• No results found

IPTCOMM 2008 Heidelberg. VoIP Security: Do Claims of Threats Justify Continued Research Efforts? Jonathan Zar. Pingalo VOIPSA

N/A
N/A
Protected

Academic year: 2021

Share "IPTCOMM 2008 Heidelberg. VoIP Security: Do Claims of Threats Justify Continued Research Efforts? Jonathan Zar. Pingalo VOIPSA"

Copied!
35
0
0

Loading.... (view fulltext now)

Full text

(1)

VoIP Security:

Do Claims of Threats Justify Continued Research Efforts?

Jonathan Zar

Pingalo

VOIPSA

Eric Chen

NTT Information Sharing Platform Laboratories

VOIPSA

(2)

Lots of Activity

(3)

Industry Activity

VoIP Security Alliance – http://www.voipsa.org

“VOIPSA’s mission is to promote the current state of VoIP security research,

VoIP security education and awareness, and free VoIP testing

methodologies and tools.”

Membership includes:

Mitel, Avaya, Nortel, Siemens, Alcatel, Extreme Networks, NTT.

Now over 100 members on the Technical Board of Advisors

Projects: Threat Taxonomy, Security Requirements, Security Research, Best

Practices, Testing

Public “VOIPSEC” mailing list for discussion of VoIP security issues

“VoIP Security Threat Taxonomy” released in late 2005

(4)
(5)

VoIP Security Books

2004

2006

(6)
(7)

Increasing Industrial Importance

Well past the tipping point when new E1 favor IP provisioning

VoIP technologies have become foundational in 3GPP and ITU

Appear in 3G roadmaps

Appear in ITU roadmaps

Now several years into early market segments of mainstream consumer

VoIP adoption

Protocols widely used on all major IM platforms

Carrier offerings

Skype

Other solutions

With build out of NGN VoIP based protocols are diffusing widely

Within enterprise SIP trunking has started

(8)

Public Mindshare

(9)

telephone security

voip security

unified communications

Public Mindshare

(continued)

(10)

R&D Decisions Matter

Future results depend on allocations today

Allocations are based on perceived need

Misallocations are costly because its always a capital and labor

trade-off impacting the course of jobs, projects, and the results

from the investment

Key metrics are ROI based either:

True ROI where there is measurable financial return

Or proxy ROI where there is an alternative return such as:

Decision branches pruned

Patents applied or issued

(11)

Plenty of Need

6 Billion People ~ $5 Trillion Base of Pyramid Market

Gains Dramatically from ICT Investment

Base of Pyramid

Sources: C.K. Prahalad and World Resources Institute

(12)

Methodology

Mapped the risk space into a threat taxonomy

Created a corpus of data of threats and vulnerabilities

for the period from calendar Q4FY06 to Q2FY07

Included IMS, enterprise, and consumer risks from public and

proprietary sources

Included claims of threats to:

VoIP enabled applications and ancillary databases

real-time protocols and their implementations

enabling tools and software libraries

network equipment and transport

endpoint devices

Measured and classified the threats

(13)

VOIPSA VoIP Security Threat Taxonomy

(14)

Results of Discovery

(15)
(16)

11 Years of Automated Attacks

(17)

R&D Creates Wealth

(18)

New VoIP Attack/Security Tools

http://www.hackingvoip.com/

http://www.voipsa.org/Resources/tools.php

(19)

Zero Day Auctions Now Include VoIP

(20)

VoIP Services Theft Prosecution

Theft and Resale Of More Than 10 Million Minutes of VoIP Traffic

“Through a practice known as a “Brute Force” attack, [defendant] Pena and others

working with him acquired the proprietary codes established by VOIP telecom

providers to identify and accept authorized calls entering their networks for routing.

Having penetrated the networks of VOIP telephone service providers, Pena

programmed the third party’s computer networks to use the illegally obtained

proprietary prefix to route calls of customers of his companies.

By sending calls to the VOIP telephone service providers through the unsuspecting

third party’s networks, the VOIP telephone service providers were unable to identify

the true sender of the calls for billing purposes. Consequently, individual VOIP

Telecom Providers incurred aggregate routing costs of up to approximately $300,000

per provider, without being able to identify and bill Pena.”

(21)

End-point Vulnerabilities

Testing of hard phones, wi-fi phones, and terminal adapters

shows that many have weak security:

open ports, default passwords, weak provisioning, weak cryptography

defective software

low tolerance for fuzzing and flooding

Few systems in the field are verified by design

In general there are no standards for robustness. Nor are they

even good metrics for such a concept

(22)

Senao SI-7800H VoIP wireless phone

wdbrpc debug service UDP/17185

Clipcomm CPW-100E VoIP wireless handset phone

open debug service TCP/60023

ZyXel P2000W (Version 2) VoIP wireless phone

undocumented port UDP/9090

ACT P202S VoIP wireless phone

multiple undocumented ports/services

MPM HP-180W VoIP wireless desktop phone

undocumented port UDP/9090

UTstarcom F1000 VoIP Wifi phone

Multiple vulnerabilities

(23)

Cisco Unified IP Phone

SSH server with hard coded default user account and default password that is

used for debugging

Linksys WIP 330 VoIP wireless phone crash

from Nmap scan

Cisco 7905 VoIP phone

crashing from dsniff arpspoof

Clipcomm CP-100E

Undocumented open port TCP/60023 allows remote access to two debugging

accounts: Clip and USH

Hitachi WIP-5000

HTTP index page discloses software version, phone MAC address, IP address

and routing

HTTP no default login credentials

SNMP enabled, read/write using any credentials

Undocumented open port TCP/3390 Unidata Shell

Hardcoded admin login “0000” on device keypad

(24)

