
Overlooked VoIP Security Issues?

Cliff posted more than 8 years ago | from the missed-vulnerabilities dept.


penciling_in asks: "Voiponder is running an informative article identifying VoIP attacks, which are applicable to current systems but lack public awareness and are, for the most part, misunderstood. The author's primary purpose is to 'discuss two of the most well known attacks that can be carried out in current VoIP deployments. The first attack demonstrates the ability to hijack a user's VoIP Subscription and subsequent communications. The second attack looks at the ability to eavesdrop in to VoIP communications.' This leaves me begging the question: What other not-so-publicized VoIP security issues should companies be watching out for?"


42 comments


Links to tools (1)

TubeSteak (669689) | more than 8 years ago | (#15072688)

How nice of them to include links to the tools they used
http://www.vopsecurity.org/html/tools.html [vopsecurity.org]
SiVuS - The VoIP Vulnerability Scanner

SiVuS is the first publicly available vulnerability scanner for VoIP networks that use the SIP protocol...
http://www.vopsecurity.org.nyud.net:8090/sivus-1.0 9.exe [nyud.net]

And of course, Ethereal for packet sniffing.

It was probably a bad idea for them to link/host the spoofing tool.
I predict Slashdot will go wild with the easy-to-use GUI tool.

Re:Links to tools (1)

Yomer333 (918394) | more than 8 years ago | (#15072864)

Granted, a VOIP vulnerability scanner is a pretty focused tool, but how many Slashdot readers don't already use *insert your own packet capturing software here*?

Gasp! (4, Insightful)

Loonacy (459630) | more than 8 years ago | (#15072750)

An unencrypted protocol is susceptible to man-in-the-middle attacks? Who'da thunk?

Re:Gasp! (1)

uniqueUser (879166) | more than 8 years ago | (#15075529)

Correct me if I'm wrong, but how is the fact that the packets are not encrypted any different than cell phones? Are most cell phone data encrypted? If anyone knows about this, please post some information.

Re:Gasp! (1)

macdaddy (38372) | more than 8 years ago | (#15078803)

Aren't they encrypted? My current phone (Verizon XV6700) has an option in the wireless services menu called "Voice Privacy". My really old Nokia 6120i also had this option. I think my Nokia 638 had the same option as well. If that service isn't about encryption then does anyone know what it's for?

Re:Cell phone calls are encrypted (sort of) (1)

Puh (96627) | more than 8 years ago | (#15082682)

Check for example http://www.gsm-security.net/faq/gsm-encryption.sht ml [gsm-security.net]

So the calls are encrypted over the air, but the algorithm is weakened so that it is relatively easy to break. Inside the telco's network different rules of course apply.

Re:Gasp! (1)

bhiestand (157373) | more than 8 years ago | (#15082871)

Correct me if I'm wrong, but how is the fact that the packets are not encrypted any different than cell phones? Are most cell phone data encrypted? If anyone knows about this, please post some information.

Depends on where you live and what kind of service you have. In Georgia, you could be using a CDMA, GSM, or iDEN service. You could even have an older analog cell phone, in which case I'd recommend you get a new phone immediately. GSM in the US should be encrypted. I don't believe CDMA supports REAL encryption, but it'd probably be really hard [hankooki.com] (nothing's impossible) for someone to monitor. iDEN uses some very complex multiplexing as well as encryption for the voice channel. In other words, they're all pretty damned secure, but I'd be afraid to use any type of phone if I was on the FBI's most wanted list. If you're not sure which service you have:

CDMA = Sprint, Verizon, and most of the smaller carriers
GSM = Cingular/T-Mobile
iDEN = Nextel

Re:Gasp! (1)

bhiestand (157373) | more than 8 years ago | (#15082888)

Sorry, I forgot to get to my point. The point is that it's much easier for someone to be in the position to capture the packets going to and from your internet connection than it is for them to capture and break out an unencrypted-but-multiplexed signal transmitted from a low-power portable device. And did I mention that, by definition, they'd have to do it all over again once your cell phone switched cells?

Compare this to someone using VoIP on an insecure wifi connection in a starbucks, or a hotel where anyone else plugged in can sniff the packets. Of course the best is when someone uses one of those old analog cordless phones hooked up to their VoIP adapter. Radio Shack has been selling scanners that can pick those up for years...

This leaves me begging the question (1, Insightful)

Holi (250190) | more than 8 years ago | (#15072819)

No it doesn't, it leaves you asking the question.

go ahead mod me down.

Uhh... (2, Insightful)

isometrick (817436) | more than 8 years ago | (#15072885)

On the first one (registration hijacking) we have 401 unauthorized and WWW-Authenticate (similar to HTTP digest authentication). So unless you know the peer's shared secret with the registrar, you're out of luck. As well as CSeq to prevent message replay.

On the second one ... really? You can listen to completely unencrypted trivially compressed audio packets if you can sniff them? Duh. So you either rely on nobody being in the middle on a switched network, or you encrypt it.

Is anyone in the biz really unaware of this?
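The 401 / WWW-Authenticate exchange and the CSeq check this comment refers to, as an added example that is not part of the thread or of any SIP stack: a constructed UA answers a registrar's digest challenge (RFC 3261 / RFC 2617, MD5, qop=auth) and the registrar rejects a replayed CSeq and a forged response. Realm, username and secret are made up.

```python
"""SIP REGISTER digest (RFC 3261 / RFC 2617, MD5, qop=auth) with a registrar-side
CSeq replay check. Added example; realm, users and secrets are constructed."""
import hashlib
import hmac
import secrets


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """The 'response' value a UA places in its Authorization header."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop is None:                       # older RFC 2069 form, no qop
        return _md5(f"{ha1}:{nonce}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(username, password, challenge, uri, nc, cnonce):
    """UA side: answer a 401 challenge for a REGISTER to `uri`."""
    auth = {"username": username, "realm": challenge["realm"],
            "nonce": challenge["nonce"], "uri": uri, "qop": challenge["qop"],
            "nc": nc, "cnonce": cnonce}
    auth["response"] = digest_response(username, auth["realm"], password,
                                       "REGISTER", uri, auth["nonce"],
                                       auth["qop"], nc, cnonce)
    return auth


class Registrar:
    """Minimal registrar: issues challenges, checks digests and CSeq order."""
    REALM = "sip.example.test"          # constructed realm

    def __init__(self, users):
        self.users = users              # username -> shared secret
        self.nonces = set()             # issued nonces (real code also expires them)
        self.last_cseq = {}             # (user, Call-ID) -> highest CSeq accepted

    def challenge(self):
        """Parameters for the WWW-Authenticate header of a 401 Unauthorized."""
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return {"realm": self.REALM, "nonce": nonce, "qop": "auth"}

    def verify(self, auth, call_id, cseq):
        """True if the header proves the shared secret and is not a replay."""
        user = auth.get("username")
        if user not in self.users or auth.get("realm") != self.REALM:
            return False
        if auth.get("nonce") not in self.nonces:
            return False                # a nonce we never issued
        expected = digest_response(user, self.REALM, self.users[user], "REGISTER",
                                   auth.get("uri", ""), auth["nonce"],
                                   auth.get("qop"), auth.get("nc"), auth.get("cnonce"))
        if not hmac.compare_digest(expected, auth.get("response", "")):
            return False                # wrong secret or tampered request
        key = (user, call_id)
        if cseq <= self.last_cseq.get(key, 0):
            return False                # replayed or out-of-order CSeq
        self.last_cseq[key] = cseq
        return True


def demo():
    """One genuine REGISTER, a replay, a forged digest, then a fresh re-REGISTER."""
    reg = Registrar({"alice": "constructed-secret"})
    chal = reg.challenge()
    uri = "sip:sip.example.test"
    auth = build_authorization("alice", "constructed-secret", chal, uri,
                               "00000001", "0a1b2c3d")
    first = reg.verify(auth, "call-1@ua", 1)          # accepted
    replay = reg.verify(auth, "call-1@ua", 1)         # same CSeq again: rejected
    forged = dict(auth, response="0" * 32)
    forged_ok = reg.verify(forged, "call-1@ua", 2)    # bad digest: rejected
    auth2 = build_authorization("alice", "constructed-secret", chal, uri,
                                "00000002", "0a1b2c3d")
    second = reg.verify(auth2, "call-1@ua", 2)        # nc and CSeq advanced: ok
    return first, replay, forged_ok, second   # (True, False, False, True)
```

A production registrar additionally expires nonces and checks that `nc` increases, which this sketch leaves out.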

Re:Uhh... (1, Insightful)

isometrick (817436) | more than 8 years ago | (#15072943)

Sorry to reply to myself.

Further, if someone is directly in the middle of the link for your SIP conversation, use SIP over TLS and don't trust any unauthorized certs. Just like you would do with any other protocol.

Bzzzt!!! (0)

Anonymous Coward | more than 8 years ago | (#15075629)

Further, if someone is directly in the middle of the link for your SIP conversation,

You don't have to be directly in the middle, you need only be in the logical middle. Switched networks offer no security.

use SIP over TLS and don't trust any unauthorized certs.

Except that the SIP protocol doesn't have a TLS specification. Sure you could run SIP over TLS, but the other end of the conversation would also have to be talking TLS. This might work if you are running your own network with a couple of Asterisk servers, but how do you get an IP hardphone to talk TLS? How do you get Vonage, SpeakEasy, VoicePulse, et al to talk TLS?

If they are talking SIP, then TLS is out of the equation. That's the whole point of this. SIP is totally insecure and destined to fail. The SIP VoIP world is already barreling down the tracks, but no one seems to want to accept that the bridge ahead is out!

Any type of DOS attack (1, Redundant)

RingDev (879105) | more than 8 years ago | (#15073001)

If you are only running VOIP internally, it's not such a concern (although bandwidth management may be!), but it would suck to have some Russian grab your company by the nuts with a zombie attack on the pipe that feeds your VOIP server. Most companies out there would put down time on phone systems as a higher concern than eavesdropping.

-Rick

Re:Any type of DOS attack (1)

delire (809063) | more than 8 years ago | (#15073184)

but it would suck to have some Russian grab your company by the nuts
Eh? Didn't fear of "The Russians" die with Reaganism? Wolfowitz did a fine job on old Ronald - and you it would seem. Tom Clancy does keep a few Russian snipers employed these days, but aside from this there's really not a whole lot scary about "The Russians" these days.

Frankly a far more realistic fear is found between Americans and their own government... America is the place where the right to personal privacy extends about as far as your local drugstore and it's in America that legislation to personal privacy is being rewritten daily - thank Jacob they don't need to type that stuff out.

It could safely be said, if you want more privacy, move from America to Russia.

Re:Any type of DOS attack (2, Interesting)

RingDev (879105) | more than 8 years ago | (#15073237)

Ask your boss if he would be more concerned with the government listening in on the company's VoIP calls, or if a Russian hacker spammed your voice mail system with a demand for $50,000 or the system would be shut down (DoS'd)?

It's a common enough occurrence in digital service providers. Get a zombie net together, threaten a company with a demand they can afford, shut them down for a day, then wait for the money. The same attack style that the RIAA uses against college students. Sure, losing $3k as a student (or $50k as a company) sucks, but you can survive it, and it's significantly cheaper than trying to fight it.

-Rick

Re:Any type of DOS attack (0, Redundant)

RingDev (879105) | more than 8 years ago | (#15075329)

Okay, some mod needs to learn the meaning of the word Redundant!

-Rick

Oreka (4, Informative)

henrih (966455) | more than 8 years ago | (#15073156)

Disclaimer: I'm lead developer on Oreka.

You can very easily record all RTP traffic on a given ethernet span to wav files on disk using a sniffing tool such as http://www.oreka.org/ [oreka.org] . Most people don't use encryption yet in the VoIP field. This will catch SIP, H.323 and Cisco Skinny traffic, i.e. most of the existing traffic except IAX (asterisk) type traffic.

Define "Ethernet span..." (1)

msauve (701917) | more than 8 years ago | (#15074616)

as it's not a term of art.

If you mean broadcast domain, you're wrong, at least in modern switched networks. If you can find someone still running on shared media (hubs) or unencrypted WLAN, then yes, all of the traffic is accessible. Otherwise, that RTP packet isn't going to appear at the switch port you're plugged into unless you have admin access to the switch, in which case there are more serious security issues if you're a bad guy.

If you mean a SPAN (Switched Port ANalyzer, aka "mirror") port, that's a specialized situation and access to a SPAN port by an untrusted user again represents a more serious security threat than just seeing RTP traffic.

Re:Define "Ethernet span..." (1)

!equal (938339) | more than 8 years ago | (#15074936)

If you mean broadcast domain, you're wrong, at least in modern switched networks. If you can find someone still running on shared media (hubs) or unencrypted WLAN, then yes, all of the traffic is accessible. Otherwise, that RTP packet isn't going to appear at the switch port you're plugged into unless you have admin access to the switch

Using ARP spoofing [wikipedia.org] , you can sniff traffic of other machines on a switched network without needing admin access to the switch itself.

No, you can't... (1)

msauve (701917) | more than 8 years ago | (#15076002)

at least not more than a trickle of out-of-order, one-side-of-the-conversation packets. It also requires knowledge of the MAC or IP address of the phone. Doing so will also cause very noticeable network problems/interruptions beyond severe and immediately noticeable sound quality issues with the VoIP conversation in progress.

You Have A Lot To Learn (0)

Anonymous Coward | more than 8 years ago | (#15076643)

You have a lot to learn. The technique that he referred to and even linked to is trivial, common and totally effective. Even Cisco dropped the BS line that switching provided security several years ago.

LOL. An AC... (1)

msauve (701917) | more than 8 years ago | (#15077234)

with his head up his ass. Who'da thunk?

If you do ARP spoofing, the switch will merely update its FDB to indicate the MAC moved to a different port, and will stop forwarding to the port of the real host. You cannot use ARP spoofing to cause the same packets to appear on both ports on a properly implemented switch; a packet will be sent to one or the other. Therefore:

1. As soon as you start doing ARP spoofing, packets bound for the real VoIP client will go to the sniffer and not the client, causing severe voice quality problems and notifying the user of a network issue.

2. As soon as the real host sends another packet, it will again start receiving packets, and the sniffer will not, making it impossible to capture a full stream.

3. If you flood spoofs fast enough, you might receive most of the packets - but since the real user would not, there's not going to be much interesting conversation going on, maybe a few "hello? are you there?" before one end or the other disconnects.

4. If you try to spoof both ends (i.e. the host and the host's gateway), both ends will experience severe audio degradation. You'll just hear them disconnect.

5. You really have no clue how real networks work, do you?

There might be an opportunity for a man in the middle attack, but that is not what the original post was claiming to do. To do so would require spoofing not only the VoIP host, but spoofing the gateway for all hosts, something which would not produce consistent results and unlikely to succeed without being quickly noticed.

Yes, it's technically a security problem because packets are ending up with the bad guy. Real world, there's not much a bad guy can use it for, except DOS, which they could do even on encrypted communications.

You Ignorant Twat!!! (0)

Anonymous Coward | more than 8 years ago | (#15077539)

You don't arp spoof a switch or the VoIP host, for the very reasons you stated. You arp poison the gateway/router, you dumbass!

To do so would require spoofing not only the VoIP host, but spoofing the gateway for all hosts, something which would not produce consistent results and unlikely to succeed without being quickly noticed.

Ever tried it? Poison the gateway for a single host like the PBX/Call Manager or, more simply, an individual phone. Works just fine for me. No one notices in the VoIP call as only a packet or two possibly gets dropped when you initially hijack the connection. From that point forward you are privy to their SIP registration credentials or to the call stream itself. When done you can either "re-poison" the gateway with legitimate arp information, thus quietly returning packet flow to normal and no one's the wiser, or you can be mean and just disconnect your "gateway" severing their connection for a few seconds. Their call is dropped and by the time anyone tries to figure out what happened, it's all back to normal.

Just because you don't know how, or don't believe it can be done, doesn't mean that I'm not doing it.

Real world, there's not much a bad guy can use it for, except DOS,

How dense are you, really? SIP credentials, the contents of the voice stream, surely you could figure out what to do with those. If not, RTFA!
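A defender's view of the ARP poisoning argued over above, as an added example that is not from the thread: arpwatch-style detection of a gateway address flip-flopping between two MACs and of a burst of ARP replies, run over constructed lines in the style of `tcpdump -tt -n arp`. Gateway address, MACs and timestamps are all made up.

```python
"""Flag gateway MAC flip-flops and ARP reply floods in tcpdump-style output.

Added example, not from the thread. SAMPLE is constructed to resemble
`tcpdump -tt -n arp` output (epoch seconds, then the ARP summary)."""
import re
from collections import defaultdict, deque

ARP_REPLY = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)

SAMPLE = """\
1700000001.000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
1700000001.500 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:20, length 28
1700000002.000 ARP, Request who-has 192.168.1.30 tell 192.168.1.20, length 28
1700000030.000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
1700000030.200 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
1700000030.400 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
1700000030.600 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
1700000030.800 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
1700000031.100 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
"""


def parse_replies(text):
    """Yield (timestamp, ip, mac) for each ARP reply line; requests are skipped."""
    for line in text.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            yield float(m["ts"]), m["ip"], m["mac"].lower()


def analyze(text, gateway_ip="192.168.1.1", window=1.0, flood_threshold=5):
    """Return alerts: an IP's advertised MAC changing, or a burst of replies."""
    last_mac = {}                       # ip -> most recently advertised MAC
    recent = defaultdict(deque)         # ip -> reply timestamps inside window
    flooding = set()                    # ips currently over threshold (alert once)
    alerts = []
    for ts, ip, mac in parse_replies(text):
        prev = last_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append({"ts": ts, "ip": ip, "kind": "changed",
                           "gateway": ip == gateway_ip,
                           "detail": f"{prev} -> {mac}"})
        last_mac[ip] = mac
        q = recent[ip]
        q.append(ts)
        while q and q[0] < ts - window:   # drop replies outside the window
            q.popleft()
        if len(q) >= flood_threshold:
            if ip not in flooding:
                flooding.add(ip)
                alerts.append({"ts": ts, "ip": ip, "kind": "flood",
                               "gateway": ip == gateway_ip,
                               "detail": f"{len(q)} replies in {window}s"})
        else:
            flooding.discard(ip)
    return alerts
```

On the sample this yields three alerts: the gateway changing to the unknown MAC, a reply burst for the gateway, and the change back once the original host answers again.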

There's an unspoken assumption here. (2, Insightful)

techno-vampire (666512) | more than 8 years ago | (#15073462)

The article assumes that VOIP software is going to be sending/receiving VOIP and nothing else. Imagine a trojan that looks for and infects VOIP software, then uses it to phone home and send any confidential info to the server using the VOIP ports. All your user names, passwords, credit card info. Next, it sends home a list of all files. The server checks for certain obvious possibilities (e.g., customer.db, address.db, etc.) and replies with instructions to have them sent as well. Identity theft, wholesale and automated.

Re:There's an unspoken assumption here. (1)

CryoPenguin (242131) | more than 8 years ago | (#15074466)

And how would that differ from any other trojan?
Sure, you'd want to infect something that's supposed to connect to the internet, so as to avoid outbound firewalls. But I don't see how VOIP software makes any better target than, say, a web browser.

Re:There's an unspoken assumption here. (1)

techno-vampire (666512) | more than 8 years ago | (#15077784)

But I don't see how VOIP software makes any better target than, say, a web browser.

I never said it made a better target, and I didn't mean to imply it. What I was getting at is that VOIP is another target, and that this wasn't even mentioned in the article.

Securityschmurity (5, Interesting)

thegrassyknowl (762218) | more than 8 years ago | (#15073849)

People have trusted their telephone lines for years.

It's easy for someone to listen in on your phone call. All they need to do is be in a position of trust between your handset and the other person's handset. You wouldn't even know they were there. Do you really trust all the line techs and the people who run the telecoms networks not to snoop on you?

Admittedly, it's not as easy to hijack a phone line unless you are in the same position of trust. VoIP makes stealing the connection a little easier. Software faults lead the way to security issues and the ability to break into VoIP servers or just do nasty things to the data on the wire.

I liken VoIP to having a cordless phone on your line. With the right equipment I can sniff a cordless phone call and play back the parts of it that tell the base station the handset wants to make a phone call. DECT is a little harder, but apparently still doable. If you're still using a 30MHz FM cordless phone then the right equipment is available for tens of dollars at your local rat shack!

Phil Zimmermann recently released some encrypted VoIP software that solves the eavesdropping problem with a good level of security. I can imagine that phone companies and governments will soon be trying like shit to outlaw encrypted VoIP comms because it means all those wiretaps they are so fond of doing become useless.

I trust my VoIP provider, currently. I log into their SIP server which is at the other end of my DSL connection. They are also my ISP so I know my data never leaves their network except when it is put back on the PSTN. This also has advantages for downstream QoS (they implement it for their own SIP server) so I don't ever get dropouts.

Re:Securityschmurity (1)

Albanach (527650) | more than 8 years ago | (#15074941)

I trust my VoIP provider, currently. I log into their SIP server which is at the other end of my DSL connection. They are also my ISP so I know my data never leaves their network except when it is put back on the PSTN.
How do you know your VoIP provider is passing your call to the PSTN - it's likely in fact that they send it over the internet to someone else closer to the final call destination who makes that final link. That's especially true for international calls.

What if the person you're calling has VoIP - your call would then be routed over the internet to their VoIP provider and then to their home / office, all without your knowledge.

Re:Securityschmurity (1)

mr_death (106532) | more than 8 years ago | (#15080940)

It sounds like the grandparent has Speakeasy as his/her isp. Speakeasy has a private network to ensure QoS and prioritization of voice traffic.

I've heard the results -- VoIP over Speakeasy is far better and more consistent than, say, Vonage.

Re:Securityschmurity (1)

thegrassyknowl (762218) | more than 8 years ago | (#15088649)

Um nope. Am in the land down-under. Have a local outfit (www.internode.on.net) as my ISP. Runs rings around most everyone else.

And I know my ISP is putting my calls on the PSTN because I mostly make calls to PSTN numbers in my local calling area. Somewhere they have to end up on the Telstra network!

Re:Securityschmurity (1)

4way (519502) | more than 8 years ago | (#15082730)

DECT is a little harder, but apparently still doable.
Every encryption is 'doable', but saying it's just a little harder is an understatement.
BTW: DECT is finally coming to the USA, which is a Good Thing(sm)

Re:Securityschmurity (1)

thegrassyknowl (762218) | more than 8 years ago | (#15088668)

DECT isn't as secure as you may think. I never looked into it, but from what I've seen it's only designed to keep out casual snoopers, not someone with a small amount of computing power at their disposal.

Encryption (2, Interesting)

mishehu (712452) | more than 8 years ago | (#15074888)

The potential problem is that encryption of the voice stream adds latency to the transmission of the stream. Optimally you want 150 ms or less to pass in transmission, otherwise Bad Things can occur.

That being said, we have just switched Freeswitch [freeswitch.org] to use SRTP in the past few days, which appears to support keyed transport. Does anybody else have experience using this library and can tell about your experience encrypting SIP and/or RTP with it?

Re:Encryption (1)

cjunky (89004) | more than 8 years ago | (#15075023)

We have 3 offices running Asterisk boxes for our softswitches. They all can dial each other's extensions directly, and we have all IAX2 traffic running over our IPSec tunnels... It's a no-brainer. Besides the handsets, that is the only voip we use. We have never had problems with latency (and yes, we use diff ISPs at each location. One is Internet America [What a joke], another is a T1 from The Planet, and the last is dsl from Speakeasy). In over a year of this system being installed, we have never had a latency problem, even with the ipsec (We use Openbsd 3.6/3.7 for all our endpoints).

voip security (1)

NynexNinja (379583) | more than 8 years ago | (#15074988)

In 2000, I worked on a project that was doing voip soft switch software for a company that was funded by Cisco, and some of the most obvious things I noticed about the protocol were that, being UDP based, it was trivial to do things like make the phone ring, spoof caller ID, etc... Most large firms really don't care about security until it directly affects them... Security is like this wrapper that gets put on later after weaknesses are found, when in reality security is something that should be thought of in the design stages, especially when you're talking about network protocols that you're expecting to have user supplied data being delivered to the client/server.

New book on this subject (0)

Anonymous Coward | more than 8 years ago | (#15075125)

Just ran across a book that came out this last week on this; it's currently being shipped, so not sure of the actual content yet, but it looks good:
Practical VoIP Security [amazon.com] on Amazon.com

No different than wireless networking (1)

sacremon (244448) | more than 8 years ago | (#15075277)

Other than having the convenience of not needing an antenna, most VoIP installations are about as secure as your typical wireless network without encryption.

If you want to secure your VoIP, there are products available from some of the equipment manufacturers that will do encryption in hardware. Even without that, if you have a way to set up a VPN tunnel the packets will essentially be encrypted from an external point of view.

Duh. (0)

Anonymous Coward | more than 8 years ago | (#15079421)

In This Post-911 World(tm) (tired of hearing that yet?) the privacy of landline telephone conversations is fatally broken For Your Own Security(tm).

So just how stupid would you have to be to think that VoIP is secure?

Many VoIP phones have vulnerabilities... (1)

shawn_merdinger (966748) | more than 8 years ago | (#15081961)

Many VoIP phones, in particular 802.11b/g handsets, have serious software vulnerabilities out-of-the-box ranging from hardcoded credentials, remote debugging access left in from development, vulnerable applications (like embedded webservers), and other issues. My personal research and evaluations on these VoIP wifi phones have documented several of these vulnerabilities across multiple vendors' phones; take a look here: http://www.security.nnov.ru/source12976.html [security.nnov.ru] Crypto is a start, but if attackers can simply telnet to an open port on the phone and conduct low-level debugging, make calls, etc...well, that's a problem. Thanks, Shawn Merdinger, Independent Security Researcher

Some resources to learn more about VoIP Security (1)

dyork (200234) | more than 8 years ago | (#15084914)

penciling_in asks: "... This leaves me begging the question: What other not-so-publicized VoIP security issues should companies be watching out for?"

There are a wide range of security issues related to VoIP, although many if not most of them actually are the standard threats relating to the underlying data networks. One place to learn more is the VoIP Security Alliance [voipsa.org] which last fall released a threat taxonomy [voipsa.org] that outlined threats to VoIP.

You may also find of value our weekly podcast on the subject, "Blue Box: The VoIP Security Podcast", available at http://www.blueboxpodcast.com/ [blueboxpodcast.com] . We provide detailed show notes with links to all the various VoIP security-related articles and items we talk about, many of which you may find useful to learn more on the subject.

There is also a wealth of information available in the VOIPSEC [voipsa.org] e-mail discussion list (that is hosted by VOIPSA).

Regards, Dan

Theft of VoIP Service Is Easy (1)

InitZero (14837) | more than 8 years ago | (#15086638)

Let me start out by saying I love VoIP. I use it at home. I have installed three Asterisk servers at three different companies over the last two years. I have told everyone I know that VoIP is the way of the future.

That said, VoIP is an emerging technology and as such its security limitations are not fully understood nor are they fully mediated.

Take BroadVoice (wonderful company, by the way), for instance. They allow you to bring your own device unlike so many other VoIP companies. You can use Asterisk with them or just about any other SIP device. In my case, I use Cisco phones. All you have to do to configure your phone is tell it the location of the BroadVoice TFTP site. It picks up its configuration -- and account information -- from the TFTP site.

Very easy, right? Very insecure, too.

With just a MAC address of a BroadVoice SIP device, you can connect to the BroadVoice TFTP site, grab a configuration file and then start making calls with someone else's account.

No problem, you say. With MAC addresses being globally unique (more or less) and rarely sniffable off the local network, it seems pretty unlikely that anyone would be able to leverage a MAC address to get an account. It's not like you can do an 'mget *' from their TFTP server, stealing all their accounts.

Except that you can go to your local consumer electronics store and check out the shelf with the retail BroadVoice Start-Up Kit. When I bought mine, the MAC address was on the outside of every box. I imagine it still is. What if I wrote down a couple dozen MACs then waited a couple weeks for them to be bought and activated. With those MACs and a TFTP download of the configuration file, I could make outbound calls on their dime.

And that's just one way to get a SIP MAC. I bet I could come up with a couple dozen more.

While I'm sure Peter's methods are valid, if I were stealing someone's service, I wouldn't do it by sniffing packets. I'd just grab their MAC and figure out where their phone gets its configuration file from.

Don't let VoIP's immaturity scare you away, though. Once these VoIP providers get hit a time or two, we'll get a more secure solution. Better yet, maybe some smart hackers can come up with a better solution before VoIP gets burned. This is too cool and useful of a technology to go away.

Matt
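One way a provider could notice the MAC-keyed config harvesting this post describes, as an added example that is not from the thread or from any provider's tooling: it walks constructed syslog lines in the style of tftpd-hpa's RRQ logging, counts how many distinct device configs each client fetched, and lists devices whose config was pulled from more than one address. The SEP<MAC>.cnf.xml naming is the Cisco phone convention; hostnames, addresses and MACs are made up.

```python
"""Spot a single client pulling many MAC-named phone configs from a provisioning
TFTP server. Added example; LOG is constructed in the style of tftpd-hpa
syslog output, and the addresses/MACs are documentation-range placeholders."""
import re
from collections import defaultdict

RRQ = re.compile(r"in\.tftpd\[\d+\]: RRQ from (?P<ip>\S+) filename (?P<name>\S+)")
DEVICE_CFG = re.compile(r"^SEP(?P<mac>[0-9A-F]{12})\.cnf\.xml$", re.IGNORECASE)

LOG = """\
Apr 12 10:00:01 prov in.tftpd[2211]: RRQ from 198.51.100.7 filename SEP001122AABB01.cnf.xml
Apr 12 10:00:02 prov in.tftpd[2212]: RRQ from 198.51.100.9 filename XMLDefault.cnf.xml
Apr 12 10:00:03 prov in.tftpd[2213]: RRQ from 198.51.100.9 filename SEP001122AABB02.cnf.xml
Apr 12 10:04:10 prov in.tftpd[2219]: RRQ from 203.0.113.50 filename SEP001122AABB03.cnf.xml
Apr 12 10:04:11 prov in.tftpd[2220]: RRQ from 203.0.113.50 filename SEP001122AABB04.cnf.xml
Apr 12 10:04:12 prov in.tftpd[2221]: RRQ from 203.0.113.50 filename SEP001122AABB05.cnf.xml
Apr 12 10:04:12 prov in.tftpd[2222]: RRQ from 203.0.113.50 filename SEP001122AABB01.cnf.xml
Apr 12 10:30:00 prov in.tftpd[2301]: RRQ from 198.51.100.7 filename SEP001122AABB01.cnf.xml
"""


def device_requests(log):
    """Map source IP -> set of device MACs whose per-device config it fetched.

    Generic files such as XMLDefault.cnf.xml carry no account data and are ignored.
    """
    per_ip = defaultdict(set)
    for line in log.splitlines():
        m = RRQ.search(line)
        if not m:
            continue
        cfg = DEVICE_CFG.match(m["name"])
        if cfg:
            per_ip[m["ip"]].add(cfg["mac"].upper())
    return per_ip


def find_harvesters(log, max_devices=1):
    """IPs that fetched configs for more devices than one phone would.

    Raise max_devices for sites where several phones sit behind one NAT address.
    """
    return {ip: sorted(macs) for ip, macs in device_requests(log).items()
            if len(macs) > max_devices}


def shared_devices(log):
    """Device MACs whose config was fetched from more than one source IP."""
    owners = defaultdict(set)
    for ip, macs in device_requests(log).items():
        for mac in macs:
            owners[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in owners.items() if len(ips) > 1}
```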