Vulnerabilities in SOHO
VoIP Gateways
Is grandma safe?
Peter Thermos
Purpose of the study
• VoIP subscription is growing, and with it the
security concerns
• None of the vendors or providers mentioned
security (why? Purposefully left out due to
known problems, subscribers not asking for
security?)
• Preliminary evaluation of SOHO VoIP gateways
• A snapshot in time
Objectives
• Tested 3 “as deployed” services/devices using
traditional vulnerability assessment methodology
• What vulnerabilities may exist (e.g. DoS, buffer
overflow)?
• What class of vulnerabilities/attacks can be
exploited remotely (e.g. configuration, buffer
overflows, SPIT)?
Methodology
• Traditional Vulnerability Assessment
Methods (i.e. discovery, evaluation and
analysis, test, verify, document)
• Areas of focus
– Manageability
– Node Security
– Signaling
Targets of Evaluation
SP-1: Maintains a VoIP infrastructure and has ubiquitous presence through
existing ISP’s (Internet Service Providers, including DSL/Cable) in North America.
Furthermore, this service provider plans to establish global presence.
SP-2: This service provider has been an incumbent telecommunications carrier
(including PSTN and wireless), therefore taking advantage of their existing
switched infrastructure to route calls. Their VoIP presence, at the moment, is
limited to the US.
SP-3: This service provider maintains a VoIP infrastructure that offers VoIP service
to residents within a local region (i.e. State not National). They are low cost
ToE and device mapping
Service Provider   Voice Gateway   Protocols Used
SP-1               VG-1            SIP/RTP
SP-2               VG-2            MGCP/RTP
Findings
(1 of 4)
• Management
– Administrative sessions are protected with
userid/password only. No SSL capability thus
credentials and configuration commands can
be intercepted and in some cases replayed.
– Role-based control is limited (one role for all
administration/management)
Findings
(2 of 4)
• Node Security
– Open Ports on external interface allow various
attacks including DoS and unauthorized
access and management.
– Default credentials allow attackers to remotely
compromise poorly configured devices.
Findings
(3 of 4)
• Signaling
– Registration and call/presence/identity
hijacking;
– Denial of Service
– Implementation issues (e.g. buffer overflows)
discovered through robustness testing.
Presence Hijacking – Register Request
REGISTER sip:216.115.25.57 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.6;branch=xajB6FLTEHIcd0
From: 732-835-0102 <sip:12125550102@voip-service-provider.net:5061>;tag=5e374a8bad1f7c5x1
To: 732-835-0102 <sip:12125550102@voip-service-provider.net:5061>
Call-ID: QTEv5G5dOHYc@192.168.1.2
CSeq: 123456 REGISTER
Contact: 2125550102 <sip:12125550102@192.168.1.3:5061>;
Digest username="12125550102",realm="216.1.2.5",nonce="716917624",
uri="sip:voip-service-provider.net:5061",algorithm=MD5,
response="43e001d2ef807f1e2c96e78adfd50bf7"
Max_forwards: 70
User Agent: 001217E57E31 VoIP-Router/RT31P2-2.0.13(LIVd)
Content-Type: application/sdp
Subject: SiVuS Test
Expires: 7200
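The registration/presence hijacking finding above comes down to what a registrar accepts in a REGISTER: in the request shown, the Via sent-by is 192.168.1.6 while the Contact binding points at 192.168.1.3, and whether the Digest credentials actually belong to the address-of-record being bound is exactly what the registrar must verify. The following is an added example (not code from the talk, from SiVuS, or from any of the evaluated gateways) of the registrar-side checks a defender would want: parse the request, verify the RFC 2617 digest against a known password and an issued nonce, refuse to bind an AoR for a user other than the authenticated one, and flag Contact/Via host mismatches for review (NAT makes them legitimate often enough that they are logged, not rejected). The sample message, the registrar name registrar.example.net, the password and the nonce are all constructed for the example.

```python
import hashlib
import re

# Constructed sample REGISTER modelled on the layout of the request in the slide
# (Via on one host, Contact binding on another). The digest response is a
# deliberate placeholder, so it will fail verification. Not a real capture.
SAMPLE_REGISTER = (
    "REGISTER sip:registrar.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.6;branch=z9hG4bKabc123\r\n"
    "From: <sip:12125550102@registrar.example.net>;tag=5e374a8b\r\n"
    "To: <sip:12125550102@registrar.example.net>\r\n"
    "Call-ID: QTEv5G5dOHYc@192.168.1.2\r\n"
    "CSeq: 123456 REGISTER\r\n"
    "Contact: <sip:12125550102@192.168.1.3:5061>\r\n"
    'Authorization: Digest username="12125550102",realm="registrar.example.net",'
    'nonce="716917624",uri="sip:registrar.example.net",algorithm=MD5,'
    'response="00000000000000000000000000000000"\r\n'
    "Max-Forwards: 70\r\n"
    "Expires: 7200\r\n"
    "Content-Length: 0\r\n\r\n"
)


def parse_sip(raw):
    """Split a SIP request into (request line, {lower-cased header name: value})."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # first colon only; values may contain ':'
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_digest(value):
    """Parse an Authorization value 'Digest k="v",k=v,...' into a dict."""
    if not value.lower().startswith("digest "):
        return {}
    params = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|([^,]*))', value[7:]):
        params[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return params


def via_host(via):
    """Host part of the Via sent-by ('SIP/2.0/UDP host:port;params'); IPv4/hostnames only."""
    sent_by = via.split()[1] if " " in via else via
    return sent_by.split(";")[0].split(":")[0]


def uri_host(uri):
    """Host of a SIP URI such as '<sip:user@host:port>' or 'sip:host'."""
    m = re.search(r"sip:(?:[^@>]*@)?([^:;>]+)", uri)
    return m.group(1) if m else ""


def uri_user(uri):
    """User part of a SIP URI ('' when the URI has no user)."""
    m = re.search(r"sip:([^@:;>]+)@", uri)
    return m.group(1) if m else ""


def expected_response(username, realm, password, method, uri, nonce):
    """RFC 2617 digest without qop, as the registrar recomputes it to verify the client."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def audit_register(raw, credentials, issued_nonces):
    """Registrar-side checks on one REGISTER. Returns findings; an empty list means accept."""
    request_line, h = parse_sip(raw)
    method = request_line.split()[0]
    if method != "REGISTER":
        return ["reject: not a REGISTER request"]
    findings = []
    digest = parse_digest(h.get("authorization", ""))
    user = digest.get("username", "")
    if not digest:
        findings.append("reject: no Digest credentials, challenge with 401")
    elif user not in credentials:
        findings.append(f"reject: unknown user {user!r}")
    elif digest.get("nonce") not in issued_nonces:
        findings.append("reject: nonce was not issued by this registrar (stale or replayed)")
    else:
        want = expected_response(user, digest.get("realm", ""), credentials[user],
                                 method, digest.get("uri", ""), digest["nonce"])
        if want != digest.get("response", "").lower():
            findings.append("reject: digest response does not verify")
    # The authenticated identity may only bind its own address-of-record (the To URI).
    aor_user = uri_user(h.get("to", ""))
    if digest and aor_user != user:
        findings.append(f"reject: authenticated user {user!r} may not bind AoR {aor_user!r}")
    # A binding that points somewhere other than the sending host is the hijack pattern,
    # but NAT produces it legitimately, so it is flagged for review rather than rejected.
    contact_host, via = uri_host(h.get("contact", "")), via_host(h.get("via", ""))
    if contact_host and via and contact_host != via:
        findings.append(f"review: Contact host {contact_host} differs from Via host {via}")
    if h.get("expires", "") == "0" or h.get("contact", "") == "*":
        findings.append("review: de-registration request, log it")
    return findings


if __name__ == "__main__":
    for f in audit_register(SAMPLE_REGISTER, {"12125550102": "constructed-secret"}, {"716917624"}):
        print(f)
```

Running the block as-is prints a rejection for the placeholder digest plus a review flag for the 192.168.1.3/192.168.1.6 mismatch; replacing the placeholder with the value from expected_response and aligning the Contact host makes the same request pass cleanly. The nonce set is what turns the "credentials can be intercepted and replayed" finding into a check: a captured Authorization header only verifies while its nonce is still one the registrar issued.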