Senao SI-680H VoIP Wifi phone

undocumented open port

Zyxel P2000W (Version1) VoIP Wifi phone

multiple vulnerabilities

GrandStream GXP-2000 VoIP Desktop Phonw

multiple undocumented UDP ports and DoS

PolyCom IP-301 VoIP Desktop Phone HTTP

server DoS and undocumented TCP port 42

Linksys SPA-921 VoIP Desktop Phone

HTTP server DoS

(25)

Results of Analysis

(26)

Root Causes

Presumptive and Eager

Commits

Incomplete

Exception Handling

Inadequate

Input Validation

Incomplete Coverage

Defective Coverage

Poor

Auditability

Course Virtual

Protection

Weak

Identification

Data

Structures

Non-reversible

Routing

Promiscuous

Routing

Routing

Non-abelian

Non-atomic

Authentication

Non-transitive

Processes

Costly

Enforcement

Trust

Semantics

Logic

Protocol and

Application

Vulnerabilities

(27)

Key Findings

Q:

How important is this field?

A:

Quite important. The infrastructure for modern telecommunications

and enterprise peering is at risk.

Q:

Who are the customers for R&D?

A:

Industry and government for the benefit of the public.

Q:

What are the needs?

A:

Robust design for all devices that touch the traffic.

Improvements in the root causes areas that contribute to defects.

Increased investment focused in specific areas as recommended.

Regulatory support for transitional QA investment tariffs.

Q:

Do the facts support continued research?

(28)

Key Findings

(continued)

Q:

What do the risks tell us?

A:

That communication software, including embedded software, and

micro devices with compiled logic are vulnerable to at least 14

root cause defects and will be under sustained and malicious

attack.

Q:

How does learning inform decision makers?

A:

Digital communications are prone to increasing compromise.

The risks threaten both commerce and national security.

The art of quality for communication software across the entire

industry is substantially less than what is considered acceptable

by the public everywhere in the manufacture of articles of

(29)

Many Technical Opportunities

End-point Security

Protocol Stability

RT Transactional Security

Robust Implementations

Metrics and Methods

Authentication and Admissions

for interconnecting with other carriers

for DoS prevention

for Phishing countermeasures

Trust Logic

Multiparty Signaling

Payload Security

Micro transactions

OSS/BSS Extensions

Security

Transactions

Advertising

Commercial Zero Defects

Incumbents

New Large Entrants

Open Source

Multi-tenant Hosted Systems

Privacy

(30)

Where to Focus

(31)

Global Test-bed Project

Need

Create a global carrier peering test-bed for service validation and QA

Attractive for entrepreneurs building new user communities and inviting

to researchers in quality assurance and security

Distinct from regulated network, internal network, or honey-pots

Project

Network contribution and establishment

Developer programs for S/W, H/W, QA, pen-testing, and Web 3.0

Management, operations, and regulatory clearance

Benefit

Effective public large scale test-bed

(32)

End Point Security Project

Need

MANY terminal adapters and end-points

(of all types)

have weak security

Carriers are surrounded by these devices many of which could, if

compromised, open the core network to the attack

In general there are no standards to ensure end-point security or

improve goods in the supply chain

Project

Define a roadmap for security standards for end-points

Increase the ability of suppliers to source compliant goods

Step-by-step raise the bar on quality

Benefit

Defect reduction across the value chain from end-points

Practical and significant improvement in system reliability

(33)

Secure IMS Billing Project

Need

Support for secure advertising, micropayment, presence, location, or

transaction billing

Current CDR information is already vulnerable: the next generation

billing models will require more detail and hence more security

VoIP and IMS security research and OSS/BSS research is required in

collaboration to assure the public that future generation billing systems

can be trusted

Project

Collaborate on new service delivery billing elements, workflows and

enabled security of data and data exchange

Generate the learning and input for standards to assure the public

Benefit

(34)

Privacy Commerce Project

Need

The public consistently polls in favor of privacy interests and is willing to

pay for some measure of privacy either in fees or benefits

Industry sector regulation of privacy worldwide increases year-by-year

Missing are the market enablers for a commercial market in IMS based

privacy solutions

Project

Explicate the technical requirements for general privacy solutions

Enable the technical infrastructure

Benefit

ROI to drive carrier adoption of S/W and H/W enablers

(35)

Discussion

Please Join Us For Q&A

References

Related documents

• The real winners in life are the people who look at every situation with an expectation that they can make it work or make it better. • The future you see is the future

Accordingly, this study developed a theoretical model with propositions from a social capital-quality performance of agricultural products paradigm for examining and comparing the

You need not remit the CENVAT to the excise department immediately, so maintain the credit account for transaction type DLFC as an excise duty interim account. This will be set

Materials Safety Data Sheets (MSDS) and product labels are available upon request and can be obtained from any Cytec Engineered Materials Office.. Cytec Engineered Materials (CEM)

Rod>Cone Dysfunction Stationary Progressive Syndromic Non-Syndromic Bardet-Beidl (BBS) Usher Joubert Senior-Loken Retinitis Pigmentosa (RP) Leber Congenital

Testimonial literature allows for those within the group of people affected by trauma to rally around their experience while simultaneously creating a context for other groups

By controlling for baseline child BMI Z-scores, the findings indicate that mothers who use more verbal and physical restriction in a feeding interaction away from the home when

As depicted in Figure 7, below, we estimate that if LPI providers set their rates to produce a 55% loss ratio in 2012, then the Enterprises would have reimbursed their servicers $202