Author Archives: Martyn Davies

About Martyn Davies

Martyn is Principal Consultant for Weird Crater, a telecom and software consultancy.

VoIP Security and the Service Provider

I recently had the opportunity to sit down with David Cargill, member of the council at the ITSPA trade association (www.itspa.org.uk). David is chairing the VoIP Security committee at ITSPA, and I wanted to ask him about that.

MD: Firstly, tell me something about ITSPA, and its goals?

DC: The Internet Telephony Service Providers’ Association was formed in 2004 to represent UK based network operators, service providers and other businesses involved in VoIP services. ITSPA members supply to business and residential consumers within the UK and across the European Union. ITSPA aims to promote competition and self-regulation in order to encourage the development of a flourishing and innovative VoIP industry.

MD: You’ve recently formed a VoIP Security committee; what was the spark that drove you to do that?

DC: Industrial-grade scanners are now operating around the clock to find and exploit IP-PBXs and VoIP handsets that are not secured. The majority of these are operated by low-level fraudsters, who can be stopped by taking fairly simple security measures.

The Security Committee was set up with two primary aims: firstly to collate and share information on relevant security issues with ITSPA members, and secondly to produce and distribute Best Practice Papers on key security issues to ITSPA members as well as to existing and potential VoIP customers.

MD: What are the main threats that you are focusing on?

DC: We’re currently focusing on hacking of IP-PBXs and VoIP telephones.

MD: Are these the main problems perceived by customers, and is this driven by them?

DC: When you mention VoIP security, most people think about eavesdropping. While hackers can eavesdrop on media streams and intercept VoIP packets, eavesdropping is not simple, whereas hacking into unsecured IP-PBXs is not only simple, it can be done using free tools downloaded from the internet.

Many VoIP users don’t seem to be concerned with security until they have been hacked. The driver for this is that while ITSPA members have systems to protect their core systems from exploits, often their downstream customers do not. For example, a reseller of an ITSPA member sells SIP trunks to an end user, who then downloads free PBX software, like Asterisk, and gets the system online. The system is then hacked, resulting in a large phone bill for the end user and customer service problems for the reseller and service provider.

MD: And what actions are you taking? Is it mainly an exercise in education for partners and customers?

DC: Yes it is. The strength of ITSPA is that we’re getting input from across the VoIP industry, enabling service providers to pool their knowledge and experience for the common good. So internally, within ITSPA, service providers are sharing information on new exploits, alongside the external drive to raise awareness of the threats and solutions among partners and customers.

MD: Will the committee go on to tackle further VoIP Security issues?

DC: The barbarians are at the gates, 24/7, and we need to be vigilant. The ITSPA Security Committee is planning a pro-active programme to keep its members and the wider VoIP community up to date with key security issues as they develop.

MD: Overall would you say that security is more of a problem for VoIP than for conventional voice services?

DC: No, PBXs have been targeted by hackers for years, starting with people who could whistle the right tones into a handset in the 1960s. The difference now is that IP-PBXs can be downloaded for free, so it’s a problem of scale and understanding, as the number of hackers has increased exponentially and many IP-PBXs are set up by people with little understanding of VoIP, let alone network security.

It’s also worth mentioning that many ITSPA members provide Hosted VoIP services, where in effect they operate the PBX in the cloud on behalf of their customers and ensure that the service is run securely. Customers of reputable Hosted VoIP services are not at risk of being hacked by fraudsters looking to make free calls.

MD: Is your initiative open for other service providers that want to get involved?

DC: At this stage it’s an ITSPA initiative, with news and updates to be posted on the ITSPA Directory (http://directory.itspa.org.uk), but if anyone would like to get involved or would like further information they should contact us at admin@itspa.org.uk.

David Cargill is CTO of Coms plc and an ITSPA council member.

The NSA’s Crypto Museum

[Image: Enigma Machine]

I was interested last week to discover that the USA has its own Museum of Cryptography. The National Cryptologic Museum is run by the National Security Agency in Fort Meade, Maryland. Curiously, the building used to be a motel, quite literally in Fort Meade’s backyard, but was annexed by the NSA when it came up for sale.

Over the last few years I have been a regular visitor to our own British equivalent, Bletchley Park, which is both a cryptography museum and also houses a historical collection of computers. If you’re in the UK, or visiting (Bletchley is about an hour north of London), then I would highly recommend a visit. Bletchley Park is an estate with a Victorian manor house, and during World War II it was the scene of operations of the UK’s codebreakers, including computer pioneer Alan Turing.

