The State Of VoIP Security, a.k.a. “Does Anyone Really Give A _____ About VoIP Security?”
Dan York, CISSP, Chair, VoIP Security Alliance
October 5, 2011
Nov 22, 2014
© 2011 VOIPSA http://www.flickr.com/photos/willpate/46488553/
Does Anyone Really Give A _____ About VoIP Security?
Does Anyone Really Give A _____ About VoIP Unified Communications Security?
Technical Solutions
Widely Deployed
TLS-Encrypted SIP
Secure RTP (SRTP)
MORE Secure Than PSTN
MORE Secure Than Ever Before
Almost All Vendors Have Support
Almost All Customers Don’t Turn It On
Why Not?
Complexity
Fingerpointing, a.k.a. “One Throat To Choke” (diagram: PBX, Voicemail, Physical Wiring, PSTN Gateways)
Fingerpointing - 2011 (diagram: Physical Wiring, IP Network, IP-PBX, Voicemail, PSTN Gateways, Session Border Controllers, Mobile Devices, IM Networks, Web Servers, Email Servers, Desktop PCs, Operating Systems, Firewalls, Internet, Directory Servers, VoIP, CRM Systems, Social Networks, Database Servers, Application Servers)
“UC”
Debugging
Turn It Back On?
SIP Is So Simple, Right?
Riiiiiigggghhhttt… (Fingerpointing Redux)
Evolution
The Old Boys’ Club (diagram: the PSTN surrounded by a handful of Carriers)
The Wild West… (diagram: the PSTN surrounded by dozens of ITSPs)
Evolution of Attacks
DoS
DDoS
Fraud
If 1 Is Good, Why Not 3?
Geography
(diagram: Internet / LAN)
(diagram: UC System at Corp HQ behind an Internet Firewall; IP Phone and PC at Home behind a Home Firewall)
(diagram: UC System at Corp HQ behind an Internet Firewall; Laptop UC client via a WiFi Café Router; Mobile UC client via a Mobile Data Network)
(diagram: Corp HQ, Office A and Office B on the Corporate Network, each with IM, Presence and Call Control, plus IVR and Voicemail; PSTN, Conferencing and the Internet outside)
Benefits (for us… and for attackers)
DDoS (the old-fashioned kind) (Asterisk & Amazon EC2, anyone?)
SPIT (“SPam for Internet Telephony”)
Complexity
(Fingerpointing - 2011 diagram, repeated)
The Device Formerly Known As A “Phone”
Mobility
RTCWEB / WebRTC
Complexity
(Fingerpointing - 2011 diagram, repeated)
Interoperability
“The Hitchhiker’s Guide To SIP”
Forgotten Simple Things
Biggest Financial Threat?
Toll Fraud
IT Security 101
PIN = “1234”
Password = “password”
Default password list
VoIP = bits
IT Security 101
Does Anyone Really Give A _____ About VoIP Security?
WHEN Will They Care?
EVENT
Identity Theft
Celebrity
Trusted Leader
“VoIP Is Insecure!!!”
“Stupidly deployed VoIP Is Insecure!!!” (“Stupidly deployed” inserted with a caret)
“VoIP Is Insecure!!!”
Cover Your ____
SOLUTIONS?
IT Security 101
Audit, Audit, Audit
Enable What You Have
Interoperability
www.sipit.net
Identity
Simplicity
Fabric
Air
Secure By Default
Education
What is the Industry Doing to Help?
Security Vendors: “The Sky Is Falling!” (Buy our products!)
VoIP Vendors: “Don’t Worry, Trust Us!” (Buy our products!)
www.voipsa.org/Resources/tools.php
Security Links
• VoIP Security Alliance - http://www.voipsa.org/
  – Threat Taxonomy - http://www.voipsa.org/Activities/taxonomy.php
  – VOIPSEC email list - http://www.voipsa.org/VOIPSEC/
  – Weblog - http://www.voipsa.org/blog/
  – Security Tools list - http://www.voipsa.org/Resources/tools.php
  – Blue Box: The VoIP Security Podcast - http://www.blueboxpodcast.com
• NIST SP800-58, “Security Considerations for VoIP Systems” – http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf
• Network Security Tools – http://sectools.org/
• Hacking Exposed VoIP site and tools – http://www.hackingvoip.com/
• Seven Deadliest Unified Communications Attacks – http://www.7ducattacks.com/
Thank You For Giving A _____
Dan York - [email protected] | +1-802-735-1624 | DisruptiveTelephony.com | danyork.com | twitter.com/danyork
Thank you! Q & eh?
www.voipsa.org | 7ducattacks.com | blueboxpodcast.com