Voice of VOIPSA

This afternoon at VoiceCon in San Francisco, Cullen Jennings (of Cisco and Area Director for the Real-time Applications and Infrastructure area of IETF) and Eric Rescorla (Network Resonance, security advisor to IETF RAI area and involved with TLS spec) gave a 3 hour tutorial on “SIP Security”.  Both Cullen and Eric (also known as “ekr”) are extremely involved with IETF efforts on securing SIP, so they were definitely the ones to do this presentation.

Cullen started out giving an overview of basic SIP and the issues within SIP that create challenges for security:  routing/retargeting, forking and media before SDP answer (”early media”).  Cullen gave the example for “early media” of getting the ringtone back, for instance, when you call someone in Europe.  Streaming early media also sets up the media path so that there is no clipping.  Lastly, some companies use early media in the PSTN to stream IVR msgs (FedEx, for example, plays the first 5 secs of their call center) and SIP needs to interoperate with those systems.  (Open question - what do you do when you get early media from two endpoints that were forked? )

Cullen went on to describe the threats to VoIP, which he nicely summarized on one slide: Toll Fraud, Eavesdropping, Learning private information, Session replay, Fake identity & impersonation, Hijacking calls, Media tampering, DoS, Spam.  He went on to elaborate on the different kinds of attackers.

Eric then stood up to give an overview of cryptography.  Eric, one of the fastest talkers I’ve met, walked us through symmetric encryption, digest authentication (let’s you authenticate without having to send password in the clear, because both ends know the password), the key management problem (typically the hardest aspect of any security system), public key cryptography, digital signatures and hashes.  Eric then went into a great step-by-step tutorial of how TLS is put together, starting with a basic channel security protocol and then talking about how to fix replay attacks, adding client authentication and adding in algorithm negotiation.  One of the best descriptions of TLS that I’ve yet seen.

Cullen came back up to talk about securing the signaling.  First he spoke about digest authentication and then got into TLS, pointing out that a major issue with TLS is the last hop.  Proxies can easily get signed certificates, but getting certs in all the phones is a challenge. Cullen spoke about SIP “outbound” (also see here), which is a proposal that is close to getting to an RFC that addresses the issue of phones not having certs by essentially having the phones create TLS connections to their local proxy first.  That last hop is now secured.

Cullen then moved into one of my favorite topics - identity.  He spoke of the new(er) Identity RFC, RFC 4474, which standardizes a mechanism for a proxy to cryptographically assert the identity of one of the proxy’s users.  The nice thing with SIP Identity is that you don’t need to modify the phones.  It’s all done in the server software.  SIP Identity looks to play an important role in efforts to combat SPIT, so it’s a key piece of the puzzle.

He continued into S/MIME and the problems with why it hasn’t really been widely deployed: users don’t have certs, no directory of certs and what about multiple handsets/devices?  He then described a proposal that is an Internet-Draft, “Certificate Management Service for SIP” (status here), that would provide a mechanism for exchanging certificates for end-to-end encryption.

Cullen concluded by discussing how SIP deals with privacy issues, such as how to make anonymous calls (such as those needed by women’s shelters, whistleblowers, national security).  The main recommendation is the need to have better anonymizing services to hide IP addresses in the From headers inside a SIP message.

Eric came up then to provide the last major segment around media encryption.  As we’ve written about here and discussed over on Blue Box, the major issue in securing media really comes down to dealing with key exchange.  Eric relayed the basic issues, the status of where the discussions are and then walked through the various solutions.  He outlined the problems of MIKEY, the attempted (and failed) solution with sdescriptions and then the basics of ZRTP and DTLS.  Eric, one of the people involved with the DTLS spec, gave a great overview of the DTLS spec and how it works.

Cullen came back up to wrap up the session with a comparison to the PSTN where he again stated his assertion that with VoIP we will wind up with far better security than that of the PSTN. He concluded saying that signaling security is mostly solved, RTP security is getting close, privacy works but does needs some work on location anonymous and that “security should and will be automatic.”

Back to telephony SPAM or SPIT again. Hannes Tschofenig noted on his blog the publication of an RFC draft on the use of CAPTCHAs in SIP.

For the uninitiated, CAPTCHA means “Completely Automated Public Turing Test to Tell Computers and Humans Apart”, or in other words an automated test of your humanity. In the context SPAM over Internet Telephony, the aim is to tell genuine human callers from ‘bots’ or software that aims to make our phones ring and play unwanted marketing messages at us.

