
VoIP Security

Methodology and Results


NGS Software Ltd
Barrie Dempster Senior Security Consultant barrie@ngssoftware.com
Agenda

VoIP Security Issues

Assessment Methodology

Case Study: Asterisk


VoIP Security Issues

Why is VoIP such a problem?

If you take a systematic approach to it, it isn't

Assessing VoIP systems is quite different from the 'probe and parse' technique commonly used on databases and web applications.

It appears this way as it's multi-discipline - data networks, voice networks and security knowledge

Convergence!

One of the major selling points but one of the biggest issues
Goes against current network security best practise.
Firewalls, VPNs, VLANs etc. are focused on separation of traffic, often to separate into security boundaries

Convergence not only makes administration easier, it makes hacking easier too

Voice traffic on a data network is open to attacks using tools and techniques that have been used in the past on data networks
A convergence quote

From the NIST Security considerations for Voice over IP systems:
"The flexibility of VOIP comes at a price: added complexity in securing voice and data. Because VOIP systems are connected to the data network, and share many of the same hardware and software components, there are more ways for intruders to attack a VOIP system than a conventional voice telephone system or PBX."
The Main Threats

Toll Fraud

Eavesdropping

Caller ID Spoofing

Denial of Service

Another Entry Point


Toll Fraud

It's easy
  The slightest misconfiguration can lead to toll fraud - misconfiguration of DISA, default passwords and simple social engineering.

It's profitable
  Free use of services
  Services can be resold
  Overheads are low

It's happening (and has been for a long time)


Eavesdropping
VoIP doesn't introduce threats like this, it does make them more likely
Traditional/non-VoIP/PSTN networks are not immune to eavesdropping
VoIP adds more peers to the conversation
Coffee Shop, ISP, VoIP provider
Misconfiguration and vulnerabilities in any of these can expose you
Encryption is not used across the board; in fact, very few providers offer it as an option
VoIP services are becoming fragmented and incompatible
Skype/Standard protocols/Supermarkets
The solutions to this involve more software and more data manipulation.
Data manipulation is a common source of vulnerabilities.
Caller-ID Spoofing
There are a number of ways to do this
This is another threat that existed before VoIP but just got easier
It's still not an attack method that the general public are aware of
Many companies still use it as part of an authentication mechanism
You now need no technical knowledge to spoof Caller-ID.
A number of companies sell these services
Denial of Service
Uptime on traditional telephony networks is generally very high
It's not easy to DoS someone
It's not easy to hide your tracks when performing an attack
Only a few companies control the access points
Service levels for telephony are more important than most IP protocols
Emergency services
Customers/Users are used to high service levels
VoIP brings IP's problems to voice
IP has suffered many DoS vulnerabilities
DDoS is expensive and difficult to combat
Another Entry Point

VoIP brings problems to the IP network as well

It's as bad as email, IM clients and web browsers (which is bad!)

Complicated/Numerous protocols

Lots of vulnerabilities already found

Attackers are finding more


Methodology

How we look at it
The issues brought up in VoIP security and throughout this presentation are not new and are not a surprise. Telephony experience and IP experience combined with a security focused mindset are enough to combat these issues.
There is a lot of public coverage of VoIP issues, however the approach to understanding and tackling the problem of VoIP security is similar in concept to database, application, network infrastructure and other areas where security is an issue.
Focusing Efforts
The majority of research focus at present is on the protocols and encryption.
This doesn't address all of the major threats
Attackers have a different focus and security assessments should have this same focus
So we break it down into components
VoIP is made up of a number of components, many of these are covered by existing testing methodologies.
The Operating Platform
Configuration
VoIP Protocols
Support Protocols
Operating Platform
Network infrastructure
  VoIP is supported by a number of devices
  Firewalls and IDS's for example must be configured for VoIP
Operating Systems
  VoIP products often run on their own self contained OS
  Some are based on general purpose OS's (Linux/Windows)
Databases/Webservices/CRM
  VoIP systems depend on these for additional functions
  Used for call logging, user information, customer management etc.

Vulnerabilities in the VoIP product itself!


Configuration
How to assess configuration?
Scanning with war diallers and similar software is not enough
The configuration also has to be manually reviewed, by checking the configuration file/database.
Charting IVRs and call dialing plans makes vulnerabilities obvious

Configuration
Default passwords
  still rampant in PBXs
Bad dial plan logic
  Users/Callers allowed to access features/numbers/extensions they shouldn't be able to
Call Control and monitoring
  Can monitoring and recording functions be abused
  Can forwarding support be abused
Accounting and Billing
  Sometimes integrated, sometimes external support system, but often have easily guessable account and access codes as well as vulnerabilities of their own
VoIP Protocols
SIP/RTP/RTCP/MGCP/IAX/Skinny etc.
The basic approach to assessing a protocol implementation:
  Authentication Methods
  Unauthenticated Attacks
  Authenticated Attacks
  Encryption/Signing options
Support Protocols
The 'IP' component in VoIP is slightly more than IP, it extends to TCP, UDP and supporting protocols like DHCP, DNS, TFTP etc.
These protocols all have their own issues
These protocols also have some ideas for solutions (e.g. IPsec, VPNs, IDS/IPS, firewalls etc.)
Combined with VoIP increase the risk of some of the attacks that can occur
A VoIP assessment can be done as part of an infrastructure assessment or standalone but standalone assessments should caveat that validity is dependent on infrastructure assessments being performed independently.
Case Study: Asterisk

Why Asterisk as a study subject?

It's popular

It's freely available

No additional hardware required

It's open source


Asterisk: Operating Platform
Network infrastructure
  Firewalls will have to be configured to support Asterisk
  Mail server configuration
  Basic networking DNS, TCP, UDP, IP etc.
Operating Systems
  Runs on Linux so security issues relating to Linux apply to Asterisk.
  Patching of the OS/Asterisk and other components, file permissions, iptables etc.
Databases/Webservices/CRM
  Can have a database backend
  Commonly integrated with SugarCRM
  Has a number of web front ends (AsteriskNOW, FreePBX/TrixBox, FOP, MeetMe)
Asterisk: Vulnerabilities - Denial of Service

Asterisk SIP Channel Driver (chan_sip) SIP Malformed UDP Packet DoS

Asterisk Manager Interface Passwordless User MD5 Authentication DoS

Asterisk Malformed SIP INVITE Request DoS

Asterisk Crafted SIP Response Code handle_response Function DoS

Asterisk Malformed SIP Register Packet Remote DoS

Asterisk SIP Channel Driver Unspecified Remote DoS

Asterisk IAX2 Call Request Flood Remote DoS

Asterisk chan_iax2 IAX2 Channel Driver Unspecified DoS


Asterisk: Vulnerabilities - Code Execution

Asterisk T.38 SDP Parser chan_sip.c process_sdp Function Overflows

Asterisk pbx/pbx_ael.c Extension Language (AEL) Generation Weakness Arbitrary Extension Execution

Asterisk Skinny Channel Driver get_input Function Remote Overflow

Asterisk MGCP Malformed AUEP Response Handling Remote Overflow

Asterisk Record() Application Remote Format String

Asterisk JPEG Image Processing Overflow

Asterisk Manager CLI Command Overflow


Asterisk: Vulnerabilities - Code Execution
Asterisk T.38 SDP Parser chan_sip.c process_sdp Function Overflows

    else if ((sscanf(a, "T38FaxRateManagement:%s", s) == 1)) {
        found = 1;
        if (option_debug > 2)
            ast_log(LOG_DEBUG, "RateMangement: %s\n", s);
        if (!strcasecmp(s, "localTCF"))
            peert38capability |= T38FAX_RATE_MANAGEMENT_LOCAL_TCF;
        else if (!strcasecmp(s, "transferredTCF"))
            peert38capability |= T38FAX_RATE_MANAGEMENT_TRANSFERED_TCF;

----------------------------------------------------------------------

    else if ((sscanf(a, "T38FaxUdpEC:%s", s) == 1)) {
        found = 1;
        if (option_debug > 2)
            ast_log(LOG_DEBUG, "UDP EC: %s\n", s);
        if (!strcasecmp(s, "t38UDPRedundancy")) {
            peert38capability |= T38FAX_UDP_EC_REDUNDANCY;
            ast_udptl_set_error_correction_scheme(p->udptl,
                UDPTL_ERROR_CORRECTION_REDUNDANCY);
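
The excerpt reads a value taken from the peer's SDP with `%s` and no field width, into a buffer `s` declared outside the lines shown. The following is an added example, not code from the slides or from Asterisk: a bounded version of the same parse that rejects over-long values instead of truncating them silently. The function name, the flag values and the 32-byte limit are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed flag values for this example, not Asterisk's definitions. */
#define RATE_LOCAL_TCF       0x1u
#define RATE_TRANSFERRED_TCF 0x2u

#define VAL_MAX 32            /* assumed limit: longest value accepted */
#define STR_(x) #x
#define STR(x)  STR_(x)

/* Pattern in the excerpt, shown for comparison only:
 *     sscanf(a, "T38FaxRateManagement:%s", s)
 * "%s" carries no field width, so the sender decides how much is copied. */

/* Parse one SDP attribute body `a` (hypothetical helper).
 * Returns 1 and sets a bit in *cap for a recognised value, 0 when the
 * attribute is not T38FaxRateManagement (or has no value), and -1 when
 * the value is unknown or longer than VAL_MAX. */
int parse_t38_rate_mgmt(const char *a, unsigned *cap) {
    char s[VAL_MAX + 1];
    int end = 0;

    if (sscanf(a, "T38FaxRateManagement:%" STR(VAL_MAX) "s%n", s, &end) != 1)
        return 0;
    /* The width stopped the copy early if non-space input still follows. */
    if (a[end] != '\0' && !isspace((unsigned char)a[end]))
        return -1;
    if (!strcasecmp(s, "localTCF"))
        *cap |= RATE_LOCAL_TCF;
    else if (!strcasecmp(s, "transferredTCF"))
        *cap |= RATE_TRANSFERRED_TCF;
    else
        return -1;
    return 1;
}

int main(void) {
    unsigned cap = 0;
    int rc = parse_t38_rate_mgmt("T38FaxRateManagement:transferredTCF", &cap);
    printf("rc=%d cap=0x%x\n", rc, cap);
    return 0;
}
```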
Asterisk: Configuration
Default passwords
  Very common on Asterisk, as are easily guessable SIP passwords
Bad dial plan logic
  Dial plan logic in Asterisk can become fairly complex and the flat file format makes it hard to follow; if the dial plan isn't documented (and updated) it can make it easy to make mistakes. Common mistakes in Asterisk include giving access to too many contexts or too many options in a public context.
Call Control and monitoring
  Asterisk can be configured (MixMonitor) to record calls to a file and these can often be left with lax permissions. Asterisk also has Intrude/Barge functionality with ChanSpy. A misconfigured dial plan can unintentionally give call monitoring abilities.
Accounting and Billing
  There are a variety of options for billing with Asterisk, they generally plug in to Asterisk using its Call Detail Record files. Each of these has their own security considerations.
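
One way to chart which contexts a public context can reach through `include =>` lines when reviewing a dial plan, as an added example that is not part of the original slides. The sample dial plan, its context names and the helper names are constructed for the example; only `[context]` headers and `include =>` lines are interpreted.

```c
#include <stdio.h>
#include <string.h>

#define NAME 32
struct edge { char from[NAME], to[NAME]; };

/* Constructed sample dial plan; context names are made up. */
static const char *SAMPLE =
    "[public]\ninclude => internal\n"
    "[internal]\ninclude => longdistance\n"
    "[longdistance]\nexten => _00.,1,Dial(SIP/trunk/${EXTEN})\n"
    "[voicemail]\nexten => 8500,1,VoiceMailMain()\n";

/* Collect one edge per "include => X" line under each [context]. */
static int parse_includes(const char *conf, struct edge *e, int max) {
    char cur[NAME] = "", line[128];
    int n = 0;
    while (*conf) {
        size_t len = strcspn(conf, "\n");
        snprintf(line, sizeof line, "%.*s", (int)len, conf);
        conf += len + (conf[len] == '\n');
        if (sscanf(line, " [%31[^]]", cur) == 1) continue;  /* new context */
        if (n < max && sscanf(line, " include => %31s", e[n].to) == 1)
            strcpy(e[n++].from, cur);
    }
    return n;
}

/* Fill seen[] with every context reachable from `start`; return the count. */
int reachable_contexts(const char *conf, const char *start,
                       char seen[][NAME], int max) {
    struct edge e[64];
    int ne = parse_includes(conf, e, 64), ns = 0, i, j, k;
    snprintf(seen[ns++], NAME, "%s", start);
    for (i = 0; i < ns; i++)              /* breadth-first over includes */
        for (j = 0; j < ne; j++) {
            if (strcmp(e[j].from, seen[i]) != 0) continue;
            for (k = 0; k < ns && strcmp(seen[k], e[j].to) != 0; k++) ;
            if (k == ns && ns < max) strcpy(seen[ns++], e[j].to);
        }
    return ns;
}

int main(void) {
    char seen[16][NAME];
    int n = reachable_contexts(SAMPLE, "public", seen, 16);
    for (int i = 0; i < n; i++) printf("public reaches [%s]\n", seen[i]);
    return 0;
}
```

In the sample, a caller entering `public` reaches `longdistance` through `internal`, which is the kind of over-broad access the slide describes.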
Asterisk: VoIP Protocols

Encryption options?

We've already seen simple vulnerabilities in the implementations

Fairly complicated to configure

Assumptions made by the developers


Conclusion

Configuration

Practise safe convergence

Apply traditional network security logic to VoIP.

Check the VoIP products for vulnerabilities.

Don't just scan, audit as well!


Where else can I get more information?
http://www.voipsa.org - The VoIP Security Alliance released a VoIP threat taxonomy and have an active mailing list covering VoIP issues
http://www.nist.gov - US centric but have excellent telephony security references
http://www.voip-info.org - Not particularly security related but a good source of VoIP information.
http://www.osstmm.org - The Open Source Security Testing Methodology Manual. The VoIP component is currently under development.
http://www.ngssoftware.com/
Copyright 2006. Next Generation Security Software Ltd. All other trade marks are the property of their respective owners and are used in an editorial context without intent of infringement.
Thank You
Comments/Questions?
Barrie Dempster - barrie@ngssoftware.com
