SS7 Security On Techmeme? A Reminder About Interconnected Systems…

techmeme-ss7SS7 security issues reported on Techmeme?  I did a double-take yesterday and, as Jay Cuthrell noted on Twitter, wondered if this was a “ThrowbackThursday” taken to the extreme.  But no, there was indeed a report in the Washington Post about German security researchers discovering that aspects of SS7 signaling that could be used to listen to phone conversations and/or read text messages on mobile networks.  As the article notes:

The flaws discovered by the German researchers are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network.

The researchers noted that one of the attackers could get around existing encryption mechanisms used on mobile networks:

For calls or texts transmitted using strong encryption, such as is commonly used for advanced 3G connections, hackers could request through SS7 that each caller’s carrier release a temporary encryption key to unlock the communication after it has been recorded.

SS7, or Signalling System 7, is of course the dominant set of telephony signaling protocols used in the legacy Public Switched Telephone Network (PSTN) made up of today’s wired and wireless (mobile) telephone networks.  As such, we don’t write about SS7 hardly at all here on the VOIPSA blog as it is not related to VoIP.

However, there were three important thoughts to me coming out of this article:

1. VoIP can be more secure than the PSTN. The report mentions the encryption of the underlying 3G transport infrastructure being subverted.  However, with VoIP apps that are “Over-The-Top” (OTT) riding on the mobile data network, the encryption can happen from within the app on one mobile device all the way to the app on the other mobile device – or at least back to a central set of servers.  Now, there can be other security vulnerabilities with such a system, but the transport layer could at least be secured.

2. Telecommunication systems are only as secure as their weakest link – and are interconnected.  The bigger concern is of course that most of our telecom systems are all interconnected… and you can have the most secure VoIP system in the world, but if you wind up connecting to the PSTN – and specifically in this case to mobile PSTN networks – then you are open to exactly these kind of attacks.  Obviously if you are communicating only within an OTT “walled garden” where you only talk to others using the same OTT app you can be secure, but the moment you go out to the PSTN you are open to all the issues there.

3. Fixed lines are no safer if you talk to mobile users. The article ends with a German senator saying “When I really need a confidential conversation, I use a fixed-line phone“.  I don’t know about that.  For one thing, if the person you are calling is a mobile phone user, you are again open to these kind of attacks.  Secondly the Snowden revelations of the past year have certainly shown us that large agencies have the ability to listen in to communications on the networks of the PSTN.  If I absolutely want a confidential conversation, I’m personally going to use one of the VoIP applications that has end-to-end encryption. I’m NOT going to trust a fixed line any more than I would trust a mobile phone.

And I guess the final thought is of course that the legacy PSTN is full of security issues – they just aren’t necessarily as open to all to see because of the more closed nature of the traditional telephone networks.

A good reminder, though, that telephony security has always been a problem – and we need to ensure that both our VoIP and traditional networks have adequate security.

Meanwhile, it was rather fun to see SS7 mentioned on Techmeme… not something you’d expect to see!

Verizon Launches Voice Cypher Secure VoIP Mobile App… With A Government Backdoor

Verizon Wireless this week did something that initially seemed quite impressive – they launched “Voice Cypher”, an app available for iOS, Android and Blackberry that promises secure end-to-end encryption. It uses VoIP and is an “over-the-top” (OTT) app that works on any carrier.  If you read the marketing material on their web site, it all sounds great!  Indeed their “Learn More” page has all the right buzzwords and security lingo – and says quite clearly: Voice Cypher provides end-to-end encryption between callers, even if the call crosses over multiple networks.” They include the requisite network diagram that shows how it protects against all threats:

Verizon Wireless Voice Cypher

It turns out there’s just one small little detail … as reported by BloombergBusinessweek, the app comes complete with a backdoor so that Verizon could decrypt the phone calls if requested to do so by law enforcement!

As the Businessweek article states:

Cellcrypt and Verizon both say that law enforcement agencies will be able to access communications that take place over Voice Cypher, so long as they’re able to prove that there’s a legitimate law enforcement reason for doing so.

