1 / 75

VoIP The Next Generation of Phreaking Revision 1.1

VoIP The Next Generation of Phreaking Revision 1.1. Ofir Arkin Managing Security Architect. Overview An Introduction to VoIP Challenges Facing VoIP and their relation to Security Media Transport - Examining RTP , RTCP and Security

lajos
Download Presentation

VoIP The Next Generation of Phreaking Revision 1.1

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. VoIPThe Next Generation of PhreakingRevision 1.1 Ofir Arkin Managing Security Architect

  2. Overview An Introduction to VoIP Challenges Facing VoIP and their relation to Security Media Transport - Examining RTP, RTCP and Security Signaling – The Session Initiation Protocol as an example “What a call worth If you can’t speak Mr. Anderson?” Examples with VoIP and Security Agenda

  3. “...It is no longer necessary to have a separate network for voice...” Overview The fact that IP is the vessel for voice transmission, inherits the security problems that comes along with the Internet Protocol. The security hazards are even more complex because of the nature of speech (voice quality), and other special conditions the VoIP technology needs to meet in order to fulfill its promise as a new emerging technology for carrying voice.

  4. Overview Some security issues arise from Media Transport protocols (RTP, RTCP, SCTP) being used to carry voice, some security issues arise from Signaling protocols (SIP, H.323, MEGACO, MGCP) and their respected architecture (the placement of the “intelligence”, as an example) which are being used, and other issues arise from the different components that combine a VoIP architecture. We will also examine supporting protocols, such as Quality of Service (QoS) protocols. We can even name physical security as another source for concern. VoIP has a wide range of deployment scenarios, hence a wide range of security problems reflecting these scenarios.

  5. A Definition of VoIP We can define VoIP simply as “the transport of voice traffic using the Internet Protocol”. Stating “using the Internet Protocol” associates the usage of the Internet in the mind of many people. But the matter of fact is that Internet Telephony is only a portion of VoIP, and VoIP has a broader definition. To remove any shreds of a debut we define VoIP as “the transport of voice traffic using the Internet Protocol utilizing any network”.

  6. Protocols Combining a VoIP Solution Protocol Types: • Signaling – Protocols in which Establish, Locate, Setup, Modify and Teardown sessions. • Media Transport – Protocols which transmit the voice samples. • Supporting (Services) – DNS, Location Servers, QoS, Routing Protocols,AAA…

  7. Protocols Combining a VoIP Solution The Location Service is being queries to check that the destination IP address represents a valid registered device, and for its IP Address DNS Server DNS Query for the IP Address of the SIP Proxy of the Destination Domain Location Service The INVITE is forwarded 4 2 3 A request is sent (SIP INVITE) to ESTABLISH a session SIP Proxy 5 The request is forwarded to the End-Device SIP Proxy 1 SIP IP Phone 6 Media Transport Destination device returns its IP Address to the originating device and a media connection is opened SIP IP Phone

  8. Examples for Protocols Combining a VoIP Solution – It is a Zoo Station • Signaling • SIP (IETF) • H.323 (ITU-T) • MGCP (IETF) • MEGACO • Media Transport • RTP and RTCP (IETF) • SCTP (IETF) • Supporting Services • DNS • Routing - TRIP (Telephony Routing over IP) • Quality of Service – RSVP, 802.1q

  9. Why Replacing the Current Infrastructure of Telephony? – A Carrier Perspective Two separate reasons:- Technology is Advancing: Circuit switching is not suitable to carry anything else than voice, it does not qualify as a suitable technology for the new world of multimedia communications (Video, Email, Instant Messaging, the World Wide Web, etc.). Traditional Telephony cannot provide, for example, the types of features that are needed by a contemporary business in the advancing age of e-Commerce. - The $ FactorSubscribers would still like to use the telephone for making and receiving phone calls, but they would also like to have the ability to use the telephone to interact easily with other applications, and to easily use new services.

  10. Why IP? Carrier Perspective – Lower Equipment Costs • Traditional Telephony: • Proprietary hardware, application software and operating system when purchasing a telephony switch. • One Vendor usually supplying the entire equipment for the whole network • The Vendor will also supply with training support and future development for its equipment. This will bind the operator with the supplier for a long term of time, since it is not cost effective to replace the equipment. It will also limit the opportunities for 3rd parties to develop new software applications for these systems.

