Chapter 4
VoIP Security Issues
4.1 Denial-of-Service (DoS) in VoIP
Purpose:
The purpose of VoIP DoS attack is to exhaust network resources and interrupt VoIP operations through a flood of messages or by corrupting or degrading the quality of messages, thus preventing subscribers from effectively using the service.
Situation:
We must consider different scenario when studying DoS attacks:
In a typical situation of establishing a VoIP connection for voice conversation where end systems or/and gateway are targets. At first place subscribers try to establish a voice call conversation over a VoIP channel. VoIP services should be available to subscribers when requested. In order to manage the Media gateways deployed across the communications, some VoIP systems use control protocols (e.g. MGCP and Megaco/H.248) and security mechanism. VoIP secure gateways (VoIP-SGW) are developed in advance to make IP telephony protocols friendly for common firewall configuration.
In order to meet the unflawed communication level, a VoIP system must be having enough capability (i.e. routing, bandwidth, and QoS) that provide the VoIP system a high level proficiency of communication across the infrastructure.
A secure VoIP system implements an intrusion detection system (IDS), firewall on the phone itself to check the media packet flow, or perform authentication.
But at least a minimum set of defenses that filter unwelcome packets, for example a firewall, must be deployed.
Problem:
IP telephony subscribers need to be blocked from using VoIP services. The attack can be carried out taking advantage of the following vulnerabilities:
Solution:
Two basic standards are used for VoIP systems: H.323 and SIP. We consider here an attack in an H.232 environment. The SIP attack can be considered a variant of this pattern or a separate pattern. Likewise, specific Dos attacks against gateways will be analyzed from the supporting Megaco/H.248 protocol viewpoint.
Figure 5.1 shows the class diagram of the structure of an H.323 system. The Layer 2 Switch provides connectivity between H.323 components. The Gateway takes a voice call from a circuit-switched - Public Switched Telephone Network (PSTN) and places it on the IP network. The PSTN uses PBX switches and Analog Phones. The internet (IP network) contains Routers and Firewalls to filter traffic to the Terminal Devices. The gateway also queries the Gatekeeper via the Internet with caller/callee numbers and the gatekeeper translates them into routing numbers based upon service logic. The IP-PBX server acts like a call-processing manager providing call setup and routing the calls throughout the network to other voice devices. Softphones are applications installed in Terminal Devices (e.g. PCs or wireless devices).
One method to launch a DoS attack is to flood a server with repeated requests for legal service in an attempt to overload it. This may cause severe degradation or complete unavailability of the voice service.
A flooding attack can also be launched against IP phones and Gateways (e.g. a flood of “register” or “invite” events). With this form of DoS attacks, the target system is so busy processing packets from the attack that it will be unable to process legitimate packets, which will either be ignored or processed so slowly that the VoIP service is unusable. Attackers can also use the TCP SYN Flood attack (also known as resource starvation attack) to obtain similar results. This attack floods the port with synchronization packets, normally used to start a connection. In a Distributed DoS, multiple systems are used to generate a massive flood of packets. To launch a massive DDoS attack the hacker previously installs malicious software on compromised terminal devices (infected with a Trojan horse) that can be triggered at a later time (a.k.a. “zombies”) to send fake traffic to targeted VoIP components. Targeted DoS attacks are also possible where the attacker disrupts specific connections.
The class diagram of Figure 5.2 shows the structure for a DDoS attack in an H.323 architecture where any VoIP component can be a target for Dos. Classes Attack Control Mechanism and Zombie describe the software introduced by the attacker.
Note that the Zombie is just a terminal device in a different role.
The sequence diagram of Figure 5.3 shows the sequence of steps necessary to perform an instance of a DoS attack of the first type mentioned above. An attacker (internal or remote), with knowledge of a valid user name on a VoIP system, could generate enough call requests to over-whelm the IP-PBX server. An attacker may disrupt a subscriber's call attempt by sending specially crafted messages to his/her ISP server or IP PBX component, causing it to over allocate resources such that the caller receives a “service not available” (busy tone) message. This is an example of a targeted attack.
Similarly, out-of-sequence voice packets (such as receiving media packets before a session is accepted) or a very large phone number could open the way to Application Layer attacks (a.k.a. Attacks against Network Services). Buffer Overflow attacks might paralyze a VoIP number using repeated calling. For example, an attacker intermittently sends garbage (I.e. both the header and the payload are filled with random bytes corrupting the Callee's jitter buffer voice packets) to the callee's phone in between those of the caller's voice packets. Therefore the Callee's phone is so busy trying to process the increased packet flow that the jitter (delay variation) causes any conversation to be incomprehensible [MDPV01]
Figure 5.4 shows the class diagram of the structure of a Megaco/H.248 environment. Megaco/H.248 is the media gateway control protocol, this is a master-slave, transaction oriented protocol in which Media Gateway Controllers (MGC) control the operation of Media Gateways (MG) [VVDN02] VoIP media gateways are vulnerable to DoS because they accept signaling messages.
