Security Challenges in Hybrid Telephony Richard Hovey Communications Systems Analysis Division...
-
date post
19-Dec-2015 -
Category
Documents
-
view
215 -
download
1
Transcript of Security Challenges in Hybrid Telephony Richard Hovey Communications Systems Analysis Division...
Security Challenges inHybrid Telephony
Richard HoveyCommunications Systems Analysis DivisionFebruary 8, 2007
Observations are my own and are not a reflection of views of CSAD or PSHSB.
February 8, 2007 Non-public – for Internal Use Only
2
SS7
SSP
Hybrid IP-TDM Telephony
router
Broadband Phone Service
SIPDNS
IPPBX
Routing Interop (BGP)
Smartphone
Session Initiation
Protocol (SIP)
SignalingInterop
IP PBX
Security Issues
Domain Name System
Interop (DNS)
TDM NetworkIP Network
PBX
February 8, 2007 Non-public – for Internal Use Only
3
Security Challenges in Hybrid Telephony Outline
1. Perspectives on telecom convergence• "Very-Next" Generation c.2007-2010
2. Telephony on the commodity Internet• Tutorial: basic SIP signaling• SIP Security challenges
3. Hybrid Telephony IP – TDM • Tutorial: basic SS7 signaling; SIP – SS7 Interworking• SIP-SS7 security challenges
4. Emerging components & concerns– Open Source IP PBX– Smartphone
February 8, 2007 Non-public – for Internal Use Only
4
Security Challenges in Hybrid Telephony Advisory Message
• The Sky isn't exactly falling…• …but the Sea Level is rising.• Net effect: The Sky is getting closer.
Severe Risk ofSky Falling
High Risk ofSky Falling
Low Risk ofSky Falling
General Risk ofSky Falling
Significant Risk ofSky Falling
CSAD Advisory System
February 8, 2007 Non-public – for Internal Use Only
5
TDM phone net
Broadbandcopper,cable,or fiber satellite distribution
Perspective on Convergence Very-Next Generation Residential Broadband
TDM phone net
commodity Internet
~headend
local servers
•Today: parallel access to distinct infrastructures•Future: common IP core infrastructure?
–Vision of "Carrier ISPs"–First test: adoption of “NGN Release 1”
February 8, 2007 Non-public – for Internal Use Only
6
Tutorial: IP-IP Telephony Session Initiation Protocol Signaling (SIP)
IP Network 1 IP Network 2
SIP
LOC
IP Link [Voice Path - RTP]
IP Link [Signaling Path - SDP]
IP Link
DNSSIP
Router
Switching
Control Control
February 8, 2007 Non-public – for Internal Use Only
7
Tutorial: IP-IP Telephony SIP Basics
• Session Initiation Protocol (SIP) – Text-based protocol with a readable syntax, similar to HTTP – Used for controlling multimedia sessions over IP (i.e., signaling)– Telephony is a type of audio-only multimedia session
• INVITE message– Used to establish a session; analogous to ISUP IAM message– IP-IP phone example (Kevin calls Michael over Internet)
INVITE sip:[email protected] SIP/2.0Via: SIP/2.0/UDP 165.135.228.98:5060Max-Forwards: 50To: Michael <sip:[email protected]>From: Kevin <sip:[email protected]>;tag=8055002911Content-type: application/sdpContent-length: 142
INVITE sip:[email protected] SIP/2.0Via: SIP/2.0/UDP 165.135.228.98:5060Max-Forwards: 50To: Michael <sip:[email protected]>From: Kevin <sip:[email protected]>;tag=8055002911Content-type: application/sdpContent-length: 142
February 8, 2007 Non-public – for Internal Use Only
8
Tutorial: IP-IP Telephony Session Initiation Protocol Signaling (SIP)
IP Link [Voice Path]
IP Link [Signaling Path]
IP Link
❶ Kevin "calls" Michael
❷ INVITE to: sip:[email protected]
❷
❸ DNS Query
❹ INVITE❺ LS Query
❻
❻ INVITE
❼ Ringing
➑ OK
LOC
SIP SIP
DNS
Router
➒ voice (RTP)
February 8, 2007 Non-public – for Internal Use Only
9
IP-based Telephony SIP Signaling -Challenges
SIP and Privacy (withholding identity)– Identity carried in SIP URI and optional Display Name
e.g., Kevin <sip:[email protected]>– Appears in numerous fields in SIP messages
e.g., From:, Contact:, Reply-to: – Identity Info also appears in
e.g., Via:, Call-Info:, User-Agent:, Organization:, Server:
– Some are functional and have to be included– Complicated by intermediary proxy servers that add headers
[and can examine the other header content]
February 8, 2007 Non-public – for Internal Use Only
10
IP-based Telephony SIP Signaling -Challenges
• Utility of protecting SIP with encryption?– i.e., protect SIP messages with IP Security (IPsec) at IP Layer
• Hop-by-hop impact on Call Set-up time is significant– Almost certainly unacceptable
No IPSec Proxy IPSec End-End IPSec
IP-IP 4.6 7.5 20.2
IP-TDM 7.6 9.5 21.8
TDM-IP 5.2 8.0 12.7
TDM-IP-TDM 6.9 9.3 14.3
• Once connected phone-phone, delay acceptable– About 10% (8 msec)
• Implications for NGN?