It sounds like Bletchley and the NSA’s museum have many things in common, both exhibiting the (in)famous German Enigma coding machine, and both having Cray supercomputers on display. I will certainly put the National Cryptologic Museum on my list of places to visit the next time I’m in the Washington area.

New Threats, Old Friends

On a lightning visit to the Infosec show in London, I chanced to meet with Ari Takanen of Codenomicon (fuzzing and quality assurance experts). Ari has a new book out: “Fuzzing for Software Security Testing and Quality Assurance”, from Artech House, available at Amazon.com and (as they say) all good bookstores. Of course, just because there’s a credit crunch doesn’t mean that security is any less of a problem, and it doesn’t mean that software defects are any fewer. It sounds like Codenomicon have a pretty good market niche.

[Image: Enigma Machine]

Facetime were talking about their new Unified Security Gateway. This appliance goes beyond URL blocking and reporting, and implements reporting for VoIP and Skype, and the whole range of IM and P2P applications. In addition they have some pretty granular tools for finding out what the usage of social sites like Facebook (FB) and MySpace is, and what the resulting bandwidth consumption might be. You can even drill down into the subsections being used (apps, music, etc.), which will be useful as FB is increasingly used for legitimate messaging and networking purposes in business. Facetime’s “special guest” on the stand was an original Enigma encryption device, brought down from Bletchley Park (a.k.a. “Station X”), the UK’s premier code-breaking museum. This is a refurbished and fully working Enigma, and on the Facetime stand they were even allowing us to have a go. I can report that it is satisfyingly mechanical to use.

AEP were also there showing some high-grade encryption equipment for providing remote sites with access to secure systems. Law enforcement and government customers have a legal duty to protect the data that they handle, and even remote users (or temporary sites) must protect data from snooping. Data at rest is a particular risk, and UK government agencies have embarrassingly lost large numbers of laptops and pen drives in recent years. It’s safer to leave the data in the secure site (rather than on a USB stick) and access it over secure links when needed. The AEP solution fits into a laptop bag, and enables a team of people to share secure data and VoIP links to a central site, routed over any convenient satellite, 3G or WAN links.

The Infosec show is still on today and tomorrow at Earls Court exhibition centre in London.

Making Phones Theft-Proof

Of course you can’t stop criminals from stealing mobile phones; they’re small, they’re expensive and there are many channels (online and offline) for selling the handsets on. However, it should be possible to make the things useless once stolen, to make resale difficult or impossible, ultimately reducing the demand for theft.

The Design Council in the UK are currently running a competition to generate ideas to make mobile phones safer, with the best idea receiving support to the tune of £100,000 to develop the idea further. This seems to me a far better way to raise money than appearing on Dragons’ Den for a ritual butt-kicking and dilution of your share capital.

As I discovered to my cost at the recent Mobile World Congress in Barcelona, mobile phone crime is rife, and a barbarian horde of dark-ages proportions is seemingly there working the city for February. I heard tales of muggings, crews targeting group dinners in restaurants, and of course pickpockets. One friend of mine had an experience in the Metro with one guy blocking his way, while another tried to slip a hand into his pocket from the other side. My friend is over 2m tall, and looks more like an international rugby player than a telco geek, and probably could have wiped the floor with both of them at the same time. Some of these teams have no fear.

In my case, my Nokia smartphone disappeared never to return. They got no satisfaction from the SIM card (which was PIN-locked), but sadly I had disabled coded locking on the handset itself, making it a useful asset, possibly worth £70 on eBay. Just look for smartphones with no cables, no charger, no manual; guess where they came from?

Incidentally, my phone was marked with a label from yougetitback.com, a worthwhile property registration and return service. Sadly in this case, the phone didn’t fall into the hands of “friendlies”, but rather those of WeHaveNickedYourPhone.com.

Of course with smartphones the problems don’t stop with your cellco contract being exposed to call fraud, or the sale of the handset itself. The phone also contains signup information in applications, and the data itself. In my case, several applications were installed including Skype, Truphone and Gizmo. A lot of VoIP apps have the capability to connect out to the PSTN using some kind of pre-pay balance, which of course could also be at the mercy of a crim once he gets his hands on your smartphone.

With the proliferation of app stores, many handsets may also be ready to provide “free” downloads to the enterprising criminal. In general, there is a lot of industry work going into making mobile phones into “wallets” that can be used for a whole variety of micro-payments, for example car parking fees. In addition there may be DRM-locked content in the handset when it is stolen; it has a monetary value, and yet is difficult to claim on insurance.

