Happy New Year! Welcome to 2014! We’re looking forward to more activity happening here at VOIPSA this year… stay tuned for more information! In the meantime, we hope that you all have a very secure 2014 without any major security issues with your VoIP and other communication systems!
We are unfortunately aware that the mail archives for the VOIPSEC mailing list have not been functioning for a long time. The list still does have occasional active conversations on it and anyone is welcome to subscribe. However, the archive on the list page as well as on the VOIPSA site page for the list has been broken for a while now. As part of our work updating the VOIPSA website I’ve been in touch with our hosting vendor to see about getting the archives back in action. Stay tuned….
The great folks at the Digium / Asterisk Security Team have issued two new security advisories that folks running Asterisk should pay attention to. They are:
AST-2013-006: Buffer Overflow When Receiving Odd Length 16 bit SMS Message – If you have Asterisk set up to receive SMS messages, it seems that a 16-bit SMS message of a certain size can cause the Asterisk server to have a buffer overflow and the system to crash. The fix is to upgrade to the latest version of Asterisk. It sounds like the only attack method is via SMS and so if you are not connecting SMS to Asterisk it would seem this advisory would not apply to you.
AST-2013-007: Asterisk Manager User Dialplan Permission Escalation – The Asterisk Manager Interface (AMI) allows you to control the operation of your Asterisk server through external applications or other systems. The Security Team notes that the AMI interface does allow for the execution of dialplan functions that can go beyond simply controlling Asterisk but can in fact issue shell commands to the underlying operating system. The new versions of Asterisk now include a new option in asterisk.conf called, amusingly, “live_dangerously”, that can be set to “no” to forbid the execution of these extra functions. They note that for backwards compatibility the default for this option is “yes” because there may be applications in use that rely on these shell functions. It would seem prudent, though, to see if you can set this to “no” to provide the highest level of system security.
I am not currently running any Asterisk systems myself but it would seem to me that a basic “security 101″ level you should also be making sure that access to that AMI port on your Asterisk server is restricted to only the systems running any applications that need that access.
In any event, if you are an Asterisk user and haven’t upgraded to the latest version, these security alerts may be a good reason to do so!
Are there large-scale attacks happening against VoIP and videoconferencing systems today? Or is it limited to one particular system? In a posting this morning to the VoiceOps mailing list, J. Oquendo wrote:
We have seen a larger than normal, if not, one of the largest attacks against some of our VoIP and video conferencing systems today. Initially, we fielded a report of a “system gone bad” followed by another, then another, and another. This has now carried on into some of our videoconference units (LifeSize).
Because our goal is to get telephony up and running, there was not much we could do via incident response, so I have little to add on attack vectors however, I will state that PBXNSIP has been the primary target, with about a dozen of these being hit pretty hard to the point I’ve had to block all, stop the software and re-start it.
Given that J. Oquendo has been around VoIP security circles for quite a few years now and worked on a number of different projects, I’m inclined to believe his account. Are any of you seeing increased attacks? If so, I think he’d certainly like to hear from you. If you’re not a member of the VoiceOps list, you might also want to join that list as it’s become quite a good resource for people involved in the operations of VoIP systems.
If you are an author here at Voice of VOIPSA and are wondering why you just received an email about a password change, I went through and reset all the passwords on our user accounts. There was no security issue – I just realized that some of the accounts have not been used for a long time and I had no idea about the strength of the passwords. If you want to login you’ll need to use the “Forgot my password” reset link to generate a link to a new password (or contact me and I can reset it). My apologies for any inconvenience.
P.S. In doing this, I found a really nice random password generator at: http://sandbox.coderlab.net/rpg/index.php
The great folks on Digium’s security team published two security advisories this week that could lead to remote crashes of an Asterisk server.
The first, AST-2013-004, Remote Crash From Late Arriving SIP ACK With SDP, has this description:
A remotely exploitable crash vulnerability exists in the SIP channel driver if an ACK with SDP is received after the channel has been terminated. The handling code incorrectly assumes that the channel will always be present.