Source: Telcordia
February 8, 2007 Non-public – for Internal Use Only
11
IP-based TelephonyVulnerabilities in SIP devices
• Dozens of vulnerabilities impacting IP-based telephony– Includes commodity Internet risks at other layers
• Attacks on vulnerabilities– can impact confidentiality, integrity, availability– can trigger device hangs, crashes, restarts
• Hundreds of SIP devices software implementations– both SIP phones and SIP Servers
• Next: some approaches to mitigating risks– Security thru obscurity – don’t reveal implementation– Security thru testing – use test tools to check implementation
February 8, 2007 Non-public – for Internal Use Only
12
IP-based Telephony IP Telephony Vulnerabilities by Protocol Layer
Layer Attack Vector Confidentiality
Integ-rity
Avail-ablity
Net Interface
Physical Attacks X X
ARP cache X X X
ARP flood X
MAC spoofing X X X
Internet
IP spoofing
Device X X X
Redirect Via IP spoof X X X
Malformed packets X X X
IP frag X X X
Jolt X
Transport
TCP/UDP flood X
TCP/UDP replay X X
Applicaition
TFTP server insertion X
DHCP server insertion X
DHCP starvation X
ICMP flood X Source: UC Boulder
Layer Attack Vector Confidentiality
Integ-rity
Avail-ablity
App. [cont]
SIP Registration Hijacking X X X
MGCP Hijack X X X
Message modification X X
RTP Insertion
Spoof via header X X X
Cancel / bye attack X
Malformed method X
Redirect method X X
RTP SDP redirect X
RTP payload X
RTP tampering X
Encryption X X X
Default configuration X X X
Unnecessary services X X X
Buffer overflow X X X
Legacy Network X X X
DNS Availability X
February 8, 2007 Non-public – for Internal Use Only
13
IP-based Telephony Security thru Obscurity?
• A vulnerable implementation becomes an explicit target– e.g., Windows vulnerabilities
• SIP standard defines a "User-Agent" field– announces software version– can turn it off so software details are not revealed
• But… turning off explicit identification doesn't really help– sufficient info in protocol responses to determine software– probing technique manipulates headers, log responses– each device has a unique fingerprint
• Does suggest some security improvements– e.g., don't respond to non-compliant messages– e.g., randomize fields and attributes
February 8, 2007 Non-public – for Internal Use Only
14
IP-based Telephony
Security thru Obscurity?
