The purpose of this paper is to assist in forming the basics of a high level discussion into the potential areas where vulnerabilities can be inherited from when building VoIP systems.
The study of these vulnerabilities increases your understanding of them and once you understand them you will also have a better understanding of how to mitigate them.
A vulnerability is a weakness in a system that can result in harm to the system or its operations, especially when this weakness is exploited by a hostile person or organization or when it is present in conjunction with particular events or circumstances.
As VoIP is an IP based technology which utilizes the Internet it also inherits all associated IP vulnerabilities. The impact of these internet borne attacks is then multiplied by the VoIP architecture as it adds a number of additional weaknesses of its own.
Inherent Vulnerabilities are those which will always exist in a system as they are part of its very nature and therefore permanently characteristic of it. For example, if we build a castle with wooden walls, the walls will always be susceptible to fire. Therefore an inherent vulnerability of wooden walls is that they can be burnt down.
Acquired Vulnerabilities are those which only impact a system under certain specific conditions. For example if we build our castle with 50 feet tall stone walls we would expect to be reasonably secure, however if someone leaves the gate open we are now vulnerable again. The open gate being a perfect example of an acquired vulnerability.
Where do these vulnerabilities come from?
Your LAN; do you have Wi-Fi? Both WEP and WPA have been hacked.
Your Servers; are the drivers up to date or does that old NIC Card driver have a well known vulnerability?
Your Servers; are the Operating Systems fully patched and up to date or does your VoIP manufacturer recommend that you turn auto updates off?
Your Switches and Routers; are the operating systems up to date or are they subject to publicized vulnerabilities?
Your VoIP system; now that it is sat on the network it is susceptible to anything which has a detrimental effect on that network, such as broadcast storms.
Your VoIP handsets; voice is carried over UDP, so flooding the network with UDP packets usually causes all kinds of problems from handsets failing to an entire system crash.
VoIP protocols; SIP uses clear text allowing a potential attacker to sniff the packets and see who is talking to who, where your servers are, etc.
Encryption (or the lack of it); quite often voice is carried over RTP; this can be sniffed, stored and then played back with something as easily available as Wireshark.
Poor Architectural Design
Poor or inadequate architecture can lead to difficulties in the operation and security of a VoIP system. Firewalls are particularly vulnerable areas in a VoIP network as they require additional ports to be opened to facilitate VoIP traffic. Non VoIP-aware firewalls may lack dynamic interaction with VoIP so they simply leave a range of ports continually open for call activity.
Attacks against the underlying VoIP devices’ Operating System
VoIP devices such as IP phones, VoIP softphone, ICPs, Gateways, and Proxy servers inherit the vulnerabilities of the operating system or firmware that they run on. For instance, Cisco Call Manager is typically installed on Windows and the Avaya Call Manager on Linux. There are hundreds of remotely exploitable vulnerabilities in all flavours of Windows and Linux which can be attacked with simple “point-and-shoot” exploits which are readily available for download on the Internet. No matter how secure an actual VoIP application happens to be, this becomes moot if the underlying operating system is compromised.
Configuration Weaknesses in VoIP devices
Many of the VoIP devices in their default configuration may have a variety of exposed TCP and UDP ports. The default services running on the open ports may be vulnerable to DoS, buffer overflows or weak passwords, which may result in compromising the VoIP devices.
Many VoIP devices run Web servers for remote management purposes, which may be vulnerable to attacks ranging from information disclosure to buffer overflows.
Equally the software developer may be just too busy writing his code to check that he is using the latest version of his favourite web server which he bundles with his application. Therefore it is quite possible to install an application written in 2010 which utilizes a web server written in 2002!
If any of the open services are not configured with a password, a weak password, or a default password an attacker may acquire unauthorized access to that device.
IP Infrastructure Attacks
The availability of VoIP services depends on the availability of the IP infrastructure it resides on. Any Denial of Service (DoS) attacks such as SYN floods or other traffic surge attacks that exhaust network resources (e.g. bandwidth, router connection table, etc.) could severely impact VoIP communications. Even worms or zombie hosts scanning for other vulnerable servers could cause traffic surges.
VoIP protocols rely on TCP and UDP as transport mediums and hence are vulnerable to any low level attacks on these protocols such as session hijacking (TCP), malicious IP Fragmentation, spoofing (UDP), TCP RST window brute forcing, or a variety of IP protocol anomalies which may cause unpredictable behaviour in some VoIP business phone services.
Reconnaissance Attacks are a form of intelligence gathering where networks are probed to ascertain their vulnerabilities. Methods used to achieve this include call walking and port scanning and are the first action undertaken by an attacker when attempting to penetrate a network. A successful probe would determine the behaviour of the network’s equipment, users, and services that might be available to be exploited or disrupted. This information could then be used to launch a focused attack against the network.
