SlideShare a Scribd company logo

Hacking and Attacking VoIP Systems - What You Need To Know

Dan York
Dan York

Presentation by Dan York at AstriCon 2007 about how to secure VoIP systems with a focus on the Asterisk open source PBX. The presentation outlines the issues involved with VoIP security, the tools out there to attack/test VoIP systems, best practices to defend against attacks and ends with some specific security recommendations for Asterisk. Audio will soon be available at http://www.blueboxpodcast.com/ (and will be synced to this presentation).

Related slideshows

Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Hacking SIP Like a Boss!
Hacking SIP Like a Boss!
 
Hacking Trust Relationships Between SIP Gateways
Hacking Trust Relationships Between SIP GatewaysHacking Trust Relationships Between SIP Gateways
Hacking Trust Relationships Between SIP Gateways
 
Departed Communications: Learn the ways to smash them!
Departed Communications: Learn the ways to smash them!Departed Communications: Learn the ways to smash them!
Departed Communications: Learn the ways to smash them!
 
1 of 32
Download to read offline
Hacking and Attacking VoIP Systems What You Need To Worry About Dan York, CISSP VOIPSA Best Practices Chair September 27, 2007
Privacy Availability Compliance Confidence Mobility Cost Avoidance Business Continuity © 2007 VOIPSA and Owners as Marked p.
© 2007 VOIPSA and Owners as Marked p.
© 2007 VOIPSA and Owners as Marked p.
© 2007 VOIPSA and Owners as Marked p.
TDM security is relatively simple... PSTN Gateways TDM Switch Physical Wiring Voicemail © 2007 VOIPSA and Owners as Marked p.
VoIP security is more complex Desktop Operating PSTN E-mail PCs Systems Gateways Systems Network Web Firewalls Switches Servers Standards PDAs Voice over Wireless IP Devices Instant Messaging Directories Internet Databases Physical Voicemail Wiring © 2007 VOIPSA and Owners as Marked p.
What is the Industry Doing to Help? Security Vendors VoIP Vendors “The Sky Is Falling!” “Don’t Worry, Trust Us!” (Buy our products!) (Buy our products!) © 2007 VOIPSA and Owners as Marked p.
Voice Over IP Security Alliance (VOIPSA) • www.voipsa.org – 100 members from VoIP and security industries • VOIPSEC mailing list – www.voipsa.org/VOIPSEC/ • “Voice of VOIPSA” Blog – www.voipsa.org/blog • Blue Box: The VoIP Security Podcast – www.blueboxpodcast.com • VoIP Security Threat Taxonomy • Best Practices Project underway now Security Research Market and Social Classification Best Practices Outreach Objectives and Taxonomy of for VoIP Communication Constraints Security Threats Security of Findings Security System Testing Published Active Now Ongoing LEGEND © 2007 VOIPSA and Owners as Marked p.
VoIP Security
Security concerns in telephony are not new… Image courtesy of the Computer History Museum © 2007 VOIPSA and Owners as Marked p.
Nor are our attempts to protect against threats… Image courtesy of Mike Sandman – http://www.sandman.com/ © 2007 VOIPSA and Owners as Marked p.
Security Aspects of IP Telephony Media / Voice Manage TCP/IP Call ment Network Control PSTN Policy © 2007 VOIPSA and Owners as Marked p.
Media Eavesdropping Degraded Voice Quality Encryption Virtual LANs (VLANs) Packet Filtering © 2007 VOIPSA and Owners as Marked p.
Signaling Denial of Service Impersonation Toll Fraud Encryption Encrypted Phone Software Proper Programming © 2007 VOIPSA and Owners as Marked p.
Management Web Interfaces APIs! Phones! Encryption Change Default Passwords! Patches? We don’t need... © 2007 VOIPSA and Owners as Marked p.
PSTN © 2007 VOIPSA and Owners as Marked p.
LAN Internet © 2007 VOIPSA and Owners as Marked p.
What about SPIT? (“SPam over Internet Telephony”) • Makes for great headlines, but not yet a significant threat • Fear is script/tool that: –Iterates through calling SIP addresses: • 111@sip.company.com, 112@sip.company.com, … • Opens an audio stream if call is answered (by person or voicemail) –Steals VoIP credentials and uses account to make calls SPAM • Reality is that today such direct connections are generally not allowed • This will change as companies make greater use of SIP trunking and/or directly connect IP-PBX systems to the Internet (and allow incoming calls from any other IP endpoint) • Until that time, Telemarketers have to initiate unsolicited calls through the PSTN to reach their primary market: slows them down and adds cost © 2007 VOIPSA and Owners as Marked p.