Unfortunately, in this post-Snowden era I don’t know that many of us put a great amount of trust in our governments to only access communications with a “legitimate law enforcement reason”.  Or perhaps the concern is that what gets classified as “legitimate” can be widely construed to mean almost anything.

The article does point out that Verizon is bound by CALEA to provide lawful intercept  to the phone networks, but points out an interesting caveat that Verizon could have used:

Phone carriers like Verizon are required by U.S. law to build networks that can be wiretapped. But the legislation known as the Communications Assistance for Law Enforcement Act requires phone carriers to decrypt communications for the government only if they have designed their technology to make it possible to do so. If Verizon and Cellcrypt had structured their encryption so that neither company had the information necessary to decrypt the calls, they would not have been breaking the law.

A Verizon Wireless representative indicated that they believe government agencies looking for ways to protect sensitive information may be  customers of this service, as may be corporate customers concerned about leaking private information.

But… as we continue to hear more and more information about the massive amount of pervasive monitoring and surveillance by government agencies from many different governments around the world, you do have to wonder how safe those agencies and companies will feel with a “secure” solution that already comes with a backdoor.  The problem with a known backdoor is that even if you may trust Verizon Wireless to only allow legitimate law enforcement access… how do you know that some attacker may not be able to penetrate that backdoor?   The “secure end-to-end encryption” isn’t entirely secure.

Given that the service has a higher price tag of $45 per month per device, I do wonder how many businesses or agencies will actually embrace the service.

On reading about this Voice Cypher service, it certainly sounds quite interesting.  We need more secure voice solutions out there – and it’s very cool that Verizon Wireless is delivering this as an OTT mobile app that will work across different carriers.

It’s just too bad that it’s not truly “secure end-to-end”.  :-(

P.S. I also recorded an audio commentary on this same topic.

7 Asterisk VoIP Security Advisories Issued

Asterisk logoThe Digium / Asterisk Security Team has obviously been extremely busy ensuring that Asterisk is as secure as possible given that yesterday they released 7 security advisories, although only one of them (AST2014-16) was rated as “Critical”.  The others are rated as “Moderate” or “Minor” – but still are good reasons to upgrade to the latest versions of Asterisk.  The list of advisories is:

The issues are all fixed in the latest versions of Asterisk:

  • Asterisk Open Source 1.8.32.1, 11.14.1, 12.7.1, 13.0.1
  • Certified Asterisk 1.8.28-cert3, 11.6-cert8

Kudos to the Digium/Asterisk Security Team for the work they do in keeping Asterisk secure – and also for their openness in reporting the issues publicly!

Slides: Reboot the Open Realtime Revolution – #MoreCrypto (Fall 2014)

Olle Johansson is back with another set of excellent slides about VoIP security and the need to have “MoreCrypto” everywhere. It’s a great set of slides that talks about where we have come from and where we need to go.  Definitely check it out on SlideShare at: Reboot the Open Realtime Revolution – #MoreCrypto (Fall 2014) or in the embedded version below:

VoiceOps – Mitigating SIP Threats With SBC Policies, Auto-Blacklisting

Voice Ops mailing listThere’s a good discussion going on right now (September 2014) in the VoiceOps mailing list about how you can mitigate SIP threats by configuring the policies and settings on your session border controller (SBC).  It started out with a detailed question from Robert Nystrom asking about how to configure an Acme Packet SBC in the most secure manner and asking about how best to configure access control lists (ACLs).  Several answers can be seen in the VoiceOps archive from folks such as Ryan Delgrosso, Mark Lindsey, Jim Gast and Patrick McNeil, offering commentary and suggestions about how best to proceed.

If you are not already subscribed, the VoiceOps mailing list is a great resource.  As stated on the subscription page:

This list is for discussions related to managing voice networks, both traditional and IP.

The VOIP Operators’ Group (VOG) charter is to facilitate the creation, maintenance, and operations of Voice over Internet Protocol (VOIP) related networks, products, and services.