  11. Why IP? Carrier Perspective – Lower Equipment Costs • IP: • In the IP world most of the equipment is standard computer equipment which is mass produced. This offers great flexibility for the purchasing party. One company can supply the hardware, another can supply the operating system, and another can develop special features. Several companies can be hired to supply different systems for the network. • Because of the distributed client server architecture of IP, operators have the ability to start small and grow.

  12. Why IP? Carrier Perspective – Lower bandwidth requirements Unlike traditional telephony that is limited to the usage of the ITU recommendation G.711 based codec, and therefore transport voice at the rate of 64kbps, VoIP can use other sophisticated coding algorithms that will enable speech to be transmitted at speeds such as 32kbps, 16kbps, 8kbps, 6.3kbps, or even 5.3kpbs. Some VoIP based protocols are also able to negotiate an accepted coder scheme to be used, enabling the usage of more than one coder scheme and the ability to introduce new coders in the future. Taking into account that a large portion of a carrier’s operational costs is it’s transmission capabilities, VoIP can significantly reduce bandwidth requirements to as little as one-eighth of what is used today in the circuit switched world, and therefore make a significant bandwidth and money savings.

  13. Why IP? Carrier Perspective • More business opportunities and revenue potential • “Show me the money Jerry!” • Introducing new services to Telephony subscribers • The time-to-market of new services • New Technology brings new comers to the market (good?) • Integrating Voice and Data applications

  14. Why IP? User Perspective – Corporate Users • One of the fastest growing markets for VoIPis theenterprise LAN. More and more enterprise LANs are carrying both Voice, Video and Data. More and more large organizations, especially in North America, are using IP based dedicated leased lines between different branches of the company to carry not only data but voice and video. Using this way, these companies are saving the costs of long distance calls using traditional telephony. The leased lines can also be used for video conferencing and for other usages that will bring significant cost savings for an organization.

  15. Why IP? User Perspective - Consumers Consumers might have several other reasons behind the usage of IP to carry voice, rather than a Carrier Grade Telephony Operator, or a corporate user. Lower Bandwidth Requirement – VoIP can use several sophisticated coding algorithms that will enable speech to be transmitted at speeds such as 32kbps, 16kbps, 8kbps, 6.3kbps, or even 5.3kpbs. VoIP based protocols are able to negotiate an accepted codec scheme to be used, enabling the usage of more than one coder scheme and the ability to introduce new codecs in the future. These abilities present the End-User of the ability to use the Internet and VoIP technology to make voice conversations with any other PC User connected to the Internet. This is also one of the usages of Internet Telephony.

  16. Why IP? User Perspective - Consumers Significant Cost Savings - For consumers the introduction of VoIP not only brings more added value services when they use their telephone. It also brings the opportunity to have significant cost savings in the cost of phone calls. Today consumers can use an ordinary telephone to connect to an Internet Telephone Service Provider(ITSP). The ITSP is using IP to provide low cost Voice/Fax connections through combinations of the Internet, leased lines, and the PSTN. All the ITSP has to do is to use an equipment to convert the voice to data, transport the data, and convert it back to voice. The cost reduction for the ITSP comes from the usage of the Internet as the voice transport vessel. The ITSP does not have to build a full blown telephony infrastructure.

  17. Why IP? User Perspective - Consumers ITSPs also connect PC users to traditional telephony users. Here the costs savings are even more considerable both to the ITSP and for the consumer (the ITSP is not required to pay for interconnect from the User side). Using such an ITSP service can reduce phone call costs considerably. For example, on calls made between the United Kingdom to Israel instead of paying 1.7GBP per minute with traditional telephony, paying only 0.055GBP per minute when using an ITSP.

  18. Challenges Facing VoIP • Speech Quality • Delay/Latency • Jitter • Packet Loss • Speech Coding Techniques • Network Availability, Reliability and Scalability [Carrier] • Managing Access and Prioritizing Traffic [Carrier] • Security [All]

  19. Problems Facing VoIP – Speech Quality Speech quality is affected by many different technical attributes. We can name, for example, the codec used, system latency, jitter, packet loss, and other. Usually the codec chosen will be an industry standard. Therefore latency becomes one of the most important attribute affecting voice quality.

  20. Problems Facing VoIP – Speech Quality Latency/Delay With VoIP we define latency as the interval it takes speech to exit the speaker’s mouth and reach the listener’s ear. This definition is also known as “one way latency” or “mouth-to-ear latency”. Typically latency is measured by milliseconds. The sum of the two one-way latency figures is also known as the round trip latency. ITU-T recommendation G.114 specifies that in order to have a good quality of voice, the round-trip delay should not exceed 300ms.

