VoIP security: Implementation and Protocol Problems

VoIP Security

Implementa3on and Protocol Problems

Sean Heelan, ISSA Seminar, May 2009

Overview
• VoIP background info
• Finding and exploi3ng implementa3on related
bugs
• Finding and exploi3ng protocol related bugs
• Ques3ons!

VoIP Security ‐ Implementa3on and
5th May 2009 2
Protocol Problems

Who am I
• Graduate student in Computer Science
• Primarily interested in soNware veriﬁca3on
and program analysis

5th May 2009 3
Protocol Problems

VoIP Background Info

5th May 2009 4
Protocol Problems

Popularity of VoIP
• Why bother looking for security problems?
• ~50% of American businesses using it in some
form in 2008 (src. Computer Economics)
• Anyone here today?
• Home users – Skype, Gizmo, Blueface etc.

5th May 2009 5
Protocol Problems

Ambiguous graph 3me

5th May 2009 6
Protocol Problems

Protocols
• SIP
• SCCP
• H.225
• H.239
• H.245
• RTCP
• SDP
• MGCP
5th May 2009 7
Protocol Problems

Protocols
• IAX2
• Skype
• H.460
• H.450
• RTP
• STUN
• RSVP
• SS7
• ….and so on
5th May 2009 8
Protocol Problems

Protocols
• Why so many?
• Call setup, signalling, data transfer, route
nego3a3on, PSTN interoperability
• Each requiring a diﬀerent protocol and a
diﬀerent implementa3on
• Usually in C or C++

5th May 2009 9
Protocol Problems

Protocols
• More protocols == More ahack vectors
• Heterogeneous networks are good for an
ahacker and bad for an administrator
• Tes3ng eﬀorts are diluted across devices and
protocols
• No public tes3ng tools available for the
majority of the protocols men3oned

5th May 2009 10
Protocol Problems

VoIP: A hackers dream
• Integrates the voice communica3ons of an
organisa3on into an environment the ahacker
is familiar with
• Same protocols, tools and environments
• Open standards and accessible devices
• Scary as hell when you think about it – you
just moved your en3re comms infrastructure
to our playground
• Cheers!
5th May 2009 11
Protocol Problems

Ahacking the implementa3on

5th May 2009 12
Protocol Problems

Good ol’ memory corrup3on
Servers running on Windows, Linux or other
Unix
+ Phones running on a tradi3onal OS or oNen
embedded Linux
+ Wrihen in C/C++
= Buffer overflows, NULL pointers, infinite loops
and all their friends

5th May 2009 13
Protocol Problems

Finding the bugs
• Fuzzing ‐ a rather eﬀec3ve hammer for many a
nail
• Automa3cally genera3on/sending semi‐valid
requests to a target in the hope of crashing it
• Requires no understanding of the applica3on/
device internals
• Responsibly for the detec3on of a huge
percentage of security bugs
5th May 2009 14
Protocol Problems

Fuzzing in 2 minutes
• Genera3on based
• Muta3on based
• Extensions – Binary analysis, feedback loops,
debuggers

5th May 2009 15
Protocol Problems

Fuzzing example 1
INVITE sip:201@192.168.3.102 SIP/2.0
CSeq: 536870905 INVITE
Via: SIP/2.0/UDP 192.168.3.104:6060;branch=z9hG4bKmj1079uq
Content-Type: application/sdp
Content-Length: 378

s_static(“INVITE quot;)
s_string(“sip:201@192.168.3.102”)
s_static(” SIP/2.0 rnquot;)

INVITE AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA SIP/2.0
Content-Length: 378

5th May 2009 16
Protocol Problems

Fuzzing example 2
INVITE sip:201@192.168.3.102 SIP/2.0
Content-Length: 378

s_static(quot;Content-Length: quot;)
s_dword(378, fuzzable=True, format=“ascii”)
s_static(quot;rnquot;)

INVITE sip:201@192.168.3.102 SIP/2.0
Content-Length: 4294967296

5th May 2009 17
Protocol Problems

Building your own fuzzer
• Genera3onal fuzzing frameworks available –
Peach, Sulley, Fusil, Spike etc
• Map out the protocol in a high level
descrip3on language
• Auxiliary tools for crash detec3on and logging

5th May 2009 18
Protocol Problems

Feeling lazy?
• Free fuzzers for SIP – PROTOS, VoIPER
• Commercial fuzzers ‐ Codenomicon,
MuDynamics
• Use a generic fuzzer like GPF – takes a packet
capture and mutates it

5th May 2009 19
Protocol Problems

Does it work?

5th May 2009 20
Protocol Problems

And the award for epic fail goes to….

