Voice Security, Interop 2009. Mark D. Collier, SecureLogix Corporation (mark.collier@securelogix.com)

Post on 28-Mar-2015


Voice Security

Interop 2009

Mark D. Collier

SecureLogix Corporation

www.securelogix.com

mark.collier@securelogix.com

Voice Security Introduction

» Voice security includes traditional and VoIP systems

» VoIP systems are vulnerable:

» The primary vendors are improving their systems, but...

» Security is rarely a major consideration during deployment

» Platforms, network, and applications are vulnerable

» Many available VoIP attack tools

» Fortunately, the (mostly internal) threat is still moderate

» VoIP deployment is growing

» Greater integration with the data network

» Application threats remain the biggest issue

» SIP trunks will increase the threat

Traditional Voice Security

[Network diagram, built up over five slides. Components on every slide: Internet Connection, Internet, Public Voice Network, TDM Trunks, TDM Phones, Servers/PCs, Modem, Fax, PBX, Modem.]

» Slide 2 adds the label "Internet Attacks": Scanning/DoS, Email SPAM, Web Attacks

» Slide 3 shows Internet Attacks together with: Firewall/IDPS, Email SPAM filter, Web security

» Slide 4 shows: Toll fraud, Social engineering, Harassing calls, Modem issues; Firewall/IDPS, Email SPAM filter, Web security

» Slide 5 shows the same labels as slide 4 plus: Voice Firewall

Campus VoIP

[Network diagram, built up over three slides. Components on every slide: Internet Connection, Internet, Public Voice Network, TDM Trunks, TDM Phones, Servers/PCs, Modem, Fax, IP PBX (CM, Gateway, DNS, CC Admin, TFTP, DHCP, VM, DB), Voice VLAN, IP Phones, Data VLAN.]

» Slide 1 shows: Firewall/IDPS, Email SPAM filter, Web security, Voice Firewall

» Slide 2 adds: Toll fraud, Social engineering, Harassing calls, Modem issues

» Slide 3 adds the label: Attacks Can Originate From The Internal Network

SIP Trunks

[Network diagram, built up over four slides. Components on every slide: Internet Connection, Internet, Public Voice Network, SIP Trunks, TDM Phones, Servers/PCs, Modem, Fax, IP PBX (CM, Gateway, DNS, CC Admin, TFTP, DHCP, VM, DB), Voice VLAN, IP Phones, Data VLAN.]

» Slide 1 shows: Firewall/IDPS, Email SPAM filter, Web security, Voice Firewall

» Slide 2 adds: Toll fraud, Social engineering, Harassing calls, Modem issues

» Slide 3 adds: Scanning, Fuzzing, Flood DoS

» Slide 4 shows the same labels as slide 3, with "Voice Firewall" joined by "SIP Firewall"

SecureLogix corporate confidential. 080508

Many Components in VoIP

» IP PBX:

» Server platforms

» Various gateway cards

» Adjunct systems

» Network:

» Switches, routers, firewalls

» Shared links

» VLAN configurations

» Endpoints:

» IP phones and softphones

» Protocol Issues (SIP):

IP PBX Vulnerabilities

Vulnerabilities At Many Layers

[Diagram. Layers: General Purpose Operating System; Network Stack (IP, UDP, TCP); VoIP Protocols; Services (TFTP, SNMP, DHCP, DB, Web Server); Voice Application.]

[Attack and weakness labels: Worms/Viruses Targeting The Operating System; Trivial DoS Attacks, MITM Attacks; TFTP Brute Force Attack, SNMP Enumeration, DHCP Starvation, SQL Attacks; Flood DoS, Fuzzing; Application Attacks; Poor Configuration, Weak Passwords, Insecure Management, Insecure Architecture.]

IP PBX Vulnerabilities

[Diagram: IP PBX (CM, Gateway, DNS, CC Admin, TFTP, DHCP, VM, DB) with the labels Eavesdropping; Resource Starvation; Physical Attacks; SPIT Phishing; Toll Fraud; Modems; DoS Floods; Unauthorized Access; Fuzzing DoS; Sniffing.]

IP PBX Vulnerabilities

[Diagram: IP PBX (CM, Gateway, DNS, CC Admin, TFTP, DHCP, VM, DB) with the labels Other Common Services; DHCP DNS; SNMP; Web Server; RTP; TDM Interfaces; Underlying OS; Management Interfaces; TFTP Signaling; Network Stacks; SQL.]

Network Vulnerabilities

» The network can also be attacked:

» Platform attacks

» DoS

» Shared link saturation

» Eavesdropping

» Incorrect VLAN configuration

» Man-in-the-middle attacks


IP Phone Vulnerabilities

» IP phones can also be attacked:

» Physical access

» Poor passwords

» Signaling/media

» DoS

» Unnecessary services


Protocol Vulnerabilities (SIP)

» Directory Scanning

» Fuzzing

» Flood-based Denial of Service (DoS)

» Registration manipulation

» Call termination

» RTP manipulation

Directory Scanning

[Diagram labels: Proxy Server; "1. INVITE derek@tpti (spoofed source IP)"; "Send INVITEs/OPTIONs/REGISTERs To Scan For IP Phones"]

Fuzzing

[Diagram labels: Proxy Server; Location Server; "Malformed SIP"]

Flood-based DoS

[Diagram labels: Proxy Server; "1. INVITE derek@tpti (spoofed source IP)"; "Send 1000000 INVITEs"; "Send enough INVITEs to Ring All Phones"]

Registration Manipulation

[Diagram: derek’s Phone, Registrar, Location Server. Messages as numbered on the slide:]

1. REGISTER sip:derek@tpti.com Contact <sip:derek@11.5.6.7> Expires: 3600

2. “To contact sip:derek@tpti.com Use sip:derek@11.5.6.7 for 60 minutes”

3. 200 OK

3. REGISTER sip:derek@tpti.com Contact <mugatu@11.5.6.8> Expires: 1800

4. “To contact sip:derek@tpti.com Use sip:mugatu@11.5.6.8 for 30 minutes”
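A defender-side check for the rebinding shown on this slide, as an added example that is not part of the original deck: it replays REGISTER requests and flags any that point a still-valid binding at a different host. The source IPs, timestamps, Authorization header and function names are assumptions for illustration, and the model keeps a single contact per address-of-record.

```python
import re

def make_register(aor, contact, expires, auth=False):
    """Build a minimal REGISTER request (constructed sample, not captured traffic)."""
    lines = [f"REGISTER sip:{aor.split('@')[1]} SIP/2.0", f"To: <sip:{aor}>",
             f"Contact: <sip:{contact}>", f"Expires: {expires}"]
    if auth:
        lines.append('Authorization: Digest username="derek"')  # assumed header
    return "\r\n".join(lines) + "\r\n\r\n"

# (arrival time in seconds, source IP, raw request). Addresses and Expires
# values come from the slide; times and source IPs are assumptions.
SAMPLE = [
    (0, "11.5.6.7", make_register("derek@tpti.com", "derek@11.5.6.7", 3600, auth=True)),
    (600, "11.5.6.8", make_register("derek@tpti.com", "mugatu@11.5.6.8", 1800)),
]

def parse_register(raw):
    """Return (aor, contact, expires, has_credentials) for one REGISTER."""
    hdr = {}
    for line in raw.split("\r\n")[1:]:          # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            hdr[name.strip().lower()] = value.strip()
    aor = re.search(r"sip:([^>;\s]+)", hdr["to"]).group(1)
    contact = re.search(r"sip:([^>;\s]+)", hdr["contact"]).group(1)
    return aor, contact, int(hdr.get("expires", 3600)), "authorization" in hdr

def detect_rebinding(events):
    """Flag REGISTERs that move a still-valid binding to a different host."""
    bindings, alerts = {}, []                   # aor -> (contact host, expiry time)
    for ts, src, raw in events:
        aor, contact, expires, has_creds = parse_register(raw)
        host = contact.split("@")[-1]
        old = bindings.get(aor)
        if old and old[1] > ts and old[0] != host:
            note = "credentials present" if has_creds else "no credentials"
            alerts.append((ts, aor, old[0], host, src, note))
        bindings[aor] = (host, ts + expires)
    return alerts

if __name__ == "__main__":
    for alert in detect_rebinding(SAMPLE):
        print("binding changed:", alert)
```

A refresh from the same contact, or a new contact registered after the old binding has expired, produces no alert.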

Call Termination

[Diagram labels, as numbered on the slide:]

6. INVITE derek@11.5.6.7

7. 200 OK

7. SIP CANCEL derek@11.5.6.7

8. RTP Conversation

9. SIP BYE derek@11.5.6.7

RTP Manipulation

[Diagram label: RTP Tunneling]

Application Issues

» Toll fraud

» Minor misuse

» Dial through fraud

» Social engineering

» Harassing callers

» Various modem issues

» Poorly secured modems used for remote access

» ISP modems

Best Practices

» Develop a voice/VoIP security policy

» Address application issues at the perimeter

» Prioritize security during VoIP deployments

» Consider a VoIP security assessment

» Follow good basic data network security for internal network

» Deploy SIP security when using SIP trunks

Resources

» www.voipsa.org

» www.blueboxpadcast.com

» www.securelogix.com

» www.voipsecurityblog.com

» Vendor sites

Questions?