SIP device fingerprints
Source: CMU & IBM Watson
February 8, 2007 Non-public – for Internal Use Only
15
IP-based Telephony Security thru Testing
• Commercially-available VoIP testing tools– “vulnerability scanners”
• Inject abnormalities into SIP messages– E.g., one tool: 4500 test cases…– …but only for SIP “INVITE” message
• Analysis of seven testing tools – based on lab tests of four tools; claims of three others– even combined, address less than half of known vulnerabilities
February 8, 2007 Non-public – for Internal Use Only
16
IP-based Telephony IP Telephony Vulnerabilities Addressed by Tools
Layer Attack Vector Addressed by ΣTools
Net Interface
Physical Attacks
ARP cache
ARP flood
MAC spoofing
Internet
IP spoofing X
Device X
Redirect Via IP spoof X
Malformed packets
IP frag
Jolt
Transport
TCP/UDP flood X
TCP/UDP replay
Application
TFTP server insertion
DHCP server insertion
DHCP starvation
ICMP floodSource: UC Boulder
Layer Attack Vector Addressed by ΣTools
App. [cont]
SIP Registration Hijacking X
MGCP Hijack
Message modification
RTP Insertion
Spoof via header X
Cancel / bye attack
Malformed method X
Redirect method X
RTP SDP redirect X
RTP payload X
RTP tampering X
Encryption X
Default configuration
Unnecessary services
Buffer overflow X
Legacy Network X
DNS Availability X
February 8, 2007 Non-public – for Internal Use Only
17
IP-based Telephony Denial of Service Attacks
• Background– Brute force attacks are much easier than clever exploits
• Attack targets– SIP infrastructure (SIP servers, Gateways)– Supporting services (DNS)– End points (SIP phones)
• Commercially available solutions for UDP/SYN flooding– But currently none for SIP
February 8, 2007 Non-public – for Internal Use Only
18
IP-based Telephony Denial of Service Attacks
• Carrier-class Analysis– Two types of attacks used: General and VoIP-specific– Bi-directional Speech grade-of-service metrics collected
• Results– VoIP-specific attacks effective at low rates against all devices
• No service – let alone grade of service - to record
– General attacks caused a wide-range of effects• Unexpected: all devices adversely affected by TCP SYN attacks
• Conclusions (November 2004): “Keep VoIP on private secured networks (off the public Internet)
where practical” “Design DDOS mitigation products to be VoIP-aware”
Sprint Adv. Tech. Labs
February 8, 2007 Non-public – for Internal Use Only
19
IP-based Telephony Denial of Service Attacks
Voice Quality during TCP SYN attack on a network element
acceptable quality▲
◄Attack Level20% of bandwidth
February 8, 2007 Non-public – for Internal Use Only
20
IP-based Telephony Denial of Service Attacks
Current carrier-class work• Addressing perimeter protection problem of VoIP service• Strategy – two detection and mitigation filters
– SIP: Rule-based detection and mitigation filters (only valid SIP) – Media: SIP-aware dynamic pinhole filtering (only signaled RTP)
February 8, 2007 Non-public – for Internal Use Only
21
Columbia U – Verizon Labs
IP-based Telephony Denial of Service Attacks
February 8, 2007 Non-public – for Internal Use Only
22
IP-based Telephony Denial of Service Attacks
Carrier-class Prototype• Rely on wire-speed, deep-packet inspection• 300 calls/second;10K-30K concurrent calls• Conclusion (October 2006):
“Need to generalize methodology to cover a broader range of cases and apply anomaly detection, pattern recognition and learning systems”
Columbia U – Verizon Labs
February 8, 2007 Non-public – for Internal Use Only
24
Tutorial: TDM-TDM TelephonyInter-exchange Signaling (SS7)ISDN User Part (ISUP) Protocol
W X
BA
Subscriber Line
Voice Trunk
Signaling Link
❶ dial digits
❷ Initial Address Message [IAM]
❷ IAM
❸ number idle?
❹ Address Complete Message [ACM]❹ ACM
❺ ring line, transmit Caller ID
❺ ring tone❻ connect to trunk
February 8, 2007 Non-public – for Internal Use Only
25
Tutorial: TDM-TDM TelephonyInitial Address Message (IAM)
Initial Address Message
Calling Party Number parameter
Charge Number parameter
Called Party Number parameter
February 8, 2007 Non-public – for Internal Use Only
26
Broadband Phone Service
Tutorial: IP-TDM Telephony
router
SSP
SIPDNS MGC
February 8, 2007 Non-public – for Internal Use Only
27
• Media Gateway Controller (MGC)– Also referred to as a "Softswitch" or "Call Agent"– Has logical interfaces facing both networks– Translates between SIP and ISUP messages– SS7 protocol Level 4 (e.g. "INVITE" "IAM“)
• Media Gateway (MG)– Has trunking interfaces facing both networks– Translates between IP and TDM voice streams (i.e. RTPT1)– MGC and MG can be merged in one box or kept separate
• Signaling Gateway (SG)– Performs mapping of Signaling Network Messages– SS7 protocol Level 3 – Level 3: controls congestion, balances loads, re-routes traffic
Tutorial: IP-TDM Telephony SIP to SS7
MGC
February 8, 2007 Non-public – for Internal Use Only
28
Questions wrt Media Gateway Controller: • How do they map fields? e.g. "INVITE" "IAM“?