Similar to the North American Network Operators’ Group (NANOG), The Voice Operators’ Group seeks to assist in the creation of a robust, stable and growing VOIP ecosystem.

While the topics are definitely not all about security, I would encourage you to join the list if you do anything with the operation of VoIP networks – or if you are just curious to learn more about such networks.

Working On Restoring VOIPSEC Mailing List Archive Functionality

We are unfortunately aware that the mail archives for the VOIPSEC mailing list have not been functioning for a long time.  The list still does have occasional active conversations on it and anyone is welcome to subscribe. However, the archive on the list page as well as on the VOIPSA site page for the list has been broken for a while now.  As part of our work updating the VOIPSA website I’ve been in touch with our hosting vendor to see about getting the archives back in action.  Stay tuned….

Two New Asterisk Security Vulnerabilities Related To SMS And AMI

Asterisk logoThe great folks at the Digium / Asterisk Security Team have issued two new security advisories that folks running Asterisk should pay attention to.  They are:

AST-2013-006: Buffer Overflow When Receiving Odd Length 16 bit SMS Message – If you have Asterisk set up to receive SMS messages, it seems that a 16-bit SMS message of a certain size can cause the Asterisk server to have a buffer overflow and the system to crash.  The fix is to upgrade to the latest version of Asterisk.  It sounds like the only attack method is via SMS and so if you are not connecting SMS to Asterisk it would seem this advisory would not apply to you.

AST-2013-007: Asterisk Manager User Dialplan Permission Escalation – The Asterisk Manager Interface (AMI) allows you to control the operation of your Asterisk server through external applications or other systems.  The Security Team notes that the AMI interface does allow for the execution of dialplan functions that can go beyond simply controlling Asterisk but can in fact issue shell commands to the underlying operating system.  The new versions of Asterisk now include a new option in asterisk.conf called, amusingly, “live_dangerously”, that can be set to “no” to forbid the execution of these extra functions.  They note that for backwards compatibility the default for this option is “yes” because there may be applications in use that rely on these shell functions.  It would seem prudent, though, to see if you can set this to “no” to provide the highest level of system security.

I am not currently running any Asterisk systems myself but it would seem to me that a basic “security 101″ level you should also be making sure that access to that AMI port on your Asterisk server is restricted to only the systems running any applications that need that access.

In any event, if you are an Asterisk user and haven’t upgraded to the latest version, these security alerts may be a good reason to do so!

Large-scale Attacks Against VoIP and Videoconferencing Happening Today?

Voice Ops mailing listAre there large-scale attacks happening against VoIP and videoconferencing systems today?  Or is it limited to one particular system?  In a posting this morning to the VoiceOps mailing list, J. Oquendo wrote:

We have seen a larger than normal, if not, one of the largest attacks against some of our VoIP and video conferencing systems today. Initially, we fielded a report of a “system gone bad” followed by another, then another, and another. This has now carried on into some of our videoconference units (LifeSize).

Because our goal is to get telephony up and running, there was not much we could do via incident response, so I have little to add on attack vectors however, I will state that PBXNSIP has been the primary target, with about a dozen of these being hit pretty hard to the point I’ve had to block all, stop the software and re-start it.

Given that J. Oquendo has been around VoIP security circles for quite a few years now and worked on a number of different projects, I’m inclined to believe his account.  Are any of you seeing increased attacks?   If so, I think he’d certainly like to hear from you.  If you’re not a member of the VoiceOps list, you might also want to join that list as it’s become quite a good resource for people involved in the operations of VoIP systems.

Administrative Update: Resetting user passwords for authors

If you are an author here at Voice of VOIPSA and are wondering why you just received an email about a password change, I went through and reset all the passwords on our user accounts. There was no security issue – I just realized that some of the accounts have not been used for a long time and I had no idea about the strength of the passwords.  If you want to login you’ll need to use the “Forgot my password” reset link to generate a link to a new password (or contact me and I can reset it).  My apologies for any inconvenience.

P.S. In doing this, I found a really nice random password generator at: http://sandbox.coderlab.net/rpg/index.php