  21. Problems Facing VoIP – Speech Quality • We can name several reasons for delay with VoIP that are inherited from the usage of IP based networks: • Packetization/Voice Coding and Transmission Delay – The time it takes to pack and send a voice sample. • Handling Delay – The time it takes to process a packet. • Queuing Delay – The time it takes to be queued. • Convergence Delay – The time it takes to convert VoIP based traffic to its PSTN equivalent and vise versa.

  22. Problems Facing VoIP – Speech Quality: Jitter We can define jitter as delay variation. If we experience a delay in a conversation, there are methods to adjust this delay, provided that the delay is not too big. If the delay varies than adjusting the delay becomes a harder task.

  23. Problems Facing VoIP – Speech Quality: Packet Loss In order to have a high speech quality we need that little to none of the speech samples being transmitted from the speaker to the listener will be lost. However, with data networks it is expected, and common, to have packet loss. One of many reasons might be a congest network, and so on. With voice, we cannot use traditional retransmission mechanisms when packets are lost, since voice is delay sensitive. These retransmission mechanisms will introduce additional latency to the process (UDP vs. TCP). Time is needed to determine that a packet was lost, and time is needed to retransmit the missing packet. With VoIP we can suffer packet loss up to 5% of the traffic exchanged. But still the packets which were lost cannot be successive packets. If a packet is missing the listener’s system must carry on without that packet.

  24. Problems Facing VoIP – Speech Quality: Packet Loss Packet loss may affect codecs differently, since codecs compress the audio data in different ways. A codec which do little compression will loose a smaller portion of the audio compared to a codec which is using an advanced compression scheme to use less bandwidth. Therefore the affect on the voice quality will also be different. Another problem we can raise is the out of sequence arrival of voice sample carrying packets. We need to ensure that speech is received at the other end as transmitted. Otherwise packets will be presented to the listener out-of-order, or discarded… A way to deal with some of these problems is the usage of Quality of Service (QoS) based mechanisms (where you can…).

  25. Problems Facing VoIP – Speech Quality: Speech Coding Techniques If speech sounds synthetic, the latency prevention, bandwidth reduction and packet loss minimization techniques will be useless. The speech coding technique selected should reduce bandwidth while still maintaining a good quality of speech. We can make a rough statement and claim that the lower the bandwidth requirements of a certain codec, the lower the voice quality produced. Also, a better voice quality is usually using a more complex algorithm and therefore more processing power is needed. This does not mean that there are no codecs which produce a good quality of speech without high bandwidth requirements.

  26. Voice Quality with Internet Telephony With Internet Telephony voice quality issues are the most problematic to overcome. The problem is that the Internet is not a network where one can prioritize traffic or preserve bandwidth. We can name packet loss, congestion, delays, and reliability as other venues of troubles for voice quality, which adds to the overall problem of voice quality with Internet Telephony. We need not forget that with the Internet, which is a packet switched network, packets may take different routes to a destination. This means that voice samples may arrive out of order at the receiver side. It also increases the chances of packet loss.

  27. Problems Facing VoIP – Network Availability, Reliability and Scalability Carrier Grade Telephony networks are available 99.999% of the time. This means a downtime of only 5 minutes per year. Carrier Grade Telephone operators who wish to rely on VoIP based technology to offer telephony services are required to have the service available exactly as it is today – 99.999% of the time. Every time you will wish to use your VoIP based telephony service, you will have to have a service when picking up the telephone’s handset (a dial tone and the ability to complete a call). The VoIP core network is required to be resilient and redundant. For other parts of the network, it depends on the network architecture and infrastructure. There are numerous problems of availability at the edge of the network. These problems relate to the way the last mile in a VoIP based telephony network is built.

  28. Problems Facing VoIP – Network Availability, Reliability and Scalability A Carrier Grade VoIP network is required to be scalable and to support hundred of thousands of concurrent connections/calls as it is today with circuit switched telephony networks. A VoIP based network also needs to maintain the ability to grow with demand and to be scalable. As was mentioned in previous sections, a VoIP based network is able to start small and expend as demand for bandwidth and service increases.

