VoIP Security Issues
4.1 Denial-of-Service (DoS) in VoIP
The purpose of VoIP DoS attack is to exhaust network resources and interrupt VoIP operations through a flood of messages or by corrupting or degrading the quality of messages, thus preventing subscribers from effectively using the service.
We must consider different scenario when studying DoS attacks:
In a typical situation of establishing a VoIP connection for voice conversation where end systems or/and gateway are targets. At first place subscribers try to establish a voice call conversation over a VoIP channel. VoIP services should be available to subscribers when requested. In order to manage the Media gateways deployed across the communications, some VoIP systems use control protocols (e.g. MGCP and Megaco/H.248) and security mechanism. VoIP secure gateways (VoIP-SGW) are developed in advance to make IP telephony protocols friendly for common firewall configuration.
In order to meet the unflawed communication level, a VoIP system must be having enough capability (i.e. routing, bandwidth, and QoS) that provide the VoIP system a high level proficiency of communication across the infrastructure.
A secure VoIP system implements an intrusion detection system (IDS), firewall on the phone itself to check the media packet flow, or perform authentication.
But at least a minimum set of defenses that filter unwelcome packets, for example a firewall, must be deployed.
IP telephony subscribers need to be blocked from using VoIP services. The attack can be carried out taking advantage of the following vulnerabilities:
- VoIP security is in an initial phase at the moment, there is lack of expertise and security standards. Users might unintentionally expose the system. While there exist some basic countermeasures such as IDS and firewalls, administrator may not configure them appropriately
- Older firewalls cannot work interactively with VoIP and may leave open many more ports than VoIP actually uses for a transmission, leaving your machine vulnerable to hackers.
- Unit now VoIP has been developed and deployed focusing on functionality with less thought for security [SAV01]. That means that not vary advanced defenses are in place. For example, strong authentication is not common in VoIP.
- VoIP is vulnerable to DoS attacks which have not previously been a security issue with the circuit-switched telephony systems because of its analog nature.
- With the rush to implement new VoIP systems, features and standards, implementation flaws are common. IP PBXs include many layers of software that may contain vulnerabilities. Programming mistakes, such as not properly checking the size of the parameters of protocol request, when exploited, can result in the following issues. [VVS01]
- Remote access: An attacker obtaining remote (often administrator level) access.
- Malformed request DoS: A carefully crafted protocol request (a packet) exploiting a vulnerability which results in a partial or complete loss of function.
- Load-based DoS: A “flood” of legitimate requests overwhelming a system.
- As with any network-base service, enterprise VoIP must communicate with other components on a LAN and possibly over an untrusted network such as the internet, where packets are easy to intercept.
- Because RTP carries media, which must be delivered in real-time to be usable for an acceptable conversation, VoIP is vulnerable to DoS attacks that impact the quality delivery of audio such as those that affect jitter and delay.
- VoIP tools can offer very good cover traffic for DoS attacks because VoIP runs continuous media over IP packets [CRN01]
Two basic standards are used for VoIP systems: H.323 and SIP. We consider here an attack in an H.232 environment. The SIP attack can be considered a variant of this pattern or a separate pattern. Likewise, specific Dos attacks against gateways will be analyzed from the supporting Megaco/H.248 protocol viewpoint.
Figure 5.1 shows the class diagram of the structure of an H.323 system. The Layer 2 Switch provides connectivity between H.323 components. The Gateway takes a voice call from a circuit-switched - Public Switched Telephone Network (PSTN) and places it on the IP network. The PSTN uses PBX switches and Analog Phones. The internet (IP network) contains Routers and Firewalls to filter traffic to the Terminal Devices. The gateway also queries the Gatekeeper via the Internet with caller/callee numbers and the gatekeeper translates them into routing numbers based upon service logic. The IP-PBX server acts like a call-processing manager providing call setup and routing the calls throughout the network to other voice devices. Softphones are applications installed in Terminal Devices (e.g. PCs or wireless devices).
One method to launch a DoS attack is to flood a server with repeated requests for legal service in an attempt to overload it. This may cause severe degradation or complete unavailability of the voice service.