– e.g., "From:" "Calling Party Number“ and "Charge Number" • What call records do they maintain?
– significant implications for Authenticating source
Tutorial: IP-TDM Telephony SIP to SS7
MGC
February 8, 2007 Non-public – for Internal Use Only
29
• INVITE message– IP-to-Wireline phone example (Kevin calls Michael from Internet)
INVITE sip:[email protected];user=phone SIP/2.0Via: SIP/2.0/UDP client.kevin.fcc.gov:5060Max-Forwards: 50To: Michael <sip:[email protected];user=phone>From: Kevin <sip:+12024180100>;tag=8055002911Content-type: application/sdpContent-length: 142
Tutorial: IP-TDM Telephony SIP to SS7
February 8, 2007 Non-public – for Internal Use Only
30
Tutorial: IP-TDM Telephony SIP to SS7
• Signaling Gateway (SG) function– Performs mapping of signaling network messages– SS7 Level 3: congestion, balances loads, traffic re-routing
• Transporting SS7 over IP Network
IP
TDM
MGC
MGC STPSG
SS7IP
ISUP
M3UA
SCTP
IP
ISUP
MTP3
MTP2
MTP1
M3UA
SCTP
IP
(NIF)
MTP3
MTP2
MTP1
• Bottom line: SG can appear as an SS7 SP at the interface
February 8, 2007 Non-public – for Internal Use Only
31
Tutorial: IP-TDM Phone Service SIP-SS7 Signaling
Questions?
February 8, 2007 Non-public – for Internal Use Only
32
IP-TDM Phone ServiceSignaling Interworking Vulnerabilities
Background• New players (CLECs) increasing the number of SS7 access points• Signaling Gateway looks like another SS7 SP to an STP• Absence of message integrity and authentication in SS7
– Could use IPSec in hybrid environment – but ends at the SG
Recent Analysis (December 2006)• Hijacked or misbehaving SS7 nodes
– Open to Signaling Network Management (SNM) injects– Injections towards MGC can disrupt VoIP services
• Hijacked or misbehaving Signaling Gateway– Can affect functioning of SS7 network
“Threats arising in either network due to misprovisioned or malicious signaling nodes are not confined to that network alone but may affect the other network as well.” GMU - UNT
February 8, 2007 Non-public – for Internal Use Only
33
IP-TDM Phone ServiceSignaling Interworking Vulnerabilities
SS7 protocol layer and its management messages
SS7 network management messages in an IP network
Message Transfer Part Level 3: MTP3 SIGTRAN layer: M3UA
Signaling Network Management msgs:• Emergency Changeover Order• Changeover Order• Transfer Prohibited• Transfer Controlled• Transfer Restricted
At Signaling Gateway, M3UA provides interworking with MTP3 function by using ASP management messages:• Destination Restricted• Destination Unavailable• Signaling Congestion• Destination User Part Unavailable
Critical Management Messages in IP and SS7 networks – just SS7 level 3
February 8, 2007 Non-public – for Internal Use Only
34
IP-TDM Phone ServiceSignaling Interworking Vulnerabilities
• Only widely deployed security solution– Telcordia’s Gateway Screening Specification– Implemented at gateway STPs– Generally screens out only message headers– Doesn’t check content and structure of most signaling messages
• Commercial products to secure SS7 are emerging– Content-based and signal-sequence firewalls– Network Access Meditation (Sevis); – SS7 Security Gatekeeper (Verizon)
• Proposed: MTPSec to secure SS7 network layer
February 8, 2007 Non-public – for Internal Use Only
35
Open Source PBXBe Your Own Phone Company
AsteriskPBX
router
SSP
TerminationProvider
February 8, 2007 Non-public – for Internal Use Only
36
Be Your Own Phone CompanyAsterisk – Corporate PBX
February 8, 2007 Non-public – for Internal Use Only
37
Open Source PBX Spoofing - Service & Do-It-Yourself
AsteriskPBX
router
SSP
TerminationProvider
February 8, 2007 Non-public – for Internal Use Only
38
Be Your Own Phone Company Spoofing - Service & Do-It-Yourself
Things to know:– Can use standard SetCallerID(nnnnnnnnnn) command
• PBX-like; not efficient for per-call spoofing
– Asterisk software is easily patched to do Caller ID spoofing•Add the following lines to extension config file exten => 33,1,Answer exten => 33,2,AGI(cidspoof.agi)
•Download the cidspoof.agi script changing line 77 tothe correct username / hostname for VoIP service provider, and copy to /var/lib/asterisk/agi-bin/
•Start Asterisk•Call extension 33, enter number you wish to spoof from, followed by number you wish to spoof to.