The second, AST-2013-005, Remote Crash when Invalid SDP is sent in SIP Request, has this description:
A remotely exploitable crash vulnerability exists in the SIP channel driver if an invalid SDP is sent in a SIP request that defines media descriptions before connection information. The handling code incorrectly attempts to reference the socket address information even though that information has not yet been set.
My one critique of the security advisories is that they don’t contain any “mitigating circumstances” that explain the circumstances under which the vulnerabilities could be exploited. For instance, it would seem from reading the documents that at least in the first case there would need to be a successful SIP connection established first – and then ended – before the packet could be received that would cause the crash. Unfortunately I don’t personally know Asterisk’s internals well enough to comment on that.
Regardless, the fix here is to upgrade to the latest versions of Asterisk as documented in the security advisories.
Kudos to the Digium folks for issuing these advisories and continuing their clear process of letting people know about security within Asterisk.
This week the SIP Network Operators Conference (SIPNOC) takes place in Herndon, Virginia, and the SIPNOC agenda turns out to have a great focus on security as it relates to VoIP and IP-based communications in general. The security-related sessions include:
- The Growth of Robocalling SPIT
- Communications Service Providers and Threat Intelligence Sharing
- Panel Discussion: Anatomy of a VoIP DMZ
- VoIP Theft: Werewolf or Hydra
- Who are You Really Calling? How DNSSEC Can Help
There will also be a “VoIP Security Birds-of-a-feather (BOF)” session tomorrow evening where we’ll be sharing information about VoIP security issues and learning from each other about what issues people are seeing.
Sponsored by the SIP Forum, SIPNOC is an educational event that brings together primarily technical and operations staff from a wide range of telecommunications and VoIP service providers. It is not a trade show, i.e. there is no exhibit hall. It is just focused on providing educational sessions and networking opportunities.
I’ll be there at SIPNOC speaking about DNSSEC, IPv6 and moderating the VoIP security BOF and the VoIP DMZ panel . I look forward to meeting up again with many of the folks who have attended SIPNOC in the past years. The event is not livestreamed, but if you are in the DC area and want to attend, registration is still open.
If you are there at SIPNOC 2013, please do say hello!
The U.S. Department of Homeland Security recently issued a bulletin titled “TDoS Attacks on Public Safety Communications” and while it was “Law Enforcement Use Sensitive/For Official Use Only” a copy was obtained by Brian Krebs who wrote about it on his site and also published the DHS bulletin publicly.
This resulted in a small flurry of related articles that Mark Collier listed on his VoIP security blog. Most of the articles, unfortunately somewhat predictably, seem to be rehashes of Brian Krebs’ post and/or the DHS bulletin. However, the point is definitely solid – these are real attacks that are happening on call centers out there, including those operated by emergency services organizations. No one wants to be on the receiving end of hundreds (or thousands) of phone calls clogging up your call center and making it unusable for regular business.
The connection to VoIP is that made by Brian Krebs in his article:
According to a recent report from SecureLogix, a company that sells security services to call centers, free IP-PBX software such as Asterisk, as well as computer-based call generation tools and easy-to-access SIP services, are greatly lowering the barrier-to-entry for voice network attackers.
This is the key point. VoIP systems make these kind of attacks much easier to create. Anyone can take one of the various free VoIP servers and create a script that will generate a crazy number of phone calls. And of course the Caller-ID can be easily spoofed using the same servers. I’m sure there are already scripts out there that automate all of this for would-be attackers.
The challenge is then finding either a VoIP service provider (or “ITSP” or “SIP Service Provider”) who will let the attacker send out phone calls to the PSTN – or to find victims that allow incoming SIP connections (which means that attacks could come from any Internet connection). Or to find components of the SIP signaling infrastructure that have weak (or no) authentication and through which an attacker can send calls. For example, SIP gateways that allow incoming SIP calls with minimal (or easily spoofable) authentication.
It’s not necessarily easy to do, but VoIP systems do make it easier than it was in the past, largely because the attackers can obtain a degree of anonymity through masking their source, and also because of the automation of the calling possible through the systems.
