Archive for the 'VoIP Security Tools' Category

Blue Box #69: Linksys SPA-941 vulnerability, SIP DDoS, New release of SIPVicious, Asterisk security roadmap, other VoIP security news, listener comments and more

Thursday, October 11th, 2007 by Dan York

Blue Box Podcast #69 is now available for download. In this 46-minute episode, Jonathan and I discuss the Linksys SPA-941 vulnerability mentioned in the VOIPSEC list, a potential SIP DDoS, a new release of SIPVicious, a suggested Asterisk security roadmap, other VoIP security news, listener comments and more.

VoiceCon: Dave Endler & Mark Collier’s "IP Telephony Security Threats and Countermeasures"

Monday, August 20th, 2007 by Dan York


Today here at VoiceCon in San Francisco, Dave Endler and Mark Collier (both of whom are involved with VOIPSA) gave a 3-hour tutorial on “IP Telephony Security Threats and Countermeasures”.  For those who have read Dave and Mark’s “Hacking Exposed: VoIP” book, the tutorial followed the overall flow of the book.  They began with Dave talking about gathering information about a target, using scanning, enumeration, Google-hacking, etc.  Dave continued with talking about attacking the network through DoS, eavesdropping and then network interception – and the appropriate countermeasures to defend against the attacks.  After the break, Mark went into attacks against Avaya systems and appropriate countermeasures.  Dave followed with a similar section on attacks and countermeasures for Cisco systems.  Mark came back to talk about attacks against applications, fuzzing and ultimately social attacks such as SPIT and voice phishing.  Mark also spent a good amount of time talking about the various tools they developed as part of the book. Mark noted that they have updated the tools available on hackingvoip.com and will be making more updates in the coming months.

In his section on attacking Avaya systems, Mark Collier stressed a point we’ve made here on this blog:

“It’s great to have encryption enabled for signaling and voice and to buy phones that support it.  Encryption is great and I highly recommend it.  But if you don’t disable telnet or change default passwords, all that secure encryption really isn’t worth much.”

Indeed!

All in all a great session for folks looking for an introduction to VoIP security attacks and appropriate countermeasures.

BlackHat/DEFCON VoIP Security Tools Update

Wednesday, August 15th, 2007 by Dustin D. Trammell

There were a number of new tools released at the recent BlackHat and DEFCON conferences that I’ve just finished adding to the VoIPSA Security Tools List.

First, during the BlackHat Voice Services Security track, Himanshu Dwivedi & Zane Lackey spoke about attacks against H.323 and IAX. They released a number of tools including H225regreject, IAXHangup, IAXAuthJack, and IAX.Brute. Now you can easily launch many of the same attacks (as well as a few new ones) that you’ve known and loved from attacking SIP against both H.323 and IAX.

Next, Zane Lackey & Alex Garbutt debuted their RTPInject tool during the BlackHat turbo-talk track. It’s essentially a nice, pretty, easy to use GUI version of the RTP audio injection attack that I demoed last year at EUSecWest using the rtpinsertsound and rtpmixsound tools.

At DEFCON, Ian G. Harris released a tool called INTERSTATE which is a stateful protocol fuzzer for SIP.

Finally, I released my new RTP steganography tool, SteganRTP, at DEFCON. It uses steganographic data embedding techniques to create a covert channel in an RTP session’s audio payloads which it uses to transport its own custom communications protocol. The protocol provides user chat, file transfer, and remote shell access (if enabled).

All of the tools mentioned above can be found via the VoIPSA Security Tools List.
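To make the covert-channel idea concrete, here is an added illustration written for this page; it is not SteganRTP's code and does not reproduce its protocol. It hides one message bit in the least-significant bit of each sample byte of a G.711 payload and uses a two-byte length prefix as framing; both choices are assumptions for the example, and the carrier audio and message are constructed inline.

```python
"""LSB covert channel inside RTP audio payloads. Added illustration of the idea
behind SteganRTP, written for this page; not SteganRTP's code. The framing
(two-byte big-endian length prefix, one message bit per sample byte, bits taken
in packet order) is an assumption. Carrier audio below is constructed."""
HEADER_LEN = 2   # assumed framing: message length prefix


def bits_of(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def capacity(payload):
    """Message bytes one payload can carry at one bit per sample byte.
    A 160-byte G.711 frame (20 ms) carries 20 bytes, i.e. 1000 bytes/s."""
    return len(payload) // 8


def embed(payload, bits):
    """Overwrite the LSB of successive sample bytes with the given bits.
    Returns the modified payload and how many bits were consumed. Touching
    only the LSB moves each 8-bit sample by at most one quantisation step."""
    out = bytearray(payload)
    used = 0
    for i, bit in zip(range(len(out)), bits):
        out[i] = (out[i] & 0xFE) | bit
        used += 1
    return bytes(out), used


def send(message, carrier_payloads):
    """Spread a length-prefixed message over the LSBs of consecutive payloads."""
    frame = len(message).to_bytes(HEADER_LEN, "big") + message
    bits = list(bits_of(frame))
    out, pos = [], 0
    for payload in carrier_payloads:
        if pos >= len(bits):
            out.append(payload)          # message done: forward audio untouched
            continue
        stego, used = embed(payload, bits[pos:pos + len(payload)])
        pos += used
        out.append(stego)
    if pos < len(bits):
        raise ValueError("not enough carrier packets for the message")
    return out


def receive(stego_payloads):
    """Collect LSBs in arrival order, rebuild bytes, honour the length prefix."""
    bits = [b & 1 for payload in stego_payloads for b in payload]
    data = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        data.append(value)
    length = int.from_bytes(data[:HEADER_LEN], "big")
    return bytes(data[HEADER_LEN:HEADER_LEN + length])


def max_sample_change(original, stego):
    """Largest per-sample difference the embedding introduced."""
    return max(abs(a - b) for a, b in zip(original, stego))


def demo():
    # Constructed carrier: five 20 ms G.711 frames of synthetic "audio".
    carriers = [bytes((i * 37 + k * 11) & 0xFF for i in range(160)) for k in range(5)]
    message = b"hello from the covert channel"
    stego = send(message, carriers)
    return message, carriers, stego
```

Because only the low bit of each sample changes, the audio stays intelligible and a listener will not notice; the RTP headers are untouched, so a sniffer sees an ordinary call. A 29-byte message plus the 2-byte prefix needs 248 bits and therefore occupies one full frame and part of a second, after which the remaining frames pass through unmodified. SRTP does not stop this channel, since the sender legitimately encrypts whatever payload it chooses; detecting it requires statistical analysis of the decoded audio at an endpoint or a media gateway that re-encodes the stream.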

Blue Box #54 – new VoIP security tools list, teleworker FUD, Phil Zimmermann, ETel feedback, SPIT, IETF

Monday, March 26th, 2007 by Dan York

Blue Box Podcast #54 was posted about a week ago but with travel I didn’t cross-post it here… in this show, Jonathan and I talked a good bit about the new VoIP security tools list released by VOIPSA, the IETF meeting in Prague, Phil Zimmermann and ZRTP, SPIT, the ETel conference and also talked a good bit about some articles circulating around about “how VoIP shouldn’t be used for teleworkers because of security”. Detailed show notes and links are available over on the Blue Box website.

VOIPSA Releases its VoIP Security Tools List

Wednesday, March 14th, 2007 by David Endler

I’m pleased to announce the public release of VOIPSA’s VoIP Security Tool List. The list was developed to address the current void of VoIP security testing resources and sites, for vendors and VoIP users alike. The list is separated into the following seven broad categories:

  • VoIP Sniffing Tools
  • VoIP Scanning and Enumeration Tools
  • VoIP Packet Creation and Flooding Tools
  • VoIP Fuzzing Tools
  • VoIP Signaling Manipulation Tools
  • VoIP Media Manipulation Tools
  • Miscellaneous Tools

Special thanks to VOIPSA members Shawn Merdinger and Dustin Trammell who created the list and have graciously agreed to maintain it. For more information about the tools list, you can listen to Dan York and Jonathan Zar discuss it in Blue Box Podcast #54 and also with Shawn Merdinger in Blue Box Special Edition #16 available at http://www.blueboxpodcast.com.

Combatting Voice SPAM with VoIP SEAL

Tuesday, February 20th, 2007 by Martyn Davies

One of the highlights of 3GSM Barcelona for me was visiting NEC at their stand, and to see their demonstrations in action. There was some discussion in the VoIP and security space over the last weeks about a server technology called VoIP SEAL that NEC were to demonstrate at the show, and I was keen to see this in action. VoIP SEAL is a system that attempts to defend a VoIP system against VoIP SPAM or SPIT (SPAM over Internet Telephony).

Luckily, at the time I visited the stand, Saverio Niccolini of NEC was there. Saverio is a prominent researcher for NEC, and was a speaker at the 3rd Annual VoIP Security Workshop last year, which I attended and wrote about here. It was great to meet up with Saverio, and he showed me the VoIP SEAL demo himself.

To briefly summarize the system, VoIP SEAL combines a number of different techniques to detect a suspicious VoIP call. Each module does a test and produces a score or index, and at the end the indices are weighted and combined to give an overall score that measures how ‘dangerous’ a call might be. For example, there are modules that can apply blacklist or whitelist logic; measure SIP INVITE rates; test reputation or check that different SIP URIs are not coming from the same IP address. So, each module is dedicated to measuring for a particular exploit or security aspect, and they can be combined in different ways, with different weights.

An interesting part of VoIP SEAL is that it can apply tests in two phases: firstly before answering the call and then after picking up. In the first phase, the ‘suspiciousness level’ of a call can be assessed, and if the level is low, the second phase can be skipped, simply connecting the call to the recipient. However, if the level passes a configured threshold, the call is diverted to a specialized answer machine that can apply further tests. Having this two-phase approach helps to minimize false positives, where genuine human callers get trapped in the system and can’t get through.

In phase 2, VoIP SEAL can measure the speech energy when a greeting or outgoing message is being played. For a genuine human caller, this energy should be low, as humans tend to listen rather than talk over greetings. A bot or SPAM application will behave differently, perhaps starting to stream audio continuously as soon as the media channel is available. There are more sophisticated audio CAPTCHA tests (Turing Tests) that can also be applied to attempt to tell the difference between a human and a bot. If the call is considered suspicious, it can just be allowed to play its message into a voicemail SPAM queue, and perhaps this queue would be periodically reviewed by an administrator to make sure that the VoIP SEAL was working effectively and not trapping too many real human callers.
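To make the weighted, two-phase scoring concrete, here is an added illustration in Python written for this page; it is not NEC's VoIP SEAL code. The three modules (list lookup, INVITE rate, distinct URIs per source address), their weights, the 0.5 threshold, the 60-second rate window and the RMS energy limit used in phase 2 are all assumptions chosen for the example, and the INVITEs and audio samples are constructed inline.

```python
"""Weighted, two-phase SPIT scoring in the style the post describes for VoIP SEAL.
Added example written for this page, not NEC's code. The module set, weights,
thresholds, rate window and energy limit are assumptions; the calls and audio
in demo() are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
import math


@dataclass
class Invite:
    from_uri: str   # SIP From URI of the caller
    src_ip: str     # source address the INVITE arrived from
    ts: float       # arrival time in seconds


class SpitScorer:
    def __init__(self, blacklist=(), whitelist=(), weights=None,
                 threshold=0.5, rate_window=60.0, rate_limit=10,
                 energy_limit=500.0):
        self.blacklist = set(blacklist)
        self.whitelist = set(whitelist)
        self.weights = weights or {"list": 1.0, "rate": 0.6, "uri_ip": 0.4}
        self.threshold = threshold
        self.rate_window = rate_window
        self.rate_limit = rate_limit
        self.energy_limit = energy_limit
        self._invites = defaultdict(deque)   # src_ip -> recent INVITE times
        self._uris = defaultdict(set)        # src_ip -> distinct From URIs seen

    # ---- phase 1: each module returns a suspicion index in [0, 1] ----
    def list_module(self, inv):
        if inv.from_uri in self.whitelist:
            return 0.0
        if inv.from_uri in self.blacklist:
            return 1.0
        return 0.5                           # unknown caller

    def rate_module(self, inv):
        """INVITE rate from one address inside a sliding window."""
        q = self._invites[inv.src_ip]
        q.append(inv.ts)
        while q and inv.ts - q[0] > self.rate_window:
            q.popleft()
        return min(1.0, len(q) / self.rate_limit)

    def uri_ip_module(self, inv):
        """Many different From URIs coming from the same address."""
        seen = self._uris[inv.src_ip]
        seen.add(inv.from_uri)
        return min(1.0, (len(seen) - 1) / 5)

    def phase1_score(self, inv):
        """Weighted combination of the module indices, normalised to [0, 1]."""
        idx = {"list": self.list_module(inv),
               "rate": self.rate_module(inv),
               "uri_ip": self.uri_ip_module(inv)}
        return sum(self.weights[k] * idx[k] for k in idx) / sum(self.weights.values())

    def screen(self, inv):
        """Before answering: connect directly, or divert to the answering
        machine for phase 2 once the score reaches the threshold."""
        return "connect" if self.phase1_score(inv) < self.threshold else "divert"

    # ---- phase 2: caller behaviour while the greeting plays ----
    @staticmethod
    def speech_energy(samples):
        """RMS of 16-bit PCM samples captured from the caller's side."""
        if not samples:
            return 0.0
        return math.sqrt(sum(s * s for s in samples) / len(samples))

    def answer(self, caller_samples_during_greeting):
        """A human mostly listens to the greeting (low energy); a bot that
        streams its pitch as soon as media is up talks over it (high energy)."""
        if self.speech_energy(caller_samples_during_greeting) > self.energy_limit:
            return "spam_queue"
        return "connect"


def demo():
    s = SpitScorer(blacklist={"sip:spammer@example.net"},
                   whitelist={"sip:friend@example.org"})
    friend = s.screen(Invite("sip:friend@example.org", "198.51.100.5", 0.0))
    spammer = s.screen(Invite("sip:spammer@example.net", "198.51.100.7", 1.0))
    # A burst of INVITEs with rotating From URIs from one address: the rate
    # and URI-per-IP modules push an unknown caller over the threshold.
    burst = [s.screen(Invite(f"sip:bot{i}@example.net", "203.0.113.9", 2.0 + i * 0.1))
             for i in range(12)]
    silence = [0, 2, -1, 1] * 40          # caller listening to the greeting
    talking = [0, 8000, 0, -8000] * 40    # caller streaming audio over it
    return friend, spammer, burst, s.answer(silence), s.answer(talking)
```

With these weights a single unknown caller scores 0.28 and is connected straight through, so the phase 2 answering machine is only reached by callers who are blacklisted or who trip the rate or URI-rotation modules; that is what keeps the false-positive rate low for ordinary human callers. The energy limit is the parameter to tune against real traffic, since a caller who starts talking over a short greeting would otherwise land in the spam queue, which is why the post suggests an administrator periodically reviews that queue.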

If you want to hear more about VoIP SEAL, I recorded an interview with Saverio where he explains it in more detail. This interview will be coming up in a future edition of the Bluebox Podcast, run by two of our VOIPSA Chairs, Dan York and Jonathan Zar.

Voice SPAM – the Fightback Begins

Thursday, January 11th, 2007 by Martyn Davies

Voice SPAM is increasingly a problem, as the cost of making calls gets lower and lower in real terms.  I was interested to see that GrandCentral are taking steps to block Voice SPAM for their customers.  If you haven’t come across GrandCentral yet, they have an interesting product offering that allows you to have one telephone number from them, and have a single voicemail system and the ability to have inbound calls follow you to whatever fixed or mobile devices you are using at any moment.  They also have a lot of advanced features like color ringback (CRBT), call screening, and control via a web interface.

We’ve talked here before about caller ID spoofing, i.e. that using various services you can lie about your source telephone number.  GrandCentral say on their blog that they know the caller’s number even if the caller ID is not displayed: I presume this means they’re using some good, old-fashioned SS7 signalling technology (rather than IP and SIP).  It will be interesting to see if a blacklisting approach works in the long term, since in the future spammers using VoIP technology to initiate SPAM will not be connected directly to today’s digital telephone networks, but instead will be using some kind of gateway to cross from VoIP to traditional networks.  Presumably once such a VoIP gateway gets blacklisted, the spammers will simply move to the next gateway with a change of IP address.


Blue Box Podcast #44: SIP attack tools, VoIP security news, IETF, patents, ZRTP, Skype security, Asterisk war dialling, voice biometrics, listener comments and more

Tuesday, November 14th, 2006 by Dan York

Blue Box Podcast #44 is now available for download. In this show, we cover the new SIP attack tools released by Mark Collier and Dave Endler, talk about the IETF meeting, ZRTP and Phil Zimmermann’s patent disclosure, Skype security issues, a war dialling script for Asterisk, listener comments and much more. Feedback is, as always, welcome.

Additional VoIP Attack Tools

Monday, October 30th, 2006 by Mark Collier

David Endler and I posted several new tools on our “Hacking Exposed” website, www.hackingvoip.com. We also provided updates and better README files for some of the existing tools. Here is a quick summary of the new tools:

  • rtpinsertsound/rtpmixsound – these tools take the contents of a .wav or tcpdump format file and insert or mix in the sound. These tools require access (sniffing of the VoIP traffic but not necessarily MITM) to the RTP stream, so they can properly craft sequence numbers, timestamps, etc. rtpinsertsound, with the right timing, can be used to add words or phrases to a conversation. rtpmixsound can be used to merge in background audio, like noise, sounds from a “gentleman’s club”, curse words, etc., etc. These tools have been tested in a variety of vendor environments and work in pretty much any environment where encryption isn’t used.
  • redirectpoison – this tool works in a SIP signaling environment, to monitor for an INVITE request and respond with a SIP redirect response, causing the issuing system to direct a new INVITE to another location. This tool requires access to the SIP signaling, but does not require a MITM (Man-in-the-middle attack). We tested this tool with the Asterisk and SER SIP proxies, along with a variety of SIP phones.
  • spitter – this tool works in conjunction with Asterisk, to set up a voice SPAM/SPIT generation platform. Once Asterisk is set up, spitter is used to schedule any number of calls, using your choice of audio files.

The tools come with README files, so they should be pretty easy to use. Please let us know what you think. We are particularly interested in results for the rtpxxxsound tools. A number of us “security experts” have been warning of these attacks, but this is the first set of tools I have seen that actually accomplish them.
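The reason the rtpxxxsound tools need to sniff the stream is that a receiver only accepts an RTP packet as the next in the conversation if its SSRC, payload type, sequence number and timestamp continue what it has already seen. The following added example, written for this page and not the hackingvoip.com tools' code, shows that header arithmetic and the flip side of it: a monitor that flags the duplicate sequence number an injected packet leaves behind when the legitimate packet with the same number arrives a moment later. The packets are constructed inline; 160 samples per packet assumes 20 ms G.711 at 8 kHz.

```python
"""RTP header handling behind an rtpinsertsound-style injection, and a monitor
that spots the collision it causes. Added example for this page, not the
hackingvoip.com tools' code. The stream in demo() is constructed."""
import struct

RTP_HEADER = struct.Struct("!BBHII")   # V/P/X/CC, M/PT, seq, timestamp, SSRC


def build_rtp(seq, timestamp, ssrc, payload, pt=0, marker=False):
    """Build a minimal RTP packet (version 2, no CSRCs, no extension)."""
    b0 = 0x80
    b1 = (0x80 if marker else 0x00) | (pt & 0x7F)
    return RTP_HEADER.pack(b0, b1, seq & 0xFFFF, timestamp & 0xFFFFFFFF,
                           ssrc & 0xFFFFFFFF) + payload


def parse_rtp(pkt):
    """Parse the fixed header; return the fields and the payload."""
    b0, b1, seq, ts, ssrc = RTP_HEADER.unpack_from(pkt)
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    csrc_count = b0 & 0x0F
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq,
            "ts": ts, "ssrc": ssrc,
            "payload": pkt[RTP_HEADER.size + 4 * csrc_count:]}


def craft_next(observed_pkt, payload, samples_per_packet=160):
    """What an injector must do after sniffing one packet of the stream: reuse
    its SSRC and payload type and continue the sequence number and timestamp
    (160 samples = 20 ms of G.711) so the receiver treats the packet as the
    next one in the conversation."""
    h = parse_rtp(observed_pkt)
    return build_rtp((h["seq"] + 1) & 0xFFFF,
                     (h["ts"] + samples_per_packet) & 0xFFFFFFFF,
                     h["ssrc"], payload, pt=h["pt"])


class RtpStreamMonitor:
    """Per-SSRC sequence/timestamp tracker. An injected packet races the
    legitimate one carrying the same sequence number, so the later arrival
    shows up as a duplicate; a timestamp that does not advance by the codec
    frame size per sequence step is the other tell-tale."""

    def __init__(self, samples_per_packet=160):
        self.spp = samples_per_packet
        self.last = {}      # ssrc -> (seq, timestamp) of the last accepted packet
        self.alerts = []

    def observe(self, pkt):
        h = parse_rtp(pkt)
        ssrc = h["ssrc"]
        if ssrc in self.last:
            prev_seq, prev_ts = self.last[ssrc]
            dseq = (h["seq"] - prev_seq) & 0xFFFF
            if dseq == 0:
                self.alerts.append(f"ssrc {ssrc:#x}: duplicate seq {h['seq']}")
                return h
            if dseq >= 0x8000:          # wrapped negative: late or replayed packet
                self.alerts.append(f"ssrc {ssrc:#x}: out-of-order seq {h['seq']}")
                return h
            expected_ts = (prev_ts + dseq * self.spp) & 0xFFFFFFFF
            if h["ts"] != expected_ts:
                self.alerts.append(
                    f"ssrc {ssrc:#x}: timestamp {h['ts']} != expected {expected_ts}")
        self.last[ssrc] = (h["seq"], h["ts"])
        return h


def demo():
    """Constructed 3-packet G.711 stream, one injected packet, then the real
    packet with the same sequence number, then the next legitimate one."""
    ssrc = 0x1234ABCD
    stream = [build_rtp(100 + i, 8000 + 160 * i, ssrc, bytes([0xFF]) * 160)
              for i in range(3)]
    injected = craft_next(stream[-1], bytes([0x7F]) * 160)     # seq 103, ts 8480
    legit_103 = build_rtp(103, 8000 + 160 * 3, ssrc, bytes([0xFF]) * 160)
    legit_104 = build_rtp(104, 8000 + 160 * 4, ssrc, bytes([0xFF]) * 160)
    mon = RtpStreamMonitor()
    for p in stream + [injected, legit_103, legit_104]:
        mon.observe(p)
    return injected, mon.alerts
```

The monitor accepts the injected packet because its header is exactly what the stream would produce next; only the legitimate packet that follows reveals the collision, which is why this is a detection aid rather than a prevention. The caveat Mark gives ("where encryption isn't used") is precisely the prevention: SRTP authenticates each packet with a keyed tag, so a crafted packet with a valid-looking header but no valid tag is dropped before it reaches the jitter buffer.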

Just Plain Cuckoo

Wednesday, October 11th, 2006 by Martyn Davies

According to news in PC Pro magazine, authorities in Switzerland have come up with an unorthodox plan to tackle call tapping of Skype and other VoIP users.  VoIP calls can be end-to-end encrypted, which means that tapping on the Internet itself is often not practical.  For example, Skype uses an undisclosed encryption algorithm and key exchange system.  Phil Zimmermann’s Zfone employs perfect forward secrecy, so that a recorded conversation cannot even be decrypted later offline once a long-term key has been obtained.

So the Swiss plan?  Tap the calls on the PC, by means of installing some kind of trojan to tap into the audio stream before it is encrypted.  It would be installed either by the authorities or remotely by the ISP.

Now, this is a daft idea on so many different levels that it’s hard to know where to begin.  In an ordered society like Switzerland you could expect a high level of compliance with this kind of procedure.  Unfortunately, the ones that won’t comply (for example malevolent hackers; gangsters; terrorists) are probably the ones that you are most interested in gathering intelligence about.  Secondly, it’s a gift for criminals, since if you leave a backdoor open, the PC already compromised, then someone will likely exploit this for criminal purposes.

With the right software in place, audio could be relayed in from elsewhere, allowing criminals to make calls “on your phone”, possibly implicating you in a crime.  Similarly, audio could be relayed out, so that those outside the government service could tap your phone, a boon to tabloid newspapers and blackmailers.

Finally, in a world of ever more mobile users, is this approach even practical?  Mobile users with GPRS in their phone or PDA can connect to the Internet without even touching a Swiss ISP.  Crime doesn’t necessarily stop at borders these days, couldn’t criminals just be in and out of the country before the G-Man sneaks some tapping software onto their laptop?