The Challenge of SIP Trunking PSTN SIP Service Provider Internet IP-PBX LAN © 2007 VOIPSA and Owners as Marked p.
VoIP Security Tools
www.voipsa.org/Resources/tools.php www.hackingvoip.com © 2007 VOIPSA and Owners as Marked p.
© 2007 VOIPSA and Owners as Marked p.
Tools, tools, tools... • UDP Flooder • Asteroid • IAX Flooder • enumIAX • IAX Enumerator • iWar • ohrwurm RTP Fuzzer • StegRTP • RTP Flooder • VoiPong • INVITE Flooder • Web Interface for SIP Trace • AuthTool • SIPScan • BYE Teardown • SIPCrack • Redirect Poison • SiVuS • Registration Hijacker • SIPVicious Tool Suite • Registration Eraser • SIPBomber • RTP InsertSound • SIPsak • RTP MixSound • SIP bot • SPITTER © 2007 VOIPSA and Owners as Marked p.
Asterisk & Security
www.asterisk.org/security © 2007 VOIPSA and Owners as Marked p.
Security Suggestions for Asterisk 1. TLS-encrypted SIP • needs SIP over TCP first... 2. Secure RTP (SRTP) • there’s a patch 3. SRTP Key Exchange • sdescriptions now, DTLS or potentially ZRTP in the future If Asterisk is configured to use 4. Figure out the phone configuration mess IMAP as its backend storage for • so that the web servers on the phones can be disabled voicemail, then an e-mail sent to a • auto configuration is a start, but how secure are the config files? user with an invalid/corrupted MIME body will cause Asterisk to crash 5. Identity when the user listens to their • RFC 4474 (SIP Identity) voicemail using the phone. 6. Watch out for the APIs and the apps • always fun when a rolodex app can crash your phone system! 7. Toll fraud?? 8. Testing with tools? © 2007 VOIPSA and Owners as Marked p.
Resources
Security Links • VoIP Security Alliance - http://www.voipsa.org/ –Threat Taxonomy - http://www.voipsa.org/Activities/taxonomy.php –VOIPSEC email list - http://www.voipsa.org/VOIPSEC/ –Weblog - http://www.voipsa.org/blog/ –Security Tools list - http://www.voipsa.org/Resources/tools.php –Blue Box: The VoIP Security Podcast - http://www.blueboxpodcast.com • NIST SP800-58, “Security Considerations for VoIP Systems” – http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf • Network Security Tools – http://sectools.org/ • Hacking Exposed VoIP site and tools – http://www.hackingvoip.com/ © 2007 VOIPSA and Owners as Marked p.
Q&eh? www.voipsa.org
Speaker Introduction – Dan York Dan York, CISSP, is the Best Practices Chair for the VOIP Security Alliance where he leads the project to develop and document a concise set of industry-wide best practices for security VoIP systems. He is also heading up VOIPSA's move into quot;social mediaquot; with the launch of the Voice of VOIPSA group weblog. Additionally, York is the producer of Blue Box: The VoIP Security Podcast where each week he and co-host Jonathan Zar discuss VoIP security news and interview people involved in the field. Most recently he served as Director of IP Technology reporting to the CTO of Mitel Corporation and focused on emerging VoIP technology and VoIP security. As chair of Mitel's Product Security Team, he coordinates the efforts of a cross-functional group to communicate both externally and internally on VoIP security issues, respond to customer inquiries related to security, investigate security vulnerability reports, and monitor security standards and trends. Previously, York served in Mitel Product Management bringing multiple products to market including Mitel's secure VoIP Teleworker Solution in 2003. His writing can also be found online at his weblog, Disruptive Telephony. © 2007 VOIPSA and Owners as Marked p.
Other Best Practices Media / Voice TCP/IP Manage Call Network • Network ment Control Policy PSTN –Networks should be evaluated for readiness to carry VoIP traffic. –Secure mechanisms should be used for traversal of firewalls. • Phone Sets –Set software loads should be encrypted and tamper-proof. –Sets should run the minimum of services required. –Connection of a set to the system must require an initial authentication and authorization. • Servers –Servers should be incorporated into appropriate patch management and anti-virus systems. –Sufficient backup power should be available to maintain operation of telephony devices (and necessary network infrastructure) in the event of a power failure. • Wireless –All wireless devices should implement WPA and/or WPA2 versus WEP. © 2007 VOIPSA and Owners as Marked p.