A flooding attack can also be launched against IP phones and Gateways (e.g. a flood of “register” or “invite” events). With this form of DoS attacks, the target system is so busy processing packets from the attack that it will be unable to process legitimate packets, which will either be ignored or processed so slowly that the VoIP service is unusable. Attackers can also use the TCP SYN Flood attack (also known as resource starvation attack) to obtain similar results. This attack floods the port with synchronization packets, normally used to start a connection. In a Distributed DoS, multiple systems are used to generate a massive flood of packets. To launch a massive DDoS attack the hacker previously installs malicious software on compromised terminal devices (infected with a Trojan horse) that can be triggered at a later time (a.k.a. “zombies”) to send fake traffic to targeted VoIP components. Targeted DoS attacks are also possible where the attacker disrupts specific connections.
The class diagram of Figure 5.2 shows the structure for a DDoS attack in an H.323 architecture where any VoIP component can be a target for Dos. Classes Attack Control Mechanism and Zombie describe the software introduced by the attacker.
Note that the Zombie is just a terminal device in a different role.
The sequence diagram of Figure 5.3 shows the sequence of steps necessary to perform an instance of a DoS attack of the first type mentioned above. An attacker (internal or remote), with knowledge of a valid user name on a VoIP system, could generate enough call requests to over-whelm the IP-PBX server. An attacker may disrupt a subscriber's call attempt by sending specially crafted messages to his/her ISP server or IP PBX component, causing it to over allocate resources such that the caller receives a “service not available” (busy tone) message. This is an example of a targeted attack.
Similarly, out-of-sequence voice packets (such as receiving media packets before a session is accepted) or a very large phone number could open the way to Application Layer attacks (a.k.a. Attacks against Network Services). Buffer Overflow attacks might paralyze a VoIP number using repeated calling. For example, an attacker intermittently sends garbage (I.e. both the header and the payload are filled with random bytes corrupting the Callee's jitter buffer voice packets) to the callee's phone in between those of the caller's voice packets. Therefore the Callee's phone is so busy trying to process the increased packet flow that the jitter (delay variation) causes any conversation to be incomprehensible [MDPV01]
Figure 5.4 shows the class diagram of the structure of a Megaco/H.248 environment. Megaco/H.248 is the media gateway control protocol, this is a master-slave, transaction oriented protocol in which Media Gateway Controllers (MGC) control the operation of Media Gateways (MG) [VVDN02] VoIP media gateways are vulnerable to DoS because they accept signaling messages.
In this setting a Dos attack would occur at MGC when the attacker sends large amount of UDP packets to the protocol's default port 2944 or 2945, which keeps the MGC busy handling illegal messages, and finally blocks the normal service. An attacker can keep sending Service change or Audit capabilities command to a MG and thereby bring down the MG [SVID01]. Therefore, VoIP Gateways will not be able to initiate calls or maintain a voice call during a DoS attack. The audio quality will be affected as well. An alternative to launch DoS attacks is when an attacker redirects media sessions to a media gateway. The attack will overwhelm the voice component and prevent it from processing legitimate requests.
Signaling DoS attacks on media gateways con consume all available Time Division Multiplexing (TDM) bandwidth, preventing other outbound and inbound calls and affecting other sites that use TDM, On the other hand, due to the fact that VoIP media session are very sensitive to latency and jitter, DoS on media is a serious problem.
VoIP media, which is normally carried with RTP, is vulnerable to any attack that congests the network or slows the ability of an end device (phone or gateway) to process the packets in real time. An attacker with access to the portion of the network where media is present simply needs to inject large numbers of either RTP packets or high QoS packets, which will contend with the legitimate RTP packets [VVS01].
The success of this attack implies:
- DoS can be especially damaging if key voice resources are targeted (e.g; media gateways).
- Flooding of the firewall can prevent it from properly managing parts for legitimate calls
- VoIP QoS can be degraded by jitter and delay and may become totally unusable.
- The Zombies in the targeted network can also be used as DoS launching points from which to attack anther network
Possible sources of failure include:
- Threats and attacks can be defined but are difficult to carry out in practice, mainly due to lack of knowledge and testing opportunities for attackers.
4.2 Call Interception in VoIP:
The VoIP call interception pattern provides a way of monitoring voive packets of RTCP transmissions. This kind of attack is the equivalent of wiretapping in circuit switch telephone system.