Some of the choices are laid out there, for example a system (corporate PBX for example) could challenge an incoming call, by playing a sound, then asking you to describe the sound. Or in the case of a video call, show you a picture and ask you to describe it in words before connecting the call. A moment’s examination would allow a human to conclude “teapot”, where a computer looking at a cartoon or photo teapot would need to expend a lot of CPU to reach the same result.

Ok, you may say that computers are so smart now that they can recognize pictures, or do automatic speech recognition (speech to text) remarkably well. This is true, to a degree, but the fact is that clever CAPTHCAs will demand heavy processing on the attacker’s side, and this works against what they are trying to do. After all, they want to implement systems that can make thousands of calls per hour at low cost. If we increase the cost of the calls by adding a quarter of a second of CPU to each call, then we give the telephony spammers a capacity problem, and force them to spend much more on server machines. By making SPAM an economic problem once again, we can raise the barriers to entry.

The draft text can be found here, and Hannes’s blog is here.

Technorati Tags: SPIT, SPAM, CAPTCHA

One aspect of VoIP security that keeps coming to my attention in recent weeks is that of location privacy, or in other words, does the call recipient (or others ‘listening on the line’) know where you are?

At a VON Europe panel this week, Cullen Jennings, Distinguished Engineer at Cisco, was talking about peer-to-peer (P2P) SIP, and how the P2P approach definitely helps with location privacy. He gave the example of emergency procedures in the USA, which require the country’s President and Vice President to be in different physical locations from each other yet still be able to communicate. At the same time, they must prevent eavesdropping enemies from locating the Vice President physically.

I said that ‘P2P helps’, but perhaps I should say ‘can help’, with the right systems in place. In the UK last week, Sky News ran a story about how criminals might use encrypted VoIP to run circles around the police, due to the difficulty of tapping and listening to the calls. I hope to be able to write in more detail in the next few weeks why this is basically untrue, but the information I have received is that the VoIP providers “can be very helpful” to the police in these cases. Even if a VoIP stream cannot be decrypted, it is often possible to obtain a list of times, durations, and IP addresses that can easily provide both location and evidence. Also, if a VoIP call breaks out onto the PSTN, a service offered by many or most VoIP telcos, then once again you have a location (albeit the call destination rather than the source), and you have the opportunity to monitor the call.

No-one likes to think that all their calls are being tracked, or that their location is known at all times, but of course in democratic countries we assume that there are enough checks and balances to ensure that this information is available to few and will not be abused. At the same time, criminals and terrorists should not assume that new technologies like VoIP and IM give them a cloak of anonymity, because this is definitely not the case.

As systems become increasingly interconnected, how do we prevent Spam for Internet Telephony, a.k.a. “SPIT” or “VoIP spam”. As we talked about in this blog and on the Blue Box podcast, SPIT today is not really a huge issue because the PSTN serves as a de facto firewall between companies/entities.  But as we move toward increasing interconnection and to the point where a random SIP user could make a SIP connection across the Internet to any other random SIP user, we definitely do have to worry about SPIT and how to prevent it.

Within the IETF, a group has been working on the issue and now has two documents available for review:

• A Framework for Reducing Spam for Internet Telephony
• Requirements for Authorization Policies to tackle Spam for Internet    Telephony and Unwanted Traffic

This is the initial release of both documents and the authors are definitely seeking feedback.  Speaking of the authors, they include many of the names we have mentioned here in the past involved with VoIP security within the IETF space:  Hannes Tschofenig of Nokia Siemens, Henning Shulzrinne of Columbia University, Dan Wing of Cisco, Jonathan Rosenberg of Cisco and David Schwartz of Kayote.  (Geoffrey Dawirs of University of Namur and Thomas Froment of Alcatel-Lucent are also authors of one, but I don’t believe we’ve spoken of either of them here before.)  They are definitely people who understand the space and have put some thought into it.

I would encourage everyone to take a look at those documents and send in feedback, either to the IETF mailing lists or directly to Hannes Tschofenig (editor of both docs).  We have an opportunity here to make sure that interconnected VoIP does NOT become the utter cesspool of spam that email has become.  Let’s make sure we do it right!

The papers are in and the conference agenda is now published.