Defending against a TDoS is not the easiest, particularly when the attackers can use spoofed Caller IDs to hide their origin. Here is a place where VoIP actually helps because if the calls are coming in over IP, firewalls and other network monitoring tools can be used to recognize patterns and potentially identify and block sources of the attacks. There are companies such as SecureLogix (whose CTO is Mark Collier, whom I linked to earlier) who do sell products and services to help address these threats. As we increasingly move to IP-based communications there will no doubt be many more companies and service providers offering such services.
We as an industry do need to do what we can to help people understand both the threat posed by these attacks, and also the mitigations and possible solutions.
In the meantime, expect more people to be talking about this issue due to this DHS bulletin and the surrounding attention in the media.
What do you think? What should be done within the VoIP vendor/organization community? What are good steps to promote to defend against TDoS attacks?
Should we still be talking about “VoIP security”? Or should we be using some other language?
Back when we started VOIPSA in 2005, “voice over IP (VoIP)” was the term we all were using, but as we look at what kind of activities come next, we’re starting to wonder if we should be talking about “communications security” a bit differently.
For starters, in the past 8 years we’ve moved far beyond simply “voice” into video over IP, text messaging over IP, data sharing over IP… all within a single communications session. Is that still “VoIP”?
Beyond that, we’ve seen a range of other terms coming into usage, including:
- unified communications (UC)
- real-time communications (RTC)
- cloud communications
- IP communications
and many more. Plus new technologies are out that have pushed “VoIP” beyond its traditional proprietary protocols and the open standard of the Session Initiation Protocol (SIP). We’ve seen the strong emergence of XMPP (Jabber) and its related “Jingle” protocol. We’ve seen the explosion of interest in the WebRTC / RTCWEB protocols and tools.
Are all of those “VoIP”? Or are they something more?
Should we be talking about…
- UC security?
- real-time communications security?
- IP communications security?
Or perhaps just plain old “communications security”? (or is that too generic?) I’ve seen some people talking about “SIP security”, but now that is specific to a single protocol.
Or is “VoIP security” still an okay term to use?
What do you think? What do you use? What do you hear vendors and others using? How should we be talking about securing all these many ways we have to communicate now over IP networks?
Please do let us know either as comments here or out on social networks. (Thanks!)
This morning The Next Web reported on an exploit where Skype’s password reset web page could be used to hijack a user’s Skype account using only the password associated with the account. So… if you could guess someone’s email address (which can often be found through a Google search), you could effectively take over their Skype account.
Microsoft/Skype has DISABLED this feature while they investigate further so it appears that for the moment the security risk is limited.
However, it may be wise to watch closely the email account associated with your Skype ID for the next bit to see if any random password reset messages are sent to your account. Odds are that attackers will be sniffing around trying to see if there is any other way to exploit the apparent vulnerability.
The Next Web team reports that they were able to reproduce the attack on two Skype accounts of willing victims, confirming that the vulnerability was indeed real. They also reported the issue to Skype and worked with folks there.
The vulnerability is interesting in that it shows the complexity of modern communication applications. Skype is for the most part a desktop/mobile application, but yet it does rely on a centralized cloud-based service for authentication/passwords, etc. A vulnerability in the web interface for that central service then weakens the security of the overall system.
The “good” news for Microsoft/Skype is that because this appears to be a vulnerability in the web interface of the centralized system, this is probably something relatively easy for them to fix – and without requiring any client updates.
Kudos to Microsoft/Skype for reacting quickly to minimize the risk and we look forward to the issue being addressed.
UPDATE #1: Skype has issued a brief statement on their “heartbeat” web site with the same text that has been quoted in several articles.
UPDATE #2: The Verge has an article out now where many people in the comments are suggesting you change the email address associated with your Skype account to something less likely to be guessed. While Microsoft seems to have removed the immediate attack vector and this change is no longer critical to do, it may be something some of you may want to consider.
UPDATE #3: There’s a long Hacker News thread on this issue that also includes a link to an article walking through the exploit step-by-step as well as walking through links to protect your account. Note that because of the steps Microsoft has taken the exploit steps no longer work.