In this setting a Dos attack would occur at MGC when the attacker sends large amount of UDP packets to the protocol's default port 2944 or 2945, which keeps the MGC busy handling illegal messages, and finally blocks the normal service. An attacker can keep sending Service change or Audit capabilities command to a MG and thereby bring down the MG [SVID01]. Therefore, VoIP Gateways will not be able to initiate calls or maintain a voice call during a DoS attack. The audio quality will be affected as well. An alternative to launch DoS attacks is when an attacker redirects media sessions to a media gateway. The attack will overwhelm the voice component and prevent it from processing legitimate requests.
Signaling DoS attacks on media gateways con consume all available Time Division Multiplexing (TDM) bandwidth, preventing other outbound and inbound calls and affecting other sites that use TDM, On the other hand, due to the fact that VoIP media session are very sensitive to latency and jitter, DoS on media is a serious problem.
VoIP media, which is normally carried with RTP, is vulnerable to any attack that congests the network or slows the ability of an end device (phone or gateway) to process the packets in real time. An attacker with access to the portion of the network where media is present simply needs to inject large numbers of either RTP packets or high QoS packets, which will contend with the legitimate RTP packets [VVS01].
Consequences:
The success of this attack implies:
Possible sources of failure include:
4.2 Call Interception in VoIP:
Purpose:
The VoIP call interception pattern provides a way of monitoring voive packets of RTCP transmissions. This kind of attack is the equivalent of wiretapping in circuit switch telephone system.
Context:
Two or more subscribers are participating in a voice call conversation over VoIP channel, In public IP network such as the Internet, anyone can capture the packets meant for another user. In order to achieve confidentiality, enterprises may use encryption and decryption techniques when making or receiving VoIP calls. Since cryptographic algorithms are typically implemented in hardware, they are difficult to implement in VoIP, which is software-base. In VoIP network, transport-protocol based threats rely on a non-encrypted RTP stream [VIS03]. On the other hand, enterprises may route voice traffic over a private network using either point-to-point connections or a carrier-based IP VPN service. Two basic standards are used for VoIP systems: H323 and SIP. We consider here an attack in an H323 environment.
The SIP attack can be considered a variant of this pattern or a separate pattern.
Problem:
Solution:
VoIP Call interception gives attackers the ability to listen and record private phone conversation by interception both the signaling and the media stream. The attacker is also able to modify the content of the packets being intercepted acting as a man in the middle. In principle this threat affects both the signaling and the data depending on the ability of attacker of intercepting both [VST04].
Due to the fact that voice travels in packets over the data network, hackers can use data-sniffing and other hacking tools to identify, modify, store and play back unprotected voice communications traversing the network, thus violating confidentiality. A packet sniffer is a software application that users a network adapter card in promiscuous mode (a mode in which the network adapter card sends all packets received in the physical network wire to an application for processing) to capture all network packets that are sent across a particular collision domain. This packet sniffer application can reside in a general-purpose computer attached, for example, in a local area network [Fer05]. For example, the tool “voice over misconfigured Internet telephones” (a.k.a. “vomit”), takes an IP phone conversation trace captured by the UNIX tool tepdump, and reassembles it into a wave file which makes listening easy [DSCN01, SATT03] using MP3 or alternative audio files. The reassembled files can be collected later, emailed or otherwise sent on the eavesdropper. Figure 5.5 shows the sequence of the steps necessary to monitor a VoIP conversation.
Figure 5.5 Sequence diagram for a call interception
With tepdump, hackers can identify the IP and MAC address of the phone to be attacked. By using an Address Resolution Protocol (ARP) spoofing tool, the attacker could impersonate the local gateway and the IP phone on the network, creating a default gateway [DSCN01]. This allows RTP streams to and from the target IP phone to be monitored by the attacker.
The communication between the Gateway and Gatekeeper is equally vulnerable to call interception using the same techniques described for terminal devices. The RTP streams can be intercepted between the IP end-stations or between the Gateways and Gatekeeper (IP Trunk) [SATT03].
Likewise, the FragRouter tool would have to be enabled on the attacking machine so the data packets would reach their ultimate destination. If the hacker has access to the local switched segment, he may be able to intercept a call by inserting a phone into the voice segment with a spoofed Media Access Control (MAC) address, and assuming the target phone's identity.
Consequences
The success of this attack implies:
Possible sources of failure include:
4.3 Theft of Service in VoIP
Intent
The Theft of Service pattern provides an opportunity for attackers to gain access to the VoIP network by imitating subscribers and/or seizing control of terminal devices and performing free calls.
