[VOIPSEC] VoIP vulnerabilities summarization

sukery sukerry at 126.com
Wed Dec 14 06:40:57 CST 2005


Hi Janne:
	Thank you for your comment, I totally agree with what you said.
	I am a graduate student; our project is focused on VoIP security. We first study the vulnerabilities of VoIP-related protocols (especially SIP), then define some attack scenarios according to these vulnerabilities we discovered and realize all these attacks, and finally we test our attack system on real VoIP networks (supplied by an internationally famous VoIP manufacturer). The attacks include:
	exception-packet attack against server
	DoS attack against server
	disturbance call attack against endpoints
	pseudo call attack against endpoints
	call leaflet attack against endpoints
	SIP password crack
	voice eavesdropping (and maybe voice replacement and voice disturbance)
	voice broadcast & call leaflet attack against PSTN terminals (via VoIP gateway)
	and maybe more

	I am very, very sorry to say that, due to the confidentiality of this project, I cannot make our attack system public yet. That is the intention of the sponsor of this project.
	Anyway, I would like to discuss with you as much as possible :)


>Hi Sukery,
>
>I think you made a good summarization of the vulnerabilities and I agree
>with what you say.
>
>But I think several of the problems you mention can be solved by using
>TLS to protect the signalling and SRTP to protect the media as described
>in existing standards and drafts. These technologies may not be widely
>spread among existing implementations but they exist and your list
>provides some good reasons that may motivate others to follow. 
>
>I'm also interested in what tool you used.
>
>Cheers
>/Janne
>
>> 2. SIP reuses the authentication mechanism from the HTTP protocol; in fact
>> HTTP authentication is totally imperfect when applied to the SIP protocol,
>> for it is a single-direction authentication, which means that only the
>> server authenticates the endpoints; the endpoints do not authenticate the
>> server. This situation makes it easy to deceive endpoints because they do
>> not authenticate any entity in the network. Pseudo call (calling someone
>> with a false user id) and server impersonation are dangerous attacks due
>> to this vulnerability.
>> 
>> 3. SIP communication is based on message transactions; however, the SIP
>> transaction mechanism is quite complicated. For example, when a stateful
>> proxy server receives a SIP request message, it first computes the
>> transaction ID for this message; if the transaction ID did not exist
>> before, this request message is regarded as a new message, and the server
>> will do a lot of things for this new message: save this message, create a
>> finite state machine for this message, construct a provisional response
>> message and send it back, save this response message, update the finite
>> state machine, decide the next hop of this request message based on the
>> complex routing rules, transfer the request message, create one or more
>> client transactions for the request message ... These steps surely consume
>> lots of CPU and memory resources. As a result, the server is susceptible
>> to DoS attacks when a hacker continually sends large quantities of SIP
>> request messages with different Call-IDs.
>> 
>> 4. Un-encrypted media streams such as RTP data are easy to wiretap.
>> 
>> 5. Almost all VoIP software has some code flaws; in this case, even a
>> malicious packet may bring down the server. We call this packet an
>> exception packet; in fact we have found exception packets against both SIP
>> servers and H.323 servers.
>> 
>> 6. VoIP endpoints are much more intelligent than traditional PSTN
>> terminals; however, when this capability is abused, a lot of malicious
>> network attacks appear:
>>      disturbance call
>>      call leaflet
>>      voice broadcast
>>      and more...
>> 
>> 
>> >Chris
>> >
>> >I'm pretty heavily involved in SIP standards development, and have been
>> >for some time. I talk regularly with the kind of folks that I think would
>> >know if their stuff had been "hit". I know about plenty of attacks on the
>> >underlying infrastructure, including the platform attacks. I have NEVER
>> >heard even a whisper of an actual attack on VoIP equipment that used
>> >exploits specifically related to SIP (which I don't think is substantially
>> >better or worse than other VoIP protocols).
>> >_______________________________________________
>> >Voipsec mailing list
>> >Voipsec at voipsa.org
>> >http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>> 
>> 
>> 
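Point 2 of the quoted summary (SIP reusing HTTP Digest, which only lets the server check the client) can be made concrete with the digest arithmetic itself. The Python below is an added example for this archive page, not code from anyone in the thread or from any product mentioned in it: it implements the RFC 2617 request-digest that RFC 3261 borrows, a minimal registrar that verifies it, and the Authentication-Info `rspauth` value (RFC 2617 section 3.2.3, carried in SIP per RFC 3261) that a client can check to confirm the server actually holds its secret. The realm, user name, password and the `SipServer`/`ImpostorServer` classes are constructed for illustration; the impostor simply accepts any credential, which is what the client-side `rspauth` check catches.

```python
import hashlib
import secrets

# Constructed credentials for this example; they do not come from the thread.
REALM = "sip.example.com"
SERVER_USERS = {"alice": "s3cret-password"}  # the genuine registrar's password store


def _h(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


def _kd(secret: str, data: str) -> str:
    return _h(f"{secret}:{data}")


def request_digest(username, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client-side request-digest (RFC 2617 3.2.2, reused by SIP in RFC 3261, qop=auth)."""
    ha1 = _h(f"{username}:{realm}:{password}")
    ha2 = _h(f"{method}:{uri}")
    return _kd(ha1, f"{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def rspauth_digest(username, password, realm, uri, nonce, nc, cnonce, qop="auth"):
    """Server-side rspauth for Authentication-Info (RFC 2617 3.2.3).
    Same as the request-digest but with an empty method in A2, so it can only be
    produced by a party that knows the shared secret: the client uses it to
    authenticate the server, which the plain Digest challenge alone does not do."""
    ha1 = _h(f"{username}:{realm}:{password}")
    ha2 = _h(f":{uri}")
    return _kd(ha1, f"{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class SipServer:
    """Minimal stand-in for the registrar side of SIP Digest (constructed)."""

    def __init__(self, users):
        self.users = users
        self.nonces = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)  # remember issued nonces so replays are rejected
        return nonce

    def verify(self, auth, method):
        """Check a parsed Authorization header; return rspauth on success, else None."""
        if auth["nonce"] not in self.nonces:
            return None  # unknown or already-used nonce
        password = self.users.get(auth["username"])
        if password is None:
            return None
        expected = request_digest(auth["username"], password, REALM, method,
                                  auth["uri"], auth["nonce"], auth["nc"], auth["cnonce"])
        if not secrets.compare_digest(expected, auth["response"]):
            return None
        self.nonces.discard(auth["nonce"])  # nonce is single use
        return rspauth_digest(auth["username"], password, REALM, auth["uri"],
                              auth["nonce"], auth["nc"], auth["cnonce"])


class ImpostorServer(SipServer):
    """Models the thread's server-impersonation point: a host without the user's
    secret that accepts any Authorization and fabricates rspauth (constructed)."""

    def __init__(self):
        super().__init__(users={})

    def verify(self, auth, method):
        return secrets.token_hex(16)


def run_register(server, username, client_password):
    """One REGISTER exchange. Returns (server_accepted_client, client_accepted_server)."""
    uri = f"sip:{REALM}"
    nonce = server.challenge()  # 401 Unauthorized carrying WWW-Authenticate
    cnonce, nc = secrets.token_hex(8), "00000001"
    auth = {"username": username, "uri": uri, "nonce": nonce, "nc": nc, "cnonce": cnonce,
            "response": request_digest(username, client_password, REALM, "REGISTER",
                                       uri, nonce, nc, cnonce)}
    rspauth = server.verify(auth, "REGISTER")
    if rspauth is None:
        return False, False
    # Client side: recompute rspauth with its own password and compare.
    expected = rspauth_digest(username, client_password, REALM, uri, nonce, nc, cnonce)
    return True, secrets.compare_digest(expected, rspauth)


if __name__ == "__main__":
    print(run_register(SipServer(SERVER_USERS), "alice", "s3cret-password"))  # honest
    print(run_register(ImpostorServer(), "alice", "s3cret-password"))  # impostor detected
```

The honest exchange returns `(True, True)`; against the impostor the client is "accepted" but its `rspauth` check fails, `(True, False)`, which is exactly the gap the summary describes when endpoints skip that check. TLS on the signalling path, as Janne suggests, is the stronger fix because it authenticates the server before any credential is sent.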


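Point 3 of the summary (stateful proxies allocating a transaction state machine per new request) suggests the detection a defender would run: count how many distinct server transactions each source opens per time window, using the RFC 3261 section 17.2.3 matching rule so that retransmissions of the same request do not count. The Python below is an added example for this page, not the thread author's tool or anything from the list; the SIP messages, addresses and thresholds are constructed, and the window/threshold values are placeholders to be tuned per deployment.

```python
import re
from collections import defaultdict, deque


def parse_request(raw: str) -> dict:
    """Pull the fields a stateful proxy keys on from a SIP request (RFC 3261)."""
    lines = raw.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    hdr = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the headers
        name, _, value = line.partition(":")
        hdr.setdefault(name.strip().lower(), value.strip())
    via = hdr.get("via", "")
    m = re.search(r"branch=([^;\s]+)", via)
    sent_by = via.split(";")[0].split()[-1] if via else ""
    return {"method": method, "branch": m.group(1) if m else None,
            "sent_by": sent_by, "call_id": hdr.get("call-id", "")}


def transaction_key(msg: dict) -> tuple:
    """RFC 3261 17.2.3 server-transaction match for z9hG4bK branches:
    top Via branch + sent-by + method. Retransmissions map to the same key."""
    return (msg["branch"], msg["sent_by"], msg["method"])


class NewTransactionMonitor:
    """Sliding-window count of *new* transactions per source address."""

    def __init__(self, window_s: float):
        self.window_s = window_s
        self.seen = set()                 # transaction keys already allocated
        self.per_src = defaultdict(deque)  # source -> timestamps of new transactions
        self.peak = defaultdict(int)       # source -> highest count seen in a window

    def observe(self, ts: float, src: str, raw: str) -> int:
        key = transaction_key(parse_request(raw))
        if key in self.seen:
            return len(self.per_src[src])  # retransmission: no new proxy state
        self.seen.add(key)
        q = self.per_src[src]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        self.peak[src] = max(self.peak[src], len(q))
        return len(q)


def constructed_events():
    """Constructed traffic: one legitimate caller (with a retransmission) and one
    source opening many transactions with distinct Call-IDs and branches."""
    def invite(src, tag):
        return (f"INVITE sip:bob@example.com SIP/2.0\r\n"
                f"Via: SIP/2.0/UDP {src}:5060;branch=z9hG4bK-{tag}\r\n"
                f"Call-ID: {tag}@{src}\r\nCSeq: 1 INVITE\r\n\r\n")
    events = [(0.0, "192.0.2.10", invite("192.0.2.10", "legit1")),
              (0.5, "192.0.2.10", invite("192.0.2.10", "legit1"))]  # same branch: retransmit
    events += [(1.0 + i * 0.02, "198.51.100.7", invite("198.51.100.7", f"flood{i}"))
               for i in range(25)]
    return sorted(events)


def peak_new_transactions(events, window_s=5.0) -> dict:
    mon = NewTransactionMonitor(window_s)
    for ts, src, raw in events:
        mon.observe(ts, src, raw)
    return dict(mon.peak)


def flagged_sources(events, window_s=5.0, threshold=20) -> list:
    """Sources whose new-transaction count in any window exceeded the threshold."""
    peaks = peak_new_transactions(events, window_s)
    return sorted(src for src, n in peaks.items() if n > threshold)


if __name__ == "__main__":
    print(peak_new_transactions(constructed_events()))
    print(flagged_sources(constructed_events()))
```

On the constructed input the legitimate caller peaks at one new transaction (its retransmission is matched to the existing key), while the second source peaks at 25 and is flagged. The same counter can drive mitigation, for example answering further requests from a flagged source statelessly or rate-limiting it, so that the per-transaction state the summary describes is only allocated for sources behaving like phones.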