Two or more subscribers are participating in a voice call conversation over VoIP channel, In public IP network such as the Internet, anyone can capture the packets meant for another user. In order to achieve confidentiality, enterprises may use encryption and decryption techniques when making or receiving VoIP calls. Since cryptographic algorithms are typically implemented in hardware, they are difficult to implement in VoIP, which is software-base. In VoIP network, transport-protocol based threats rely on a non-encrypted RTP stream [VIS03]. On the other hand, enterprises may route voice traffic over a private network using either point-to-point connections or a carrier-based IP VPN service. Two basic standards are used for VoIP systems: H323 and SIP. We consider here an attack in an H323 environment.
The SIP attack can be considered a variant of this pattern or a separate pattern.
- A call that traverses in converged network needs to be intercepted. The attack can be carried out talking advantage of the following vulnerabilities.
- The Real Time Protocol (RTP) is not a complete protocol but rather a framework where vendors are provided implementation freedom according to their specific application profiles [VIS03]. This means that specific implementations may have diverse degrees of security.
- In RTP, information on the used codec is available in the header of every RTP packet, via the PT header field [VIS03]
- PC-based IP phones (a.k.a. Softphones) are applications installed on user systems (e.g. desktops) with speakers and microphones that reside in the data segment. It is possible for worms, viruses and other malicious software common on PCs to infect the voice segment in VoIP.
- In wireless VoIP (i.e. VoIPoW), publicly available software can be used to crack Wired Equivalent Privacy (WEP) products.
- As VoIP in a wireless environment operates on a converged (voice, data, and video) network, voice and video packets are subject to the same threats than those associated with data networks. Likewise, all the vulnerabilities that exist in a VoIP wired network apply to VoIPoW technologies plus the new risks introduced by weaknesses in wireless protocols.
- The tools used for call interception purpose can be downloaded freely on the internet, greatly increasing the potential of this type of attack.
- VoIP security is in an incipient phase at the moment, there is lack of expertise and security standards. Users might inadvertently expose the system. While there exist some basic countermeasures such as IDS and firewalls, administrators may not configure them appropriately.
- Unit now VoIP has been developed and deployed focusing on functionality with less thought for security [SAV01]. That means that not very advanced defenses are in place. For example, strong authentication is not common in VoIP.
- Because of the many nodes in packet network, call interception can be applied in many places.
- The transfer of voice data over public networks (i.e. the internet), facilitates the possibility of attacks on this technology.
- It is much easier to hack VoIP network hubs than traditional phone switches. Although hackers cannot intercept voice calls, they can have access to packets traversing the converged network.
- Anyone can record, duplicate and distribute to unintended parties voice calls over IP.
- IP Phones have become available for software developers. The increase in features and complexity comes however with a security cost: more application equal more avenues of attack [VST04].
- VoIP is vulnerable to call interception attacks which have not previously been a security issue with circuit-switched networks where tapping requires physical access to the system. Therefore tapping is a serious concern in IP telephony when compared with the traditional telephony environment.
VoIP Call interception gives attackers the ability to listen and record private phone conversation by interception both the signaling and the media stream. The attacker is also able to modify the content of the packets being intercepted acting as a man in the middle. In principle this threat affects both the signaling and the data depending on the ability of attacker of intercepting both [VST04].
Due to the fact that voice travels in packets over the data network, hackers can use data-sniffing and other hacking tools to identify, modify, store and play back unprotected voice communications traversing the network, thus violating confidentiality. A packet sniffer is a software application that users a network adapter card in promiscuous mode (a mode in which the network adapter card sends all packets received in the physical network wire to an application for processing) to capture all network packets that are sent across a particular collision domain. This packet sniffer application can reside in a general-purpose computer attached, for example, in a local area network [Fer05]. For example, the tool “voice over misconfigured Internet telephones” (a.k.a. “vomit”), takes an IP phone conversation trace captured by the UNIX tool tepdump, and reassembles it into a wave file which makes listening easy [DSCN01, SATT03] using MP3 or alternative audio files. The reassembled files can be collected later, emailed or otherwise sent on the eavesdropper. Figure 5.5 shows the sequence of the steps necessary to monitor a VoIP conversation.
