
Overlooked VoIP Security Issues?

Posted by Cliff
from the missed-vulnerabilities dept.
penciling_in asks: "Voiponder is running an informative article identifying VoIP attacks, which are applicable to current systems but lack public awareness and are, for the most part, misunderstood. The author's primary purpose is to 'discuss two of the most well known attacks that can be carried out in current VoIP deployments. The first attack demonstrates the ability to hijack a user's VoIP Subscription and subsequent communications. The second attack looks at the ability to eavesdrop in to VoIP communications.' This leaves me begging the question: What other not-so-publicized VoIP security issues should companies be watching out for?"
  • How nice of them to include links to the tools they used
    http://www.vopsecurity.org/html/tools.html [vopsecurity.org]

    SiVuS - The VoIP Vulnerability Scanner

    SiVuS is the first publicly available vulnerability scanner for VoIP networks that use the SIP protocol...

    http://www.vopsecurity.org.nyud.net:8090/sivus-1.0 9.exe [nyud.net]

    And of course, Ethereal for packet sniffing.

    It was probably a bad idea for them to link/host the spoofing tool.
    I predict Slashdot will go wild with the easy-to-use GUI tool.

  • Gasp! (Score:4, Insightful)

    by Loonacy (459630) on Wednesday April 05, 2006 @10:08PM (#15072750)
    An unencrypted protocol is susceptible to man-in-the-middle attacks? Who'da thunk?
    • Correct me if I'm wrong, but how is the fact that the packets are not encrypted any different than cell phones? Are most cell phone data encrypted? If anyone knows about this, please post some information.
      • Aren't they encrypted? My current phone (Verizon XV6700) has an option in the wireless services menu called "Voice Privacy". My really old Nokia 6120i also had this option. I think my Nokia 638 had the same option as well. If that service isn't about encryption then does anyone know what it's for?
      • Check for example http://www.gsm-security.net/faq/gsm-encryption.sht ml [gsm-security.net]

        So the calls are encrypted over the air, but the algorithm is weakened so that it is relatively easy to break. Inside the telco's network different rules of course apply.
      • Correct me if I'm wrong, but how is the fact that the packets are not encrypted any different than cell phones? Are most cell phone data encrypted? If anyone knows about this, please post some information.

        Depends on where you live and what kind of service you have. In Georgia, you could be using a CDMA, GSM, or iDEN service. You could even have an older analog cell phone, in which case I'd recommend you get a new phone immediately. GSM in the US should be encrypted. I don't believe CDMA supports REAL e

      • Sorry, I forgot to get to my point. The point is that it's much easier for someone to be in the position to capture the packets going to and from your internet connection than it is for them to capture and break out an unencrypted-but-multiplexed signal transmitted from a low-power portable device. And did I mention that, by definition, they'd have to do it all over again once your cell phone switched cells?

        Compare this to someone using VoIP on an insecure wifi connection in a starbucks, or a hotel where
  • No it doesn't, it leaves you asking the question.

    go ahead mod me down.
  • Uhh... (Score:3, Insightful)

    by isometrick (817436) on Wednesday April 05, 2006 @10:44PM (#15072885)
    On the first one (registration hijacking) we have 401 unauthorized and WWW-Authenticate (similar to HTTP digest authentication). So unless you know the peer's shared secret with the registrar, you're out of luck. As well as CSeq to prevent message replay.

    On the second one ... really? You can listen to completely unencrypted trivially compressed audio packets if you can sniff them? Duh. So you either rely on nobody being in the middle on a switched network, or you encrypt it.

    Is anyone in the biz really unaware of this?
    • Re:Uhh... (Score:1, Insightful)

      by isometrick (817436)
      Sorry to reply to myself.

      Further, if someone is directly in the middle of the link for your SIP conversation, use SIP over TLS and don't trust any unauthorized certs. Just like you would do with any other protocol.
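    The registration-hijacking point above rests on the SIP digest challenge (401 with WWW-Authenticate, answered by an Authorization header). The following is an added example, not from the article or any poster, showing both sides of that exchange with a constructed realm, nonce and credentials; it also shows why a captured Authorization header is useless against a registrar that issues a fresh nonce per challenge.

    ```python
    import hashlib
    import hmac
    import re

    # Constructed test values; the shared secret never travels on the wire.
    REALM = "sip.example.net"
    NONCE = "a9f3e2c1"            # issued by the registrar in the 401 challenge
    USER = "alice"
    PASSWORD = "s3cret"
    METHOD = "REGISTER"
    URI = "sip:sip.example.net"


    def _md5(s: str) -> str:
        return hashlib.md5(s.encode()).hexdigest()


    def digest_response(user, realm, password, method, uri, nonce):
        """RFC 2617 digest without qop, as used by SIP: MD5(HA1:nonce:HA2)."""
        ha1 = _md5(f"{user}:{realm}:{password}")
        ha2 = _md5(f"{method}:{uri}")
        return _md5(f"{ha1}:{nonce}:{ha2}")


    def build_authorization(user, password, nonce, realm=REALM, method=METHOD, uri=URI):
        """User agent side: answer the WWW-Authenticate challenge."""
        resp = digest_response(user, realm, password, method, uri, nonce)
        return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
                f'uri="{uri}", response="{resp}"')


    def parse_authorization(header):
        """Pull the key="value" pairs out of a Digest Authorization header."""
        body = header.split("Digest", 1)[1]
        return dict(re.findall(r'(\w+)="([^"]*)"', body))


    def registrar_verify(header, method, password_db, issued_nonce):
        """Registrar side: recompute the digest from the stored secret and compare.

        A response computed for an older nonce (a replayed capture) is rejected
        before any credential lookup happens.
        """
        p = parse_authorization(header)
        if p.get("nonce") != issued_nonce:
            return False
        pw = password_db.get(p.get("username", ""))
        if pw is None:
            return False
        expected = digest_response(p.get("username", ""), p.get("realm", ""), pw,
                                   method, p.get("uri", ""), p["nonce"])
        # Constant-time comparison; bytes form accepts any header content.
        return hmac.compare_digest(expected.encode(), p.get("response", "").encode())
    ```
    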
  • If you are only running VOIP internally, it's not such a concern (although bandwidth management may be!), but it would suck to have some Russian grab your company by the nuts with a zombie attack on the pipe that feeds your VOIP server. Most companies out there would put down time on phone systems as a higher concern than eavesdropping.

    -Rick
    • but it would suck to have some Russian grab your company by the nuts

      Eh? Didn't fear of "The Russians" die with Reaganism? Wolfowitz did a fine job on old Ronald - and you it would seem. Tom Clancy does keep a few Russian snipers employed these days, but aside from this there's really not a whole lot scary about "The Russians" these days.

      Frankly a far more realistic fear is found between Americans and their own government... America is the place where the right to personal privacy extends about

      • Ask your boss if he would be more concerned with the government listening in on the company's VoIP calls, or if a Russian hacker spammed your voice mail system with a demand for $50,000 or the system would be shut down (DoS'd)?

        It's a common enough occurrence in digital service providers. Get a zombie net together, threaten a company with a demand they can afford, shut them down for a day, then wait for the money. The same attack style that the RIAA uses against college students. Sure, losing $3k as a student
    • Okay, some mod needs to learn the meaning of the word Redundant!

      -Rick
  • Oreka (Score:4, Informative)

    by henrih (966455) on Wednesday April 05, 2006 @11:40PM (#15073156)

    Disclaimer: I'm lead developer on Oreka.

    You can very easily record all RTP traffic on a given ethernet span to wav files on disk using a sniffing tool such as http://www.oreka.org/ [oreka.org]. Most people don't use encryption yet in the VoIP field. This will catch SIP, H.323 and Cisco Skinny traffic, i.e. most of the existing traffic except IAX (asterisk) type traffic.

    • as it's not a term of art.

      If you mean broadcast domain, you're wrong, at least in modern switched networks. If you can find someone still running on shared media (hubs) or unencrypted WLAN, then yes, all of the traffic is accessible. Otherwise, that RTP packet isn't going to appear at the switch port you're plugged into unless you have admin access to the switch, in which case there are more serious security issues if you're a bad guy.

      If you mean a SPAN (Switched Port ANalyzer, aka "mirror") port, that's

      • If you mean broadcast domain, you're wrong, at least in modern switched networks. If you can find someone still running on shared media (hubs) or unencrypted WLAN, then yes, all of the traffic is accessible. Otherwise, that RTP packet isn't going to appear at the switch port you're plugged into unless you have admin access to the switch

        Using ARP spoofing [wikipedia.org], you can sniff traffic of other machines on a switched network without needing admin access to the switch itself.

        • at least not more than a trickle out-of-order, one-side-of-the-conversation packets. It also requires knowledge of the MAC or IP address of the phone. Doing so will also cause very noticeable network problems/interruptions beyond severe and immediately noticeable sound quality issues with the VoIP conversation in progress.
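        The ARP spoofing exchange above also points at how it gets caught: the IP-to-MAC binding of the phone or gateway changes, and one MAC starts answering for several IPs. The following is an added example, not from any poster, that runs that check over constructed ARP reply records (one per line: timestamp, sender IP, sender MAC) and returns alerts in the arpwatch spirit of "changed ethernet address".

        ```python
        from collections import defaultdict

        # Constructed sample of ARP replies as seen from a monitoring port (not real
        # captures). 192.168.1.1 is the gateway; bb:bb:bb briefly claims both hosts.
        SAMPLE = """\
        1144300000 192.168.1.1 is-at 00:11:22:aa:aa:aa
        1144300001 192.168.1.20 is-at 00:11:22:cc:cc:cc
        1144300030 192.168.1.1 is-at 00:11:22:bb:bb:bb
        1144300031 192.168.1.20 is-at 00:11:22:bb:bb:bb
        1144300060 192.168.1.1 is-at 00:11:22:aa:aa:aa
        1144300061 192.168.1.20 is-at 00:11:22:cc:cc:cc
        """


        def parse_arp_lines(text):
            """Yield (timestamp, ip, mac) from '<epoch> <ip> is-at <mac>' lines."""
            for line in text.splitlines():
                line = line.strip()
                if not line:
                    continue
                ts, ip, _, mac = line.split()
                yield int(ts), ip, mac.lower()


        def detect_arp_spoofing(text, known=None, max_ips_per_mac=1):
            """Return alerts for IP->MAC changes and for one MAC claiming many IPs.

            `known` is an optional trusted baseline (e.g. the gateway's real MAC);
            any reply contradicting it is flagged separately from ordinary flips.
            """
            known = dict(known or {})
            seen = dict(known)                  # current binding per IP
            ips_by_mac = defaultdict(set)       # which IPs each MAC has claimed
            flagged_macs = set()
            alerts = []
            for ts, ip, mac in parse_arp_lines(text):
                prev = seen.get(ip)
                if ip in known and mac != known[ip]:
                    alerts.append((ts, "baseline-violation", ip, prev, mac))
                elif prev and prev != mac:
                    alerts.append((ts, "changed-ethernet-address", ip, prev, mac))
                seen[ip] = mac
                ips_by_mac[mac].add(ip)
                if len(ips_by_mac[mac]) > max_ips_per_mac and mac not in flagged_macs:
                    flagged_macs.add(mac)
                    alerts.append((ts, "mac-claims-multiple-ips", mac, sorted(ips_by_mac[mac])))
            return alerts
        ```
        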
  • by techno-vampire (666512) on Thursday April 06, 2006 @12:45AM (#15073462) Homepage
    The article assumes that VOIP software is going to be sending/receiving VOIP and nothing else. Imagine a trojan that looks for and infects VOIP software, then uses it to phone home and send any confidential info to the server using the VOIP ports. All your user names, passwords, credit card info. Next, it sends home a list of all files. The server checks for certain obvious possibilities (e.g., customer.db, address.db, etc.) and replies with instructions to have them sent as well. Identity theft, wholesale and automated.
    • And how would that differ from any other trojan?
      Sure, you'd want to infect something that's supposed to connect to the internet, so as to avoid outbound firewalls. But I don't see how VOIP software makes any better target than, say, a web browser.
      • But I don't see how VOIP software makes any better target than, say, a web browser.

        I never said it made a better target, and I didn't mean to imply it. What I was getting at is that VOIP is another target, and that this wasn't even mentioned in the article.

  • Securityschmurity (Score:5, Interesting)

    by thegrassyknowl (762218) on Thursday April 06, 2006 @02:24AM (#15073849)
    People have trusted their telephone lines for years.

    It's easy for someone to listen in on your phone call. All they need to do is be in a position of trust between your handset and the other person's handset. You wouldn't even know they were there. Do you really trust all the line techs and the people who run the telecoms networks not to snoop on you?

    Admittedly, it's not as easy to hijack a phone line unless you are in the same position of trust. VoIP makes stealing the connection a little easier. Software faults lead the way to security issues and the ability to break into VoIP servers or just do nasty things to the data on the wire.

    I liken VoIP to having a cordless phone on your line. With the right equipment I can sniff a cordless phone call and play back the parts of it that tell the base station the handset wants to make a phone call. DECT is a little harder, but apparently still doable. If you're still using a 30MHz FM cordless phone then the right equipment is available for tens of dollars at your local rat shack!

    Phil Zimmermann recently released some encrypted VoIP software that solves the eavesdropping problem with a good level of security. I can imagine that phone companies and governments will soon be trying like shit to outlaw encrypted VoIP comms because it means all those wiretaps they are so fond of doing become useless.

    I trust my VoIP provider, currently. I log into their SIP server which is at the other end of my DSL connection. They are also my ISP so I know my data never leaves their network except when it is put back on the PSTN. This also has advantages for downstream QoS (they implement it for their own SIP server) so I don't ever get dropouts.
    • I trust my VoIP provider, currently. I log into their SIP server which is at the other end of my DSL connection. They are also my ISP so I know my data never leaves their network except when it is put back on the PSTN.

      How do you know your VoIP provider is passing your call to the PSTN - it's likely in fact that they send it over the internet to someone else closer to the final call destination who makes that final link. That's especially true for international calls.

      What if the person you're calling has V

      • It sounds like the grandparent has Speakeasy as his/her isp. Speakeasy has a private network to ensure QoS and prioritization of voice traffic.

        I've heard the results -- VoIP over Speakeasy is far better and more consistent than, say, Vonage.
        • Um nope. Am in the land down-under. Have a local outfit (www.internode.on.net) as my ISP. Runs rings around most everyone else.

          And I know my ISP is putting my calls on the PSTN because I mostly make calls to PSTN numbers in my local calling area. Somewhere they have to end up on the Telstra network!
    • DECT is a little harder, but apparently still doable.
      Every encryption is 'doable', but saying it's just a little harder is an understatement.
      BTW: DECT is finally coming to the USA, which is a Good Thing(sm)
      • DECT isn't as secure as you may think. I never looked into it, but from what I've seen it's only designed to keep out casual snoopers, not someone with a small amount of computing power at their disposal.
  • Encryption (Score:2, Interesting)

    by mishehu (712452)
    The potential problem is that encryption of the voice stream adds latency to the transmission of the stream. Optimally you want 150 ms or less to pass in transmission, otherwise Bad Things can occur.

    That being said, we have just switched Freeswitch [freeswitch.org] to use SRTP in the past few days, which appears to support keyed transport. Does anybody else have experience using this library and can tell about your experience encrypting SIP and/or RTP with it?
    • We have 3 offices running Asterisk boxes for our softswitches. They all can dial each other's extensions directly, and we have all IAX2 traffic running over our IPSec tunnels... It's a no-brainer. Besides the handsets, that is the only voip we use. We have never had problems with latency (and yes, we use diff ISPs at each location. One is Internet America [What a joke], another is a T1 from The Planet, and the last is dsl from Speakeasy). In over a year of this system being installed, we have never had
  • In 2000, I worked on a project that was doing voip soft switch software for a company that was funded by Cisco, and some of the most obvious things I noticed about the protocol was that being UDP based it was trivial to do things like make the phone ring, spoof caller ID, etc... Most large firms really don't care about security until it directly affects them... Security is like this wrapper that gets put on later after weaknesses are found, when in reality security is something that should be thought of in th
  • Other than having the convenience of not needing an antenna, the security of most VoIP installations is as secure as your typical wireless networks without encryption.

    If you want to secure your VoIP, there are products available from some of the equipment manufacturers that will do encryption in hardware. Even without that, if you have a way to set up a VPN tunnel the packets will essentially be encrypted from an external point of view.
  • Many VoIP phones, in particular 802.11b/g handsets, have serious software vulnerabilities out-of-the-box ranging from hardcoded credentials, remote debugging access left in from development, vulnerable applications (like embedded webservers), and other issues. My personal research and evaluations on these VoIP wifi phones have documented several of these vulnerabilities across multiple vendors' phones, take a look here: http://www.security.nnov.ru/source12976.html [security.nnov.ru] Crypto is a start, but if attackers can s
  • penciling_in asks: "... This leaves me begging the question: What other not-so-publicized VoIP security issues should companies be watching out for?"

    There are a wide range of security issues related to VoIP, although many if not most of them actually are the standard threats relating to the underlying data networks. One place to learn more is the VoIP Security Alliance [voipsa.org] which last fall released a threat taxonomy [voipsa.org] that outlined threats to VoIP.

    You may also find of value our weekly podcast on the subject

  • Let me start out by saying I love VoIP. I use it at home. I have installed three Asterisk servers at three different companies over the last two years. I have told everyone I know that VoIP is the way of the future.

    That said, VoIP is an emerging technology and as such its security limitations are not fully understood nor are they fully mediated.

    Take BroadVoice (wonderful company, by the way), for instance. They allow you to bring your own device unlike so many other VoIP companies. You can use Asterisk with them or
