
Vulnerabilities in SOHO VoIP Gateways


Academic year: 2021


(1)

Vulnerabilities in SOHO VoIP Gateways

Is grandma safe?

Peter Thermos

(2)

Purpose of the study

• VoIP subscription is growing, and therefore so are security concerns
• None of the vendors or providers mentioned security (why? Purposefully left out due to known problems, subscribers not asking for security?)
• Preliminary evaluation of SOHO VoIP gateways
• A snapshot in time

(3)

Objectives

• Tested 3 “as deployed” services/devices using traditional vulnerability assessment methodology
• What vulnerabilities may exist (e.g. DoS, buffer overflow)?
• What class of vulnerabilities/attacks can be exploited remotely (e.g. configuration, buffer overflows, SPIT)?

(4)

Methodology

• Traditional Vulnerability Assessment Methods (i.e. discovery, evaluation and analysis, test, verify, document)
• Areas of focus
  – Manageability
  – Node Security
  – Signaling

(5)

Targets of Evaluation

SP-1: Maintains a VoIP infrastructure and has ubiquitous presence through existing ISPs (Internet Service Providers, including DSL/Cable) in North America. Furthermore, this service provider plans to establish global presence.

SP-2: This service provider has been an incumbent telecommunications carrier (including PSTN and wireless), therefore taking advantage of their existing switched infrastructure to route calls. Their VoIP presence, at the moment, is limited to the US.

SP-3: This service provider maintains a VoIP infrastructure that offers VoIP service to residents within a local region (i.e. State not National). They are low cost

(6)

ToE and device mapping

Service Provider    Voice Gateway    Protocols Used
SP-1                VG-1             SIP/RTP
SP-2                VG-2             MGCP/RTP

(7)
(8)

Findings (1 of 4)

• Management
  – Administrative sessions are protected with userid/password only. No SSL capability, thus credentials and configuration commands can be intercepted and in some cases replayed.
  – Role-based control is limited (one role for all administration/management)

(9)

Findings (2 of 4)

• Node Security
  – Open ports on the external interface allow various attacks including DoS and unauthorized access and management.
  – Default credentials allow attackers to remotely compromise poorly configured devices.

(10)

Findings (3 of 4)

• Signaling
  – Registration and call/presence/identity hijacking
  – Denial of Service
  – Implementation issues (e.g. buffer overflows) discovered through robustness testing.

(11)
(12)
(13)

Presence Hijacking – Register Request

REGISTER sip:216.115.25.57 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.6;branch=xajB6FLTEHIcd0
From: 732-835-0102 <sip:12125550102@voip-service-provider.net:5061>;tag=5e374a8bad1f7c5x1
To: 732-835-0102 <sip:12125550102@voip-service-provider.net:5061>
Call-ID: QTEv5G5dOHYc@192.168.1.2
CSeq: 123456 REGISTER
Contact: 2125550102 <sip:12125550102@192.168.1.3:5061>;
 Digest username="12125550102",realm="216.1.2.5",nonce="716917624",
 uri="sip:voip-service-provider.net:5061",algorithm=MD5,
 response="43e001d2ef807f1e2c96e78adfd50bf7"
Max_forwards: 70
User Agent: 001217E57E31 VoIP-Router/RT31P2-2.0.13(LIVd)
Content-Type: application/sdp
Subject: SiVuS Test
Expires: 7200
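On the registrar or SBC side, a REGISTER like the one above can be checked for signs that the binding is being pointed somewhere other than the sender. The following is an added example, not part of the original slides; the function names are hypothetical and the sample assumes the Digest parameters sit in an Authorization header.

```python
import re

# Constructed sample shaped like the slide's REGISTER; the Authorization header name is assumed.
SAMPLE = """\
REGISTER sip:216.115.25.57 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.6;branch=xajB6FLTEHIcd0
From: 732-835-0102 <sip:12125550102@voip-service-provider.net:5061>;tag=5e374a8bad1f7c5x1
To: 732-835-0102 <sip:12125550102@voip-service-provider.net:5061>
Call-ID: QTEv5G5dOHYc@192.168.1.2
CSeq: 123456 REGISTER
Contact: 2125550102 <sip:12125550102@192.168.1.3:5061>
Authorization: Digest username="12125550102",realm="216.1.2.5",nonce="716917624",uri="sip:voip-service-provider.net:5061",algorithm=MD5,response="43e001d2ef807f1e2c96e78adfd50bf7"
Expires: 7200
"""

def parse_headers(msg):
    """Return (request_line, {lowercased header name: value})."""
    lines = msg.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def host_of(value):
    """Host from a sip: URI, else from a Via sent-by; None if neither."""
    m = (re.search(r"sip:(?:[^@>\s]+@)?([^:;>\s]+)", value)
         or re.search(r"SIP/2\.0/\w+\s+([^:;\s]+)", value))
    return m.group(1) if m else None

def audit_register(msg, src_ip=None):
    """Return findings for one REGISTER; src_ip is the packet source if known."""
    request, h = parse_headers(msg)
    if not request.startswith("REGISTER "):
        return []
    findings = []
    via, contact = host_of(h.get("via", "")), host_of(h.get("contact", ""))
    sender = src_ip or via
    if contact and sender and contact != sender:
        findings.append(f"contact-mismatch: binds to {contact}, sent from {sender}")
    _, at, cid_host = h.get("call-id", "").rpartition("@")
    if at and via and cid_host != via:  # weak heuristic: Call-ID host is optional
        findings.append(f"callid-mismatch: {cid_host} vs Via {via}")
    auth = h.get("authorization", "").lower()
    if auth.startswith("digest") and "qop=" not in auth:
        findings.append("digest-no-qop: no cnonce/nc, replay defence rests on nonce freshness")
    return findings
```

Devices behind NAT routinely put a private address in Contact, so the contact check is a triage signal to correlate with a change in the stored binding, not a verdict on its own.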

(14)

Provider Response

Dear Peter Thermos,

Thank you for contacting customer care.

In response to your email, no this is not possible. We are more secure than a regular phone line. While I see that you have a log of SIP messages from your own account, this is not the same as re-routing and listening to someone else's calls.

I hope that I have resolved your problem. Do not hesitate to contact us if you need further assistance.

Sincerely,

Dave S.

(15)

Caller-ID Demo

(16)
(17)

Findings (4 of 4)

• Media
  – Eavesdropping (sensitive information captured, including credit card numbers and PINs)
  – Voice quality degradation and media manipulation

(18)

General observations

• Security through obscurity: use of port 5061 for SIP/UDP
• Firewalling capability to restrict connections from specific nodes (e.g. VG-2 provides a firewall capability).

(19)

Conclusions - Is grandma safe?

No, and worse, she's likely to get very annoyed at the poor availability and annoying VoIP SPAM from marketers and VoIP Joyriders

• Current security posture of SOHO gateways is not adequate
• As attacks against VoIP subscribers increase in the next 3 years, what do we do to protect against them?

(20)

Recommendations

• Architecture
  – Routing Controls/Network Segmentation to provide a level of protection for VoIP subscribers (e.g. SBC/DPI)
• Robust implementations
• Security Requirements
  – IETF, ATIS, ITU
  – Initiatives such as VoPSecurity Forum and VoIPSA may help.
