Category Archives: VoIP Vulnerabilities

Remote eavesdropping vulnerability with Grandstream SIP phone – now slashdotted

Back on August 22nd, Radu State from the Madynes research group in France posted a security advisory to the VOIPSEC mailing list, “Remote eavesdropping with SIP Phone GXV-3000“.  He also posted it to full-disclosure and several other lists.  As he writes:

While playing with the SIP Madynes stateful fuzzer, we have realized that some SIP stack engines have serious bugs allowing to an attacker to automatically make a remote phone accept the call without ringing and without asking the user to take the phone from the hook, such that the attacker might be able to listen to all conversations that take place in the remote room without being noticed.

The Madynes team also included the perl exploit script in the advisory as well, enabling someone wishing to test this to easily execute the attack.   They indicate that they have found this vulnerability in several SIP stacks and that they can disclose the vulnerability with the Grandstream phone as Grandstream was apparently notified of this issue back in May.  They indicate that “fixed software will be available from the vendor” – however as of today, Grandstream’s firmware page is still showing the same load as that found to be vulnerable by the researchers.  Unless I missed it, I can’t seem to find any page on Grandstream’s site dealing with security issues.

The reason I mention this here, partly, is because the issue was slashdotted, based on the Sûnnet Beskerming article “Listen to SIP Phones Even When They are on the Hook“.

If you use Grandstream phones, I would suggest you should be contacting Grandstream to find out when a fix may be available.  If you a producer of SIP phones, you might want to have a look at the exploit, which seems to be fairly straightforward, and see if your phones are vulnerable.

Blue Box Video Edition #01: SIP softphone exploit demonstration by Sipera Systems at VoiceCon San Francisco 2007

Over on the Blue Box site, I’m pleased to announce that I uploaded Blue Box Video Edition #1, our very first experiment with adding a video component to the podcast.  In this 5-minute video, I was out at VoiceCon San Francisco last week and interviewed Sachin Joglekar from Sipera Systems about the SIP softphone exploit they first demonstrated at Black Hat.  Comments and opinions are definitely welcome.  Would you like to see more of these type of videos?

How to Break Asterisk

Just to show that VoIP security is not all about SIP, researchers Himanshu Dwivedi and Zane Lackey from iSEC Partners have produced some interesting material on vulnerabilities in IAX, which they just presented at the recent Black Hat conference. IAX (pronounced eeks) as you may know, is a proprietary protocol often used to connect together Asterisk servers for the purposes of call routing. Implementors say that it is simpler than SIP, and also tunnels through firewalls better than SIP, thanks to a ‘VPN like’ approach that tunnels signalling and media together down the same pipe.

iSEC came up with a number of novel attacks including exploiting authentication problems with the use of MD5 hashes; man-in-the-middle and DoS. They have a very nice paper here that describes their attacks in detail, and they have also made available some code (in Python) that you can use for your own experimentation.

Not stopping at IAX, they also had a go at the granddaddy of VoIP protocols, H.323, and have published a couple of attack tools there too. It’s enough to keep you busy all Summer long.

More: Black Hat USA 2007 abstracts
iSECPartners

Four Asterisk security vulnerabilities released

image Last week the folks at Digium released 4 security advisories on their www.asterisk.org/security web site.  They are:

There are fixes for all the issues (basically, to upgrade to the current release of the Asterisk stream you are using) and if you are using Asterisk (or a derivative of Asterisk) we would encourage you to read these advisories and take the recommended actions.

On a side note, it’s definitely been great to see the changes Digium has brought to reporting security issues with Asterisk.  First was the security portal at www.asterisk.org/security and then starting in April were these well done security advisory documents.  Kudos to Kevin Fleming and the rest of the developer team there.  (Thanks also to Kevin for starting to post these advisories to the VOIPSEC mailing list.)

Blue Box #54 – new VoIP security tools list, teleworker FUD, Phil Zimmermann, ETel feedback, SPIT, IETF

Blue Box Podcast #54 was posted about a week ago but with travel I didn’t cross-post it here… in this show, Jonathan and I talked a good bit about the new VoIP security tools list released by VOIPSA, the IETF meeting in Prague, Phil Zimmerman and ZRT, SPIT, the ETel conference and also talked a good bit about some articles circulating around about “how VoIP shouldn’t be used for teleworkers because of security”. Detailed show notes and links are available over on the Blue Box website.

New Hacking for Traditional Networks

I was intrigued by a talk advertised for the upcoming Black Hat Europe 2007 conference about hacking SS7.  Philippe Langlois will talk about SCTPscan – Finding entry points to SS7 Networks & Telecommunication Backbones, and as he says:

“SCTP is the protocol used to carry all telecom signalling information on IP according to the SIGTRAN protocol suite. It’s the foundation, as TCP is the foundation for the web and email.”

