Presentation - The Sys

Ofir Arkin, Founder, The Sys-Security Group
©2002–2004 The Sys-Security Group
Why E.T. Can’t Phone Home?
Security Risk Factors with IP Telephony
Ofir Arkin
[email protected]
Founder, The Sys-Security Group
Agenda
• Introduction
• What is IP Telephony?
– IP Telephony Protocols
– A Generic Call Setup Process
– Different IP Telephony Architectures
• Security Issues With IP Telephony based Networks
• What is at Risk? – Vulnerable targets with IP Telephony based Networks
• Closing Remarks
Introduction
• Privacy and security are mandatory requirements with any telephony based network
• A certain level of security has been achieved with traditional telephony based networks
• IP Telephony based networks are the future of telecommunications
• But IP Telephony introduces caveats and security concerns which traditional telephony based networks do not have to deal with, have long forgotten about, or have learned to cope with
Introduction
• The risk factors associated with IP Telephony based networks are far greater compared to traditional telephony based networks
• The risk factors are overshadowed by the technological hype and the way IP Telephony equipment manufacturers push the technology to the masses
• In some cases IP Telephony based equipment is being shipped although the manufacturer is well aware of the clear and present danger to the privacy and security of the IP Telephony based network its equipment is part of
What is IP Telephony?
Introduction
What is IP Telephony?
• IP Telephony is a technology in which IP networks are used as the medium to transmit packetized voice
• IP Telephony has numerous deployment scenarios and architectures, with which the following terms are usually associated:
– Voice over IP (VoIP) – describes an IP Telephony deployment where the IP network used as the medium to transmit voice traffic is a managed IP network
– Voice on the Net (VON) or Internet Telephony – describes an IP Telephony deployment where the IP network used as the medium to transmit voice traffic is the Internet
What is IP Telephony?
• With any IP Telephony based deployment scenario the transport medium, the IP network, is able to carry data as well as voice.
• This is in contrast with the current Public Switched Telephone Network (PSTN), where voice and data are carried on physically separated networks (with some, they are transported on the same physical medium).
• The term Converged Network is used to describe networks which carry both voice and data.
What is IP Telephony?
IP Telephony Protocols
The IP Telephony Protocols
• Signaling Protocols perform session management and are responsible for:
– Locating a user – the ability to locate the called party
– Session establishment – the ability to determine the availability of the called party as well as its willingness to participate in a call. The called party is able to accept a call, reject a call, or redirect the call to another location or service
– Session setup negotiation – the ability of the communicating parties to negotiate the set of parameters to be used during the session; this includes, but is not limited to, type of media, codec, sampling rate, etc.
– Modifying a session – the ability to change session parameter(s) during the call, such as the audio encoding, adding and/or removing a call participant, etc.
– Tearing down a session – the ability to end a call (and the session)
The IP Telephony Protocols
• Media Transport Protocols are responsible for the digitization, encoding (and decoding), packing, packetizing, reception, and ordering of voice samples
• Like any other application that uses IP, IP Telephony will make use of other protocols and technologies which are associated with and common to any IP based network
What is IP Telephony?
A Generic Call Setup Process
A Generic Call Setup Process
The signaling protocol the IP Phone uses, and the IP Telephony based network supports, will locate the called party, either directly or by using other signaling servers on the network.
The signaling protocol will be used to determine the called party’s availability and willingness to participate in the call.
If the called party accepts the call request, the signaling protocol is used to negotiate the set of parameters to be used during the call (codec, sampling rate, etc.) and a session will be established between the call participants.
A Generic Call Setup Process
During the call, when needed, the signaling protocol will be used to change call parameter(s). The signaling protocol is also responsible for tearing down the call.
Signaling information sent between different participants of a call might traverse several signaling related servers until it reaches the other participant(s), while the packetized voice is usually sent directly between the call participants.
Speech will be carried by a media transport protocol, such as the Real-Time Transport Protocol (RTP), which will sample the human speech with the appropriate codec according to the parameters negotiated by the signaling protocol during the call setup process. Some, but not all, of the media transport protocol’s operation will be controlled by the signaling protocol.
What is IP Telephony?
Different IP Telephony Architectures
Different IP Telephony based Architectures – A Carrier
• A Carrier can use IP Telephony as part of its infrastructure (i.e. core network) and/or as part of its service offerings (in the U.S.A. we can name WorldCom/MCI as an example).
• Any telephony architecture which connects IP Telephony based network(s) with the PSTN has to have elements which will translate signaling information and packetized voice between the IP Telephony IP network and the PSTN (and vice versa).
• Therefore some gateways are introduced into the architecture of a Carrier which utilizes IP Telephony technology.
Different IP Telephony based Architectures – A Carrier
A Media Gateway is a network element which converts audio signals carried on telephone circuits into data packets carried in packet switched networks, and vice versa.
A Signaling Gateway is a network element which converts SS#7 signaling information from the PSTN into formats understood by the network elements in the IP network, and presents an accurate view of the elements of the IP network to the SS#7 network (and vice versa).
A Media Gateway Controller (MGC) is a network element used to control a Media Gateway.
Different IP Telephony based Architectures – A Carrier
Protocols used between Media Gateway Controllers to initiate a session between users (e.g. SIP)
Protocols used between a Media Gateway and a Signaling Gateway (e.g. SCTP, M2UA, M3UA)
Protocols used between a Media Gateway and Media Gateway Controllers (e.g. MGCP, Megaco), also known as Gateway Control Protocols (GCP)
Protocols used within the IP Network (e.g. SIP)
Different IP Telephony based Architectures – A Carrier
• A Carrier using IP Telephony as part of its core network and/or service offerings would enjoy significant cost savings resulting from:
– Lower equipment cost
– Lower bandwidth requirements
– The ability to introduce new services (and faster)
– Quick time-to-market
– Extreme flexibility (compared with the PSTN; e.g. changing the codec used)
Different IP Telephony based Architectures (ITSP)
• An Internet Telephony Service Provider (ITSP) belongs to the new breed of telephony service providers.
• An ITSP uses IP to provide low cost voice connections through a combination of the Internet, leased lines, and the PSTN.
• An ITSP uses the Internet as the main transport medium for carrying packetized voice and signaling information to and from its subscribers.
Different IP Telephony based Architectures (ITSP)
• Both the ITSP and its subscribers will be connected to the Internet; the ITSP via fast dedicated link(s), while the subscribers use their existing connections to the Internet (dial-up, xDSL, etc.) via different Internet Service Providers (ISPs).
• A subscriber is able to use different methods in order to place a call, all requiring the subscriber to present its credentials before the call request will be processed. A subscriber is able to use a softphone, which is a telephony application installed on a PC, an IP Phone, or any other hardware based solution (e.g. different phone adapters) to place the call.
Different IP Telephony based Architectures (ITSP) – An Example
A voice gateway will translate the packetized voice and signaling information carried by IP-based protocols into information that can be carried by protocols used with traditional telephony networks, and vice versa.
An ITSP’s infrastructure includes support for authentication, billing and other required features.
The ITSP uses voice gateways placed in different countries, and connected to the ITSP’s IP backbone through leased lines, as hooks into the local traditional telephony networks in the countries the voice gateways are deployed in.
Different IP Telephony based Architectures (ITSP)
• Because the Internet is its main medium to transmit packetized voice, an ITSP does not have to build a full blown telephony infrastructure and therefore enjoys significantly lower maintenance costs compared with traditional carriers, enabling the ITSP to offer low cost long distance and international phone call rates.
• The problem with the ITSP mode of operation is the usage of the Internet as “part” of the ITSP’s infrastructure, and therefore the inability to ensure quality of service (enough bandwidth, no congestion, etc.), which might lead to reduced quality of speech.
Different IP Telephony based Architectures (ITSP)
• Some ITSPs use the Internet to allow subscribers to connect to the service, but use local international telephone carriers or other carriers to lease international phone lines
• Still, the cost for the ITSP is significantly lower than building its own infrastructure
• The international leased line(s), and the SLA with the Carrier, allow the ITSP to maintain a reasonable quality-of-service
Different IP Telephony based Architectures (ITSP) – Where ITSP Security Fails
[Figure: MSN Voice.NET (source – Cisco Systems)]
Different IP Telephony based Architectures – A Corporate
• Instead of running two separate networks for data and voice, a corporation can use one IP based network to run both. Usually the data and voice will be virtually separated using technologies such as Virtual LANs (VLANs).
• Instead of using the traditional telephone network to place calls between different corporate branches, it is possible to save the long-distance charges imposed by the PSTN by using the same dedicated leased lines (or VPNs over the Internet) used by an organization to transmit data between its branches to carry packetized voice as well.
Different IP Telephony based Architectures – A Corporate
• Corporate employees working from remote offices will be able to easily connect remotely to the corporate data and voice network. This enables remote employees to receive and make phone calls at a remote location as if they were at the office, using the same phone number.
Other Important Parameters with IP Telephony
• Quality of Speech
• Quality of Service
• Availability
• Scalability
Security Issues With IP Telephony based Networks
Security Issues with IP Telephony-based Networks
• IP Telephony allows the terms “Phreaker” and “Hacker” to come closer than ever before because of the convergence between Telephony and IP*.
• Several characteristics of IP Telephony make it easier for a phreaker/hacker to try to compromise and/or control different aspects or parts of an IP Telephony based network.
• The security threat associated with IP Telephony is far greater than with regular telephone networks. It is combined from a number of different factors that need to be evaluated before any deployment of an IP Telephony based solution.
Security Issues with IP Telephony-based Networks
• The Usage of the IP Protocol
– IP Telephony uses the IP protocol as the vessel for carrying voice; therefore it inherits the known, and unknown, security weaknesses associated with the IP protocol
• IP Networks Are Common
– IP networks are easily accessible, allowing more people to explore security issues, and allowing security issues to spread when found and published. This is unlike the obscurity which characterizes the PSTN.
Security Issues with IP Telephony-based Networks
• The Signaling Information & Packetized Voice Share the Same Network
– Unlike the PSTN, where the only part of the telephony network both the signaling and the voice share is the connection between the subscriber’s phone and its telephony switch, after which the signaling information is carried on a different network physically separated from the voice* (the SS#7 network), with IP Telephony no such isolation or physical separation between signaling information and packetized voice is available, increasing the risk level of misuse.
Security Issues with IP Telephony-based Networks
• Voice & Data Share the Same Network
– With the PSTN voice and data are carried on physically separated networks.
– Although several technologies can be used to virtually separate voice and data when they share the same IP network, such as virtual LANs (VLANs), these technologies and other measures might be bypassed and defeated, increasing the risk level of misuse.
– Interference (denial-of-service, jamming, etc.) with the operation of the voice network is possible utilizing the data network (and vice versa), since both virtual networks will be sharing the same network equipment.
– For example, denial of service attacks launched from the data network targeting shared network equipment such as a switch.
Security Issues with IP Telephony-based Networks
• The Placement of Intelligence
– With traditional telephone networks the phones are no more than a “dumb terminal”, where the telephony switch holds the actual intelligence. The phones are able to interact only with the telephony switch they are connected to.
– With some IP Telephony signaling protocols some, or all, of the intelligence is located at the end-points (IP phones, softphones, etc.).
– An end-point using or supporting this type of signaling protocol(s) will have the appropriate functionality and ability to interact with different IP Telephony components and services as well as different networking components within the IP Telephony based network.
– A malicious party can take advantage of this functionality…
Security Issues with IP Telephony-based Networks
• No Single Authority Controls an IP Medium
– Voice related traffic might traverse different providers whose infrastructure security is questionable (exactly like the PSTN)
• The Nature of Speech
– Speech quality with IP Telephony is a function of several key factors such as latency (delay), jitter (delay variation), packet loss, and others.
– The number of factors affecting speech quality, and the different ways to stimulate those conditions, are far greater with IP Telephony based networks than with the PSTN.
Security Issues with IP Telephony-based Networks
• The IP Telephony based Network Components
– The IP Telephony Components
  · Combined from standard computer equipment, and in many cases built using known operating systems, which are fully functional.
  · The IP Telephony components interact with other computer systems on the IP network, and are more susceptible to a security breach than the equipment comprising the PSTN, which is usually proprietary equipment, which also means its way of operation is somewhat obscure.
– The Other Components
  · Other common components found in any other IP network – networking components, network servers, etc.
  · They make another attack venue possible
Security Issues with IP Telephony-based Networks
• The IP Telephony-based Protocols
– Designed without security in mind
– Design flaws with IP Telephony protocols
• The Supporting Protocols & Technologies
• Physical Access
– Physical access to the wire, the network or to network element(s) is usually regarded as an end-of-game scenario, a potential for total compromise.
– A malicious party gaining such physical access will have several key advantages over a similar scenario with the PSTN.
– The advantage is a direct result of the way IP networks work, the placement of intelligence with some IP Telephony based networks, and the boundaries regarding physical security and access posed by the PSTN.
Security Issues with IP Telephony-based Networks
• Improper IP Telephony Network Designs
– Most of the currently offered network designs for the implementation of IP Telephony based networks do not offer proper mechanisms to defeat several basic security threats to IP Telephony.
– Example I: IP Telephony based elements are not authenticated to the network. This makes the work of the new age phreaker easier; in some cases, by plugging a rogue device into the network, free phone calls can be made
Security Issues with IP Telephony-based Networks
• Improper IP Telephony Network Designs
– Example II: In many IP Telephony based networks no correlation is performed between an IP Phone’s (a user’s) physical location and the network credentials it uses.
– It is not sufficient that a network switch is configured to use “port security” and bind the port connected to an IP Phone to the IP phone’s MAC address.
– There should be a mechanism to correlate the credentials presented, the MAC address the phone is using and the physical port on the network switch the IP Phone is connected to
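The correlation the slide calls for, as an added example that is not part of the original presentation: a check that the credentials a phone registers with, the MAC address it uses, and the switch port on which that MAC is learned all agree with a provisioning record, so that port security passing on its own is not enough. The inventory, switch MAC tables, registration events and the names `Binding`, `Registration` and `correlate` are all constructed here.

```python
"""Correlate presented credentials, MAC address and physical switch port.

Added example, not code from the original presentation. Port security alone
binds a port to a MAC; this check additionally ties both to the credentials
the phone registers with. All inventory and event data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Binding:
    """Provisioning record: which phone (MAC) belongs to which user on which port."""
    user: str
    mac: str
    switch_port: str


@dataclass(frozen=True)
class Registration:
    """Registration event seen by the signaling server: credentials plus device MAC."""
    user: str
    mac: str


def normalize_mac(mac: str) -> str:
    """Canonical form so '0011.2233.4455', '00-11-..' and '00:11:..' compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def ports_for_mac(mac: str, mac_table: Dict[str, Set[str]]) -> List[str]:
    """Every switch port on which the switch has learned this MAC."""
    wanted = normalize_mac(mac)
    return sorted(port for port, macs in mac_table.items()
                  if any(normalize_mac(m) == wanted for m in macs))


def correlate(reg: Registration, mac_table: Dict[str, Set[str]],
              bindings: Dict[str, Binding]) -> List[str]:
    """Return anomaly descriptions for one registration; an empty list means consistent.

    mac_table maps switch port -> MACs learned on it (as read from the switch).
    bindings is the provisioning inventory keyed by user name.
    """
    anomalies: List[str] = []
    mac = normalize_mac(reg.mac)
    binding = bindings.get(reg.user)
    if binding is None:
        return [f"unknown user {reg.user!r} registering from MAC {mac}"]
    expected_mac = normalize_mac(binding.mac)
    if mac != expected_mac:
        # Port security would not catch this when the MAC sits on its own port.
        anomalies.append(f"user {reg.user!r} presented MAC {mac}, expected {expected_mac}")
    ports = ports_for_mac(mac, mac_table)
    if not ports:
        anomalies.append(f"MAC {mac} not learned on any monitored switch port")
    elif len(ports) > 1:
        anomalies.append(f"MAC {mac} learned on several ports {ports}: possible MAC cloning")
    elif ports[0] != binding.switch_port:
        anomalies.append(f"MAC {mac} learned on {ports[0]}, expected {binding.switch_port}")
    return anomalies


# Constructed inventory: two provisioned phones on one access switch.
BINDINGS = {b.user: b for b in (
    Binding("alice", "00:11:22:33:44:55", "Gi1/0/1"),
    Binding("bob", "00:11:22:33:44:66", "Gi1/0/2"),
)}

# Constructed MAC tables, written in the dotted form a switch typically prints.
MAC_TABLE_NORMAL = {"Gi1/0/1": {"0011.2233.4455"}, "Gi1/0/2": {"0011.2233.4466"}}
MAC_TABLE_CLONED = {**MAC_TABLE_NORMAL, "Gi1/0/7": {"0011.2233.4455"}}


def demo() -> Dict[str, List[str]]:
    """Run the check over three constructed registration events."""
    return {
        # Legitimate: alice, her MAC, learned on her port.
        "legit": correlate(Registration("alice", "00-11-22-33-44-55"), MAC_TABLE_NORMAL, BINDINGS),
        # Port security passes (alice's MAC is on alice's port) but the credentials are bob's.
        "wrong_creds": correlate(Registration("bob", "00:11:22:33:44:55"), MAC_TABLE_NORMAL, BINDINGS),
        # alice's MAC is also learned on an unexpected port: a second device using it.
        "cloned": correlate(Registration("alice", "00:11:22:33:44:55"), MAC_TABLE_CLONED, BINDINGS),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["consistent"])
```

The MAC table would in practice be read from the switch and the registration events from the signaling server's log; the check runs on every registration, not once at provisioning time.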
Security Issues with IP Telephony-based Networks
• Improper Adoption of Security Technologies from the IP world
– An example with Virtual Private Networks
Security Issues with IP Telephony-based Networks
• Availability, or Why Low-Tech is Very Dangerous
– No Electricity? – No Service!
  · Subscribers at home are in danger
  · No electricity – no 911 emergency services! (a violation of the E911 regulations in the U.S.A.)
– Redundancy
  · Equals $$$
  · Different IP Telephony Architectures
Security Issues with IP Telephony-based Networks
• Non-Trusted Identities
– Without proper network design and configuration of an IP Telephony based network, one cannot trust the identity of another call participant.
– The user’s identity, the ‘Call-ID’ information (e.g. a phone number or other means to identify a subscriber in an IP Telephony based network), is easily spoofed with IP Telephony based networks using one of a variety of methods.
– An identity related attack might occur anywhere along the route signaling information takes between call participants.
– A malicious party might use designated software to perform digital impersonation, adding to the attacker’s arsenal of available tools.
What is at Risk?
What is at Risk?
• Everything is at risk.
• With IP Telephony there is an even greater meaning to the phrase that the security of a particular architecture is only as good as its weakest link.
• Multiple venues exist for a malicious party to choose from in order to launch an attack against an IP Telephony based network.
What is at Risk?
• The most disturbing issue is the fact that in most cases it is only a question of subverting one network server or one IP Telephony element (e.g. IP Phones) to achieve complete control over an IP Telephony-based network or its functionality.
(*) For more information please see http://www.sys-security.com/html/projects/VoIP.html
Vulnerable Targets with IP Telephony-based Networks
• A malicious party can take advantage of multiple attack venues when targeting an IP Telephony-based network.
• Different IP Telephony based architectures will have different risk factors, but all will share the same vulnerable targets, which are discussed within this section:
– The information exchanged between call participants
– Identities (spoofing)
– IP Telephony elements
– IP Telephony functionality
– Network elements, servers, hosts, and IP functionality within the IP network
Vulnerable Targets with IP Telephony-based Networks, The information exchanged between call participants
• One of the most valuable information sources for a malicious party is the information exchanged between call participants – the signaling information, controlling various aspects of a call, and the packetized voice.
• The call related information exchanged between call participants is exposed to a number of possible attacks. First and foremost, the information exchanged between call participants can be eavesdropped (rogue devices in the network, specialized software, etc.), altered, jammed, and actively modified.
Vulnerable Targets with IP Telephony-based Networks, The information exchanged between call participants
• The outcome of this type of attack might lead to:
– “Call Tracking”, logging of the source and destination of all numbers being called.
– “Call Hijacking”, directing a participant or participants of a call to a node not representing an intended recipient.
– Availability related issues (e.g. denial of service)
– Privacy breaches, such as the ability to record the conversation, or even being part of it unknowingly to the call participants, and
– Other outcomes
Vulnerable Targets with IP Telephony-based Networks, The information exchanged between call participants
• Usually physical access to the wire (or to the equipment) will be required to perform this type of attack.
• But several scenarios exist for a malicious party to produce the same results, or an even better outcome, when compromising one of the network servers, and/or one of the IP Telephony entities within an IP Telephony network.
Vulnerable Targets with IP Telephony-based Networks, The information exchanged between call participants – Example: Compromising a SIP Proxy
Unauthorized access gained to a SIP Proxy server: a malicious party will easily collect (and might also modify) all signaling information exchanged between different call participants utilizing the compromised server.
Vulnerable Targets with IP Telephony-based Networks, The information exchanged between call participants
• A malicious party might target different parts of an IP Telephony based network in order to gain physical access to the wire.
• With IP Telephony based networks the ‘last mile’ and the ‘local loop’ are not the only targets for gaining physical access to the wire, but nearly the entire network.
• Physical access to the wire can be achieved in creative ways, taking advantage of the wrong access technologies which a provider of IP Telephony services might use.
• One good example is Broadband Wireless Access networks using the Local Multipoint Distribution Service (LMDS) technology.
Vulnerable Targets with IP Telephony-based Networks, The information exchanged between call participants
If encryption is used between the Base Station and the residential transceiver, it will cripple the connection so badly that several LMDS equipment manufacturers admit it is useless (price vs. performance vs. available bandwidth) when encryption is enabled.
If the link between the Base Station and the residential transceiver is not encrypted, then any malicious party using the right equipment will be able to gain access to all call information passing through.
Vulnerable Targets with IP Telephony-based Networks, Spoofing Identities
• By spoofing one or more of the following identities: a call participant, an IP Telephony entity (an end-point IP Telephony device, an IP Telephony based server, etc.), network server(s) or any other network element within the IP network, a malicious party might be able to perform:
– “Call Hijacking”: call requests that will be redirected to another node instead of the intended node representing the destined participant. This might be achieved by impersonating an end-point, registering as the destined participant with a ‘registration’ service, redirecting call requests using signaling protocol response code(s), manipulating outgoing call requests by impersonating an IP Telephony entity (e.g. a server), etc.
– Hijacking of the signaling path, by adding a rogue device to the route the signaling information takes between call participants.
Vulnerable Targets with IP Telephony-based Networks, Spoofing Identities
– Active modification of either the signaling information or the media exchanged between call participants
– Availability related attacks, for example, call requests that will be rejected
– Integrity and authenticity problems – the real legitimate user, whose call destined to its end-point was hijacked, denying the conversation ever took place
Vulnerable Targets with IP Telephony-based Networks, Spoofing Identities
– “Toll Fraud”:
  · A malicious party might impersonate an IP Telephony based server and “request” an end-device to perform authentication before dealing with its requests.
  · IP-PBX subversion (much more interesting than doing the same things from the PSTN)
  · Using the end-point’s IP Telephony network credentials, the malicious party will be able to authenticate to any IP Telephony based server, place free of charge phone calls, and perform any other functionality the end-point’s credentials allow within the IP Telephony based network (e.g. registering as the destined participant with a ‘registration’ service, performing “Call Hijacking”, etc.).
Vulnerable Targets with IP Telephony-based Networks, IP
Telephony Elements
 Any network device with IP telephony functionality
might be a target for an attack.
 If a malicious party is able to compromise such a device,
it will usually gain privileges that allow it to control
any aspect of the IP Telephony related device’s functionality.
58
Vulnerable Targets with IP Telephony-based Networks, IP
Telephony Elements
 End Device
– The Cisco SIP-based IP Phone 7960 (and Cisco’s design
of IP Telephony networks)
– Pingtel xpressa SIP-based IP Phones
59
Vulnerable Targets with IP Telephony-based Networks, IP
Telephony Elements – Cisco SIP-based IP Phone 7960
60
Vulnerable Targets with IP Telephony-based Networks, IP
Telephony Elements – Cisco SIP-based IP Phone 7960
61
Vulnerable Targets with IP Telephony-based Networks, IP
Telephony Elements – Cisco SIP-based IP Phone 7960
 The following sequence of events takes place when a Cisco
SIP-based IP Phone 7960 boots and is connected to a Cisco 6500
switch:
– The firmware image stored in the Flash memory of the IP
Phone is loaded.
– The IP Phone receives from the Cisco switch, via CDP, the
VLAN tag to use.
– The IP Phone configures its IP related settings, either by DHCP
or from its manually configured settings stored in its Flash
memory. These settings include the IP Phone’s IP address, the
address of the TFTP server (if any), DNS settings, etc.
62
Vulnerable Targets with IP Telephony-based Networks, IP
Telephony Elements – Cisco SIP-based IP Phone 7960
– The IP Phone confirms that it is running the latest
firmware image. This is done by comparing its current
firmware version against the firmware images stored on
the root directory of the TFTP server.
– The IP Phone configures its SIP settings. If the IP Phone
is using a TFTP server, the settings will be extracted
from configuration files stored on it (generic to all and a
specific one), otherwise local settings from Flash
memory will be used.
– If the configuration files the IP Phone retrieved from the
TFTP server refer to a different image version than what
the IP Phone is using, it will perform a firmware upgrade.
The IP Phone will download the required firmware image
from the TFTP server, write the image to its Flash
memory and then reboot.
63
Vulnerable Targets with IP Telephony-based Networks, IP
Telephony Elements – Cisco SIP-based IP Phone 7960
 TFTP based attacks have several stages:
– Download the default configuration file from the TFTP
server
– Gain knowledge of the MAC addresses used by IP
Phones on the network
 Abuse the network, or
 Use remote telnet access to the IP Phone
– Download the IP Phones specific configuration files from
the TFTP server
64
Vulnerable Targets with IP Telephony-based Networks, IP
Telephony Elements – Cisco SIP-based IP Phone 7960
 Abuse the Network
– If a malicious party is connected to the same distribution
switch(es) as the IP Phones, the malicious party can learn the
MAC addresses of the IP Phones, because a frame carrying a
reply from an answering device also carries that device’s
MAC address.
– Some possible techniques for retrieving this information
include: SIP INVITE request sweep; “ping sweep”;
combining ARP attacks with sniffing the wire; misconfiguration issues, etc.
65
Vulnerable Targets with IP Telephony-based Networks, IP
Telephony Elements – Cisco SIP-based IP Phone 7960
 Abuse remote telnet access to the IP Phone
– A malicious party, having remote access to the IP Phone via
telnet, could use the command ‘show network’ to receive
information about all of the following:
 Phone platform
 DHCP server
 IP address and subnet mask
 Default gateway
 IP address of the TFTP server
 MAC address
 Domain name, and
 Phone name
66
Vulnerable Targets with IP Telephony-based Networks, IP
Telephony Elements – Cisco SIP-based IP Phone 7960
 Download the IP Phone’s specific configuration file
from the TFTP server
– The MAC address of an IP Phone will probably be used to
construct the filename of the specific configuration of the IP
Phone. The malicious party merely needs to examine the
‘tftp_cfg_dir’ parameter within the generic configuration file to
determine where the specific configuration files are stored.
Retrieving the file is readily accomplished as TFTP is an
unauthenticated protocol.
– The most important information stored within the specific
configuration file is the credentials used by the Cisco IP
Phone’s user(s) to authenticate to the IP Telephony network.
These parameters are found under the ‘line’ configuration
parameters: ‘linex_authname’ and ‘linex_password’.
67
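The TFTP retrieval stages described on the preceding slides leave a footprint that the TFTP server, or a sensor on its segment, can see. The following is an added example, not code from the talk: it parses raw TFTP read requests and flags a source that asks for the configuration file of a MAC address that is not a provisioned phone, or that sweeps more distinct file names than a booting phone ever requests. The SIP<MAC>.cnf naming, the inventory and the addresses are constructed assumptions.

```python
import re
import struct
from collections import defaultdict

# Constructed inventory: MACs of the phones actually provisioned on this TFTP server.
PROVISIONED_MACS = {"000BBE7F1A2C", "000BBE7F1A30"}
# Assumed per-phone file name, derived from the MAC as the slide describes.
PHONE_CFG = re.compile(r"^SIP([0-9A-Fa-f]{12})\.cnf$")

def parse_rrq(payload):
    """TFTP read request (RFC 1350): opcode 1, filename, NUL, mode, NUL. Returns (name, mode) or None."""
    if len(payload) < 4 or struct.unpack("!H", payload[:2])[0] != 1:
        return None
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0]:  # filename, mode and the terminating NUL
        return None
    return fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()

def suspicious_sources(events, window=60, max_distinct=2):
    """events: (timestamp, src_ip, udp_payload) seen on the TFTP server port. Flags a source
    asking for the config of a MAC that is not provisioned (a guessed name), or for more than
    max_distinct different files within `window` seconds (a sweep; a booting phone asks for two)."""
    per_src = defaultdict(list)
    for ts, src, payload in events:
        parsed = parse_rrq(payload)
        if parsed:
            per_src[src].append((ts, parsed[0]))
    flagged = {}
    for src, reqs in per_src.items():
        reqs.sort()
        for ts, name in reqs:
            m = PHONE_CFG.match(name)
            if m and m.group(1).upper() not in PROVISIONED_MACS:
                flagged[src] = "config requested for unprovisioned MAC " + m.group(1)
            recent = {n for t, n in reqs if ts <= t < ts + window}
            if len(recent) > max_distinct:
                flagged.setdefault(src, f"{len(recent)} distinct files in {window}s")
    return flagged

def rrq(name):  # builds an RRQ datagram, used only for the constructed sample below
    return struct.pack("!H", 1) + name + b"\x00octet\x00"

# Constructed traffic: one phone booting normally, one host guessing config names.
SAMPLE = [
    (0.0, "10.0.1.20", rrq(b"SIPDefault.cnf")),
    (0.4, "10.0.1.20", rrq(b"SIP000BBE7F1A2C.cnf")),
    (5.0, "10.0.9.9", rrq(b"SIPDefault.cnf")),
    (5.1, "10.0.9.9", rrq(b"SIP000BBE7F1A2D.cnf")),
    (5.2, "10.0.9.9", rrq(b"SIP000BBE7F1A2E.cnf")),
]
```

Running `suspicious_sources(SAMPLE)` leaves the booting phone alone and reports the second host on both rules.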
Vulnerable Targets with IP Telephony-based Networks, IP
Telephony Elements – Cisco SIP-based IP Phone 7960
 If there is no Telnet access to the IP Phone, then it is
also possible to:
– Brute force filenames on the TFTP server
– Re-enable the Telnet service
– Manipulate the Cisco SIP-based IP Phone 7960 firmware
image
 The firmware image for the Cisco SIP-based IP Phone 7960 is
downloaded and installed without authentication. The firmware
image is not signed in any way to verify that it is valid. Any image
with a higher version number than the current one is implicitly
trusted. Complicating matters, no authorization from the user is
required before a new firmware image is installed. The combination
of the lack of authentication and authorization of the firmware
image means that an attacker with write access to the TFTP server
is capable of completely controlling all aspects of the IP Phone.
68
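The upgrade decision described on these slides rests on a version comparison alone. As an added illustration, not code from the talk or from Cisco, the Python below models that policy beside a signature-gated one, the “digitally sign IP phone images” remedy from the solutions slides; HMAC-SHA256 with a constructed key stands in for the vendor’s asymmetric signature so the example runs on the standard library alone.

```python
import hashlib
import hmac
import re

# Constructed signing key. HMAC-SHA256 stands in for the vendor's asymmetric signature
# so the example runs on the standard library; a real phone would hold only a public key.
VENDOR_KEY = b"constructed-vendor-firmware-signing-key"

def parse_version(text):
    """Turn a dotted version string such as '7.2' into a tuple that compares numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def sign_image(version, image):
    """Vendor side: bind the advertised version to the image bytes so neither can be swapped."""
    return hmac.new(VENDOR_KEY, version.encode() + b"\x00" + image, hashlib.sha256).hexdigest()

def accept_unsigned(running, offered_version):
    """Policy the slides describe: any image with a higher version number is trusted."""
    return parse_version(offered_version) > parse_version(running)

def accept_signed(running, offered_version, image, signature):
    """Hardened policy: the signature over (version, image) must verify before the
    version rule is even consulted; the rule still refuses downgrades and re-installs."""
    if not hmac.compare_digest(sign_image(offered_version, image), signature):
        return False
    return parse_version(offered_version) > parse_version(running)

if __name__ == "__main__":
    # Constructed scenario: the phone runs 7.1; a rogue TFTP server offers "99.0".
    vendor, rogue = b"constructed vendor image", b"constructed rogue image"
    vendor_sig = sign_image("7.2", vendor)
    print("unsigned policy, rogue image:", accept_unsigned("7.1", "99.0"))
    print("signed policy, rogue image:", accept_signed("7.1", "99.0", rogue, "00" * 32))
    print("signed policy, vendor image:", accept_signed("7.1", "7.2", vendor, vendor_sig))
```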
Vulnerable Targets with IP Telephony-based Networks, IP
Telephony Elements – Cisco SIP-based IP Phone 7960
 Physical Access to the Cisco SIP-based IP Phone 7960
– A malicious party with unauthorized physical access to a Cisco
SIP-based IP Phone 7960 is able to reconfigure the IP Phone’s
‘Network Settings’, and the ‘SIP Settings’, using the IP Phone’s
user interface. Access to the settings is achieved using a key
combination: ‘**#’ (star, star hash).
– If physical access to the Cisco SIP-based IP Phone 7960 is
gained then all is possible (i.e. rebooting the phone, retrieving
the MAC address, etc.)
69
Vulnerable Targets with IP Telephony-based Networks, IP
Telephony Elements
 IP Telephony Servers
 Viruses, Worms, Malicious Code
– Example: Nimda and Cisco’s Call Manager
70
Vulnerable Targets with IP Telephony-based Networks, IP
Telephony Functionality
 A malicious entity might choose to target a certain
functionality provided by an IP Telephony entity.
 By attacking the particular functionality an attacker
might be able to subvert the IP Telephony network’s
functionality or interfere with its availability.
71
Example Solutions
72
Solutions for Network Infrastructure
 Layer 2 (Enterprise)
– A network switch an IP Phone is connected to must have ‘security
intelligence’
– IP Phones need to ignore GARPs (gratuitous ARP)
 Devices pretending to be the switch will be ignored (another MAC address)
 Devices pretending to be the IP phone will be ignored if the IP phone switches IP
address automatically and lets the Telephony-based network and its elements know
about it
– A network switch that binds IP addresses and MAC addresses should not
replace entries when other connected devices pretend to be the IP phone that
is connected on another port of the device (should be easy). The
switch must maintain this state even if DHCP is involved.
 Layer 3
– Limit access to the network by using authentication to the network (802.1x)
73
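The Layer 2 bindings asked for above can be modelled as a small table. This is an added example, not code from the talk or from any switch vendor: the switch learns one (IP, MAC, port) triple per phone from a trusted source such as a snooped DHCP lease, and ARP frames that contradict it are dropped rather than allowed to overwrite it; the phone-side function ignores gratuitous ARPs that would rebind an address already in its cache. Addresses and port numbers are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Arp:
    port: int          # switch port the frame arrived on
    sender_ip: str
    sender_mac: str
    target_ip: str     # equals sender_ip for a gratuitous ARP

@dataclass
class BindingTable:
    """Switch-side IP/MAC/port bindings learned from a trusted source (static provisioning
    or snooped DHCP leases) that later ARP traffic is not allowed to overwrite."""
    by_ip: dict = field(default_factory=dict)    # ip  -> (mac, port)
    by_mac: dict = field(default_factory=dict)   # mac -> port
    dropped: list = field(default_factory=list)

    def learn_from_dhcp(self, ip, mac, port):
        """Record the binding when a DHCP ACK for `mac` is seen on `port`."""
        self.by_ip[ip] = (mac, port)
        self.by_mac[mac] = port

    def inspect(self, pkt):
        """Return True to forward the ARP frame, False to drop it as a spoofing attempt."""
        bound = self.by_ip.get(pkt.sender_ip)
        if bound and bound != (pkt.sender_mac, pkt.port):
            self.dropped.append(pkt)         # another device claims the phone's IP address
            return False
        if self.by_mac.get(pkt.sender_mac, pkt.port) != pkt.port:
            self.dropped.append(pkt)         # the phone's MAC shows up on a foreign port
            return False
        return True

def phone_accepts_garp(arp_cache, pkt):
    """Phone side, as the slide asks: a gratuitous ARP that would rebind an address already
    in the cache (e.g. the default gateway) is ignored instead of refreshing the entry."""
    if pkt.sender_ip != pkt.target_ip:
        return True                           # not gratuitous; normal ARP handling applies
    known = arp_cache.get(pkt.sender_ip)
    if known is None:
        arp_cache[pkt.sender_ip] = pkt.sender_mac
        return True
    return known == pkt.sender_mac

if __name__ == "__main__":
    # Constructed scenario: phone on port 3; a host on port 7 claims the phone's address.
    table = BindingTable()
    table.learn_from_dhcp("10.0.1.20", "00:0b:be:7f:1a:2c", 3)
    print(table.inspect(Arp(3, "10.0.1.20", "00:0b:be:7f:1a:2c", "10.0.1.20")))  # phone itself
    print(table.inspect(Arp(7, "10.0.1.20", "00:0b:be:7f:1a:2c", "10.0.1.20")))  # MAC from port 7
    print(table.inspect(Arp(7, "10.0.1.20", "00:11:22:33:44:55", "10.0.1.20")))  # other MAC
```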
Solutions: Identity, Integrity & General Privacy
 The use of:
– 802.1x (Authentication of devices to the infrastructure)
– Digital Certificates (Identity)
– Encryption! Encryption! Encryption?!?! (Integrity, Privacy)
 Use secure signaling (using TLS or IPSEC)
 Use SRTP (the RTP payload is encrypted)
74
Solutions: Identity, Integrity & General Privacy
 The use of:
– Harden the IP Telephony-based Elements
 Harden the IP Telephone
– Limit what a user can do with its IP Phone
– Digitally sign IP phone images
 Harden the IP Telephony-based servers
– Harden the Operating System
– Apply ‘Hot Fixes’
 And there are other solutions…
75
Conclusion
 Securing an IP Telephony based solution is not a trivial task.
One must evaluate the security risks associated with an IP
Telephony based solution, and try to find a proper remedy
before any deployment. Asking the right questions during
(and before) the design phase will save later
embarrassment once the IP Telephony based solution is
deployed and operational.
 It is crucial to understand the different threats with IP
Telephony. New technologies and their first
implementations usually suffer from poor security. It usually
takes several design cycles for a new technology until an
adequate level of security is achieved.
 IP Telephony is still not at that stage in its development.
76
Questions?
77
Resources
 Advisories
– Arkin Ofir, “More Vulnerabilities with Pingtel xpressa SIP-based IP
Phones”, August 2002. Available from:
http://www.syssecurity.com/archive/advisories/More_Vulnerabilities_with_Pingtel_xpressa_Phones.pdf
– Arkin Ofir & Anderson Josh, “Multiple Vulnerabilities with Pingtel
xpressa SIP Phones”, July 2002. Available from:
http://www.syssecurity.com/archive/advisories/a071202-1.txt
 Papers
– Arkin Ofir, “Security Risk Factors with IP Telephony based Networks”,
November 2002. Available from:
http://www.syssecurity.com/archive/papers/Security_Risk_Factors_with_IP_Telephony_based_Networks.pdf
– Arkin Ofir, “The Cisco IP Phones Compromise”, September 2002.
Available from:
http://www.syssecurity.com/archive/papers/The_Trivial_Cisco_IP_Phones_Compromise.pdf
78