VoIP Security:
Do Claims of Threats Justify Continued Research Efforts?
Jonathan Zar
Pingalo
VOIPSA
Eric Chen
NTT Information Sharing Platform Laboratories
VOIPSA
Lots of Activity
Industry Activity
VoIP Security Alliance – http://www.voipsa.org
“VOIPSA’s mission is to promote the current state of VoIP security research,
VoIP security education and awareness, and free VoIP testing
methodologies and tools.”
Membership includes:
Mitel, Avaya, Nortel, Siemens, Alcatel, Extreme Networks, NTT.
Now over 100 members on the Technical Board of Advisors
Projects: Threat Taxonomy, Security Requirements, Security Research, Best
Practices, Testing
Public “VOIPSEC” mailing list for discussion of VoIP security issues
“VoIP Security Threat Taxonomy” released in late 2005
VoIP Security Books
2004
2006
Increasing Industrial Importance
Well past the tipping point when new E1 favor IP provisioning
VoIP technologies have become foundational in 3GPP and ITU
Appear in 3G roadmaps
Appear in ITU roadmaps
Now several years into early market segments of mainstream consumer
VoIP adoption
Protocols widely used on all major IM platforms
Carrier offerings
Skype
Other solutions
With build out of NGN VoIP based protocols are diffusing widely
Within enterprise SIP trunking has started
Public Mindshare
telephone security
voip security
unified communications
Public Mindshare
(continued)
R&D Decisions Matter
Future results depend on allocations today
Allocations are based on perceived need
Misallocations are costly because its always a capital and labor
trade-off impacting the course of jobs, projects, and the results
from the investment
Key metrics are ROI based either:
True ROI where there is measurable financial return
Or proxy ROI where there is an alternative return such as:
Decision branches pruned
Patents applied or issued
Plenty of Need
6 Billion People ~ $5 Trillion Base of Pyramid Market
Gains Dramatically from ICT Investment
Base of Pyramid
Sources: C.K. Prahalad and World Resources Institute
Methodology
Mapped the risk space into a threat taxonomy
Created a corpus of data of threats and vulnerabilities
for the period from calendar Q4FY06 to Q2FY07
Included IMS, enterprise, and consumer risks from public and
proprietary sources
Included claims of threats to:
VoIP enabled applications and ancillary databases
real-time protocols and their implementations
enabling tools and software libraries
network equipment and transport
endpoint devices
Measured and classified the threats
VOIPSA VoIP Security Threat Taxonomy
Results of Discovery
11 Years of Automated Attacks
R&D Creates Wealth
New VoIP Attack/Security Tools
http://www.hackingvoip.com/
http://www.voipsa.org/Resources/tools.php
Zero Day Auctions Now Include VoIP
VoIP Services Theft Prosecution
Theft and Resale Of More Than 10 Million Minutes of VoIP Traffic
“Through a practice known as a “Brute Force” attack, [defendant] Pena and others
working with him acquired the proprietary codes established by VOIP telecom
providers to identify and accept authorized calls entering their networks for routing.
Having penetrated the networks of VOIP telephone service providers, Pena
programmed the third party’s computer networks to use the illegally obtained
proprietary prefix to route calls of customers of his companies.
By sending calls to the VOIP telephone service providers through the unsuspecting
third party’s networks, the VOIP telephone service providers were unable to identify
the true sender of the calls for billing purposes. Consequently, individual VOIP
Telecom Providers incurred aggregate routing costs of up to approximately $300,000
per provider, without being able to identify and bill Pena.”