PBX Hosts and Gateways
Most service interceptions and eavesdropping attacks will usually require the compromise of a PC or server as a means of network access. Once compromised the host can facilitate this by sniffing voice packets to reveal information on calls, call duration, and call parameters.
A replay attack can be mounted against a VoIP phone services network by retransmitting a legitimate session so that the recipient device reprocesses the data. The basis of a replay attack is to capture a valid packet, which can then be replayed into the network. This generally causes the target network to respond and provide more traffic to capture, eventually providing enough information to move to packet spoofing and masquerading, or simply finding an entry point into the target network for eavesdropping.
For example a replay attack could be used to gain access to a network by capturing and replaying a valid user ID and password, even though the captured data is encrypted and the attacker was unable to decrypt it.
Packet Spoofing and Masquerading
- Packet spoofing uses IP packets with a false source address that may be used for:
- obscuring the origin of the packet
- implicating another site or host as the attack originator
- masquerading as a trusted host
- interception or hijacking of network traffic
- directing responses to another host or system
- undertaking man-in-the-middle spoofing attacks
A major risk associated with packet spoofing and masquerading is identity theft. For example a man-in-the-middle spoofing attack, as shown in the drawing below, can be launched when a person makes a call, which includes sensitive information. As a result of the attack they may speak to the intended recipient however, their call is being monitored by malicious users.
Denial of Service (DoS)
UDP Flood Attack
A UDP flood attack is initiated by sending a large number of UDP packets to random ports on a remote host. As a result, the distant host will:
- Check for the application listening at that port;
- See that no application listens at that port;
- Reply with an ICMP Destination Unreachable packet.
Thus, for a large number of UDP packets, the target system will be forced into sending many ICMP packets, eventually leading it to be unreachable by other clients. The attacker may also spoof the IP address of the UDP packets, ensuring that the excessive ICMP return packets do not reach him, but in fact act as a secondary Denial of Service attack on the owner of the spoofed address.
SYN Flood Attack
TCP SYN flood attacks subvert the TCP connection three-way handshake in order to overwhelm a target with connection management. A standard TCP three-way handshake includes
- The TCP client sends a SYN packet to the server.
- The server replies with a SYN-ACK packet.
- The client sends an ACK packet back to the server.
The actual attack typically involves the attacker sending a flood of SYN packets with spoofed source IP addresses. The victim will then respond with a SYN-ACK to the unsuspecting or nonexistent spoofed source. To complete the TCP connection, the victim is then left waiting for a period of time for the ACK packet from the spoofed source. This is the crux of the attack because the final ACK is never sent, and subsequently the victim’s connection table quickly fills up and consumes all available resources with these invalid requests. The end result is that a server, phone, or router will not be able to distinguish between bogus DoS SYNs and legitimate SYNs related to actual VoIP connections.
VoIP Protocol Implementation Vulnerabilities
Fuzzing is a legitimate method of testing software systems for bugs and is accomplished by providing an application with semi-valid input to see what its reaction will be. This technique can be employed to exploit vulnerabilities in a target VoIP system and is achieved by sending messages so that the target system will assume the sent content is valid. In reality, the message is ‘broken’ or ‘fuzzed’, thus causing various failures to occur when the target system attempts to parse or process it. Resultant failures can include application delays, information leaks, and system crashes.
VoIP Application Level Attacks
Denial of Service (DoS)
DoS and Distributed Denial of Service (DDoS) attacks occur when a malicious user deliberately sends an exceedingly large amount of random messages to one or more VoIP end-points from either a single location (DoS) or from multiple locations (DDoS). Multiple locations are achieved through the use of zombies (compromised machines that could be woken upon request and used for malicious purposes). The DoS attack is successful when the amount of incoming messages exceeds the processing capacity of the target system, thereby exhausting system resources and thus, denying services to the end-users.
VoIP systems are especially vulnerable to DoS and DDoS attacks because of the high fundamental requirement that they place on QoS. Therefore less traffic or network disruption is required for a DoS attack to be successful when compared to mounting a DoS attack against a data network. A further consideration is needed where VoIP and data share the same network. Here the data network could also be subject to the same DoS attack. Examples of VoIP specific DoS attacks include the SIP INVITE attack and the SIP BYE attack.
SIP INVITE Attack
In SIP, the INVITE request is used to initiate a call. The INVITE request is key because it “kicks off” processing within the SIP proxy or phone. If a SIP proxy or phone can be tricked into accepting a flood of INVITE requests, a partial or full disruption of service can occur.
A number of attack scenarios exist for INVITE floods, targeted at both SIP proxies and phones.
