Transcript Company Profile - Security

VoIP 2
Is free too Expensive?
by Darren Bilby and Nick von Dadelszen
Copyright Security-Assessment.com 2005
Different Types of VoIP
• There are many different implementations of IP
telephony:
–
–
–
–
–
Skype
MSN
Firefly
Cisco Office
Asterix
Copyright Security-Assessment.com 2005
VoIP Technology
• Each type of VoIP uses different technology:
–
–
–
–
–
–
Skype – Proprietary
MSN – SIP
Firefly – IAX
Cisco – H.323, Skinny
Asterix – SIP, IAX2
Others – MGCP
• Most of these do not have security built-in so rely
on network controls
Copyright Security-Assessment.com 2005
Attacks Against VoIP
• Multiple attack avenues:
–
–
–
–
–
Standard traffic capture attacks
Traffic manipulation
Dynamic configuration attacks
Phone-based vulnerabilities
Management interface attacks
Copyright Security-Assessment.com 2005
Consequences of Attacks
•
•
•
•
•
•
•
•
Eavesdropping and recording phone calls
Active modification of phone calls
Call Tracking
Crashing phones
Denying phone service – Slammer?
VoIP Spamming
Free calls
Spoofing caller ID
Copyright Security-Assessment.com 2005
Capturing VoIP Data
• Ethereal has built-in support for some VoIP
protocols
• Has the ability to capture VoIP traffic
• Can dump some forms of VoIP traffic directly to
WAV files.
• Point and click hacking!
Copyright Security-Assessment.com 2005
Copyright Security-Assessment.com 2005
Copyright Security-Assessment.com 2005
Copyright Security-Assessment.com 2005
Audio Capture
Copyright Security-Assessment.com 2005
VoIP Security Solutions
• You must protect the network traffic
– Separate data and voice traffic – VLANs
– Ensure IPSEC or other VPN technology used over
WAN links
– IDS monitoring on the network – ARP inspection
– Host Security
– VOIP enabled firewalls
– Excellent guidelines in Cisco SAFE documentation
• Or wait for more secure protocols
Copyright Security-Assessment.com 2005
Skype – What Is It?
• Proprietary VOIP system for calls over the
Internet
• Free and simple to use
• Developed by the creators of KaZaA
• Relies on P2P technology
• Over 29 million users worldwide
• Allows connections to regular phones through
SkypeOut
Copyright Security-Assessment.com 2005
Skype Connection Details
• Listens on a random port, 80 and 443
• Connects to known Supernodes stored in the
registry
• Must establish connection with login server to
authenticate
• NAT and Firewall traversal
• Any Skype client with an Internet IP address and
suitable bandwith/CPU may become a Supernode
Copyright Security-Assessment.com 2005
Skype Architecture
Ref: "An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol“
Salman A. Baset and Henning Schulzrinne
Copyright Security-Assessment.com 2005
Skype Call Security
• Skype claims to encrypt all voice traffic with 128bit or better encryption
• The encryption implementation used is proprietary
and closed-source
• It is unknown whether the Skype organisation has
the ability to decrypt all voice traffic
Copyright Security-Assessment.com 2005
Other Skype Security Concerns
• Same developers as KaZaA, known for spyware
• Cannot stop client becoming a Supernode
• Client allows file transfer, even through firewalls,
an access path for malicious code, information
leakage
• Login server reliance
Copyright Security-Assessment.com 2005
Should You Use Skype?
• If you can answer yes to four questions:
– Are you willing to circumvent the perimeter controls
of your network?
– Do you trust the Skype developers to implement
security correctly (being closed-source)?
– Do you trust the ethics of the Skype developers?
– Can you tolerate the Skype network being
unavailable?
Copyright Security-Assessment.com 2005
Other VoIP Issues – Commercial Caller ID
Spoofing
• Multiple companies are now offering caller ID
spoofing:
- CovertCall
- Star38
- Camophone
- PI Phone
- Us Tracers
- Telespoof
• Makes Social Engineering a lot easier
• Many systems authenticate on CID
Copyright Security-Assessment.com 2005
Other VoIP Issues – New Attack Tools
• New tools make finding vulnerabilities easier
– SIP Bomber
– PROTOS Test-Suite
– SiVuS
Copyright Security-Assessment.com 2005
Copyright Security-Assessment.com 2005
Good Sites For Learning More
• Some good links for learning more about VoIP
– http://www.voip-info.org/tiki-index.php?page=voipinfo.org
– http://www.vopsecurity.org/index.php
Copyright Security-Assessment.com 2005