There’s plenty of meat here for those interested in VoIP Security, with  talks on intrustion detection and prevention, SIP security architecture, SIP fuzzing and DoS prevention.  Jeff Pulver will deliver the keynote, and many of the speakers are the same people that create such interesting discussion trails on the Voipsec list anchored on this site.

If you’re in New York  July 19th/20th, it’s going to be a great session.  Registration is open here.

According to Silicon.com, Ivan Krstić, Director of Security Architecture for the One Laptop Per Child project, used a keynote speech at AusCERT 2007 to criticize the architecture of modern operating systems, which allow every application to run with maximum access rights to the machine.

This is of course a topic that exercises many security managers these days, since there are so many things that a multimedia PC can do today, including playing, recording and editing music & video; creating and editing images and text; phoning, instant messaging and video calling. What is more there are vast numbers of applications that can be rapidly bought and downloaded from the Internet, giving near instant on-demand installation of nearly any type of application. For convenience, most users run in administrator mode all the time, as it avoids answering pesky questions when we want to install and gratify our need for new software.

Many VoIP users run softphones on their PCs. Softphones are cheap, and can be extremely convenient to use. They also create new possibilities, like being able to record calls or teleconferences without spending a lot of money on recording hardware and software. From a security point-of-view, of course, this is a risk, since the softphone can control all the facilities of your PC, has access to the disk drive, and could potentially record audio, or perhaps even all LAN traffic, without you knowing. From a LAN architectural point of view, some experts say that you should use VLANs, so that VoIP phone handsets and PCs cannot interact with each others’ traffic. This would avoid a PC being able to initiate SIP calls (if, say, a malicious user wanted to run some SIP scanning software on a machine), but if you want the convenience of running softphones, then the PCs must be able to make SIP calls, so really VLANs are out.

So once again it really comes down to security versus convenience. We can lock down PCs completely and make them “safe”, but then you could argue that users will be less productive, if the IS department must get involved whenever any new thing will be installed. At the other end of the scale, letting users install everything they want, from wherever, whenever they feel like it, is a recipe for a security disaster. It’s a balance, and that is one of the reasons that security is a difficult area.

To talk about the One Laptop Per Child project for a moment, this is an effort to build a $100 laptop (the XO) that can be made in the millions to provide to school children everywhere. If you haven’t heard of this before, I strongly recommend that you watch the video from TED 2006 where Nicholas Negroponte explains what they are trying to do. A very worthwhile project and this video is 18 minutes of gold dust. Describing one of their pilot projects in a remote village Cambodia, Negroponte says of the children with their laptops: “They only know Skype, they’ve never heard of telephony.”

A story: ZZZ Telemarketing (not a real name) is locked in a heated fight with their bitter rival, YYY Telemarketing (also not a real name), to win a very large lead generation contract with Customer X. Customer X has decided to run a test pitting the two companies against each other for a week to see who can generate the most leads. The ZZZ CEO has said to his staff that it is “do or die” for the company. If they fail to win the contract, they will have to shut down - they need to do “whatever it takes” to win over YYY. A ZZZ staffer discovers that part of why YYY has consistently underbid them is because they are using SIP trunks to reduce their PSTN connection costs. But the staffer also discovers that YYY is using very cheap voice service providers who run over the public Internet with no security.

Discreet inquiries are made in the dark corners of the Internet. A large sum of money is exchanged through third-parties. The test begins on Monday and both firms are off in their own buildings rapidly calling. But at a designated time on Tuesday, a bot-herder somewhere out on the Internet connects to an IRC chat room and enters a line of text. Moments after the Enter key is pressed, “bots” on tens of thousands of zombie PCs wake up and start slamming the SIP servers at YYY and its providers with enormous numbers of bogus SIP messages, each of which require processing. Effectively all outbound (and inbound) PSTN connections grind to a halt. YYY IT staff try desperately to stop the attack but don’t have any real knowledge of how to defend against these attacks. Because the attacks paralyzed YYY’s SIP server but left their Internet connection still usable, their ISP won’t help and says it is a problem for their telephony providers. Those providers, of course, are preoccupied trying to fight off the the attack themselves. Meanwhile, hidden out on the net, the bot-herder watches the attempts and simply brings more botnets online as some nodes are successfully shut down or blocked.

