[VOIPSEC] Soft Phone Vulnerabilities

Geoff Devine gdevine at cedarpointcom.com
Sat Jun 24 08:30:39 CDT 2006


This really isn't the case.  The IMS P-CSCF acts as the admission
control point into the cellular operator's walled garden.  The network
topology on the managed IP network behind the P-CSCF is invisible from
the wild & wooly public internet.  To enforce the walled garden
approach, the operator can either port block the ports used for
signaling within the IMS core or use private network addresses for the
control plane.

You can steal service if you breach the physical security of the UICC
(the 3G version of a 2.5G SIM card) but the only point at which you can
ever signal in the 3GPP control plane is the P-CSCF.

With a soft client on a PC, it's certainly possible to create SIP
messages or message sequences that damage the IMS core.  The use of
SIGCOMP on the client/P-CSCF interface and strong enforcement of the SIP
profile rules at the P-CSCF should mitigate most of this risk but it's
always possible to find some SIP message encoding or SIP message
sequence that will kill some core element.  SIP is just too complex to
ever be able to get 100% test coverage.  Alan Turing proved this back in
1936 with his Halting Problem.

As I've tried to explain, you really can't directly attack the SIP
control plane in an IMS deployment but you can attack the data plane.  I
think operators will pretty much be forced to put SBCs at all the edges
of their network to police client media streams.  Otherwise, all the
devices in the IMS network that terminate media traffic end up being
vulnerable to denial of service attacks.  The P-CSCF ends up being a
full blown SBC providing walled garden access for both signaling and
media.

Geoff Devine
Chief Architect
Cedar Point Communications
-----------------------------------------------------------------------
It's important to note that this is about to no longer be the case.  As
cellular carriers begin to deploy UMA and IMS systems, anyone with an
authorized SIM card (not hard to buy or steal), USB SIM reader ($30 from
various online merchants, I recommend the ACS brand readers), and some
hacked up software (a week or so worth of work) will be able to emulate
a cellular/wifi dual-mode user agent and will be able to attach to the
wifi access point and subsequently establish an IPSec SA with one of the
provider's SGWs.  At that point it's trivial to access the back-end
cellular network, because they have a legitimately authenticated tunnel
directly to it (sans any strict per-connection firewalling at the SGW).
All while sitting in their bathrobe 1/2-way around the world.

--
Dustin D. Trammell
VoIP Security Research
TippingPoint, a division of 3Com