February 8, 2007 Non-public – for Internal Use Only
39
Open Source PBX
• Authentication concerns (CPN, BTN)– manipulation now much cheaper– isolation from traceability much greater
February 8, 2007 Non-public – for Internal Use Only
40
Smartphone SecurityGeneral Outlook
• Virus problem seems relatively small and manageable…– Cell phone carriers have strong incentives to keep under control
– Cell phone carriers have good control points (e.g., gateways)
– Incidents to date haven't been widespread or fast spreading
– Many categorized as low-threat "proof of concept"
• Q: "Is the Sky Falling?"
A: "Probably not; not at the moment."
• “But the ocean…”
February 8, 2007 Non-public – for Internal Use Only
41
Smartphone Security General Outlook
• But… cell phones are an increasingly attractive target– Applications becoming more PC-like; e.g., email attachments
(smart phones make up about 5% of cell phones)– Operating System uniformity increases appeal to hackers
(i.e., Symbian, PocketPC, PalmOS dominate smart phones)– Standard Markup Languages create openings (e.g., java scripts)– Phones increasingly carry sensitive info (e.g., business info)– Phones increasingly can make small financial charges
• by accepting "reverse SMS" micropayment charges• i.e., there's a direct link to money
• Potential impact of viruses seems high
February 8, 2007 Non-public – for Internal Use Only
42
Smartphone Security General Outlook
Q: “What can mobile viruses do?”• Spread via Bluetooth, MMS • Send SMS messages • Infect files • Enable remote control of the smartphone • Modify or replace icons or system applications • Install “false” or non-operational fonts and applications • Combat antivirus programs • Install other malicious programs • Block memory cards • Steal data
February 8, 2007 Non-public – for Internal Use Only
43
Smartphone Security Symbian OS…
• Dominant smartphone OS (50% of phones shipped)• Allows user to install untrusted code
– post-installation antivirus software not as mature as PC
• Once installed code has access to all resources– extract phone numbers, email– send SMS, MMS, email; make HTTP connections– dial numbers; connect via Bluetooth
• Possible to avoid detection– run in background (server); wait for long idles; delete logs– user unaware of filesystem
• Possible to avoid removal, short of reflashing
February 8, 2007 Non-public – for Internal Use Only
44
Smartphone Security Bluetooth…
• Devices– 13% of phones sold worldwide in 2004; 4% in U.S.
• Distances– Nominal range is 10 meters (often boosted to 100m) – Hijacking phones has been demonstrated at over a mile
• Suggested cipher vulnerabilities– [see Wetzel]
• Observation– a "personal networking standard" vulnerable to personal
misjudgments and oversights
February 8, 2007 Non-public – for Internal Use Only
45
Smartphone Security Creating the Conditions for a Perfect Storm?
Internet PSTN
Bluetooth
February 8, 2007 Non-public – for Internal Use Only
46
Smartphone SecurityEvolution
• By early 2005 main types of mobile viruses had evolved– Very few in last 18-24 months are truly original
• Now 31 families, 170 variants.• MMS will eventually become common method of propagation
Increase of known mobile malware variants
6/2004 ▲
February 8, 2007 Non-public – for Internal Use Only
47
Service ProvidersCyber Security Practice
Background• History
– Network Reliability & Interoperability Council (NRIC) – NRIC VI & VII: assembled Cybersecurity Best Practices– applicable as appropriate; voluntary, …– more of a checklist where one would like a culture
• Stipulation– Technical complexity; industry's superior expertise & resources– Regulation may not result in adoption of underlying philosophy
February 8, 2007 Non-public – for Internal Use Only
48
Service ProvidersCyber Security Practice
• Question– Are ISP businesses "Markets for Lemons" wrt security?
• asymmetric information > willingness to pay only average price
• above average security will be driven out of the market?
• Challenge– Are there approaches to improving security and reliability of
infrastructure that benefit both users and providers?– What are the incentives?– Are ISP businesses dynamics and industry sectors different?