Cable Datacom News
SEPTEMBER 2004


Time To Get Serious About VoIP Security
Integrating Voice and Data Traffic Also Could Compromise IP Telephone Service Reliability

SEPTEMBER 01, 2004

Special to Cable Datacom News by Rohit Dhamankar, TippingPoint Technologies

Voice-over-IP (VoIP) technology has come of age and is quickly gaining momentum on broadband networks. Competitive providers such as Vonage and AT&T are leveraging cable modem connections to offer voice services using Session Initiation Protocol (SIP), without the direct participation of MSOs. And now, leading MSOs such as Cablevision Systems, Time Warner Cable and Charter Communications are beginning commercial rollouts of their own IP voice services using PacketCable infrastructure.

Rather than relying on a separate circuit-switched infrastructure, VoIP packetizes phone calls for delivery through the same cable modem connections and backbones that deliver broadband Internet traffic, creating significant bandwidth and operating efficiencies. However, this means VoIP traffic is also prone to the same cyber threats that plague data networks today. These include denial-of-service (DoS) attacks, worms, viruses, and hacker exploitation. In addition to these traditional network security and availability concerns, there is also a plethora of new VoIP protocols that have yet to undergo detailed security analysis and scrutiny.

The challenge of VoIP security is not new. History has shown that advances and trends in information technology (e.g. TCP/IP, wireless 802.11, Web services, etc.) typically outpace the corresponding realistic security requirements. Such requirements are often tackled only after these technologies have been widely adopted and deployed.

Introduction

VoIP technology in general refers to the set of software, hardware and industry standards that enable "voice" to be transported using the Internet Protocol (IP). The technology has been initially welcomed by many broadband service providers who plan on offering telephony services to their customers for several reasons:

  • VoIP phone bills are typically cheaper than traditional phone bills to the consumer.
  • VoIP networks offer providers easier management and reduction in operating costs for a combined network for voice and data.
  • VoIP technology is rich with features to support next-generation multimedia applications.

However, despite the seemingly overwhelming advantages of VoIP compared to the Public Switched Telephone Network (PSTN), there are stringent and mandatory requirements that VoIP providers and the technology itself must live up to:

  • For service providers, a VoIP network must provide emergency services like 911 at all times, and have an uptime (99.995%) similar to that of the traditional phone network.
  • To make the end-user experience of a phone call over the IP network comparable to the traditional phone call, VoIP networks must guarantee a quality of service (QoS) similar to traditional phone systems. This implies that the VoIP implementations must effectively deal with lost voice packets and voice packets arriving out-of-order, which are a common occurrence in a typical IP network.
  • The VoIP network must also guarantee that any communication between the end parties in a call cannot be intercepted or modified by a malicious third party. It should be difficult for a hacker to conduct a man-in-the-middle attack between the end parties.
  • The VoIP implementation should enforce user authentication and not allow any unauthorized party to make or disrupt phone calls.

Along with the aforementioned requirements, the convergence of voice and data networks only serves to exacerbate and magnify the security risks of today's prevalent cyber attacks. Successful attacks against a combined voice and data network can totally cripple a service provider and result in irate customers or lost revenue. An attacker or terrorist capable of compromising the VoIP infrastructure could even potentially manipulate the SS7 signaling interconnection to disrupt services on the PSTN.

Many important security issues -- such as authentication, authorization, confidentiality, integrity and non-repudiation -- are specifically addressed within the cable industry's PacketCable security specifications. However, protecting VoIP networks, like protecting data networks, also requires keeping the infrastructure servers completely up-to-date with patches for the latest vulnerabilities. Unfortunately, the trend of shrinking vulnerability-to-exploit windows presents a daunting challenge for administrators trying to patch hundreds of servers and switches, and potentially millions of customer premises endpoints. Worse, due to availability concerns in a VoIP network, maintenance windows for normal upgrades and patching may be few and far between. Thus, defense strategies that include "virtual patching" are needed to protect VoIP networks.

VoIP Building Blocks

There are a variety of devices, protocols and configurations seen in typical broadband VoIP deployments today. In cable networks, the NCS and SIP protocols are most often used to transmit call signaling messages between infrastructure servers and customer premises equipment. NCS, which stands for Network Call Signaling, is a protocol developed by PacketCable specifically for communication between a service provider's soft switch and the terminal adapter devices at the cable customer premises. SIP (Session Initiation Protocol) was developed by the IETF to be a highly flexible protocol that can be used in a variety of deployment architectures. For example, SIP can be used to make calls between a PC and a traditional phone, a PC and another PC, a traditional phone and another traditional phone, a VoIP phone and another PC, and a traditional phone and a VoIP phone. Further, SIP is an important technology for enabling the feature-rich multimedia services that can make one service provider's VoIP offering more attractive to customers than another.

The physical elements that are present in a typical service provider's VoIP deployment include:

  • IP Phone Adapters: In a PacketCable environment, a Multimedia Terminal Adapter (MTA) converts voice into data packets. The MTA can be either standalone (S-MTA) or embedded (E-MTA) in the cable modem. Traditional phones can be connected to MTA devices to place and receive calls. Similarly, in a SIP deployment, a SIP adapter performs the necessary data conversion and call signaling functions.

  • VoIP Telephone: In a SIP environment, specialized VoIP phones may be used rather than an adapter. The phone is capable of converting voice into data packets and may also have advanced features like Web browsing, instant messaging and multi-media conferencing. In addition, "soft phones" can be used, where the soft phone is a software application running on a PC outfitted with a sound card and microphone.

  • Call Management Server (CMS): The CMS is the core of the service provider's VoIP infrastructure. The CMS provides the overall call control "intelligence" and is responsible for controlling and managing all of the other devices, including the customer endpoints and PSTN gateways. The CMS is a software application that runs on a dedicated server. The functionality is typically provided by a product known as a "soft switch."

  • Gateway: The gateway is a network device or set of devices that connect the VoIP network to the PSTN. In most service provider deployments, the gateway consists of three distinct components: the media gateway (MG), which handles conversion of voice data; the signaling gateway (SG), which provides an SS7 interconnection for call signaling; and the media gateway controller (MGC), which controls both MG and SG. Note that the MGC is often co-located with the CMS.

  • Optional and Support Elements: MultiPoint Control Units for conferencing, feature servers for providing multimedia services, backend services for provisioning and tracking of call endpoints, authentication servers, billing systems, etc.

Session Initiation Protocol

The Session Initiation Protocol (SIP) was defined by the Internet Engineering Task Force (IETF) for creating, modifying and terminating sessions between two or more "intelligent" participants. These sessions are not limited to VoIP calls. The SIP protocol is a text-based protocol similar to HTTP. By using a smart endpoint, it allows VoIP to be delivered independent of the physical access network. A SIP deployment typically uses a proxy server to initiate calls on behalf of the endpoint (a user or VoIP phone), and a location server to track an endpoint's location.

PacketCable NCS

NCS is a protocol specific to PacketCable that is a profile of the MGCP protocol (Media Gateway Control Protocol) described in RFC 3435. NCS is a master-slave protocol that is used by the CMS to control the MTAs at the customer premises. Unlike SIP, where "intelligence" is distributed amongst the communicating parties, NCS confines all call control intelligence to the CMS while the MTA acts as a "dumb" endpoint. The CMS explicitly instructs the MTA to send notifications when certain events occur, such as the phone going off-hook or the user dialing digits. In turn, the CMS orchestrates PSTN gateways and other systems to enable the call and passes explicit instructions to the MTAs regarding the setup and teardown of voice channels.

VoIP Security Threat Scenarios

A VoIP deployment faces a variety of threats from different networking layers, as well as from different areas of trust within the network. For instance, an attacker can try to compromise a VoIP gateway, launch a denial-of-service attack against the soft switch, exploit a vulnerability in a vendor's SIP protocol implementation or try to hijack VoIP calls through traditional TCP hijacking, ARP spoofing, or application manipulation. The attacks against a VoIP network can be categorized as follows:

  1. Attacks against the underlying VoIP devices' operating system: VoIP devices such as IP phones, soft switches, gateways, and proxy servers inherit the same vulnerabilities of the operating system or firmware they run on top of, such as Windows, Linux, Solaris or Cisco IOS. There are hundreds of remotely exploitable vulnerabilities in flavors of Windows and Linux operating systems for which there are numerous "point-and-shoot" exploits freely available for download on the Internet. No matter how secure an actual VoIP application happens to be, the situation becomes moot if the underlying operating system is compromised.

  2. Configuration Weaknesses in VoIP devices: Many VoIP devices in their default configuration have a variety of exposed TCP and UDP ports. The default services running on the open ports may be vulnerable to DoS, buffer overflows or authentication bypass, which may result in compromising the VoIP device. For example, many VoIP devices run Web servers for remote management purposes, which may be vulnerable to attacks ranging from information disclosure to SQL injection to buffer overflows. If any of the open services use weak or no authentication, an attacker may acquire unauthorized access to the device. Additionally, the SNMP services used for remote management may be vulnerable to reconnaissance attacks or buffer overflows. Finally, many VoIP devices are configured to periodically download a configuration file from a server through TFTP or other mechanisms. An attacker could potentially divert or spoof this connection and trick the device into downloading a malicious configuration file.

  3. IP Infrastructure Attacks: The availability of VoIP services directly depends on the availability of the IP infrastructure they ride upon. Any distributed DoS (DDoS) attacks such as SYN floods or other traffic surge attacks that exhaust network resources (e.g. bandwidth, router connection table, etc.) could severely impact all VoIP communications. Even worms or zombie hosts scanning for other vulnerable servers could cause unintentional traffic surges and severely impact the availability of VoIP services. Many VoIP protocols rely on TCP/IP and UDP/IP as transport mediums and hence are vulnerable to transport- and network-level attacks on these protocols, such as session hijacking (TCP), malicious IP Fragmentation, spoofing (UDP), TCP RST window brute forcing, and a variety of IP protocol anomalies that may cause unpredictable behavior in some VoIP services.

  4. VoIP Protocol Implementation Vulnerabilities: Functional protocol testing (also called "fuzzing" or "black box testing") is a method of finding vulnerabilities by creating different types of malformed packets involving a particular protocol and sending these packets to a system under test. The test packets contain data that push the limits of the protocol specification to trigger an implementation error in the protocol handling code. Hundreds or thousands of different anomalous packets are sent to the target system and the target is monitored for any abnormal behavior (crash, resource consumption, etc.). These test methods have already led to the discovery of a wide variety of serious vulnerabilities in vendor implementations of VoIP products. For example, the University of Finland's PROTOS group developed a fuzzer tool that exposed a number of flaws in various vendors' SIP implementations.

  5. VoIP Application Level Attacks: At the application level, there are a variety of VoIP specific attacks that can be performed to disrupt or manipulate service. Some specific examples include:
  • Denial of Service: By spoofing his identity, an attacker may cause a denial-of-service (DoS) in SIP-based VoIP networks by sending a "CANCEL" or "BYE" message to either of the communicating parties to end the call. Since SIP is UDP based, sending a spoofed ICMP "port unreachable" message to the calling party could also result in disruption of communications.

  • Call Hijacking: An attacker can spoof a particular type of SIP response that tells the caller that the called party has moved to a rogue IP address, and hijack the call.

  • Resource Exhaustion: A DHCP-based DoS attack could starve the network of IP addresses by exhausting the IP address pool of a DHCP server in a VoIP network.

  • Eavesdropping: An attacker with local access to the VoIP LAN could potentially sniff the network traffic and decipher the voice conversations. A tool named VOMIT (voice over misconfigured internet telephones) can be downloaded to easily perform this attack.

  • Toll Fraud: An attacker can impersonate a valid user/IP phone and use the VoIP network for making free long distance calls.

The Future of VoIP Security

VoIP technology is still at the early stage of adoption, and attacks against deployments have been largely unheard of or undetected. As VoIP increases in popularity with consumers and the number of subscribers rises, so does the potential for harm from a cyber attack.

The 2004 CSI/FBI computer crime and security survey states that denial-of-service attacks are now the most expensive problem for organizations, with insider network abuse ranked third. This does not bode well for ensuring availability of VoIP networks without a proactive way to detect and block these attacks. It will become easier for attackers to infect and control a large number of zombie "bots" by continuing to exploit the vulnerabilities in the widely deployed Windows and Linux platforms. It has been reported that the wildly successful strain of Agobot worms at one time had infected hundreds of thousands of Windows systems, allowing groups of hackers to launch distributed attacks. A recent DDoS attack on Akamai's DNS infrastructure is estimated to have involved over 15,000 compromised zombie hosts worldwide. The attack significantly impacted the availability of the Akamai network.

Undoubtedly, there are many vulnerabilities yet to be discovered in the implementations of the many different VoIP protocols in use today. It will be important to prevent these as-yet-undiscovered vulnerabilities from being exploited by enforcing selective conformance of VoIP protocols to their specifications and providing proactive zero-day protection. We can expect to see more VoIP application- and protocol-level attacks as attackers become savvier to the technology and begin to recognize the target value of a service provider's VoIP infrastructure (e.g. the SS7 interconnection). Further, as VoIP becomes more widely deployed in residential areas, attackers gain easier access to test the limits of a provider's security mechanisms. Going forward, it becomes critically important for network administrators to track calls, devices, users, and sessions and to enforce a strong security policy that prevents abuse of the VoIP network.

VoIP Security via Intrusion Prevention

Much like firewalls in any IT infrastructure today, Intrusion Prevention technology is a required component in any VoIP deployment. It is used to prevent DDoS floods, viruses, worms, buffer overflows and many other network protocol and application-level attacks against the IP infrastructure in general and against VoIP devices in particular. The Intrusion Prevention solution works by sitting inline on a network, examining the VoIP protocol messages at wire speed, and then blocking any anomalous packets or known attacks.
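
The protocol conformance enforcement discussed above, reduced to one concrete check, as an added example that is not from the article or from any TippingPoint product: a Python function that validates a SIP request against a few RFC 3261 rules of the kind an inline device could apply before forwarding it. The function name, the 512-character line limit and the example.com sample message are assumptions made for this illustration, and folded header lines are deliberately treated as violations.

```python
import re

REQUIRED = ("via", "to", "from", "call-id", "cseq", "max-forwards")  # RFC 3261 section 8.1.1
COMPACT = {"v": "via", "t": "to", "f": "from", "i": "call-id",
           "l": "content-length", "m": "contact"}  # RFC 3261 compact names (subset)
MAX_LINE = 512  # assumed local policy limit, not an RFC value
REQUEST_LINE = re.compile(r"([A-Z]+) \S+ SIP/2\.0")

def _num(text, limit):
    """Return text as int if it is ASCII decimal <= limit, else None."""
    ok = re.fullmatch(r"[0-9]{1,10}", text) and int(text) <= limit
    return int(text) if ok else None

def check_sip_request(raw: bytes) -> list:
    """Return conformance violations for one SIP request (empty = pass)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["header section not terminated by an empty line"]
    lines = head.decode("utf-8", "replace").split("\r\n")
    start = REQUEST_LINE.fullmatch(lines[0])
    if not start:
        return ["malformed request line"]
    problems, headers = [], {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if len(line) > MAX_LINE:
            problems.append("header line longer than policy limit")
        elif line[:1] in " \t" or not colon or not name.strip():
            # Folded headers are legal SIP but rejected by this strict profile.
            problems.append("folded or malformed header line")
        else:
            key = name.strip().lower()
            headers.setdefault(COMPACT.get(key, key), value.strip())
    problems += [f"missing mandatory header {h}" for h in REQUIRED if h not in headers]
    cseq, hops, clen = (headers.get(h) for h in ("cseq", "max-forwards", "content-length"))
    if cseq is not None:
        seq, method = (cseq.split() + ["", ""])[:2]
        if _num(seq, 2**31 - 1) is None:
            problems.append("CSeq number invalid or out of range")
        if method != start.group(1):
            problems.append("CSeq method differs from request method")
    if hops is not None and _num(hops, 255) is None:
        problems.append("Max-Forwards not in 0..255")
    if clen is not None and _num(clen, 65535) != len(body):
        problems.append("Content-Length does not match body size")
    return problems

# Constructed sample request; example.com names are placeholders.
SAMPLE_INVITE = (
    b"INVITE sip:bob@example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP pc1.example.com;branch=z9hG4bK776asdhds\r\n"
    b"Max-Forwards: 70\r\n"
    b"To: <sip:bob@example.com>\r\n"
    b"From: <sip:alice@example.com>;tag=1928301774\r\n"
    b"Call-ID: a84b4c76e66710@pc1.example.com\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Length: 0\r\n\r\n"
)
```

Calling `check_sip_request(SAMPLE_INVITE)` returns an empty list; any non-empty result names the rules the message broke, which is the decision point for dropping or logging it.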

TippingPoint has established the VoIP Security Research Lab as a nerve center for VoIP security testing. The company is eager to work with VoIP vendors and customers in analyzing weaknesses in VoIP architectures, discovering new vulnerabilities through functional protocol testing, educating and training, as well as presenting security research.

Rohit Dhamankar is a senior security engineer at TippingPoint, where he focuses on vulnerability research and TippingPoint's Digital Vaccine development for the company's Intrusion Prevention Systems. In addition, he authors the weekly SANS @RISK newsletter, and is on the editorial board for the 2004 SANS Top-20. He got a start in the information and network security field at Cisco Systems, where he worked as a software developer for Cisco's Secure Intrusion Detection System. He holds an M.S. in Electrical Engineering from UT, Austin and an M.Sc in Physics from the Indian Institute of Technology, Kanpur (India).
