Monday, September 25, 2006

VoIP Security Exposed: Perspectives of a "Hacker"

The IT Security World Conference is being held in San Francisco this week. I was able to attend one of the pre-conference workshops, titled VoIP Security Exposed. The presenter’s name was Eric Hacker. That is his real name. He swears it is his real name, and that he comes from a long line of hackers.

I’m going to give the main points of the seminar right now, and hold off a lengthier discussion until later:


  • ITU-T X.805 was introduced as a framework for telecom security architecture. It seems that Lucent was heavily involved in developing this standard, so it is no surprise Eric used it to illustrate VoIP security threats and mitigation measures.

  • A Session Border Controller (SBC) can be connected in parallel with an external firewall, or in series with it.

  • Windows Messenger includes SIP capabilities, so a SIP softphone is often present by default on Windows XP. This means you have less control over softphone use than you may have thought.

  • BYE messages in SIP can be forged, making an interesting denial-of-service attack against VoIP. The attacker can repeatedly hang up calls.

  • Your firewall must understand Session Description Protocol (SDP) to effectively pass VoIP traffic. SDP tells the firewall which "pinholes" to open to allow the bearer RTP (voice) traffic through. There are no good open-source tools to test these ephemeral firewall rule exceptions.

  • Voicemail sometimes uses SMTP or even POP/IMAP to support convergence. This introduces all the security flaws of these protocols into your VoIP application.

  • Eric mentioned one case where an SBC uses a Java communication protocol for management. The protocol requires arbitrary ports, hence creating a security exposure.

  • Firewalls often require version upgrades in order to support VoIP. These upgrades are non-trivial in a production environment.

  • Traversing Network Address Translation is another issue. STUN and TURN are often suggested as solutions, but for different reasons don’t work well (Eric made some comments about academics designing protocols that fail in the field...). Either SIP extensions with a proxy, or a Back to Back User Agent (B2BUA) may work for handling NAT issues.

  • End point devices (both PC-based softphones and hardware handsets) have their own security issues. Methods for downloading software and configuration updates may be insecure (e.g., TFTP), VLANs used to separate VoIP devices can be breached, and endpoint authentication requires a Public Key Infrastructure.

  • A Man In The Middle (MITM) attack was mentioned as a high risk, enabling eavesdropping, endpoint spoofing, and call manipulation.

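Two of the points above, the forged BYE hang-up and the SDP "pinholes" a firewall has to open, are easier to see with the messages in hand. The following is an added example, not material from the seminar or from this page: it parses a constructed INVITE / 200 OK exchange (RFC 3261 style names, documentation-range addresses), lists the RTP/RTCP address-port pairs a SIP-aware firewall would open from each SDP body, and checks whether a later BYE actually carries the dialog's Call-ID and both tags. The message texts, the dialog table layout and the function names are all assumptions made for the illustration.

```python
"""Added example (not from the seminar or the page): SIP/SDP handling for the
forged-BYE and firewall-pinhole points.  All messages are constructed."""
import re
from typing import Dict, List, Tuple


def parse_sip(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a SIP message into (start line, lower-cased header map, body)."""
    head, _, body = raw.strip("\n").replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def tag_of(header_value: str) -> str:
    """Return the ;tag= parameter of a From/To header ('' if absent)."""
    m = re.search(r";tag=([^;\s>]+)", header_value)
    return m.group(1) if m else ""


def sdp_pinholes(sdp: str) -> List[Tuple[str, int]]:
    """(address, port) pairs a SIP-aware firewall must open for this SDP.

    c= carries the address (session level, or per media stream if it follows
    an m= line), each m= line carries the RTP port, and RTCP is RTP+1 unless
    an a=rtcp: attribute overrides it.
    """
    session_ip = ""
    media: List[dict] = []
    for line in sdp.splitlines():
        if line.startswith("c="):              # c=IN IP4 192.0.2.10
            ip = line.split()[2]
            if media:
                media[-1]["ip"] = ip
            else:
                session_ip = ip
        elif line.startswith("m="):            # m=audio 49170 RTP/AVP 0 8
            port = int(line.split()[1])
            media.append({"ip": session_ip, "rtp": port, "rtcp": port + 1})
        elif line.startswith("a=rtcp:") and media:
            media[-1]["rtcp"] = int(line[len("a=rtcp:"):].split()[0])
    holes: List[Tuple[str, int]] = []
    for m in media:
        holes.append((m["ip"], m["rtp"]))
        holes.append((m["ip"], m["rtcp"]))
    return holes


def dialog_from_exchange(invite_raw: str, ok_raw: str) -> dict:
    """What identifies the dialog once the 200 OK arrives: Call-ID plus the
    caller's From tag and the callee's To tag.  A BYE must carry all three."""
    _, inv, _ = parse_sip(invite_raw)
    _, ok, _ = parse_sip(ok_raw)
    return {"call_id": inv["call-id"],
            "tags": {tag_of(inv["from"]), tag_of(ok["to"])}}


def bye_belongs_to_dialog(dialog: dict, bye_raw: str) -> bool:
    """Accept a BYE only if its Call-ID and {From,To} tag pair match the
    dialog.  Either party may hang up, so the tags are compared as a set."""
    start, hdr, _ = parse_sip(bye_raw)
    if not start.startswith("BYE "):
        return False
    tags = {tag_of(hdr.get("from", "")), tag_of(hdr.get("to", ""))}
    return hdr.get("call-id") == dialog["call_id"] and tags == dialog["tags"]


# Constructed messages (Content-Length omitted for brevity).
INVITE = """\
INVITE sip:bob@example.com SIP/2.0
Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds
From: Alice <sip:alice@example.com>;tag=1928301774
To: Bob <sip:bob@example.com>
Call-ID: a84b4c76e66710@192.0.2.10
CSeq: 314159 INVITE
Contact: <sip:alice@192.0.2.10>
Content-Type: application/sdp

v=0
o=alice 2890844526 2890844526 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
"""

OK_200 = """\
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds
From: Alice <sip:alice@example.com>;tag=1928301774
To: Bob <sip:bob@example.com>;tag=a6c85cf
Call-ID: a84b4c76e66710@192.0.2.10
CSeq: 314159 INVITE
Contact: <sip:bob@198.51.100.20>
Content-Type: application/sdp

v=0
o=bob 2890844527 2890844527 IN IP4 198.51.100.20
s=-
c=IN IP4 198.51.100.20
t=0 0
m=audio 3456 RTP/AVP 0
a=rtcp:3457
"""

# Bob hangs up: tags are swapped relative to the INVITE, as RFC 3261 requires.
LEGIT_BYE = """\
BYE sip:alice@192.0.2.10 SIP/2.0
Via: SIP/2.0/UDP 198.51.100.20:5060;branch=z9hG4bK9f3a2
From: Bob <sip:bob@example.com>;tag=a6c85cf
To: Alice <sip:alice@example.com>;tag=1928301774
Call-ID: a84b4c76e66710@192.0.2.10
CSeq: 231 BYE
"""

# A blind forgery: right Call-ID, but the attacker did not know Bob's tag.
FORGED_BYE = """\
BYE sip:alice@192.0.2.10 SIP/2.0
Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bKforged
From: Bob <sip:bob@example.com>;tag=guess1
To: Alice <sip:alice@example.com>;tag=1928301774
Call-ID: a84b4c76e66710@192.0.2.10
CSeq: 999 BYE
"""

if __name__ == "__main__":
    print("caller pinholes:", sdp_pinholes(parse_sip(INVITE)[2]))
    print("callee pinholes:", sdp_pinholes(parse_sip(OK_200)[2]))
    dialog = dialog_from_exchange(INVITE, OK_200)
    print("legit BYE accepted:", bye_belongs_to_dialog(dialog, LEGIT_BYE))
    print("forged BYE accepted:", bye_belongs_to_dialog(dialog, FORGED_BYE))
```

The tag check only defeats blind forgery. An attacker who can sniff the signalling path (the MITM case in the notes) sees the INVITE and 200 OK and therefore has the Call-ID and both tags, so a correctly-formed BYE from them is indistinguishable from the real one; at that point only transport protection of the signalling (SIP over TLS) or authenticated requests help. The pinhole list is also why the firewall needs the SDP: without parsing c=, m= and a=rtcp: it cannot know that the callee's media will arrive on 198.51.100.20 ports 3456 and 3457 rather than 3456 and 3457 being guessed as port+1.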

Wrapping up, Eric discussed the following tools for VoIP vulnerability testing:

  • Sivus - Lots of unnecessary tests, hasn’t been updated in a while. Free.

  • SFTF - More of a QA tool than a vulnerability testing tool. Code and tests are tightly coupled, requiring a Python programmer to use. Not updated since 2004. Free.

  • SIPp - More of a QA tool than a vulnerability scanner. Tests are in XML hence easily extendable. Under active development. Free.

  • SIP Bomber - Based on the original Protos suite. More of a QA tool. Not recently updated. Free.

  • SipSak - is really a framework for testing SIP software rather than a security testing tool. Free.

  • Codenomicon - The commercial (not free) version of Protos. A very good QA tool. Your SIP vendors should have used this one.

  • VoIPShield VoIPAudit - A basic vulnerability testing tool that has some promise (per Eric). Checks for vulnerabilities and for some policy compliance items. Commercial (not free).


Friday, September 15, 2006

Odds and ends

If you are looking for examples of security awareness videos, a good place is the EDUCAUSE website. They held a security video contest with 64 entries. Winners took home a thousand-dollar prize. The videos are posted on their site. While definitely aimed at academic environments, they still provide useful lessons for other organizations.


My book is now featured in the ISACA bookstore. Buy it! Be the first to review it for Amazon.com.


And evidence that the focus of computer crime (I hate the word "cybercrime") has shifted from the stereotypical adolescent hacker to organized crime comes from this Wired article.