  29. Problems Facing VoIP – Network Availability, Reliability and Scalability

  30. Problems Facing VoIP – Managing Access and Prioritizing Traffic With VoIP based networks Voice, Data, and Video share the same network. Voice and Data has their own quality requirements, and must not be treated the same way within the network. Bandwidth must be preserved to Voice, so whenever a subscriber wishes to place a call he will be able to do so, and the appropriate bandwidth will be assigned to its call. If large data transfers occur at the same time, priority must be given to the voice traffic over the data traffic. So voice traffic will not be queued back, and latency and packet loss will occur. This means that the most critical traffic, voice, will not be affected from a congested network. In order to be able to prioritize traffic and reserve bandwidth VoIP based networks will have to use quality of service (QoS) based solutions.

  31. Problems Facing VoIP – Security The wide availability of IP does not only contribute to the VoIP technology widespread, but also inherits the security hazards along with it. The fact that data and voice share the same network is the root of some of the security problems associated with VoIP. The fact that IP is the vessel for voice transmission, inherits the security problems that comes along with usage of the Internet Protocol. The security hazards are even more complex because of the nature of speech within VoIP networks, and other special conditions VoIP needs to meet. We can mention resource starvation attacks, session hijacks, and session manipulation, as examples of attacks on VoIP based networks resulting from the usage of IP for transporting voice.

  32. Problems Facing VoIP – Security Old school security problems are not the only security problems which VoIP is facing. Some security issues arise from media transport protocols being used to carry voice, some security issues arise from signaling protocols and their respective architectures (the placement of the “intelligence”, as an example) which are being used, and other issues arise from the different components that combine a VoIP architecture. Even supporting protocols, such as quality of service protocols have their security issues. We can even name physical security as another source of concern.

  33. Problems Facing VoIP – Security We need not to forget another major factor which is the fact that signaling and voice are sharing the same networks. Because most of the VoIP based signaling protocols are used in-band, another venue for trouble is opened. VoIP has a wide range of deployment scenarios, hence a wide range of security problems reflecting those scenarios.

  34. Problems Facing VoIP – Security Another concern with VoIP based networks is that an end-user maintains the ability not only to place a call, and interact with his own switch, but has the ability to interact with some other parts of the infrastructure as well. This includes other networking devices combining the network, protocols being used whether media transport protocols or signaling protocols, the TCP/IP protocol suite, etc. Some of the VoIP based protocols gives an end-user a broader options to interact with the network, not only using features, but also because the intelligence is at the edge (the telephone itself). Those risks put in danger network availability, and voice quality. Not even mentioning other issues such as fraud, and phreaking. There are a lot of constraints a carrier grade VoIP based operator needs to put on his VoIP based network in order to eliminate some of these risks.

  35. VoIP Security – What is at stake? Everything… From IP Phones to Core Routers through Media Gateways, SIP Proxies, Gatekeepers, Location Servers, Routers, Switches, VoIP based Firewalls… Any Equipment combining a VoIP infrastructure of some sort. Any Protocol used whether a signaling protocol (SIP, H.323, MEGACO, MGCP) or used to carry the voice samples (RTP, RTCP). Taking advantage of the protocols themselves is in my opinion the name of the game. Any TCP/IP protocol used

  36. VoIP Security – Physical Security With a 4th Generation Carrier the Last-Mile is the main concern: • The main concern is with Access to the Physical Wire (and to equipment). If achieved all is downhill from there (this holds true for any architecture using VoIP as well). • Equipment is likely to be stolen Routers and switches are nice decorations for a room. • Physical Tempering - “Cut the cord Luke”

  37. VoIP Security – Physical Security Voice Packet Shaping for QoS (DiffServ) Data Voice My Hub (is your Hub) Data Bypassing simple packet shaping mechanisms. Getting into the Voice VLAN: End-of-Game.

  38. VoIP Security – Physical Security Eavesdropping can be done easily if there is access to the wire, with no specialized equipment other than a hub, a knife, and a clipper. • Between the IP Phone (or Customer Premises Gateway) and the Switch • Between two switches With both scenarios we bypassed any QoS mechanism used.

  39. VoIP Security – Physical SecurityFree Phone Calls I am representing the physical address of the IP Phone I am representing the physical address of the Switch An “Advantage” Over Phreaking of this sort because the eavesdropper can also have free calls without the knowledge of the subscriber… Using Call-ID to differentiate between calls destined to the phreaker to the calls destined to the owner of the line.