SS7 has been largely a secret world, a private network of networks for signaling voice calls across all the world’s cellcos and telcos.  In traditional SS7, all the links are achieved with T1 or E1 pipes, and there’s no opportunity to get access to this signalling backbone. 

However, SIGTRAN effectively uses an IP network as a transport system for signalling, doing away with the need for T1/E1 links and specialized hardware.  SCTP is a protocol that is used instead of TCP or UDP for this purpose.  So from a hacker point of view, SCTP is a pipe that can be exploited and scanned in order to get access to telco resources.

Increasingly, with NGNs being interconnected with traditional networks, tools like SIGTRAN will be used to allow different IP architectures to co-exist, so as Langlois implies, a hacker can write special tools that spoof higher protocol layers like M3UA, ISUP and TCAP to explore or interfere with the operation of SS7.  This is a potential danger because normally a high degree of trust exists between different SS7 network operators, and when they interconnect they do so in the understanding that each party will “behave nicely”.

In the Internet world, of course, there is no guarantee of “niceness”, and SIGTRAN links need to be locked down with tools like firewalls.  In an ideal world, SCTP would be only protocol allowed through on SIGTRAN links, and furthermore each party should have checks on the source addresses that are allowed to send messages and interact with SS7 service elements.  You would normally expect that SIGTRAN links (into SS7 backbones) could not be accessed or routed to from anywhere on the public network, but of course routing and Ethernet switching errors can occur, accidentally connecting segments that should not be.

However, SS7 has some advantages on its side in this war.  Firstly, it is a complex set of protocols, and most hackers will not have any “hands-on” experience that will help them find weaknesses in the network.  Also, SS7 networks in practice use a system called global title addressing, which means that co-operating networks can use each others’ services without needing to know the internal construction of the network.  This will work to defeat outsiders from understanding how a network is put together.

Whatever the pros and cons, we should not be complacent, and I’m sure the traditional telcos will not be, since money is at stake. We can be sure in the Internet that anything that can be hacked, someone will try to hack it.  

 

Learning to Distrust Steve

In a recent Rich Tehrani blog entry, he touched on the subject of a type of email phishing attack termed Spear Phishing.  For those that have not heard the term before, Rich describes it:

“In a recent US example, a phisher bluffed his way into the network of a port authority by spoofing an internal email address. Once on the inside, with an apparently genuine email identity, he was able to fool employees into revealing passwords for applications.

This sort of attack has been termed ‘spear’ phishing, designed to bamboozle unsuspecting ‘colleagues’ into revealing information that will give the perpetrator access into secure areas of corporate networks. “

This type of attack is possible because many email services either don’t insist on any kind of authentication, or because they do not look the ‘from’ email address you specify and check that it is consistent with your actual service-provided email address.  This is one of the weaknesses of today’s email system that makes life so easy for spammers.

Unfortunately, Spear Phishing also applies to VoIP, since in many cases VoIP services can be fooled into using and displaying a false caller ID number.  So you can imagine the scenario:  You are sitting at your office desk, and a call comes in to your desk phone.  The number on the display is 400, and that this is the extension you normally call to reach the IT help desk.  It’s definitely not an ‘outside’ number.  You pick-up and although you didn’t know that the IT help desk now has a technician called ‘Steve’, perhaps if he knows one other bit of corroborating information, this will be enough to make to accept that he is bona fide.  In the conversation that follows, he might tell you that Mike from Sales called him, can you tell him where Mike is?  Of course, if he knows that Mike sits near you, you might be tempted to believe that Steve is for real.  Bingo.  Now maybe you’re ready to tell him something secret?

Of course this kind of confidence trick is nothing new, but just using new tools to achieve the same goal.  The defence?  Well if you have the slightest doubt of someone’s veracity, you could offer to call them back, and do not use any information they have given you to do it.  For example, call someone else you know in the help desk, and ask them about ‘Steve’.  “Steve who?”

 

 

 

Building a VoIP Network

Dean Elwood, one of the founders of voipuser.org (a free VoIP service provider and online magazine) recently wrote an interesting article called “How To Build A Voip Network: 7 rules for the VoIP entrepreneur in 2007.“  It’s a great read from someone with experience of creating value from a VoIP service, rather than the usual marketing “talking head”.  It also raises some interesting VoIP security questions, including Session Border Controllers, Lawful Intercept, Denial of Service and confidentiality.