Summary – Challenge and Defense in VoIP Infrastructures
Gustav Jibing (gustav.jibing@gmail.com) DS09
Introduction to VoIP technology
Voice over Internet Protocol (VoIP) is a technology that allows users to make phone calls over their broadband Internet connection instead of over the traditional analog phone network (PSTN). Its purpose is to lower the cost of communication and increase flexibility for both businesses and individuals. The infrastructure needed to make a call over an IP network consists of devices such as telephones (end nodes), control nodes, gateway nodes, and the IP-based network itself. Calls can be made both within an intranet and over the Internet, and, if a gateway is used, also to users on the public switched telephone network (PSTN). The IP network can use various media, including Ethernet, fiber and wireless.
When a call between two nodes is being set up, there are four steps to be taken before the session between the two nodes can start: signaling, encoding, transport and gateway control.
1. Signaling: SIP is a commonly used signaling protocol; it is used to set up calls and manage connections between end nodes.
2. Encoding and transport: When the connection between two end nodes is set up, the voice from each node has to be encoded into digital form and segmented into a stream of packets. Once the analog voice is encoded and compressed it takes up much less volume. The voice samples are then transmitted over the Internet using the Real-time Transport Protocol (RTP). RTP holds header information so that the packets can be reassembled at the receiving end. UDP then carries the so-called payload to the other end, where the process is reversed.
3. Gateway control: Makes sure the real-time conversation is carried on the IP network or the PSTN, whichever is needed.
Generic Security Concerns in VoIP
Here the authors go through the basics of security concerns. First they say that security constraints include system assets, vulnerabilities and threats; these constraints are what make security a problem for any information infrastructure. Secondly, security requirements are the mechanisms, services and policies put in place to counteract the security problems, by either eliminating or fixing them. Third, security management makes various decisions on tasks and operations regarding security tools, standards and legal regulations to support specific business functions and processes. Then they describe which attack could be carried out against which component, because all components in a VoIP system are vulnerable. The servers and gateways in a VoIP system are most often built on Linux and Windows. These operating systems are constantly under attack, which means that those threats also apply to the VoIP network.
Then they categorize the different security problems depending on what they compromise in the VoIP system: confidentiality, integrity or availability. Confidentiality threats expose the content of the conversation between the two users, but can also expose dialed numbers or call durations. Integrity threats mean that the integrity of the caller can be hard to trust. Availability threats jeopardize the ability to make or receive a call. Next they go through the different attacks more thoroughly and the countermeasures that can be used against many of them. By deploying tools and security policies you can reduce the number of attacks on your system.
DoS is an attack that affects availability. This means that the phone service will not operate as it normally would; people might not be able to make or receive calls, and consequently a business might not work as it should.
Eavesdropping affects the confidentiality of a call between two users: the attacker secretly monitors the conversation and receives the voice data from both parties. This data can later be used by the attacker. Not only voice data can be stolen, but also fax documents, and bank and credit card passwords entered during interactive voice response sessions, by listening to the DTMF tones.
Alteration of voice stream affects confidentiality and integrity by using a man-in-the-middle attack. The attacker is able to listen to the conversation between the two victims and may also alter the communication, switching out small portions of a conversation such as a single word, e.g. a “no” to a “yes” or “buy” to “sell”.
Toll fraud: the attacker receives money by having a large volume of calls placed to a phone number that has a large fee associated with connecting to it. Say the attacker makes someone call a number with such fees many times; the victim then has to pay high fees to the owner of the number and to the attacker. This attack is placed in the integrity category.
Redirection of call: a big feature of VoIP is the flexibility to have a single phone number redirected to wherever the owner of that number is present. But this brings potential problems, because an attacker can redirect the victim to whatever number they choose. The attacker can use this to impersonate the victim by having the victim's calls redirected to the attacker's telephone. This attack affects the integrity of the victims and the confidentiality of the call.
Accounting data manipulation: the accounting database (CDR) contains information about calls, such as when a call took place and its duration. If the attacker gains access to this database he could, for example, remove calls that have been made in order to avoid paying for them.
Caller identification (ID) impersonation: the attacker uses a spoofed identity to place or receive calls. The attacker's phone then registers with the phone system as normal. This can be done to impersonate the victim, and integrity is affected.
Unwanted calls and messages (SPIT): SPIT is much like spam, but uses a farm of servers that hold lists of phone numbers. Messages are then sent out to these numbers and played at high volume or left in the victims' voice mail boxes. This is a serious threat to the adoption of VoIP.
More attacks in more detail
SIP message modification: the attacker intercepts the UDP and TCP media transport and changes information in the SIP message to change the direction of calls. To prevent this you have to use TLS on the UDP and TCP stream.
SIP Cancel/Bye attack means that the attacker continuously sends SIP messages with the CANCEL or BYE command. This stops the victim from being able to place or receive calls. Good authentication between the user agent (program) and the server prevents this from happening.
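The detection side of the SIP Cancel/Bye attack, as an added example written for this summary (it is not code from the article): a small Python detector parses SIP request lines, flags a BYE or CANCEL for a Call-ID that no INVITE ever established, and alerts when one source sends more than a threshold of tear-down messages inside a sliding time window. The log tuples, the 10-second window and the threshold of five are constructed assumptions; a real deployment would take the same tuples from a SIP proxy or IDS log.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0   # assumed sliding window
THRESHOLD = 5           # assumed: CANCEL/BYE messages per source per window before alerting

# Constructed sample log: (timestamp in seconds, source IP, raw SIP request).
# One legitimate call from 10.0.0.5, and a burst of BYEs from 10.0.0.9 for
# calls that were never set up. Not real captured traffic.
SAMPLE_REQUESTS = (
    [(0.0, "10.0.0.5", "INVITE sip:bob@example.org SIP/2.0\r\nCall-ID: a1\r\n\r\n")]
    + [(1.0 + 0.1 * i, "10.0.0.9",
        f"BYE sip:bob@example.org SIP/2.0\r\nCall-ID: x{i}\r\n\r\n") for i in range(6)]
    + [(3.0, "10.0.0.5", "BYE sip:bob@example.org SIP/2.0\r\nCall-ID: a1\r\n\r\n")]
)


def parse_request(raw):
    """Return (METHOD, Call-ID) for a raw SIP request, or None if the request line is malformed."""
    lines = raw.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("SIP/"):
        return None
    call_id = None
    for line in lines[1:]:
        if not line:                      # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("call-id", "i"):   # "i" is the compact form
            call_id = value.strip()
    return parts[0].upper(), call_id


def detect_teardown_flood(requests, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Scan requests in time order; return a list of (timestamp, source, reason) alerts."""
    recent = defaultdict(deque)   # source -> timestamps of its CANCEL/BYE within the window
    known_calls = set()           # Call-IDs for which an INVITE was observed
    flagged = set()               # sources already reported for flooding
    alerts = []
    for ts, src, raw in requests:
        parsed = parse_request(raw)
        if parsed is None:
            alerts.append((ts, src, "malformed request line"))
            continue
        method, call_id = parsed
        if method == "INVITE":
            known_calls.add(call_id)
            continue
        if method not in ("CANCEL", "BYE"):
            continue
        if call_id not in known_calls:
            alerts.append((ts, src, f"{method} for unknown Call-ID {call_id}"))
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged.add(src)
            alerts.append((ts, src, f"{len(q)} CANCEL/BYE messages within {window:g}s"))
    return alerts


if __name__ == "__main__":
    for alert in detect_teardown_flood(SAMPLE_REQUESTS):
        print(alert)
```

The unknown-Call-ID check is the cheaper and more precise of the two signals, because a BYE that ends a dialog the proxy never saw is wrong regardless of rate; the rate threshold catches an attacker who guesses or captures real Call-IDs, and needs tuning per site so that a busy PBX does not trip it.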
SIP redirect: the redirect server can be very vulnerable and can be exploited by the attacker. This means the attacker can steal calls from a victim or disable the phone network. To disable the phone network the attacker could redirect all users' phone numbers to a number that doesn't exist or to a null device. Moving to a more robust authentication system, such as TLS with strong passwords, will protect against attacks such as SIP redirect.
RTP payload: by using a man-in-the-middle attack between two nodes, an attacker can inspect or modify the payload of the voice message carried. This amounts to eavesdropping on the conversation, and the attacker can then ruin the call for the two nodes. By using the Secure RTP (SRTP) protocol this type of attack can be prevented: the packets are encrypted by the sender and decrypted by the receiver.
RTP tampering means that the attacker manipulates the sequence number and timestamp fields in the header of the RTP packet. The packets then won't arrive in the right order, which makes the conversation bad or crashes the receiving node. Again SRTP is the solution, since it allows the receiving node to determine whether the RTP header has been modified, so that the packet is discarded before it is processed.
Other attacks general to IP data networks
1. Physical attacks: By physically intercepting the devices and media the attacker can greatly impact availability. Cables and devices should be locked in and not be accessible to anyone but the administrator.
2. Address Resolution Protocol (ARP) cache poisoning: The attacker sends false ARP packets to create an association between the attacker's MAC address and another node's IP address in the ARP cache of the victim node. This lets the attacker masquerade as a node or endpoint within the VoIP system.
3. MAC spoofing: The attacker uses the same MAC address as an already registered user. This makes the attacker appear as if he is already configured and authorized.
4. IP spoofing: The attacker makes it seem as if a malicious message was sent from a trusted user, and thereby gains unauthorized access to a computer or a network.
5. Malformed packet: The attacker deliberately sends packets constructed to trigger a flaw in the network protocol to nodes within the system. Processing the packet triggers the flaw in the protocol stack and either degrades or disables the node's ability to handle further traffic for VoIP calls.
6. TCP SYN flood: The attacker generates a large number of packets with random source addresses and the TCP SYN flag set, each requesting allocation of a buffer at the receiving node. The VoIP signaling protocols (H.323 and SIP) rely on TCP transport for communication between nodes.
7. TCP or UDP replay: The attacker captures packets and extracts authentication information, voice conversations or DTMF. This data can be used to create a new connection, which allows the attacker to register a device using another device's identification.
8. Trivial File Transfer Protocol (TFTP) server insertion: TFTP is used by devices to update their software from a server. The attacker can place a false server on the network. This server can hold hoax configurations, such as the phone number and ID of another handset, and can cause billing fraud.
9. Dynamic Host Configuration Protocol (DHCP) starvation: By flooding the local network with DHCP requests for randomly generated MAC addresses, an attacker can deplete the pool of IP addresses available in the DHCP server. This prevents a node from obtaining an IP address and subsequently from contacting any of the other VoIP servers within the system.
10. Internet Control Message Protocol (ICMP) flood: Similar to a TCP or UDP flood; by overwhelming a node with a large volume of incoming ICMP packets, the node's performance is either degraded or the node is taken offline.
11. Buffer overflow attack: These attacks exploit flaws in software that attempts to store more data in a buffer than it was intended to hold. The data then overflows into adjacent buffers or code, hijacking the program for the attacker's use. Buffer overflow attacks could be used against the phone devices and the control nodes in a VoIP network.
12. OS attack: Many known and unknown vulnerabilities exist in the operating system (OS) platforms on which the control nodes and gateways in a VoIP network reside. VoIP phones can also be deployed as softphones on desktop or notebook personal computers.
13. Viruses and malware: Just as the vulnerabilities in the OS platforms can be exploited by an attacker, so can their susceptibility to viruses and malware.
14. CDR database attack: CDRs are stored in commercial databases by the control nodes to log call activity. Care should be taken in the design of the network to isolate the database from the signaling traffic by placing the database on a separate LAN or VLAN.
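The ARP cache poisoning item above is the one in this list that a passive monitor on the voice VLAN can detect directly. As an added example written for this summary (not code from the article), the Python below keeps a table of IP-to-MAC bindings learned from ARP replies and raises an alert on three signals: a reply that contradicts an administrator-pinned binding, an IP whose MAC changes from the first one seen, and one MAC that claims more IPs than allowed. The reply records, the pinned gateway binding and the one-IP-per-MAC limit are constructed assumptions.

```python
from collections import defaultdict

# Constructed ARP reply records (timestamp, sender IP, sender MAC), as a passive
# monitor on the voice VLAN would collect them. Not real captured traffic.
SAMPLE_ARP_REPLIES = [
    (0.0, "10.10.1.1",  "00:11:22:33:44:01"),   # call manager / default gateway
    (0.5, "10.10.1.20", "00:11:22:33:44:20"),   # phone
    (1.0, "10.10.1.21", "00:11:22:33:44:21"),   # phone
    (5.0, "10.10.1.1",  "DE:AD:BE:EF:00:99"),   # some host now claims the gateway IP
    (5.2, "10.10.1.20", "de:ad:be:ef:00:99"),   # ... and a phone's IP as well
]

# Assumed static bindings for critical nodes (the kind an administrator would pin).
TRUSTED_BINDINGS = {"10.10.1.1": "00:11:22:33:44:01"}


def detect_arp_poisoning(replies, trusted=TRUSTED_BINDINGS, max_ips_per_mac=1):
    """Return a list of alert dicts for suspicious IP/MAC bindings seen in ARP replies."""
    bindings = {ip: mac.lower() for ip, mac in trusted.items()}   # ip -> known MAC
    ips_by_mac = defaultdict(set)                                  # mac -> IPs it has claimed
    for ip, mac in bindings.items():
        ips_by_mac[mac].add(ip)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()                 # normalise case before comparing
        known = bindings.get(ip)
        if known is not None and known != mac:
            kind = "trusted-binding-violation" if ip in trusted else "mac-changed"
            alerts.append({"ts": ts, "kind": kind, "ip": ip, "expected": known, "seen": mac})
        elif known is None:
            bindings[ip] = mac            # remember the first binding seen for this IP
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > max_ips_per_mac:
            alerts.append({"ts": ts, "kind": "mac-claims-multiple-ips", "mac": mac,
                           "ips": sorted(ips_by_mac[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print(alert)
```

The "mac-changed" signal fires on legitimate events too (a DHCP lease handed to a new host, a replaced network card), so in practice it is a lower-severity alert, while a contradiction of a pinned binding for the call manager or gateway is the one worth paging on. Pinning those bindings in the monitor mirrors what static ARP entries or dynamic ARP inspection do on the switch side.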
Defense Vectors in VoIP and key research topics
In this section they describe the most important defense mechanisms. The first mechanism they mention is port authentication. This stops many attacks because the attacker cannot get their node onto the network. However, once we leave the private network and enter the Internet, this benefit diminishes. The key defense mechanisms are presented below.
Separation of VoIP and Data traffic
Separating the traffic can prevent a number of attacks, as PCs and workstations can then not be used by attackers as an easy entry into the VoIP network. This separation is performed using VLAN technology; then only the devices on the same VLAN can communicate with each other. Voice mail is often kept on the data network, so the VoIP call control server needs connectivity to the voice mail server. To create a secure link between these servers, a SIP-aware stateful firewall has to be installed.
Configuration Authentication
The VoIP phones need basic configuration information to join the VoIP system. Configuring the phones presents a classic bootstrap problem, where obtaining configuration information from an untrusted source can lead to further problems. In the article they suggest using a key on the device and the same key on the server. The phone or device then makes a DHCP request and obtains an IP address together with the IP address of the configuration server. A TLS connection between them is then set up, and the keys on the device and the server are checked to see if they match. If they don't match, the configuration file won't be loaded; if they do, it is transferred over the TLS connection using FTP.
Signaling Authentication
The IP security (IPSec) protocol provides mechanisms for both authentication and encryption, so that an attacker can't spoof the MAC address or IP address of a phone during SIP registration. IPSec has three different mechanisms for establishing keys: the first is to manually put keys on each phone, the second is to use a certification authority (CA), and the third is to use the DNS Security (DNSSEC) protocol. IPSec consists of a number of related protocols.
By using the IPSec connectionless Authentication Header (AH) protocol between the phone and the server, the integrity of the call can be maintained. The AH protocol also guarantees the integrity of the message, allowing the receiver to detect that information in the payload has been tampered with.
AH will also stop the phone from responding to commands from a spoofed call manager.
Media Encryption
SRTP (Secure RTP) was developed to protect the contents of the voice conversation from eavesdropping. It adds authentication and confidentiality services for the payload carried by the RTP protocol. Its purpose is also to lower the overhead by minimizing the number of keys that must be shared between two nodes. The session keys also provide encryption for the messages sent via SRTP containing voice data. IPSec, using the Internet Key Exchange (IKE), provides a mechanism for two nodes to exchange keys. A secure tunnel can also be established using IPSec; this can be used on trunks between organizations that run over a non-secure network.
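How the receiver actually "determines whether the RTP header has been modified" (the RTP tampering section earlier) and what the integrity guarantee of SRTP and AH described here looks like in code, as an added example written for this summary, not code from the article or from any SRTP library: the Python below builds RTP packets, appends an SRTP-style authentication tag (HMAC-SHA1 over the RTP header and payload with the rollover counter appended, truncated to 80 bits, which is the default SRTP authentication per RFC 3711), and on receipt rejects packets whose tag does not verify or whose sequence number was already accepted. Payload encryption and rollover-counter handling on sequence-number wrap are left out, the authentication key is a constructed constant (in SRTP it is derived from a negotiated master key), and the order of the tag check and the replay check is this example's choice.

```python
import hashlib
import hmac
import struct

AUTH_TAG_LEN = 10       # SRTP default: HMAC-SHA1 output truncated to 80 bits
REPLAY_WINDOW = 64      # accept out-of-order packets this far behind the highest seq seen

# Constructed 160-bit authentication key; a real SRTP session derives it from the master key.
AUTH_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f10111213")


def build_rtp_header(seq, timestamp, ssrc, payload_type=0, marker=0):
    """Fixed 12-byte RTP header: V=2, no padding/extension, CC=0."""
    first = 0x80
    second = (marker << 7) | (payload_type & 0x7F)
    return struct.pack(">BBHII", first, second, seq & 0xFFFF,
                       timestamp & 0xFFFFFFFF, ssrc & 0xFFFFFFFF)


def parse_rtp_header(packet):
    """Decode the fixed header fields; raises ValueError on a short or non-v2 packet."""
    if len(packet) < 12:
        raise ValueError("short RTP packet")
    first, second, seq, ts, ssrc = struct.unpack(">BBHII", packet[:12])
    if first >> 6 != 2:
        raise ValueError("unsupported RTP version")
    return {"seq": seq, "timestamp": ts, "ssrc": ssrc,
            "pt": second & 0x7F, "marker": second >> 7}


def auth_tag(key, header_and_payload, roc):
    """SRTP-style tag: HMAC-SHA1(key, header || payload || ROC) truncated to 80 bits."""
    mac = hmac.new(key, header_and_payload + struct.pack(">I", roc), hashlib.sha1).digest()
    return mac[:AUTH_TAG_LEN]


def protect(key, header, payload, roc=0):
    """Sender side: append the authentication tag (payload encryption omitted here)."""
    body = header + payload
    return body + auth_tag(key, body, roc)


class SrtpReceiver:
    """Receiver that discards tampered or replayed packets before they reach the decoder."""

    def __init__(self, key):
        self.key = key
        self.roc = 0                 # rollover counter; wrap handling is not modelled
        self.highest = None          # highest sequence number accepted so far
        self.seen = set()            # accepted sequence numbers inside the replay window
        self.stats = {"accepted": 0, "bad_tag": 0, "replayed": 0}

    def receive(self, packet):
        body, tag = packet[:-AUTH_TAG_LEN], packet[-AUTH_TAG_LEN:]
        hdr = parse_rtp_header(body)
        # Any change to seq, timestamp, SSRC or payload after protection breaks the tag.
        if not hmac.compare_digest(auth_tag(self.key, body, self.roc), tag):
            self.stats["bad_tag"] += 1
            return "bad_tag"
        seq = hdr["seq"]
        if self.highest is not None and (seq in self.seen or seq <= self.highest - REPLAY_WINDOW):
            self.stats["replayed"] += 1
            return "replayed"
        self.seen.add(seq)
        self.highest = seq if self.highest is None else max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - REPLAY_WINDOW}
        self.stats["accepted"] += 1
        return "accepted"


def demo():
    """Three good packets, one replayed packet, one with its sequence number rewritten."""
    ssrc = 0x1234ABCD
    receiver = SrtpReceiver(AUTH_KEY)
    packets = [protect(AUTH_KEY, build_rtp_header(seq, seq * 160, ssrc), b"\x55" * 20)
               for seq in range(1, 4)]
    results = [receiver.receive(p) for p in packets]
    results.append(receiver.receive(packets[1]))          # same packet again
    tampered = bytearray(packets[2])
    struct.pack_into(">H", tampered, 2, 9000)             # rewrite seq field in place
    results.append(receiver.receive(bytes(tampered)))
    return results


if __name__ == "__main__":
    print(demo())
```

A plain RTP receiver would parse the tampered packet without complaint and reorder or crash on the bogus sequence number; with the tag checked first, the modified header never reaches the jitter buffer, which is exactly the behaviour the RTP tampering section asks of SRTP. The replay set plays the role of the SRTP replay list, so a captured packet re-sent later is dropped even though its tag is genuine.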
Industry Case Studies
Here they start by saying that there are different vendors in the VoIP market. The two manufacturers they mention are Cisco and Nortel. Basically, this section covers what the two companies thought was most important to consider when setting up a VoIP network, together with their opinions on how the data traffic should be separated from the voice traffic. The article says that Cisco is strongly against softphones, because not even the most flexible firewall can protect the call manager from PC-based attacks. Nortel, on the other hand, says that if softphones must be used they should be put on the data segment and not the voice segment. Other than that they think similarly, but Cisco still provided more tips than Nortel.
Conclusion
The article has gone through the different challenges that a VoIP network can face and the countermeasures that need to be put in place to stop them. In the future the authors would like more research to be put into strengthening the security mechanisms. Technology that can handle attacks on VoIP protocols such as SIP and RTP should be given more priority. But they also say that they have witnessed the development of standards for VoIP, like IPSec for VPN networks, which is finding its way into VoIP solutions.