More Related Content

Hacking and Attacking VoIP Systems - What You Need To Know

  • 1. Hacking and Attacking VoIP Systems What You Need To Worry About Dan York, CISSP VOIPSA Best Practices Chair September 27, 2007
  • 2. Privacy Availability Compliance Confidence Mobility Cost Avoidance Business Continuity © 2007 VOIPSA and Owners as Marked p.
  • 3. © 2007 VOIPSA and Owners as Marked p.
  • 4. © 2007 VOIPSA and Owners as Marked p.
  • 5. © 2007 VOIPSA and Owners as Marked p.
  • 6. TDM security is relatively simple... PSTN Gateways TDM Switch Physical Wiring Voicemail © 2007 VOIPSA and Owners as Marked p.
  • 7. VoIP security is more complex Desktop Operating PSTN E-mail PCs Systems Gateways Systems Network Web Firewalls Switches Servers Standards PDAs Voice over Wireless IP Devices Instant Messaging Directories Internet Databases Physical Voicemail Wiring © 2007 VOIPSA and Owners as Marked p.
  • 8. What is the Industry Doing to Help? Security Vendors VoIP Vendors “The Sky Is Falling!” “Don’t Worry, Trust Us!” (Buy our products!) (Buy our products!) © 2007 VOIPSA and Owners as Marked p.
  • 9. Voice Over IP Security Alliance (VOIPSA) • www.voipsa.org – 100 members from VoIP and security industries • VOIPSEC mailing list – www.voipsa.org/VOIPSEC/ • “Voice of VOIPSA” Blog – www.voipsa.org/blog • Blue Box: The VoIP Security Podcast – www.blueboxpodcast.com • VoIP Security Threat Taxonomy • Best Practices Project underway now Security Research Market and Social Classification Best Practices Outreach Objectives and Taxonomy of for VoIP Communication Constraints Security Threats Security of Findings Security System Testing Published Active Now Ongoing LEGEND © 2007 VOIPSA and Owners as Marked p.
  • 11. Security concerns in telephony are not new… Image courtesy of the Computer History Museum © 2007 VOIPSA and Owners as Marked p.
  • 12. Nor are our attempts to protect against threats… Image courtesy of Mike Sandman – http://www.sandman.com/ © 2007 VOIPSA and Owners as Marked p.
  • 13. Security Aspects of IP Telephony Media / Voice Manage TCP/IP Call ment Network Control PSTN Policy © 2007 VOIPSA and Owners as Marked p.
  • 14. Media Eavesdropping Degraded Voice Quality Encryption Virtual LANs (VLANs) Packet Filtering © 2007 VOIPSA and Owners as Marked p.
  • 15. Signaling Denial of Service Impersonation Toll Fraud Encryption Encrypted Phone Software Proper Programming © 2007 VOIPSA and Owners as Marked p.
  • 16. Management Web Interfaces APIs! Phones! Encryption Change Default Passwords! Patches? We don’t need... © 2007 VOIPSA and Owners as Marked p.
  • 17. PSTN © 2007 VOIPSA and Owners as Marked p.
  • 18. LAN Internet © 2007 VOIPSA and Owners as Marked p.
  • 19. What about SPIT? (“SPam over Internet Telephony”) • Makes for great headlines, but not yet a significant threat • Fear is script/tool that: –Iterates through calling SIP addresses: • 111@sip.company.com, 112@sip.company.com, … • Opens an audio stream if call is answered (by person or voicemail) –Steals VoIP credentials and uses account to make calls SPAM • Reality is that today such direct connections are generally not allowed • This will change as companies make greater use of SIP trunking and/or directly connect IP-PBX systems to the Internet (and allow incoming calls from any other IP endpoint) • Until that time, Telemarketers have to initiate unsolicited calls through the PSTN to reach their primary market: slows them down and adds cost © 2007 VOIPSA and Owners as Marked p.
  • 20. The Challenge of SIP Trunking PSTN SIP Service Provider Internet IP-PBX LAN © 2007 VOIPSA and Owners as Marked p.
  • 22. www.voipsa.org/Resources/tools.php www.hackingvoip.com © 2007 VOIPSA and Owners as Marked p.
  • 23. © 2007 VOIPSA and Owners as Marked p.
