210 likes | 406 Views
VoIP 2. Is free too Expensive? by Darren Bilby and Nick von Dadelszen. Different Types of VoIP. There are many different implementations of IP telephony: Skype MSN Firefly Cisco Office Asterix. VoIP Technology. Each type of VoIP uses different technology: Skype – Proprietary MSN – SIP
E N D
VoIP 2 Is free too Expensive? by Darren Bilby and Nick von Dadelszen
Different Types of VoIP • There are many different implementations of IP telephony: • Skype • MSN • Firefly • Cisco Office • Asterix
VoIP Technology • Each type of VoIP uses different technology: • Skype – Proprietary • MSN – SIP • Firefly – IAX • Cisco – H.323, Skinny • Asterix – SIP, IAX2 • Others – MGCP • Most of these do not have security built-in so rely on network controls
Attacks Against VoIP • Multiple attack avenues: • Standard traffic capture attacks • Traffic manipulation • Dynamic configuration attacks • Phone-based vulnerabilities • Management interface attacks
Consequences of Attacks • Eavesdropping and recording phone calls • Active modification of phone calls • Call Tracking • Crashing phones • Denying phone service – Slammer? • VoIP Spamming • Free calls • Spoofing caller ID
Capturing VoIP Data • Ethereal has built-in support for some VoIP protocols • Has the ability to capture VoIP traffic • Can dump some forms of VoIP traffic directly to WAV files. • Point and click hacking!
VoIP Security Solutions • You must protect the network traffic • Separate data and voice traffic – VLANs • Ensure IPSEC or other VPN technology used over WAN links • IDS monitoring on the network – ARP inspection • Host Security • VOIP enabled firewalls • Excellent guidelines in Cisco SAFE documentation • Or wait for more secure protocols
Skype – What Is It? • Proprietary VOIP system for calls over the Internet • Free and simple to use • Developed by the creators of KaZaA • Relies on P2P technology • Over 29 million users worldwide • Allows connections to regular phones through SkypeOut
Skype Connection Details • Listens on a random port, 80 and 443 • Connects to known Supernodes stored in the registry • Must establish connection with login server to authenticate • NAT and Firewall traversal • Any Skype client with an Internet IP address and suitable bandwith/CPU may become a Supernode
Skype Architecture Ref: "An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol“ Salman A. Baset and Henning Schulzrinne
Skype Call Security • Skype claims to encrypt all voice traffic with 128-bit or better encryption • The encryption implementation used is proprietary and closed-source • It is unknown whether the Skype organisation has the ability to decrypt all voice traffic
Other Skype Security Concerns • Same developers as KaZaA, known for spyware • Cannot stop client becoming a Supernode • Client allows file transfer, even through firewalls, an access path for malicious code, information leakage • Login server reliance
Should You Use Skype? • If you can answer yes to four questions: • Are you willing to circumvent the perimeter controls of your network? • Do you trust the Skype developers to implement security correctly (being closed-source)? • Do you trust the ethics of the Skype developers? • Can you tolerate the Skype network being unavailable?
Other VoIP Issues – Commercial Caller ID Spoofing • Multiple companies are now offering caller ID spoofing: - CovertCall - PI Phone - Star38 - Us Tracers - Camophone - Telespoof • Makes Social Engineering a lot easier • Many systems authenticate on CID
Other VoIP Issues – New Attack Tools • New tools make finding vulnerabilities easier • SIP Bomber • PROTOS Test-Suite • SiVuS
Good Sites For Learning More • Some good links for learning more about VoIP • http://www.voip-info.org/tiki-index.php?page=voip-info.org • http://www.vopsecurity.org/index.php