Archive for the 'VoIP Vulnerabilities' Category

Blue Box Video Edition #01: SIP softphone exploit demonstration by Sipera Systems at VoiceCon San Francisco 2007

Tuesday, August 28th, 2007 by Dan York

Over on the Blue Box site, I’m pleased to announce that I uploaded Blue Box Video Edition #1, our very first experiment with adding a video component to the podcast. In this 5-minute video, recorded at VoiceCon San Francisco last week, I interviewed Sachin Joglekar from Sipera Systems about the SIP softphone exploit they first demonstrated at Black Hat. Comments and opinions are definitely welcome. Would you like to see more of this type of video?

How to Break Asterisk

Wednesday, August 15th, 2007 by Martyn Davies

Just to show that VoIP security is not all about SIP, researchers Himanshu Dwivedi and Zane Lackey from iSEC Partners have produced some interesting material on vulnerabilities in IAX, which they just presented at the recent Black Hat conference. IAX (pronounced “eeks”), as you may know, is a proprietary protocol often used to connect Asterisk servers together for the purposes of call routing. Implementors say that it is simpler than SIP, and also tunnels through firewalls better than SIP, thanks to a ‘VPN-like’ approach that tunnels signalling and media together down the same pipe.

iSEC came up with a number of novel attacks, including exploiting authentication weaknesses in the use of MD5 hashes, man-in-the-middle attacks and DoS. They have a very nice paper here that describes their attacks in detail, and they have also made available some code (in Python) that you can use for your own experimentation.

Not stopping at IAX, they also had a go at the granddaddy of VoIP protocols, H.323, and have published a couple of attack tools there too. It’s enough to keep you busy all summer long.

More: Black Hat USA 2007 abstracts
iSECPartners

Four Asterisk security vulnerabilities released

Monday, July 23rd, 2007 by Dan York

Last week the folks at Digium released 4 security advisories on their www.asterisk.org/security web site.  They are:

There are fixes for all the issues (basically, upgrade to the current release of the Asterisk stream you are using), and if you are using Asterisk (or a derivative of Asterisk) we would encourage you to read these advisories and take the recommended actions.

On a side note, it’s definitely been great to see the changes Digium has brought to reporting security issues with Asterisk. First was the security portal at www.asterisk.org/security, and then, starting in April, these well-done security advisory documents. Kudos to Kevin Fleming and the rest of the developer team there. (Thanks also to Kevin for starting to post these advisories to the VOIPSEC mailing list.)

Cracking the WLAN

Wednesday, April 4th, 2007 by Martyn Davies

I previously reported that the Wired Equivalent Privacy (WEP) encryption scheme could be broken in 3 minutes. Now researchers have reduced this to 1 minute, the most effective attack yet. Visit the Bruce Schneier blog for the link to the paper in PDF format. It’s really time to upgrade or reconfigure that home network.

Blue Box #54 - new VoIP security tools list, teleworker FUD, Phil Zimmermann, ETel feedback, SPIT, IETF

Monday, March 26th, 2007 by Dan York

Blue Box Podcast #54 was posted about a week ago, but with travel I didn’t cross-post it here. In this show, Jonathan and I talked a good bit about the new VoIP security tools list released by VOIPSA, the IETF meeting in Prague, Phil Zimmermann and ZRTP, SPIT, the ETel conference, and also about some articles circulating around about “how VoIP shouldn’t be used for teleworkers because of security”. Detailed show notes and links are available over on the Blue Box website.

New Hacking for Traditional Networks

Monday, March 5th, 2007 by Martyn Davies

I was intrigued by a talk advertised for the upcoming Black Hat Europe 2007 conference about hacking SS7. Philippe Langlois will talk about “SCTPscan - Finding entry points to SS7 Networks & Telecommunication Backbones”, and as he says:

“SCTP is the protocol used to carry all telecom signalling information on IP according to the SIGTRAN protocol suite. It’s the foundation, as TCP is the foundation for the web and email.”

SS7 has been largely a secret world, a private network of networks for signalling voice calls across all the world’s cellcos and telcos. In traditional SS7, all the links are carried over T1 or E1 pipes, and there is no opportunity for an outsider to get access to this signalling backbone.

However, SIGTRAN effectively uses an IP network as a transport system for signalling, doing away with the need for T1/E1 links and specialized hardware. SCTP is the protocol used instead of TCP or UDP for this purpose. So from an attacker’s point of view, SCTP is a pipe that can be scanned and exploited in order to get access to telco resources.

Increasingly, with NGNs being interconnected with traditional networks, tools like SIGTRAN will be used to allow different IP architectures to co-exist, so, as Langlois implies, a hacker can write special tools that spoof higher protocol layers like M3UA, ISUP and TCAP to explore or interfere with the operation of SS7. This is a potential danger because normally a high degree of trust exists between different SS7 network operators, and when they interconnect they do so in the understanding that each party will “behave nicely”.

In the Internet world, of course, there is no guarantee of “niceness”, and SIGTRAN links need to be locked down with tools like firewalls. In an ideal world, SCTP would be the only protocol allowed through on SIGTRAN links, and furthermore each party should have checks on the source addresses that are allowed to send messages and interact with SS7 service elements. You would normally expect that SIGTRAN links (into SS7 backbones) could not be accessed or routed to from anywhere on the public network, but of course routing and Ethernet switching errors can occur, accidentally connecting segments that should not be connected.

However, SS7 has some advantages on its side in this war. Firstly, it is a complex set of protocols, and most hackers will not have any “hands-on” experience that will help them find weaknesses in the network. Also, SS7 networks in practice use a system called global title addressing, which means that co-operating networks can use each other’s services without needing to know the internal construction of the network. This works to stop outsiders from understanding how a network is put together.

Whatever the pros and cons, we should not be complacent, and I’m sure the traditional telcos will not be, since money is at stake. We can be sure that on the Internet, if something can be hacked, someone will try to hack it.

Learning to Distrust Steve

Tuesday, January 16th, 2007 by Martyn Davies

In a recent Rich Tehrani blog entry, he touched on the subject of a type of email phishing attack termed Spear Phishing.  For those that have not heard the term before, Rich describes it:

“In a recent US example, a phisher bluffed his way into the network of a port authority by spoofing an internal email address. Once on the inside, with an apparently genuine email identity, he was able to fool employees into revealing passwords for applications.

This sort of attack has been termed ‘spear’ phishing, designed to bamboozle unsuspecting ‘colleagues’ into revealing information that will give the perpetrator access into secure areas of corporate networks.”

This type of attack is possible because many email services either don’t insist on any kind of authentication, or do not look at the ‘from’ email address you specify and check that it is consistent with your actual service-provided email address. This is one of the weaknesses of today’s email system that makes life so easy for spammers.

Unfortunately, spear phishing also applies to VoIP, since in many cases VoIP services can be fooled into using and displaying a false caller ID number. So you can imagine the scenario: you are sitting at your office desk, and a call comes in to your desk phone. The number on the display is 400, and this is the extension you normally call to reach the IT help desk. It’s definitely not an ‘outside’ number. You pick up, and although you didn’t know that the IT help desk now has a technician called ‘Steve’, perhaps if he knows one other bit of corroborating information, this will be enough to make you accept that he is bona fide. In the conversation that follows, he might tell you that Mike from Sales called him; can you tell him where Mike is? Of course, if he knows that Mike sits near you, you might be tempted to believe that Steve is for real. Bingo. Now maybe you’re ready to tell him something secret?

Of course this kind of confidence trick is nothing new; it is just using new tools to achieve the same goal. The defence? Well, if you have the slightest doubt about someone’s veracity, you could offer to call them back, and do not use any information they have given you to do it. For example, call someone else you know in the help desk, and ask them about ‘Steve’. “Steve who?”
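One way a VoIP service can avoid being fooled into displaying a false caller ID is the check the post says email services often skip: compare the identity asserted in the From header with the identity that actually authenticated. This added Python example (not code from the post) does that for a constructed SIP INVITE; the extensions, domain and header values are made up.

```python
import re
# Constructed sample (not from the post): an INVITE from a handset that authenticated
# as extension 212 but whose From header claims to be 400, the help-desk extension.
SAMPLE_INVITE = (
    "INVITE sip:213@pbx.example.local SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.37:5060;branch=z9hG4bK776asdhds\r\n"
    'From: "IT Help Desk" <sip:400@pbx.example.local>;tag=1928301774\r\n'
    "To: <sip:213@pbx.example.local>\r\n"
    "Call-ID: a84b4c76e66710@10.0.0.37\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)
_URI_RE = re.compile(r"sips?:([^@;>\s]+)@([^;>\s]+)")  # user@host, with or without <...>

def header(msg, name):
    """Value of the first header called `name` (case-insensitive), or None."""
    head = msg.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None

def from_identity(msg):
    """(user, host) asserted in the From header, or None if unparsable."""
    m = _URI_RE.search(header(msg, "From") or "")
    return (m.group(1), m.group(2).lower()) if m else None

def check_caller_id(msg, auth_user, domain):
    """Accept the call only if the asserted From matches who authenticated."""
    ident = from_identity(msg)
    if ident is None:
        return False, "From header missing or unparsable"
    if ident != (auth_user, domain.lower()):
        return False, f"From {ident[0]}@{ident[1]} does not match authenticated {auth_user}@{domain}"
    return True, "ok"

def rewrite_from(msg, auth_user, domain):
    """Proxy-style fix: From carries the authenticated identity; ;tag= is kept."""
    head, sep, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    for i, line in enumerate(lines):
        key, _, value = line.partition(":")
        m = _URI_RE.search(value) if i > 0 and key.strip().lower() == "from" else None
        if m:
            params = value[m.end():].lstrip(">").rstrip()   # e.g. ";tag=1928301774"
            lines[i] = f"From: <sip:{auth_user}@{domain}>{params}"
    return "\r\n".join(lines) + sep + body
```

Rejecting the call and rewriting the From header are the two policies a registrar or proxy can choose between; either way the callee’s display no longer shows a number the caller merely typed in.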

Making VoIP Connections Safe

Tuesday, January 16th, 2007 by Martyn Davies

Over on VoIP News there’s a piece about some of the VoIP threats and possible responses to them. John Edwards talks about Denial of Service; Toll Fraud; VoIP Spam and Phishing.

Building a VoIP Network

Wednesday, January 10th, 2007 by Martyn Davies

Dean Elwood, one of the founders of voipuser.org (a free VoIP service provider and online magazine), recently wrote an interesting article called “How To Build A Voip Network: 7 rules for the VoIP entrepreneur in 2007.” It’s a great read from someone with experience of creating value from a VoIP service, rather than the usual marketing “talking head”. It also raises some interesting VoIP security questions, including Session Border Controllers, Lawful Intercept, Denial of Service and confidentiality.

VoIP Phone Vulnerabilities

Monday, October 30th, 2006 by Martyn Davies

At the IP’06 event in London recently, I heard Tom Cross of Internet Security Solutions present on VoIP security and some of the types of threats to VoIP phones. Those of you that have listened to the Blue Box Podcast will have heard Dan York, Jonathan Zar and Shawn Merdinger talk about the threats to phone handsets before. Some of these devices ship from the factory in an unsafe state, with security holes like remote configuration backdoors and TFTP servers running on the phone. Often, if there are usernames and passwords, they are weak combinations like ‘1’ and ‘1’, or ‘root’ with no password. Often users do not know that these back doors are open, and the software does not force you to change from the default or factory passwords.

The cost of not closing these security holes is that someone could remotely hack into the phone, and once in control of the phone could trace or record phone calls; mount a denial-of-service attack, such as repeatedly rebooting the phone; or hijack the phone in order to make calls at your cost. So Tom’s advice was to make sure that VoIP phones are not accessible from the Internet, so they can’t be attacked from outside.

In many ways the PBX is a dinosaur these days, since it is solving problems we no longer have. For example, VoIP phones have built-in dialling directories, so we don’t need a special abbreviated dialling system inside the company; VoIP softphones can have their own voicemail functionality, so we don’t need the PBX to do that. Also, traditionally the PBX has been the device that shares out and manages the expensive, limited resources, the telco trunk lines, and increasingly PBXes don’t need to do that either, often sitting just on a LAN or LANs. However, thinking about Tom’s words, the security aspect is a whole new reason to buy PBXes, as any device that can limit the exposure of SIP phones to attack is going to be of benefit.