Figure 5.5 Sequence diagram for a call interception
With tepdump, hackers can identify the IP and MAC address of the phone to be attacked. By using an Address Resolution Protocol (ARP) spoofing tool, the attacker could impersonate the local gateway and the IP phone on the network, creating a default gateway [DSCN01]. This allows RTP streams to and from the target IP phone to be monitored by the attacker.
The communication between the Gateway and Gatekeeper is equally vulnerable to call interception using the same techniques described for terminal devices. The RTP streams can be intercepted between the IP end-stations or between the Gateways and Gatekeeper (IP Trunk) [SATT03].
Likewise, the FragRouter tool would have to be enabled on the attacking machine so the data packets would reach their ultimate destination. If the hacker has access to the local switched segment, he may be able to intercept a call by inserting a phone into the voice segment with a spoofed Media Access Control (MAC) address, and assuming the target phone's identity.
The success of this attack implies:
- It is possible to listen in on a conversation by intercepting the unencrypted media stream between the two terminal devices.
- Attackers may use telephone systems for divulging crucial information such as Social Security numbers, Credit Card numbers or other confidential information. Inside a company, eavesdropping could allow access to confidential business information.
- Hackers could capture the packets and decode their voice packet payload between two or more VoIP terminal devices.
- Due to the fact that voice travels in packets over the data network, hackers can use data-sniffing and other hacking tools to identify, modify, store and play back unprotected voice communications traversing the network, thus violating confidentiality and integrity.
- A hacker breaking into a VoIP trunk has access to many more calls than he would with traditional telephone tapping. Consequently, he has a much greater opportunity of obtaining useful information from tapping a VoIP data stream than from monitoring traditional phone systems.
- Call interception attacks result in the attacker being able to use the intercepted data for other malicious intents, such as: call pattern tracking, number harvesting, and conversation reconstruction [VST04].
- The interception and modification threat results in the attacker being able to modify the packets for malicious actions, examples are:
- Call blackholing - the attacker intentionally drops essential packets (e.g. INVITE) of the VoIP protocol resulting the call initiation to fail;
- Call rerouting - the attacker redirects the packets on a different path in order to include unauthorized nodes in the path or to exclude authorized ones from it;
- Conversation alteration - the attacker alters the packets in order to modify the conversation between two users;
- Conversation degrading - the attacker intentionally drops a selection of packets or modify the content of them with the objective of degrading the overall quality of the conversation [VST04].
Possible sources of failure include:
- Call Interception is somewhat limited because it would require physical access to the local network or remote access to a compromised host on the local network.
- Intercepting voice traffic as it crosses the Internet is more difficult because once the packetized voice hits the carrier; it becomes much harder to single out among other traffic.
- It is more difficult to intercept calls on VoIP networks than capturing and reading text messages on public networks.
4.3 Theft of Service in VoIP
The Theft of Service pattern provides an opportunity for attackers to gain access to the VoIP network by imitating subscribers and/or seizing control of terminal devices and performing free calls.
The VoIP system should have adequate capability (i.e. routing, bandwidth, and QoS) to meet the peak communication load. The system may have a minimum set of perimeter defenses, e.g. a firewall. Some VoIP systems use control protocols (e.g. MGCP and Megaco/H.248) and security mechanisms, in order to manage the Media gateways deployed across the infrastructure as well as to make it difficult for an attacker to overcome system resources. In a converged network both the signaling and media traffic must be monitored. Similarly, secure VoIP implementations use cryptographic algorithms to protect the media packets. Theft of service attack (a.k.a. IP telephony fraud) is intended against service providers.
An unauthorized user wants to make expensive phone calls without paying for them. The attack can be carried out taking advantage of the following vulnerabilities:
- Theft of service attacks may be caused by inadequate security mechanisms in VoIP, the insertion of malicious software that modifies the normal behavior of terminal devices, and the unauthorized connection of devices to the network.
- It is possible to charge calls to another user's account by using stolen user identification details.
- Phone usage and billing systems can be manipulated by fraudulent telephone users in order to make profit.
- The benefits of portability and accessibility introduced by IP Telephony have a downside of an increased risk of service theft [SATT03].
- When using “Hoteling,” the primary protection against theft of service in the traditional telephony environment, the physical security of the handset, is no longer enough [SATT03].
- Unattended IP telephone.
- Rogue telephones can be installed.
- MAC addresses are easy to spoof.
