international calls to many countries • VoIP is making this issue worse – toll fraud is one of the few incentives to attack VoIP • Enterprise toll fraud consists of minor misuse and dial-through fraud • Minor misuse occurs when employees abuse toll services • Users abuse phones that have limited or no calling restrictions
Toll Fraud • Damaging toll fraud occurs when an attacker finds a vulnerable DISA or other service that allows an inbound caller to obtain unrestricted outbound dial tone • Attackers find these services/passwords by scanning or from an internal user • Can also happen with some VoIP systems • Attacker sells the call-in number and password to anyone they can • Often starts over a weekend when it is less likely to be noticed
Harassing Calls/Denial Of Service (DoS) • Traditionally, harassing calls were generated by individuals • VoIP makes it easy to generate many calls and harass targets • If enough calls are generated, a DoS condition occurs • This type of DoS appears as actual completed calls, with some sort of audio • This is different from the commonly discussed “INVITE floods”, because the target can be using any type of trunking • Depending on the volume and target, the impact can range from annoyance, to harassment, to outright DoS • The attacks may be used to mask other types of attacks (fraud, social engineering, etc.)
Telephony Denial of Service • FBI announcement this year • TDoS used to overwhelm consumer phones while fraud was being committed • TDoS also occurred at many large enterprises in their contact centers • Calls were designed to dwell in IVRs and generate traffic • Primary incentive was traffic pumping/skimming • Attacks became more sophisticated as time went on • Expect these attacks to become more common, sophisticated, and damaging
Social Engineering • Social engineering involves an attacker who manipulates inexperienced users in order to gain confidential information • This threat has been around for many years, but is getting worse • The target is often call centers • VoIP may be making the issue worse, because it makes it easier to spoof caller ID and make free calls • Attackers call in and hope to talk with inexperienced users • Attackers also call in multiple times, each time trying to get an additional bit of information • Once an attacker gets a piece of information, it is often easier to get more
Voice Phishing (Vishing) • Similar to email phishing, but with a phone number delivered through email or voice • When the victim dials the number, the recording requests entry of personal information • VoIP and tools such as Asterisk or Trixbox make setting up this attack much easier
Voice SPAM • Voice SPAM refers to bulk, automatically generated, unsolicited phone calls • Similar to telemarketing, but occurring at the frequency of email SPAM • Attackers have access to VoIP networks that allow generation of a large number of calls • It is easy to set up a voice SPAM operation, using Asterisk, tools like “spitter”, and free VoIP access • Attack execution is similar to harassing calling/DoS
Application Attacks Countermeasures • Educate users on proper response • Use PBX features to control access to DISA and toll calls • Closely monitor call detail records (CDR) • Obtain visibility into what is happening across all sites • Work with your service provider • Perform a trunk/external traffic assessment to determine if any attacks are ongoing • Deploy voice firewalls to monitor for and mitigate attacks (on all types of trunks)
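The "closely monitor CDR" countermeasure is concrete enough to show. The following is an added example, not code from the deck or from SecureLogix: it reads a constructed CDR extract and flags the two toll-fraud patterns the earlier slides describe, international calls placed outside business hours (the weekend start of dial-through fraud) and a burst of international calls from one caller or DISA port within an hour. The CSV layout, the business-hours window, the `011` international prefix, and the per-hour threshold are all assumptions for the example; adapt them to the PBX's actual CDR format and dial plan.

```python
"""Review a CDR extract for toll-fraud indicators (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample CDR rows, not from any real system:
# timestamp, calling party (extension or inbound DISA port), called number, duration in seconds
SAMPLE_CDR = """\
2010-10-15T14:02:11,2231,2125550101,180
2010-10-15T15:10:45,2231,01144207946000,420
2010-10-16T02:15:02,DISA-1,01125299000001,1800
2010-10-16T02:16:30,DISA-1,01125299000002,1750
2010-10-16T02:18:55,DISA-1,01125299000003,1820
2010-10-16T02:21:10,DISA-1,01125299000004,1790
2010-10-16T03:05:00,2240,01122112345678,600
2010-10-18T10:30:00,2231,2125550199,90
"""

INTL_PREFIX = "011"               # assumed North American international dialing prefix
BUSINESS_HOURS = range(7, 20)     # assumed 07:00-19:59 local time, Monday to Friday
INTL_CALLS_PER_HOUR_LIMIT = 3     # assumed per-caller baseline; tune to the site


def parse_cdr(text):
    """Turn the CSV extract into a list of dicts with a parsed timestamp."""
    rows = []
    for line in text.strip().splitlines():
        ts, caller, called, secs = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "caller": caller,
                     "called": called, "seconds": int(secs)})
    return rows


def is_international(number):
    return number.startswith(INTL_PREFIX)


def off_hours(ts):
    """Weekend, or a weekday outside the business-hours window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def find_toll_fraud_indicators(rows):
    """Return (indicator, caller, when) tuples for international calls worth a look."""
    alerts = []
    intl_per_caller_hour = defaultdict(int)
    for r in rows:
        if not is_international(r["called"]):
            continue
        if off_hours(r["ts"]):
            alerts.append(("off_hours_international", r["caller"], r["ts"].isoformat()))
        bucket = (r["caller"], r["ts"].strftime("%Y-%m-%dT%H"))
        intl_per_caller_hour[bucket] += 1
        # Raise the burst alert once, on the call that first exceeds the hourly limit.
        if intl_per_caller_hour[bucket] == INTL_CALLS_PER_HOUR_LIMIT + 1:
            alerts.append(("international_burst", r["caller"], bucket[1]))
    return alerts


def callers_to_review(alerts):
    """Distinct calling parties (extensions or DISA ports) that raised any indicator."""
    return sorted({caller for _, caller, _ in alerts})


if __name__ == "__main__":
    found = find_toll_fraud_indicators(parse_cdr(SAMPLE_CDR))
    for indicator, caller, when in found:
        print(f"{when}  {indicator:<26} {caller}")
    print("review:", callers_to_review(found))
```

On the constructed data the Saturday 02:15 run of international calls from the DISA port raises both indicators, while extension 2231's Friday-afternoon international call raises none; that is the kind of separation a daily CDR review needs so that the "starts over a weekend" pattern is noticed on Saturday rather than on the next invoice.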
Internal/Campus Attacks • Gathering information • IP PBX: • Server platforms • Various gateway cards • Adjunct systems • Network: • Switches, routers, firewalls • Shared links • VLAN configurations • Endpoints: • IP phones and softphones
Gathering Information • Footprinting is the first step in gathering information prior to an attack • Footprinting does not require network access • An enterprise website often contains useful information • Google is very good at finding details on the web: • Vendor press releases and case studies • Resumes of VoIP personnel • Mailing lists and user group postings • Web-based VoIP logins
Scanning • Process of finding VoIP hosts and running services • The first step is gaining access to the network: • Insider access • Malware delivered via email, trojan, etc. • Non-secure wireless, modems, etc. • Poorly secured “public” device like a lobby phone • Compromised network device • VLANs are pretty easy to overcome • It's possible to hook up a laptop and spoof IP and MAC addresses
Scanning • Once network access is obtained, the next step is to scan for VoIP hosts • nmap is commonly used for this purpose • After hosts are found, scans are used to find running services • After hosts are found and ports identified, the type of device can be determined • Network stack fingerprinting is a common technique for identifying hosts/devices
Scanning (Signaling Ports) • SIP-enabled devices will usually respond on UDP/TCP ports 5060 and 5061 • H.323 devices use multiple ports, including TCP 1720 and UDP 1719 • SCCP phones (Cisco) use UDP/TCP 2000-2001 • Unistim (Nortel) uses UDP/TCP 5000 • MGCP devices use UDP 2427
Enumeration • Involves testing open ports and services on hosts to gather more information • Includes running tools to determine if open services have known vulnerabilities • Also involves scanning for VoIP-unique information such as phone numbers • Includes gathering information from TFTP servers and SNMP
Enumeration • SNMP is enabled by default on most IP PBXs and IP phones • If you know the device type, you can use snmpwalk with the appropriate OID • You can find the OID using the SolarWinds MIB • Default “passwords”, called community strings, are common
Enumeration • Almost all phones use TFTP to download their configuration files • The TFTP server is rarely well protected • If you know or can guess the name of a configuration or firmware file, you can download it without even specifying a password • The files are downloaded in the clear and can be easily sniffed • Configuration files have usernames, passwords, IP addresses, etc. in them
Network Vulnerabilities • The VoIP network and supporting infrastructure are vulnerable to attacks • DoS floods are particularly effective • VoIP media/audio is particularly susceptible to any DoS attack which introduces latency and jitter • Attacks against supporting infrastructure services, such as DHCP, TFTP, DNS, are also possible • Any direct attack against a network element (IP PBX, switch, router, gateway, etc.) can affect VoIP service • Possible to eavesdrop, exploit VLAN configuration, and perform MITM attacks
Network Vulnerabilities Network DoS • Some types of floods are: • UDP floods • TCP SYN floods • ICMP and Smurf floods • Worm and virus oversubscription side effect • QoS manipulation • Application flooding (INVITE floods, REGISTER floods) • Shared links with large amounts of traffic are especially vulnerable
Network Vulnerabilities Network Infrastructure DoS • VoIP systems rely heavily on supporting services such as DHCP, DNS, TFTP, etc. • DHCP exhaustion is an example, where a hacker uses up all the IP addresses, denying service to VoIP phones • DNS cache poisoning involves tricking a DNS server into using a fake DNS response
Network Vulnerabilities Eavesdropping • VoIP signaling and media are very vulnerable to eavesdropping
Network Vulnerabilities Network Interception • The VoIP network is vulnerable to Man-In-The-Middle (MITM) attacks, allowing: • Eavesdropping on the conversation • Causing a DoS condition • Altering the conversation by omitting, replaying, or inserting media • Redirecting calls
IP Phone Vulnerabilities • IP phones can also be attacked: • Physical access • Poor passwords • Signaling/media • DoS • Unnecessary services
Internal/Campus Attacks Countermeasures • Follow best practices for good internal network security • Limit publicly available information • Disable unnecessary services on all VoIP platforms • Maintain patches • Monitor network activity and maintain logs • Consider using encryption for signaling and audio • Consider secure protocols for administration, file transfer, etc.
Session Initiation Protocol (SIP) Attacks • Very important, since SIP is becoming more commonly used • Directory scanning • Fuzzing • Flood-based Denial of Service (DoS) • Registration manipulation • Call termination • RTP tunneling and manipulation
SIP Security (network diagram: IP PBX with CM, VM, CC, admin, gateway, DB, TFTP/DHCP/DNS; TDM phones; SIP trunks through a CUBE to the public voice network; voice firewall; fax; SIP phones on a voice VLAN; servers/PCs on a data VLAN; Internet connection). Threats shown arriving over the SIP trunks: scanning, fuzzing, flood DoS.
Directory Scanning (diagram: attacker sends INVITEs/OPTIONs/REGISTERs to the proxy server to scan for IP phones; step 1: INVITE derek@tpti, spoofed source IP)
Fuzzing/Malformed Messages (diagram: malformed SIP sent to the redirect server and to the SIP proxy/PBX)
Flood-based DoS (diagram: attacker sends 1,000,000 INVITEs to the proxy server; step 1: INVITE derek@tpti, spoofed source IP; result: ring all phones)
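The directory-scanning and flood slides above both describe traffic a SIP proxy can see and log. The following is an added example, not code from the deck: it runs a small detector over constructed proxy log lines and raises one alert per source for a directory scan (many distinct target users from one source inside a minute) and one for an INVITE flood (many INVITEs from one source inside ten seconds). The one-line log format, the field names `src`/`method`/`to`, and both thresholds are assumptions for the example; a real proxy's log needs its own parser and site-specific baselines. Because the slides show the source IP spoofed, treat the source here as the address the proxy received from, which for UDP may itself be forged; that is the point at which a SIP-aware firewall on the trunk, not log review, has to absorb the flood.

```python
"""Detect SIP directory scans and INVITE floods in proxy log lines (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SCAN_DISTINCT_TARGETS = 10          # assumed: >= 10 distinct To users in SCAN_WINDOW
SCAN_WINDOW = timedelta(seconds=60)
FLOOD_REQUESTS = 30                 # assumed: >= 30 INVITEs in FLOOD_WINDOW
FLOOD_WINDOW = timedelta(seconds=10)


def constructed_log():
    """Build constructed log lines: normal phones, one scanner, one flooder."""
    lines = [
        "2010-10-16T09:00:00 src=10.1.20.7 method=REGISTER to=sip:2231@tpti.com",
        "2010-10-16T09:00:01 src=10.1.20.7 method=INVITE to=sip:2240@tpti.com",
        "2010-10-16T09:00:02 src=10.1.20.9 method=INVITE to=sip:2231@tpti.com",
    ]
    # Scanner: OPTIONS to twelve sequential extensions, one per second.
    base = datetime(2010, 10, 16, 9, 5, 0)
    for i in range(12):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} src=10.1.99.3 method=OPTIONS to=sip:{1000 + i}@tpti.com")
    # Flooder: forty INVITEs to one user, 100 ms apart.
    base = datetime(2010, 10, 16, 9, 10, 0)
    for i in range(40):
        ts = (base + timedelta(milliseconds=100 * i)).isoformat()
        lines.append(f"{ts} src=10.1.99.4 method=INVITE to=sip:2231@tpti.com")
    return lines


def parse_line(line):
    """'<iso timestamp> key=value ...' -> dict with a parsed 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_str)
    return rec


def detect(lines):
    """Return (kind, src, iso_time) alerts, at most one of each kind per source."""
    alerts = []
    history = defaultdict(deque)   # src -> deque of (ts, method, to) inside SCAN_WINDOW
    raised = set()
    for line in lines:
        rec = parse_line(line)
        src, now = rec["src"], rec["ts"]
        q = history[src]
        q.append((now, rec["method"], rec["to"]))
        # Drop entries older than the longer window; the flood window is a subset of it.
        while q and now - q[0][0] > SCAN_WINDOW:
            q.popleft()
        distinct_targets = {to for _, _, to in q}
        if len(distinct_targets) >= SCAN_DISTINCT_TARGETS and (src, "directory_scan") not in raised:
            raised.add((src, "directory_scan"))
            alerts.append(("directory_scan", src, now.isoformat()))
        recent_invites = sum(1 for ts, m, _ in q if m == "INVITE" and now - ts <= FLOOD_WINDOW)
        if recent_invites >= FLOOD_REQUESTS and (src, "invite_flood") not in raised:
            raised.add((src, "invite_flood"))
            alerts.append(("invite_flood", src, now.isoformat()))
    return alerts


if __name__ == "__main__":
    for kind, src, when in detect(constructed_log()):
        print(f"{when}  {kind:<15} from {src}")
```

The two detectors share one per-source sliding window, so the scan rule keys on the number of distinct targets while the flood rule keys on request rate to a target; a legitimate phone re-registering or placing a few calls trips neither, which is what keeps the alert volume reviewable.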
Registration Manipulation (diagram: derek’s phone, registrar, location server; the numbering follows the slide) 1. derek’s phone: REGISTER sip:derek@tpti.com, Contact <sip:derek@11.5.6.7>, Expires: 3600 2. Location server: “To contact sip:derek@tpti.com use sip:derek@11.5.6.7 for 60 minutes” 3. Attacker: REGISTER sip:derek@tpti.com, Contact <hacker@11.5.6.8>, Expires: 1800; registrar answers 200 OK 4. Location server: “To contact sip:derek@tpti.com use sip:hacker@11.5.6.8 for 30 minutes”
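The registration-manipulation sequence works only because the registrar in the diagram accepts a second REGISTER for derek's address of record without proving who sent it. The following added example, which is not code from the deck or from SecureLogix, models a tiny registrar in both configurations: one that accepts any REGISTER, and one that issues a 401 digest challenge (RFC 3261 section 22, MD5 digest without qop) and rebinds the address only when the response verifies against the account owner's credential. It puts the AoR in the To header and the registrar domain in the request line, as RFC 3261 does, where the slide abbreviates. The realm `tpti.com`, the account `derek` with a constructed password, and the contacts `11.5.6.7`/`11.5.6.8` are taken from the slide; the helper names are assumptions.

```python
"""REGISTER binding hijack against an open vs. a digest-authenticated registrar (added example)."""
import hashlib
import hmac
import secrets

REALM = "tpti.com"
CREDENTIALS = {"derek": "example-password"}   # constructed; a real registrar stores HA1, not passwords


def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, password, method, uri, nonce):
    """RFC 2617 digest response without qop, as SIP digest authentication uses it."""
    ha1 = md5hex(f"{username}:{REALM}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def build_register(aor, contact, expires, authorization=None):
    """Text of a REGISTER request; the address of record travels in To, per RFC 3261."""
    lines = [f"REGISTER sip:{REALM} SIP/2.0", f"To: <{aor}>",
             f"Contact: <{contact}>", f"Expires: {expires}"]
    if authorization:
        lines.append(f"Authorization: {authorization}")
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_request(msg):
    request_line, *header_lines = msg.strip().splitlines()
    method, uri, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def parse_digest_params(value):
    """'Digest realm="x", nonce="y", algorithm=MD5' -> ('Digest', {...})"""
    scheme, _, params = value.partition(" ")
    pairs = (part.strip().partition("=") for part in params.split(","))
    return scheme, {k: v.strip('"') for k, _, v in pairs}


class Registrar:
    def __init__(self, require_auth=True):
        self.require_auth = require_auth
        self.bindings = {}   # AoR -> (contact, expires), the location service
        self.nonces = set()  # outstanding one-time nonces

    def _challenge(self):
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return "401 Unauthorized", f'Digest realm="{REALM}", nonce="{nonce}", algorithm=MD5'

    def _check_auth(self, headers, method, uri, aor):
        """None when the request is authorized, else the failure response."""
        auth = headers.get("authorization")
        if auth is None:
            return self._challenge()
        scheme, p = parse_digest_params(auth)
        if scheme != "Digest" or p.get("nonce") not in self.nonces:
            return self._challenge()          # missing or replayed nonce: challenge again
        self.nonces.discard(p["nonce"])
        owner = aor.split(":", 1)[1].split("@")[0]   # 'derek' from sip:derek@tpti.com
        # Only the AoR's own account may change its binding, and the digest must verify.
        if p.get("username") != owner or owner not in CREDENTIALS:
            return "403 Forbidden", None
        expected = digest_response(owner, CREDENTIALS[owner], method, uri, p["nonce"])
        if not hmac.compare_digest(expected, p.get("response", "")):
            return "403 Forbidden", None
        return None

    def handle(self, msg):
        """Return (status line, WWW-Authenticate value or None)."""
        method, uri, h = parse_request(msg)
        if method != "REGISTER":
            return "405 Method Not Allowed", None
        aor = h["to"].strip("<>")
        if self.require_auth:
            failure = self._check_auth(h, method, uri, aor)
            if failure:
                return failure
        self.bindings[aor] = (h["contact"].strip("<>"), int(h.get("expires", "3600")))
        return "200 OK", None


def authenticated_register(registrar, username, password, aor, contact, expires):
    """Client side: send REGISTER, answer the 401 challenge, return the final status."""
    status, challenge = registrar.handle(build_register(aor, contact, expires))
    if not status.startswith("401"):
        return status
    _, params = parse_digest_params(challenge)
    response = digest_response(username, password, "REGISTER", f"sip:{REALM}", params["nonce"])
    authorization = (f'Digest username="{username}", realm="{REALM}", nonce="{params["nonce"]}", '
                     f'uri="sip:{REALM}", response="{response}", algorithm=MD5')
    return registrar.handle(build_register(aor, contact, expires, authorization))[0]


def demo():
    """Slide steps 1 and 3 against both registrars; returns the resulting bindings."""
    aor = "sip:derek@tpti.com"
    weak = Registrar(require_auth=False)
    weak.handle(build_register(aor, "sip:derek@11.5.6.7", 3600))    # step 1
    weak.handle(build_register(aor, "sip:hacker@11.5.6.8", 1800))   # step 3, accepted
    strong = Registrar()
    owner = authenticated_register(strong, "derek", CREDENTIALS["derek"], aor, "sip:derek@11.5.6.7", 3600)
    intruder = authenticated_register(strong, "derek", "wrong-guess", aor, "sip:hacker@11.5.6.8", 1800)
    return weak.bindings[aor], owner, intruder, strong.bindings[aor]
```

Running `demo()` leaves the open registrar pointing derek's number at `sip:hacker@11.5.6.8` for 30 minutes, exactly step 4 of the slide, while the authenticating registrar returns `200 OK` to the phone and `403 Forbidden` to the second REGISTER and keeps `sip:derek@11.5.6.7`. The nonce is single-use so a captured Authorization header cannot be replayed; protecting the exchange itself from sniffing is what the "consider encryption for signaling" countermeasure on the next slides adds.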
Call Termination (diagram; the numbering follows the slide) 6. INVITE derek@11.5.6.7 7. 200 OK 8. RTP conversation 7. Attacker injects SIP CANCEL derek@11.5.6.7 9. Attacker injects SIP BYE derek@11.5.6.7
SIP Attacks Countermeasures • Secure registration with authentication • Consider encryption for signaling and audio • Deploy SIP-aware firewalls (CUBE) on SIP trunks • Continue to deploy voice firewalls on SIP trunks for application security issues
Overall Best Practices • Develop a voice/VoIP security policy • Address application issues at the perimeter • Prioritize security during VoIP deployments • Follow good basic data network security for the internal network • Consider a perimeter and VoIP security assessment • Deploy SIP security when using SIP trunks
Resources • www.voipsa.org • www.blueboxpadcast.com • www.securelogix.com • www.voipsecurityblog.com • Vendor sites