Author Archive

Web page for RUCUS BOF at IETF 71 now at new URL

Monday, March 3rd, 2008 by Dan York

As I mentioned previously (here and here), the “RUCUS” BOF about voice spam at IETF 71 in Philadelphia is one of great interest with its focus on voice spam, a.k.a. “SPam for Internet Telephony” or “SPIT”. Unfortunately BOF co-chair Hannes Tschofenig ran into a problem with his domain and had to move the page to a new URL: http://www.shingou.info/bof-rucus.html

If you saved the URL or sent it on to someone, you’ll need to update to using the new URL. If you didn’t visit the RUCUS page before, please do check it out - and feel free to join the RUCUS mailing list. Of course, if you can, please do join us in person in Philadelphia!


VoIP Hopper 0.9.9 released with improved VLAN hopping

Monday, February 25th, 2008 by Dan York

Blue Box listener Frank Leonhardt clued us in to the fact that VoIP Hopper 0.9.9 was released back on February 19th. VoIP Hopper is a tool that allows you to “hop” between the data and voice VLANs (or any other VLANs). It was written primarily because the authors were tired of hearing people say that VLANs were a true security mechanism (Hint: They’re NOT!). We’ve written about it before and talked about it on a Blue Box episode and a Telecom Junkies show, and it is indeed an interesting test tool. Per the release notice, this version 0.9.9 has these new features:

  • CDP Generator! VoIP Hopper can generate CDP packets in order to discover the Voice VLAN ID, as any IP Phone based on CDP would do. In this CDP spoof mode, VoIP Hopper will send two CDP packets in order to decipher the VVID, then it will iterate between sleeping for 60 seconds, and sending another packet. Not only is this faster than CDP sniffing, but it can also help bypass any mechanisms that rely on CDP for permitting access to the Voice VLAN.

  • Voice VLAN Interface Delete: VoIP Hopper can delete the created Voice Interface

  • MAC Address Spoof, then exit: VoIP Hopper can change the MAC Address of an interface offline and exit, without VLAN Hopping.

You can visit the VoIP Hopper site to learn more.


Slides about Peer-to-peer SIP (P2PSIP) security now available

Wednesday, February 20th, 2008 by Dan York

Want to learn more about the VoIP security aspects of peer-to-peer SIP? As I mentioned in the VOIPSEC mailing list last week, researchers from Huawei and the University of California recently released an Internet-Draft called “P2PSIP Security Analysis and Evaluation” which dives into an analysis of security issues in P2PSIP. It’s a good overview and one I’d strongly recommend to folks. (Note - you may want to read “P2PSIP Concepts” first to understand the language being used.)

Beyond the Internet-Draft, though, the researchers announced yesterday that slides (PPT) that go into the issues are now available. These are being prepared for presentation at the upcoming IETF 71 meeting March 10-14 in Philadelphia, so if you are attending the event you’ll be able to hear the presentation yourself.

Peer-to-peer SIP is a fascinating area of current research and it’s good to see work like this being put into exploring the security aspects. Note - the researchers are looking for feedback so if you have comments on what you read, their contact information is in the Internet-Draft.


Blue Box Podcast #76 now available - Cisco, Skype and BT vulnerabilities, when SIP looks like SPIT, VoIP security threat predictions and the FBI forgets to pay their bills

Wednesday, February 20th, 2008 by Dan York

Blue Box Podcast #76 is now available discussing Cisco, Skype and BT vulnerabilities, when SIP looks like SPIT, VoIP security threat predictions and the FBI forgets to pay their bills, plus listener comments and more…

Jonathan and I recorded the show on January 22nd and I’m now *almost* caught up with 1 main show still in the production queue (and about 10 special editions!)


Join the new RUCUS mailing list if you want to look at ways to end SPIT!

Friday, February 15th, 2008 by Dan York

As mentioned previously, there is a new session planned for IETF 71 in March called “Reducing Unwanted Communications Using SIP”, a.k.a. “RUCUS”.

The RUCUS mailing list is now open for subscriptions and we encourage anyone interested in looking at how we address the issue of voice spam, a.k.a. “Spam for Internet Telephony” a.k.a. “SPIT”, to join the conversation.

We would ask you to please read the group description prior to joining so that you understand what we are trying to do. The primary goal of this session in March in Philadelphia is to look to understand the architecture necessary to address the issue and identify the pieces of that architecture that may already be there or may need to be put in place.


Blue Box Podcast Special Edition #23 - An Interview with Bob Bradley of Sonus Networks

Tuesday, February 12th, 2008 by Dan York

Blue Box Special Edition #23 is now available for download. In this podcast I sat down with Bob Bradley from Sonus Networks to talk about their products and solutions, how they secure customers’ networks and how they are different from other similar products in the market. I believe you’ll find it an interesting and useful introduction to the company.


If any of you are currently at the Mobile World Congress in Barcelona…

Tuesday, February 12th, 2008 by Dan York

If any of you reading this are at the Mobile World Congress (formerly “3GSM”) in Barcelona, Spain, this week, VOIPSA Secretary (and Blue Box co-host) Jonathan Zar is there as well. If you are there, please do drop him an email as (schedule permitting) he is always interested to meet up with others interested in VoIP security.


Blue Box Podcast #75 - VoIP security news, SANS report, Asterisk vulnerability, more…

Monday, February 11th, 2008 by Dan York

After a bit of a production hiatus, Jonathan and I are back with Blue Box Podcast #75 where we talk about the VoIP security news back in early January. We talked about the Asterisk vulnerability out then, the SANS white paper on VoIP security, several other news items and a ton of listener comments. More information is available in the show notes.

End-to-end VoIP security using DTLS-SRTP? (A new proposal…)

Monday, February 11th, 2008 by Dan York

As we’ve discussed both here and on Blue Box, securing the keys for Secure RTP is one of the remaining challenges to having secure voice transmission in the open standards world of SIP. Out of the large number of proposals to secure the key exchange, “DTLS” emerged as the choice of the IETF… but it still had the issue that an endpoint needed to be sure of the authenticity of the other endpoint’s certificate. SIP Identity (RFC 4474) and a draft “Identity-Media” from Dan Wing addressed the authenticity issue but broke in some common network configurations. Now Kai Fisher has put out an Internet Draft called “End-to-End Security for DTLS-SRTP” that proposes a mechanism to address that. In the post to the SIP mailing list, Kai explains the motivation:

I have submitted a draft proposing a solution to secure a DTLS-SRTP handshake and hence SRTP end-to-end (in terms of end-domain to end-domain). As discussed during the last IETF meetings and analyzed by Dan’s Identity-Media draft, current solutions like SIP Identity do not protect the authenticity of the fingerprint end-to-end in certain inter-domain scenarios. For example, a modification of SDP m-/c-lines or the From header field by intermediaries breaks the SIP-Identity or Identity-Media signature and causes a re-signing by a domain different to the originating one. The draft proposes a solution for such scenarios without the need to re-sign during domain traversal and which preserves the original identity information.

The abstract to the draft provides more info:

The end-to-end security properties of DTLS-SRTP depend on the authenticity of the certificate fingerprint exchanged in the signalling channel. In current approaches the authenticity is protected by SIP-Identity or SIP-Identity-Media. These types of signatures are broken if intermediaries like Session Border Controllers in other domains change specific information of the SIP header or the SIP body. The end-to-end security property between the originating and terminating domain is lost if these intermediaries re-sign the SIP message and create a new identity signature using their own domain credentials.

This document defines a new signature type ‘Fingerprint-Identity’ which is exchanged in the signalling channel. Fingerprint-Identity covers only those elements of a SIP message necessary to authenticate the certificate fingerprint and to secure media end-to-end. It is independent from SIP-Identity and SIP-Identity-Media and can be applied in parallel to them.

More details can, of course, be found in the draft. As noted in the post to the SIP mailing list, Kai is looking for feedback. This is an important issue to get done - and to get done correctly - so we strongly urge people to take a look at the document and provide feedback if you see ways the proposal can be improved.
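
The failure mode described above can be reproduced in a few lines. This is an added illustration, not code from the draft or from the original post: `identity_digest` follows the RFC 4474 digest-string (which covers the whole message body), while `narrow_digest` is a hypothetical stand-in for a signature that covers only the fingerprint-relevant elements, since the draft's actual field list is not given here. HMAC stands in for the domain's RSA signature, and the INVITE values, key and `sbc_rewrite` helper are constructed for the example.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # stand-in for the originating domain's signing key
ORIGIN = "sip:alice@a.example"  # constructed originating identity
HEADERS = {  # constructed sample INVITE header values
    "From": "sip:alice@a.example", "To": "sip:bob@b.example",
    "Call-ID": "c1d2e3@a.example", "CSeq": "1 INVITE",
    "Date": "Mon, 11 Feb 2008 10:00:00 GMT", "Contact": "sip:alice@192.0.2.10",
}
SDP = "\r\n".join([  # constructed sample offer
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 49170 UDP/TLS/RTP/SAVP 0",
    "a=fingerprint:SHA-1 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33",
]) + "\r\n"

def identity_digest(h, body):
    """RFC 4474 digest-string: six header values plus the whole message body."""
    return "|".join([h["From"], h["To"], h["Call-ID"], h["CSeq"], h["Date"], h["Contact"], body])

def narrow_digest(origin, h, body):
    """Hypothetical narrow coverage: origin identity, Date and a=fingerprint only."""
    fps = [l for l in body.split("\r\n") if l.startswith("a=fingerprint:")]
    return "|".join([origin, h["Date"], *fps])

def sign(s):
    return hmac.new(KEY, s.encode(), hashlib.sha256).hexdigest()

def verify(s, sig):
    return hmac.compare_digest(sign(s), sig)

def sbc_rewrite(body, media_ip="198.51.100.7", port=20000):
    """Rewrite the c=/m= lines, as a media-anchoring Session Border Controller does."""
    out = []
    for line in body.split("\r\n"):
        if line.startswith("c="):
            line = f"c=IN IP4 {media_ip}"
        elif line.startswith("m=audio "):
            line = f"m=audio {port} " + line.split(" ", 2)[2]
        out.append(line)
    return "\r\n".join(out)

def demo():
    full_sig = sign(identity_digest(HEADERS, SDP))
    narrow_sig = sign(narrow_digest(ORIGIN, HEADERS, SDP))
    relayed = sbc_rewrite(SDP)  # what the terminating domain receives
    return {"full_ok": verify(identity_digest(HEADERS, relayed), full_sig),
            "narrow_ok": verify(narrow_digest(ORIGIN, HEADERS, relayed), narrow_sig)}

if __name__ == "__main__":
    print(demo())
```

The narrow signature still fails if the `a=fingerprint` line itself is altered in transit, which is the property the receiving endpoint relies on when it checks the DTLS certificate.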


Skype releases new Windows version with security fixes…

Tuesday, February 5th, 2008 by Dan York

If you are using Skype on Windows, today would be a good day to upgrade! As noted in their release notice, this new version 3.6.0.248 includes a fix to the cross-site scripting vulnerability, along with a wide range of other fixes.