This attack could be accomplished using several techniques. An attacker may just simply want to place calls using an unattended IP phone or assuming the identity of the legitimate user of a terminal device. The attacker uses the identity of the owner (i.e. identity theft) without the owner's consent. She then charges the call to the owner's account. A more complex method is when the attacker places a rogue IP phone on the network or uses a breached VoIP gateway to make fraudulent calls.
In a service volume fraud, the attacker injects in the network more traffic than what declared in the session request in order to avoid paying for the used resources [VST04].Theft of service can also be perpetrated using falsified authentication credentials. A number of IP Telephony vendors authenticate their end points via Ethernet media access control addresses (MACs). MAC addresses are notoriously easy to spoof [SATT03]. An attacker might impersonate as an IP Telephony signaling server and “request” an end-device to perform authentication before dealing with its call request. Using the endpoint's IP Telephony network credentials the malicious party will be able to authenticate to any IP Telephony based server as well as to place free of charge phone calls.
Figure 7 shows the sequence of the steps necessary to commit theft of service in VoIP (Figure 1 shows the units involved). First, the attacker uses a brute force attack to find the special prefixes that Internet phone companies use to identify authorized calls to be routed over their networks. The attacker then looks for vulnerable ports and routers in private companies and gets their IP addresses. On finding vulnerable ports, she hacks into the network to get administrator names and passwords. The attacker then reprograms the routers to allow them to handle VoIP calls, and to masquerade the true source of the traffic. The attacker then routes her calls to the targeted network via the routers she has hacked, and then sends the calls from the targeted network to Internet phone service providers. She may also attach the access codes to the calls, so that the Internet phone providers believe they are legitimate calls. Finally, unauthorized calls will go through successfully and will be completed over the Internet phone provider networks.
Sequence diagram for theft of service attack
Another method of attack is by receiving an application in a spam email, or accidentally downloaded from the Internet. This application can direct the phone to call premium rate numbers by installing itself on a softphone (i.e. applications installed on user systems with speakers and microphones). Finally, the reduction in costs for Moves, Adds, and Changes (MAC) in an IP Telephony environment has led to the addition of daemons/services on many vendors IP Telephones. Some of the more popular services include HTTP, SNMP, and Telnet [SATT03]. Attackers may take advantage of the benefits of portability and accessibility introduced by VoIP to perform theft of service. “Hoteling” is one of the most popular features of VoIP, it consist of moving all the features, including address book, access abilities and personalized speed dial from one phone to another [SATT03]. When using “Hoteling”, the physical security of the IP phone is no longer enough.
The success of this attack implies:
- In order to make expensive calls to premium rate numbers, rogue devices could be attached to an organization's network without the user's knowledge.
- Weaknesses in wireless security policies could also be exploited by rogue devices.
- Unauthorized phone calls will seem to originate from subscribers inside the attacked VoIP network.
- Attackers could also steal minutes from VoIP service providers and resell them on the black market.
- Attackers will be able to register for unauthorized services taking advantage of the virtual communication paths in IP networks.
- In IP telephony, premium rate numbers will be dialed automatically.
Possible sources of failure include:
- Threats and attacks can be defined and theorized but are difficult to carry out in practice, mainly due to the lack of knowledge and testing opportunities for attackers.
4.4 Call Hijacking in VoIP
The Call hijacking attack pattern is intended to direct a participant or participants of a VoIP call to a terminal device other than the intended recipient. The hacker is able to trick a remote user into believing one is talking to his/her intended recipient when in fact one is really talking to the hacker.
Two or more call participants exchanging information (signaling information and the packetized voice) between them. This call related information is exposed to a number of possible attacks when traversing public IP networks such as the Internet.
A Call traversing a converged network needs to be redirected to an unintended recipient. This attack can be carried out taking advantage of the following vulnerabilities:
- SIP messages have no built-in means to insure integrity. SIP does offer limited built-in security.
- SIP is a technology still in development; it does not provide security built in capabilities. This protocol does not support integrity of the message contents.
- Sniffing tools are more effective when using SIP, which is text-based protocol.
- Registration in SIP is normally performed using UDP, which makes it easier to proof requests. Authentication is often not required and if present, it's usually weak [BVIS01].
- When authentication in SIP is used, it is not strong.
- Failed registrations are not always logged. SIP proxies will not normally detect directory scanning and registration hijacking attempts [BVIS01].