Late on Wednesday at a designated time, the bot-herder enters the IRC room again and enters another command. All bots immediately cease their attacks. YYY can now make calls, but in their desperate attempts to restore connectivity the YYY IT staff has made such a mess of their network that it takes them until extremely late in the evening to return full service. Thursday morning YYY is back in full operation, but it’s too late to overtake ZZZ’s head start. ZZZ wins the test and the contract. (And YYY’s lawyers desperately search for some way to pin this on ZZZ.)

Is this just a piece of creative fiction? (or a nightmare?)

Today, probably yes… but last week the first steps toward bringing about the reality appeared in the VOIPSEC mailing list when a group of academic researchers announced the availability of a “VoIP bot” for testing automated attacks against VoIP systems that use the SIP protocol. While the researchers indicated they were making it available to aid in the efforts to develop effective tools to prevent attacks, the cold, hard reality is that the same tool and code can be used for attacks by those out operating botnets for malicious purposes. Deploy it on hundreds (or thousands) of zombie computers and an attacker potentially has a great way to execute a distributed denial of service (DDOS) against a company with, for example, a SIP trunk across the public Internet. Thereby potentially shutting down that company’s access to the PSTN. No inbound or outbound phone calls for the duration of the attack.

Welcome to the era of VoIP botnets.

With all the VoIP security tools out there, we knew it was only a matter of time before this occurred, but now the proverbial genie has been let out of the bottle. (or is it “bot-tle”?)

REALITY CHECK #1 - Now, before anyone cues the song “It’s the End of the World as We Know It” and starts to rip out their VoIP deployment, let’s be clear that this bot only affects systems using the SIP protocol. Given that the vast majority of corporate/enterprise VoIP deployments today occur with proprietary protocols (and this is true of all the main VoIP vendors), this news has little immediate impact on that segment of the market. However, most all enterprise vendors are now supporting SIP phones and/or SIP trunks - and so this definitely will be a concern in the future. In the PSTN line replacement market, though, there certainly are a good number of service providers offering SIP connections/trunks. If they are doing that across the public Internet (versus their own network where they can better control traffic) then this is definitely something of concern to them.

REALITY CHECK #2 - Let’s also be clear that there is no massive botnet out there right now out there waiting to kill all your SIP trunks or SIP sets (that we know of). What was released was a “proof-of-concept” that showed in a very basic way what could be done. The real threat is that attackers could modify the code, improve/tweak it, and start to deploy it out there in larger botnets. If we don’t look at ways to address the issues raised here, it will, though, become a more serious issue.

With those statements out of the way, let’s look at what this proof-of-concept bot does. First, as shown on the README page, you connect to an IRC server and create a chat room/channel. You then install the software onto a PC and run it (it’s a Java JAR file), providing the name of the IRC server and channel to which you are connected. You then simply start executing SIP attack commands. If you start up several instances of the bot connecting to the same IRC channel, you can issue commands that are implemented by all your bots.

Simple. Easy. (Scared yet?)

So what does it do? Well, here are the commands:

• spit - sends an audio file to a specified SIP address
• dos - sends successive SIP invites to a SIP address for a specified period of time
• scan - takes a list of possible user names and sends a SIP INVITE for each one (trying to determine what SIP usernames are used)
• crack - if you know SIP user names (potentially from ’scan’) you can try to crack the password
• register - if you know a SIP username and password, the bot will send a SIP REGISTER packet

A limited command set today, but the researchers indicate they will be refining it - and the source code is now out there for anyone to obtain and modify. And for something like a DOS (or DDOS) this could be effective. I only installed one bot on my test network, but I did see that it did generate a large number of packets against a SIP server I have running here. You could see the power of multiplying that.

So with the genie out of the bottle, what do we as VoIP security professionals do about it?

