Security in IP telephony (VoIP) David Andersson Erik Martinsson.
Background
• VoIP is becoming very popular
  - money to be saved!
  - new features
• Not trivial to implement (QoS, availability, security)
• Services released with focus only on functionality
Goals
• Get an overview of VoIP
• Find out about the security threats
• Relevance to language-based security?
• Study some attacks against VoIP
What we have done
• Learned about VoIP technology
  - common network setups
  - protocols
• Evaluation of VoIP threats
• Studying and testing some attacks
• Skype
A Network Setup
Protocols
• SIP and RTP most common
• Both open and defined by IETF
• RTP is a flexible media transfer protocol
• SIP is an initialization protocol
• SIP uses text-based messages
• SIP reuses many existing standards
Security: VoIP vs POTS
• Very different networks trying to achieve the same goals
• POTS is physically difficult to attack
• VoIP has more security features but is open to attacks from the entire world through the Internet
Security: Threats
• VOIPSA (VoIP Security Alliance) has made an extensive list of threats
• A mixture of threats in POTS and in IP-networks
Security: Language-Based?
• VoIP is a complex system
• Secure networking has well known solutions, but…
• …end-devices are hard to control
• The key to securing VoIP is to secure the clients!
Attacks
• SIP-attacks:
  - Bombing
  - Cancel/Bye
  - Call hijacking
• RTP eavesdropping
Attacks: SIP
• Possible to generate SIP packets with e.g. SiVus (The VoIP Vulnerability Scanner)
• Attacks must be done within the timeframe of a call or sometimes during the initial handshake
• Software for real-time attack is needed
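Seen from the defender's side, the Cancel/Bye attack listed earlier leaves a trace in the text-based SIP signaling: a teardown request arriving from a host that never took part in the call. The following is an added example, not part of the original slides; the addresses, Call-IDs and messages are constructed, and comparing source IPs is an assumed heuristic that a spoofed source address would evade.

```python
# Added example: flag BYE/CANCEL requests sent by a host that was never
# seen in the INVITE or in any response for the same Call-ID.
# All addresses, Call-IDs and messages below are constructed sample data.

def parse_sip(raw):
    """Split a text-based SIP message into (start_line, headers dict)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers

def find_suspicious_teardowns(packets):
    """packets: iterable of (source_ip, raw_sip_text) in capture order.
    Returns (call_id, method, source_ip) for each BYE/CANCEL whose sender
    is not a known party of that call (or whose call was never seen)."""
    parties = {}  # Call-ID -> set of source IPs seen in INVITE or responses
    alerts = []
    for src, raw in packets:
        start, hdr = parse_sip(raw)
        call_id = hdr.get("call-id")
        if call_id is None:
            continue  # not a usable SIP message
        method = start.split(" ", 1)[0]
        if method in ("BYE", "CANCEL"):
            if src not in parties.get(call_id, set()):
                alerts.append((call_id, method, src))
        elif method == "INVITE" or start.startswith("SIP/2.0"):
            parties.setdefault(call_id, set()).add(src)
    return alerts

CID = "a1@192.0.2.10"  # constructed Call-ID
SAMPLE = [  # constructed capture: caller, callee, outsider BYE, genuine BYE
    ("192.0.2.10", f"INVITE sip:bob@example.com SIP/2.0\r\nCall-ID: {CID}\r\nCSeq: 1 INVITE\r\n\r\n"),
    ("192.0.2.20", f"SIP/2.0 200 OK\r\nCall-ID: {CID}\r\nCSeq: 1 INVITE\r\n\r\n"),
    ("198.51.100.7", f"BYE sip:bob@example.com SIP/2.0\r\nCall-ID: {CID}\r\nCSeq: 2 BYE\r\n\r\n"),
    ("192.0.2.10", f"BYE sip:bob@example.com SIP/2.0\r\nCall-ID: {CID}\r\nCSeq: 3 BYE\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in find_suspicious_teardowns(SAMPLE):
        print("suspicious teardown:", alert)
```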
Attacks: sniffing RTP
• Ethereal can analyze RTP and find media streams
• Open codecs are easily decoded
• We could play back entire conversations!
Skype
• Most popular VoIP software today
• Proprietary protocol
• Information sent without using the software
• Secure channel (VoIP, IM, File transfer)
• Impossible to distinguish between VoIP, IM or File transfers
Evaluation
• VoIP is usually not very secure!!
• Use with caution until proven otherwise
• Our goals reached