Monthly Archives: January 2008

VoiceCon Orlando to offer “SIP Security” talk

Over on his new No Jitter blog, Eric Krapf notes in his SIP Security post that at VoiceCon Orlando they will be running a SIP security talk again:

“As SIP continues to seep into the mainstream, more attention is being paid to security issues, especially in public IP networks/the Internet. At VoiceCon Orlando in March, we’re bringing back Cullen Jennings and Eric Rescorla to once again give their ‘SIP Security’ tutorial, which offers enterprises a jump on many of the key issues.”

Long-time readers will remember that I wrote about Cullen & Eric’s appearance at VoiceCon San Francisco back in August and I am glad to see they’ll be back again in Orlando. Since I’ll be down there at VoiceCon Orlando, I’ll look forward to seeing them both again (and yes, I’ll probably sit in their presentation again :-).

Eric also reviews a couple of the ETSI security presentations I recently mentioned, giving a better glimpse than I did here! 🙂

Technorati Tags:
, , , , , ,

More ETSI Security Workshop presentations now available online

Previously I mentioned that Hannes Tschofenig had a presentation up about SIP security that he gave at the ETSI Security Workshop early this month. We were contacted by folks at ETSI to let us know that all the workshop presentations are now available online. I haven’t looked through them yet, but the workshop agenda looked good to I am looking forward to checking these presos out. Thanks to ETSI for making them publicly available.

Technorati Tags:
, , , ,

Amusing Vulnerability in the BT Home Hub

Building upon a previously reported (and still un-patched!) vulnerability in the BT Home Hub which allows HTTP authentication to be bypassed, the folks over at GNUCitizen recently announced a way to leverage that vulnerability to cause the Hub to steal or hijack VoIP calls if the BT customer is also using the BT Broadband Talk service:

If the victim visits our evil proof-of-concept webpage, his/her browser sends a HTTP request to the BT Home Hub’s web interface. After this, the Home Hub starts a VoIP/telephone connection to the recipient’s phone number specified in the exploit page. This is what the attack looks like: the victim’s VoIP telephone starts ringing and shows an external call message on the LCD screen along with the recipient’s phone number. However, what’s interesting is that from the point of view of the victim, it looks like he/she is receiving a phone call from the number shown on the screen, but in fact he/she is calling that number!

At the heart of the vulnerability is the fact that to the victim it appears that they are receiving a call when in fact they are actually the party placing the call. Essentially, this vulnerability can be leveraged to perform a number of attacks utilizing the BT Home Hub, such as annoyance or prank calls like the scenario described above where two unwitting people believe that each has called the other when they are connected, advanced phishing attacks such as causing the user to believe their Bank has called them, or even toll fraud in some cases where the user could be made to call pay services.

For users of the BT Home Hub and Talk Service, you can demo the exploit for yourself by visiting GNUCitizen’s Proof-of-Concept web page.

More VoIP security talks next week at Internet Telephony Expo in Miami

After I pointed out that I’ll be speaking next week at Internet Telephony Expoin Miami, I realized that I should have also pointed out that there is are other talks about VoIP security (in order of the schedule):

I’ll probably only be able to get to the last one but will try to post a report here (and perhaps record it if I get appropriate permissions).

(If anyone attends either of the first two talks and would like to provide a brief writeup for this blog about what was discussed, we’d be glad to post it.)

Technorati Tags:
, , , , ,

VoIP Security talk at Ingate SIP Trunking Seminar Series next week in Miami

button_Miami08.gifIf any of you will be in Miami next week for Internet Telephony Expo, I will be speaking on VOIPSA’s behalf at Ingate’s SIP Trunking Seminar Series held in conjunction with IT Expo. Predictably, my session from 8:30-9:45am on Thursday, January 24th is titled “Seminar/myth 1: VoIP is not secure“. Should be fun.

If you are going to be down at IT Expo, do check out the full schedule for Ingate’s SIP Trunking Seminar Series. They have a good range of speakers and the seminars are free.

If any of you are attending either IT Expo or the SIP Trunking Seminar Series, please do drop a note as I’m always interested in meeting readers.

Technorati Tags:
, , , ,

“Hacking and Attacking VoIP Systems” – Slides from my Astricon 2007 presentation about Asterisk and VoIP security

Back at the end of September, I gave a presentation down at Astricon 2007 called “Hacking and Attacking VoIP Systems: What you need to know” which talked generically about VoIP security and then got into some specific suggestions for securing Asterisk (which I posted on this blog). A number of folks have asked for the slides… and so here they are:

If you’ve seen other presentations I’ve given, it’s a fairly typical presentation of mine with the addition of Asterisk-specific information toward the end.