Situation:
The VoIP system should have adequate capability (i.e. routing, bandwidth, and QoS) to meet the peak communication load. The system may have a minimum set of perimeter defenses, e.g. a firewall. Some VoIP systems use control protocols (e.g. MGCP and Megaco/H.248) and security mechanisms, in order to manage the Media gateways deployed across the infrastructure as well as to make it difficult for an attacker to overcome system resources. In a converged network both the signaling and media traffic must be monitored. Similarly, secure VoIP implementations use cryptographic algorithms to protect the media packets. Theft of service attack (a.k.a. IP telephony fraud) is intended against service providers.
Problem
An unauthorized user wants to make expensive phone calls without paying for them. The attack can be carried out taking advantage of the following vulnerabilities:
Solution:
This attack could be accomplished using several techniques. An attacker may just simply want to place calls using an unattended IP phone or assuming the identity of the legitimate user of a terminal device. The attacker uses the identity of the owner (i.e. identity theft) without the owner's consent. She then charges the call to the owner's account. A more complex method is when the attacker places a rogue IP phone on the network or uses a breached VoIP gateway to make fraudulent calls.
In a service volume fraud, the attacker injects in the network more traffic than what declared in the session request in order to avoid paying for the used resources [VST04].Theft of service can also be perpetrated using falsified authentication credentials. A number of IP Telephony vendors authenticate their end points via Ethernet media access control addresses (MACs). MAC addresses are notoriously easy to spoof [SATT03]. An attacker might impersonate as an IP Telephony signaling server and “request” an end-device to perform authentication before dealing with its call request. Using the endpoint's IP Telephony network credentials the malicious party will be able to authenticate to any IP Telephony based server as well as to place free of charge phone calls.
Figure 7 shows the sequence of the steps necessary to commit theft of service in VoIP (Figure 1 shows the units involved). First, the attacker uses a brute force attack to find the special prefixes that Internet phone companies use to identify authorized calls to be routed over their networks. The attacker then looks for vulnerable ports and routers in private companies and gets their IP addresses. On finding vulnerable ports, she hacks into the network to get administrator names and passwords. The attacker then reprograms the routers to allow them to handle VoIP calls, and to masquerade the true source of the traffic. The attacker then routes her calls to the targeted network via the routers she has hacked, and then sends the calls from the targeted network to Internet phone service providers. She may also attach the access codes to the calls, so that the Internet phone providers believe they are legitimate calls. Finally, unauthorized calls will go through successfully and will be completed over the Internet phone provider networks.
Sequence diagram for theft of service attack
Another method of attack is by receiving an application in a spam email, or accidentally downloaded from the Internet. This application can direct the phone to call premium rate numbers by installing itself on a softphone (i.e. applications installed on user systems with speakers and microphones). Finally, the reduction in costs for Moves, Adds, and Changes (MAC) in an IP Telephony environment has led to the addition of daemons/services on many vendors IP Telephones. Some of the more popular services include HTTP, SNMP, and Telnet [SATT03]. Attackers may take advantage of the benefits of portability and accessibility introduced by VoIP to perform theft of service. “Hoteling” is one of the most popular features of VoIP, it consist of moving all the features, including address book, access abilities and personalized speed dial from one phone to another [SATT03]. When using “Hoteling”, the physical security of the IP phone is no longer enough.
Consequences:
The success of this attack implies:
Possible sources of failure include:
4.4 Call Hijacking in VoIP
Purpose:
The Call hijacking attack pattern is intended to direct a participant or participants of a VoIP call to a terminal device other than the intended recipient. The hacker is able to trick a remote user into believing one is talking to his/her intended recipient when in fact one is really talking to the hacker.
Situation:
Two or more call participants exchanging information (signaling information and the packetized voice) between them. This call related information is exposed to a number of possible attacks when traversing public IP networks such as the Internet.
Problem:
A Call traversing a converged network needs to be redirected to an unintended recipient. This attack can be carried out taking advantage of the following vulnerabilities:
Solution:
Although VoIP is implemented using various signaling protocols, we consider here an attack in an SIP environment. The H.323 attack can be considered a variant of this pattern or separate pattern. In a SIP environment, a proxy server is used to initiate calls on behalf of endpoints and control call routing. The proxy server also performs security functions such as authentication, authorization and network access control.