  40. VoIP Security – Availability • Availability& Redundancy • No Electricity No Service. “G, here goes our Carrier Grade availability…” • Costs of redundancy, and UPSs for every switch and router at the last mile… • Denial-of-Service - Even more easy with VoIP, since you really do not need to be that smart and use too much traffic, but still you can cause outage in the whole network, a neighborhood, or a building, or on a single end-user.

  41. VoIP Security – Availability To perform a denial-of-service you might use several venues: • Flood (G what is new with that?) • Abuse the protocols themselves – Introduce denial-of-service conditions taking advantage over the protocols used to do VoIP (examples later). The type of devices one might target are, for example: • IP Phones (Easy) • Routers, Switches (depends on the equipment) • Signaling Gateways, Media Gateways, SIP Proxies… (Easy-Medium) • Any device in the path a call takes from a caller to a called party

  42. Media Transport–RTP Used by a receiver to detect packet loss (also can be used to restore packet sequence). Indicates the instant at which the first byte in the RTP payload was generated. The timestamp is used to place RTP packets in a correct timing order Identifies the source of an RTP stream

  43. Media Transport–RTP Security Issues • Denial of Service • The Way RTP Handles SSRC Collisions • Sending command using SSRC of another participant of a session. Result – The ability to drop users from a certain session • Claiming SSRC of a user Result: Transmission will stop, new selection of SSRC needs to take place and the transmission should resume. • Why shutdown when we can have some fun? – Same SSRC, higher sequence number, higher timestamp. The fake content will be played before the real one. This means that from now on we will be able to play what ever we wish to this side of the conversation since all the next transmissions of the other side will look “old” to the receiving party…

  44. Media Transport–RTP Security Issues • Dodge this - Changing of audio encoding during a session. This can be used to temper with Voice Quality, either using a low quality codec, or using a higher quality codec that will jam the pipe. • Encryption • DES – Breakable (like other technologies and products…) • If SIP is used the DES Key is sent in the clear with SDPs “k” parameter… • Actually introducing more delay and jitter, so who wants to use this anyway?

  45. Media Transport–RTP Security Issues Mix This You Foo (Tricking “Mixers” to mix whatever from wherever) Too much to handle for one IP Phone when receiving traffic from 3 sources at 64kbps Different link speeds connected to a conference

  46. Media Transport–RTP Security Issues • Changing a used codec in the middle of the session– sometimes happens automatically when the network suffers from congestion. By forging a voice codec change, not only reducing quality of voice, it might also introduce other problems as denial-of-service, crash of end systems, etc. • Eavesdropping – Since RTP identifies the codec being used (statically) or either using a “dynamic” identified codec it is easy to reconstruct the voice sampling (even in real time).

  47. Media Transport–RTCP Security Issues • Forging Reception Reports • Reporting more Packet Loss – Might lead to the usage of a poor quality codec with an adaptive system. • Report more Jitter - Might lead to the usage of a poor quality codec with an adaptive system. • Denial of Service • RTCP “BYE”, not in sync with the Signaling protocol. The Signaling protocol is not aware that there is no exchange of voice samples any more…

  48. SIP (Session Initiation Protocol) “The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol for creating, modifying and terminating sessions with one or more participants. These sessions include Internet multimedia conferences, Internet telephone calls and multimedia distribution. Members in a session can communicate via multicast or via a mesh of unicast relations, or a combination of these”. Taken from RFC 2543

  49. SIP Design & Methods • A client-server based protocol modeled after HTTP • Building Blocks are Requests and Responses • The Methods are: • INVITE – Session Setup • Initiate Sessions • Re-INVITEs used to change session state • ACK – Confirms INVITE sessions • BYE – Terminate Sessions • CANCEL –Pending session cancellation • OPTIONS – Capability and options Query • REGISTER – Binds Address to Location

  50. SIP Components SIP UAC – SIP User Agent Client SIP UAS – SIP User Agent Server UA – UAC + UAS SIP Proxy – Relays the Call Signaling without maintaining a state (although able to). Receives a request from a UA or another Proxy Server, and forwards or proxies the request to another location (The ACK and BYE are not required to go through the SIP Proxy Server). SIP Redirect – Receives a request from a UA or a Proxy. The Redirect Server will return a 3xy response stating the IP address the request should be sent to. SIP Registrar – Receives Registration requests, and keeps the user’s whereabouts using a Location Server.

More Related