- Since the data packets do not flow over a dedicated connection for the duration of a session, an adversary could manipulate the routing of packets and cause delay in certain paths forcing the packets to take a path chosen by the adversary. [ITVP01].
- The signaling messages are sent in the clear, which allows an attacker to collect, modify and replay them as they wish.
- Attackers who successfully perform Call Interception attacks can compromise wireless networks with improperly configured access points.
Although VoIP is implemented using various signaling protocols, we consider here an attack in an SIP environment. The H.323 attack can be considered a variant of this pattern or separate pattern. In a SIP environment, a proxy server is used to initiate calls on behalf of endpoints and control call routing. The proxy server also performs security functions such as authentication, authorization and network access control.
Figure 5.8 shows the components for a SIP-based network, User Agents (UAs), are combinations of User Agent Client (UAC) and User Agent Servers (UAS). The UA is the phone and the register server receives registrations and requests updates to the location server, which keep track of the UA's. A UAC is responsible for initiating a call by sending a URL-addressed INVITE to the intended recipient. A UAS receives requests and sends back responses. The UAC and UAS are identified by SIP addresses. The proxy server is connected to VoIP gateway (to make possible a call from a regular telephone to an IP phone) and to other proxy servers. The registrar and location server may be integrated in the proxy server. The rest of the VoIP architecture is similar to Figure 5.1 and represented by a UML package. Once the call has been established, the RTP media streams ow between the end stations directly.
Call Hijacking in VoIP requires breaking into a converged network and interception packets being sent between two or more subscribers participating in voice call conversation (please refer to Call Interception attack pattern). After the IP address or phone number of either party is discovered, malicious users can user this information to hijack the call.
This attack is achieved by impersonating a legitimate UA to a SIP register substituting a legitimate IP address with an attacker IP address. The attacker then manipulates the registration associated with the victims SIP URI [VIS03].
In this way, by manipulating outgoing call requests, the attacker is able to substitute a legitimate IP address (of either party) in the header (e.g. the “Form” header of a SIP request) of the intercepted packet with her own address.
The hijacking attack can be also be done by performing a DoS attack against the user's device deregistering the user. Generating a registration race-condition in which the attacker sends repeatedly REGISTER requests in a shorter timeframe (such as ever 15 seconds) in order to override the legitimate user's registration request [TAAC01].
The class diagram of Figure 5.9 shows the structure for a VoIP Call Hijacking attack in SIP architecture. The sequence diagram of Figure 5.10 shows the sequence of steps necessary to perform this type of attack. The hijack begins with the attacker sending a specially crafted REGISTER request to the target proxy/register, to unbind all existing registrations. If the server requires authentication, it replies to the REGISTER requests with a challenge. Once all legitimate contacts have been deleted, the attacker sends a second REGISTER message containing new Contact header line with the attacker's address [BVIS01].
Registration hijacking can also be performed by intercepting and editing REGISTER requests sent between a valid UA and registrar. This attack is possible, but is less of concern than the attack described above [BVIS01].Likewise; the attacker can spoof a SIP response, indicating to the caller that the called party has moved to a rogue SIP address, and hijack the call.
The success of this attack implies:
- This attack causes all the victim's calls to be received by the attacker or other unauthorized parties. Call hijacking can result in violation of confidentiality to the legitimate endpoint.
- By performing call hijack in VoIP, an attacker has complete control (i.e. manipulating, blocking, conferencing, and recording) of the call and has access to all SIP messages.
- The attacker's station can also capture authentication or other call related information. Likewise it can masquerade as a voice mail system opening a channel to the attacker.
- By hijacking the call, the attacker can also perform a Man-In-The-Middle (MITM) attack, where it transparently sits between the calling and called UAs, able to collect and modify both the signaling and media. Another type of MITM attack involves redirection of an inbound call to a media gateway, generation toll fraud [BVIS01].
- This attack can be successful even if the remote SIP proxy server requires authentication of user registration, because the SIP messages are transmitted in the clear and can be captured, modified and replayed.
- Through call hijacking, the attacker can perform various attacks including theft of service in VoIP or message tampering. It will also enhance the DoS vulnerability which will make the user's device useless.