Smartphones can potentially have a lot of different apps loaded, and if we are lazy we might have them set up (for our own convenience) to log on automatically to countless online systems. The risk is not only financial, but also one of opening you to impersonation and data theft, via the variety of online services that you access from your phone.

We certainly need to think hard about the way we use services and the way we buy using our mobile handsets. PIN codes, passwords, time-locks and encryption are tools that we should have enabled, even though it means more inconvenience for us to make calls, look up our location and so on. I hope the £100K Design Council bursary generates some good ideas, and for my barbarian friends that visit Barcelona each February, let me wish you failure and humiliation in your every venture.

Amusingly, at the time my phone was stolen, I was running a number of location applications including Palringo, Buddycloud and I think also Google Latitude (and yes, it does run hot with all the apps running!). A friend suggested that we go and look up where the handset travelled to, and then put the police on to them! Sadly, in this case the crim was not so dumb, and had already powered off the phone. That would have been sweet revenge indeed.

Oyster not all it’s Cracked-up to be

Some Dutch researchers recently illustrated once again that “security by obscurity” is not a good way to secure systems. Transport for London (TFL) have for some years been running a prepay card system called the “Oyster Card”. The Oyster Card is an RFID card that you wave over a sensor at the start and end of your train trip, which takes money from your prepay account with TFL. Oyster offers a preferential rate, cheaper than paper tickets, and has had a very high take-up rate with London commuters and residents.

However, the system has now been cracked. At the heart of the Oyster card is a chip called the Mifare Classic, which uses a secret algorithm. Some Dutch researchers decided to target this system, and have discovered how this works. As a demonstration, they used their knowledge to create their own card, which they used to travel around free on the London Underground for a day.

Their interest in the Oyster Card probably stems from the fact that the same Mifare Classic chip is also used in access cards used to secure Government buildings in the Netherlands. In a rather nice demonstration of the separation of powers working in a democratic country, they now have leave from a Dutch judge to publish details of how the Mifare algorithm works, which they will be doing at a security conference in the coming October. This is not the outcome that the Dutch government would have wanted, since they now have to take extra steps to secure buildings with more security personnel.

But “hushing the problem up” is not a solution in the security world. The problems don’t go away when you punish the researchers. For every ethical hacker there are probably another two black hats who want to sell the information to those that could profit from free travel in London, or access to Dutch Government property.

Does VoIP Exist?

This was a question I asked at the recent VON conference in San Jose, CA. Of course we talk a lot here about VoIP Security, but actually if we take a step back, is VoIP itself any longer a meaningfully separate concept? The thing is that technology moves on, and maybe some people care whether they are connected via cable or ADSL, but pretty much, the average Joe is happy that “broadband” is magic that provides fast Internet. Today there’s still talk about “WiFi” as a distinct technology, but WiMax, LTE and mobile broadband (EVDO, UMTS etc) are on the rise, and within a couple of years, we’re all likely to have forgotten which technology we’re using to connect to the Internet.

So my thesis is that IP is so very intrinsic to the nature of all telecoms today that it’s probably not even worth using “Vo” any longer. Why should I say that? Well, firstly, SS7, the mainstay of today’s international telecoms network, in many cases uses IP to carry the signalling traffic, using the protocol family known as Sigtran. In traditional telecoms, media and signalling have long been split, with SS7 connecting the calls, and a parallel network of E1/T1 links carrying the voice calls. The long-established estrangement of media and signalling continues into the NGN world, with signalling now mostly meaning SIP, and the media usually RTP, but there is still a world of choice. When SS7 meets SIP we can often find ISUP (the call control protocol most widely used by telecoms incumbents) being tunnelled using protocols like SIP-I and its twin (in the iron mask) SIP-T. In the “legit” SS7 community we find that BICC (Bearer Independent Call Control) allows us to connect calls in a way familiar to all fans of ISUP, and yet the calls themselves don’t need to be 64k bearer channels any more, but can also be the IP-friendly RTP streams.

This is not a fashion, but simply an evolution. Today, when telcos federate, it is largely using traditional TDM lines, and traditional SS7 protocols. But this is changing: it’s very cheap and convenient to interconnect using Sigtran, and there is much talk about how to connect calls using “codec free” operation: that is, to pipe the audio unchanged from end to end, to optimize audio quality and bandwidth usage. The GSM Association are promoting a system called IPX, which will allow mobile carriers to interconnect using IP, such that not only signalling and media are seamlessly interconnected (via a private intranet), but also settlement data will automatically be exchanged, so that every telco knows what they owe to every other party.