Figure 5.8 shows the components for a SIP-based network, User Agents (UAs), are combinations of User Agent Client (UAC) and User Agent Servers (UAS). The UA is the phone and the register server receives registrations and requests updates to the location server, which keep track of the UA's. A UAC is responsible for initiating a call by sending a URL-addressed INVITE to the intended recipient. A UAS receives requests and sends back responses. The UAC and UAS are identified by SIP addresses. The proxy server is connected to VoIP gateway (to make possible a call from a regular telephone to an IP phone) and to other proxy servers. The registrar and location server may be integrated in the proxy server. The rest of the VoIP architecture is similar to Figure 5.1 and represented by a UML package. Once the call has been established, the RTP media streams ow between the end stations directly.
Call Hijacking in VoIP requires breaking into a converged network and interception packets being sent between two or more subscribers participating in voice call conversation (please refer to Call Interception attack pattern). After the IP address or phone number of either party is discovered, malicious users can user this information to hijack the call.
This attack is achieved by impersonating a legitimate UA to a SIP register substituting a legitimate IP address with an attacker IP address. The attacker then manipulates the registration associated with the victims SIP URI [VIS03].
In this way, by manipulating outgoing call requests, the attacker is able to substitute a legitimate IP address (of either party) in the header (e.g. the “Form” header of a SIP request) of the intercepted packet with her own address.
The hijacking attack can be also be done by performing a DoS attack against the user's device deregistering the user. Generating a registration race-condition in which the attacker sends repeatedly REGISTER requests in a shorter timeframe (such as ever 15 seconds) in order to override the legitimate user's registration request [TAAC01].
The class diagram of Figure 5.9 shows the structure for a VoIP Call Hijacking attack in SIP architecture. The sequence diagram of Figure 5.10 shows the sequence of steps necessary to perform this type of attack. The hijack begins with the attacker sending a specially crafted REGISTER request to the target proxy/register, to unbind all existing registrations. If the server requires authentication, it replies to the REGISTER requests with a challenge. Once all legitimate contacts have been deleted, the attacker sends a second REGISTER message containing new Contact header line with the attacker's address [BVIS01].
Registration hijacking can also be performed by intercepting and editing REGISTER requests sent between a valid UA and registrar. This attack is possible, but is less of concern than the attack described above [BVIS01].Likewise; the attacker can spoof a SIP response, indicating to the caller that the called party has moved to a rogue SIP address, and hijack the call.
Consequences:
The success of this attack implies:
Possible sources of failure include:
4.5 IP Spoofing in VoIP
Purpose:
The VoIP Spoofing pattern is intended to allow hackers (internal or external), to masquerade a legitimate terminal device.
Situation:
Two or more subscribers are participating in a voice call conversation over a VoIP cannel that may be intercepted. In public IP networks such as the Internet, anyone can capture the packets meant for another user.
Problem:
An attacker needs to trick a remote user into believing one is talking to his/her intended recipient when in fact they are really talking to the hacker. The attack can be carried out taking advantage of the following vulnerabilities:
Solution:
IP spoofing gives attackers the ability to generate an IP packet with an IP source address other than its own. There are two methods of doing this. The hacker can use either an IP address that is within the range of trusted IP addresses for a network or an authorized external trusted IP address that has access to specified resources on a network.
With user identification based in the IP layer and the IP layer easily tampered with, it is easy for unauthorized users to impersonate legitimate ones by marking packets sent over these networks with a “borrowed” IP address. These abuses of services and benefits (e.g. making international calls) occur at the expense of legitimate users, who are often completely unsuspecting until the bill arrives long after the abuser has disappeared [FA01].
IP spoofing is possible because the routing of VoIP packets is based only on the destination address. Due to the fact that that touting mechanism is not based on source addresses, when the packet is delivered to its destination address, the attacker address is that of source and not of the original sender.
An IP Softphone can spoof the functionality and appearance of an IP hardphone to the call processing platform. Using tools such as SMAC (Spoof MAC) witch allows users to change MAC address for almost any Network Interface Cards (NIC) on the Windows 2000 and XP systems, the IP softphone can be configured quite easily to assume the full functionality and rights of any extension given only the MAC address of that extension [SATT03].
Some voice mail systems use Caller ID to authenticate administrative access to individual voice mail accounts. IF the Caller ID of an inbound call matches the number assigned to the telephone associated with the voice mailbox, the system assumes that the call is originating from that phone, and call is routed to the voice mailbox with administrative privileges. Caller ID can be readily spoofed using freely available PBX software and a H.323/VoIP gateway service, and possibly via other methods. Caller ID should not be trusted for authentication. [VMS06]
Consequence:
The success of this attack implies:
Possible sources of failure include:
VoIP Security Service. (2017, Jun 26).
Retrieved December 12, 2024 , from
https://studydriver.com/voip-security-service/
A professional writer will make a clear, mistake-free paper for you!
Get help with your assignmentPlease check your inbox
Hi!
I'm Amy :)
I can help you save hours on your homework. Let's start by finding a writer.
Find Writer