Alessio Pennasilico VoIP security
1. !
VoIP (in)Security
All your bases belong to us
Alessio L.R. Pennasilico
Phone/Fax +39 045 8271222 mayhem@alba.st
Verona, Milano, Roma
twitter: mayhemspp
http://www.alba.st/ FaceBook: alessio.pennasilico
Cagliari, 13 June 2011
2. $ whois mayhem
Security Evangelist @
Board of Directors:
CLUSIT, ISSA Italian Chapter, Italian Linux Society, OpenBSD
Italian User Group, Metro Olografix, Sikurezza.org,
Spippolatori Hacker Club
Hacker’s Profiling Project, CrISTAL, Recursiva.org
Alessio L.R. Pennasilico 2
3. IT Security...
A useless obstacle that slows down everyday operations
and damages the business?
4. IT Security...
Or prevention of, and response to, events that
would damage the business far worse?
5. Evolution
Technology evolves…
… and with it the threats, too!
14. mayhem
everyone wants to know
something about me
15. mayhem
it’s none of your business (KL)
16. History
"They that can give up essential liberty
to obtain a little temporary safety
deserve neither liberty nor safety."
Benjamin Franklin, 1759
24. Deployment
Faster, easier and cheaper to deploy
over national IP network infrastructure
25. Services
Native advanced services
for every user
Fax2Mail, VoiceMail, IVR, text2speech
26. Tools
Plenty of open source projects,
fully functional and very mature,
oriented to users, businesses and carriers:
Asterisk, FreeSwitch, OpenSER, OpenSBC
27. Standards
Using standard protocols,
it is truly interoperable:
SIP, H.323, IAX
28. Integration
The PBX or the VoIP client
can interact with other applications
and use centralized data:
billing, E.164, CRM integration
29. Question
but what about security?
31. Traditional Telephony
“I do it for one reason and one reason only.
I'm learning about a system. The phone
company is a System. A computer is a System,
do you understand? If I do what I do, it is only
to explore a system. Computers, systems,
that's my bag. The phone company is nothing
but a computer.”
Captain Crunch, “Secrets of the Little Blue Box”, 1971
(slide from Hacker's Profile Project, http://hpp.recursiva.org)
32. Eavesdropping
“Unknowns tapped the mobile phones of about
100 Greek politicians and offices, including the
U.S. embassy in Athens and the Greek prime
minister.”
Bruce Schneier, on his blog, 22nd June 2006
Greek wiretapping scandal
33. First attacks ...
“A brute-force password attack was launched against a SIP-based
PBX in what appeared to be an attempt to guess passwords.
Queries were coming in about 10 per second. Extension/
identities were incrementing during each attempt, and it appeared
that a full range of extensions were cycled over and over with the
new password. The User-Agent: string was almost certainly
falsified.”
John Todd on the VoIPSA mailing list, May 24th 2006
34. Frauds
“Edwin Andreas Pena, a 23 year old
Miami resident, was arrested by the
Federal government: he was involved in
a scheme to sell discounted Internet
phone service by breaking into other
Internet phone providers and routing
connections through their networks.”
The New York Times, June 7th 2006
37. Robert Moore
"It's so easy a
caveman can do it!"
“I'd say 85% of them were misconfigured
routers. They had the default passwords on
them: you would not believe the number of
routers that had 'admin' or 'Cisco0' as
passwords on them”.
39. VoIP Risks
Telephones had always been seen as secure,
because they use proprietary hardware,
proprietary protocols, and are disconnected from
the other devices.
VoIP multiplies traditional telephony
risks by IP network risks.
41. Protect us!
End users have no way to protect themselves: they have
to adhere to their carrier's configuration.
Providers and companies implementing a VoIP
infrastructure should take care of their customers'
security and privacy.
42. SPIT
SPAM over Internet Telephony will become an
emergency.
The low cost of VoIP calls, the wide availability of human
and technical resources, the use of recorded messages and
high revenues even on small purchases make SPIT an
attractive business.
43. Vishing
Voice phishing is a typical fraud against end users,
made possible by the characteristics of VoIP.
The cheapness of this technology permits deploying the
attack on a large scale, integrating some “old style”
attacks (e.g. wardialing, caller ID spoofing).
This fraud relies on the user's trust in the “telephone
device” and in the caller's identity.
45. Risks
Denial of Service (DoS), eavesdropping, identity theft, toll
fraud, vishing and SPIT are real risks.
There are dozens of free, open source, downloadable
tools built specifically to test/attack VoIP protocols and
devices.
We can use them to secure our
infrastructure!
46. How does a
phone call work?
http://www.alba.st/
54. Power up the phone ...
VoIP phones execute some actions at bootstrap,
many of which are vulnerable to different legacy
attacks:
• Phones obtain IP address from a DHCP server
• DHCP furnishes the TFTP server address to the phone
• Phones download the firmware from the TFTP server
• Phones download configuration from the TFTP server
• Phones authenticate on the VoIP server
55. ...and start a call.
When bootstrap is complete the phone exchanges
some information with the server to describe its
status and to inform the VoIP PBX about call status
(signaling).
When a call is answered a new flow of UDP packets
starts, carrying our voice. This is called RTP and
can be established between the end points or
between each SIP UA and its server.
56. What can I do? :)
DHCP Spoofing -> TFTP redirect
TFTP Spoofing -> OS substitution
TFTP Queries -> obtain configurations
Password Sniffing
PBX Spoofing -> negotiate auth
RTP Traffic in clear
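The first three lines above (DHCP spoofing, TFTP spoofing, TFTP queries) all target the bootstrap sequence of the previous slides. As an added example, not from the slides, here is the defender's side of that sequence: a software version of the "DHCP snooping" feature listed later under "clever" devices, run over constructed DHCP OFFER records, plus an integrity check on the image a phone fetches from TFTP. The server addresses, MACs and firmware bytes are all constructed.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class DhcpOffer:          # the fields of an OFFER that matter for phone provisioning
    server_ip: str        # DHCP server identifier (option 54)
    server_mac: str       # source MAC of the frame carrying the OFFER
    client_mac: str       # the phone being provisioned
    tftp_server: str      # option 66 / next-server the phone will download from

# Trusted provisioning data for a constructed voice VLAN.
TRUSTED_DHCP = {"10.10.0.1": "00:11:22:33:44:55"}   # server IP -> its real MAC
EXPECTED_TFTP = "10.10.0.5"

# Constructed OFFERs as a monitoring port on that VLAN might see them.
OFFERS = [
    DhcpOffer("10.10.0.1", "00:11:22:33:44:55", "aa:bb:cc:00:00:01", "10.10.0.5"),    # legitimate
    DhcpOffer("10.10.0.1", "66:77:88:99:aa:bb", "aa:bb:cc:00:00:02", "10.10.0.5"),    # server IP spoofed
    DhcpOffer("10.10.0.99", "de:ad:be:ef:00:01", "aa:bb:cc:00:00:03", "10.10.0.99"),  # rogue server
    DhcpOffer("10.10.0.1", "00:11:22:33:44:55", "aa:bb:cc:00:00:04", "10.10.0.77"),   # TFTP redirect
]

def check_offers(offers, trusted=TRUSTED_DHCP, tftp=EXPECTED_TFTP):
    """Software equivalent of DHCP snooping: (client_mac, reason) for every OFFER
    a phone should not have trusted. Checks are ordered by severity."""
    alerts = []
    for o in offers:
        if o.server_ip not in trusted:
            alerts.append((o.client_mac, f"rogue DHCP server {o.server_ip}"))
        elif trusted[o.server_ip] != o.server_mac:
            alerts.append((o.client_mac, f"DHCP server {o.server_ip} spoofed from {o.server_mac}"))
        elif o.tftp_server != tftp:
            alerts.append((o.client_mac, f"TFTP redirect to {o.tftp_server}"))
    return alerts

# Constructed firmware bytes; in practice the digest comes from the vendor's release.
KNOWN_IMAGE = b"constructed-phone-firmware-v1"
KNOWN_DIGEST = hashlib.sha256(KNOWN_IMAGE).hexdigest()

def verify_image(data, expected_sha256=KNOWN_DIGEST):
    """A phone trusts whatever TFTP serves; compare the fetched bytes against a
    known digest so a substituted OS or configuration is noticed."""
    return hashlib.sha256(data).hexdigest() == expected_sha256
```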
62. Inter-VLAN routing
You need at least an L3 device.
It can be a firewall with ACLs.
A VoIP-protocol-aware firewall is much more
effective.
63. AAA
Authentication
Authorization
Accounting
Do you have all three A's?
67. mis-configuration
0039081XXXXXXX
“Press 1 for commercial office,
2 for sales dept, 3 to access the search menu,
9 to talk with an operator”
3 0 0456152498
“Alba S.T., good morning, how can I help you?”
68. “clever” devices
Many network devices support security features
to mitigate known attacks:
✓ gratuitous ARP block
✓ DHCP snooping
✓ flood detection
✓ QoS support
✓ …
69. Power over Ethernet
Is your switch on a UPS?
How long can your UPS keep
powering the phones on battery?
70. Quality of Service
A security feature?
It can keep VoIP traffic from being delayed or
dropped.
...needed...
71. Redundancy
Is it a security feature, or just about business
continuity?
Don’t know, but you need it :)
72. Training
Security is unsuccessful if you do not teach
people what to do, how to use the new
technology you give them, and the importance of
the data they are managing.
73. Tools to test your
infrastructures...
http://www.alba.st/
74. Ettercap
The man-in-the-middle attack suite. Multiplatform,
usable from the console or in a window manager.
Ettercap allows performing all the typical layer 2 tests to
understand how vulnerable our switched network is
if not correctly protected.
Keywords: arp spoofing, arp poisoning, hijacking, sniffing, decoding,
dns spoofing, dos, flood.
http://ettercap.sourceforge.net/
76. Vomit
Voice Over Misconfigured Internet Telephones: from
a standard tcpdump trace it can create a wave file
with the audio of a conversation intercepted on the
monitored network.
It supports the MGCP protocol with the G.711 codec and
works only on Linux.
./vomit -r elisa.dump | waveplay -S 8000 -B 16 -C 1
77. Wireshark
Multiplatform sniffer, with a lot of decoders that
allow managing the intercepted traffic.
Wireshark can identify and decode both signaling
and RTP traffic and shows all the information needed for
subsequent analysis.
http://www.wireshark.org/
79. Oreka
Available for Windows and Linux, it supports Cisco Call
Manager, Lucent APX8000, Avaya, S8500, Siemens
HiPath, VocalData, Sylantro and Asterisk SIP channel
protocols.
It eavesdrops on and records the RTP part of phone calls.
Simple, intuitive, accessible through a web interface,
based on a MySQL database.
http://oreka.sourceforge.net/
80. Ohrwurm
“Ear worm” is an RTP fuzzer. It sends a large number
of requests with different combinations of
parameters, some correct and some making little or no
sense, and interprets the answers to identify
anomalies.
Anomalies are often the launchpad for discovering a bug
or an implementation defect.
http://mazzoo.de/blog/2006/08/25#ohrwurm
81. SipSak
The SIP Swiss Army Knife allows interacting with any SIP
device, forging ad hoc SIP traffic to gather
information on the target's features and behaviour.
http://sipsak.org/
82. Smap
By merging nmap and SipSak, this project creates a
new, specific tool: a program able to detect all the SIP
devices in the network and produce a report for
each one.
This gives us a map of the VoIP devices,
with their features, brand and model.
http://www.wormulon.net/index.php?/archives/1125-smap-released.html
83. SiVus
It is a SIP security scanner: it verifies the characteristics of
the scan targets and compares them against a database
of known misconfigurations and bugs.
This database is growing
at an impressive pace …
http://www.vopsecurity.org/html/tools.html
84. SipVicious
SIPVicious is an integrated suite that allows scanning,
enumerating and cracking SIP accounts.
svmap - a SIP scanner: lists the SIP devices found on an IP range
svwar - identifies active extensions on a PBX
svcrack - an online password cracker for SIP PBXs
svreport - manages sessions and exports reports to various formats
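The svwar/svcrack behaviour listed above is the same pattern John Todd reported in the "First attacks" slide: extensions cycled in sequence at about ten REGISTERs per second. As an added example, not from the slides or from the SIPVicious project, this detector runs over constructed authentication-failure log lines (the line format is assumed) and tells an extension sweep apart from password guessing against a single extension.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (format assumed for this example): one line per
# REGISTER attempt with source address, requested extension and SIP status.
SAMPLE_LOG = """\
2011-06-13 10:00:00 REGISTER from 203.0.113.7 ext=100 status=403
2011-06-13 10:00:00 REGISTER from 203.0.113.7 ext=101 status=403
2011-06-13 10:00:01 REGISTER from 203.0.113.7 ext=102 status=403
2011-06-13 10:00:01 REGISTER from 203.0.113.7 ext=103 status=403
2011-06-13 10:00:02 REGISTER from 203.0.113.7 ext=104 status=403
2011-06-13 10:00:02 REGISTER from 203.0.113.7 ext=105 status=403
2011-06-13 10:00:05 REGISTER from 198.51.100.9 ext=204 status=401
2011-06-13 10:00:06 REGISTER from 198.51.100.9 ext=204 status=200
"""

LINE_RE = re.compile(r"(?P<ts>\S+ \S+) REGISTER from (?P<src>\S+) "
                     r"ext=(?P<ext>\d+) status=(?P<status>\d+)$")

def parse(log):
    """Turn log text into a list of dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]

def analyse(events, min_failures=5, min_rate=1.0):
    """Return {src: reason} for sources whose failed REGISTERs look automated.
    A real phone retries one extension a few times; a scanner either sweeps
    many consecutive extensions (svwar) or hammers a single one (svcrack)."""
    fails = defaultdict(list)
    for e in events:
        if e["status"] != "200":          # anything but a successful registration
            fails[e["src"]].append(e)
    findings = {}
    for src, evs in fails.items():
        if len(evs) < min_failures:
            continue
        times = [datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S") for e in evs]
        span = max(1.0, (max(times) - min(times)).total_seconds())  # never divide by 0
        rate = len(evs) / span
        if rate < min_rate:
            continue
        exts = sorted({int(e["ext"]) for e in evs})
        if len(exts) == 1:
            findings[src] = f"password guessing on ext {exts[0]}: {len(evs)} failures at {rate:.1f}/s"
        elif all(b - a == 1 for a, b in zip(exts, exts[1:])):
            findings[src] = f"extension sweep: {len(exts)} consecutive extensions at {rate:.1f}/s"
        else:
            findings[src] = f"{len(evs)} failures over {len(exts)} extensions at {rate:.1f}/s"
    return findings
```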
90. Conclusions
✓ Pay attention to risk analysis and planning!
✓ Divide into multiple VLANs
✓ Implement QoS
✓ Be extremely careful with AAA
✓ Use cryptography! (TLS, SRTP)
✓ Use “clever” devices
(they can mitigate mitm, garp, spoofing, flooding and other known attacks)
✓ Application-level firewall
✓ Avoid single points of failure
✓ Periodic security tests
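To make "Be extremely careful with AAA" and "Use cryptography (TLS, SRTP)" checkable on the Asterisk PBX mentioned earlier, here is an added example (not Asterisk's own tooling) that lints a chan_sip sip.conf for those points. The option names are real chan_sip options; the sample file, the weak-secret list and the peer secrets are constructed.

```python
# Added lint for an Asterisk chan_sip sip.conf (not Asterisk's own code); the
# option names are real chan_sip options, the sample file is constructed.
WEAK_SECRETS = {"", "1234", "admin", "password", "Cisco0"}  # last two: Robert Moore's quote

SAMPLE_SIP_CONF = """\
[general]
allowguest=yes   ; anonymous callers accepted; alwaysauthreject and tlsenable unset
[201]            ; typical weak peer
type=friend
secret=201       ; secret equals the extension; udp, no SRTP, no ACL
[202]            ; hardened peer
type=friend
secret=7mQ!v9zR2pL#eW   ; constructed strong secret
transport=tls
encryption=yes   ; require SRTP for the media
deny=0.0.0.0/0.0.0.0
permit=10.10.0.0/255.255.0.0
"""

def parse_sip_conf(text):
    # Minimal parser: [section] headers, key=value lines, ';' starts a comment.
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section, conf[section] = line[1:-1], {}
        elif "=" in line and section is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[section][key] = value
    return conf

def audit(conf):
    # Returns 'section: problem' strings; an empty list means nothing was found.
    out, g = [], conf.get("general", {})
    if g.get("allowguest", "yes") != "no":           # chan_sip default is yes
        out.append("general: set allowguest=no (unauthenticated calls are accepted)")
    if g.get("alwaysauthreject") != "yes":
        out.append("general: set alwaysauthreject=yes (replies reveal which extensions exist)")
    if g.get("tlsenable") != "yes":
        out.append("general: set tlsenable=yes (no TLS listener for signaling)")
    for name, p in conf.items():
        if p.get("type") not in ("peer", "friend"):   # not an endpoint definition
            continue
        if p.get("secret", "") in WEAK_SECRETS or p.get("secret") == name:
            out.append(f"{name}: weak or missing secret")
        if p.get("transport", "udp") != "tls":
            out.append(f"{name}: signaling in clear (set transport=tls)")
        if p.get("encryption", "no") != "yes":
            out.append(f"{name}: RTP in clear (set encryption=yes for SRTP)")
        if "permit" not in p and "deny" not in p:
            out.append(f"{name}: no permit/deny ACL")
    return out
```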
92. VoIP explosion
“Mobile VoIP Users
to Nearly 139 Million by 2014
Says In-Stat”
93. Conclusions
VoIP can be secure
94. Conclusions
more secure
than traditional telephony
95. Conclusions
it depends on us
96. !
These slides are written by Alessio L.R. Pennasilico aka mayhem.
They are subject to the Creative Commons Attribution-ShareAlike 2.5
licence; you can copy, modify, or sell them.
“Please” cite your source and use the same licence :)
Alessio L.R. Pennasilico
Phone/Fax +39 045 8271222 mayhem@alba.st
Verona, Milano, Roma
twitter: mayhemspp
http://www.alba.st/ FaceBook: alessio.pennasilico
Cagliari, 13 June 2011
97. !
Questions?
98. !
Thanks for your attention!
99. Quote from the video
Our world is no longer dominated by weapons,
by energy, by money; it is dominated by little ones and zeros,
by bits and by data, everything is just electronics.
There's a war out there, my friend. A world war.
And it doesn't matter in the least who has the most bullets;
what matters is who controls the information. What we
see, what we hear, how we work, what we think, it is all
based on information!