Comments are, of course, welcome.

P.S. And yes, there is an audio recording of this presentation which I will, eventually, get up as a Blue Box podcast.

Technorati Tags:
, , , , , ,

Can legitimate SIP traffic be mistaken for SPIT? How do you differentiate?

Within the IETF there’s been a bit of discussion in the past months
about voice spam/SPIT and just recently RFC 5039 from Jonathan
Rosenberg and Cullen Jennings was published that specifically
addresses the issue of SIP and Spam.

The RFC is an excellent summary of the current thinking about the
SPIT problem and potential solutions to address it. If you haven’t
read the document, I would *highly* recommend it.

A concern I had, though, was that it did not appear to me that
existing documents address the issue of what SPIT could look like at
a network level. For instance, if a network administrator monitoring
network traffic suddenly saw a large flood of SIP INVITE packets
coming into his/her network, it could be:

1. a telemarketer/spammer launching a flood of SIP connections to
deliver SPIT;
2. an attacker launching a DoS attack through one of the various SIP
attack tools out there; or
3. a legitimate notification system starting to notify a range of SIP
endpoints.

I could very easily see existing network tools that look at traffic
and perform anomaly detection (and potentially source suppression)
being modified to suppress large flows of SIP traffic. This last case
of legitimate traffic concerned me and so I put together an Internet-
Draft talking about the types of legitimate systems
that might
generate a significant volume of traffic that could resemble SPIT (or
a DoS attack).

I put the document out primarily to stimulate discussion. Are these
legitimate scenarios being addressed in current thinking about
SPIT? If not, my point really is that they need to be considered.

Comments about the document are very definitely welcome. Are there other scenarios I
should include? Am I accurate? Am I overstating the case? or what?

Technorati Tags:
, , , , ,

An excellent overview of SIP security issues at the 3rd ETSI Security Workshop

Hannes Tschofenig is over at the 3rd ETSI Security Workshop in France this week and yesterday gave a talk about SIP security. He has now posted the slides to his blog – My Slides from the 3rd ETSI Security Workshop:

Yesterday I gave my presentation at the 3rd ETSI Security Workshop. My presentation title was ‘IETF Security’ and that is obviously pretty fuzzy. After looking on the agenda I decided that the most useful topic to speak about would be SIP identity management and media security. In case you are interested in this topic, please take a look at the following slide set.

His slide set does give an excellent overview of security issues in SIP, the various RFCs and approaches, etc. As he mentions, he focuses on identity and media security. A great contribution to the ongoing dialog on these issues. In fact, much of the workshop agenda looks quite intriguing. It will be interesting to see if other presenters make their slides available or if conclusions are posted anywhere.

Note to other presenters: If you do put your slides up somewhere, we’re glad to link to them here. In fact, if you use SlideShare (or a similar service), we’ll be glad to embed the presentations directly in this blog.

Technorati Tags:
, , , , , ,

IETF seeking feedback on “Requirements from SIP Session Border Controller Deployments”

ietflogo.jpgThe IETF leadership recently announced that they are seeking final comments on an Internet-Draft called “Requirements from SIP Session Border Controller Deployments” (current draft also available here) as they decide whether to move this document to an Informational RFC. The abstract of the document is as follows:

This document describes functions implemented in Session Initiation Protocol (SIP) intermediaries known as Session Border Controllers (SBCs). The goal of this document is to describe the commonly provided functions of SBCs. A special focus is given to those practices that are viewed to be in conflict with SIP architectural principles. This document also explores the underlying requirements of network operators that have led to the use of these functions and practices in order to identify protocol requirements and determine whether those requirements are satisfied by existing specifications or additional standards work is required.

If you work with SBCs, use them in your networks, or work for a SBC vendor, now is a good time to ensure that this document captures the requirements you have for deploying SBCs. Once finalized as an Informational RFC, the idea is that it will be used to assist in the potential creation of new SIP-related standards or the modification of existing standards. Now is the time to voice your opinion (and the note from the IETF explains how to do that). Comments have been requested to be received by January 16, 2008.

Technorati Tags:
, , , , , ,

Blue Box Podcast #73 now available for download

MD_bluebox157-2.jpgBlue Box Podcast#73 is now available for download. In this show, Jonathan and I discuss SIP security issues at IETF 70, Skype security, vulnerabilities in Cisco and Nokia phones, Vietnam’s cyberdissidents, VoIP security news, listener comments and more..

Technorati Tags:
, , ,