If I may press my point further, in many projects the traditional TDM core is being removed in favour of a big SIP router surrounded by a ring of session border controllers (SBCs). One major factor in these projects is that the customers are still today 80/20 connected via traditional E1/T1 or SS7 networks, which means that part of the magic is a media gateway that knows how to talk both SS7 and SIP. So SIP networks have TDM customers, and your Granny may already be using IP without even knowing it.

So does VoIP exist? When IP is such a fundamental tool in what we know as “legacy” telco networks, perhaps it does not. Consequently does VoIP Security exist? Well as we’ve often discussed here at the VoIPSA blog before, when you start moving voice traffic over your IP network, then you have all the voice system vulnerabilities plus all the IP vulnerabilities that just arrived at your doorstep. Perhaps actually the truth is that nearly all voice is already VoIP, so VoIP security is not just an enterprise concern, but is actually a core issue for every telco on the planet.

Voice Phishing – According to Squawkbox

For some weeks, Alec Saunders, ace blogger and iotum founder, has been running a podcast experiment via Facebook. Iotum have created a free conference call application on Facebook (which works rather well in fact), and to showcase its use Alec and friends use the conference facility to record a daily podcast show called Squawkbox, talking about topical news in tech.

Today’s show was on the subject of voice phishing, a favourite topic of some of our friends here at VOIPSA. In fact, VOIPSA board members Dan York and Jonathan Zar (also the Blue Box Podcast team) were on Alec’s call today. So if you’ve time to give it a listen, it’s an interesting discussion, and it can be found here.

Breaking Ciphers on a 5.8MHz Pentium?

The UK’s National Codes Centre recently ran a competition for amateur codebreakers to try their hands at breaking one of the original WW2 codes (the Lorenz cipher) using modern PC hardware. The National Codes Centre at Bletchley Park (known as “Station X” during the war) is a museum and heritage site for early computing as well as codebreaking. In a nice irony, the winner of the competition was a German programmer, Joachim Schueth, who ran his software on a 1.4 GHz laptop with NetBSD as the O/S, beating the original Colossus codebreaker by a margin of hours. The original Colossus could break the code in 3 hours and 15 minutes, whereas Schueth’s code took just 46 seconds.

On the performance difference, Schueth himself said: “My laptop digested ciphertext at a speed of 1.2 million characters per second – 240 times faster than Colossus. If you scale the CPU frequency by that factor, you get an equivalent clock of 5.8 MHz for Colossus. That is a remarkable speed for a computer built in 1944. Even 40 years later many computers did not reach that speed. So the Cipher Challenge would have been very much closer had it taken place 20 years ago.” That’s right, not GHz, but MHz. The original Colossus was not so much a Pentium, but rather a Z80.

At Bletchley Park, they have a working Colossus which was lovingly rebuilt over many years by a team of enthusiasts, with help from some of the original designers. The Colossus MKII can be seen working by visitors to Bletchley Park.

Colossus Redux

Bletchley Park is the UK’s mecca for people interested in the history of code breaking, and in particular the codes of World War 2. Bletchley Park (in WW2 known as “Station X”) was the home of the code breakers, and where early computing pioneers like Alan Turing worked on the science of breaking ciphers.

This week, a team of volunteers led by Tony Sale completed a 14 year project to rebuild Colossus, one of the code-breaking computers used at Bletchley Park. After the war the machines were dismantled and even the plans destroyed by order of the military, so the Colossus had to be painstakingly remembered and reconstructed, with the help of some of the original engineers that built it. Tony Sale has had a long association with Bletchley Park, and also with remembering and rebuilding the most important antique computers in the British history of computing.

Although the Colossus was somewhat single-minded in its operation, its use of valves as electronic switches paved the way for the general-purpose computers of the 1940s and 50s, and of course the work they did at Bletchley paved the way for the use of encryption technologies that we use today in data and voice applications across the Internet.

Link: Silicon.com report on the Colossus rebuild.

VoIP Hacker Goes to Jail

Some time back we reported here about the Pena/Moore case, where a duo stole VoIP services and then sold them on to third parties, who thought they were buying a legitimate service. Pena went on the run, and I believe is still missing. The techie of the duo, Robert Moore is now off to prison. Information Week have an interview with him here.