I’ll offer several suggestions (and certainly welcome more as comments to the post):

1. Play with this proof-of-concept bot - In order to defend against something, we need to understand it. Grab this one now and start understanding how it works…. before larger botnets targeting VoIP do actually get out there.
2. Understand what SIP security options you have - If you are using SIP in your VoIP infrastructure (either for phones or for trunking) understand what options you have for securing the SIP signaling. Can you encrypt the SIP signaling? Can you only accept connections from specific endpoints? Talk to you vendors and service providers. With either of those options you would greatly reduce (if not eliminate) the impact of a botnet attack.
3. Ask your SIP service provider if they support secure SIP connections (and if not, when they will) - As we have ranted here and on the Blue Box podcast, service providers offering SIP connections over the public Internet without securing those connections are, in my opinion, playing a dangerous game and are most likely the first to be affected by something like this.
4. Test, test and re-test your SIP systems, phones and other endpoints - The VoIP security tools are out there to test your implementation. What are you waiting for? Test anything with a SIP connection (obviously your own devices or with the permission of the owner). Report any issues to the vendors (and if the vendor doesn’t respond, contact us here at VOIPSA and we’ll see if we can put you in touch with someone).
5. Participate in IETF efforts to better secure SIP - As I wrote last week, there are definitely areas of SIP security that need to be improved within the IETF. We need to get better support all around for TLS-encrypted SIP (aka “SIPS”). We need to solve the SRTP key exchange problem. We need to make get NAT traversal mechanisms like ICE fully standardized. We need vendors and service providers to implement existing RFCs… and we need to reach closure on other issues. Join the SIP, SIPPING and RTPSEC mailing lists. Comment on existing Internet-Drafts or contribute new ones.
6. Understand “botnets” and what network defenses you can use - Botnets are not new. There is a great amount of info out there already (some pointers here, here, here and here). Talk to others in the field and see what defenses you can use within your existing network infrastructure.
7. Ensure you aren’t a source of zombie computers - It goes without saying that just in general you should already be employing mechanisms to ensure that spyware/malware isn’t being installed on your computers. Anti-virus is part of that, as are things like ensuring that all computers are up-to-date on patches.
8. Don’t panic - As I said at the beginning, we are not aware of any massive botnets out there targeting SIP (at least today… check back tomorrow). This is just yet one more thing to add to our list of many other things to be considered as we look at how to secure VoIP.

Going back to my story at the top, YYY might not have had the problems if their SIP server were set to reject all packets that did not originate from their service providers… or if they had required encryption with mutual authentication so that spoofed IP addresses couldn’t affect things… or if…

The reality is that there are solutions out there today that will go far in blunting the effect of these type of attacks. We just need to be sure that we are using and improving those solutions… if we don’t… well… then we will be cueing up that song!

Other comments or suggestions?

Last week, SIPit chair Robert Sparks posted the results of a SIP interoperability survey to the IETF SIP mailing list coming out of the recent SIPit 20 event held in April. For those not familiar with “SIPit” events, they are week-long events sponsored by the SIP Forum held twice a year where vendors bring together their SIP products to test interoperability between their various products and implementations. This particular event, the 20th, was hosted by Alcatel Lucent in Antwerp, Belgium. 67 vendor teams participated, of which 59 completed the web-based survey that generated this data.

The full results of the survey make for interesting reading, but I thought I’d pull out some of the security-related items. First up, SIPS (aka TLS-encrypted SIP):

There was a lot of (understandable) confusion about what to do with sips:. Most implementations that could handle TLS are not yet trying to handle sips:. The few that did try to do something sane with sips: are watching the discussion on the SIP mailing list. In any case, there was not a set of implementors present who felt sips was sufficiently specified and would be unhappy if the definition changed. I also didn’t find anyone who felt an existing deployment would suffer from any change to the definition.

Next up, NAT traversal and STUN/TURN/ICE:

When asked about STUN support, the client implementations replied:
8% I implement all the client requirements of draft-ietf-behave- rfc3489bis
6% I implement some, but not all, of the client requirements of draft-ietf-behave-rfc3498bis
4% I implement all of the client requirements of RFC3489
14% I implement some, but not all, of the client requirements of RFC3489
60% I do not implement STUN as a client
8% Other

There were several STUN servers and at least two TURN servers. We had more TURN clients this time, and successfully exercised TURN. Three implementations claimed support for ICE, but no interoperability was reported (I suspect there were versioning issues that couldn’t be overcome in the time-scale of the event). There was one ice-tcp implementation present.

And the big one of most interest to me personally (and with my emphasis added):

There were 9 SRTP endpoints (down from 12 at the last event). Only 4 of those used sdes.
Interoperability after key exchange was lower than at SIPit 19.
There was only one RTP over DTLS implementation present.

Anyone doubt that we still have a good bit of work to do??

As I mentioned, the full survey results are definitely worth a read if you are interested in SIP interoperability.