SIP CANCEL Attack
During the call setup between user 1 and user 2, an attacker sends a crafted SIP packet with a “CANCEL” request to the proxy, which in turn cancel user 1’s “INVITE” request, ceasing the call set up process.
A similar attack is the SIP BYE attack in which a “BYE” request is sent instead of the “CANCEL” request. This also terminates the targeted call.
Call Hijacking & Redirection
Call hijacking and redirection occurs when a call intended for one user is redirected to another. To achieve this, an attacker only needs to have knowledge of the user’s authentication credentials in order to impersonate and receive all calls intended for that user. Methods including spoofing of a node, man-in-the-middle attacks, and manipulation of call requests using signalling response codes make call hijacking and redirection relatively easy to instigate. Further to this, VoIP features including call forwarding and ‘follow-me’ also help facilitate the ability to route calls to specific phone numbers.
Call hijacking and redirection can also be used for financial gain. For example, call hijacking can be targeted by cyber-criminals who resell the calls. This is sometimes used as a money laundering channel from which organisations would only see an increase in bandwidth usage together with increased costs. Similarly, call redirection may also transit another system to collect data for later analysis or simply as a revenue gathering mechanism. In this case, the consequences may include the loss of sensitive information and service disruption.
Call hijacking was recently discovered in Miami by the US Federal government. In this particular case Edwin Pena sold discounted Internet phone services by hacking into other Internet phone providers and piggybacking connections through their networks unbeknown to them. In one three-week period a particular Internet phone provider received about 500,000 calls that were made to look like they had come from the investment company Rye Brook. Because of this, the victimized Internet phone provider was left having to pay $300,000 in connection fees for routing the phone traffic to other carriers without receiving any revenue for the calls.
Eavesdropping is the unauthorized interception of voice packets or Real Time Protocol (RTP) media streams, and the decoding of signaling messages. It is a relatively simple attack to administer and tools such as network protocol analyses, sniffers and packet capture tools are freely available on the Internet. Wireshark is an example of a tool that can be used to capture VoIP traffic and reconstruct VoIP conversations.
RTP Injection Attack
Within SIP the voice payload is carried via the Real Time Transport Protocol (RTP). This protocol runs on top of the UDP protocol in order to transmit the payload. The RTP protocol does not provide an encryption or authentication mechanism to the transmitted media. Therefore an attacker would be able to monitor the INVITE message request between two SIP endpoints to determine their IP addresses and port numbers that the RTP stream is being sent between.
Once these details are known the attacker can start sending streams of RTP packets to the appropriate IP address and port number. This results in one of the callers receiving the injected RTP stream rather than the actual conversation.
There are readily available tools, on the internet, to both replace an RTP Stream like RTPInject while others like RTP MixSound mix in a second audio stream with the original RTP stream.
One type of masquerading is based on the manipulation of Caller ID (CID), which is used to identify the caller before answering, and is known as CID spoofing. The CID is based on reported information from different carrier switches and is specified by the switch administrator in a VoIP environment. This allows an attacker to spoof their CID information with a text string or phone number they specify and could be used to give credibility to various malicious users undertaking social engineering attacks.
In addition to this, the option for CID privacy (i.e. the ability to obscure your phone number from the CID display) is not possible with VoIP, since the phone number is included in the SIP and H.323 header. This allows any attacker with an IP packet sniffer, such as tcpdump, to discover the remote caller’s phone number, even if their number has been marked as private by their service provider. Further, there are a number of CID spoofing service providers in the US that, for a small fee, allow users to choose the number they are calling from.
A recent example of CID spoofing was reported by SpoofCard.com, which is a company that sells enhanced calling cards that provide the CID spoofing ability. Coincidently 50 customer’s accounts were cancelled, including Paris Hilton’s, due to customers abusing the CID spoofing feature to break into other peoples voice-mail accounts, listen to their messages, and even change the targeted user’s greetings.
Phone impersonation occurs due to the weak authentication process attributed to VoIP. There are two major contributors that consolidate this fact. Firstly, there is a limited human interface available for VoIP phones, limiting users to the selection of a numeric PIN for their password in lieu of a strong password based on the entire ASCII character set. Secondly, and this is related to the SIP standard, the authentication mechanism is based on the MD5 algorithm. An attacker who can sniff the entire SIP authentication exchange cannot observe the password sent in plain text, but can observe enough information to mount an offline dictionary attack against the password. The combination of these weaknesses allows passwords to be easily obtained by an attacker and then used to impersonate a phone or user.
Maybe when people are designing VoIP networks they should pay as much attention to security as they do to latency and jitter?
Regular vulnerability analysis should be undertaken of your business phone systems. However I would caution against testing on live systems due to the possibility of crashing your VoIP network. Anything more that basic testing should be carried out under lab conditions. If you do not have your own lab then go to a reputable company and have them conduct the analysis for you.