2. The Sipera Approach
• Learn
Sipera VIPER™ lab concentrates all its efforts on Vulnerability Research to
learn about different kinds of unique threats in SIP/IMS/UMA networks and UA
• Verify
Sipera LAVA™ tool emulate thousands of attacks to verify above threats.
• Protect
Sipera IPCS™ products combines VPN, Firewall, IPS etc functionality for VoIP
systems in a single device to protect and enable unified communications.
November 23, 2007 Sipera Proprietary & Confidential 2
3. Talk Outline
1. VoIP Overview
2. VoIP protocols
3. SIP Protocol Analysis
4. Weaknesses in VoIP Protocols
5. Attack Vectors
6. Conclusion
7. Demo
November 23, 2007 Sipera Proprietary & Confidential 3
4. VoIP Overview
• What is VoIP?
VoIP is an IP telephony service which converts analog data signals into digital
signals and carries it over internet.
• Why VoIP?
Cost Effective
Flexible and Easy implementation
Advance Services
November 23, 2007 Sipera Proprietary & Confidential 4
5. VoIP Protocols
• H.323
• Session Initiation Protocol ( SIP )
• Skinny Client Control Protocol ( SCCP )
• Media Gateway Control Protocol ( MGCP )
November 23, 2007 Sipera Proprietary & Confidential 5
6. SIP Protocol Overview
• SIP stands for Session Initiation Protocol
SIP is signaling protocol
Plain-Text like HTTP
Supports encryption like HTTPS
Supports TLS
Supports encryption of VoIP Media Data
• SIP Components
User Agent Client ( UAC )
User Agent Server ( UAS )
November 23, 2007 Sipera Proprietary & Confidential 6
7. SIP Architecture
Server: abc.com Server: xyz.com
joe@abc.com john@abc.com alice@xyz.com veronica@xyz.com
How call are made between to VoIP Phones
November 23, 2007 Sipera Proprietary & Confidential 7
8. SIP Call Flow
Call Flow: How the whole session looks like.
November 23, 2007 Sipera Proprietary & Confidential 8
9. Weaknesses and Vulnerabilities in SIP
• UAS/UAC identity disclosure
• Username/Password cracking
• Eavesdropping
• Data Mangling
• SIP call Setup, Routing and Termination
November 23, 2007 Sipera Proprietary & Confidential 9
10. Attack Vectors
• UAS/UAC identity disclosure
Similar to Banner Grabbing.
Users Enumeration
• Username/Password cracking
Call/Toll Fraud
Spamming
November 23, 2007 Sipera Proprietary & Confidential 10
11. Attack Vectors
• Eavesdropping
Spying
Mass Password Discovery
• Data Mangling
Phishing
Spam Over Internet Telephony
QoS Degradation
November 23, 2007 Sipera Proprietary & Confidential 11
12. Attack Vectors
• SIP call Setup, Routing and Termination
Fake REGISTER and INVITE
Active Eavesdropping
Fake REGISTER, BYE and CANCEL
• Denial of Service Attack ( DoS )
Flooding ( INVITE, REGISTER, SUBSCRIBE, BYE … et al )
Stealth DoS
Call Jamming
Distributed DoS ( DDoS )
November 23, 2007 Sipera Proprietary & Confidential 12
13. DEMONSTRATION
Witness your desk phone getting 0w||3d !!
Thank You ☺
November 23, 2007 Sipera Proprietary & Confidential 13