bh usa 07 dempster

Upload: bmurillo

Post on 03-Jun-2018


  • 8/12/2019 Bh Usa 07 Dempster

    1/33

    VoIP Security Methodology and Results

    NGS Software Ltd Barrie Dempster Senior Security Consultant [email protected]


    Agenda

    VoIP Security Issues

    Assessment Methodology

    Case Study: Asterisk


    VoIP Security Issues


    Why is VoIP such a problem?

    If you take a systematic approach to it, it isn't

    Assessing VoIP systems is quite different from the "probe and parse" technique commonly used on databases and web applications.

    It appears this way as it's multi-discipline -

    Data networks, voice networks and security knowledge


    Convergence!

    One of the major selling points but one of the biggest issues

    Goes against current network security best practice. Firewalls, VPNs, VLANs etc. are focused on separation of traffic, often to separate into security boundaries

    Convergence not only makes administration easier, it makes hacking easier too. Voice traffic on a data network is open to attacks using tools and techniques that have been used in the past on data networks


    A convergence quote

    From the NIST Security considerations for Voice over IP systems:

    "The flexibility of VOIP comes at a price: added complexity in securing voice and data. Because VOIP systems are connected to the data network, and share many of the same hardware and software components, there are more ways for intruders to attack a VOIP system than a conventional voice telephone system or PBX."


    The Main Threats

    Toll Fraud

    Eavesdropping

    Caller ID Spoofing

    Denial of Service

    Another Entry Point


    Toll Fraud

    It's easy: the slightest misconfiguration can lead to toll fraud - misconfiguration of DISA, default passwords and simple social engineering.

    It's profitable: free use of services; services can be resold; overheads are low

    It's happening (and has been for a long time)


    Caller-ID Spoofing

    There are a number of ways to do this

    This is another threat that existed before VoIP but just got easier

    It's still not an attack method that the general public are aware of. Many companies still use it as part of an authentication mechanism

    You now need no technical knowledge to spoof Caller-ID. A number of companies sell these services


    Denial of Service

    Uptime on traditional telephony networks is generally very high: it's not easy to DoS someone; it's not easy to hide your tracks when performing an attack; only a few companies control the access points

    Service levels for telephony are more important than most IP protocols: emergency services; customers/users are used to high service levels

    VoIP brings IP's problems to voice: IP has suffered many DoS vulnerabilities; DDoS is expensive and difficult to combat


    Another Entry Point

    VoIP brings problems to the IP network as well

    It's as bad as email, IM clients and web browsers (which is bad!)

    Complicated/numerous protocols. Lots of vulnerabilities already found

    Attackers are finding more


    Methodology


    So we break it down into components

    VoIP is made up of a number of components, many of these are covered by existing testing methodologies.

    The Operating Platform

    Configuration

    VoIP Protocols

    Support Protocols


    Configuration

    How to assess configuration?

    Scanning with war diallers and similar software is not enough

    The configuration also has to be manually reviewed, by checking the configuration file/database.

    Charting IVRs and call dialing plans makes vulnerabilities obvious


    Configuration

    Default passwords

    still rampant in PBX


    VoIP Protocols

    SIP/RTP/RTCP/MGCP/IAX


    Support Protocols

    The "IP" component in VoIP is slightly more than IP, it extends to TCP, UDP and supporting protocols like DHCP, DNS, TFTP etc...

    These protocols all have their own issues

    These protocols also have some ideas for solutions (e.g. IPsec, VPNs, IDS/IPS, firewalls etc...)

    Combined with VoIP increase the risk of some of the attacks that can occur

    A VoIP assessment can be done as part of an infrastructure assessment or standalone, but standalone assessments should caveat that validity is dependent on infrastructure assessments being performed independently.


    Case Study: Asterisk


    Why Asterisk as a study subject?

    It's popular

    It's freely available

    No additional hardware required

    It's open source


    Asterisk: Operating Platform

    Network infrastructure: firewalls will have to be configured to support Asterisk; mail server configuration; basic networking DNS, TCP, UDP, IP etc...

    Operating Systems: runs on Linux so security issues relating to Linux apply to Asterisk. Patching of the OS/Asterisk and other components, file permissions, iptables etc...

    Databases/Webservices/CRM: can have a database backend; commonly integrated with SugarCRM; has a number of web front ends (AsteriskNOW, FreePBX


    Asterisk: Vulnerabilities - Denial of Service

    Asterisk SIP Channel Driver (chan_sip) SIP Malformed UDP Packet DoS

    Asterisk Manager Interface Passwordless User MD5 Authentication DoS

    Asterisk Malformed SIP INVITE Request DoS

    Asterisk Crafted SIP Response Code handle_response Function DoS

    Asterisk Malformed SIP Register Packet Remote DoS

    Asterisk SIP Channel Driver Unspecified Remote DoS

    Asterisk IAXiax2 IAX


    Asterisk: Vulnerabilities - Code Execution

    Asterisk T.38 SDP Parser chan_sip.c process_sdp Function Overflows

        /* %s has no field width, so sscanf() copies an SDP attribute value of any length into s */
        else if ((sscanf(a, "T38FaxRateManagement:%s", s) == 1)) {
            found = 1;
            if (option_debug > 2)
                ast_log(LOG_DEBUG, "RateMangement: %s\n", s);
            if (!strcasecmp(s, "localTCF"))
                peert38capability |= T38FAX_RATE_MANAGEMENT_LOCAL_TCF;
            else if (!strcasecmp(s, "transferredTCF"))
                peert38capability |= T38FAX_RATE_MANAGEMENT_TRANSFERED_TCF;

        /* ... */

        else if ((sscanf(a, "T38FaxUdpEC:%s", s) == 1)) {
            found = 1;
            if (option_debug > 2)
                ast_log(LOG_DEBUG, "UDP EC: %s\n", s);
            if (!strcasecmp(s, "t38UDPRedundancy")) {
                peert38capability |= T38FAX_UDP_EC_REDUNDANCY;
                ast_udptl_set_error_correction_scheme(p->udptl, UDPTL_ERROR_CORRECTION_REDUNDANCY);


    Asterisk: Configuration

    Default passwords: very common on Asterisk, as are easily guessable SIP passwords

    Bad dial plan logic

    Dial plan logic in Asterisk can become fairly complex and the flat file format makes it hard to follow. If the dial plan isn't documented (and updated) it can make it easy to make mistakes. Common mistakes in Asterisk include giving access to too many contexts or too many options in a public context.

    Call Control and monitoring: Asterisk can be configured (MixMonitor) to record calls to a file and these can often be left with lax permissions. Asterisk also has Intrude/Barge functionality with ChanSpy. A misconfigured dial plan can unintentionally give call monitoring abilities.

    Accounting and Billing: there are a variety of options for billing with Asterisk, they generally plug in to Asterisk using its Call Detail Record files. Each of these has their own security considerations.
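
The dial plan review described on the configuration slides, as an added example that is not part of the original talk: it charts which contexts a caller entering a public context can reach and lists the sensitive applications found there. The sample dial plan, the entry context name `default` and the `RISKY` application list are assumptions made for illustration; only `include` and three-argument `Goto` edges are followed.

```python
import re
from collections import defaultdict
# Constructed sample, not from the talk; [default] is assumed to be the public context.
SAMPLE = """
[default]
exten => s,1,Background(welcome)
exten => 0,1,Goto(operator,s,1)
include => internal   ; mistake: staff features pulled into the public context
[operator]
exten => s,1,Dial(SIP/reception)
[internal]
exten => _1XX,1,Dial(SIP/${EXTEN})
exten => 555,1,ChanSpy(SIP)
include => outbound
[outbound]
exten => _9.,1,Dial(SIP/provider/${EXTEN:1})
[voicemail-admin]
exten => 8500,1,VoiceMailMain()
"""
RISKY = {"dial", "disa", "chanspy", "mixmonitor"}  # apps a reviewer should see

def parse_dialplan(text):
    """Return (edges, apps): contexts each context leads to, and apps it runs."""
    edges, apps, ctx = defaultdict(set), defaultdict(set), None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop trailing comments
        if line.startswith("["):
            ctx = line[1:line.index("]")]
        elif ctx and (m := re.match(r"include\s*=>?\s*([^,|\s]+)", line)):
            edges[ctx].add(m.group(1))
        elif ctx and (m := re.match(r"(exten|same)\s*=>?\s*(.*)", line)):
            # exten => pattern,priority,App(args); same => priority,App(args)
            call = m.group(2).split(",", 2 if m.group(1) == "exten" else 1)[-1]
            name, _, args = call.partition("(")
            name, target = name.strip().lower(), args.rstrip(")").split(",")
            apps[ctx].add(name)
            if name == "goto" and len(target) == 3:  # Goto(context,exten,prio)
                edges[ctx].add(target[0].strip())
    return edges, apps

def audit(text, entry="default"):
    """Map each context reachable from `entry` to the risky apps it exposes."""
    edges, apps = parse_dialplan(text)
    seen, todo = set(), [entry]
    while todo:
        ctx = todo.pop()
        todo.extend(edges[ctx] - seen)               # queue unvisited neighbours
        seen.add(ctx)
    return {c: sorted(apps[c] & RISKY) for c in sorted(seen) if apps[c] & RISKY}
```

Calling `audit(SAMPLE)` reports `internal` and `outbound` as reachable from the public context through the stray `include`, which is the "too many contexts" mistake, while `voicemail-admin` stays out of reach.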


    Asterisk: VoIP Protocols

    Encryption options?

    We've already seen simple vulnerabilities in the implementations

    Fairly complicated to configure

    Assumptions made by the developers


    Conclusion


    Configuration

    Practise safe convergence

    Apply traditional network security logic to VoIP.

    Check the VoIP products for vulnerabilities.

    Don't just scan, audit as well!


    Where else can I get more information?

    http://www.voipsa.org - The VoIP security alliance released a VoIP threat taxonomy and have an active mailing list covering VoIP issues

    http://www.nist.gov - US centric but have excellent telephony security references

    http://www.voip-info.org - Not particularly security related but a good source of VoIP information.

    http://www.osstmm.org - The Open Source Security Testing Methodology Manual. The VoIP component is currently under development.


    http://www.ngssoftware.com/ Copyright 2006. Next Generation Security Software Ltd. All other trade marks are the property of their respective owner, and are used in an editorial context without intent

    Thank You

    Comments/Questions? Barrie Dempster - barrie@ngssoftware.com