5th May 2009 21
Protocol Problems

Memory corrup3on summary
• Fuzzers make it simple to ﬁnd bugs
• Trivial to ﬁnd DoS condi3ons
• Currently no public exploits that remotely
execute malicious code on hard‐phones
• Exploi3ng vulnerabili3es in soN‐phones is
much easier, diho for servers running on
tradi3onal opera3ng systems

5th May 2009 22
Protocol Problems

So hard‐phones are safe then?
• Not quite …
• Run a variety of services along with the VoIP
core
• Web server, TFTP server/client, terminal
admin console
• Introduces every ahack vector available
against these services

5th May 2009 23
Protocol Problems

Web service ahacks
• Most hard‐phones provide a web based admin
interface, as do many servers
• Notoriously security agnos3c
• XSS, CSRF, SQL injec3on, default/no passwords,
authen3ca3on bypass

“Cisco Uniﬁed Communica7ons Manager is vulnerable to
a SQL Injec7on aBack in the parameter key of the
admin and user interface pages. A successful aBack
could allow an authen7cated aBacker to access
informa7on such as usernames and password hashes
that are stored in the database.” – Cisco 2008
5th May 2009 24
Protocol Problems

Web ahack example
• Snom 320 VoIP phones
• Admin interface accepts unauthorized POST
data
• Admin interface can also be used to make calls
• GNUCi3zen.org combined the above two
‘features’ for remote surveillance

5th May 2009 25
Protocol Problems

GNUCi3zen.org – Snom 320 ahack
• Ahacker scans for vulnerable devices by
checking for remotely accessible signature
ﬁles
• Ahacker sends POST to vic3m’s IP with data:
NUMBER=ATTACKERNUM
• Ahacker answers the incoming call
• Vulnerable device uses inbuilt receiver to
capture ambient sound and send to the
ahacker
5th May 2009 26
Protocol Problems

Finding web service bugs
• Simple to automate
• Standard tools for ﬁnding SQL, CSRF and XSS
bugs – w3af ahack framework
• Using SIP packets as an injec3on vector – XSS
in log data
• Far easier to ﬁnd and exploit a bug in a web
interface than to create a reliable memory
corrup3on exploit
5th May 2009 27
Protocol Problems

Ahacking the protocols

5th May 2009 28
Protocol Problems

Ahacking the protocols
• Authen3ca3on
• Authoriza3on
• Encryp3on
• Same approach as every TCP/IP based service

5th May 2009 29
Protocol Problems

Ahacking the protocols ‐ discovery
• Many VoIP protocols are TCP based and run on
standard ports – nmap
• Specialist tools available for certain protocols
– SIPVicious, iaxscan – Can scan thousands of
hosts an hour
• Scanning random hosts turns up hoards of
easily accessible servers

5th May 2009 30
Protocol Problems

Ahacking the protocols ‐
authen3ca3on
• SIP and IAX2 – 2 step authen3ca3on by default
• What does that mean? – We can enumerate valid
accounts ﬁrst and then crack passwords
• Account discovery search space
– Two step auth = X*X
– Single step auth = XX
Where X is the size of the username/password pool
• We’d shoot a web developer that did this but
apparently it’s OK for VoIP
5th May 2009 31
Protocol Problems

Ahacking the protocols ‐
authen3ca3on
• Many networks s3ll use 3 or 4 digit usernames
and passwords
• SIPVicious/iaxscan can check all possible
combina3ons in minutes

5th May 2009 32
Protocol Problems

Ahacking the protocols ‐ sniffing
• Not en3rely a protocol level problem
• Intercepted communica3ons can be easily
reconstructed into audio/video files –
wireshark, UCSniff
• VLAN hopping – exploi3ng networks that rely
on layer 2 protocols to allow access to the
voice LAN – Voip Hopper

5th May 2009 33
Protocol Problems

Taking the trunk
• Stealing individual accounts is fun and all but
how about stealing the phone company?
• Requires admin access to an accessible router
or switch
• How?
• Straight through the front door

5th May 2009 34
Protocol Problems

Taking the trunk
• Robert Moore – 2007, stole 10 million minutes
worth of talk 3me
• Step 1: Bought informa3on on corporate IP
addresses for $800
• Step 2: Scanned for accessible VoIP routers and
switches
• Step 3: Scanned for default passwords and
unpatched Cisco boxes
• Step 4: Proﬁt! (Or jail in Mr. Moore’s case)

5th May 2009 35
Protocol Problems

Taking the trunk
• “70% of all the companies he scanned were
insecure, and 45% to 50% of VoIP providers were
insecure”
• “I'd say 85% of them were misconﬁgured routers.
They had the default passwords on themquot;
• “The telecoms we couldn't get into had access
lists or boxes we couldn't get into because of
strong passwords.”
‐ Source: http://www.informationweek.com
5th May 2009 36
Protocol Problems

Ahacking the protocols ‐ summary
• Essen3ally the same oﬀence/defence we’ve
had for years
• Discovery, enumera3on and exploita3on
follow roughly the same paherns as most
other TCP/IP services
• Protec3ng against these problems is the same
struggle with password management, access
lists and updates

5th May 2009 37
Protocol Problems

Ques3on Time!
http://seanhn.wordpress.com

5th May 2009 38
Protocol Problems

VoIP security: Implementation and Protocol Problems

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (17)

Similar to VoIP security: Implementation and Protocol Problems

Similar to VoIP security: Implementation and Protocol Problems (20)

Recently uploaded

Recently uploaded (20)

VoIP security: Implementation and Protocol Problems