- When this attack is applied to a VoIP network, the Quality of Service (QoS) may be diminished to a noticeable level [ITVP01].
Possible sources of failure include:
- Successful attacks require that the fake responses coming from the attacker station contains the right header content to be accepted as legitimate. Some fields are especially hard to estimate or intercept and thus mirror [VIS03].
4.5 IP Spoofing in VoIP
The VoIP Spoofing pattern is intended to allow hackers (internal or external), to masquerade a legitimate terminal device.
Two or more subscribers are participating in a voice call conversation over a VoIP cannel that may be intercepted. In public IP networks such as the Internet, anyone can capture the packets meant for another user.
An attacker needs to trick a remote user into believing one is talking to his/her intended recipient when in fact they are really talking to the hacker. The attack can be carried out taking advantage of the following vulnerabilities:
- VoIP devices such as IP phones, Gatekeepers, gateways and Proxy servers inherit the same vulnerabilities of the operation system or firmware [VS05] on top of which they run.
- Many SIP implementations still user the Universal Datagram Protocol (UDP) for transporting SIP messages, which is an unreliable form of packet transfer. UDP does not use re-transmission or sequence numbers, so it is easier for an attacker to spoof UDP packets [BVIS01].
- Attackers may take advantage of the connectionless nature of the UDP protocol to spoof registration requests.
IP spoofing gives attackers the ability to generate an IP packet with an IP source address other than its own. There are two methods of doing this. The hacker can use either an IP address that is within the range of trusted IP addresses for a network or an authorized external trusted IP address that has access to specified resources on a network.
With user identification based in the IP layer and the IP layer easily tampered with, it is easy for unauthorized users to impersonate legitimate ones by marking packets sent over these networks with a “borrowed” IP address. These abuses of services and benefits (e.g. making international calls) occur at the expense of legitimate users, who are often completely unsuspecting until the bill arrives long after the abuser has disappeared [FA01].
IP spoofing is possible because the routing of VoIP packets is based only on the destination address. Due to the fact that that touting mechanism is not based on source addresses, when the packet is delivered to its destination address, the attacker address is that of source and not of the original sender.
An IP Softphone can spoof the functionality and appearance of an IP hardphone to the call processing platform. Using tools such as SMAC (Spoof MAC) witch allows users to change MAC address for almost any Network Interface Cards (NIC) on the Windows 2000 and XP systems, the IP softphone can be configured quite easily to assume the full functionality and rights of any extension given only the MAC address of that extension [SATT03].
Some voice mail systems use Caller ID to authenticate administrative access to individual voice mail accounts. IF the Caller ID of an inbound call matches the number assigned to the telephone associated with the voice mailbox, the system assumes that the call is originating from that phone, and call is routed to the voice mailbox with administrative privileges. Caller ID can be readily spoofed using freely available PBX software and a H.323/VoIP gateway service, and possibly via other methods. Caller ID should not be trusted for authentication. [VMS06]
The success of this attack implies:
- Attackers can hide their identity for launching DoS attacks. Call hijacking and theft of service can also be accomplished using IP spoofing.
- When using this attack pattern, malicious users can bypass authentication and filtering in order to cause information leak, data modification, and arbitrary code execution.
- Without spoof mitigation filter a hacker might be able to spoof the address of the IP-PBX and UDP flood the entire voice segment [FA01].
- Attackers will obtain access to sensitive logging data and routing information form subscribers; even if they are not capable of interception VoIP calls.
- IP spoofing attacks against VoIPoW networks makes other type of attacks possible. Attackers can establish itself as routing node and perform call interception for example.
- By using IP spoofing, attackers can take advantage of trust relationships based on the caller IP address.
- IP spoofing can also be used to gain important VoIP logging information in order to modify a call session.
- When spoofing weak authenticated voicemail systems, attackers can listen to and deleted messages, modify the greeting, and perform other administrative functions [VMS06].
Possible sources of failure include:
- The Transmission Control Protocol (TCP) is a connection oriented. Guaranteed-delivery transport. TCP is more secure than UDP, because it involves a negotiated setup and tear down, sequence numbers, and retransmissions for lost packets [BVIS01].
- Successful attacks require that the forged responses coming from the attacker machines contains the right header content to be accepted as legitimate. Some header fields are especially hard to estimate or intercept and thus mirror [VIS03].