End-point Vulnerabilities
Testing of hard phones, wi-fi phones, and terminal adapters
shows that many have weak security:
open ports, default passwords, weak provisioning, weak cryptography
defective software
low tolerance for fuzzing and flooding
Few systems in the field are verified by design
In general there are no standards for robustness. Nor are they
even good metrics for such a concept
Senao SI-7800H VoIP wireless phone
wdbrpc debug service UDP/17185
Clipcomm CPW-100E VoIP wireless handset phone
open debug service TCP/60023
ZyXel P2000W (Version 2) VoIP wireless phone
undocumented port UDP/9090
ACT P202S VoIP wireless phone
multiple undocumented ports/services
MPM HP-180W VoIP wireless desktop phone
undocumented port UDP/9090
UTstarcom F1000 VoIP Wifi phone
Multiple vulnerabilities
Cisco Unified IP Phone
SSH server with hard coded default user account and default password that is
used for debugging
Linksys WIP 330 VoIP wireless phone crash
from Nmap scan
Cisco 7905 VoIP phone
crashing from dsniff arpspoof
Clipcomm CP-100E
Undocumented open port TCP/60023 allows remote access to two debugging
accounts: Clip and USH
Hitachi WIP-5000
HTTP index page discloses software version, phone MAC address, IP address
and routing
HTTP no default login credentials
SNMP enabled, read/write using any credentials
Undocumented open port TCP/3390 Unidata Shell
Hardcoded admin login “0000” on device keypad
Senao SI-680H VoIP Wifi phone
undocumented open port
Zyxel P2000W (Version1) VoIP Wifi phone
multiple vulnerabilities
GrandStream GXP-2000 VoIP Desktop Phonw
multiple undocumented UDP ports and DoS
PolyCom IP-301 VoIP Desktop Phone HTTP
server DoS and undocumented TCP port 42
Linksys SPA-921 VoIP Desktop Phone
HTTP server DoS
Results of Analysis
Root Causes
Presumptive and Eager
Commits
Incomplete
Exception Handling
Inadequate
Input Validation
Incomplete Coverage
Defective Coverage
Poor
Auditability
Course Virtual
Protection
Weak
Identification
Data
Structures
Non-reversible
Routing
Promiscuous
Routing
Routing
Non-abelian
Non-atomic
Authentication
Non-transitive
Processes
Costly
Enforcement
Trust
Semantics
Logic
Protocol and
Application
Vulnerabilities
Key Findings
Q:
How important is this field?
A:
Quite important. The infrastructure for modern telecommunications
and enterprise peering is at risk.
Q:
Who are the customers for R&D?
A:
Industry and government for the benefit of the public.
Q:
What are the needs?
A:
Robust design for all devices that touch the traffic.
Improvements in the root causes areas that contribute to defects.
Increased investment focused in specific areas as recommended.
Regulatory support for transitional QA investment tariffs.
Q:
Do the facts support continued research?
Key Findings
(continued)
Q:
What do the risks tell us?
A:
That communication software, including embedded software, and
micro devices with compiled logic are vulnerable to at least 14
root cause defects and will be under sustained and malicious
attack.
Q:
How does learning inform decision makers?
A:
Digital communications are prone to increasing compromise.
The risks threaten both commerce and national security.
The art of quality for communication software across the entire
industry is substantially less than what is considered acceptable
by the public everywhere in the manufacture of articles of
Many Technical Opportunities
End-point Security
Protocol Stability
RT Transactional Security
Robust Implementations
Metrics and Methods
Authentication and Admissions
for interconnecting with other carriers
for DoS prevention
for Phishing countermeasures
Trust Logic
Multiparty Signaling
Payload Security
Micro transactions
OSS/BSS Extensions
Security
Transactions
Advertising
Commercial Zero Defects
Incumbents
New Large Entrants
Open Source
Multi-tenant Hosted Systems
Privacy
Where to Focus
Global Test-bed Project
Need
Create a global carrier peering test-bed for service validation and QA
Attractive for entrepreneurs building new user communities and inviting
to researchers in quality assurance and security
Distinct from regulated network, internal network, or honey-pots
Project
Network contribution and establishment
Developer programs for S/W, H/W, QA, pen-testing, and Web 3.0
Management, operations, and regulatory clearance
Benefit
Effective public large scale test-bed
End Point Security Project
Need
MANY terminal adapters and end-points
(of all types)
have weak security
Carriers are surrounded by these devices many of which could, if
compromised, open the core network to the attack
In general there are no standards to ensure end-point security or
improve goods in the supply chain
Project
Define a roadmap for security standards for end-points
Increase the ability of suppliers to source compliant goods
Step-by-step raise the bar on quality
Benefit
Defect reduction across the value chain from end-points
Practical and significant improvement in system reliability
Secure IMS Billing Project
Need
Support for secure advertising, micropayment, presence, location, or
transaction billing
Current CDR information is already vulnerable: the next generation
billing models will require more detail and hence more security
VoIP and IMS security research and OSS/BSS research is required in
collaboration to assure the public that future generation billing systems
can be trusted
Project
Collaborate on new service delivery billing elements, workflows and
enabled security of data and data exchange
Generate the learning and input for standards to assure the public
Benefit
Privacy Commerce Project
Need
The public consistently polls in favor of privacy interests and is willing to
pay for some measure of privacy either in fees or benefits
Industry sector regulation of privacy worldwide increases year-by-year
Missing are the market enablers for a commercial market in IMS based
privacy solutions
Project
Explicate the technical requirements for general privacy solutions
Enable the technical infrastructure
Benefit
ROI to drive carrier adoption of S/W and H/W enablers
Discussion
Please Join Us For Q&A