VoIP 2: Is free too Expensive?
by Darren Bilby and Nick von Dadelszen

Different Types of VoIP
• There are many different implementations of IP telephony:
  - Skype
  - MSN
  - Firefly
  - Cisco Office
  - Asterisk

VoIP Technology
• Each type of VoIP uses different technology:
  - Skype – Proprietary
  - MSN – SIP
  - Firefly – IAX
  - Cisco – H.323, Skinny
  - Asterisk – SIP, IAX2
  - Others – MGCP
• Most of these do not have security built in, so they rely on network controls

Attacks Against VoIP
• Multiple attack avenues:
  - Standard traffic capture attacks
  - Traffic manipulation
  - Dynamic configuration attacks
  - Phone-based vulnerabilities
  - Management interface attacks

Consequences of Attacks
• Eavesdropping and recording phone calls
• Active modification of phone calls
• Call tracking
• Crashing phones
• Denying phone service – Slammer?
• VoIP spamming
• Free calls
• Spoofing caller ID

Capturing VoIP Data
• Ethereal has built-in support for some VoIP protocols
• Has the ability to capture VoIP traffic
• Can dump some forms of VoIP traffic directly to WAV files
• Point and click hacking!

VoIP Security Solutions
• You must protect the network traffic
• Separate data and voice traffic – VLANs
• Ensure IPsec or other VPN technology is used over WAN links
• IDS monitoring on the network – ARP inspection
• Host security
• VoIP-enabled firewalls
• Excellent guidelines in Cisco SAFE documentation
• Or wait for more secure protocols

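The ARP inspection item above, sketched as an added example that is not part of the original slides: it parses raw ARP frames and flags any that contradict a table of known IP-to-MAC bindings. The addresses, MACs and function names are constructed for illustration, and the trusted table is assumed to come from static configuration.

```python
import struct

def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def fmt_ip(b):
    return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return (eth_src, sender_mac, sender_ip) for an untagged Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return fmt_mac(frame[6:12]), fmt_mac(frame[22:28]), fmt_ip(frame[28:32])

def inspect(frames, trusted):
    """Flag ARP frames that contradict known bindings; trusted maps IP -> MAC."""
    bindings, alerts = dict(trusted), []   # hosts not in trusted are learned on first sight
    for i, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        eth_src, sender_mac, sender_ip = parsed
        if eth_src != sender_mac:          # ARP payload disagrees with the frame header
            alerts.append((i, "src-mismatch", sender_ip, sender_mac))
        known = bindings.setdefault(sender_ip, sender_mac)
        if known != sender_mac:            # IP now claimed by a different MAC
            alerts.append((i, "binding-change", sender_ip, sender_mac))
    return alerts

def sample_frame(eth_src, op, sender_mac, sender_ip, target_ip):
    """Build a constructed 42-byte ARP frame for the sample data (bytes only, never sent)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return (b"\xff" * 6 + mac(eth_src) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sender_mac) + ip(sender_ip) + b"\x00" * 6 + ip(target_ip))

# Constructed voice-VLAN sample: gateway .1, phone .20, unknown host 00:aa:bb:cc:dd:ee
GW, PHONE, ROGUE = "00:11:22:33:44:01", "00:11:22:33:44:20", "00:aa:bb:cc:dd:ee"
TRUSTED = {"10.0.10.1": GW}
SAMPLE_FRAMES = [
    sample_frame(PHONE, 1, PHONE, "10.0.10.20", "10.0.10.1"),   # normal request
    sample_frame(GW, 2, GW, "10.0.10.1", "10.0.10.20"),         # normal reply
    sample_frame(ROGUE, 2, ROGUE, "10.0.10.1", "10.0.10.20"),   # gateway IP, wrong MAC
    sample_frame(ROGUE, 2, PHONE, "10.0.10.20", "10.0.10.1"),   # header/payload mismatch
]
```

Calling `inspect(SAMPLE_FRAMES, TRUSTED)` returns one alert for each of the last two frames. Frames carrying an 802.1Q VLAN tag are skipped by this parser and would need the tag stripped first.
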
Skype – What Is It?
• Proprietary VoIP system for calls over the Internet
• Free and simple to use
• Developed by the creators of KaZaA
• Relies on P2P technology
• Over 29 million users worldwide
• Allows connections to regular phones through SkypeOut

Skype Connection Details
• Listens on a random port, and on ports 80 and 443
• Connects to known Supernodes stored in the registry
• Must establish a connection with the login server to authenticate
• NAT and firewall traversal
• Any Skype client with an Internet IP address and suitable bandwidth/CPU may become a Supernode

Skype Architecture
Ref: "An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol", Salman A. Baset and Henning Schulzrinne

Skype Call Security
• Skype claims to encrypt all voice traffic with 128-bit or better encryption
• The encryption implementation used is proprietary and closed-source
• It is unknown whether the Skype organisation has the ability to decrypt all voice traffic

Other Skype Security Concerns
• Same developers as KaZaA, known for spyware
• Cannot stop the client becoming a Supernode
• Client allows file transfer, even through firewalls: an access path for malicious code and information leakage
• Login server reliance

Should You Use Skype?
• If you can answer yes to four questions:
  - Are you willing to circumvent the perimeter controls of your network?
  - Do you trust the Skype developers to implement security correctly (being closed-source)?
  - Do you trust the ethics of the Skype developers?
  - Can you tolerate the Skype network being unavailable?

Other VoIP Issues – Commercial Caller ID Spoofing
• Multiple companies are now offering caller ID spoofing:
  - CovertCall
  - PI Phone
  - Star38
  - Us Tracers
  - Camophone
  - Telespoof
• Makes social engineering a lot easier
• Many systems authenticate on CID

Other VoIP Issues – New Attack Tools
• New tools make finding vulnerabilities easier
  - SIP Bomber
  - PROTOS Test-Suite
  - SiVuS

Good Sites For Learning More
• Some good links for learning more about VoIP
  - http://www.voip-info.org/tiki-index.php?page=voip-info.org
  - http://www.vopsecurity.org/index.php