  • 24. Tools, tools, tools... • UDP Flooder • Asteroid • IAX Flooder • enumIAX • IAX Enumerator • iWar • ohrwurm RTP Fuzzer • StegRTP • RTP Flooder • VoiPong • INVITE Flooder • Web Interface for SIP Trace • AuthTool • SIPScan • BYE Teardown • SIPCrack • Redirect Poison • SiVuS • Registration Hijacker • SIPVicious Tool Suite • Registration Eraser • SIPBomber • RTP InsertSound • SIPsak • RTP MixSound • SIP bot • SPITTER © 2007 VOIPSA and Owners as Marked p.
  • 27. Security Suggestions for Asterisk 1. TLS-encrypted SIP • needs SIP over TCP first... 2. Secure RTP (SRTP) • there’s a patch 3. SRTP Key Exchange • sdescriptions now, DTLS or potentially ZRTP in the future If Asterisk is configured to use 4. Figure out the phone configuration mess IMAP as its backend storage for • so that the web servers on the phones can be disabled voicemail, then an e-mail sent to a • auto configuration is a start, but how secure are the config files? user with an invalid/corrupted MIME body will cause Asterisk to crash 5. Identity when the user listens to their • RFC 4474 (SIP Identity) voicemail using the phone. 6. Watch out for the APIs and the apps • always fun when a rolodex app can crash your phone system! 7. Toll fraud?? 8. Testing with tools? © 2007 VOIPSA and Owners as Marked p.
  • 29. Security Links • VoIP Security Alliance - http://www.voipsa.org/ –Threat Taxonomy - http://www.voipsa.org/Activities/taxonomy.php –VOIPSEC email list - http://www.voipsa.org/VOIPSEC/ –Weblog - http://www.voipsa.org/blog/ –Security Tools list - http://www.voipsa.org/Resources/tools.php –Blue Box: The VoIP Security Podcast - http://www.blueboxpodcast.com • NIST SP800-58, “Security Considerations for VoIP Systems” – http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf • Network Security Tools – http://sectools.org/ • Hacking Exposed VoIP site and tools – http://www.hackingvoip.com/ © 2007 VOIPSA and Owners as Marked p.
  • 31. Speaker Introduction – Dan York Dan York, CISSP, is the Best Practices Chair for the VOIP Security Alliance where he leads the project to develop and document a concise set of industry-wide best practices for security VoIP systems. He is also heading up VOIPSA's move into quot;social mediaquot; with the launch of the Voice of VOIPSA group weblog. Additionally, York is the producer of Blue Box: The VoIP Security Podcast where each week he and co-host Jonathan Zar discuss VoIP security news and interview people involved in the field. Most recently he served as Director of IP Technology reporting to the CTO of Mitel Corporation and focused on emerging VoIP technology and VoIP security. As chair of Mitel's Product Security Team, he coordinates the efforts of a cross-functional group to communicate both externally and internally on VoIP security issues, respond to customer inquiries related to security, investigate security vulnerability reports, and monitor security standards and trends. Previously, York served in Mitel Product Management bringing multiple products to market including Mitel's secure VoIP Teleworker Solution in 2003. His writing can also be found online at his weblog, Disruptive Telephony. © 2007 VOIPSA and Owners as Marked p.
  • 32. Other Best Practices Media / Voice TCP/IP Manage Call Network • Network ment Control Policy PSTN –Networks should be evaluated for readiness to carry VoIP traffic. –Secure mechanisms should be used for traversal of firewalls. • Phone Sets –Set software loads should be encrypted and tamper-proof. –Sets should run the minimum of services required. –Connection of a set to the system must require an initial authentication and authorization. • Servers –Servers should be incorporated into appropriate patch management and anti-virus systems. –Sufficient backup power should be available to maintain operation of telephony devices (and necessary network infrastructure) in the event of a power failure. • Wireless –All wireless devices should implement WPA and/or WPA2 versus WEP. © 2007 VOIPSA and Owners as Marked p.