Security Challenges in Hybrid Telephony

Richard Hovey

Communications Systems Analysis Division

February 8, 2007

Observations are my own and are not a reflection of views of CSAD or PSHSB.


Hybrid IP-TDM Telephony

[Figure: a broadband phone subscriber (SIP, DNS, IP PBX) sits behind a router on the IP side and reaches an SSP on the SS7/TDM side; labels: SS7, SIP, DNS, PBX, Broadband Phone Service, router, IP PBX, SSP]

Security Issues

  • Session Initiation Protocol (SIP)

  • Signaling Interop

  • Domain Name System Interop (DNS)

  • Routing Interop (BGP)

  • IP PBX

  • IP Network

  • TDM Network

  • Smartphone

Non-public – for Internal Use Only


Security Challenges in Hybrid Telephony Outline

  • Perspectives on telecom convergence

    • "Very-Next" Generation c.2007-2010

  • Telephony on the commodity Internet

    • Tutorial: basic SIP signaling

    • SIP Security challenges

  • Hybrid Telephony IP – TDM

    • Tutorial: basic SS7 signaling; SIP – SS7 Interworking

    • SIP-SS7 security challenges

  • Emerging components & concerns

    • Open Source IP PBX

    • Smartphone



Security Challenges in Hybrid Telephony Advisory Message

  • The Sky isn't exactly falling…

  • …but the Sea Level is rising.

  • Net effect: The Sky is getting closer.

[Figure: "CSAD Advisory System" scale, from Severe Risk of Sky Falling through High, Significant and General down to Low Risk of Sky Falling]


Perspective on Convergence: Very-Next Generation Residential Broadband

[Figure: residential access today runs in parallel to two distinct infrastructures, the TDM phone network and the commodity Internet, over copper, cable or fiber broadband, with satellite distribution to a headend and local servers]

  • Today: parallel access to distinct infrastructures

  • Future: common IP core infrastructure?

    • Vision of "Carrier ISPs"

    • First test: adoption of "NGN Release 1"


Tutorial: IP-IP Telephony, Session Initiation Protocol (SIP) Signaling

[Figure: two IP networks, each with a control plane (SIP server, DNS, location service LOC) and a switching plane (router); an IP link between them carries the signaling path (SIP, with SDP session descriptions) and the voice path (RTP)]


Tutorial: IP-IP Telephony SIP Basics

  • Session Initiation Protocol (SIP)

    • Text-based protocol with a readable syntax, similar to HTTP

    • Used for controlling multimedia sessions over IP (i.e., signaling)

    • Telephony is a type of audio-only multimedia session

  • INVITE message

    • Used to establish a session; analogous to ISUP IAM message

    • IP-IP phone example (Kevin calls Michael over Internet)

      INVITE sip:[email protected] SIP/2.0
      Via: SIP/2.0/UDP 165.135.228.98:5060
      Max-Forwards: 50
      To: Michael <sip:[email protected]>
      From: Kevin <sip:[email protected]>;tag=8055002911
      Content-type: application/sdp
      Content-length: 142


Tutorial: IP-IP Telephony, Session Initiation Protocol (SIP) Signaling

[Figure: call flow on the two-network diagram; signaling runs SIP server to SIP server via DNS and the location service (LOC), the voice path runs RTP end to end through the routers]

  ❶ Kevin "calls" Michael

  ❷ INVITE to: sip:[email protected] (Kevin's phone to its SIP server)

  ❸ DNS Query (locate the SIP server for Michael's domain)

  ❹ INVITE (forwarded to Michael's SIP server)

  ❺ LS Query (location service lookup for Michael's registered phone)

  ❻ INVITE (to Michael's phone)

  ❼ Ringing

  ➑ OK

  ➒ voice (RTP)


IP-based Telephony: SIP Signaling Challenges

SIP and Privacy (withholding identity)

  • Identity carried in SIP URI and optional Display Name

    e.g., Kevin <sip:[email protected]>

  • Appears in numerous fields in SIP messages

    e.g., From:, Contact:, Reply-To:

  • Identity Info also appears in

    e.g., Via:, Call-Info:, User-Agent:, Organization:, Server:

  • Some are functional and have to be included

  • Complicated by intermediary proxy servers that add headers

    [and can examine the other header content]
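The two slides above (SIP basics, and where identity sits in the headers) can be made concrete with a short parser. The following is an added example, not code from the presentation: it takes a constructed INVITE (example.com / example.net placeholders stand in for the slide's redacted addresses), lists the headers that carry identity, and rewrites the request the way an RFC 3323 privacy service would. The host privacy.example.org and the branch value are this example's placeholders.

```python
"""Where the caller's identity sits in a SIP INVITE, and what a privacy
service (RFC 3323) can strip versus what the protocol needs to keep."""
import re

# Constructed INVITE, loosely following the slide's Kevin -> Michael call.
# example.com / example.net / example.org are placeholders, not real hosts.
INVITE = (
    "INVITE sip:michael@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 50\r\n"
    "To: Michael <sip:michael@example.net>\r\n"
    "From: Kevin <sip:kevin@example.com>;tag=8055002911\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:kevin@192.0.2.10:5060>\r\n"
    "Reply-To: Kevin <sip:kevin@example.com>\r\n"
    "User-Agent: ExamplePhone/1.2.3\r\n"
    "Organization: Example Corp\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Optional headers that exist only to describe the caller or the device:
# a privacy service can drop them outright.
STRIPPABLE = {"reply-to", "user-agent", "organization", "call-info",
              "server", "subject"}
# Functional headers that nevertheless carry identity (name, URI, host):
# the dialog breaks without them, so they must be rewritten, not removed.
FUNCTIONAL_WITH_IDENTITY = {"from", "contact", "via", "call-id"}


def parse_sip(raw):
    """Split a SIP message into (start line, [(name, value), ...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def identity_headers(raw):
    """Names of the headers in this message that reveal who or what is calling."""
    _, headers, _ = parse_sip(raw)
    return [name for name, _ in headers
            if name.lower() in STRIPPABLE | FUNCTIONAL_WITH_IDENTITY]


def anonymize(raw, service_host="privacy.example.org", branch="z9hG4bKprivacy1"):
    """Rewrite the request the way an RFC 3323 privacy service would.
    service_host and branch are placeholders for this example; a real
    service uses its own address and a fresh branch for every request."""
    start, headers, body = parse_sip(raw)
    out = []
    for name, value in headers:
        key = name.lower()
        if key in STRIPPABLE:
            continue
        if key == "from":
            # Display name and URI go; the tag stays, it identifies the dialog.
            tag = re.search(r";tag=[^;]+", value)
            value = '"Anonymous" <sip:anonymous@anonymous.invalid>' + (tag.group(0) if tag else "")
        elif key == "contact":
            # Replies must still reach the caller, so Contact points at the service.
            value = f"<sip:{service_host}>"
        elif key == "via":
            # The caller's address is in Via; the service terminates that hop
            # and inserts its own so responses are routed back through it.
            value = f"SIP/2.0/UDP {service_host}:5060;branch={branch}"
        # Call-ID also embeds the caller's host, but it can only be changed by
        # a service that rewrites both directions of the dialog (a B2BUA),
        # so it is left alone here.
        out.append(f"{name}: {value}")
    return start + "\r\n" + "\r\n".join(out) + "\r\n\r\n" + body
```

The split is the slide's point: Reply-To, User-Agent and Organization are optional and simply vanish, while From, Contact and Via are needed to route the dialog, so the service has to substitute its own values and become the path for replies. That makes it exactly the kind of intermediary that "can examine the other header content".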



IP-based Telephony: SIP Signaling Challenges

  • Utility of protecting SIP with encryption?

    • i.e., protect SIP messages with IP Security (IPsec) at IP Layer

  • Hop-by-hop impact on Call Set-up time is significant

    • Almost certainly unacceptable

Source: Telcordia

  • Once connected phone-phone, delay acceptable

    • About 10% (8 msec)

  • Implications for NGN?



IP-based Telephony: Vulnerabilities in SIP Devices

  • Dozens of vulnerabilities impacting IP-based telephony

    • Includes commodity Internet risks at other layers

  • Attacks on vulnerabilities

    • can impact confidentiality, integrity, availability

    • can trigger device hangs, crashes, restarts

  • Hundreds of SIP software implementations

    • both SIP phones and SIP Servers

  • Next: some approaches to mitigating risks

    • Security thru obscurity – don’t reveal implementation

    • Security thru testing – use test tools to check implementation



IP-based Telephony: IP Telephony Vulnerabilities by Protocol Layer

[Figure: chart of IP telephony vulnerabilities broken down by protocol layer. Source: UC Boulder]


IP-based Telephony: Security thru Obscurity?

  • A vulnerable implementation becomes an explicit target

    • e.g., Windows vulnerabilities

  • SIP standard defines a "User-Agent" field

    • announces software version

    • can turn it off so software details are not revealed

  • But… turning off explicit identification doesn't really help

    • sufficient info in protocol responses to determine software

    • probing technique manipulates headers, log responses

    • each device has a unique fingerprint

  • Does suggest some security improvements

    • e.g., don't respond to non-compliant messages

    • e.g., randomize fields and attributes
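An added example (not from the slides or from the CMU/IBM fingerprinting work) of why removing the User-Agent banner does not hide the implementation. The two responses are constructed for two hypothetical stacks answering the same malformed probe; they differ only in reason phrase, header spelling and order, and use of compact header forms, which is enough to tell them apart once the banner is gone. The last function shows the slide's suggested countermeasure of randomizing header order.

```python
"""Passive fingerprinting of a SIP stack from its responses, and why
stripping User-Agent/Server alone does not help."""
import random

# Constructed responses from two hypothetical stacks to the same malformed
# probe. They differ only in details nobody thinks of as identifying.
RESPONSE_A = (
    "SIP/2.0 400 Bad Request\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK1\r\n"
    "From: <sip:probe@example.com>;tag=1\r\n"
    "To: <sip:target@example.net>\r\n"
    "Call-ID: 1@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "User-Agent: StackA-Phone/3.1\r\n"
    "Content-Length: 0\r\n\r\n"
)
RESPONSE_B = (
    "SIP/2.0 400 Bad request\r\n"
    "v: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK1\r\n"
    "t: <sip:target@example.net>\r\n"
    "f: <sip:probe@example.com>;tag=1\r\n"
    "i: 1@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "User-Agent: StackB-Proxy/0.9\r\n"
    "l: 0\r\n\r\n"
)

BANNERS = ("user-agent:", "server:")


def strip_banner(msg):
    """The 'turn it off' mitigation: drop the explicit version headers."""
    return "\r\n".join(l for l in msg.split("\r\n") if not l.lower().startswith(BANNERS))


def fingerprint(msg):
    """Features that survive banner removal: the reason phrase (stacks word and
    capitalise these differently), header names exactly as written and in the
    order emitted, and whether compact forms (v:, f:, t:, i:, l:) are used."""
    lines = msg.split("\r\n")
    status = lines[0].split(" ", 2)
    reason = status[2] if len(status) == 3 else ""
    names = tuple(l.split(":", 1)[0] for l in lines[1:] if ":" in l)
    compact = any(len(n) == 1 for n in names)
    return (reason, names, compact)


def same_stack(resp1, resp2):
    """Do two responses look like the same implementation, banners ignored?"""
    return fingerprint(strip_banner(resp1)) == fingerprint(strip_banner(resp2))


def randomize_order(msg, seed):
    """The slide's countermeasure: randomize header order so the order feature
    becomes noise. Headers with the same name keep their relative order,
    which RFC 3261 requires (e.g. stacked Via)."""
    lines = msg.split("\r\n")
    head, rest = lines[0], lines[1:]
    hdrs = [l for l in rest if ":" in l]
    tail = rest[len(hdrs):]            # the blank line(s) ending the header block
    groups = {}
    for h in hdrs:
        groups.setdefault(h.split(":", 1)[0].lower(), []).append(h)
    keys = list(groups)
    random.Random(seed).shuffle(keys)  # seeded only so the example is repeatable
    return "\r\n".join([head] + [h for k in keys for h in groups[k]] + tail)
```

Reason phrases and compact forms are not touched by the shuffle, so randomizing order alone narrows the fingerprint rather than removing it; that is why the slide pairs it with not answering non-compliant messages at all.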



IP-based Telephony: Security thru Obscurity?

[Figure: table of SIP device fingerprints. Source: CMU & IBM Watson]


IP-based Telephony: Security thru Testing

  • Commercially-available VoIP testing tools

    • “vulnerability scanners”

  • Inject abnormalities into SIP messages

    • E.g., one tool: 4500 test cases…

    • …but only for SIP “INVITE” message

  • Analysis of seven testing tools

    • based on lab tests of four tools; claims of three others

    • even combined, address less than half of known vulnerabilities



IP-based Telephony: IP Telephony Vulnerabilities Addressed by Tools

[Figure: chart of known IP telephony vulnerabilities against the share addressed by the testing tools. Source: UC Boulder]


IP-based Telephony: Denial of Service Attacks

  • Background

    • Brute force attacks are much easier than clever exploits

  • Attack targets

    • SIP infrastructure (SIP servers, Gateways)

    • Supporting services (DNS)

    • End points (SIP phones)

  • Commercially available solutions for UDP/SYN flooding

    • But currently none for SIP



IP-based Telephony: Denial of Service Attacks

  • Carrier-class Analysis

    • Two types of attacks used: General and VoIP-specific

    • Bi-directional Speech grade-of-service metrics collected

  • Results

    • VoIP-specific attacks effective at low rates against all devices

      • No service – let alone grade of service - to record

    • General attacks caused a wide-range of effects

      • Unexpected: all devices adversely affected by TCP SYN attacks

  • Conclusions (November 2004):

    “Keep VoIP on private secured networks (off the public Internet) where practical”

    “Design DDOS mitigation products to be VoIP-aware”

Source: Sprint Adv. Tech. Labs


IP-based Telephony: Denial of Service Attacks

[Figure: voice quality during a TCP SYN attack on a network element, plotted against attack level up to 20% of bandwidth, with the acceptable-quality threshold marked]


IP-based Telephony: Denial of Service Attacks

Current carrier-class work

  • Addressing perimeter protection problem of VoIP service

  • Strategy – two detection and mitigation filters

    • SIP: Rule-based detection and mitigation filters (only valid SIP)

    • Media: SIP-aware dynamic pinhole filtering (only signaled RTP)
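Added example of the two-filter strategy above, written for this page rather than taken from the Columbia/Verizon prototype. Messages, addresses and ports are constructed test data. The SIP filter forwards only well-formed SIP and rate-limits INVITEs per source; the media filter opens a pinhole only for the RTP endpoints that the INVITE and its 200 OK actually signaled in SDP, and closes it on BYE.

```python
"""SIP-aware perimeter: rule-based SIP filter plus dynamic RTP pinholes."""
import re
from collections import defaultdict, deque

METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER"}
REQUIRED = ("via", "to", "from", "call-id", "cseq")

# Constructed test dialog: Alice (192.0.2.10) calls Bob (198.51.100.20).
SDP_CALLER = "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n"
SDP_CALLEE = "v=0\r\no=- 2 2 IN IP4 198.51.100.20\r\ns=-\r\nc=IN IP4 198.51.100.20\r\nt=0 0\r\nm=audio 3456 RTP/AVP 0\r\n"
DIALOG = ("Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK1\r\nTo: <sip:bob@example.net>\r\n"
          "From: <sip:alice@example.com>;tag=1\r\nCall-ID: c1@192.0.2.10\r\n")
INVITE = "INVITE sip:bob@example.net SIP/2.0\r\n" + DIALOG + "CSeq: 1 INVITE\r\nContent-Type: application/sdp\r\n\r\n" + SDP_CALLER
OK200 = "SIP/2.0 200 OK\r\n" + DIALOG + "CSeq: 1 INVITE\r\nContent-Type: application/sdp\r\n\r\n" + SDP_CALLEE
BYE = "BYE sip:bob@example.net SIP/2.0\r\n" + DIALOG + "CSeq: 2 BYE\r\n\r\n"


def parse(msg):
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    hdrs = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        hdrs.setdefault(name.strip().lower(), value.strip())   # first value wins
    return lines[0], hdrs, body


def valid_sip(msg):
    """Rule-based check: a sane start line and the mandatory headers."""
    start, hdrs, _ = parse(msg)
    parts = start.split(" ", 2)
    if len(parts) != 3:
        return False
    if parts[0] == "SIP/2.0":                               # response
        ok = parts[1].isdigit() and len(parts[1]) == 3
    else:                                                   # request
        ok = parts[0] in METHODS and parts[2] == "SIP/2.0"
    return ok and all(h in hdrs for h in REQUIRED)


def sdp_audio(body):
    """(ip, port) the SDP body asks the peer to send audio to, or None."""
    c = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    m = re.search(r"^m=audio (\d+) RTP/AVP", body, re.M)
    return (c.group(1), int(m.group(1))) if c and m else None


class VoipPerimeter:
    def __init__(self, max_invites_per_sec=5):
        self.max_rate = max_invites_per_sec
        self.invites = defaultdict(deque)   # src_ip -> recent INVITE timestamps
        self.offers = {}                    # call-id -> caller media (ip, port)
        self.pinholes = set()               # (src_ip, src_port, dst_ip, dst_port)
        self.by_call = defaultdict(set)     # call-id -> its pinholes, for teardown

    def signaling(self, msg, src_ip, now):
        """Decide on a SIP packet; open or close media pinholes as a side effect."""
        if not valid_sip(msg):
            return "drop"
        start, hdrs, body = parse(msg)
        cid = hdrs["call-id"]
        if start.startswith("INVITE "):
            window = self.invites[src_ip]
            window.append(now)
            while window and window[0] <= now - 1.0:      # keep a one-second window
                window.popleft()
            if len(window) > self.max_rate:               # INVITE flood from one source
                return "drop"
            self.offers[cid] = sdp_audio(body)
        elif start.startswith("SIP/2.0 200") and hdrs["cseq"].endswith("INVITE"):
            caller, callee = self.offers.pop(cid, None), sdp_audio(body)
            if caller and callee:                         # both ends signaled: open both directions
                for a, b in ((caller, callee), (callee, caller)):
                    hole = (a[0], a[1], b[0], b[1])
                    self.pinholes.add(hole)
                    self.by_call[cid].add(hole)
        elif start.startswith("BYE "):
            self.pinholes -= self.by_call.pop(cid, set())
        return "forward"

    def media(self, src_ip, src_port, dst_ip, dst_port):
        """RTP is forwarded only through a pinhole that signaling opened."""
        return "forward" if (src_ip, src_port, dst_ip, dst_port) in self.pinholes else "drop"


def demo():
    """Run the constructed dialog plus an unsignaled stream, garbage and a flood."""
    p, r = VoipPerimeter(max_invites_per_sec=2), {}
    r["invite"] = p.signaling(INVITE, "192.0.2.10", 0.0)
    r["rtp_before_answer"] = p.media("198.51.100.20", 3456, "192.0.2.10", 49170)
    r["ok"] = p.signaling(OK200, "198.51.100.20", 0.1)
    r["rtp_callee_to_caller"] = p.media("198.51.100.20", 3456, "192.0.2.10", 49170)
    r["rtp_caller_to_callee"] = p.media("192.0.2.10", 49170, "198.51.100.20", 3456)
    r["rtp_unsignaled"] = p.media("203.0.113.7", 40000, "192.0.2.10", 49170)
    r["garbage"] = p.signaling("INVITE \x00\x00 junk", "203.0.113.7", 0.2)
    r["bye"] = p.signaling(BYE, "192.0.2.10", 0.3)
    r["rtp_after_bye"] = p.media("198.51.100.20", 3456, "192.0.2.10", 49170)
    r["flood"] = [p.signaling(INVITE.replace("c1@", f"c{i}@"), "203.0.113.7", 1.0 + i * 0.01) for i in range(2, 6)]
    return r
```

The point the slide makes about "only signaled RTP" is visible in demo(): the callee's media is dropped until the 200 OK arrives, a stream from an address that never appeared in SDP is dropped even when aimed at a real phone, and the pinhole disappears with the BYE. The rate limit is the crude end of the rule-based filter; the slide's carrier-class work layers anomaly detection on top of exactly this kind of state.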



IP-based Telephony: Denial of Service Attacks

[Figure: architecture of the SIP and media detection and mitigation filters at the VoIP service perimeter. Source: Columbia U – Verizon Labs]


IP-based Telephony: Denial of Service Attacks

Carrier-class Prototype

  • Rely on wire-speed, deep-packet inspection

  • 300 calls/second; 10K-30K concurrent calls

  • Conclusion (October 2006):

    “Need to generalize methodology to cover a broader range of cases and apply anomaly detection, pattern recognition and learning systems”

Source: Columbia U – Verizon Labs


Tutorial: TDM-TDM Telephony, Inter-exchange Signaling (SS7), ISDN User Part (ISUP) Protocol

[Figure: subscriber A on switch W calls subscriber B on switch X; W and X are joined by a voice trunk and by an SS7 signaling link, the subscribers by subscriber lines]

  ❶ A dials digits

  ❷ W sends an Initial Address Message [IAM] to X over the signaling link

  ❸ X checks: is the called number idle?

  ❹ X returns an Address Complete Message [ACM]

  ❺ ring tone to the caller; ring the called line and transmit Caller ID

  ❻ connect to trunk


Tutorial: TDM-TDM Telephony, Initial Address Message (IAM)

[Figure: IAM layout highlighting the Called Party Number, Calling Party Number and Charge Number parameters]


Tutorial: IP-TDM Telephony

[Figure: broadband phone service (SIP, DNS) behind a router on the IP side, a Media Gateway Controller (MGC) at the boundary, and an SSP on the SS7/TDM side]


Tutorial: IP-TDM Telephony, SIP to SS7

  • Media Gateway Controller (MGC)

    • Also referred to as a "Softswitch" or "Call Agent"

    • Has logical interfaces facing both networks

    • Translates between SIP and ISUP messages

    • SS7 protocol Level 4 (e.g., "INVITE" ↔ "IAM")

  • Media Gateway (MG)

    • Has trunking interfaces facing both networks

    • Translates between IP and TDM voice streams (i.e., RTP ↔ T1)

    • MGC and MG can be merged in one box or kept separate

  • Signaling Gateway (SG)

    • Performs mapping of Signaling Network Messages

    • SS7 protocol Level 3

    • Level 3: controls congestion, balances loads, re-routes traffic



Tutorial: IP-TDM Telephony, SIP to SS7

Questions wrt Media Gateway Controller:

  • How do they map fields? e.g., "INVITE" → "IAM"?

    • e.g., "From:" → "Calling Party Number" and "Charge Number"

  • What call records do they maintain?

    • significant implications for Authenticating source



Tutorial: IP-TDM Telephony, SIP to SS7

  • INVITE message

    • IP-to-Wireline phone example (Kevin calls Michael from Internet)

      INVITE sip:[email protected];user=phone SIP/2.0
      Via: SIP/2.0/UDP client.kevin.fcc.gov:5060
      Max-Forwards: 50
      To: Michael <sip:[email protected];user=phone>
      From: Kevin <sip:+12024180100>;tag=8055002911
      Content-type: application/sdp
      Content-length: 142
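The mapping questions on the previous slide, the IAM parameter slide and the INVITE above meet in the calling-number mapping at the MGC. The following is an added example, not presentation or vendor code: it derives the ISUP Calling Party Number from a constructed IP-to-wireline INVITE (the called number +12025550123 is a fictional 555 number, example hosts are placeholders) and encodes the parameter as Q.763 lays it out. The trust policy is this example's assumption: a number taken from a P-Asserted-Identity received from a trusted peer is marked "network provided", a number taken from From is "user provided, not verified". RFC 3398 describes the general SIP to ISUP mapping; the screening choice is operator policy.

```python
"""SIP caller identity -> ISUP Calling Party Number (CgPN) at an MGC."""
import re

# Q.763 Calling Party Number field values
NOA_NATIONAL, NOA_INTERNATIONAL = 0x03, 0x04
NPI_E164 = 0x01
PRES_ALLOWED, PRES_RESTRICTED = 0x00, 0x01
SCR_USER_NOT_VERIFIED, SCR_USER_VERIFIED, SCR_USER_FAILED, SCR_NETWORK = 0, 1, 2, 3

# Constructed IP-to-wireline INVITE in the shape of the slide's example.
INVITE = (
    "INVITE sip:+12025550123@gw.example.net;user=phone SIP/2.0\r\n"
    "Via: SIP/2.0/UDP client.example.com:5060;branch=z9hG4bK9\r\n"
    "Max-Forwards: 50\r\n"
    "To: Michael <sip:+12025550123@gw.example.net;user=phone>\r\n"
    "From: Kevin <sip:+12024180100@example.com;user=phone>;tag=8055002911\r\n"
    "Call-ID: 77@client.example.com\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)


def encode_cgpn(digits, noa, screening, presentation=PRES_ALLOWED):
    """Octet 1: odd/even indicator (bit 8) + nature of address.
    Octet 2: NI=0 (bit 8), numbering plan (bits 7-5), presentation (4-3), screening (2-1).
    Octets 3..n: BCD digits, first digit in the low nibble, 0 filler when odd."""
    odd = len(digits) % 2
    out = bytearray([(odd << 7) | noa, (NPI_E164 << 4) | (presentation << 2) | screening])
    padded = digits + ("0" if odd else "")
    for i in range(0, len(padded), 2):
        out.append((int(padded[i + 1]) << 4) | int(padded[i]))
    return bytes(out)


def decode_cgpn(param):
    """Inverse of encode_cgpn, as a terminating switch would read the parameter."""
    odd, noa = param[0] >> 7, param[0] & 0x7F
    screening, presentation = param[1] & 0x03, (param[1] >> 2) & 0x03
    digits = "".join(str(b & 0x0F) + str(b >> 4) for b in param[2:])
    if odd:
        digits = digits[:-1]
    return {"noa": noa, "screening": screening, "presentation": presentation, "digits": digits}


def header(raw, name):
    m = re.search(r"^" + re.escape(name) + r":\s*(.*)$", raw, re.M | re.I)
    return m.group(1).strip() if m else None


def phone_digits(uri_value):
    """User part of a sip:...;user=phone or tel: URI; a leading '+' means global."""
    m = re.search(r"<?(?:sip|tel):(\+?\d+)", uri_value)
    return m.group(1) if m else None


def map_calling_party(invite, trusted_peer):
    """Derive the CgPN parameter bytes from an INVITE.
    Policy (this example's assumption): P-Asserted-Identity from a trusted
    peer -> 'network provided'; anything taken from From -> 'user provided,
    not verified', because From is whatever the caller's device chose."""
    pai = header(invite, "P-Asserted-Identity")
    if pai and trusted_peer:
        number, screening = phone_digits(pai), SCR_NETWORK
    else:
        number, screening = phone_digits(header(invite, "From") or ""), SCR_USER_NOT_VERIFIED
    if not number:
        return None
    privacy = (header(invite, "Privacy") or "").lower()
    presentation = PRES_RESTRICTED if "id" in privacy.split(";") else PRES_ALLOWED
    if number.startswith("+"):                 # global number: international NoA, keep country code
        return encode_cgpn(number[1:], NOA_INTERNATIONAL, screening, presentation)
    return encode_cgpn(number, NOA_NATIONAL, screening, presentation)
```

Run map_calling_party on the same INVITE with a different number in From and the CgPN digits follow it unchanged; only the screening indicator records that nobody verified them. Downstream switches that render Caller ID from the digits without regard to the screening value are what make the "much cheaper" manipulation on the later Open Source PBX slides work, and the Charge Number parameter raises the same question for billing.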



Tutorial: IP-TDM Telephony, SIP to SS7

[Figure: SS7-over-IP (SIGTRAN) protocol stacks across the IP-TDM boundary]

    MGC (IP side)   |   Signaling Gateway (SG)    |   SS7 side (STP)
    ISUP            |                             |   ISUP
    M3UA            |   M3UA   [ NIF ]   MTP3     |   MTP3
    SCTP            |   SCTP   [     ]   MTP2     |   MTP2
    IP              |   IP     [     ]   MTP1     |   MTP1
         <--- IP --->                  <--- TDM --->

  • Signaling Gateway (SG) function

    • Performs mapping of signaling network messages

    • SS7 Level 3: congestion, balances loads, traffic re-routing

  • Transporting SS7 over IP Network

  • Bottom line: SG can appear as an SS7 SP at the interface


Tutorial: IP-TDM Phone Service, SIP-SS7 Signaling

Questions?



IP-TDM Phone Service: Signaling Interworking Vulnerabilities

Background

  • New players (CLECs) increasing the number of SS7 access points

  • Signaling Gateway looks like another SS7 SP to an STP

  • Absence of message integrity and authentication in SS7

    • Could use IPsec in hybrid environment – but ends at the SG

      Recent Analysis (December 2006)

  • Hijacked or misbehaving SS7 nodes

    • Open to Signaling Network Management (SNM) injects

    • Injections towards MGC can disrupt VoIP services

  • Hijacked or misbehaving Signaling Gateway

    • Can affect functioning of SS7 network

      “Threats arising in either network due to misprovisioned or malicious signaling nodes are not confined to that network alone but may affect the other network as well.”

Source: GMU – UNT


IP-TDM Phone Service: Signaling Interworking Vulnerabilities

[Figure: table of critical management messages in IP and SS7 networks, SS7 Level 3 only]


IP-TDM Phone Service: Signaling Interworking Vulnerabilities

  • Only widely deployed security solution

    • Telcordia’s Gateway Screening Specification

    • Implemented at gateway STPs

    • Generally screens out only message headers

    • Doesn’t check content and structure of most signaling messages

  • Commercial products to secure SS7 are emerging

    • Content-based and signal-sequence firewalls

    • Network Access Mediation (Sevis);

    • SS7 Security Gatekeeper (Verizon)

  • Proposed: MTPSec to secure SS7 network layer



Open Source PBX: Be Your Own Phone Company

[Figure: an Asterisk PBX behind a router reaches the SSP on the TDM side through a termination provider]


Be Your Own Phone Company: Asterisk – Corporate PBX

[Figure: Asterisk in the corporate PBX role]


Open Source PBX: Spoofing - Service & Do-It-Yourself

[Figure: the same topology, Asterisk PBX, router, termination provider, SSP, used for Caller ID spoofing either through a spoofing service or do-it-yourself]


Be Your Own Phone Company: Spoofing - Service & Do-It-Yourself

Things to know:

  • Can use standard SetCallerID(nnnnnnnnnn) command

    • PBX-like; not efficient for per-call spoofing

  • Asterisk software is easily patched to do Caller ID spoofing

    • Add the following lines to the extension config file:

        exten => 33,1,Answer
        exten => 33,2,AGI(cidspoof.agi)

    • Download the cidspoof.agi script, change line 77 to the correct username / hostname for the VoIP service provider, and copy it to /var/lib/asterisk/agi-bin/

    • Start Asterisk

    • Call extension 33, enter number you wish to spoof from, followed by number you wish to spoof to.



Open Source PBX

  • Authentication concerns (CPN, BTN)

    • manipulation now much cheaper

    • isolation from traceability much greater



Smartphone Security: General Outlook

  • Virus problem seems relatively small and manageable…

    • Cell phone carriers have strong incentives to keep under control

    • Cell phone carriers have good control points (e.g., gateways)

    • Incidents to date haven't been widespread or fast spreading

    • Many categorized as low-threat "proof of concept"

  • Q: "Is the Sky Falling?"

    A: "Probably not; not at the moment."

  • “But the ocean…”



Smartphone Security: General Outlook

  • But… cell phones are an increasingly attractive target

    • Applications becoming more PC-like; e.g., email attachments (smart phones make up about 5% of cell phones)

    • Operating System uniformity increases appeal to hackers (i.e., Symbian, PocketPC, PalmOS dominate smart phones)

    • Standard markup and scripting languages create openings (e.g., JavaScript)

    • Phones increasingly carry sensitive info (e.g., business info)

    • Phones increasingly can make small financial charges

      • by accepting "reverse SMS" micropayment charges

      • i.e., there's a direct link to money

  • Potential impact of viruses seems high



Smartphone Security: General Outlook

Q: “What can mobile viruses do?”

  • Spread via Bluetooth, MMS

  • Send SMS messages

  • Infect files

  • Enable remote control of the smartphone

  • Modify or replace icons or system applications

  • Install “false” or non-operational fonts and applications

  • Combat antivirus programs

  • Install other malicious programs

  • Block memory cards

  • Steal data



Smartphone Security: Symbian OS…

  • Dominant smartphone OS (50% of phones shipped)

  • Allows user to install untrusted code

    • post-installation antivirus software not as mature as PC

  • Once installed code has access to all resources

    • extract phone numbers, email

    • send SMS, MMS, email; make HTTP connections

    • dial numbers; connect via Bluetooth

  • Possible to avoid detection

    • run in background (server); wait for long idles; delete logs

    • user unaware of filesystem

  • Possible to avoid removal, short of reflashing



Smartphone Security: Bluetooth…

  • Devices

    • 13% of phones sold worldwide in 2004; 4% in U.S.

  • Distances

    • Nominal range is 10 meters (often boosted to 100m)

    • Hijacking phones has been demonstrated at over a mile

  • Suggested cipher vulnerabilities

    • [see Wetzel]

  • Observation

    • a "personal networking standard" vulnerable to personal misjudgments and oversights



Smartphone Security: Creating the Conditions for a Perfect Storm?

[Figure: the smartphone at the meeting point of the PSTN, the Internet and Bluetooth]


Smartphone Security: Evolution

  • By early 2005 main types of mobile viruses had evolved

    • Very few in last 18-24 months are truly original

  • Now 31 families, 170 variants.

  • MMS will eventually become common method of propagation

[Figure: increase of known mobile malware variants over time, starting 6/2004]


Service Providers: Cyber Security Practice

Background

  • History

    • Network Reliability & Interoperability Council (NRIC)

    • NRIC VI & VII: assembled Cybersecurity Best Practices

    • applicable as appropriate; voluntary, …

    • more of a checklist where one would like a culture

  • Stipulation

    • Technical complexity; industry's superior expertise & resources

    • Regulation may not result in adoption of underlying philosophy



Service Providers: Cyber Security Practice

  • Question

    • Are ISP businesses "Markets for Lemons" wrt security?

      • asymmetric information > willingness to pay only average price

      • above average security will be driven out of the market?

  • Challenge

    • Are there approaches to improving security and reliability of infrastructure that benefit both users and providers?

    • What are the incentives?

    • Are ISP businesses dynamics and industry sectors different?
