Voice over IP (VoIP) is becoming very popular in industry and is considered a better alternative to the traditional public switched telephone network. VoIP networks are seen as cost-efficient solutions for providing voice services and value-added voice-based services to both public and enterprise users. Despite the many benefits, VoIP systems are very vulnerable to threats. Because VoIP carries voice signals over a data network, these systems are easier to attack and exploit, so VoIP needs extra security measures beyond the standard protections meant for data networks. This paper introduces VoIP technology, its components and some VoIP functions. It then describes various types of attacks on VoIP systems, with specific attention to application layer protocol attacks, and gives ideas about various defense measures that are still under research.
Voice over Internet Protocol, or VoIP, is a transmission technology in which voice signals are converted into digital signals and transmitted over any data network. With VoIP, large and small enterprises can use their existing broadband internet connection to make phone calls instead of their traditional phone lines, which makes VoIP a very cost-efficient solution for many enterprises. It also provides flexibility and many added features compared to traditional analog phone systems. But all the benefits of VoIP come at a price, and that price is security. The security and vulnerability of VoIP systems are becoming major concerns for those who plan to deploy this technology in their networks. Since VoIP runs over the internet or a data network, it needs extra security measures to protect the system from threats specific to VoIP as well as those found on the internet. This paper first gives a brief introduction to VoIP technology and its components. It then describes the security taxonomy of VoIP systems. After that it explains in detail some security threats that occur at the application layer, especially against the SIP protocol. The last section describes some defense measures and some important topics for further research.
VoIP systems are vulnerable to different types of attacks, either specific to VoIP or common to data networks. The different kinds of attacks that affect VoIP systems have been identified and documented in the literature. Even though some defense measures exist against data network threats, defenses against VoIP protocol specific threats are still evolving and under research. Some suggestions for securing VoIP protocols are given in the literature; this paper takes ideas from those suggestions and takes them one step further for future research.
Overview of VoIP technology
VoIP is the process of digitizing and transmitting voice signals using the Internet Protocol (IP) or other data networks. It allows users to make phone calls over their existing broadband internet connection instead of their traditional analog phones. VoIP replaces circuit-switched voice networks with IP based packet-switched networks. The main components of the VoIP infrastructure are the telephones or endpoints, gateway nodes, control nodes and an IP based network.
There are four steps in the processing of data in VoIP systems:
Signaling: Creating, managing and terminating calls between endpoints is called signaling. In a VoIP network signaling is achieved by exchanging IP datagram messages between the endpoints. VoIP networks use database services to map the endpoints and to translate addresses when the endpoints are on heterogeneous networks. Two endpoints establish a connection by opening IP sessions between each other, and this connection carries a multimedia stream transported in real time. Call termination happens when the communication is complete and the IP sessions and other network resources are released. The two main signaling protocols are H.323 and the Session Initiation Protocol (SIP).
Encoding: Voice communication uses analog signals, whereas data networks use digital signals, so voice signals have to be converted to digital form before they are transmitted over a data network. Analog voice signals are converted to digital signals using a coder-decoder (codec). Codecs also compress the data stream to save bandwidth.
Transport: Once the voice signals have been digitized they are encapsulated in data packets and transported over the internet using the Real-time Transport Protocol (RTP). The headers in the RTP packets allow the receiver to reassemble the packets into voice signals. The RTP packets are in turn carried as the payload of UDP datagrams.
Gateway control: A gateway is a network device that provides the interworking functions needed to bridge two or more heterogeneous networks. The IP network and carrier channels such as the PSTN and ISDN are connected using a gateway.
VoIP Security Taxonomy
Every component of a VoIP system is vulnerable to security threats and exploitation. Since VoIP is built over data networks, these systems face the threats of a PSTN network as well as those seen in data networks. For example, the control and gateway servers in a VoIP system are built on platforms like Windows which are very vulnerable to attack. Apart from these, every dynamically configurable parameter of a VoIP system is a potential point of attack. Information security risks can be broadly categorized into confidentiality, integrity and availability threats. A confidentiality threat exposes the contents of the conversation between two people and also exposes the call data. Integrity threats call into question the identity of the caller, the message received or even the identity of the recipient. Under availability threats the information and services are not available for use when needed.
Eavesdropping is a confidentiality threat. The attacker secretly monitors the signaling of the call or the data stream between the two endpoints but is not capable of altering the data itself. Later the details of the call can be used to replay the conversation or for other illegal purposes. Eavesdropping includes call pattern tracking, traffic capture and number harvesting, conversation reconstruction, voicemail reconstruction and fax reconstruction.
Call pattern tracking
Call pattern tracking is the unauthorized monitoring and analysis of VoIP traffic to or from specific endpoints or networks in order to discover patterns in the calls made. Using this, an attacker can easily find a vulnerable device, access information or a weak link in the network. The call pattern can also be used to determine who is calling whom and when. The attacker can also use these patterns to prepare future attacks such as DoS attacks.
Number harvesting is the illegal collection of identifiers, which may be user names, email addresses, phone numbers, URLs or any other form of identifier that represents nodes, entities, parties or organizations on a network. The attacker can use this information for toll fraud calls, spam calls, service interruptions or even phishing.
A reconstruction threat is the unauthorized monitoring, recording, storing and reconstruction of voice, video, text, fax or any other information passed between two entities. Reconstruction may include interpretation, translation or extraction of any type of communication without the consent of the parties involved.
Interception and Modification
This class of attacks is known as the man in the middle attack. The attacker can not only monitor the call details and the conversation but also modify them, so these attacks threaten both the confidentiality and the integrity of the information. Some of the interception and modification attacks are call black holing, call rerouting and media alteration.
Call Black Holing
Call black holing is any unauthorized method of deleting or refusing to pass essential elements of protocol messages between communicating entities. The results of call black holing include delay in call setup and prevention or termination of a call connection.
Call rerouting is the alteration of a call's path by changing the routing information in any VoIP protocol. Call rerouting results in excluding authorized entities from, or including unauthorized entities on, the path of the call.
Media alteration is when the attacker intercepts the media of a communication and modifies its content so as to insert illegitimate media, degrade the quality of service or remove certain information. The media being altered can be conversation, fax, text, video or any media integrated with voice. Two important types of media alteration are media injection and media degradation. Media injection is the unauthorized insertion of new media into, or replacement of media in, an active media channel. As a result the victim of this attack may hear noise, advertisements or even silence in the middle of the conversation. Media degradation, on the other hand, is when the attacker intentionally manipulates the media to reduce the quality of service of the communication.
Denial of Service
Denial of service is a group of threats that target the availability of the service or the system. These threats typically interrupt VoIP services by overwhelming the target device with a large number of requests or by using malformed or spoofed messages. The different types of DoS threats are discussed below.
In a flooding attack, an attacker sends a large number of valid or invalid requests to a target system to degrade its performance or bring it down. The target can be a VoIP user, a server or even the underlying infrastructure. The different methods of flooding are call request flooding, call registration flooding, call controller flooding, request looping and directory service flooding.
Protocol Fuzzing/Malformed Messages
An attacker creates and sends malformed or unanticipated messages to the target server or client to interrupt its services. Because of the invalid format of the message the endpoint may crash, reboot or exhaust all the resources needed to service an incoming request. Protocol fuzzing confuses the target machine, and every implementation may react in its own way. The impacts of such attacks include infinite parsing loops, buffer overflows, system crashes and the inability to process normal messages. Weak protocol specifications, lack of exception handling in the implementation and the difficulty of testing malformed cases are the main causes of this attack.
In a spoofed message attack, an attacker inserts fake (spoofed) messages into the signaling path and has these faked messages accepted as real ones. This interrupts the call processing system. Examples of this attack are call teardown and toll fraud. In a call teardown attack the attacker obtains the session information from SIP dialogues and sends a SIP BYE to the devices, which causes the session to terminate.
In call hijacking, the information exchanged between a VoIP endpoint and the network during a session is hijacked, which leads to interruption of VoIP services. Registration hijacking, server impersonation and media session hijacking are the common types of call hijacking. In registration hijacking the attacker alters the registration messages of the victim to redirect signaling messages to another endpoint, so the victim is unable to make or receive calls. In server impersonation the attacker impersonates the VoIP server and tricks the victims into sending requests to the impersonated server. In media session hijacking the attacker takes over the media session between two endpoints and sends spoofed messages to redirect the media to a different endpoint.
Application Layer Attacks Specific to VoIP
The threats against VoIP systems can be broken down into more specific vectors and organized by the system layer at which the attack occurs. This section concentrates on attacks that are specific to VoIP applications and critical to the assurance of VoIP security. It also describes the causes and effects of these attacks and some common defense measures that can be taken against each of them.
SIP Registration Hijacking
In SIP, the user agent (VoIP phone) has to register itself with the SIP registrar (IP PBX), which enables the registrar to direct inbound calls to the user agent. In registration hijacking the attacker masquerades as a valid user agent to the registrar and replaces the valid registration address with its own address. Thus the calls intended for the original user agent are forwarded to the attacker's user agent.
Figure: SIP registration hijacking.
Effects of registration hijacking
The compromised UA loses all the inbound calls directed to it. The targeted UA can be an individual user, a group of users, a media gateway, an interactive voice response system, an automated attendant or a voice mail system. By hijacking a media gateway the attacker can block or manipulate all outbound calls.
Causes for SIP registration hijacking
SIP registration uses UDP, a connectionless protocol, which makes it easier for the attacker to formulate spoofed packets. The SIP protocol specification does not require the SIP registrar to authenticate the user agents requesting registration, and even where an authentication mechanism is present it is generally weak and easily compromised. The initial step in this attack is to determine registerable addresses. For an internal attacker this is quite an easy task, as he is familiar with the address structure; an external attacker will make use of a scanner. The scanner sends various SIP INVITE and SIP OPTIONS requests to the SIP registrar, and from the responses received the attacker determines which addresses are valid and uses them for hijacking. Once a valid UA's address has been determined the attacker sends a REGISTER request to the SIP registrar. This request is specially formulated so that the registrar removes all the bindings for the targeted UA. Once the targeted UA is unregistered the attacker sends a request to register his own UA with the registrar.
Defense measures against registration hijacking
The first step in defending against registration hijacking is to use strong authentication. Another step is to employ VoIP-specific firewalls that are capable of detecting and blocking attacks. The IETF recommended solution is to use strong passwords, Transport Layer Security (TLS) and MD5 digest authentication. Do not allow registration from external networks, or limit it to a small set of users.
SIP Bye/Cancel attack
According to the SIP protocol specification a session is terminated with a BYE message, and a pending invitation to start a session is ended with a CANCEL message. In a SIP BYE attack the attacker monitors the signaling of a call and sends a SIP BYE message to the participating user agents, which tears down the ongoing conversation. Similarly the attacker can formulate a SIP CANCEL message and send it to a user agent to cancel a previous request initiated by that UA.
Figure: SIP BYE/CANCEL attack.
Effects of SIP Bye/Cancel attacks
The primary effect of these attacks is denial of service to a user or a group of users. The attacker can send continuous BYE or CANCEL messages to the victims, which makes them unable to place or receive calls. Starting from one user agent this can be extended to many users in the network, resulting in network-wide disruption of service. A further drawback is that the SIP proxy may not be aware of the calls being terminated and so will not hold proper call records.
Causes for SIP Bye/Cancel attacks
The main cause of this attack is weak authentication in the SIP implementation. To perform this attack the attacker has to obtain the current session parameters using a sniffer tool on the network.
Defense measures against SIP Bye/Cancel attacks
One way is to add strong authentication to all communication between the control node and the user agent. HTTP digest or TLS can be used to check the legitimacy of a BYE message. To protect the session-critical parameters either TLS or IPsec can be used. The UA can also use certificate based credentials to verify that incoming BYE/CANCEL messages come from a trusted node.
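To show what the digest check on a BYE looks like on the receiving side, here is an added example (not from the original paper) of a user agent or proxy that tears down a dialog only when the BYE carries a valid MD5 digest for the nonce it issued; the credential store, realm, nonce and sample BYE are constructed for the demo.

```python
import hashlib
import hmac

# Constructed credential store for the example: SIP user -> (realm, password)
CREDENTIALS = {"alice": ("voip.example.com", "correct horse battery staple")}


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 3261 section 22.4 digest (no qop): MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex("%s:%s:%s" % (username, realm, password))
    ha2 = md5_hex("%s:%s" % (method, uri))
    return md5_hex("%s:%s:%s" % (ha1, nonce, ha2))


def parse_digest(value):
    """Turn 'Digest k="v", k2=v2' into a dict; anything else yields {}."""
    if not value.startswith("Digest "):
        return {}
    params = {}
    for part in value[7:].split(","):
        key, _, val = part.strip().partition("=")
        params[key] = val.strip('"')
    return params


def verify_bye(raw, nonce_issued):
    """Decide whether an incoming BYE is authenticated. Returns (accepted, reason)."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, uri = head[0].split(" ")[:2]
    headers = {n.strip().lower(): v.strip() for n, _, v in (l.partition(":") for l in head[1:])}
    if method != "BYE":
        return False, "not a BYE request"
    params = parse_digest(headers.get("authorization", ""))
    if not params:                     # unauthenticated teardown: challenge, do not act on it
        return False, "401 Unauthorized: no credentials, challenge the sender"
    if params.get("nonce") != nonce_issued:
        return False, "stale or replayed nonce"
    if params.get("uri") != uri:
        return False, "digest uri does not match request-URI"
    user = params.get("username", "")
    if user not in CREDENTIALS or params.get("realm") != CREDENTIALS[user][0]:
        return False, "unknown user or wrong realm"
    realm, password = CREDENTIALS[user]
    expected = digest_response(user, realm, password, method, uri, nonce_issued)
    if not hmac.compare_digest(expected, params.get("response", "")):
        return False, "403 Forbidden: digest response does not verify"
    return True, "BYE authenticated, tear down the dialog"


def make_bye(authorization=None):
    """Constructed BYE for a sample dialog; the Authorization header is optional."""
    lines = [
        "BYE sip:bob@voip.example.com SIP/2.0",
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
        "From: <sip:alice@voip.example.com>;tag=1928301774",
        "To: <sip:bob@voip.example.com>;tag=a6c85cf",
        "Call-ID: a84b4c76e66710@192.0.2.10",
        "CSeq: 231 BYE",
        "Max-Forwards: 70",
    ]
    if authorization:
        lines.append("Authorization: " + authorization)
    lines.append("Content-Length: 0")
    return "\r\n".join(lines) + "\r\n\r\n"
```

A BYE sniffed and replayed without credentials, or with a digest computed for a different nonce or password, is rejected before the dialog state is touched.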
SIP Message Tampering
Message tampering occurs when an attacker captures and alters packets exchanged between SIP entities. The attacker can alter some or all the attributes in the message.
Effects of SIP message tampering
The main effect of message tampering is that victims can be billed incorrectly for calls they did not make, and toll fraud goes undetected because of it. The attacker masquerades as a caller and reroutes a call via their own UA. After the calls are redirected via their UAs, the attackers can snoop on calls, block calls and send unexpected calls through the media gateways.
Causes for SIP message tampering
SIP messages are text based and so are easily vulnerable to tampering. Attackers can even tamper with the routing information.
Defense measures against SIP message tampering
The SIP messages can be protected by using transport layer security with the UDP and TCP protocols. Establish RTMM/SIP firewalls to monitor the SIP messages, and make sure that incoming Via headers and record routes correspond to your own domain.
Malformed SIP Command
The SIP protocol implementation is very similar to that of HTTP: it follows a text based request/reply format. This makes SIP very open ended and makes it easy to add new features. The main drawback is that it is very difficult to test whether an implementation processes all valid requests and whether it recognizes all invalid requests accurately. As a result a complex but valid message may be discarded by the system while an invalid request is processed. Attackers exploit these weaknesses by forming malformed messages that are capable of degrading the system's performance or even shutting it down completely.
Effects of malformed SIP message
A number of malformed call setup messages are capable of crashing or rebooting an endpoint. Such malformed messages can exhaust the endpoint's resources. Some invalid requests take up a good amount of processing power and also overflow the message buffers, eventually corrupting the processing engine. A threat called protocol fuzzing creates protocol packets that are not anticipated and contain malicious data; it can push a protocol implementation to its breaking point. The PROTOS test suite is a good example.
Causes for malformed SIP message
As discussed earlier, the text-based specification of the protocol makes it very vulnerable to this attack. Poor testing against fuzzing is another cause.
Defense measures against malformed SIP message
Thorough testing against fuzzing, implementation of strong authentication and use of IPsec, TLS and S/MIME may provide security against this threat to an extent. Implementing digital signatures may also be useful.
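The strict parsing recommended here, the Via domain check from the message tampering section and the binding-removal pattern from the registration hijacking section can all be applied by one request filter in front of a registrar or proxy. The following is an added example, not the paper's own or any product's code; the domain, sample messages and the set of accepted methods are constructed for the demo.

```python
import re

MANDATORY = ("via", "from", "to", "call-id", "cseq", "max-forwards")
METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (sips?:\S+) SIP/2\.0$")
VIA_LINE = re.compile(r"^SIP/2\.0/(UDP|TCP|TLS|SCTP) ([^ ;:]+)")
OWN_DOMAIN = "voip.example.com"   # constructed: the domain this registrar serves


def sip_msg(*lines):
    """Assemble a body-less SIP message: CRLF line endings and a terminating blank line."""
    return "\r\n".join(lines) + "\r\n\r\n"


def check_sip_request(raw, own_domain=OWN_DOMAIN):
    """Return a list of findings; an empty list means the request passed every check."""
    findings = []
    if "\r\n\r\n" not in raw:
        return ["no CRLFCRLF terminator between headers and body"]
    head, body = raw.split("\r\n\r\n", 1)
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:                       # refuse rather than guess what a bad request line meant
        return ["malformed request line: %r" % lines[0][:60]]
    method = m.group(1)
    if method not in METHODS:
        findings.append("unknown method " + method)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not re.fullmatch(r"[A-Za-z0-9.-]+", name.strip()):
            findings.append("malformed header line: %r" % line[:60])
            continue
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    for h in MANDATORY:
        if h not in headers:
            findings.append("missing mandatory header " + h)
    if "cseq" in headers:           # CSeq must carry a number and the request's own method
        cseq = headers["cseq"][0].split()
        if len(cseq) != 2 or not cseq[0].isdigit() or cseq[1] != method:
            findings.append("CSeq does not match request: %r" % headers["cseq"][0])
    clen = headers.get("content-length", [str(len(body))])[0]
    if not clen.isdigit() or int(clen) != len(body):
        findings.append("Content-Length %r disagrees with %d-byte body" % (clen, len(body)))
    if "via" in headers:            # the Via check recommended under message tampering
        via = VIA_LINE.match(headers["via"][0])
        host = via.group(2) if via else ""
        if not via:
            findings.append("malformed Via: %r" % headers["via"][0][:60])
        elif host != own_domain and not host.endswith("." + own_domain):
            findings.append("top Via host %s is outside %s" % (host, own_domain))
    if method == "REGISTER":        # the binding-removal shape from registration hijacking
        if headers.get("contact", [""])[0] == "*" and headers.get("expires", [""])[0] == "0":
            findings.append("REGISTER removes every binding (Contact: *, Expires: 0)")
        if "authorization" not in headers:
            findings.append("REGISTER without credentials: answer 401, never accept")
    return findings


# Constructed sample: an unauthenticated wildcard unregister arriving from a host
# outside the registrar's own domain, the shape described in the hijack sequence above.
SUSPICIOUS_REGISTER = sip_msg(
    "REGISTER sip:voip.example.com SIP/2.0",
    "Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bKnashds7",
    "From: <sip:alice@voip.example.com>;tag=456248",
    "To: <sip:alice@voip.example.com>",
    "Call-ID: 843817637684230@203.0.113.5",
    "CSeq: 1826 REGISTER",
    "Max-Forwards: 70",
    "Contact: *",
    "Expires: 0",
    "Content-Length: 0",
)
```

Running `check_sip_request(SUSPICIOUS_REGISTER)` yields three findings (foreign Via host, wildcard unregister, no credentials), while a well-formed INVITE from a host in the domain yields none.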
RTP payload attack
After encoding, the voice packets are carried between two endpoints using the RTP protocol. In RTP the header information is followed by the data payload, which contains the voice data. Using a man in the middle attack, the attacker can eavesdrop on or change the payload of the RTP media stream between two endpoints.
Effects of RTP payload attack
By eavesdropping the attacker can listen to the contents of the media stream. If he changes any content, that is media alteration. The attacker can alter the media by injecting illegal media into the stream or removing legitimate content from it. As a result the end user may hear noises, silence or even advertisements in the middle of the conversation.
Causes for RTP payload attack
RTP is a modification of the UDP protocol and is not secure enough to detect or prevent such attacks.
Defense measures against RTP payload attack
A good way of preventing this attack is to use the Secure RTP (SRTP) protocol. In SRTP the sender encrypts the message and sends it to the receiver. The encrypted packet travels through the network until it reaches the receiver, who decrypts and processes the content.
The RTP packet headers contain fields for sequencing and timestamps. If these are changed the packets may not make sense at the receiver's end, or they become unusable. Such manipulation of RTP packet information is called RTP tampering.
Effects of RTP tampering
Tampered RTP packets are capable of degrading the performance of a node or even crashing it. To get the node up and running again it has to be restarted.
Causes for RTP tampering
Just as with the RTP payload attack, the RTP protocol implementation is not secure enough to detect or prevent such attacks.
Defense measures against RTP tampering
A good way of preventing this attack is to use the Secure RTP (SRTP) protocol. Using SRTP the receiving end can determine whether the RTP packets have been modified. Separating the VoIP network from the data network also reduces many such attacks.
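As an added example (not from the paper) of how SRTP lets the receiver detect a modified header or payload, the following implements only the RFC 3711 authentication tag (HMAC-SHA1 over the packet and rollover counter, truncated to 80 bits); payload encryption, key derivation and the key exchange are omitted, and the key, packet and tampering case are constructed.

```python
import hashlib
import hmac
import struct

RTP_HEADER_LEN = 12    # fixed RTP header (RFC 3550 section 5.1) without CSRC list or extension
SRTP_TAG_LEN = 10      # RFC 3711 default: HMAC-SHA1 truncated to 80 bits


def build_rtp_packet(seq, timestamp, ssrc, payload, payload_type=0):
    """Build a minimal RTP packet: V=2, no padding, extension or CSRC entries."""
    header = struct.pack("!BBHII", 0x80, payload_type & 0x7F, seq & 0xFFFF,
                         timestamp & 0xFFFFFFFF, ssrc & 0xFFFFFFFF)
    return header + payload


def parse_rtp_header(packet):
    """Decode the fields a tamperer would target: sequence number, timestamp, SSRC."""
    if len(packet) < RTP_HEADER_LEN:
        raise ValueError("packet shorter than an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:RTP_HEADER_LEN])
    if b0 >> 6 != 2:
        raise ValueError("unsupported RTP version %d" % (b0 >> 6))
    return {"payload_type": b1 & 0x7F, "marker": bool(b1 & 0x80),
            "sequence": seq, "timestamp": ts, "ssrc": ssrc}


def srtp_auth_tag(auth_key, packet, roc):
    """RFC 3711 section 4.2: HMAC-SHA1 over (header || payload || ROC), truncated to 80 bits.
    The 32-bit rollover counter (ROC) is appended so that a packet replayed from an earlier
    sequence-number cycle fails to verify; both ends keep it, it is not sent on the wire."""
    mac = hmac.new(auth_key, packet + struct.pack("!I", roc), hashlib.sha1).digest()
    return mac[:SRTP_TAG_LEN]


def srtp_protect(auth_key, packet, roc):
    """Sender side: append the authentication tag (payload encryption omitted here)."""
    return packet + srtp_auth_tag(auth_key, packet, roc)


def srtp_verify(auth_key, protected, roc):
    """Receiver side: return the RTP packet if its tag verifies, otherwise None."""
    if len(protected) < RTP_HEADER_LEN + SRTP_TAG_LEN:
        return None
    packet, tag = protected[:-SRTP_TAG_LEN], protected[-SRTP_TAG_LEN:]
    if not hmac.compare_digest(tag, srtp_auth_tag(auth_key, packet, roc)):
        return None
    return packet


def rewrite_timestamp(protected, new_ts):
    """Constructed tampering case for the demo: overwrite the timestamp field in transit."""
    return protected[:4] + struct.pack("!I", new_ts) + protected[8:]


if __name__ == "__main__":
    key = bytes(range(20))                     # constructed 160-bit authentication key
    pkt = build_rtp_packet(seq=100, timestamp=160, ssrc=0x1234ABCD, payload=b"\x55" * 160)
    wire = srtp_protect(key, pkt, roc=0)
    print("genuine packet accepted:", srtp_verify(key, wire, roc=0) == pkt)
    print("tampered timestamp accepted:", srtp_verify(key, rewrite_timestamp(wire, 999), roc=0) is not None)
```

Plain RTP would hand the rewritten timestamp straight to the jitter buffer; with the tag in place the receiver drops the packet instead, which is the property the text attributes to SRTP.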
Emerging defense mechanisms and key research areas in VoIP
This section discusses some of the most important defense mechanisms against VoIP attacks. These defense measures are capable of protecting VoIP systems from multiple types of attack. Most of the defense measures discussed here are emerging slowly in commercial VoIP products, and many of them need further research.
Port based authentication is implemented using IEEE 802.1X. It provides port based network access control for devices connected to the internet. The implementation involves a network controller that restricts external devices from accessing the network through the controlled port. If an external device wishes to access the network for a particular service via a port, it must authenticate itself in order to gain access. This prevents rogue UAs from being added to the network. Since the attacker's UA cannot gain access to the VoIP network, many kinds of attack can be prevented by this method. The SIP register attack, SIP BYE/CANCEL attack, SIP message tampering, malformed message attacks and the RTP payload attack are a few of the attacks from which port authentication gives relief.
Separate VoIP traffic from data traffic
By separating the data network from the VoIP network, a number of attacks can be prevented, as attackers will not be able to reach the VoIP components even if they gain access through weak links in the data network. This separation can be achieved using Virtual LANs (VLANs). A VLAN implementation allows routing only between devices that are on the same VLAN, as configured by the network administrator. In this implementation there are two LAN ports for VoIP: the VoIP phone is connected to the VoIP LAN using one port, and the PC attached to the phone is placed on the data LAN through the other port. The voice mail servers, however, are placed on the data network, so there must be some connectivity between the two LANs. This connectivity is implemented using a SIP enabled firewall.
VoIP user agents contact configuration servers to obtain the configuration information required to gain access to the VoIP system. But there is no guarantee that the phones get this configuration information from a trusted server. To make sure the configuration information comes from a trusted server, the vendor can configure the handsets beforehand with the public keys of the different configuration servers. Another option is for the network administrator to configure this public key during handset installation. The connection between the UA and the servers must use Transport Layer Security. Once this is done, whenever a UA contacts the configuration server, the authenticity of the server is checked during the TLS handshake using the server's public key held by the UA and the server's private key. If the authentication succeeds the UA receives the configuration information; otherwise the phone is not allowed to obtain it.
VoIP technology has its own benefits and drawbacks. The main benefit is cost savings, and the main drawback is vulnerability to security threats. This paper has described many of the security threats occurring in VoIP networks and given insight into defense mechanisms against them. If these threats are evaluated and the networks secured with the suggested defense mechanisms, many enterprises can reap the benefits of VoIP.