[VOIPSEC] Why a secure key exchange for media encryption?

Vijay K. Gurbani vkg at lucent.com
Fri Apr 28 15:29:05 BST 2006


Michael Prochaska wrote:
> hi,
> I'm a student and am working on my diploma thesis (VoIP security with 
> open standards) at the moment.
> in my eyes there are the following vulnerabilities / problems for 
> signaling:
> 
> - SPIT
> - unauthorised use of account
> - identity forgery
> - session hijacking
> - loss of anonymity
> - replay
> 
> and the following vulnerabilities for the media stream:
> 
> - replay
> - eavesdropping
> 
> any additions are welcome :-)

At one point in time, we had taken the VOIPSA's "VoIP Security
and Privacy Threat Taxonomy", Public Release 1.0, October 2005 and
added some new threats to produce the following updated list of
15 vulnerabilities in VoIP (sorry, it is rather long):

1. Misrepresenting Authority & Rights:
     * Presentation of a false authority as if it were true
       with the intent to mislead.
     * Presentation of a password, key or certificate of another.
     * Unauthorized creation or modification of subscriber service-
       related information (e.g., authentication info, session keys).
     * Unauthorized acquisition of subscriber service-related
       information (e.g., authentication info, session keys).
     * Replay attacks involving signaling.
     * Circumvention of conditional access.

2. Theft of Service:
     * Unlawful taking of a benefit of a service provider intended
       to deprive the service provider of lawful revenue.
     * Unauthorized deletion or alteration of billing records.
     * Unauthorized bypass of lawful billing systems.
     * Unauthorized billing.

3. Eavesdropping:
     * Call Pattern Tracking to discover identity, affiliation,
       presence and usage.
     * Traffic Capture - unauthorized recording of traffic including
       packet recording, packet logging and packet snooping.
     * Unauthorized access to subscriber media stream.
     * Number Harvesting - unauthorized means of capturing identity
       that enables subsequent unauthorized communication and theft
       of information.  Consists of the collection of IDs, which
       may be numbers, strings, URLs, etc.
     * Media Reconstruction - unauthorized monitoring, recording,
       storage, reconstruction, recognition, interpretation,
       translation, and/or feature extraction of any portion of a
       video communication including identity, presence or status.

4. Interception & Modification:
     * Call Black Holing - unauthorized dropping, absorbing or
       refusing to pass IP or another essential component of a VoIP
       protocol which has the effect of preventing or terminating a
       communication.
     * Call Rerouting - unauthorized redirection of IP or another
       essential component of a VoIP protocol which has the effect
       of diverting communication.  Can result in the inclusion of
       unauthorized nodes, corresponding to unauthorized parties,
       into a call flow and may have the effect of excluding
       authorized nodes and authorized parties.
     * Conversation Impersonation & Hijacking - the injection,
       deletion, addition, removal, substitution or replacement or
       other modification of any portion of a communication with
       information that alters any of its content and/or the
       identity, presence or status of any of its parties.
     * False Caller Identification - the signaling of an untrue
       identity or presence.

5. DNS-Specific Attacks:
     * Packet interception – MiTM attacks, eavesdropping on
       requests and responses, eavesdropping on requests combined
       with spoofed responses that beat the real response back to the
       resolver.
     * ID guessing and query prediction – Injecting bogus responses
       based on guessing the DNS transaction ID (16-bit field) and
       QNAMEs and QTYPEs.
     * Cache poisoning – Injecting bogus data in the victim’s cache
       causing subsequent DNS queries to go to a server of the
       attacker’s choosing.
     * Betrayal by trusted servers – Variation of the packet
       interception attack, except that the client voluntarily sends
       the request to the compromised DNS server that got configured
       into a client machine as a result of PPP or DHCP.
     * Denial of Service – DNS servers can be used as DoS amplifiers,
       since DNS response packets may be larger than the query packets.

6. Request Flooding:
     * User Call Flooding (potentially overflowing to network
       elements) - DoS attack on a user endpoint by sending a
       large number of valid requests causing interruption of service,
       some of which may impact network elements as well.
     * Endpoint Request Flooding (before and after call setup) - DoS
       attack on a user endpoint by sending a large number of
       valid/invalid call setup messages (e.g., SIP INVITEs) or call
       control messages (e.g., SIP RE-INVITEs) which could cause
       the endpoint to crash, reboot, or exhaust resources including
       the UA.
     * Call Controller Flooding (includes Request Looping) - User
       Call Flooding and Endpoint Request Flooding scenarios cause
       VoIP call controller to crash, reboot, or exhaust all resources.
     * Directory Service Flooding - sending a large number of valid
       queries to the DNS server that causes it to crash, reboot, or
       exhaust all resources.

7. Malformed Requests & Messages:
     * Disabling Endpoints with Invalid Requests - DoS attack on
       the endpoint by sending a number of invalid call setup messages
       (e.g., SIP ACKs when none are expected) that could cause the
       endpoint to crash, reboot, or exhaust all resources.
     * Malformed Protocol Messages - sending of malformed signaling
       messages (e.g., messages with overflow or underflow) to the
       VoIP controller that degrades its performance to the point of
       being unable to process normal messages as well as setup and
       tear down calls.  For example the PROTOS suite of software
       developed by the University of Oulu in Finland.
     * Attacker can potentially use IP fragmentation to bypass
       firewall rules: (1) tiny fragment attack, (2) overlapping
       fragment attack.

8. Spoofed Messages:
     * Faked Call Teardown Message - DoS attack that disrupts service
       by causing a session to end prematurely.  For example, a
       spoofed SIP BYE message causes the receiving UA and VoIP
       controller to teardown a session prematurely.
     * Faked Response - DoS attack that disrupts service by denying the
       delivery of a call.  For example, sending a spoofed SIP BUSY
       HERE or error response message to an incoming call.

9. Call Hijacking:
     * Registration Hijacking - DoS attack that prevents an
       authorized endpoint from making or receiving calls by altering
       registration messages to redirect signaling messages to another
       endpoint.
     * Media Session Hijacking - sending a spoofed SIP redirect message
       to the calling endpoint that results in sending the call to
       another endpoint.
     * Server Masquerading - DoS attack by impersonation of a VoIP
       call controller causes the user endpoint to send requests to the
       masqueraded server resulting in the inability to receive VoIP
       service.

10. Underlying Operating System/Firmware DoS:
     * Vulnerabilities of the operating system or firmware that the
       UA and VoIP controllers run on.
     * "Point-and-shoot" exploits freely available for download on
       the Internet.

11. Compromise of Installed Software or Service-Related Data:
     * Installation of hidden malware into network attached
       computers and using this malware to launch a Denial of Service
       attack.
     * Malware insertion.
     * Unauthorized installation, alteration or deletion of
       production software.
     * Unauthorized disclosure, creation, modification, or deletion
       of service-related data (e.g., subscriber information,
       DNS/ENUM entries, system logs, billing information, etc.)

12. Resource Exhaustion:
     * Deficiencies in software or hardware that cause depletion of
       memory resource (e.g., buffers) in a host.
     * Deficiencies in software or hardware that consumes most of
       CPU resources in a host.
     * Hardware or software errors that limit available bandwidth
       of a communication link.
     * Deficiencies in software or hardware that generate
       unnecessary messages reducing bandwidth resources.

13. Unauthorized Network Scans and Probes:
     * Port scanning/ping sweeps.  Attacker can run publicly available
       scanning software to target hosts.  Services on the hosts
       monitoring the ports will respond, potentially providing
       information to the attacker.
     * Vulnerability scanning (e.g., Nessus), network mapping (e.g.,
       Nmap).

14. Invasion of Subscriber Privacy
     * Unauthorized disclosure of subscriber capabilities.
     * Unauthorized disclosure of subscriber's presence.
     * Unauthorized disclosure of subscriber's network usage or
       activities (e.g., who called, when called, etc.).
     * Replay attacks involving media (re-playing captured media for
       malicious gains, or invading privacy by replaying media for
       personal use).

15. Compromise of Subscriber Application Data
     * Unauthorized disclosure, creation, modification, deletion
       of data created and/or used by subscriber-accessible
       applications.

- vijay
-- 
Vijay K. Gurbani  vkg@{lucent.com,research.bell-labs.com,acm.org}
Bell Laboratories, Lucent Technologies, Inc.
2701 Lucent Lane, Rm. 9F-546, Lisle, Illinois 60532 (USA)
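
As an added example that is not part of the original post or of the VOIPSA taxonomy it summarizes, the following Python shows how a passive monitor would catch two of the listed threats on the wire: a faked call teardown (item 8, a spoofed SIP BYE) and registration hijacking (item 9). Every SIP message, host address and tag in it is constructed for the example, and the monitor is a minimal illustration, not code from any product. The check is a heuristic: a BYE's Call-ID, From/To tags and source host are compared against the dialog the monitor saw being established, and a REGISTER that moves an existing address-of-record to a different Contact or source host is flagged.

```python
import re

# Added example, not code from the VOIPSEC post or the VOIPSA taxonomy. All SIP
# messages below are constructed; addresses are from the RFC 5737 documentation ranges.

def parse_sip(raw):
    """Minimal parser: start line + headers (no compact names, no line folding)."""
    lines = raw.strip().splitlines()
    start = lines[0].split()
    # Request line is "METHOD URI SIP/2.0"; status line is "SIP/2.0 code reason".
    method = start[1] if start[0].startswith("SIP/") else start[0]
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the headers; an SDP body may follow
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "headers": headers}

def tag_of(value):
    m = re.search(r";tag=([^;>\s]+)", value)
    return m.group(1) if m else None

def uri_of(value):
    m = re.search(r"<([^>]+)>", value)
    return m.group(1) if m else value.split(";")[0].strip()

class SipMonitor:
    """Passive tracker: alerts on a BYE that does not fit a dialog it saw established
    (item 8, faked teardown) and on a REGISTER that rebinds an AoR (item 9, hijacking)."""
    def __init__(self):
        self.dialogs = {}   # Call-ID -> {"tags": From/To tags seen, "peers": source IPs seen}
        self.bindings = {}  # address-of-record -> (Contact URI, source IP)

    def observe(self, raw, src_ip):
        msg = parse_sip(raw)
        h = msg["headers"]
        call_id = h.get("call-id")
        alerts = []
        if msg["method"] == "INVITE" and call_id not in self.dialogs:
            self.dialogs[call_id] = {"tags": {tag_of(h["from"])}, "peers": {src_ip}}
        elif msg["method"] == "200" and call_id in self.dialogs:
            # The callee's To-tag in the 200 OK completes the dialog identifier.
            self.dialogs[call_id]["tags"].add(tag_of(h["to"]))
            self.dialogs[call_id]["peers"].add(src_ip)
        elif msg["method"] == "BYE":
            d = self.dialogs.get(call_id)
            sent = {tag_of(h.get("from", "")), tag_of(h.get("to", ""))}
            if d is None:
                alerts.append("BYE from %s for unknown dialog %s" % (src_ip, call_id))
            elif sent != d["tags"] or src_ip not in d["peers"]:
                alerts.append("spoofed BYE from %s for dialog %s" % (src_ip, call_id))
            else:
                del self.dialogs[call_id]  # legitimate teardown
        elif msg["method"] == "REGISTER":
            aor = uri_of(h["to"])
            new = (uri_of(h["contact"]), src_ip)
            old = self.bindings.get(aor)
            if old is not None and old != new:
                alerts.append("registration for %s moved from %s to %s" % (aor, old, new))
            self.bindings[aor] = new
        return alerts

# Constructed traffic: Alice (192.0.2.10) calls Bob (192.0.2.20); 198.51.100.7 is the attacker.
CALL_ID = "a84b4c76e66710@192.0.2.10"
INVITE = ("INVITE sip:bob@example.com SIP/2.0\n"
          "From: Alice <sip:alice@example.com>;tag=1928301774\n"
          "To: Bob <sip:bob@example.com>\n"
          "Call-ID: %s\nCSeq: 314159 INVITE\nContact: <sip:alice@192.0.2.10>\n" % CALL_ID)
OK_200 = ("SIP/2.0 200 OK\n"
          "From: Alice <sip:alice@example.com>;tag=1928301774\n"
          "To: Bob <sip:bob@example.com>;tag=a6c85cf\n"
          "Call-ID: %s\nCSeq: 314159 INVITE\n" % CALL_ID)
# The BYE as Bob sends it; an attacker who sniffed the dialog can send identical bytes.
BYE = ("BYE sip:alice@192.0.2.10 SIP/2.0\n"
       "From: Bob <sip:bob@example.com>;tag=a6c85cf\n"
       "To: Alice <sip:alice@example.com>;tag=1928301774\n"
       "Call-ID: %s\nCSeq: 231 BYE\n" % CALL_ID)
REGISTER = ("REGISTER sip:example.com SIP/2.0\n"
            "From: <sip:alice@example.com>;tag=456248\nTo: <sip:alice@example.com>\n"
            "Call-ID: 843817637684230@192.0.2.10\nCSeq: 1 REGISTER\n"
            "Contact: <sip:alice@192.0.2.10:5060>\n")
REGISTER_HIJACK = REGISTER.replace("192.0.2.10:5060", "198.51.100.7:5060")

def run_demo():
    """Replay the constructed exchange and return the alerts it raises."""
    mon = SipMonitor()
    events = [(INVITE, "192.0.2.10"),             # Alice calls Bob
              (OK_200, "192.0.2.20"),             # Bob answers
              (BYE, "198.51.100.7"),              # attacker tears the call down
              (BYE, "192.0.2.20"),                # Bob really hangs up
              (REGISTER, "192.0.2.10"),           # Alice's phone registers
              (REGISTER_HIJACK, "198.51.100.7")]  # attacker rebinds Alice's AoR
    alerts = []
    for raw, ip in events:
        alerts += mon.observe(raw, ip)
    return alerts

if __name__ == "__main__":
    print("\n".join(run_demo()))
```

Running run_demo() yields two alerts, one for the BYE from 198.51.100.7 and one for the REGISTER that moves sip:alice@example.com to the attacker's host. Note what the check relies on: an attacker who captured the dialog (item 3, traffic capture) reproduces the Call-ID and both tags exactly, so only the source-host comparison separates the spoofed BYE from Bob's, and that comparison is useless where all signaling arrives through a proxy or NAT. A wire-level heuristic like this is a detection aid at best; preventing either attack needs authenticated signaling, such as digest authentication on REGISTER and in-dialog requests or TLS on each SIP hop, rather than inspection of unauthenticated packets.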