8/22/2019 Voip Security Vulnerabilities 2036
http://slidepdf.com/reader/full/voip-security-vulnerabilities-2036
SANS Institute InfoSec Reading Room
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.
Copyright SANS Institute
Author Retains Full Rights
VoIP Security Vulnerabilities
Author: David Persky
Advisor: Joey Niem
Fall 2007
Outline
I. Introduction ........................................ 3
II. Security vulnerabilities transitioning from POTS to VoIP ........ 4
III. Real-time Transport Protocol (RTP) ................. 42
IV. Asterisk and Inter-Asterisk Exchange (IAX) ......... 50
V. Session Initiation Protocol (SIP) ................... 58
VI. Skype .............................................. 85
VII. Cisco VoIP ........................................ 95
VIII. Conclusion ....................................... 110
IX. References ......................................... 112
X. Appendix ............................................ 120
XI. Image Figures ...................................... 124
I. Introduction

Since the dawn of time, humans have tried to communicate with each other. As languages and dialects prospered, the forms of communication became more advanced, using letters in various alphabets and writing messages on paper. From the Caesar cipher that Julius Caesar used, in which each letter of the encrypted message was shifted three places, to the Enigma machine that Nazi Germany built and used in WWII to encrypt military communications, to SIP over TLS to protect VoIP call signalling, as forms of communication have advanced there have been subsequent efforts to keep those communications secret by one party, and to recover the clear message by a second party.
II. Security vulnerabilities transitioning from POTS to VoIP

The public switched telephone network (PSTN) is a global system of interconnected phone networks of various sizes that gives users the ability to carry voice conversations with each other. "The most basic kind of network service with which we are familiar from childhood is called POTS (Plain Old Telephone Service). Using a pair of twisted copper wires, a residential phone is connected to a central office (CO) from where a residential customer can dial out in the PSTN or around the world" (Ramteke 2001). At its birth the PSTN had no telephone networks or exchanges; there were simply one-to-one telephone lines connecting phones from one room to another, a business to a home, etc. As time went on and businesses grew, private branch exchanges (PBX) were designed and deployed in office settings to provide an increasing number of telephone lines and additional services, and to connect internal callers through the PBX, over trunk lines, through the PSTN, and eventually to the destination callers.

A POTS phone is neither a VoIP hard phone nor a PC. However, a POTS phone and the line connecting to it are susceptible to vulnerabilities that would allow somebody determined enough to listen in on your phone calls. When most people think of security and privacy with respect to POTS phones, they immediately think of wiretapping and/or intercepting phone calls. Under the federal Communications Assistance for Law Enforcement Act (CALEA) of 1994, carriers are required to have a procedure and technology in place for intercepting calls. This also applies to Internet telephone service providers (ITSPs). As most could probably guess, there are generally two methods of recording phone call information: call pattern tracking, which
identifies the quantity of calls made, including the times, durations, and destinations of phone calls; and the second and more feared method, recording the content of the phone call, i.e. conversation eavesdropping. The latter is particularly worrying because many banks, credit card companies, and other organizations use voice systems to access secured accounts, often requiring a caller to punch in his/her PIN, social security number, or other private credentials with a touch-tone phone. Dual-tone multi-frequency (DTMF) tones, or touch tones, are used to enter those credentials. There is a simple tool called DTMF Decoder (www.polar-electric.com/DTMF/Index.html) that can be used to translate tones captured from a sound card into the digits that were pressed. This works because each digit that is pressed sends a pair of tones at fixed frequencies, so the frequencies heard can be mapped back to the digit associated with them. I tested this with a PC microphone placed near the speaker of my POTS cordless phone while dialing my mobile phone number. After running the captured .wav file through DTMF Decoder, my mobile phone number was displayed as having been heard.
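The frequency-to-digit mapping just described can be checked without the DTMF Decoder tool. The following is an added example (not code from the paper or from polar-electric.com) that synthesizes the two-tone signal for each key and then recovers the digits with the Goertzel algorithm, which measures the power at each of the eight DTMF frequencies in a short block of audio. The 8 kHz sample rate, the 205-sample block length and the detection thresholds are the example's own assumptions, and the "capture" is constructed in code rather than recorded from a phone.

```python
"""DTMF decoding with the Goertzel algorithm (added example; not the
DTMF Decoder tool the paper names). Input is 8 kHz mono audio as a
list of float samples; the tones below are constructed for the demo."""
import math

SAMPLE_RATE = 8000
FRAME = 205                              # classic DTMF block at 8 kHz (~25 ms)
LOW_FREQS = (697, 770, 852, 941)         # row tones
HIGH_FREQS = (1209, 1336, 1477, 1633)    # column tones
KEYPAD = (("1", "2", "3", "A"),
          ("4", "5", "6", "B"),
          ("7", "8", "9", "C"),
          ("*", "0", "#", "D"))


def synth_digit(digit, duration=0.08, amplitude=0.5):
    """Samples for one key press: the sum of its row tone and column tone."""
    for row, keys in enumerate(KEYPAD):
        if digit in keys:
            f_low, f_high = LOW_FREQS[row], HIGH_FREQS[keys.index(digit)]
            break
    else:
        raise ValueError(f"not a DTMF key: {digit!r}")
    n = int(SAMPLE_RATE * duration)
    return [amplitude * (math.sin(2 * math.pi * f_low * i / SAMPLE_RATE)
                         + math.sin(2 * math.pi * f_high * i / SAMPLE_RATE))
            for i in range(n)]


def synth_sequence(digits, gap=0.04):
    """Constructed 'capture': key presses separated by silence."""
    samples = []
    for d in digits:
        samples += synth_digit(d)
        samples += [0.0] * int(SAMPLE_RATE * gap)
    return samples


def goertzel_power(frame, freq):
    """Squared magnitude of one frequency in a frame (a single DFT bin)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s_prev = s_prev2 = 0.0
    for x in frame:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def classify_frame(frame, min_amp2=0.09, ratio=4.0):
    """Return the key for a frame, or None if no clear row/column tone pair.

    Powers are scaled to (tone amplitude)^2 so thresholds do not depend on
    frame length; a tone must reach `min_amp2` and dominate the other three
    candidates in its group by `ratio`, which rejects speech and line noise."""
    scale = (2.0 / len(frame)) ** 2
    low = [goertzel_power(frame, f) * scale for f in LOW_FREQS]
    high = [goertzel_power(frame, f) * scale for f in HIGH_FREQS]
    row = max(range(4), key=low.__getitem__)
    col = max(range(4), key=high.__getitem__)
    for group, best in ((low, row), (high, col)):
        others = max(p for i, p in enumerate(group) if i != best)
        if group[best] < min_amp2 or group[best] < ratio * others:
            return None
    return KEYPAD[row][col]


def decode_dtmf(samples):
    """Decode a sample stream into the digits pressed.

    Consecutive frames with the same key are one press; a frame with no
    tone (the inter-digit gap) separates repeated keys such as '55'."""
    digits, last = [], None
    for start in range(0, len(samples), FRAME):
        key = classify_frame(samples[start:start + FRAME])
        if key is not None and key != last:
            digits.append(key)
        last = key
    return "".join(digits)


if __name__ == "__main__":
    capture = synth_sequence("18005551212")
    print(decode_dtmf(capture))   # 18005551212
```

To decode a real recording, read the file (for example with the standard `wave` module), convert it to mono 8 kHz float samples and pass them to `decode_dtmf`. The two-tone check, one dominant row tone and one dominant column tone per block, is what keeps ordinary speech on the line from being read as digits.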
"The most common type of tap is a pen register (otherwise known as trap and trace), which produces a log, showing what numbers were called, and the dates, times and durations of the calls. The second type intercepts the content of the call... The way it works is that a carrier taps into a digital switch at its central offices or at an aggregation point and programs in what number will be traced or what calls will be intercepted. Once the information is gathered, it is sent via a private link paid for by law enforcement to the agency that requested it" (Gittlen, 2006).
Please view the following diagram for a visual representation of the above description:

Figure 1

Another POTS phone security issue that has carried over to VoIP is caller ID spoofing. On the PSTN, using POTS or mobile phones, caller ID works as follows:

"Your local phone company or cell phone carrier sends your "Calling Party Number" (CPN) with every call, like a return address on an envelope. Transmitted along with your CPN is a privacy flag that tells the telephone switch at the receiving end of the call whether or not to share your number with the recipient: if you have blocking on your line, the phone company you're dialing into knows your number, but won't share it with the person you're calling" (Poulsen, 2004).
There are legitimate reasons why one would want to spoof one's caller ID. For example, suppose that ABCbank (a fictitious bank name) has many telephone lines that are used by many internal bankers to place outbound calls. Rather than having each line show up on the destination caller's caller ID as a different ABCbank number, it makes more sense for all outbound calls to carry one standard source CPN. For this to work, ABCbank must have a PBX with many internal lines connected to an ISDN primary rate interface (PRI) line. The externally visible caller ID, or CPN, can be configured to map to an internal extension on the PBX. This is similar in theory to IP network address translation (NAT) on a firewall or router. The following diagram depicts the ABCbank example:

Figure 2
Along with CALEA as stated above, there is legislation in Congress at the time of writing this report that attempts to strengthen the authenticity of caller ID: H.R. 251, the Truth in Caller ID Act of 2007.

"Truth in Caller ID Act of 2007 - Amends the Communications Act of 1934 to make it unlawful for any person in the United States, in connection with any telecommunication service or VOIP (voice over Internet protocol) service, to cause any caller identification service to transmit misleading or inaccurate caller identification information ("spoofing") with the intent to defraud or cause harm. Prohibits construing these provisions to prevent blocking caller identification or to authorize or prohibit law enforcement or U.S. intelligence agency activities" (Unknown, 2007).

This bill passed the U.S. House of Representatives on 6/12/2007, and it remains in the U.S. Senate. While on the topic of government, it is important to note that as VoIP is deployed in more financial and medical environments, an organization's VoIP infrastructure will likely have to comply with federal regulations such as SOX, GLBA, and HIPAA.

There is an emerging new method for placing phone calls, along with the infrastructure that it needs. Voice over Internet Protocol (from now on referred to as "VoIP") is a method of carrying a voice conversation across a data network (the Internet or a private network) in a packet-switched, rather than circuit-switched, manner. "VoIP networks carry SS7-over-IP using protocols defined by Signaling Transport (sigtran) working group of the Internet Engineering Task Force (IETF), the international organization responsible for recommending Internet standards" (Performance Technologies, 2004). However, since the majority of calls throughout the world still travel over the PSTN, there must
be some point where VoIP and the PSTN meet. "Gateways and media resources are devices that convert an IP Telephony call into a PSTN call. When an outside call is placed, the gateway or media resource is one of the few places within an IP Telephony network to which all the voice RTP streams flow (RTP discussed later)" (Cisco, 2005). There are also security considerations that must be made at this point, but those will be discussed later. There is no single method or correct way of deploying VoIP phone services; the method depends on the environment and purpose it will be used in and for. To illustrate further, the following are a number of diagrams depicting simple VoIP networks that would be used in a SOHO (Small Office Home Office) environment:

Figure 3

"The last diagram of the four is an illustration of the most typical call path when making a call using a VoIP phone service
provider such as Vonage or SunRocket in a SOHO environment" (VoIP Review 2004).

The diagrams do not show how complex a larger enterprise VoIP deployment may become.

"VoIP has finally come of age and is being rapidly embraced across most markets as an alternative to the traditional PSTN. VoIP is a broad term, describing many different types of applications (hard phones, softphones, proxy servers, instant messaging clients, peer-to-peer clients, etc.), installed on a wide variety of platforms (Linux, Windows, VxWorks, mobile devices, PCs, etc), and using a wide variety of both proprietary and open protocols (SIP, RTP, H.323, MGCP, SCCP, Unistim, SRTP, ZRTP, etc.), that depends heavily on your preexisting data network's infrastructure and services (routers, switches, DNS, TFTP, DHCP, VPNs, VLANs, etc.)" (Endler, 2007).

There is a slew of proprietary and open-source, paid and free VoIP software clients available for use. These are also called softphones. A few examples are:
• Skype
• Google Talk
• Yahoo Messenger
• ComunIP ClicVoz
• Jabbin
• Kcall
A large list of these VoIP software clients and comparisons of their various capabilities can be found at http://en.wikipedia.org/wiki/Comparison_of_VoIP_software and http://www.voip-info.org/wiki-Open+Source+VOIP+Software. For
this report, I will discuss the use and security vulnerabilities related to the Skype VoIP freeware application; this will be discussed later in the report.

There are many different types of VoIP services and technologies available to the public. My research will focus on identifying the VoIP protocols, ports, enumeration techniques, vulnerabilities, deployments, versions, applications, and attack tools and methods of the following VoIP services:
• Real-time Transport Protocol (RTP)
• Inter-Asterisk Exchange (IAX)
• Session Initiation Protocol (SIP)
• Skype
• Cisco VoIP
You will see that RTP is mentioned in many sections of this report simply because it is so widely deployed in various VoIP technologies. Organizations looking to cut the costs of maintaining legacy phones, phone systems, and phone bills are adopting VoIP at a faster pace, but disregarding the security concerns inherent in VoIP resources. VoIP inherits many of the same threats that once faced, and still do face, data network resources.

"Because of VoIP, firewalls may never be the same. New research shows that organizations underestimate the demands that enterprise VoIP security places on existing firewalls, and that those demands are altering the landscape of the firewall market. Ariz.-based research firm In-Stat in June surveyed 220 IT professionals from companies of all sizes, and more than 75% of respondents at companies that have implemented VoIP plan to replace their security appliances within the next year. That could further bolster the
security appliance market, which In-Stat has forecast to eclipse $7 billion in revenue by 2009" (Parizo, 2005).

However, before getting into the specifics of comparing the vulnerabilities related to the VoIP topics above, I will discuss more general VoIP security considerations. This report will not promote one VoIP technology over another, since each is unique in design, has its own share of vulnerabilities, can be deployed securely or insecurely depending on VoIP and existing policies, procedures, and infrastructure, and each can be financially beneficial to organizations of different sizes. This report is also not meant to be an exhaustive list of all vulnerabilities exploited against any VoIP technology. The goal of this report is to identify security vulnerabilities and considerations for some of the most popular VoIP technologies available today. Since VoIP is being more widely deployed, great consideration must be taken to introduce it into an organization's network infrastructure in the most secure manner possible. Network and security engineers must be vigilant in their efforts to securely deploy VoIP. Otherwise, the return on investment (ROI) and cost savings afforded by VoIP could be lost if the new VoIP infrastructure is hacked, resulting in monetary losses.

"IP phone crooks are learning how to rake in the dough. An owner of two small Miami Voice over IP telephone companies was arrested last week and charged with making more than $1 million by breaking into third-party VoIP services and routing calls through their lines. That let him collect from customers without paying any fees to route calls...

He paid $20,000 to Spokane, Wash., resident Robert Moore, who helped Pena scan VoIP providers for security holes with a code cracking method called brute force. They sent these
companies millions of test calls, guessing at proprietary prefixes encoded on packet headers used to show that VoIP calls are legit, until the right one gave them access. The two also hacked into computers at a Rye Brook, N.Y., investment company and set up other servers to make it seem like they were sending calls from third parties through more than 15 VoIP providers... Those companies have to pay for access to the Internet's backbone, and they found themselves with up to $300,000 in charges for access stolen..." (Hoover, 2006).

This specific type of attack for financial gain is referred to as 'VoIP toll fraud'. It is the equivalent of the 'phreaking' that was performed against carrier telecom systems in the past (discussed later). Because organizations deploy VoIP while being lax on VoIP security, it is likely trivial to replicate the toll fraud described above against other organizations with a VoIP infrastructure. In my opinion, greater log analysis providing clearer 'vision' into an organization's VoIP calls would afford network security engineers more scrutiny in defining what VoIP traffic is and is not acceptable. Were a company to employ a voice managed security services provider that could monitor VoIP logs in near real time, toll fraud scams such as this would probably be stopped before they caused an organization massive financial loss.
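The log analysis argued for above can be made concrete. Below is an added example (not code from the paper) that runs three toll-fraud checks over call detail records: answered international calls placed after hours, an unusual number of answered international calls from one source, and a burst of failed calls to distinct numbers from one source, which is the trace a route-guessing attacker like the one in the Hoover article leaves behind. The CSV layout, the business hours and the thresholds are assumptions, and the CDR lines are constructed for the demonstration; real PBX CDR fields must be mapped onto the columns used here.

```python
"""Toll-fraud detection over call detail records (CDRs).

Added example, not from the paper. The CDR layout (CSV with the columns
below), business hours and thresholds are assumptions; map real PBX
CDR fields onto them before use. SAMPLE_CDR is constructed test data."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed: normal daytime calls from 1001 and 1004, a burst of short
# after-hours international calls from 1007 (toll fraud), and a run of
# failed international calls from source 9999 (prefix/route guessing).
SAMPLE_CDR = """\
start,src,dst,duration,disposition
2007-10-15T09:12:04,1001,2125551234,184,ANSWERED
2007-10-15T10:40:31,1001,3125550100,62,ANSWERED
2007-10-15T14:05:10,1004,01133170000000,540,ANSWERED
2007-10-15T23:41:02,1007,01144207946000,41,ANSWERED
2007-10-15T23:43:55,1007,01144207946001,38,ANSWERED
2007-10-15T23:47:19,1007,01192120000000,44,ANSWERED
2007-10-15T23:52:40,1007,01192120000001,39,ANSWERED
2007-10-15T11:00:00,9999,01142200000001,0,FAILED
2007-10-15T11:00:01,9999,01142200000002,0,FAILED
2007-10-15T11:00:02,9999,01142200000003,0,FAILED
2007-10-15T11:00:03,9999,01142200000004,0,FAILED
2007-10-15T11:00:04,9999,01142200000005,0,FAILED
2007-10-15T11:00:05,9999,01142200000006,0,FAILED
"""


def parse_cdr(text):
    """Parse CSV CDR text into dicts with a typed start time and duration."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["start"] = datetime.fromisoformat(row["start"])
        row["duration"] = int(row["duration"])
        rows.append(row)
    return rows


def is_international(dst):
    """NANP dialling: 011 prefix, or an E.164 number outside +1."""
    return dst.startswith("011") or (dst.startswith("+") and not dst.startswith("+1"))


def after_hours(ts, open_hour=7, close_hour=19):
    """Outside the assumed business day (07:00-19:00, Monday to Friday)."""
    return ts.weekday() >= 5 or ts.hour < open_hour or ts.hour >= close_hour


def find_toll_fraud(rows, intl_limit=3, scan_limit=5):
    """Return alerts for three patterns seen in VoIP toll fraud:
    answered international calls after hours, an unusual volume of
    answered international calls from one source, and many failed calls
    to distinct numbers from one source (an attacker probing for a route)."""
    alerts = []
    intl_calls = defaultdict(list)   # src -> answered international calls
    failed_dsts = defaultdict(set)   # src -> distinct failed destinations
    for r in rows:
        intl = is_international(r["dst"])
        answered = r["disposition"] == "ANSWERED"
        if intl and answered and after_hours(r["start"]):
            alerts.append({"rule": "after_hours_international", "src": r["src"],
                           "detail": f"{r['dst']} at {r['start'].isoformat()}"})
        if intl and answered:
            intl_calls[r["src"]].append(r)
        if not answered:
            failed_dsts[r["src"]].add(r["dst"])
    for src, calls in intl_calls.items():
        if len(calls) >= intl_limit:
            minutes = sum(c["duration"] for c in calls) / 60
            alerts.append({"rule": "international_volume", "src": src,
                           "detail": f"{len(calls)} calls, {minutes:.1f} min"})
    for src, dsts in failed_dsts.items():
        if len(dsts) >= scan_limit:
            alerts.append({"rule": "failed_call_scan", "src": src,
                           "detail": f"{len(dsts)} distinct failed destinations"})
    return alerts


if __name__ == "__main__":
    for alert in find_toll_fraud(parse_cdr(SAMPLE_CDR)):
        print(alert["rule"], alert["src"], alert["detail"])
```

Run against a rolling window (the last hour, the last day) rather than a whole archive, so that the volume and scan thresholds describe a rate. Dispositions and the international prefix are the two fields most likely to differ between PBX products; check them before trusting the rules.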
The security of VoIP resources, as with other data resources on networks, depends partly upon an organization's existing network infrastructure to maintain its security strength. This refers to building security, router, firewall, host, and OS security, password policies, etc. Before delving into the intricacies of various VoIP vulnerabilities, I want to stress that any organization wanting to secure its VoIP infrastructure
should also continually promote VoIP security awareness training. Just as there are information security training sessions for non-IT staff to make them aware of social engineering, not accepting e-mail attachments from unknown senders or clicking on links in e-mails, avoiding clicking on adware ads, etc., similar training should be implemented for VoIP security. Simply put, this isn't your grandmother's old rotary phone anymore...

The methods of securing VoIP phones and VoIP IP PBXs/call management servers are in some respects not much different from securing data networks. Physical access to the gear must be restricted to authorized users. Just as with securing confidential data, rigorous access controls must be in place to specifically permit certain users and phones to make calls, define what services are permitted, etc., and deny all others. VoIP phones and servers should also have the latest patches and/or firmware updates available, delivered and installed via a sound patch management policy. In addition, firewalls or VoIP network edge devices must be VoIP-protocol aware. After all VoIP security measures have been taken, an organization should also regularly commission third-party VoIP penetration testing. VoIPshield Systems is a company that provides such a service (www.voipshield.com). VoIP security should not be an afterthought when deploying any sized VoIP infrastructure. Just as network availability and quality of service should be designed with network security in mind, so too should VoIP availability, QoS, and security.

Similar to the Confidentiality, Integrity, and Availability (CIA) triad applied to voice, the following is a clever way of remembering VoIP threat categories:
Figure 4 (Materna, 2007)

Probably the best and first thing an organization should do when deploying VoIP is to segment its data and VoIP traffic into separate Virtual Local Area Networks (VLANs). Also, if VoIP traffic is seen sourcing from a 'data only' network, the host producing the VoIP traffic should be investigated to identify what is causing it, since it would be against an organization's acceptable use and/or security policy. That scenario, while highly beneficial from a security standpoint, could become confusing if an organization then deploys wireless VoIP phones. The question becomes: do you then deploy separate access points for wireless VoIP phones and separate access points for wireless data? However, that is for an organization to consider in a request for proposal, and is out of the scope of this report. For the data-only traffic, a stateful firewall should be used to
block all outbound traffic from the data VLAN to known destination VoIP service ports. Also, an IPS that is not inline with the traffic could be used to send TCP RST/ACK or ICMP unreachable packets to internal hosts generating VoIP traffic that matches VoIP IDS signatures. A reason for not putting the IPS inline with the traffic is to avoid a single point of failure through which all voice conversations must pass, as well as bandwidth considerations. Note that this out-of-band blocking is best effort: a TCP reset only terminates TCP sessions, so SIP carried over UDP and RTP media are unaffected by it, and most hosts ignore ICMP unreachable messages for an established UDP flow. Please view the following diagram illustrating the VLAN separation of data from VoIP traffic:

Figure 5

As you can see, while the VoIP phones and the PCs share the same physical network cable to the switch, they are in logically different networks (VLANs) because of the IEEE 802.1Q Ethernet frame tagging that the phone performs, while not accepting tagged voice-VLAN frames arriving on its PC Ethernet port. Once VoIP and data resources have been segmented into different VLANs, the
best practice would be to test access to ensure that the VoIP VLANs cannot be used to gain access to other data VLANs, and vice versa, since there are many documented VLAN hopping vulnerabilities.
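The checks described in the last few paragraphs (VoIP ports reachable only from the voice VLAN, nothing but VoIP on the voice VLAN, and an untagged frame treated as data on the native VLAN) can be expressed as a policy over parsed frames. The following added example (not code from the paper) builds Ethernet/802.1Q/IPv4/UDP frames in code, parses the VLAN tag and ports back out and applies that policy. The VLAN numbers, the addresses and the VoIP port list are assumptions; in particular the RTP port range varies by vendor and should be taken from the deployment's own configuration.

```python
"""Check Ethernet frames against a voice/data VLAN separation policy.

Added example, not from the paper. VLAN IDs, addresses and the VoIP
port list are assumptions; the frames are constructed below as input."""
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
VOICE_VLAN = 100                              # assumed voice VLAN ID
SIGNALLING_PORTS = {5060, 5061, 4569, 2000}   # SIP, SIP-TLS, IAX2, SCCP
RTP_PORTS = range(16384, 32768)               # a common RTP/RTCP media range


def build_frame(vlan, src_ip, dst_ip, sport, dport, payload=b""):
    """Construct an Ethernet[/802.1Q]/IPv4/UDP frame (checksums left 0)."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)   # TCI: VID only
    hdr += struct.pack("!H", ETH_P_IP)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return hdr + ip + udp


def parse_frame(frame):
    """Return the VLAN ID (None when untagged), IP addresses and L4 ports."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    off, vlan = 14, None
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan, off = tci & 0x0FFF, 18
    info = {"vlan": vlan, "src": None, "dst": None, "sport": None, "dport": None}
    if ethertype != ETH_P_IP:
        return info
    ihl = (frame[off] & 0x0F) * 4
    proto = frame[off + 9]
    info["src"] = ".".join(str(b) for b in frame[off + 12:off + 16])
    info["dst"] = ".".join(str(b) for b in frame[off + 16:off + 20])
    if proto in (6, 17):   # TCP or UDP: ports are the first four bytes of L4
        info["sport"], info["dport"] = struct.unpack_from("!HH", frame, off + ihl)
    return info


def is_voip_port(port):
    return port is not None and (port in SIGNALLING_PORTS or port in RTP_PORTS)


def check_policy(frame):
    """Verdict ('allow' | 'deny' | 'alert', reason) for one frame.

    Policy: VoIP ports are only legitimate on the voice VLAN, and only VoIP
    belongs on the voice VLAN. Untagged frames sit on the native (data) VLAN."""
    f = parse_frame(frame)
    voip = is_voip_port(f["sport"]) or is_voip_port(f["dport"])
    if f["vlan"] == VOICE_VLAN:
        if voip:
            return "allow", "VoIP traffic on voice VLAN"
        return "alert", (f"non-VoIP traffic {f['src']}->{f['dst']}:{f['dport']} "
                         "on voice VLAN; possible compromised phone or hopped host")
    if voip:
        where = "untagged (native VLAN)" if f["vlan"] is None else f"VLAN {f['vlan']}"
        return "deny", (f"VoIP port {f['sport']}->{f['dport']} used by {f['src']} "
                        f"on {where}; investigate host")
    return "allow", "data traffic on data VLAN"


# Constructed frames: a phone registering, a PC talking SIP, an untagged
# host talking IAX2, a phone browsing HTTP, and a PC browsing HTTP.
SAMPLE_FRAMES = {
    "phone_sip": build_frame(100, "10.1.100.5", "10.1.100.1", 5060, 5060),
    "pc_to_sip": build_frame(10, "10.1.10.23", "10.1.100.1", 49152, 5060),
    "untagged_iax": build_frame(None, "10.1.10.40", "10.1.100.1", 4569, 4569),
    "phone_http": build_frame(100, "10.1.100.5", "10.1.100.1", 40000, 80),
    "pc_http": build_frame(10, "10.1.10.23", "93.184.216.34", 50000, 80),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        verdict, reason = check_policy(frame)
        print(f"{name:13s} {verdict:5s} {reason}")
```

The 'deny' verdicts are the frames a firewall in front of the data VLAN should drop and an IDS should alert on; the 'alert' verdict is the phone-as-attack-platform case the next paragraph describes. The parser assumes the sensor sees tagged frames (a trunk or a tag-preserving SPAN port); on an access port the switch has already removed the tag, and VLAN membership must come from the port configuration instead.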
Some vendors such as Cisco Systems include authentication and encryption measures in their proprietary VoIP deployments as a means of securing VoIP traffic to and from call manager servers, TFTP servers, and VoIP phones. This will be discussed in greater detail in the Cisco VoIP section. While authentication and encryption to and from IP phones and other VoIP servers is important, it by no means achieves the objective of securing VoIP resources on its own. Most people think of a VoIP phone as only being able to function as a phone, just like a POTS phone. They overlook the fact that a VoIP phone can possess a web management GUI, and can be compromised and then used to attack other VoIP and data resources, without placing any calls.

"Some of the methods of attacking VoIP resources are denial of service attacks (DOS), man-in-the-middle attacks, call flooding, eavesdropping, VoIP fuzzing, signaling and audio manipulation, voice SPAM (called 'SPIT'), and also voice phishing attacks" (Endler, 2007). All of the mentioned attacks threaten business-critical voice conversations, as well as the security of other confidential data. One can only imagine the fear and anger that would arise if an organization's VoIP infrastructure fell under a denial or distributed denial of service attack, especially during an emergency. It is likely that the Quality of Service (QoS) of voice calls would be so degraded that users' voice conversations would be choppy and full of static when trying to dial emergency services. Thankfully, in today's world, with most people owning a mobile phone, the impact
of a DDoS would be substantial, but internal users would still be able to make voice calls from their mobile phones connected to their wireless carrier. Since VoIP, just like data, uses IP packets, it would be possible to hack into a VoIP server where logs are stored and modify them. This could allow an attacker to add fake log entries, such as thousands of long distance calls made from a specific internal user. This is an example of what a disgruntled former employee might do to get back at the supervisor who fired the employee.

When deploying and trying to secure a VoIP infrastructure, one must remember that phone calls are not simply unicast, one-to-one voice conversations. Multiple call scenarios must be expected, planned for, and secured:

• Unicast Peer-to-Peer Calls
This is the standard one-to-one call most people think of in relation to POTS phones. With VoIP, this would/could be a SIP or H.323 based call that is set up. RTP traffic would have to be encrypted between the two parties.

• Multicast One-to-Few Calls
An example of this would be a three-party conference call, where the initial caller dials the second and then the third party, and establishes the security for all voice traffic. This can be defined as a small hub-and-spoke topology call. RTP traffic would have to be encrypted between the initiator and each of the two other parties.
• Multicast One-to-Many or Many-to-Many Calls
An example of this would be a company-wide conference call. This conference call may or may not include a central point/initiator that defines the security parameters. Multiple sites, with multiple VoIP conference and regular phones, would be included in the call. This can be defined as a large hub-and-spoke or a large spoke-to-spoke topology call. RTP traffic would have to be encrypted between multiple parties.

The three call scenarios above exist today for POTS phones, through PBXs, over the PSTN, and they must also be designed, deployed, and secured in any VoIP implementation. The following are three diagrams depicting the three call scenarios explained above:

Figure 6
Figure 7
Figure 8
Just as any country would plan an attack before invading another country, successfully exploiting or hacking a VoIP resource (network, server, hard/soft phone, etc.) requires reconnaissance to be performed to footprint, or identify what the position of the 'enemy/victim' is. It is also important to understand that exploits that used to be effective (but no longer are) at attacking data on IP networks can have different results when targeted at VoIP resources.

"For instance, a SYN flood denial of service attack against your organization's router might mean that web browsing is a little slow for internal users. While the very same SYN flood against a VoIP network or VoIP device might mean that voice conversations are unintelligible because of jitter or calls cannot be placed because of network latency" (Endler, 2007).

Rather than brute forcing or performing VoIP exploit attempts for vulnerabilities against a VoIP resource, it makes sense to first go for the low hanging fruit (AKA, probing the underlying infrastructure such as the VoIP server's weak password, telnet daemon enabled, low patching, etc.). A simple way of identifying what type of network devices a company uses in their infrastructure is researching the public domain. That means researching on the company's website for new product use, and open network/voice engineer positions available with a focus on one VoIP vendor vs. another (Cisco vs. Avaya vs. Asterisk, etc.). This information can often also be found by spending a few minutes researching on the Google search engine. While it is necessary for an organization to advertise open positions in the IT department to meet staffing needs, it is also a vulnerability to leave that information in the public domain. It took me less than one minute to perform an advanced search for the keywords "Cisco VoIP" and "Bank" to identify that Bank of America is widely deploying Cisco VoIP:

Figure 9

If you read the article carefully, it also states that Boeing, Ford, and even the Department of Defense are employing Cisco VoIP. What is an even greater treasure trove of information is that the article specifically lays out which of the Cisco devices are being used for the deployments. "The specific equipment that received certification includes Cisco Catalyst 3550, 4500 and 6500 switches; Cisco 2600 and 3700 gateways; and CallManager 3.3 call processing software" (http://blog.tmcnet.com/blog/rich-tehrani/cisco-voip-success-dod-and-bank-of-america.html). As such, any determined hacker that would want to disrupt or hack VoIP services for the Bank of America, Boeing, Ford, or even the DoD, now knows that he/she could exploit any of the vulnerabilities of the above devices. As you can see, this is a rather trivial method of identifying pieces of an organization's network infrastructure for future exploitation. Another related method of identifying what VoIP hardware/software services an organization employs is to read resumes of people who have worked there. Those resumes may often include detailed information on VoIP resources deployed in the person's prior job.
Many network devices, both data and voice, typically have a web based GUI, which is used for administrative management. However clumsy network administrators will forgetfully and foolishly connect these VoIP phones to the network, and have them be accessible from the Internet, with the web interface enabled. The following is an example of a Cisco VoIP phone that I found connected to the Internet with its web interface enabled:

Figure 10
Figure 11
There is no good reason why any Cisco VoIP phone should be left in a DMZ with a publicly routable IP address. To protect the innocent organization with their forgetfulness, I have fuzzed out information that could be used to hack this IP phone, and other resources of their infrastructure. I found this Cisco VoIP phone by typing the following into Google's search engine: inurl:"NetworkConfiguration" Cisco. As you can see from the above two images, a Cisco VoIP phone left hanging on the Internet with the web management interface enabled is also a treasure trove of information. From the device information page, a potential attacker can now see the specific IP phone in use, the MAC address, hostname, IOS version, serial number, etc. From the network configuration page, an attacker can see the IP address, MAC address, subnet mask, tftp server address (which you could then hack to steal/change/delete configurations since Cisco VoIP phones query the tftp servers upon bootup), Cisco call manager addresses, and other information that could not fit into the screenshot. From here you could then research vulnerabilities reported for the Cisco IP-phone 7960 series and probe the phone for them. Cisco VoIP phone vulnerabilities will be discussed later on in the Cisco section. It would also be rather easy for an attacker to fire up Nessus or any other vulnerability scanner, and probe the organization's Internet accessible TFTP, DNS, call manager servers, and their border router. However, after obtaining the IP addresses seen, those can then be used to perform "whois" and reverse DNS queries to identify what organization the IP addresses belong to. A quick NMAP (NMAP explained later) version scan, without initial ICMP ping probes, for ports 1-1024, of the VoIP phone's IP address found only port HTTP:80/tcp open:

Figure 12
Two follow up examples of clumsiness would be not only leaving a VoIP phone's HTTP management GUI enabled, but if doing so, not changing the IP phone's default password. This, along with changing a user's default voicemail password from likely his/her phone extension, are simple steps to preventing additional attack vectors. There are many websites on the Internet that list default usernames and passwords for VoIP devices. The Uniden UIP1868P VoIP phone "by default has the web admin interface use a password with a value equal to "admin" (without quotation marks). Also, there is no username required; only password is required. This means that the security of the device ultimately relies on knowing one string of characters, rather than two (username/password)" (Unknown, 2006). Another example of a VoIP phone I found that had the web management GUI enabled, and was connected to the Internet, was a Polycom SoundPoint phone:

Figure 13

Thankfully for the organization owning the Polycom phone seen above, curious hackers attempting to view the network configuration information are at least prompted with a username and password. When I tested the phone by trying to logon with a random username and password, I produced a logon failure that rendered an HTTP 401 unauthorized response. This username and password prompt could of course be brute forced. From the organization's perspective, to protect against brute force logon attempts they would have to employ possibly a host or network based IPS, with a threshold of failed logon attempts until the offending external IP address was temporarily blocked. In doing my research, I could find no good reason for a VoIP phone to be reachable from the Internet with a publicly routable IP address. If an organization and its network or system administrators conclude that all VoIP phones should have their web GUIs enabled for management purposes, at the very least the default usernames and passwords should be changed.
An attacker that has the objective of hacking an organization's VoIP infrastructure should not narrow his efforts to just devices running VoIP services.

"It behooves him to identify and map out other core network devices, including routers and VPN gateways, web, TFTP, DNS, DHCP, and RADIUS servers, firewalls, IPSs, etc. For instance, if an attacker were able to locate and knock down your tftp server, several models of phones trying to download configuration files on bootup might crash or stall" (Endler, 2007).

Going back to the war analogy, just as a commander prepares for an attack by identifying how many troops the enemy has, and what their weaknesses are, somebody wanting to attack an organization's VoIP resources must identify live/listening target IP addresses. One of the ways that this can be done is by performing ICMP echo requests (type: 8 code: 0) to the organization's target IP addresses. If the organization isn't blocking all inbound ICMP traffic by a packet filtering router, stateful firewall, etc., then the targeted hosts will likely respond with ICMP echo replies (type: 0 code: 0). Keeping track of the targeted hosts that respond, a hacker now has a list of live hosts for future enumeration, and eventually possible exploitation. Now you could manually try and ICMP ping one specific destination IP address, and if your plan of attack is only to one target, then that would be sufficient. However, to successfully and efficiently identify live/listening hosts as well as which destination ports are open/accepting connections, I recommend using a robust scanning tool; particularly one that reads a target IP address list from a file. There are many free network host and device discovery scanning tools available on the Internet. Each of the following tools differs slightly in design; however all are great for host discovery, and some are greater for vulnerability scanning (Nessus):

• NMAP
• Fping
• Hping
• Superscan
• Nessus
• Solarwinds (not free)

A quick search on a search engine will produce a large amount of documentation on how to use each of the above tools as well as links on where to download them. There are other scanning tools that are designed to specifically target certain VoIP protocols/services; however I will mention them later in this report. Just as there are certain hardware wiretapping tools available for tracking and listening to POTS phone conversations, there are also many freeware tools available to 'sniff', modify, and attack VoIP traffic. The following are a few popular VoIP sniffing tools:

• Vomit (Voice over misconfigured Internet telephones) - Can be used with tcpdump to convert RTP streams into .wav files.
• Oreka – "Oreka is a modular and cross-platform system for recording and retrieval of audio streams. The project currently supports VoIP and sound device based capture. Recordings metadata can be stored in any mainstream database. Retrieval of captured sessions is web based" (Sourceforge, 2005).
• VoIPong – "Utility which detects all Voice over IP calls on a pipeline, and for those which are G711 encoded, dumps actual conversation to separate wave files. It supports SIP, H323, Cisco's Skinny Client Protocol, RTP and RTCP…Produces real .Wav files for direct audio hearing, etc." (Balaban, 2004).

The Voice over IP Security Alliance (VoIPSA) is an organization that was created to provide insight and expertise to vendor neutral VoIP security. They maintain a list of links to various VoIP security tools that can be used for sniffing, scanning and enumeration, packet creation and flooding, fuzzing, signaling and media manipulation, and other miscellaneous tools. This list can be found at http://www.voipsa.org/Resources/tools.php. I have used some of the tools in my research; however they will be discussed in sections ahead. Returning to enumeration, once a list of live/active IP addresses has been generated, the next step must be to port scan each one of them to identify open ports and services running. NMAP, as included above, is an excellent free tool for port scanning. Just to briefly mention some VoIP service ports, SIP uses ports 5060/tcp and udp for VoIP traffic. Port 5061/tcp is used for VoIP running over Transport Layer Security (TLS). Skype uses many random tcp ports. Inter-Asterisk Exchange (IAX) uses port 4569/udp.
An effective and trivial method of enumerating applications and services on a VoIP network (data also) is banner grabbing. The Netcat tool, created by Sourceforge, is helpful in performing manual banner grabbing. It can also be used as a port scanner and to set up backdoor connections. I ran Netcat against my test SIP server and was able to establish a connection. I also ran Netcat against the Cisco VoIP phone for ports HTTP:80/tcp and SIP:5060/tcp, that I found hanging on the Internet earlier. However, in the interest of not crossing the line, I did not attempt to upload any files to it:

Figure 14

Using Netcat with the '-u' option allows the scanner to service check UDP ports, as was the case with probing the fuzzed out Internet found Cisco Unified CallManager and tftp server listening on port tftp:69/udp. While banner grabbing in and of itself does not compromise a VoIP resource target, it does identify the service/version running, which would be useful information to an attacker that would find an un-patched VoIP phone or VoIP PBX.

Enterprise VoIP relies significantly on services such as LDAP, DNS, RADIUS, TFTP, etc. If an attacker could find a TFTP server left unsecured in an organization's DMZ, since TFTP does not provide any type of authentication, the configuration files of various VoIP phones and other critical devices like routers, switches, firewalls, can be pulled to the attacker's machine. For example, each time a Cisco 7912 VoIP phone boots up, it queries the local TFTP server for the SIPDefault.cnf to load (Unknown/Cisco, 2006). However because of TFTP being inherently insecure due to traffic not being encrypted, it's fairly easy to identify all the different configuration files served on an organization's TFTP server without attacking it. However this is dependent upon the attacker being able to sniff traffic on the TFTP server's network. If an attacker would be able to overwhelm a switch by flooding it with ARPs, then the switch would fail open, turning it essentially into a hub. All VLAN configurations would be ignored and all switch ports would receive copies of all packets. The attacker could then run a tcpdump or Wireshark (formerly Ethereal) packet capture just for TFTP traffic. Again, since TFTP is sent in clear text, the configuration files served on the server would be visible, and the attacker could then request them himself. Going back to the Cisco VoIP phone with the HTTP GUI enabled found in the example above, an attacker could easily use tftp to pull the SIPDefault.cnf configuration file to reveal various extensions, usernames, passwords, etc. No configuration files were transferred from any of the tftp servers found while searching for them for this report. The best practice for securing tftp servers necessary for the successful operation of VoIP resources would be to apply a layered security approach such as including host based firewalls on tftp servers and specifically defining the IP address ranges permitted to 'GET' files from the tftp server, and to deny all others. However this can be easily circumvented via spoofing one's source IP address.
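As an added example (not from the paper and not any vendor's TFTP server code), the allow-list control described above, written as the decision a host-based filter or TFTP wrapper in front of a VoIP configuration server would make: decode the RRQ/WRQ header of each inbound datagram (RFC 1350), permit reads only from the phone address ranges, and deny writes, traversal and anything malformed. The phone subnets, file names and sample datagrams are constructed.

```python
"""Allow-list filter for TFTP requests, as a host-based firewall or TFTP
wrapper would apply it in front of a VoIP configuration server.

Added example, not from the paper. The phone subnets and the sample
datagrams below are constructed for illustration.
"""
import ipaddress
import struct

OP_RRQ, OP_WRQ = 1, 2                       # RFC 1350 opcodes: read / write
TFTP_MODES = (b"netascii", b"octet", b"mail")

# Constructed example: the voice VLANs whose phones may fetch their
# configuration files. Everything else (DMZ, Internet) is denied.
PHONE_NETS = [ipaddress.ip_network("10.10.20.0/24"),
              ipaddress.ip_network("10.10.21.0/24")]


def parse_tftp_request(payload):
    """Decode a TFTP RRQ/WRQ: 2-byte opcode, filename, NUL, mode, NUL.

    Returns a dict, or None if the datagram is not a well-formed request
    (a DATA/ACK/ERROR packet, a truncated header, an unknown mode, ...).
    """
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        return None
    fields = payload[2:].split(b"\x00")
    # Expect at least filename, mode and the empty tail after the final NUL;
    # RFC 2347 options, if present, show up as extra fields before the tail.
    if len(fields) < 3 or fields[-1] != b"":
        return None
    filename, mode = fields[0], fields[1].lower()
    if not filename or mode not in TFTP_MODES:
        return None
    return {"opcode": opcode,
            "filename": filename.decode("latin-1"),
            "mode": mode.decode("ascii")}


def tftp_policy(src_ip, payload, allowed_nets=PHONE_NETS):
    """Decide whether one inbound TFTP datagram reaches the server.

    Returns (allow, reason). Only RRQs from the allowed ranges pass; the
    reason string is what the filter would write to its log.
    """
    req = parse_tftp_request(payload)
    if req is None:
        return False, "drop: malformed or non-request TFTP packet"
    if req["opcode"] == OP_WRQ:
        return False, "deny: write request (phones only read configs)"
    name = req["filename"]
    if "/" in name or "\\" in name or ".." in name:
        return False, f"deny: path separator or traversal in filename {name!r}"
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in allowed_nets):
        return False, f"deny: {src_ip} is outside the permitted phone ranges"
    return True, f"permit: RRQ {name} ({req['mode']}) from {src_ip}"


def build_request(opcode, filename, mode="octet"):
    """Encode an RRQ/WRQ datagram; used here only to construct samples."""
    return (struct.pack("!H", opcode) + filename.encode("latin-1") + b"\x00"
            + mode.encode("ascii") + b"\x00")


if __name__ == "__main__":
    # Constructed traffic: a phone on the voice VLAN fetching its config,
    # an outside host asking for the same file, a stray write, a traversal
    # attempt, and a DATA block that is not a request at all.
    samples = [
        ("10.10.20.15", build_request(OP_RRQ, "SIPDefault.cnf")),
        ("203.0.113.77", build_request(OP_RRQ, "SIPDefault.cnf")),
        ("10.10.20.15", build_request(OP_WRQ, "SIPDefault.cnf")),
        ("10.10.20.15", build_request(OP_RRQ, "../etc/passwd")),
        ("10.10.20.15", b"\x00\x03\x00\x01data"),
    ]
    for src, dgram in samples:
        allow, reason = tftp_policy(src, dgram)
        print("ALLOW" if allow else "DENY ", reason)
```

The source-address check is one layer only; the paper's point that it can be circumvented by spoofing the source address is why it belongs beside network segmentation rather than in place of it.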
Simple Network Management Protocol or SNMP is an application layer protocol that is used to exchange various types of management information between routers, switches, firewalls, servers, and other various devices used on a network such as VoIP phones, both wired and wireless. SNMP versions 1 and 2 are inherently insecure since they use clear text community strings or passwords for authentication. SNMPv3, as defined in RFC 3411, however employs the use of 3DES and AES encryption and authentication for the exchange of management traffic. SNMPv1 is widely supported by most VoIP phones for functionality and backwards compatibility purposes. However most VoIP phones come with SNMPv1 daemons enabled and network administrators clumsily forget to change the default SNMP community string. An example of this is the US-CERT/NIST CVE-2005-3722, where it is noted that "the SNMP v1/v2c daemon in Hitachi IP5000 VOIP WIFI Phone 1.5.6 allows remote attackers to gain read or write access to system configuration using arbitrary SNMP credentials. This vulnerability would allow unauthorized access, partial confidentiality, integrity, and availability violation, allow unauthorized disclosure of information, and allow a disruption of service." Upon further research, the following was found:

1) The phone has an undocumented open port 3390/tcp that allows access to the Unidata Shell upon connection. The service reportedly cannot be disabled and can potentially be exploited to gain access to sensitive information and to cause a DoS.
2) The phone has a hardcoded administrative password of "0000". This may be exploited by a user with physical access to the phone to modify the phone's configuration.
3) The default index page of the phone's HTTP server (8080/tcp) discloses information like phone software versions, phone MAC address, IP address and routing information.
4) The vulnerabilities have been reported in firmware versions prior to 2.0.1.

Fixes for these problems were added in the updated firmware version 2.0.1 or later, where an administrator was then strongly encouraged to change the passwords ASAP (Merdinger, 2005). A similar SNMP vulnerability was found in US-CERT/NIST CVE-2005-3803 for the Cisco 7920 Wireless IP Phone, firmware version 2.0 and earlier.

During my research I found that there are plenty of pieces of documentation noting the default SNMP community strings used on devices out of the box. One such website which I browsed to was http://www.phenoelit-us.org/dpl/dpl.html. Disabling SNMPv1 and v2 daemons on VoIP phones where possible, and using SNMPv3, would be optimal for all VoIP devices.
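As an added example (not from the paper, not vendor code), a passive check a monitoring sensor could run over captured SNMP datagrams: decode the BER header, classify the version, and flag v1/v2c messages whose cleartext community string is a known default, which is the misconfiguration described above. The default list and the sample datagrams are constructed.

```python
"""Passive classifier for SNMP datagrams: flags v1/v2c messages whose
community string is a common vendor default.

Added example, not from the paper. The default list and the sample
datagrams below are constructed.
"""

# Community strings commonly shipped as defaults (constructed sample list;
# a real sensor would load the site's own list of vendor defaults).
DEFAULT_COMMUNITIES = {b"public", b"private", b"admin", b"ILMI", b"cisco"}

TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET_STRING = 0x30, 0x02, 0x04


def read_tlv(buf, pos=0):
    """Decode one BER TLV at pos; return (tag, value, position after it).

    Handles short-form and long-form definite lengths; anything else
    (indefinite length, truncation) raises ValueError.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: 0x8n, then n length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(datagram):
    """Return {'version': 'v1'|'v2c'|'v3'|'unknown', 'community': bytes|None}.

    SNMPv1/v2c: SEQUENCE { INTEGER version, OCTET STRING community, PDU }.
    SNMPv3 carries msgGlobalData instead of a community, so None is returned.
    """
    tag, body, _ = read_tlv(datagram)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, ver, pos = read_tlv(body)
    if tag != TAG_INTEGER:
        raise ValueError("version INTEGER missing")
    version = {0: "v1", 1: "v2c", 3: "v3"}.get(int.from_bytes(ver, "big"), "unknown")
    if version not in ("v1", "v2c"):
        return {"version": version, "community": None}
    tag, community, _ = read_tlv(body, pos)
    if tag != TAG_OCTET_STRING:
        raise ValueError("community OCTET STRING missing")
    return {"version": version, "community": community}


def assess(datagram, defaults=DEFAULT_COMMUNITIES):
    """Classify one datagram for a monitoring rule.

    Returns (severity, message): 'high' for a default community on v1/v2c,
    'medium' for any other cleartext community, 'info' for v3.
    """
    hdr = parse_snmp_header(datagram)
    if hdr["community"] is None:
        return "info", f"SNMP {hdr['version']}: no cleartext community"
    shown = hdr["community"].decode("latin-1")
    if hdr["community"] in defaults:
        return "high", f"SNMP {hdr['version']} with default community {shown!r}"
    return "medium", f"SNMP {hdr['version']} sends community {shown!r} in cleartext"


def tlv(tag, value):
    """Short-form BER encoder (value < 128 bytes), used to build samples."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value


def build_get_request(version_number, community):
    """Constructed SNMPv1/v2c GetRequest with an empty variable-binding list."""
    pdu = tlv(0xA0, tlv(TAG_INTEGER, b"\x01")      # request-id
                  + tlv(TAG_INTEGER, b"\x00")      # error-status
                  + tlv(TAG_INTEGER, b"\x00")      # error-index
                  + tlv(TAG_SEQUENCE, b""))        # empty VarBindList
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, bytes([version_number]))
                             + tlv(TAG_OCTET_STRING, community) + pdu)


if __name__ == "__main__":
    # Constructed captures: a v1 poll with "public", a v2c poll with a
    # site-specific string, and a v3 message (version 3, no community).
    for dgram in (build_get_request(0, b"public"),
                  build_get_request(1, b"vo1ce-r0-7781"),
                  tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, b"\x03") + tlv(TAG_SEQUENCE, b""))):
        print(*assess(dgram))
```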
All network devices are susceptible to denial and distributed denial of service attacks, including VoIP resources. However even if the DOS or DDOS is not targeted against an internal VoIP resource (phone, proxy server, etc.), flooding the internal networks (routers, switches, firewalls etc.) with junk/non-business packets would still degrade the QOS of VoIP. The DOS attacks can include TCP SYN scans, ICMP floods (if ICMP is permitted). When targeted against a SIP PBX by the means of sending many INVITE, REGISTER, and BYE requests simultaneously, this could halt all VoIP call service. There are various vendors that sell appliances that can be deployed at the perimeter or core of a network to detect, threshold, or block infected host outbound DOS or external inbound DOS such as Arbor Networks, Mirage Networks, and TippingPoint (Endler, 2007).
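The threshold-and-temporary-block control the paper recommends in two places, for failed logons on a phone's web GUI (the HTTP 401 responses discussed with the Polycom phone above) and for SIP request floods against a PBX here, as an added example that is not from the paper or any IPS vendor. The log formats, addresses and limits are constructed; a real IPS would hand the block decision to a firewall rule.

```python
"""Sliding-window threshold with temporary blocking for VoIP edge devices.

Added example, not from the paper or a vendor IPS. Fed either by HTTP 401
responses from a phone's web GUI or by SIP requests reaching a PBX. All
log lines, addresses and limits below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime


class ThresholdBlocker:
    """Per-source counter: block a source for block_s seconds once more
    than `limit` events fall inside a `window_s`-second sliding window."""

    def __init__(self, limit, window_s, block_s):
        self.limit, self.window_s, self.block_s = limit, window_s, block_s
        self._events = defaultdict(deque)   # src -> recent event timestamps
        self._blocked_until = {}            # src -> epoch when block expires

    def is_blocked(self, src, now):
        expiry = self._blocked_until.get(src)
        if expiry is None:
            return False
        if now >= expiry:                   # block has lapsed; forgive
            del self._blocked_until[src]
            return False
        return True

    def observe(self, src, now):
        """Record one event from src at time now; True if src is blocked."""
        if self.is_blocked(src, now):
            return True
        q = self._events[src]
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()                     # forget events outside the window
        if len(q) > self.limit:
            self._blocked_until[src] = now + self.block_s
            q.clear()
            return True
        return False


# Common Log Format line as a phone's HTTP server, or a reverse proxy in
# front of it, might write it: client, identd, user, [time], "request", status.
_CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def failed_logon_events(lines):
    """Yield (epoch, src_ip) for every HTTP 401 in CLF access-log lines."""
    for line in lines:
        m = _CLF.match(line)
        if m and m.group(3) == "401":
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield ts.timestamp(), m.group(1)

# Constructed SIP trace line: "<epoch> <src_ip> <METHOD> <Request-URI> SIP/2.0"
_SIP = re.compile(r"^(\d+(?:\.\d+)?) (\S+) (INVITE|REGISTER|BYE|OPTIONS) \S+ SIP/2\.0$")

def sip_request_events(lines):
    """Yield (epoch, src_ip) for each SIP request line in the trace."""
    for line in lines:
        m = _SIP.match(line)
        if m:
            yield float(m.group(1)), m.group(2)

def offenders(events, limit, window_s, block_s):
    """Replay events in time order; return the sources that got blocked."""
    blocker = ThresholdBlocker(limit, window_s, block_s)
    blocked = set()
    for ts, src in sorted(events):
        if blocker.observe(src, ts):
            blocked.add(src)
    return sorted(blocked)

# Constructed samples: one outside host guessing the GUI password six times
# in six seconds, another failing once; one host sending 30 INVITEs in 1.5 s.
WEB_LOG = [
    f'203.0.113.9 - - [12/Nov/2007:10:00:0{i} +0000] "GET /NetworkConfiguration HTTP/1.1" 401 381'
    for i in range(1, 7)
] + [
    '198.51.100.7 - - [12/Nov/2007:10:00:03 +0000] "GET /NetworkConfiguration HTTP/1.1" 401 381',
    '198.51.100.7 - - [12/Nov/2007:10:00:04 +0000] "GET /NetworkConfiguration HTTP/1.1" 200 2210',
]
SIP_TRACE = [
    f"{1194861600 + i * 0.05:.2f} 192.0.2.50 INVITE sip:1001@pbx.example.net SIP/2.0"
    for i in range(30)
] + [
    "1194861600.00 10.0.0.20 REGISTER sip:pbx.example.net SIP/2.0",
    "1194861630.00 10.0.0.20 REGISTER sip:pbx.example.net SIP/2.0",
]

if __name__ == "__main__":
    print("web GUI offenders:", offenders(failed_logon_events(WEB_LOG), 5, 60, 600))
    print("SIP flood sources:", offenders(sip_request_events(SIP_TRACE), 20, 1.0, 300))
```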
In the past as organizations began increasingly using e-mail, SPAM e-mails became more prevalent in soliciting the recipients to click on links to mortgage, erectile dysfunction, medical services, debt consolidation, and other sites to receive discounts. Similarly, VoIP prevalence into the enterprise and at home is increasing voice SPAM or SPAM over Internet Telephony (SPIT).

"SPIT is not a problem right now because, while there is a fair amount of VoIP deployed and the amount is certainly growing, most of it is present in disconnected internal VoIP deployments. While enterprises have a fair amount of VoIP, it is uncommon to connect these deployments to others. Circuit-switched access and the PSTN continue to be the primary interconnects between enterprises… Over time, more enterprises will interconnect themselves via VoIP, most likely through SIP trunks to service providers and/or the Internet" (Endler, 2007).

While e-mail SPAM is a nuisance requiring recipients to delete the e-mails and update SPAM filters, SPIT would consume much more time of recipients by having to answer the phone and listen, if even for short periods of time. This will considerably cut into employee productivity, and since the caller ID can be spoofed, the recipient may well think it's a legitimate source calling. While sending SPAM is virtually free, a SPIT infrastructure costs money to set up in terms of buying a PC or server to run SER or Asterisk, as well as purchasing SIP trunking services from an ITSP. Further research led me to the www.hackingvoip.com/sec_tools.html website that provides a free SPIT tool called 'SPITTER'. Another SPIT producing tool found online was 'TeleYapper', that works in conjunction with trixbox (http://nerdvittles.com/index.php?p=113).

SPIT will most likely not be sourced internally within an enterprise network, unless of course there is a compromised or rogue SIP proxy using the organization's network to send SPIT outbound to the next victims. VoIPshield Systems sells a product called 'VoIPblock TM Anti-SPIT (Voice Spam)' that claims to be effective at mitigating SPIT threats by white/black listing based off of user feedback, employing the use of correlation engines and anti-spit policies (http://www.voipshield.com/products/voipblock.html). This product is designed to sit inline with a SIP proxy to stop SPIT traffic before it reaches the proxy, similar to snort inline IPS. Without being able to download it and test for myself, I cannot test to see if the product is effective at stopping threats as it claims to.
"Voice phishing or vishing, involves an attacker setting up a fake interactive voice response system (IVR) to trick victims into entering sensitive information such as account, PIN, and social security numbers, or any authentication info that is used to verify your identity" (Endler, 2007). Vishing, just like phishing and other existing social engineering threats, relies on the victim to trust the source. Whether it is links or attachments in e-mails, suspicious faxes, IMs from people you don't know, etc., if the trust and look of authenticity is maintained to a certain degree, then vulnerabilities like this will persist:

"More than 1,000 people in the Jefferson City area received a prerecorded phone message Wednesday that sought customer information and claimed to be from "Central Trust Bank" - a name Central Bank does not go by - and, in fact, showed Central Bank's customer service line on caller ID systems. The fraudulent attempt to obtain people's information by luring them with an "account deactivation" threat was dealt with quickly by Central Bank, Jefferson City Police Department and employees, said Dan Westhues, senior vice president of retail banking. By Thursday morning, more than 400 concerned customers had notified Central Bank of the situation. The latest scam again prompted officials to warn people not to give out pin numbers or account numbers for credit cards, debit cards or bank accounts to entities that already have them" (Brooks, 2007).

Fundamentally for this to work in a somewhat anonymous way for the attacker, he would have to have compromised a remote PC or remote SIP proxy. Trixbox, formerly called Asterisk@Home, is a SOHO version of the free Asterisk VoIP PBX. If an attacker could copy the trixbox .iso file to the compromised host and install it, he could potentially have a working remote VoIP PBX/IVR. A 1-800 number could be purchased from any random ITSP such as FreedomVoice or Sixtel (http://tollfree.freddomvoice.com/), (http://sixtel.net/). That '800' number would route calls to your rogue Asterisk proxy server. For this realistically to work, the firewall rules between the Internet and the compromised host would have to permit the VoIP traffic to your new rogue Asterisk proxy. The trixbox IVR system could be configured, and then the voice response messages for victims to hear must be recorded. While this is all possible and feasible, if an organization is monitoring firewall, VoIP, and other logs closely, then this suspicious activity from the rogue asterisk server would be brief. This topic also goes back to user/employee VoIP security awareness to not trust callers as much and to verify independently what they are saying (identify phone numbers, e-mails, etc. independently).
"Much in keeping with the theme of Black Hat, where honest is not the best policy but the only policy, iSec Partners security experts Himanshu Dwivedi and Zane Lackey took the stage to deliver the bad news: VoIP systems based on H.323 and the Inter Asterisk eXchange (IAX) protocols can be fairly easily compromised and brought down" (Messmer, 2007).

Navigating to www.isecpartners.com/voip_tools.html brings you to a site containing multiple VoIP security tools; some for auditing use and some for exploitation use:

• VSAP
VSAP is an automated question/answer tool to audit the security of VoIP networks (SIP/H.323/RTP). It provides security topics and audit questions for the end user to complete. Once all the questions are answered, VSAP will show all satisfactory and unsatisfactory responses and display a final score.

• RTP Injection Files
RTP injection files can be used with nemesis, a packet injection tool, for a variety of attacks on VoIP networks using RTP. Attack files include Flood, BYE, and Denial of Service.

• IAXHangup
IAXHangup is a tool used to disconnect IAX calls. It first monitors the network in order to determine if a call is taking place. Once a call has been identified, it then injects a HANGUP control frame into the call.

• IAXAuthJack
IAXAuthJack is a tool used to actively perform an authentication downgrade attack and force an endpoint to reveal its password in plaintext over the network. It performs this attack by sniffing the network for traffic indicating that a registration is taking place, and then injecting a REGAUTH specifying that the endpoint should authenticate in plaintext rather than MD5 or RSA.

These tools should be used carefully and can be used in a VoIP penetration test against an organization's VoIP infrastructure.
Attackers have been dreadfully successful at employing cross site scripting (XSS) attacks to gain confidential information from victims and from data resources. As expected, it was only a matter of time until an XSS vulnerability would be found and exploited against a VoIP phone. The new US-CERT/NIST CVE-2007-5411 details a “Cross-site scripting (XSS) vulnerability in the Linksys SPA941 VoIP Phone with firmware 5.1.8 allows remote attackers to inject arbitrary web script or HTML via the From header in a SIP message.” The SecurityFocus page provided greater details on this exploit:

“Linksys SPA941 devices are prone to HTML-injection vulnerability because the built-in web server fails to properly sanitize user-supplied input before using it in dynamically generated content. Attacker-supplied HTML and script code would execute in the context of the affected website, potentially allowing an attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible” (State, 2007).

This vulnerability falls into the category of insecure programming without input validation, just as so many other vulnerabilities have, and according to SecurityFocus, there is no remedy available as of October 2007 for organizations using this phone. In researching this further, I found the exploitive SIP INVITE message in question:

INVITE sip:h@192.168.1.3 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.9:5060;rport
To: sip:h@192.168.1.3
From: "<script>alert('hack')</script>""natraj"<sip:natraj@loria.fr>;tag=002f000c
Call-ID: 401010907@192.168.1.9
CSeq: 4857 INVITE
Content-Type: application/sdp
Subject: sip:natraj@loria.fr
Contact: "natraj" <sip:192.168.1.9:5060;transport=udp>
Content-Length: 214

v=0
o=root 47650 47650 IN IP4 192.168.1.9
s=session
c=IN IP4 192.168.1.9
t=0 0
m=audio 5070 RTP/AVP 3 0 110 5
a=rtpmap:3 GSM/8000/1
a=rtpmap:0 PCMU/8000/1
a=rtpmap:110 speex/8000/1
a=rtpmap:5 DVI4/8000/1
(State, 2007).

As you can see, the ‘From:’ header contains a script. Due to the lack of input validation, attackers are able to modify the ‘From:’ header to include scripts or to spoof caller ID numbers (as discussed later). There are likely other such XSS exploits against VoIP phone web servers that have not yet been reported but will be over time.

Another frightening prospective VoIP vulnerability is that of VoIP SIP botnets. Bots are zombie PCs that have been infected with some sort of malware and, unbeknownst to the owner, are under the control of a bot herder or command and control server. The bot herder controls the bots through a control channel such as Internet Relay Chat (IRC) or peer-to-peer (P2P) networks.
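Returning to the SPA941 From-header case above: the defect is that text an attacker controls in a SIP header is copied into the phone's web page unchanged. The following is an added example (not code from the report, the advisory or Linksys) that parses the From header of the INVITE reproduced above, shows the rendering pattern the advisory describes beside a hardened one that allow-lists the display name and HTML-escapes both fields. The allow-list pattern and the call-log row layout are assumptions for the example.

```python
import html
import re

# The From header from the SPA941 INVITE reproduced above (State, 2007).
EXPLOIT_FROM = '"<script>alert(\'hack\')</script>""natraj"<sip:natraj@loria.fr>;tag=002f000c'

# Allow-list for what a phone's call log accepts as a display name: letters,
# digits, space and a few punctuation marks, at most 64 characters. This is
# an assumption for the example, not the SPA941's own rule.
DISPLAY_NAME_OK = re.compile(r"^[\w .'\-]{0,64}$")


def parse_from_header(value):
    """Split a SIP From header into (display_name, uri, params).

    The addr-spec is the first '<sip:...>' in the value; everything before it
    is the display-name (surrounding quotes stripped) and everything after the
    closing '>' is the header parameters (here the tag)."""
    start = value.find("<sip:")
    end = value.find(">", start)
    if start < 0 or end < 0:
        raise ValueError("From header has no <sip:...> addr-spec")
    display = value[:start].strip().strip('"')
    uri = value[start + 1:end]
    params = value[end + 1:].lstrip(";")
    return display, uri, params


def render_call_log_row_vulnerable(display, uri):
    """The pattern the advisory describes: header text concatenated straight
    into the web UI's HTML, so a script in the display-name runs in the browser."""
    return "<tr><td>" + display + "</td><td>" + uri + "</td></tr>"


def render_call_log_row_hardened(display, uri):
    """Validate the display name against the allow-list, then HTML-escape both
    fields before they reach the page (escape even input that validated)."""
    if not DISPLAY_NAME_OK.match(display):
        display = "(invalid display name)"
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(display, quote=True), html.escape(uri, quote=True))


if __name__ == "__main__":
    name, uri, params = parse_from_header(EXPLOIT_FROM)
    print("display-name:", name)
    print("vulnerable  :", render_call_log_row_vulnerable(name, uri))
    print("hardened    :", render_call_log_row_hardened(name, uri))
```

The two defences are deliberately layered: the allow-list rejects the payload outright, and the escaping step means that even a display name that slips through validation cannot break out of the table cell. Phones that only store the header for a later web view still need the escaping at render time, which is where the SPA941 failed.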
“In just eight months the Storm worm has infected more than 20 million computers and built a zombie army -- or botnet -- capable of launching DDoS attacks that could be used against any organization or even damage critical infrastructure, according to security experts” (Tung, 2007). As you can see, there is a legitimate fear here that if the Storm worm can infect millions of PCs, VoIP SIP phones will also become infected and join other bots in attacks against data and/or VoIP resources throughout the world. As such, device logs should always be scrutinized so that offending external IP addresses can be blocked at the SIP firewall/edge device as soon as they are identified.

"On a larger level, though, it’s just a powerful reminder that the botnet threat is very real out there. And the question is… could your IP telephony infrastructure withstand a botnet attack? Is your larger IT infrastructure up to withstanding some degree of an attack? Do you have multiple VoIP gateways? Could you route around points on your infrastructure that were being attacked? Do you (gasp) have TDM trunks that could work as backups? I don’t know if anyone in Estonia has had their IP telephony disrupted by botnets, but odds are if the attacks are as bad as being reported, some companies probably did. What will you do to ensure your company’s IP communication isn’t disrupted should botnets come calling?" (York, 2007).

A SIP botnet could be ordered to perform DDoS attacks against any organization’s SIP infrastructure via INVITE, REGISTER, and BYE requests, subsequently overwhelming the SIP infrastructure including SIP firewalls and VIPSs.
Unrelated to VoIP botnets, an interesting vulnerability was found detailed in US-CERT/NIST CVE-2007-3047, noting that “The Vonage VoIP Telephone Adapter has a default administrator username "user" and password "user," which allows remote attackers to obtain administrative access”. Further research led me to the SecurityFocus website detailing this vulnerability further:

“The Vonage VoIP Telephone Adapter device is, by default, accessible from the WLAN/internet. The product ships with the default username of 'user' and default password of 'user' to access the administrative backend. Users are suggested to update their passwords immediately. An attacker could cause a denial-of-service by uploading broken firmware to the device, or by constantly rebooting the device” (Martinelli, 2007).

Given the prevalence of Vonage (not researched in this report) in the SOHO market, there are likely still thousands of these adapters in their default ‘out of box’ configuration, thus allowing attackers the ability to harvest calls and eavesdrop on conversations. This is similar to the lax effort of the average person to secure their Wi-Fi router ‘out of box’.
III. Real Time Protocol (RTP)
Real-Time Protocol, or RTP, is used for audio purposes, and is documented in RFC 3550 as an IETF standard. “RTP provides end-to-end network transport functions suitable for applications transmitting real-time data, such as audio, video or simulation data, over multicast or unicast network services. However, before the RTP voice call can be exchanged, each caller must know how to reach the callee(s) and other important call information, such as what codecs will be used/supported. The session to identify this information can be established using SIP, whereby a SIP proxy server will provide location information of/to both callers. During the SIP session, Session Description Protocol (SDP) messages will be exchanged to tell all callers what destination IP address to send packets to, what ports to open for RTP and RTCP, and what codec to use (SDP will be discussed in greater detail later on). However, the actual RTP voice call will not traverse or be proxied through the SIP proxy server. The RTP voice session will be directly between the two VoIP phones. It is important to identify these separations in functionality, since a potential attacker knows that he can target his reconnaissance and exploits against vulnerabilities in any of the above (SIP, SDP, RTP, and RTCP) in an effort to modify, degrade, or perform denial of service attacks against VoIP calls. The following is a simple diagram to illustrate the explained functionality:

Figure 15
(http://blog.lithiumblue.com/2007/07/understanding-relationship-between-sip.html)
There is some consideration that must be taken when defining the IP address to contact in the SDP message in terms of NAT traversal, but that will be discussed later on in the SIP section. RTP does not address resource reservation and does not guarantee quality-of-service for real-time services” (Schulzrinne, Casner, Frederick, Jacobson, 2003). While RTP is used for the actual data/voice audio exchange, RTCP is used to monitor the QOS of the audio, and to exchange control information with callers in a session. According to IANA, port 5004/udp has been seen used for RTP, and port 5005/udp for RTCP traffic (discussed later). However, according to RFC 3550, RTP and RTCP traffic is not bound to these ports, although they may be configured by default on some VoIP phones.

“For UDP and similar protocols, RTP SHOULD use an even destination port number and the corresponding RTCP stream SHOULD use the next higher (odd) destination port number. For applications that take a single port number as a parameter and derive the RTP and RTCP port pair from that number, if an odd number is supplied then the application SHOULD replace that number with the next lower (even) number to use as the base of the port pair.” (Schulzrinne, Casner, Frederick, Jacobson, 2003)

Since the 1-1024 port range is used for well known services, and many Linux distribution operating systems automatically assign ports in the 1024-5000 range for various services, research shows the broad range of dynamically selected RTP and RTCP ports beginning at 5000/udp, with no distinct end range. This knowledge is useful to an attacker, since a more targeted/smaller range of ports can be scanned against a target VoIP phone to identify active/open RTP and RTCP ports. Since RTP uses UDP for faster audio delivery due to less overhead when compared to TCP, there must be some method of keeping track of packets. The first 12 bytes of every RTP packet are the fixed RTP header, present in every packet of the stream. Like TCP, RTP also uses timestamps and sequence numbers to uniquely identify each RTP packet and reconstruct the voice conversation on the receiving end(s). The relationship of RTP and RTCP, using one port for data/audio exchange and a second port for data/audio control, is similar to FTP (File Transfer Protocol), where the initial connection is established to port FTP:21/tcp, and then a second connection is established on FTP:20/tcp for the data to be exchanged.
“The audio conferencing application used by each conference participant sends audio data in small chunks of, say, 20 ms duration. Each chunk of audio data is preceded by an RTP header; RTP header and data are in turn contained in a UDP packet. The RTP header indicates what type of audio encoding (such as PCM, ADPCM or LPC) is contained in each packet so that senders can change the encoding during a conference, for example, to accommodate a new participant that is connected through a low-bandwidth link or react to indications of network congestion… RTCP monitors the QOS to convey information to call initiators and receivers.” (Schulzrinne, Casner, Frederick, Jacobson, 2003)
While SIP and H.323 can be used to build sessions from end point to end point, both use RTP to send the actual media. VoIP, and specifically RTP, is susceptible to Man In The Middle (MITM) attacks. With regards to RTP, “the presence of the sequence number, timestamp, and synchronization source identifier (SSRC) makes it difficult for an attacker to inject malicious RTP packets into a stream. The attacker needs to be performing a MITM attack or be able to monitor the packets so that the malicious packets include the necessary SSRC, sequence number, and timestamp” (Endler, 2007). Generally speaking, when injecting malicious packets into a TCP connection, if the IP addresses, sequence numbers, protocols, flags, ports, etc. do not match, then the out of sequence packets will be dropped. However, with RTP, the MITM would have to be able to sniff the sequence numbers, synchronization source numbers, and timestamps. Without encryption, a voice call could be ‘fuzzed’ or degraded if it falls victim to a MITM attack, where the attacker would inject packets with altered sequence numbers, synchronization source numbers, and timestamps, thereby degrading the voice quality.
ARP cache poisoning seems to be the method of choice for executing a MITM attack. Assuming the malicious user has acquired access to a PC on the same network as the VoIP phone and VoIP proxy, this can be performed by the attacker using an ARP cache poisoning tool such as Cain and Abel to send out gratuitous ARP packets to all the VoIP phones and the VoIP proxy to change the MAC/IP address mappings. This is a layer 2 attack, which means that even if the VoIP traffic between the phone and VoIP proxy is encrypted, it can still be redirected through the malicious PC and then forwarded to the VoIP proxy; however, the sniffed traffic would all be ciphertext. This will continue to work as long as the VoIP phone and proxy continue to think that the destination MAC address in the Ethernet frames is the other's. The likelihood of this happening is remote, seeing as how the ‘man in the middle’ would have to be sniffing the call setup from the source phone/caller, or source data center (router uplink port or IDS SPAN port, etc.), or Internet/ISP leased network line, or destination data center (router uplink port or IDS SPAN port, etc.), or destination phone/caller, not to mention the fact that if the voice call becomes overwhelmed with static, the callers could simply hang up and call again. As you can see, the likelihood of this happening is very small. When compared with data, especially automated traffic, there is no human listening to identify if something is going wrong. One could only imagine the surprise when a VoIP call using RTP would be in progress and, mid-sentence, the destination caller would all of a sudden hear somebody else’s voice… The following is a diagram depicting the example:
Figure 16
The RTP injection of/replacing audio could also occur via a SIP rogue proxy attack (discussed later). While an IPSec VPN would encrypt all of the RTP packets (only the new layer 3 IP header would remain visible with ESP configured), effectively causing somebody sniffing/listening to the voice traffic to receive ciphertext, the solution does not scale well, since it is not dynamic enough given the many connections and NAT traversals that will be necessary, along with a PKI infrastructure. Secure Real-Time Protocol (SRTP), as defined in RFC 3711, provides a framework for securing RTP packets by providing encryption, authentication, and protection against replay attacks:

“SRTP can achieve high throughput and low packet expansion. SRTP proves to be a suitable protection for heterogeneous environments (mix of wired and wireless networks). To get such features, default transforms are described, based on an additive stream cipher for encryption, a keyed-hash based function for message authentication, and an "implicit" index for sequencing/synchronization based on the RTP sequence number for SRTP and an index number for Secure RTCP (SRTCP).” (Baugher, McGrew, Cisco Systems, Naslund, Carrara, Norrman, 2004)
This is similar to IPSec VPN functionality, and can be combined with it for added encryption and authentication when traversing between multiple organization sites (although this is not necessary). Just as RTP and RTCP use two separate ports to send traffic, SRTP and SRTCP would be used to encrypt both, respectively. This becomes important due to authentication needs in terms of ensuring the integrity of sequence numbers and QOS communications.

“SRTP and SRTCP use two types of keys: session keys and master keys. By a "session key", we mean a key which is used directly in a cryptographic transform (e.g., encryption or message authentication), and by a "master key", we mean a random bit string (given by the key management protocol) from which session keys are derived in a cryptographically secure way. The master key(s) and other parameters in the cryptographic context are provided by key management mechanisms external to SRTP such as MIKEY, KEYMGT, and SDMS;" however, the key management portion is beyond the scope of this report. (Baugher, McGrew, Cisco Systems, Naslund, Carrara, Norrman, 2004)
In the effort to secure RTP and RTCP, one would also want to defend against ‘replay’ attacks, which could be performed by a hacker sniffing the traffic stream and then injecting old or ‘replayed’ packets. All SRTP and SRTCP senders and receivers, while using integrity protection/authentication, keep a replay list, which can be used to compare incoming sequence numbers of RTP and RTCP packets to the sequence numbers of RTP and RTCP packets already received within a sliding window size of at least 64 bytes.
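The replay list and the "implicit" index mentioned in the RFC 3711 quote above fit together as follows: the receiver never sees the full 48-bit packet index on the wire, only the 16-bit RTP sequence number, so it first estimates the index from the sequence number, its roll-over counter (ROC) and the highest sequence number seen so far, and then checks that index against a window of previously authenticated indices (RFC 3711's window is counted in packet indices and must hold at least 64 of them). The following is an added example (not code from the report or from RFC 3711's authors) implementing the index estimation of RFC 3711 section 3.3.1 and the replay window of section 3.3.2 as a bitmap; the receiver state class that ties them together is this example's own structure, and it assumes each packet's authentication tag has already been verified before its index is recorded.

```python
SEQ_BITS = 16


def estimate_index(seq, s_l, roc):
    """RFC 3711 section 3.3.1 (pseudocode in Appendix A): estimate the packet
    index i = 2^16 * ROC + SEQ from the 16-bit SEQ on the wire, the highest
    SEQ received so far (s_l) and the local roll-over counter (ROC).
    Returns (index, v) where v is the ROC value the packet is placed in."""
    if s_l < 32768:
        v = (roc - 1) & 0xFFFFFFFF if seq - s_l > 32768 else roc
    else:
        v = (roc + 1) & 0xFFFFFFFF if s_l - 32768 > seq else roc
    return (v << SEQ_BITS) | seq, v


class ReplayWindow:
    """The replay list of RFC 3711 section 3.3.2 kept as a bitmap over the last
    `size` packet indices (SRTP_WINDOW_SIZE, at least 64). Only indices of
    packets whose authentication tag verified are recorded, so a forger cannot
    poison the window with made-up indices."""

    def __init__(self, size=64):
        self.size = size
        self.highest = -1  # highest authenticated index accepted so far
        self.bitmap = 0    # bit k set: index (highest - k) has been received

    def check(self, index):
        """True if `index` is fresh; False if already seen or older than the window."""
        if index > self.highest:
            return True
        diff = self.highest - index
        if diff >= self.size:
            return False
        return not (self.bitmap >> diff) & 1

    def update(self, index):
        """Record an index that passed check() and authentication."""
        if index > self.highest:
            shift = index - self.highest if self.highest >= 0 else self.size
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = index
        else:
            self.bitmap |= 1 << (self.highest - index)

    def accept(self, index):
        """check() and update() in one step for a packet that authenticated."""
        fresh = self.check(index)
        if fresh:
            self.update(index)
        return fresh


class SrtpReceiverState:
    """Per-stream receiver state (this example's own grouping): ROC, s_l and the
    replay window. receive() takes the SEQ of a packet whose tag is assumed to
    have verified and returns (index, accepted)."""

    def __init__(self, window_size=64):
        self.roc, self.s_l, self.started = 0, 0, False
        self.window = ReplayWindow(window_size)

    def receive(self, seq):
        if not self.started:  # first packet: index is just SEQ with ROC = 0
            self.started, self.s_l = True, seq
            self.window.update(seq)
            return seq, True
        index, v = estimate_index(seq, self.s_l, self.roc)
        if not self.window.check(index):
            return index, False
        self.window.update(index)
        # RFC 3711 section 3.3.1: after acceptance, roll ROC forward or raise s_l
        if v == ((self.roc + 1) & 0xFFFFFFFF):
            self.roc, self.s_l = v, seq
        elif v == self.roc and seq > self.s_l:
            self.s_l = seq
        return index, True


if __name__ == "__main__":
    rx = SrtpReceiverState()
    for seq in (65534, 65535, 0, 1, 65535, 3, 2, 2):  # wrap-around, then two replays
        print("seq %5d -> index %d, accepted=%s" % (seq, *rx.receive(seq)))
```

The order of operations matters: the index estimate is needed to build the authentication input, the tag is checked, and only then is the window updated. Updating the window before authenticating would let an attacker who injects packets with high sequence numbers shift the window forward and cause genuine late packets to be rejected.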
IV. Asterisk and Inter-Asterisk Exchange (IAX)
Inter-Asterisk Exchange (from now on called ‘IAX’) is a call control protocol that was designed for use with Asterisk. “Asterisk is a full-featured IP PBX in software. It was primarily developed on GNU/Linux for x86, but it also runs on other OSs, including BSD and MAC… Asterisk provides voicemail, directory services, conferencing, interactive Voice Response (IVR), and other features” (Endler, 2007). A good analogy when referring to Asterisk is that just as the open-sourced, Linux based software firewall IPtables is an alternative to Cisco’s proprietary PIX, ASA, and FWSM firewalls, Asterisk is the open-sourced, Linux based software IP PBX that is an alternative to Cisco’s proprietary Unified Call Manager. Asterisk generally uses SIP as its call session setup protocol. Asterisk, unlike Cisco’s Unified Call Manager or Avaya’s Communication Manager, does not have to run on a proprietary media server, and it can be configured with specific line cards to support legacy equipment and phones. As such, this allows organizations to gradually introduce VoIP deployments into their infrastructure while retaining the well tested and guaranteed QOS abilities of POTS and PBXs. Asterisk supports SIP, H.323, IAX, SCCP, and MGCP (Media Gateway Control Protocol, although research in many web forums indicates great difficulties in getting Asterisk to work with MGCP). Asterisk supports SIP by implementing both the SIP registrar and the SIP proxy server, which will both be discussed in the SIP section of this report. Essentially speaking, Inter-Asterisk Exchange is used for communications between multiple Asterisk IP PBXs. From the IAX2: Inter-Asterisk eXchange Version 2 draft-guy-iax-03, which is a ‘work in progress’, “IAX2 is an "all in one" protocol for handling multimedia in IP networks. It combines both control and media services in the same protocol. In addition, IAX2 uses a single UDP data stream on a static port, greatly simplifying Network Address Translation (NAT) gateway traversal, eliminating the need for other protocols to work around NAT, and simplifying network and firewall management” (Unknown, 2007).

IAX2 using port 4569/udp for both media and signaling is in contrast to FTP using port 21/tcp for control/setting up connections and port 20/tcp for data exchange. Asterisk was originally designed for smaller VoIP deployments, without the enterprise market in mind. However, IAX version 1 has been deprecated and replaced with IAX2 (still referred to as IAX). The reason for this was the bandwidth wasted by having multiple connections for media and signaling when an Asterisk VoIP PBX would handle many calls. An example showing how Asterisk with IAX2 scales well is that IAX2 supports the trunking or multiplexing of multiple phone calls to the same destination over a single IP datagram. While this functionality is beneficial in terms of lowering bandwidth consumption, if it is not encrypted and authenticated, an attacker sniffing this traffic before and after the VPN would be able to see requests in clear text. The following diagram illustrates the bandwidth savings of this implementation:
Figure 17
In the example above, there is an organization with offices in New York and Chicago. Each office uses an Asterisk VoIP PBX for voice traffic, in separate Asterisk domains. An IPSec VPN connection is set up between both sites so that data and voice can be exchanged in both directions. In this example, there are multiple calls, at both sites, that are simultaneously sending and receiving voice traffic. When a caller in Chicago picks up his SIP VoIP phone and receives a dial tone, the caller is already registered as a user agent to the SIP proxy, which is running on the Asterisk VoIP PBX. When the Chicago caller dials a NY caller’s number/extension, the request is sent first to the Chicago Asterisk SIP proxy server. The Chicago Asterisk SIP proxy server receives the request and looks in the extensions.conf file to identify how and where to forward the VoIP traffic. If the Asterisk VoIP PBX sees in the extensions.conf file that the destination number/extension is not a Chicago extension but a NY extension, the Dial() application’s parameters instruct the Asterisk server to connect the call through an IAX2 channel to the Asterisk VoIP PBX in the NY office/domain. The dial scripts in the extensions.conf file point to the iax.conf file for connecting to the NY Asterisk PBX (Endler, 2007). Taking into consideration that on any business day multiple users from one office would be calling users in the other office, you can see how building and tearing down all of these calls can become resource and bandwidth intensive. So instead of the Chicago Asterisk building separate connections for each Chicago-sourced call destined to a NY caller, using IAX2 trunking the same IP datagram is used, containing SRTP (secure audio) and SRTCP (secure control/QOS). This saving of overhead traffic, if done securely using SIP-TLS, SRTP, and SRTCP, would be beneficial, since the IP headers of all the datagrams will have the same source and destination IP addresses. Bandwidth is saved this way by utilizing IAX2’s trunking mode between multiple Asterisk VoIP PBXs.
As ment i oned ear l i er , t he ext ensi ons. conf f i l e i s t he f i l e
mai nt ai ned by t he Ast er i sk VoI P PBX t o know how t o f orward VoI P
t r af f i c. However care must be t aken t o conf i gur e t he scr i pt s i n
t hi s conf i gur at i on f i l e secur el y so t hat somebody coul d not
expl oi t t he weakness of t he conf i gur at i on f i l e and make cal l s f or
f r ee. I n t he ext ensi ons. conf f i l e, t her e ar e di f f er ent
‘ cont ext s’ or sect i ons of scri pt s t hat ar e used t o def i ne
Ast er i sk handl es i nt er nal , l ocal , out bound cal l s, and i nboundcal l s f r om ot her Ast er i sk VoI P PBX domai ns l i ke an or gani zat i on
wi t h mul t i pl e si t es. Ther e ar e cer t ai n cont ext s t hat have
speci al meani ng t o Ast er i sk such as [ def aul t ] and [ i nt er nal ] .
However ot hers can be def i ned by a user such as [ l ocal ]
( ext ensi ons t o l ocal phones at an Ast er i sk si t e) , [ out bound]
Page 55
8/22/2019 Voip Security Vulnerabilities 2036
http://slidepdf.com/reader/full/voip-security-vulnerabilities-2036 55/127
VoI P Secur i t y Vul ner abi l i t i es
Davi d Per sky 54
(pointing to a second or third Asterisk domain, or to the PSTN), and [inbound from 1.1.1.1] (calls arriving from another Asterisk domain). In a typical extensions.conf the [internal] context is the one granted outbound calling privileges. So if one were to merge the [local] context with the [internal] context, or let an inbound context include it, an inbound caller from the PSTN could get a dial tone and place calls for free, charged to the organization (Endler, 2007). A 'phreaker' is a term for a person who probes telecommunications equipment to identify 'holes', or vulnerabilities, in an effort to make free outbound calls sourced from, and charged to, the target organization. This is similar to the modern-day hacker who probes targets on the Internet for vulnerabilities to exploit later.

There is also an Asterisk manager interface that can be enabled on an Asterisk VoIP PBX.
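The toll-fraud weakness just described is a reachability question: can a context that untrusted callers land in reach a context that dials a trunk? The following script, added here as an illustration and not part of the paper or of Asterisk, parses a small constructed extensions.conf, follows its `include =>` and `Goto()` edges, and reports every untrusted entry point ([default] and any context whose name starts with "inbound") from which a trunk Dial() is reachable. The dialplan, the context names and the "@itsp-trunk" Dial() target are all assumptions made for the example.

```python
"""Toll-fraud lint for an Asterisk extensions.conf dialplan (added example).

Walks the 'include =>' and Goto() relationships between contexts and reports
any context that untrusted callers enter (an inbound trunk context or
[default]) from which a Dial() to an outbound trunk is reachable.
"""
import re
from collections import defaultdict

# Constructed sample dialplan. The weak version lets [inbound-from-pstn]
# and [default] reach [outbound] by way of [local] -> [internal].
WEAK_DIALPLAN = """
[general]
static=yes

[outbound]
exten => _1NXXNXXXXXX,1,Dial(SIP/${EXTEN}@itsp-trunk)
exten => _011.,1,Dial(SIP/${EXTEN}@itsp-trunk)

[internal]
include => local
include => outbound

[local]
exten => _1XX,1,Dial(SIP/${EXTEN})
include => internal

[inbound-from-pstn]
exten => 5551000,1,Goto(local,100,1)
include => local

[default]
include => local
"""

# Hardened: [local] no longer pulls [internal] (and so [outbound]) back in.
HARDENED_DIALPLAN = WEAK_DIALPLAN.replace(
    "exten => _1XX,1,Dial(SIP/${EXTEN})\ninclude => internal",
    "exten => _1XX,1,Dial(SIP/${EXTEN})")

SECTION_RE = re.compile(r"^\[([^\]]+)\]\s*$")
INCLUDE_RE = re.compile(r"^include\s*=>\s*(\S+)")
EXTEN_RE = re.compile(r"^exten\s*=>\s*([^,]+),\d+,(.*)$")
GOTO_RE = re.compile(r"Goto\(([^,)]+),")
TRUNK_RE = re.compile(r"Dial\([^)]*@[^)]*\)")   # Dial(SIP/num@peer): a trunk, not a phone

def parse_dialplan(text):
    """Return (edges, trunk_dials): context -> contexts it can jump into,
    and context -> extension patterns in it that Dial() a trunk."""
    edges, trunk_dials, ctx = defaultdict(set), defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            ctx = m.group(1)
            _ = edges[ctx]                       # register even an empty context
            continue
        m = INCLUDE_RE.match(line)
        if m and ctx:
            edges[ctx].add(m.group(1))
            continue
        m = EXTEN_RE.match(line)
        if m and ctx:
            pattern, app = m.groups()
            g = GOTO_RE.search(app)
            if g:                                # Goto() is a jump into another context
                edges[ctx].add(g.group(1))
            if TRUNK_RE.search(app):
                trunk_dials[ctx].append(pattern)
    return edges, trunk_dials

def reachable(edges, start):
    """Transitive closure of include/Goto edges from one context."""
    seen, stack = set(), [start]
    while stack:
        c = stack.pop()
        if c not in seen:
            seen.add(c)
            stack.extend(edges.get(c, ()))
    return seen

def find_toll_fraud_paths(text, untrusted=("default",), untrusted_prefix="inbound"):
    """{untrusted_context: [contexts with a trunk Dial() reachable from it]}"""
    edges, trunk_dials = parse_dialplan(text)
    findings = {}
    for src in edges:
        if src in untrusted or src.startswith(untrusted_prefix):
            hits = sorted(c for c in reachable(edges, src) if c in trunk_dials)
            if hits:
                findings[src] = hits
    return findings

if __name__ == "__main__":
    for name, plan in (("weak", WEAK_DIALPLAN), ("hardened", HARDENED_DIALPLAN)):
        print(name, find_toll_fraud_paths(plan))
```

Run against the weak dialplan the lint reports both [inbound-from-pstn] and [default] reaching [outbound]; against the hardened one it reports nothing. The same walk is worth running after every dialplan change, since a single `include =>` added for convenience is usually how the fraud path appears.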
“The Asterisk Manager allows a client program to connect to an Asterisk instance and issue commands or read PBX events over a TCP/IP stream. Integrators will find this particularly useful when trying to track the state of a telephony client inside Asterisk, and directing that client based on custom (and possibly dynamic) rules. In order to access the Asterisk Manager functionality a user needs to establish a session by opening a TCP/IP connection to the listening port (usually 5038/tcp) of the Asterisk instance and logging into the manager using the 'Login' action. This requires a previously established user account on the Asterisk server. User accounts are configured in /etc/asterisk/manager.conf. A user account consists of a set of permitted IP hosts, an authentication secret (password), and a list of granted permissions” (Jouanin, 2007).
This Asterisk manager provides a 'mile high' view into voice communications inside an organization (or at least into the call processing of that particular Asterisk VoIP PBX). In Asterisk versions prior to 1.4, the logon authentication, the command packets sent to the Asterisk Manager Interface (AMI), and the telephone state packets were all sent unencrypted over port 5038/tcp. This means that a malicious user sniffing this traffic could capture logon credentials for later logon and mischief, and could also glean information about traffic flows to and from that Asterisk VoIP PBX. AMI's 'Challenge' action, which lets the client prove knowledge of the secret by sending an MD5 hash of the challenge and the secret instead of the secret itself, keeps the password away from a passive sniffer, but nothing more: the username and every subsequent action and event still cross the wire in the clear, so the management channel itself must be encrypted or confined to a trusted network. To secure this type of management traffic AstManProxy was developed. AstManProxy is a proxy management server that fronts the management interfaces of multiple Asterisk VoIP PBXs.
“It is designed to handle communication with multiple Asterisk servers and to act as a single point of contact for applications. AstManProxy supports multiple input/output formats, including Standard, XML, CSV, and HTTP, HTTPS and SSL… Many other features have been added, including a new authentication layer and support for the Action: Challenge MD5 authentication method. SSL is now supported, so you can encrypt from client to proxy to asterisk, end-to-end. Talking to Asterisk via SSL requires that you are running an SSL-capable version of Asterisk”. According to the Asterisk bug forums, SSL/TLS support for the manager interface has also been built into Asterisk 1.6. Using stunnel and the OpenSSL libraries in combination with AstManProxy gives a user HTTPS (443/tcp) access to each Asterisk VoIP PBX (Troy, 2007).
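To make the difference between the two AMI login modes concrete, the following script, added here as an illustration (it is not Asterisk's or AstManProxy's code), builds and parses AMI packets, performs a plaintext 'Login' and an MD5 'Challenge' login against a toy verifier that does what manager.c does, and shows what a sniffer on 5038/tcp learns in each case. No network I/O is involved: the manager account and the challenge value are constructed for the example.

```python
"""Asterisk Manager Interface (AMI) login: plaintext versus MD5 challenge
(added example). AMI packets are CRLF-separated 'Key: value' lines ended by
a blank line. The account and the challenge below are constructed values.
"""
import hashlib

CRLF = "\r\n"

def build_packet(fields):
    """Serialise an ordered list of (key, value) pairs as one AMI packet."""
    return CRLF.join(f"{k}: {v}" for k, v in fields) + CRLF + CRLF

def parse_packet(data):
    """Parse one AMI packet back into a dict; a blank line ends the packet."""
    fields = {}
    for line in data.split(CRLF):
        if not line:
            break
        key, _, value = line.partition(": ")
        fields[key] = value
    return fields

def plaintext_login(username, secret):
    """The classic Login action: the secret crosses the wire verbatim."""
    return build_packet([("Action", "Login"),
                         ("Username", username),
                         ("Secret", secret)])

def md5_login(username, secret, challenge):
    """Challenge-response Login after 'Action: Challenge / AuthType: MD5':
    Key = hex(MD5(challenge || secret)); the secret itself is never sent."""
    key = hashlib.md5((challenge + secret).encode()).hexdigest()
    return build_packet([("Action", "Login"),
                         ("AuthType", "MD5"),
                         ("Username", username),
                         ("Key", key)])

def server_verify(login_pkt, challenge, secrets):
    """What the manager does: recompute the key (or compare the secret)
    for the claimed user against manager.conf."""
    p = parse_packet(login_pkt)
    secret = secrets.get(p.get("Username"))
    if secret is None:
        return False
    if p.get("AuthType") == "MD5":
        expect = hashlib.md5((challenge + secret).encode()).hexdigest()
        return p.get("Key") == expect
    return p.get("Secret") == secret

def sniffed_secret(login_pkt):
    """What a passive sniffer learns from the login: the secret, or nothing."""
    return parse_packet(login_pkt).get("Secret")

SECRETS = {"monitor": "s3cr3t-pass"}   # constructed manager.conf account
CHALLENGE = "113125891"                 # constructed; Asterisk sends a digit string

def demo():
    challenge_req = build_packet([("Action", "Challenge"), ("AuthType", "MD5")])
    plain = plaintext_login("monitor", SECRETS["monitor"])
    md5 = md5_login("monitor", SECRETS["monitor"], CHALLENGE)
    return {
        "challenge_request": challenge_req,
        "plain_ok": server_verify(plain, CHALLENGE, SECRETS),
        "md5_ok": server_verify(md5, CHALLENGE, SECRETS),
        "plain_leaks": sniffed_secret(plain),     # the password, in the clear
        "md5_leaks": sniffed_secret(md5),         # nothing usable offline
        # A captured MD5 Login replayed against a fresh challenge is rejected.
        "md5_replay_ok": server_verify(md5, "779213646", SECRETS),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, repr(v))
```

Both logins succeed, but only the plaintext one hands the sniffer the password, and a captured MD5 login is useless against the next challenge. Note what the MD5 mode does not do: every action and event after the login is still plaintext, and the username is still visible, which is why the proxy-with-SSL or native TLS options above are still needed.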
One of the recent vulnerabilities identified in Asterisk implementations was noted in US-CERT/NIST CVE-2007-1594: “The handle_response function in chan_sip.c in Asterisk before 1.2.17 and 1.4.x before 1.4.2 allows remote attackers to cause a denial of service (crash) via a SIP Response code 0 in a SIP packet.” Further researching this vulnerability led me to the Asterisk/Digium bug tracker, which included notes from the person reporting the bug. The scenario that triggered it was a user placing a call from their SIP phone, through their Asterisk SIP proxy, through the PSTN, to their mobile phone. When the mobile phone rang, the call was rejected, and a SIP response with code 0 was sent back, causing the Asterisk server to segfault (qwerty1979, 2007). This seemed strange to me, since per RFC 2543 (and its successor RFC 3261) SIP status codes are three-digit integers in the classes 1xx through 6xx. A code of 0 is therefore invalid, and it was this invalid value that caused the crash. This can be categorized as a vulnerability due to lack of input validation: validation logic that accepted only three-digit status codes in the range 100 to 699 and dropped anything else, including a response code of 0, would have prevented it.

Another Asterisk vulnerability was noted in US-CERT/NIST CVE-2007-1561: “The channel driver in Asterisk before 1.2.17 and 1.4.x before 1.4.2 allows remote attackers to cause a denial of service (crash) via a SIP INVITE message with an SDP containing one valid and one invalid IP address.” Further research led me to http://www.securityfocus.com/bid/23031/info, which also details that Asterisk is prone to this remote DoS attack, which prevents legitimate users from being able to place calls. Organizations using Asterisk were urged to replace vulnerable versions with Asterisk 1.2.17 or 1.4.2 (Abdelnur, 2007).
Finally, a third recent vulnerability reported for the Asterisk VoIP PBX is detailed in US-CERT/NIST CVE-2007-4455, noting that “The SIP channel driver (chan_sip) in Asterisk Open Source 1.4.x before 1.4.11, AsteriskNOW before beta7, Asterisk Appliance Developer Kit 0.x before 0.8.0, and s800i (Asterisk Appliance) 1.x before 1.0.3 allows remote attackers to cause a denial of service (memory exhaustion) via a SIP dialog that causes a large number of history entries to be created.”

“The handling of SIP dialog history was broken during the development of Asterisk 1.4. Regardless of whether recording SIP dialog history is turned on or off, the history is still recorded in memory. Furthermore, there is no upper limit on how many history items will be stored for a given SIP dialog. It is possible for an attacker to use up all of the system's memory by creating a SIP dialog that records many entries in the history and never ends. It is also worth noting, for the sake of doing the math to calculate what it would take to exploit this, that each SIP history entry will take up a maximum of 88 bytes.

The fix that has been added to chan_sip is to restore the functionality where SIP dialog history is not recorded in memory if it is not enabled. Furthermore, a maximum of 50 entries in the history will be stored for each dialog when recording history is turned on. The only way to avoid this problem in affected versions of Asterisk is to disable chan_sip. If chan_sip is being used, the system must be upgraded to a version that has this issue resolved” (Moldenauer, 2007).
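All three chan_sip issues above come down to unchecked input or unbounded state: an out-of-range status code, an SDP connection address that does not parse, and a per-dialog history with no cap. The following script, added here as an illustration and not Asterisk's code, shows the validation a response handler should apply for each case, using constructed SIP messages modeled on the descriptions above (a response with status code 0, an SDP with one valid and one invalid c= address, and a dialog that never ends).

```python
"""Defensive handling of the three chan_sip failure modes described above
(added example, not Asterisk's code): an out-of-range SIP status code
(CVE-2007-1594), an SDP body with an unparsable connection address
(CVE-2007-1561), and unbounded per-dialog history (CVE-2007-4455).
The messages below are constructed samples.
"""
import ipaddress
import re
from collections import deque

CRLF = "\r\n"
STATUS_LINE_RE = re.compile(r"^SIP/2\.0 (\d+) (.*)$")

class SipError(ValueError):
    """Raised for input that must be dropped rather than processed."""

def parse_status_line(line):
    """RFC 3261: Status-Code is exactly three digits, classes 1xx..6xx."""
    m = STATUS_LINE_RE.match(line)
    if not m:
        raise SipError(f"malformed status line: {line!r}")
    digits, reason = m.groups()
    code = int(digits)
    if len(digits) != 3 or not 100 <= code <= 699:
        raise SipError(f"invalid status code {digits!r}")
    return code, reason

def parse_sdp_connections(body):
    """Return the addresses from every 'c=' line; any that is not a valid
    IPv4/IPv6 literal is rejected instead of being carried into the call."""
    addrs = []
    for line in body.split(CRLF):
        if not line.startswith("c="):
            continue
        parts = line[2:].split()
        if len(parts) != 3 or parts[0] != "IN" or parts[1] not in ("IP4", "IP6"):
            raise SipError(f"malformed connection line: {line!r}")
        try:
            addr = ipaddress.ip_address(parts[2])
        except ValueError:
            raise SipError(f"invalid connection address: {parts[2]!r}") from None
        if (parts[1] == "IP4") != (addr.version == 4):
            raise SipError(f"address family mismatch: {line!r}")
        addrs.append(str(addr))
    return addrs

class Dialog:
    """Per-dialog state with the two properties the fix restored: nothing is
    recorded when history is off, and at most MAX_HISTORY entries otherwise."""
    MAX_HISTORY = 50

    def __init__(self, record_history=False):
        self.history = deque(maxlen=self.MAX_HISTORY) if record_history else None

    def note(self, event):
        if self.history is not None:
            self.history.append(event[:88])      # the advisory's 88-byte entry bound

    def history_len(self):
        return 0 if self.history is None else len(self.history)

def handle_response(raw):
    """Validate a SIP response (status line plus optional SDP body).
    Returns (status_code, media_addresses) or raises SipError."""
    head, _, body = raw.partition(CRLF + CRLF)
    code, _reason = parse_status_line(head.split(CRLF)[0])
    return code, (parse_sdp_connections(body) if body else [])

# Constructed samples.
CRASHING_RESPONSE = "SIP/2.0 0 Rejected" + CRLF + "CSeq: 1 INVITE" + CRLF + CRLF
GOOD_RESPONSE = ("SIP/2.0 200 OK" + CRLF + "CSeq: 1 INVITE" + CRLF + CRLF +
                 "v=0" + CRLF + "c=IN IP4 192.0.2.10" + CRLF +
                 "m=audio 49170 RTP/AVP 0" + CRLF)
BAD_SDP_RESPONSE = ("SIP/2.0 200 OK" + CRLF + "CSeq: 1 INVITE" + CRLF + CRLF +
                    "v=0" + CRLF + "c=IN IP4 192.0.2.10" + CRLF +
                    "m=audio 49170 RTP/AVP 0" + CRLF + "c=IN IP4 999.1.1.1" + CRLF)

def demo():
    out = {"good": handle_response(GOOD_RESPONSE)}
    for name, sample in (("code0", CRASHING_RESPONSE), ("badsdp", BAD_SDP_RESPONSE)):
        try:
            handle_response(sample)
            out[name] = "accepted"
        except SipError as e:
            out[name] = f"rejected: {e}"
    d = Dialog(record_history=True)
    for i in range(10_000):                      # an attacker-driven never-ending dialog
        d.note(f"Rx message {i}")
    out["history_len"] = d.history_len()
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The good response yields 200 and a single media address; the code-0 response and the one with the bogus second address are rejected before anything downstream sees them; and ten thousand history events on one dialog leave fifty entries in memory, not ten thousand.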
V. Session Initiation Protocol (SIP)

SIP is an application layer protocol used for establishing, modifying, and tearing down call sessions between two or more parties. SIP does not carry the voice audio itself from the source caller to the destination; that is the job of RTP. Similar to how a website is identified by its URL (Uniform Resource Locator), a user or caller is identified by a URI (Uniform Resource Identifier). The general format of a SIP URI is:

sip:user:password@host:port;uri-parameters?headers

The SIP URI is important to know and understand, since the modification and insertion of URIs into the SIP 'From:' header will be brought up later on. Some examples of URIs that one would find registered to a SIP proxy server are the following:

• sip:robert@london.com
• sip:8411234567@whoami.com
• sip:robert:secretword@london.com;transport=tcp
• sip:+1-841-123-4567:1234@gateway.com;user=phone
• sip:robert@147.16.15.7:5060
• sip:london.com;method=REGISTER?to=robert%40london.com
• sip:robert;day=friday@london.com
(Endler, 2007)
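The examples above show why naive string splitting goes wrong: the user part may itself contain ';' (robert;day=friday), a password may sit between user and host, the host may carry a port, and the header part may contain an escaped '@'. The following parser, added here as an illustration and not part of the paper, follows the general format given above, handles each of those cases, and flags the things a registrar or proxy should be unhappy about (an embedded password, URI headers that a UA will copy into its request, no TLS transport). The IPv6 sample URI is constructed; the rest are the ones listed above.

```python
"""Parser for the SIP URI form sip:user:password@host:port;uri-parameters?headers
(RFC 3261 section 19.1), with proxy-side sanity warnings. Added example."""
from urllib.parse import unquote

def parse_sip_uri(uri):
    """Split a SIP or SIPS URI into its components; ValueError on junk."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() not in ("sip", "sips"):
        raise ValueError(f"not a SIP URI: {uri!r}")
    # '@' may not appear unescaped in host, parameters or headers, so the
    # last '@' ends the userinfo, which may itself contain ';' or ':'.
    userinfo, _, hostpart = rest.rpartition("@")
    user, _, password = userinfo.partition(":")
    hostpart, _, headerpart = hostpart.partition("?")
    hostport, *param_items = hostpart.split(";")
    if hostport.startswith("["):                 # IPv6 reference: [2001:db8::1]:5060
        host, _, port = hostport[1:].partition("]")
        port = port.lstrip(":")
    else:
        host, _, port = hostport.partition(":")
    if not host:
        raise ValueError(f"missing host in {uri!r}")
    if port and not port.isdigit():
        raise ValueError(f"bad port in {uri!r}")
    params = {}
    for item in param_items:
        k, _, v = item.partition("=")
        params[k.lower()] = unquote(v) if v else None
    headers = {}
    if headerpart:
        for item in headerpart.split("&"):
            k, _, v = item.partition("=")
            headers[k.lower()] = unquote(v)
    return {"scheme": scheme.lower(), "user": unquote(user),
            "password": unquote(password), "host": host.lower(),
            "port": int(port) if port else None,
            "params": params, "headers": headers}

def security_warnings(uri):
    """Things a registrar or proxy should refuse, or at least log."""
    u = parse_sip_uri(uri)
    warn = []
    if u["password"]:
        warn.append("password embedded in URI (RFC 3261: NOT RECOMMENDED); "
                    "it is visible on the wire and in every log line")
    if u["headers"]:
        warn.append(f"URI carries header fields {sorted(u['headers'])}: a UA "
                    "dereferencing it copies them into its own request")
    if u["scheme"] == "sip" and u["params"].get("transport") != "tls":
        warn.append("no TLS transport: signaling, including digest challenges, "
                    "is sent in clear text")
    return warn

SAMPLE_URIS = [
    "sip:robert@london.com",
    "sip:8411234567@whoami.com",
    "sip:robert:secretword@london.com;transport=tcp",
    "sip:+1-841-123-4567:1234@gateway.com;user=phone",
    "sip:robert@147.16.15.7:5060",
    "sip:london.com;method=REGISTER?to=robert%40london.com",
    "sip:robert;day=friday@london.com",
    "sips:robert@[2001:db8::1]:5061",            # constructed
]

if __name__ == "__main__":
    for s in SAMPLE_URIS:
        print(s, "->", parse_sip_uri(s), security_warnings(s))
```

Note how the REGISTER example parses with an empty user and a 'to' header: that URI is not a user's address at all but an instruction to whoever dereferences it, which is exactly the kind of URI that should never be accepted blindly from a Contact or From header.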
Before discussing how SIP is used, the devices necessary, and a typical call flow, the various elements of a SIP architecture must be identified:

• User Agents (UA) – Any client application or device that initiates a SIP connection, such as an IP phone, PC softphone, PC instant messaging client, or mobile device. The user agent can also be a gateway that interacts with the PSTN.
• Proxy Server – A server that receives SIP requests from various user agents and routes them to the appropriate next hop. A typical call traverses at least two proxies before reaching the intended callee.
• Redirect Server – Sometimes it is better to offload the processing load on proxy servers by introducing a redirect server. A redirect server directs incoming requests from other clients to contact an alternate set of URIs.
• Registrar Server – A server that processes REGISTER requests. The registrar processes REGISTER requests from users and maps their SIP URI to their current location (IP address, username, port, etc.). For instance, sip:bill@abchacksus.com might be mapped to something like sip:bill@192.168.1.100:5060.
• Location Server – The location server is used by a redirect server or a proxy server to find the destination caller's possible location. This function is most often performed by the registrar server. (Endler, 2007)

It is important to identify all the elements in a SIP infrastructure and understand their designed functionality, because that is exactly how an attacker approaches it: a vulnerability in one element can be exploited to attack the others. The following diagram gives a visual representation of all the SIP VoIP resources that can be deployed in an environment. It also shows a high availability (HA) firewall pair, which is not necessary for SIP to work but is a best practice for greater availability of data and VoIP resources:

Visual Example:
Figure 18

Some of the most popular VoIP PBXs that implement SIP are Asterisk and SIP Express Router (SER). Since SIP responses (RFC 3261) are modeled on HTTP response codes, it is easy to send stimulus traffic and interpret the response when enumerating a SIP VoIP network. Just as there are various TCP flags used in building a connection and exchanging data, SIP implements various request methods to build a session:

SIP Requests – RFC 3261
• INVITE – Initiates a session.
• BYE – Terminates an existing session between two users.
• OPTIONS – Determines the SIP methods and codecs that the UA or server understands.
• REGISTER – Registers the current location of a SIP user.
• ACK – Acknowledges a final response to an INVITE request.
• CANCEL – Cancels a pending INVITE request, but does not affect completed sessions (for example, it stops call setup while the phone is still ringing).
• REFER – Transfers calls and refers the recipient to external resources.
• SUBSCRIBE – Indicates the desire to receive future NOTIFY requests.
• NOTIFY – Provides information about a state change that is not related to a specific session.

Now that the SIP request types have been listed, some of them can be modified and sent as probes to enumerate SIP resources, the purpose being to gain a working knowledge of valid target usernames or extensions.

Something to keep in mind when enumerating valid and invalid extensions in a VoIP infrastructure is that different SIP proxy servers may respond slightly differently to the same stimulus message. For example, the SIP Express Router (SER) may answer a probe with a different SIP error code than an Asterisk VoIP PBX running as a SIP proxy would. When a SIP UA connects to a network, the first thing it does is send REGISTER messages to the SIP proxy or registrar server, so that other SIP UAs trying to reach the new UA can query the proxy for its location and have their calls routed to it. Included in this REGISTER message is the VoIP phone's IP address, as provided by DHCP. This registration process is worth probing and enumerating to identify which extensions and usernames exist. The risk here is that a malicious user could connect an unauthorized SIP phone or UA to the network, identify an authorized extension or username using an automated REGISTER scanning tool, and register as one of the valid extensions to gain full calling privileges. Not only would there be an unauthorized UA registered with the SIP proxy, but the attacker
would be impersonating an organization's employee's UA phone while attacking other resources. This is referred to as REGISTER hijacking, and will be discussed in greater detail shortly.

Another method of identifying usernames and extensions is INVITE username enumeration. Before discussing that, however, the SIP INVITE call flow must be understood. The following is a simple diagram that depicts the INVITE call flow. It is simple because real-world deployments would likely have the SIP messages traversing multiple SIP proxies:

Figure 19
(http://www.packetizer.com/voip/sip/papers/understanding_sip_voip/sip_call_flow.png)

"INVITE scanning is the noisiest and least stealthy method for SIP username enumeration because it involves actually ringing the target's phones. Even after normal business hours, missed calls are usually logged on the phones and on the target SIP proxy, so there's a fair amount of trace back evidence left behind" (Endler, 2007).
As such, INVITE username enumeration queries the SIP proxy to identify the username/extension format and which legitimate users are already registered. If the URI of the UA you are sending INVITE messages to doesn't exist or isn't registered, the SIP proxy responds with a 'SIP/2.0 404 Not Found' response (similar to browsing to a web page that no longer exists).

Another type of enumeration scan available is an OPTIONS scan. SIP OPTIONS messages are used to determine the SIP methods and codecs that the UA or server understands. So if an attacker crafts OPTIONS messages targeted at a given UA, and the UA is registered, the attacker receives a SIP '200 OK' response together with the information about which SIP methods and codecs the target supports. SIPSCAN, one of the freeware SIP username enumeration tools found on the VoIPSA website, is a good tool for performing the above enumerations. A practical caveat follows from the difference between proxies noted above: the scanning tool, and equally the detection signature watching for it, has to be calibrated against the specific product, and a registrar that answers known and unknown users identically gives the scanner nothing to distinguish.

Going back to the REGISTER username enumeration section above, REGISTER hijacking would allow an unauthorized UA to impersonate an authorized UA, and would cause inbound calls to the authorized UA to be routed to the unauthorized UA, as well as providing full calling privileges. Once the unauthorized UA is registered, it could then be used for VoIP vishing or SPIT attacks. The diagram below depicts the REGISTER hijacking scenario.
Figure 20 (Collier, 2005)

These REGISTER hijacking attacks can be mitigated by only implementing SIP proxies or registrars that challenge REGISTER requests for credentials, using digest authentication with at least MD5 (the algorithm RFC 3261 mandates) and preferably a stronger hash such as SHA-1 where the implementation supports it. The authentication measures outlined in RFC 4474, as well as the following steps, should be taken to prevent REGISTER hijacking:

• Detect and alert upon directory scanning attempts.
• Detect and alert upon any failed authentication attempts, specifically upon attempts to use dictionaries to guess passwords. Thresholds on failed logons at 5, 10, 20, and 50 attempts are suggested to limit false positives.
• Log all REGISTER requests.
• Alert upon any unusual pattern of REGISTER requests.
• If the UAs being used never use a REGISTER request to remove valid contacts, detect and block any use of this request (a REGISTER carrying Expires: 0 or a '*' Contact).
• Limit REGISTER requests to an established user 'white list'.
• Act as a proxy and provide strong authentication for registrars that lack the ability to do so themselves. (Collier, 2005)
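The enumeration scans described earlier and the first two mitigation steps in the list above are two sides of the same traffic, so the following script, added here as an illustration and not code from the paper or from any of the tools it names, shows both: it builds OPTIONS and REGISTER probes the way a scanner does, answers them with a toy registrar that behaves as the text describes (404 for unknown users, a digest challenge for known ones, 403 for a wrong password), and then runs the resulting proxy log through a detector that applies the directory-scan and 5/10/20/50 failed-authentication thresholds. The directory, the realm, the nonce and the scanner's source address are constructed; a real registrar varies its nonce per challenge.

```python
"""SIP username enumeration and its detection (added example). A scanner
side, a toy registrar, and a detector applying the thresholds listed above.
The user directory, realm, nonce and source address are constructed values."""
import hashlib
import re
from collections import Counter, defaultdict

CRLF = "\r\n"
REALM = "pbx.example"
NONCE = "1a2b3c4d"                                   # constructed; real ones vary
DIRECTORY = {"100": "pw100", "101": "Summer07", "bill": "letmein"}   # constructed

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, password, method, uri, nonce=NONCE, realm=REALM):
    """RFC 2617 digest response without qop, as SIP UAs compute it."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

def build_request(method, user, domain, seq, password=None, src_ip="198.51.100.7"):
    """Minimal well-formed SIP request for an OPTIONS/INVITE/REGISTER probe."""
    uri = f"sip:{domain}" if method == "REGISTER" else f"sip:{user}@{domain}"
    lines = [f"{method} {uri} SIP/2.0",
             f"Via: SIP/2.0/UDP {src_ip}:5060;branch=z9hG4bK{seq:08x}",
             f"From: <sip:{user}@{domain}>;tag=t{seq}",
             f"To: <sip:{user}@{domain}>",
             f"Call-ID: {seq}@{src_ip}", f"CSeq: {seq} {method}"]
    if password is not None:
        lines.append(f'Authorization: Digest username="{user}", realm="{REALM}", '
                     f'nonce="{NONCE}", uri="{uri}", '
                     f'response="{digest_response(user, password, method, uri)}"')
    lines.append("Content-Length: 0")
    return CRLF.join(lines) + CRLF + CRLF

def registrar_response(request):
    """Toy registrar with the observable behaviour the text relies on: 404 for
    an unknown To: user, 200 for OPTIONS to a known one, 401 when a known user
    sends no credentials, 403 on a wrong digest, 200 on a correct one."""
    method, uri = request.split(" ", 2)[:2]
    hdr = dict(l.split(": ", 1) for l in request.split(CRLF) if ": " in l)
    user = re.search(r"sip:([^@>]+)@", hdr["To"]).group(1)
    if user not in DIRECTORY:
        return 404
    if method == "OPTIONS":
        return 200
    if "Authorization" not in hdr:
        return 401
    sent = re.search(r'response="([0-9a-f]{32})"', hdr["Authorization"]).group(1)
    return 200 if sent == digest_response(user, DIRECTORY[user], method, uri) else 403

def enumerate_users(candidates, domain, method="OPTIONS", src_ip="198.51.100.7"):
    """Scan the way SIPSCAN-style tools do; returns (valid_users, proxy_log)."""
    valid, log = [], []
    for seq, user in enumerate(candidates, 1):
        code = registrar_response(build_request(method, user, domain, seq, src_ip=src_ip))
        log.append((src_ip, method, user, code))
        if code != 404:
            valid.append(user)
    return valid, log

def guess_password(user, domain, wordlist, src_ip="198.51.100.7"):
    """REGISTER with each candidate password; returns (hit_or_None, proxy_log)."""
    hit, log = None, []
    for seq, pw in enumerate(wordlist, 1):
        code = registrar_response(build_request("REGISTER", user, domain, seq, pw, src_ip))
        log.append((src_ip, "REGISTER", user, code))
        if code == 200:
            hit = pw
            break
    return hit, log

THRESHOLDS = (5, 10, 20, 50)

def detect(log, scan_threshold=5):
    """Alert on directory scanning (distinct unknown users per source) and on
    failed authentication at the 5x/10x/20x/50x thresholds listed above.
    Each log entry is (src_ip, method, user, status_code), as a proxy logs it."""
    alerts, unknown, failed = [], defaultdict(set), Counter()
    for src, method, user, code in log:
        if code == 404:
            unknown[src].add(user)
            if len(unknown[src]) == scan_threshold:
                alerts.append(f"{src}: {method} directory scan, {scan_threshold} unknown users")
        elif code == 403:
            failed[src] += 1
            if failed[src] in THRESHOLDS:
                alerts.append(f"{src}: {failed[src]} failed REGISTER authentications")
    return alerts

if __name__ == "__main__":
    found, log1 = enumerate_users([str(n) for n in range(100, 110)] + ["bill"], "pbx.example")
    pw, log2 = guess_password("101", "pbx.example",
                              ["password", "123456", "qwerty", "voip", "asterisk", "letmein", "Summer07"])
    print("valid users:", found, "| password for 101:", pw)
    print(*detect(log1 + log2), sep="\n")
```

With the sample directory the scan finds 100, 101 and bill, the wordlist recovers 101's password on the seventh try, and the detector raises exactly two alerts: a directory scan at the fifth unknown user and a failed-authentication alert at the fifth wrong password. Note that the 404-versus-200 distinction the scanner depends on is also what the detector keys on; a registrar that answers both cases identically removes the signal from both.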
Just as data network intrusion detection/prevention systems have been broadly deployed to gain 'vision' into and secure an organization's networks, so too have VoIP intrusion detection/prevention systems. VoIP IDS/IPS products carry VoIP signatures that can detect the broad and noisy REGISTER, INVITE, and OPTIONS scanning described above. A VoIP IDS can have all VoIP packets copied to its sniffing interface via a SPAN session, or it can be placed inline in front of the SIP proxy server and on the SIP trunk going to the ITSP. There are a number of vendors and VoIP managed security service providers competing with various solutions:

• SecureLogix – www.securelogix.com
• Sipera – www.sipera.com
• Ingate – www.ingate.com
• Borderware – www.borderware.com

This then leads into how an organization's VoIP infrastructure securely connects to the rest of the world, so that the organization can call outbound and the world can call inbound, instead of just having calls placed internally. An organization can connect its SIP VoIP infrastructure to an ITSP via a SIP trunk, and have that SIP trunk terminate on some sort of SIP-capable firewall or edge device.
“SIP trunk security is essential for the protection of VoIP networks. Many enterprises deploy SIP trunks to save money by peering the enterprise VoIP network with the carrier network. Rather than using the PSTN, these enterprises use
the same connection for all their communication. Enterprises may also use SIP trunks to create federations between themselves and peer their VoIP networks with each other to bypass the carrier altogether. These SIP trunks are vulnerable to standard signaling and media security issues, but are susceptible to demarcation and peering issues as well. More potential threats can exist as enterprises federate and trust others to provide authentication” (Sipera, 2006)

Please review the following diagram:

Figure 21 (Sipera, 2006)

The diagram above is a 'mile high' look at the SIP trunk connectivity between an organization and its ITSP, as well as Sipera's SIP trunk security solution. It is more secure for the ITSP that an organization buys VoIP SIP trunk service from
to route the SIP trunk traffic across the provider's backbone network rather than the public Internet. It is at the VoIP IDS/IPS that media and signaling manipulation can be detected with proper VoIP IDS signatures, and a malicious internal or external host can be 'shunned', or temporarily blocked. As an added bonus, the Sipera IPCS solution provides a VoIP VPN: realistically, a teleworker working from home with a VoIP phone could dial an organization's internal extensions, have the SIP session established between the callers, and have the SRTP voice stream and SRTCP control follow. It is important to remember that even though the VoIP call between the teleworker's VoIP phone and the organization's SIP firewall/VPN/edge device is encrypted and authenticated, without SIP-TLS and SRTP being used inside the organization as well, once the VoIP packets are decrypted at the edge and routed internally they are sent in clear text and remain exposed to internal attacks. Thus the need for end-to-end encryption and authentication still remains.

If an organization decides not to use a SIP trunk to an ITSP, it must instead connect and translate its internal VoIP infrastructure to the PSTN through a media gateway driven by a Media Gateway Controller (MGC). Conversely, it is also at that point where external callers' voice and signaling get translated and forwarded to the SIP proxy. Media gateway controllers mostly use the Media Gateway Control Protocol (MGCP), which complements SIP (Techfaq, 2006). A media gateway could be a Cisco IOS router with analog or digital voice ports. Media gateways can be classified according to the connectivity they provide; for example, a media gateway that terminates trunks connecting to the telephone network can be referred to as a trunking gateway. Further discussion of the issues
involved in signaling translation with media gateway controllers and MGCP can be found in RFC 3435.

A SIP session must be established before the calling parties begin exchanging RTP media (voice audio) and RTCP (control) packets. The information needed to set up the RTP streams between the callers (addresses, ports and codecs) is carried in SDP (Session Description Protocol) bodies exchanged among the SIP UAs during session establishment.

As an example of identifying running VoIP services by using Nmap against a VoIP SIP proxy server, I installed a freeware IP PBX on a test Windows host. The freeware program used for testing was 3CX VoIP, which can be found at http://www.3cx.com/VOIP/voip-phone.html. The following is a screenshot of a short Nmap scan performed from one host against the dummy Windows XP x64 host running the 3CX SIP proxy server:

Figure 22

To verify whether the SIP VoIP ports 5060/tcp and 5061/tcp were open, I performed a simple Nmap SYN scan, which only sends TCP packets to ports 5060 and 5061 with the SYN flag
set. For this test, on the SIP proxy server's host-based firewall, I explicitly permitted inbound TCP packets to port 5060 but blocked SIP-TLS on 5061/tcp. As you can see from the scan, port 5060/tcp is open and 5061/tcp is not. One caveat: a SYN scan is TCP only, and most SIP signaling actually runs over 5060/udp, so a TCP-only scan can report a SIP proxy as closed while it is answering on UDP. A UDP scan (nmap -sU -p 5060) or an application-level SIP OPTIONS probe is needed to see that listener. To delve deeper into Nmap scanning of VoIP devices, an attacker can perform 'stack fingerprinting', attempting to identify the OS running on the target IP. For example, an attacker might Nmap scan a SIP proxy server running SIP Express Router to identify the underlying OS. Continuing the example, say the attacker was able to determine the SIP Express Router version and saw that it was patched with the latest updates. However, the attacker also found SSH port 22/tcp open during reconnaissance, and there may have been a recent public vulnerability in the way Linux distribution 'x' handles SSH connection attempts. If the attacker could successfully exploit the SSH vulnerability on the SIP server and gain control of it, he would have bypassed having to exploit any vulnerability in the VoIP SIP application itself.

The spoofing of caller ID numbers, as discussed earlier, has been occurring for some time now with POTS phones and PBXs through the PSTN. However, as VoIP deployments have increased both in homes and organizations, VoIP caller ID spoofing has become more prevalent too. Spoofing one's caller ID is similar to spoofing one's source IP address, in that the action is not itself an attack; it is meant to obscure the true source of what is to come. As mentioned above, SIP INVITE messages carry a 'From:' header containing a URI. The following is an example of a made-up From header:

From: IRS Government <sip:18773879134@irs.gov>;tag=2398576017
It is the display name, “IRS Government”, that would be shown on the destination caller's caller ID screen, and in a basic SIP deployment nothing checks that the display name or the From URI has anything to do with who actually sent the INVITE. Some freeware tools on the Internet that allow you to modify the 'From:' header to spoof your caller ID are 'inviteflood', 'spitter', and 'SiVuS'.

“RFC 3261 requires support for digest authentication. When coupled with the use of TLS between each SIP user agent and SIP proxy, digest authentication can be used to securely authenticate the user agent. Next, when this user agent sends a call to another domain, its identity can be asserted. This approach enhances authentication, but only provides hop-by-hop security, and it breaks down if any participating proxy does not support TLS and/or is not trusted.” (Endler, 2007).

SIP-TLS on 5061/tcp is used to encrypt SIP messages between SIP elements in a VoIP infrastructure. RFC 4474 discusses end-to-end authentication of the caller's identity in greater detail. It specifies an authentication service that assures the destination callers that the person calling them was authorized to populate the 'From:' header with the 'return address' URI. This authentication would take place on the initial INVITE request, performed by a dedicated authentication proxy server or by a SIP proxy server also filling this role. A hash is computed over the 'From:' header field and other headers (To, Call-ID, CSeq, Date, Contact) and the message body, the hash is signed with the private key belonging to the sending domain's certificate, and the signature is placed in a new SIP header field called the 'Identity' header. Along with that, an additional header called 'Identity-Info' tells the destination how to acquire the certificate used for signing (Peterson, Jennings, 2006). Please view appendix one in the appendix section at the end of this report for a detailed example. While these proposals would be effective in providing much stronger authentication, they would have
to be implemented across all organizations, service providers, governments, etc., to be effective. This is similar to DNSSEC, whereby the security proposals and functionality exist, however they are not implemented on the large scale necessary to be effective.
There have been many issues regarding the NAT traversal of VoIP traffic. This has been particularly troublesome for SIP implementations, as NAT has been known to 'break' SIP, peer-to-peer applications, and others. This is in part due to VoIP protocols handling call signaling sufficiently, but then randomizing the port used to send the audio.
"At first, for both the calling and the called party everything will appear just fine. The called party will see the calling party's Caller ID and the telephone will ring while the calling party will hear a ringing feedback tone at the other end. When the called party picks up the telephone, both the ringing and the associated ringing feedback tone at the other end will stop as one would expect. However, the calling party will not hear the called party (one way audio) and the called party may not hear the calling party either (no audio)." (jht2, 2007)
This is also due to a VoIP phone user in one office wanting to call a VoIP phone user in a different office, with the packets traversing the Internet while NAT is being performed, and the source VoIP phone not knowing the publicly routable destination IP address/port to send packets to. Both VoIP phones are behind a NAT policy on the organization's firewall. A feasible, yet impractical, solution would be to configure unique static one-to-one NAT translations for each of an organization's internally addressed VoIP phones. While this is possible, it is not practical for an organization that has multiple sites, with
hundreds of employees at each site, each of them having their own VoIP phone. To perform such an impractical solution on such a large scale would require an organization to secure multiple class B sized publicly addressed networks (or at least multiple contiguous class C networks supernetted together). As such, workarounds such as STUN, TURN, and B2BUA were designed. However, it turns out that STUN (Simple Traversal of User Datagram Protocol through NAT), TURN (Traversal Using Relay NAT), and other such protocols used individually do not solve the UDP NAT traversal problem.
"Interactive Connectivity Establishment (ICE) is a technique for NAT traversal for UDP-based media streams (though ICE can be extended to handle other transport protocols, such as TCP [I-D.ietf-mmusic-ice-tcp]) established by the offer/answer model. ICE is an extension to the offer/answer model, and works by including a multiplicity of IP addresses and ports in SDP offers and answers, which are then tested for connectivity by peer-to-peer connectivity checks. The IP addresses and ports included in the SDP and the connectivity checks are performed using STUN and TURN" (Rosenberg, 2007) – Work in progress.
ICE, STUN, and/or TURN servers sit in an organization's DMZ and try to identify what the publicly NAT'd IP/port is for an internal VoIP phone sending outbound traffic. A strong backing for the universal use of ICE was provided when Microsoft and Cisco announced their support for it (Unknown, 2005). Essentially ICE tries to find as many sockets or 'candidates' (IP/port combinations) as it can that could be used to route traffic between the two VoIP phones. It does this by performing STUN connectivity checks of the 'candidates'. Thankfully each STUN connectivity check is
authenticated with a message authentication code (hash) computed using a key exchanged in the signaling channel. If not for that, this process would open itself up to multiple vulnerabilities that could be exploited in a variety of ways, by an attacker fooling user agents about the candidates and essentially hijacking the process:
• False Invalid
An attacker can fool a pair of agents into thinking a candidate pair is invalid, when it isn't. This can be used to cause an agent to prefer a different candidate (such as one injected by the attacker), or to disrupt a call by forcing all candidates to fail.
• False Valid
An attacker can fool a pair of agents into thinking a candidate pair is valid, when it isn't. This can cause an agent to proceed with a session, but then not be able to receive any media.
• False Peer-Reflexive Candidate
An attacker can cause an agent to discover a new peer reflexive candidate, when it shouldn't have. This can be used to redirect media streams to a DoS target or to the attacker, for eavesdropping or other purposes.
(Rosenberg, 2007) – Work in progress.
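To make concrete what protects a connectivity check against the three attacks above, the following is an added Python example (not code from the paper or from the ICE draft) that builds a STUN Binding Request carrying USERNAME and MESSAGE-INTEGRITY in the RFC 5389 layout, then verifies it with the password that the SDP exchange would have carried and rejects a tampered, unkeyed or truncated check. The credentials are constructed, and the password is assumed to be plain ASCII so that SASLprep is a no-op.

```python
import hashlib
import hmac
import os
import struct

MAGIC_COOKIE = 0x2112A442        # fixed value in every RFC 5389 STUN header
BINDING_REQUEST = 0x0001
ATTR_USERNAME = 0x0006
ATTR_MESSAGE_INTEGRITY = 0x0008
MI_ATTR_LEN = 4 + 20             # type/length plus the 20-byte HMAC-SHA1 digest


def _attr(atype, value):
    """Encode one TLV attribute, padded to a 4-byte boundary."""
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * (-len(value) % 4)


def build_check(username, password, txid=None):
    """Build a Binding Request as an ICE connectivity check: USERNAME, then MESSAGE-INTEGRITY.

    The MAC is HMAC-SHA1 keyed with the password from the signaling channel. It covers the
    header and every attribute before MESSAGE-INTEGRITY, with the header length field set
    as if MESSAGE-INTEGRITY were the last attribute (RFC 5389 section 15.4).
    """
    txid = txid if txid is not None else os.urandom(12)
    body = _attr(ATTR_USERNAME, username.encode("utf-8"))
    header = struct.pack("!HHI12s", BINDING_REQUEST, len(body) + MI_ATTR_LEN, MAGIC_COOKIE, txid)
    mac = hmac.new(password.encode("utf-8"), header + body, hashlib.sha1).digest()
    return header + body + _attr(ATTR_MESSAGE_INTEGRITY, mac)


def _attributes(msg):
    """Yield (type, value, offset) for each TLV following the 20-byte header."""
    off = 20
    while off + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        yield atype, msg[off + 4:off + 4 + alen], off
        off += 4 + alen + (-alen % 4)


def verify_check(msg, passwords):
    """Return (accepted, reason). passwords maps USERNAME -> password learned from the SDP.

    A check whose MAC does not verify is dropped, so a third party who does not hold the
    key cannot inject a 'candidate is valid' or 'candidate is invalid' result.
    """
    if len(msg) < 20:
        return False, "truncated header"
    mtype, mlen, cookie, txid = struct.unpack("!HHI12s", msg[:20])
    if cookie != MAGIC_COOKIE or mtype != BINDING_REQUEST:
        return False, "not a STUN Binding Request"
    if len(msg) != 20 + mlen:
        return False, "length field does not match message"
    username, mi = None, None
    for atype, value, off in _attributes(msg):
        if atype == ATTR_USERNAME:
            username = value.decode("utf-8", errors="replace")
        elif atype == ATTR_MESSAGE_INTEGRITY:
            mi = (value, off)
            break                   # attributes after MESSAGE-INTEGRITY are outside the MAC
    if username is None or mi is None:
        return False, "missing USERNAME or MESSAGE-INTEGRITY"
    password = passwords.get(username)
    if password is None:
        return False, "unknown USERNAME"
    received_mac, mi_off = mi
    # Recompute over the same bytes the sender covered, with the adjusted length field.
    covered = struct.pack("!HHI12s", mtype, mi_off - 20 + MI_ATTR_LEN, cookie, txid) + msg[20:mi_off]
    expected = hmac.new(password.encode("utf-8"), covered, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, received_mac):
        return False, "MESSAGE-INTEGRITY mismatch"
    return True, "ok"


def tamper(msg, offset):
    """Flip one byte of a check (here, inside the transaction ID), as an on-path change would."""
    out = bytearray(msg)
    out[offset] ^= 0xFF
    return bytes(out)


if __name__ == "__main__":
    # Constructed ICE short-term credentials: USERNAME is "<remote ufrag>:<local ufrag>".
    creds = {"9uB6:Xk3f": "YH75Fviy6338Vbrhrlp8Yh"}
    check = build_check("9uB6:Xk3f", creds["9uB6:Xk3f"])
    print(verify_check(check, creds))                        # (True, 'ok')
    print(verify_check(tamper(check, 10), creds))            # (False, 'MESSAGE-INTEGRITY mismatch')
    print(verify_check(check, {"9uB6:Xk3f": "other"}))       # (False, 'MESSAGE-INTEGRITY mismatch')
```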
A cheaper and easier method of circumventing the VoIP UDP NAT traversal problem is to configure an organization's SIP proxy in B2BUA (Back-to-Back User Agent) mode. Basically, instead of the SIP proxy, which sits in the DMZ with a publicly routable IP address, only building sessions for UAs and then backing off, the
SIP proxy will turn into a UA itself. To the source UA the SIP proxy will still provide the same services of accepting REGISTER, INVITE, and OPTIONS messages. However, the SIP proxy will actually proxy the RTP and RTCP sessions to the destination SIP proxy. In that process, the external interface of the SIP proxy acts as a UA, essentially pretending to be the VoIP phone calling itself. The destination B2BUA-configured SIP proxy, which also sits in the DMZ with a publicly routable IP address, accepts the proxied RTP and RTCP sessions from the source, since they were defined earlier in the SDP messages of the SIP session. After the destination B2BUA SIP proxy receives the RTP and RTCP streams, it then acts as just a SIP proxy again and forwards the voice and control traffic to the destination VoIP phone. The following is a diagram depicting the explained functionality:
Figure 23
(http://blog.lithiumblue.com/2007/07/understanding-relationship-between-sip.html)
This leads to SIP rogue application attacks. "By tricking SIP proxies and SIP phones into talking to rogue applications it is possible to view and modify both signaling and media…
• Rogue SIP B2BUA
A rogue application that performs like a UA. This application can get between a SIP proxy and a SIP phone or two SIP phones.
• Rogue SIP proxy
A rogue application that performs like a SIP proxy. This application can get between a SIP proxy and a SIP phone or two SIP proxies." (Endler, 2007).
As explained earlier, since a SIP B2BUA handles both signaling and media (SIP, RTP, RTCP), the device is inline with the data, allowing it to sniff and modify traffic. This is of course only if SIP-TLS for encryption and authentication isn't used for all SIP resources. While this is a threat if an attacker could silence (via DoS, etc.) the legitimate SIP proxy that handles sessions between two UAs in a network, the threat is especially dangerous if the rogue SIP proxy is placed inline between two other SIP proxies, provided they don't encrypt and authenticate traffic. This would then allow the attacker controlling the rogue SIP proxy to track, listen to, tear down, or even redirect calls to vishing voicemail systems. The following is a diagram of only the rogue SIP proxy within a VoIP network scenario:
Figure 24
To research VoIP SIP hard phone vulnerabilities associated with specific hard phones, I purchased two Grandstream Budgetone 102 (BT-102) VoIP phones that support SIP, with firmware version 1.0.8.33. These VoIP phones provide the following:
• SIP 2.0 (RFC 3261), TCP/UDP/IP, RTP/RTCP, HTTP, ICMP, ARP/RARP, DNS, DHCP, NTP, PPPoE, STUN, TFTP, etc.
• Support standard encryption and authentication (DIGEST using MD5, MD5-sess)
• Support for Layer 2 (802.1Q VLAN, 802.1p) and Layer 3 QoS (ToS, DiffServ, MPLS)
• Support automated NAT traversal without manual manipulation of firewall/NAT
• Provide easy configuration through manual operation (phone keypad), Web interface or automated centralized configuration file via TFTP or HTTP.
• Support firmware upgrade via TFTP or HTTP. (Grandstream, 2005)
Both phones come with two RJ-45 Ethernet interfaces. I connected the two phones to my Belkin SOHO Wi-Fi router/switch. Upon boot-up, as expected, the phones were broadcasting DHCP Discover packets to request an IP address; however, I had to explicitly permit the phones' MAC addresses on the router while maintaining MAC address filtering. Navigating through the LCD menu I was able to verify that the VoIP phones had been assigned an IP address, as well as see the subnet mask, DNS server, and default gateway configured. Upon identifying the IP addresses of the phones, I immediately tested network connectivity via ICMP ping from a test PC on the LAN:
Figure 25
I also then ran various NMAP scans to verify the services/ports/versions that were open and running out of the box. I performed an NMAP SYN scan for all port numbers:
Figure 26
As you can see, a simple NMAP scan was able to identify the VoIP manufacturer, Grandstream. According to the GS-102 PDF manual, the two RJ-45 ports of the BT-102 are actually a 10Base-T mini-hub that allows the user to share or sniff the network using another data device like a PC. So the network cable from the PC connects into the 'PC' labeled interface on the phone, and the phone's network cable plugs into the 'LAN' labeled interface and on to the SOHO router/switch. Testing the hub functionality worked just fine. I plugged my test laptop into the VoIP phone, and the VoIP phone cable into my SOHO router/switch. I was able to immediately receive an IP address via DHCP, and then browse the web. To further test hub functionality, I started a Wireshark packet capture on the test laptop (192.168.2.2), which was plugged into the BT-102 VoIP phone (192.168.2.6) hub. I applied a packet capture filter for IP 192.168.2.6. From a different PC (192.168.2.5), I ran an NMAP X-mas scan (nmap -sX 192.168.1.6) against the BT-102 VoIP phone.
Figure 27
As you can see, the packet capture on the laptop's 192.168.2.2 interface saw the NMAP X-mas scan against the BT-102:
Figure 28
Since the NMAP scan showed the VoIP phone's HTTP service open with a web server running, I opened up my browser, entered the VoIP phone's IP address of 192.168.2.6 as the URL, and arrived at the HTTP logon prompt. A quick Google search for 'grandstream budgetone 102 password' showed the default Administrator password for the HTTP logon to be 'admin':
Figure 29
This page allows whoever has access to it to change the Administrator password, the SIP proxy server IP address (to potentially implement a rogue SIP proxy server), the outbound proxy IP address, etc. There is however a 'lock keypad update' feature that prevents a user from updating the phone configuration via the keypad. There was also a default user account that was created with the password 'user':
Figure 30
The user account had dramatically fewer configuration options, as one would expect. If the user's PC were to become infected by some sort of worm or other malware, an attacker could perform a Wireshark packet capture on the PC's interface and see all SIP and RTP traffic coming to the phone, since the phone's hub would simply send a copy of the Ethernet frame to the PC. This would allow the attacker to perform call pattern tracking, number harvesting, and conversation eavesdropping and/or analysis.
To set up an internal VoIP network I installed the 3CX VoIP SIP proxy server (http://www.3cx.com/phone-system/) on a test server. The following is a screenshot of the management GUI:
Figure 31
I also opened ports SIP: 5060/tcp and udp, and SIP-TLS: 5061/tcp and udp on the server's firewall to permit the SIP session building. I defined extensions 106 and 107 for the left and right phone respectively. After defining the SIP proxy IP address and SIP user IP, I was able to call from one VoIP extension to the other. While doing so, I also performed a packet capture so as to view the SIP messages as well as the RTP session between the two calls using the G.711 codec:
Figure 32
As you can see from the bidirectional RTP streams, ports 5004 were used for the RTP streams per IANA port specifications.
Figure 33
As you can see from figures 25 and 26, all sequence and SSRC (synchronization source identifier) numbers were sent in clear text.
Figure 34
To actually hear the RTP session, I installed and used Oreka (discussed above). Oreka also contained logs of the RTP session, and I was able to play the GSM audio formatted file and hear my voice, as well as the DTMF tones from the phone numbers pressed, through my Winamp media player:
Oreka is a powerful tool. If an attacker were to compromise a PC with the same setup I tested, he could then upload Oreka to the infected host to capture call and audio logs. He could also then write a script to send the RTP stream and audio logs to his PC for listening and review.
I wanted to stress test the audio QoS of the VoIP phones while they were being heavily scanned. As such, I set up two test PCs to simultaneously perform inviteflood and Nessus scans against both BT-102 phones, NMAP -sX scans against both phones, and continual ICMP pings against both phones. The call was already set up before I began scanning both phones. I noticed a very small amount of static on the line during the scans; however, it by no means made the voice clarity indiscernible. Unfortunately my limited resources (not enough PCs, small switch) limited the number of packets I could throw against these phones. To truly DoS or DDoS them, one would need a switch with at least 24 ports, with 22 of the hosts scanning the 2 BT-102 VoIP SIP phones.
VI. Skype
Skype is a softphone, which means it is a software VoIP application phone that runs on a PC. Skype, along with other softphones, requires either a headset or a microphone with speakers to have a successful conversation. However, there are also many USB hard phones (corded and cordless) that can be plugged into a PC and will use the Skype application. Skype is not a good candidate for enterprise use since it communicates in a P2P fashion, similarly to the P2P KaZaA software (same founders). While some enterprise organizations may desire a softphone solution in a VoIP implementation, there are softphones made by large vendors, such as Cisco's IP Communicator, Avaya's IP Softphone, and 3Com's NBX softphone, that are better choices in terms of cost cutting and integration with other VoIP resources. A large benefit to opting for a separate VoIP hard phone as opposed to a softphone like Skype is the difference in security vulnerabilities. However, Skype VoIP, like other forms of VoIP, has had the problem of UDP NAT traversal through firewalls.
As such, "Skype uses variants of STUN and TURN, which both facilitate communications between firewalled network address spaces (STUN and TURN discussed earlier). As stated earlier, if an attacker can compromise a user's PC with the plethora of attack tools freely available on the Internet, then anything running on that PC can virtually be considered compromised. In fact, some rootkits allow an attacker to turn on the victim's microphone on the compromised computer and record everything (even background noise)" (Endler, 2007).
What is of even greater concern is that with Skype, or any softphone for that matter, there is no longer a logical VLAN separation of VoIP and data resources (phones and PCs). With that being the case, an attacker could compromise a PC, then further compromise the PCs of other employees and listen in on their VoIP conversations. Skype's method of connecting calls also poses a tremendous security risk for all users, such as consumers, home users, and employees in the enterprise.
"If direct communication from the caller fails, then the intended Skype recipient tries instead to connect back to the caller. If both attempts at direct connection fail, then other intermediate Skype users who are reachable by both hosts attempt to route the call. These relay hosts are called supernodes, and any Skype user may at any time be elevated to supernode status, according to the latest version of the Skype privacy agreement" (Endler, 2007).
Getting to the actual security of the calls being made, there have been concerns about the privacy of Skype-to-Skype and Skype-to-POTS calls. Dr. Tom Berson from Anagram Laboratories performed a review of Skype encryption.
"The cryptographic primitives used in Skype are: the AES block cipher, the RSA public-key cryptosystem, the ISO 9796-2 signature padding scheme, the SHA-1 hash function, and the RC4 stream cipher. Skype operates a certificate authority for user names and authorizations. Digital signatures created by this authority are the basis of identity in Skype. Skype nodes entering into a session correctly verify the identity of their peer. It is infeasible for an attacker to spoof a Skype identity at or below the session layer." (Berson, 2005).
"While Skype's cryptosystem may be sufficiently secure to afford privacy for the masses, researchers from EADS at the RECON (Reverse Engineering Conference) in 2006 were able to circumvent some of the anti-debugging techniques of Skype and also discover a vulnerability in the Skype application itself" (Endler, 2007). Closed source/proprietary protocols have rarely, if ever, been impervious to vulnerabilities (e.g., Cisco's CDP, SCCP, Microsoft's NetBIOS, NetBEUI, etc.).
The following is a packet capture I performed while placing a call from Skype VoIP version 3.5.0.229 to my home POTS phone:
Figure 35
As you can see in that packet capture, in this particular call, the source port remained 13590/udp, and the destination port remained 12340/udp. As stated earlier, Skype randomizes ports
and is very aggressive about connecting calls by trying any possible port/protocol combination.
For an organization or a home user wanting to identify which PCs have the Skype VoIP application installed, there is a freeware tool called 'SkypeKiller', which can be downloaded at http://www.skypekiller.com/. To test the functionality of SkypeKiller, I downloaded it onto the Windows XP test PC used to perform the Skype calls earlier. There were a few small configurations to set; however, once I selected 'execute', SkypeKiller immediately found Skype directories, files, and keys:
Figure 36
Figure 37
It would then be the mission of the network security administrator to locate the machines and have the Skype VoIP application removed.
According to the Skype website's firewall page, it notes that the ideal conditions for Skype to work are to open all outbound ports 1-65535 TCP and UDP; it also mentions that Skype can run on ports HTTP: 80/tcp and HTTPS: 443/tcp (Skype, 2006). As such, Skype is difficult to filter at layers 3 and 4 on a stateful firewall or router, since outbound HTTP and HTTPS access must be permitted for web traffic. As a result, attempts to identify Skype traffic have focused on the application layer. There have been various Snort signatures written to help identify Skype at the application layer, given that signatures cannot be written for destination IP/port/protocol since it's likely that Skype uses round-robin DNS/IP for its call servers.
"SonicWall and Checkpoint have both added features to their firewall set that supposedly allow Skype filtering... Akonix also markets a device called L7 Skype Manager, which purports to be able to log and enforce Skype usage in the network. All of these product claims however, are following a moving target, as each new major version of Skype tends to increase the amount of payload obfuscation in order to evade these types of technologies" (Endler, 2007).
However, rather than spend thousands of dollars for a proprietary device and depend on a third-party vendor to deploy new signatures to attempt to detect new Skype versions, in my opinion I would rather use Snort with open-source signatures. According to Sourcefire, they have built a new Snort Skype preprocessor that was released under the VRT license on 8/13/2007 in version 2.7.0.1, which should be effective at detecting Skype
traffic. Since Skype automatically checks back with its Skype home servers to get the latest version, it is at this unencrypted version check where Skype can be detected on hosts purely from network traffic.
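Since the detection point is this version check rather than any server address, the following added Python example (not code from the paper, Sourcefire or Bleeding Edge) applies the two Bleeding Edge uricontent rules quoted later in this section, plus one of the static-address rules quoted after them, to constructed request records; it shows that the uricontent rules keep firing when the server address changes while the static-address rule goes silent. The events, the $HTTP_PORTS value and the rule parser are assumptions made here; addresses and sids in the rules are the paper's.

```python
import re

# Snort's $HTTP_PORTS variable as it is typically set (assumed value, not from the paper).
HTTP_PORTS = {80, 8080}

# Rules quoted in this section, each joined onto one line (reference options dropped for
# brevity). The first two are the Bleeding Edge uricontent rules; the third is one of the
# static-address rules the paper criticises. Addresses and sids are the paper's.
RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Policy Skype VOIP '
    'Checking Version (Startup)"; uricontent:"/ui/"; nocase; uricontent:"/en/getlatestversion?ver="; '
    'nocase; classtype:policy-violation; sid:2001595; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Policy Skype VOIP '
    'Reporting Install"; uricontent:"/ui/"; nocase; uricontent:"/en/installed"; nocase; '
    'classtype:policy-violation; sid:2001596; rev:1;)',
    'alert ip $HOME_NET any -> 195.215.8.141 any (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP Login"; '
    'classtype:policy-violation; sid:9999988; rev:1;)',
]

# Constructed traffic records (source assumed inside $HOME_NET). The URIs follow the shape the
# quoted rules match; the destination addresses are documentation-range values, not Skype's.
EVENTS = {
    "version_check": {"proto": "tcp", "dst_ip": "203.0.113.10", "dst_port": 80,
                      "uri": "/ui/0/3.5.0.229/en/getlatestversion?ver=3.5.0.229"},
    "install_report": {"proto": "tcp", "dst_ip": "203.0.113.10", "dst_port": 80,
                       "uri": "/UI/0/3.5.0.229/EN/installed"},      # mixed case: nocase still hits
    "login_old_server": {"proto": "udp", "dst_ip": "195.215.8.141", "dst_port": 40001},
    "login_new_server": {"proto": "udp", "dst_ip": "198.51.100.7", "dst_port": 40001},
}

_OPT_SPLIT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')   # ';' that is outside double quotes


def parse_rule(text):
    """Parse the subset of Snort syntax these rules use: header plus msg/uricontent/nocase/sid."""
    header, _, options = text.partition("(")
    _action, proto, _src, _sport, _arrow, dst, dport = header.split()
    rule = {"proto": proto, "dst": dst, "dport": dport, "msg": "", "sid": None, "uricontent": []}
    for opt in _OPT_SPLIT.split(options.rstrip().rstrip(")")):
        key, _, value = opt.strip().partition(":")
        value = value.strip().strip('"')
        if key == "msg":
            rule["msg"] = value
        elif key == "uricontent":
            rule["uricontent"].append({"pattern": value, "nocase": False})
        elif key == "nocase":                 # modifies the content keyword right before it
            rule["uricontent"][-1]["nocase"] = True
        elif key == "sid":
            rule["sid"] = int(value)
    return rule


def rule_matches(rule, event):
    """Apply one parsed rule to one traffic record; 'ip' rules match every transport protocol."""
    if rule["proto"] != "ip" and rule["proto"] != event["proto"]:
        return False
    if rule["dst"] not in ("any", "$EXTERNAL_NET") and rule["dst"] != event["dst_ip"]:
        return False
    if rule["dport"] == "$HTTP_PORTS":
        if event["dst_port"] not in HTTP_PORTS:
            return False
    elif rule["dport"] != "any" and int(rule["dport"]) != event["dst_port"]:
        return False
    uri = event.get("uri", "")
    for uc in rule["uricontent"]:
        hay, needle = (uri.lower(), uc["pattern"].lower()) if uc["nocase"] else (uri, uc["pattern"])
        if needle not in hay:
            return False
    return True


def alerts_for(event, rule_texts=RULES):
    """Return the sids of every rule that fires on the record, in rule order."""
    return [r["sid"] for r in map(parse_rule, rule_texts) if rule_matches(r, event)]


if __name__ == "__main__":
    for name, event in EVENTS.items():
        print(f"{name:18} -> {alerts_for(event)}")
    # version_check and install_report fire 2001595 / 2001596 wherever the server lives;
    # the static-address rule fires for login_old_server only and misses login_new_server.
```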
Figure 38
http://www.snort.org/pub-bin/sigs-search.cgi?sid=skype
As you can see, Snort SIDs 5692-6001 are various signatures included to help detect Skype at various points of Skype operations, such as getting the latest version, client login, client startup, etc. The following are some of the Snort IDS Skype signatures found in the public realm:
"
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Policy Skype VOIP Checking Version (Startup)"; uricontent:"/ui/"; nocase; uricontent:"/en/getlatestversion?ver="; nocase; classtype:policy-violation; reference:url,http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; sid:2001595; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Policy Skype VOIP Reporting Install"; uricontent:"/ui/"; nocase; uricontent:"/en/installed"; nocase; classtype:policy-violation; reference:url,http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; sid:2001596; rev:1;)
" (Jonkman, 2005).
These signatures should be somewhat successful at identifying Skype usage on a source host when Skype is being installed or performs a version check. Concurrently, there have also been some poorly written Snort IDS signatures out in the public realm that should be avoided:
"alert ip $HOME_NET any -> 195.215.8.141 any (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP Login"; classtype:policy-violation; sid:9999988; rev:1;)
alert tcp $HOME_NET any -> any 33033 (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP Login"; classtype:policy-violation; sid:9999989; rev:1;)
alert udp $HOME_NET any -> any 33033 (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP Login"; classtype:policy-violation; sid:9999990; rev:1;)
alert ip $HOME_NET any -> 80.160.91.28 any (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP Event"; classtype:policy-violation; sid:9999991; rev:1;)
alert ip $HOME_NET any -> 212.72.49.142 any (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP Event"; classtype:policy-violation; sid:9999992; rev:1;)
" (Network Security Archive, 2005).
Unfortunately these are poorly written signatures because some of them contain static IP addresses and ports. While a Skype server may
have at some point used IP address 80.160.91.28, the likelihood of that IP being used again is slim to none. The same goes for the signatures alerting on destination port 33033/udp. It's likely that one of the Skype versions in the past used that port more frequently and that's why there were more hits and logs for that signature. Upon researching Skype vulnerabilities, I came across the Secunia page for Secunia Advisory SA27934, which noted a newly found Skype vulnerability.
"The vulnerability is caused due to a boundary error in Skype4COM.dll within the "skype4com" URI handler when processing short strings. This can be exploited to cause a limited heap-based buffer overflow as a longer string may be copied into a heap-based buffer previously allocated based on the length of the supplied URI. Successful exploitation allows execution of arbitrary code when a user e.g. visits a malicious website. The vulnerability is confirmed in Skype 3.5.0.239. Other versions prior to 3.6.0.216 may also be affected" (Secunia, 2007).
This heap-based buffer overflow could be used to compromise a host running Skype and use it as a stepping stone to attack other network resources, as well as to listen in on VoIP conversations. A newly reported vulnerability affecting Skype users on Windows is also spreading.
"Skype has learned that a computer virus called "w32/Ramex.A" is affecting users of Skype for Windows. Users whose computers are infected with this virus will send a chat message to other Skype users asking them to click on a web link that can infect the computer of the person who receives the message. Users receive a message which appears to be from someone on their contact list, asking them to click a link. The messages are "cleverly written" to appear like typical chat messages, and appear to contain a link to a JPEG image. The link actually points to an executable file; if Windows-based users click the link (and give permission to save or run a .scr file) the user's computer will be infected with the w32/Ramex.A worm. The worm uses Skype's public API to access the user's computer" (Skype, 2007).
I personally have not yet encountered this worm because I am not a user of Skype in my free time. However, with this vulnerability out in the wild, the best practice for all Skype users would be to treat download links in Skype messages the same as those in e-mail; even from trusted sources, installing programs from links in messages is dangerous and should be avoided. Further research led me to variants of this worm with the names 'Pykspa.d', 'Pyks-5', 'Pykse.A', and 'Skipi'. The following is Symantec's summary of this vulnerability:
"W32.Pykspa.D is a worm that spreads through Skype Instant Messenger and removable drives. It also disables access to security-related Web sites by modifying the hosts file and ends processes which may be security-related... When W32.Pykspa.D is executed, it displays the %Windir%\Soap Bubbles.bmp graphic file, if it already exists on the compromised computer. The worm creates the following mutex so that only one instance of the worm runs at a time:
pyksp2.0.0.3gM-2oo8&-825190¬
Next, the worm opens and displays the following file:
%Windir%\Soap Bubbles.bmp
The worm changes the status of the Skype user to DND (Do Not Disturb).
It then copies itself to the following files:
• %System%\mshtmldat32.exe
• %System%\sdrivew32.exe
• %System%\winlgcvers.exe
• %System%\wndrivs32.exe
" (Kiernan, Symantec, 2007).
As you can see, the prevalence of Skype use has amplified both the quantity and the insidiousness of worms spreading through Skype calls and chats.
"While softphone-based services have yet to really penetrate the enterprise market, many IM/VoIP clients are used actively by individuals within the enterprise itself. This causes an interesting dilemma for IT administrators who need to prevent those applications from opening up additional risks within the environment, while trying to maintain control over network bandwidth" (Endler, 2007).
VII. Cisco VoIP
Cisco provides a wide variety of VoIP resources, ranging from Linksys SOHO VoIP routers to large enterprise, multi-site clustering of CallManagers. Cisco's Unified CallManager is software based, just like SER and Asterisk. However, unlike SER and Asterisk, the CallManager software is deployed on Cisco proprietary hardware appliances.
"The 5.x branch is a major departure from the traditional Windows-based 3.x and 4.x installations in that the CallManager software actually runs on a Linux appliance instead of a MCS. While users of the 3.x and 4.x CallManager had fairly open access to the underlying Windows Server 2003 or Microsoft Windows 2000 Server, the 5.x Linux appliances are locked down with only a management interface for more administrative functions" (Endler, 2007).
Skinny Client Control Protocol, or SCCP, as mentioned earlier, is Cisco's proprietary signaling protocol between the CallManager(s) and VoIP phones (similar to H.323). A Cisco VoIP phone is also often called a 'Skinny client'. SCCP uses port 2000/tcp for unencrypted communications, and Skinny Client Control Protocol Secure (SCCPS) uses port 2443/tcp for encrypted communication between the VoIP phone and CallManager (Lewis, 2004). Similar to SIP, SCCP is used to handle call sessions, while Cisco VoIP uses RTP for the audio stream. A SIP UA phone is more intelligent and less of a dumb terminal compared to Cisco Skinny clients in terms of being able to provide a dial tone when the phone is removed from the cradle, being able to light up the LCD menu screen, etc. To explain call setup vulnerabilities later on, I must first briefly explain the Cisco Unified CallManager method of building calls through SCCP message exchanges:
Figure 39
Sadly, my financial resources are limited and I could not purchase two Cisco VoIP phones and a Unified CallManager server to build a call between two Skinny clients. However, by researching this further I was able to locate a Wireshark pcap trace of SCCP messages being exchanged in the above scenario. This pcap file is made available for free for all to view at:
Figure 40
(http://www.hackingvoip.com/traces/skinny.pcap)
As you saw above in figures 10 and 11, it is fairly easy to find Cisco VoIP phones left hanging on the Internet with a publicly routable IP address. The best practice for all organizations with a Cisco VoIP deployment is to disable all web servers on VoIP phones. That configuration change can be made in the Cisco Unified CallManager Administration page for all phones. Another Google hacking search effective in finding Cisco Unified CallManagers with a publicly routable IP address is to enter intitle:"Cisco CallManager User Options Log On". That search returned a link to a CallManager, which would allow an attacker to further probe the server:
Figure 41
A quick NMAP version scan of ports 0-2100 showed only HTTP (80/tcp) and HTTPS (443/tcp) to be open, and the server also responded to ICMP pings. All Cisco devices come with the proprietary Cisco Discovery Protocol (CDP), which is a layer 2 network management protocol. While highly beneficial from a management/configuration perspective for VoIP phones and any other devices, the CDP traffic is sent unencrypted and broadcast. As such, a person with inside physical access to an organization and an Ethernet port could sniff the cleartext broadcast traffic. CDP should either be disabled or used minimally when needed.
"It's a good idea to disable as many default services as possible on your VoIP devices to avoid giving away too much information about your infrastructure; however, this is not really an option on CallManager 5.x servers as Cisco has locked them down much more than the 4.x predecessors running on Windows" (Endler, 2007).
This applies to disabling unnecessary services on Cisco VoIP phones as well. This is in reference to the PC port on the VoIP phone.
"The phone has the ability to turn on or turn off the port on the back of the phone, to which a PC would normally be connected. This feature can be used as a control point to access the network if that type of control is necessary. Depending on the security policy and placement of the phones, the PC port on the back of any given phone might have to be disabled. Disabling this port would prevent a device from plugging into the back of the phone and getting network access through the phone itself. A phone in a common area such as a lobby would typically have its port disabled. Most companies would not want someone to get into the network on a non-controlled port because physical security is very weak in a lobby" (Cisco, 2005).
A security policy must be defined to identify which VoIP phone PC ports are permitted to be open (i.e. offices where necessary for employee access). While this makes sense in the lobby scenario, an attacker could still unplug the cable from the Ethernet port on the wall and connect a PC to that port. If the corresponding switch permits only the VoIP phone's MAC address to send Ethernet frames from that switch port, then the attacker would have to spoof the VoIP phone's MAC address as the source MAC in the frame to bypass that defense. Further countermeasures to that include Dynamic ARP Inspection (DAI) in conjunction with DHCP Snooping, IP Source Guard (IPSG), which dynamically creates an ACL based on the contents of the DHCP Snooping table to prevent source IP spoofing, as well as the always necessary VoIP/data VLAN separation. Further information on those feature sets is beyond the scope of this report, but can be found at http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_implementation_design_guide_chapter09186a008063742b.html#wp1046685.
In an enterprise with multiple sites nationally and globally, with hundreds of employees at each site, running two separate cables to each employee's desk for separate VoIP phone and PC data access ports may be impractical from a financial standpoint (cost of more switches, patch panels, cables, conduit, UPS power, cooling, etc.). Most if not all VoIP phones come with a PC data port, as explained above. With that being the case, there is no longer a physical network separation, but there must be a logical VoIP and PC VLAN separation. Essentially, both the PC data and VoIP VLAN access must be allowed from the single physical switch port used by both the VoIP phone and PC.
Figure 42
http://static.flickr.com/75/202787091_8a25a60e7e_b.jpg
"Before the phone has its IP address, the phone determines which VLAN it should be in by means of the Cisco Discovery Protocol (CDP) negotiation (if CDP enabled) that takes place between the phone and the switch. This negotiation allows the phone to send packets with 802.1q tags to the switch in a "voice VLAN" so that the voice data and all other data coming from the PC behind the phone are separated from each other at Layer 2... Because there are two VLANs from the switch to the phone, the phone needs to protect the voice VLAN from any unwanted access. The phones can prevent unwanted access into the voice VLAN from the back of the phone. A feature called PC Voice VLAN Access prevents any access to the voice VLAN from the PC port on the back of the phone. When disabled, this feature does not allow the devices plugged into the PC port on the phone to "jump" VLANs and get onto the voice VLAN by sending 802.1q tagged information destined for the voice VLAN to the PC port on the back of the phone. The feature operates one of two ways, depending on the phone that is being configured. On the more advanced phones, the phone will block any traffic destined for the voice VLAN that is sent into the PC port on the back of the phone" (Cisco, 2005)
Figure 43
(Cisco, 2005).
(See figure 5 above also.) These issues apply to all VoIP phones using any VoIP protocol (SIP, H.323, SCCP, etc.), not just Cisco, because this is a lower layer security issue.
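As an added example, not code from the paper or from Cisco, the following models the 802.1q tagging and the PC-port check described in the quote above: it builds and parses tagged Ethernet frames and decides, for a frame arriving on the phone's PC port, whether it may be forwarded. The VLAN numbers, MAC addresses and the PhonePcPort class are constructed for illustration, and the optional source-MAC check stands in for the switch port-security mentioned earlier in this section.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows
ETH_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame, inserting an 802.1Q tag when vlan_id is given."""
    header = dst + src
    if vlan_id is not None:
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)  # priority bits + 12-bit VLAN ID
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_id, ethertype, payload); vlan_id is None if untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return dst, src, vlan_id, ethertype, frame[offset:]


class PhonePcPort:
    """Simplified model (constructed for this example) of the filter a phone applies
    to frames entering its PC port: only the data VLAN may pass, and tagged frames
    aimed at the voice VLAN are dropped unless PC Voice VLAN Access is enabled."""

    def __init__(self, voice_vlan, data_vlan, pc_voice_vlan_access=False,
                 allowed_src_macs=None):
        self.voice_vlan = voice_vlan
        self.data_vlan = data_vlan
        self.pc_voice_vlan_access = pc_voice_vlan_access
        self.allowed_src_macs = allowed_src_macs  # None = no MAC restriction

    def decide(self, frame):
        """Return (forward, reason) for one frame arriving on the PC port."""
        try:
            dst, src, vlan_id, ethertype, payload = parse_frame(frame)
        except ValueError as exc:
            return False, f"malformed: {exc}"
        if self.allowed_src_macs is not None and src not in self.allowed_src_macs:
            return False, f"source MAC {src.hex(':')} not permitted on this port"
        if vlan_id is None:
            return True, f"untagged, placed in data VLAN {self.data_vlan}"
        if vlan_id == self.data_vlan:
            return True, f"tagged for data VLAN {vlan_id}"
        if vlan_id == self.voice_vlan:
            if self.pc_voice_vlan_access:
                return True, "tagged for voice VLAN, PC Voice VLAN Access enabled"
            return False, "VLAN hop attempt: tagged for voice VLAN, PC Voice VLAN Access disabled"
        return False, f"VLAN {vlan_id} is not allowed on the PC port"


if __name__ == "__main__":
    # Constructed addresses and VLAN numbers for a demonstration run.
    dst = bytes.fromhex("ffffffffffff")
    pc = bytes.fromhex("001122334455")
    port = PhonePcPort(voice_vlan=100, data_vlan=10)
    for tag in (None, 10, 100, 200):
        print(tag, port.decide(build_frame(dst, pc, ETH_IPV4, b"x", vlan_id=tag)))
```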
As with most other VoIP phones, the Cisco VoIP infrastructure also provides SNMP for management purposes, which should be strictly controlled via SNMPv3 with encryption. If v1 or v2 must be used, then strong community string passwords should be used. Similarly for management purposes, Virtual Network Computing or VNC (RealVNC) comes bundled with CallManager 4.x (Windows), and allows for remote upgrades, patches, etc. VNC is similar in functionality to Remote Desktop (RDP) services and PCAnywhere. However, there have been vulnerabilities found for authentication bypassing.
As documented in US-CERT VU#117929, "The RealVNC Server fails to properly authenticate clients. When a RealVNC client connects to a RealVNC server, the server provides a list of supported authentication methods. By design, the client then selects a method from the list. Due to an implementation flaw, if the client specifies that no (null) authentication should be used, the server accepts this method and authenticates the client, whether or not null authentication was offered by the server" (Gennari, 2006).
Any VNC server/client administration used for either Cisco Unified CallManager 4.x (Windows) or 5.x (Linux) falls under greater threat due to VNC brute force tools such as 'VNCrack', which is free to download at http://www.phenoelit-us.org/fr/tools.html. The best practice, however, is to remove or disable VNC services, especially since 99% of the Linux administration can be done via a shell connected to the CallManager. Patch management, as with any other device, is necessary and must be performed in a timely manner. Whether the patches are for vulnerability updates or functionality updates, Cisco has provided a nice tool (to paid subscribers only) that is available at http://www.cisco.com/cgi-bin/Software/Newsbuilder/Builder/VOICE.cgi. From there an administrator can define which elements of a Cisco VoIP infrastructure are being used, and be notified when there are patches for them.
"Cisco took the Microsoft Windows 2000-based CallManager, currently release 4.1(3), and—over the last two years—ported every bit of the code over to run on Linux. Then it built in SIP call control, in the form of a back-to-back SIP user agent, and mapped as many Skinny features to SIP standards and drafts as it reasonably could... Cisco delivers CallManager 5.0 already installed on Linux, on the vendor's MCS series of servers. Linux is widely regarded as generally more secure, and often better performing, than Windows as an IP-PBX call control platform" (Mier, 2006).
If an organization decides to continue using the Windows OS based CallManagers (4.x) even in the face of never-ending Windows vulnerabilities in the wild, then Cisco also provides the installation of their host based IDS/IPS (HIPS).
"Cisco Security Agent provides intrusion detection and prevention for the Cisco Unified CallManager cluster. Cisco Systems provides it free of charge as a standalone security agent for use with servers in the Cisco Unified CallManager voice cluster. The agent provides Windows platform security that is based on a tested security rules set (policy), which has rigorous levels of host intrusion detection and prevention. The agent controls system operations by using a policy that allows or denies specific system actions before system resources are accessed. This process occurs transparently and does not hinder overall system performance" (Cisco, 2005).
However, any CSA deployment should be in conjunction with network firewalls and IPSs to strictly permit only the services necessary for VoIP functionality on the CallManager. With Cisco's implementation of SIP and other 'Presence' features on the Cisco Unified Communications Manager (CUCM), formerly CallManager, and Cisco Unified Presence Server (CUPS), as well as the implementation of SIP on new VoIP phones, these servers can also fall victim to SIP based attacks and vulnerabilities including INVITE and REGISTER floods. However, there are immense benefits such as using SIP-TLS between SIP resources along with SRTP and SRTCP, not to mention the open source benefit of an organization being able to use non-Cisco SIP supporting phones. For all SIP based attacks targeting Cisco Unified CallManagers and Cisco VoIP SIP user agents, please view the SIP section of this report.
There have been multiple vulnerabilities reported targeting Cisco's VoIP resources in various ways. While I would prefer to stick only to vulnerabilities in the latest Linux based Cisco Unified CallManagers, I am certain that there are many organizations still running the 3.x and 4.x Windows based CallManagers that are susceptible to multiple vulnerabilities. US-CERT/NIST CVE-2006-5277 details a Certificate Trust List (CTL) vulnerability in the Cisco Unified Communications Manager (CUCM, formerly CallManager).
Further research led me to IBM's ISS threat page, noting that the "Cisco CallManager is vulnerable to an off-by-one error, which allows for a one-byte heap-buffer overflow within the CTLProvider.exe component of CallManager. By sending specially-crafted packets, an attacker is able to trigger the heap overflow, which causes both a denial of service condition and enables the attacker to compromise the CallManager server. Some of the affected platforms are:
• Cisco Unified CallManager 3.3 versions prior to 3.3(5)SR3
• Cisco Unified CallManager 4.1 versions prior to 4.1(3)SR5
• Cisco Unified CallManager 4.2 versions prior to 4.2(3)SR2
• Cisco Unified Communications Manager 4.3 versions prior to 4.3(1)SR1
• Cisco Unified CallManager 5.0 and Communications Manager 5.1 versions prior to 5.1(2)" (IBM ISS, 2007).
Also, a common cross site scripting (XSS) vulnerability was found affecting the Cisco CallManager 4.1.
"The web interface of the application fails to properly sanitize data supplied by the search-form before displaying it back to the user. Though several filters are in place to prevent the injection of <script> Tags or action handlers such as "onclick" or "onmouseover", it is possible to inject html-code including common attributes. This allows the embedding of external references, e.g. images or flash resources... This vulnerability may be exploited by tricking authenticated users into clicking a crafted link in order to conduct arbitrary web-based attacks... The vulnerability also allows an attacker to use the "style"-attribute on any tag to conduct arbitrary web-based attacks... Server-side input validation should be improved to prevent the injection of unauthorized code" (Ruef, Friedli, 2006).
Cisco has upgraded the affected CallManager versions with patches that are incorporated in 4.2(3)sr2, 3.3(5)sr3, 4.1(3)sr5 and 4.3(1)sr1. While any organization using the affected CallManagers should absolutely perform the upgrades provided, IDS signatures can be written for an IDS sniffing or an IPS inline with the CallManager to drop any packets with the <script> tag found.
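An added example (mine, not from the paper or the advisory) of the kind of check such a signature needs: it decodes the query-string values of sample HTTP requests to a search form and reports which injection indicator is present. Because the advisory above says <script> tags and on* handlers were already filtered and the bypass used ordinary tags with attributes such as "style", a rule that only looks for <script> would miss the reported vector, so the checker covers those too; the request path and the sample request lines are constructed placeholders, not CallManager traffic.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample request lines; the path is a placeholder for a search form.
SAMPLE_REQUESTS = [
    "GET /placeholder/search.do?q=Smith HTTP/1.1",
    "GET /placeholder/search.do?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1",
    "GET /placeholder/search.do?q=%3Cimg+src%3D%22http://example.invalid/a.png%22+style%3D%22position:absolute%22%3E HTTP/1.1",
    "GET /placeholder/search.do?q=%3Cb+onmouseover%3Dx%3Ebold%3C/b%3E HTTP/1.1",
    "GET /placeholder/search.do?q=O%27Brien+%3C+10 HTTP/1.1",      # benign: bare '<' is not a tag
    "GET /placeholder/search.do?q=%253Cscript%253Ex HTTP/1.1",     # double URL-encoded
]

# Ordered from most to least specific; the first match names the verdict.
INDICATORS = [
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("event handler attribute", re.compile(r"<[^>]*\bon\w+\s*=", re.I)),
    ("style attribute", re.compile(r"<[^>]*\bstyle\s*=", re.I)),
    ("external reference attribute", re.compile(r"<[^>]*\b(?:src|href|data)\s*=", re.I)),
    ("html tag", re.compile(r"<\s*/?[a-z][\w:-]*[\s>/]", re.I)),
]


def decoded_query_values(request_line):
    """Return the query parameter values of a request line, URL-decoded twice so a
    double-encoded payload (%253C -> %3C -> <) is inspected in its final form."""
    _method, target, _version = request_line.split(" ", 2)
    values = [v for _k, v in parse_qsl(urlsplit(target).query, keep_blank_values=True)]
    return [unquote_plus(v) for v in values]


def inspect_request(request_line):
    """Return the name of the first indicator found in any decoded value, else None."""
    for value in decoded_query_values(request_line):
        for name, pattern in INDICATORS:
            if pattern.search(value):
                return name
    return None


def inspect_requests(request_lines):
    """Verdict per request line, in input order (None means nothing suspicious)."""
    return [inspect_request(line) for line in request_lines]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_REQUESTS, inspect_requests(SAMPLE_REQUESTS)):
        print(f"{verdict or 'clean':30} {line.split(' ', 2)[1]}")
```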
There is another interesting vulnerability that I found regarding the Cisco IP Phones 7940 and 7960, detailed in US-CERT/NIST CVE-2007-4459. "The Cisco IP Phone 7940 with P0S3-08-6-00 firmware allows remote attackers to cause a denial of service (device reboot) via (1) a certain sequence of 10 invalid SIP INVITE and OPTIONS messages; or (2) a certain invalid SIP INVITE message that contains a remote tag, followed by a certain set of two related SIP OPTIONS messages" (US-CERT/NIST, 2007). Further research led me to the related SecurityFocus web page detailing the same vulnerability, and providing a proof of concept Perl script for the exploit performed:
"#!/usr/bin/perl
use IO::Socket::INET;
die "Usage $0 <dst> <port> <username>" unless ($ARGV[2]);
$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1],
Proto=>'udp',
PeerAddr=>$ARGV[0]);
$msg = "INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia:SIP/2.0/UDP\t192.168.1.2;rport;branch=00\r\nFrom:<sip:gasparin\@192.168.1.2>;tag=00\r\nTo:<sip:$ARGV[2]\@$ARGV[0]>;tag=00\r\nCall-ID:et\@192.168.1.2\r\nCSeq: 10 INVITE\r\nContent-Length: 0\r\n\r\n";
$socket->send($msg);
sleep(1);
$msg ="OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia:SIP/2.0/UDP 192.168.1.2;rport;branch=01\r\nFrom:<sip:gasparin\@192.168.1.2>;tag=01\r\nTo:<sip:$ARGV[2]\@$ARGV[0]>\r\nCall-ID: et\@192.168.1.2\r\nCSeq: 11 OPTIONS\r\nContent-Length: 0\r\n\r\n";
$socket->send($msg);
sleep(1);
$msg ="OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia:SIP/2.0/UDP 192.168.1.2;rport;branch=02\r\nFrom:<sip:gasparin\@192.168.1.2>;tag=02\r\nTo:<sip:$ARGV[2]\@$ARGV[0]>\r\nCall-ID: et\@192.168.1.2\r\nCSeq: 12 OPTIONS\r\nContent-Length: 0\r\n\r\n";
$socket->send($msg);" (SecurityFocus, Madynes research team, 2007)
As you can see, there are arguments included in the SIP INVITE and OPTIONS messages that were sent. This was due to a lack of input validation when accepting the messages, on the incoming SIP header of the packet, and as such it can cause a denial of service to the phones in question. The second proof of concept script made available by SecurityFocus can be found by navigating to http://downloads.securityfocus.com/vulnerabilities/exploits/cisco_7940_dos1.pl. Cisco has noted that upgrading the firmware on both the CP-7960 and 7940 phones to 8.7(0) patches this vulnerability.
I also found two other interesting vulnerabilities reported for the Cisco Unified CallManager.
"Cisco Unified CallManager (CUCM) 5.0 has Command Line Interface (CLI) and Session Initiation Protocol (SIP) related vulnerabilities... The CallManager CLI provides a backup management interface to the system in order to diagnose and troubleshoot the primary HTTPS-based management interfaces. The CLI, which runs as the root user, contains two vulnerabilities in the parsing of commands. The first vulnerability may allow an authenticated CUCM administrator to execute arbitrary operating system programs as the root user. The second vulnerability may allow output redirection of a command to a file or a folder specified on the command line.
There is also a buffer overflow vulnerability in the processing of long hostnames contained in a SIP request which may result in arbitrary code execution or cause a denial of service. These vulnerabilities only affect Cisco Unified CallManager 5.0" (Cisco, 2006).
Cisco has patched these vulnerabilities and recommends users upgrade to CUCM version 5.0(4) or a later release. A simple Google search for 'Cisco VoIP vulnerabilities' will return a multitude of vulnerabilities found. It is a near certainty that more vulnerabilities will be found in future releases of CUCM and CUPS. With that being the case, the best practice for an organization would be to immediately upgrade older versions of Cisco CallManager if Windows is still the base OS, and deploy Snort inline IPS in front of the CallManager. I would veer away from Cisco IDS/IPS for the simple reason that if a zero-day attack exploit is made public, an organization must wait for Cisco to provide signature pack updates containing the signatures, vs. simply testing and writing your own Snort signature immediately.
VIII. Conclusion
As you can see, there is a wide variety of VoIP technologies that are vulnerable to a multitude of different attacks. The Internet was not originally designed with security in mind, and nor was the PSTN. They were both originally built to simply work. The security aspect was an afterthought and, as such, there has been this seemingly endless game of cat and mouse between network security engineers and vendors fixing vulnerabilities and blocking malicious hosts vs. hackers finding and exploiting more. With that in mind, one wonders why all the various VoIP technologies available were not designed with greater security in mind from birth. Had the engineers who designed VoIP protocols sat down with security engineers at the drawing boards, it is likely there would be considerably fewer VoIP vulnerabilities now, and fewer to come in the future. VoIP vulnerabilities will increase due to the simple increased use of VoIP, more poorly written, buggy, and insecure code, user error, and the decreased use of POTS and the PSTN. They are being exploited now and will continue to be exploited in the future for various purposes, and by different people such as script kiddies that merely want to have fun, the elite hackers that do it for pride or financial benefit, or an enemy country's military for strategic advancement. For the home user implementing VoIP, there will be financial savings at the cost of a lower quality of service, less voice and data security, and the need to power your modem and router to make a call, specifically during a power outage. For the enterprise, there will be financial savings in terms of phone bill costs, the increased ability to have employees telework, and an increase in productivity, also at the cost of less data and voice security, compliance with state and federal regulations for the privacy of voice in the financial and medical fields, and higher security training budgetary costs to train employees to be less trustful of their VoIP phones.
X. Appendix
1) “Consider the following private key and certificate pair assigned to 'atlanta.example.com' (rendered in OpenSSL format).
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDPPMBtHVoPkXV+Z6jq1LsgfTELVWpy2BVUffJMPH06LL0cJSQO
aIeVzIojzWtpauB7IylZKlAjB5f429tRuoUiedCwMLKblWAqZt6eHWpCNZJ7lONc
IEwnmh2nAccKk83Lp/VH3tgAS/43DQoX2sndnYh+g8522Pzwg7EGWspzzwIDAQAB
…
…
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIC3TCCAkagAwIBAgIBADANBgkqhkiG9w0BAQUFADBZMQswCQYDVQQGEwJVUzEL
MAkGA1UECAwCR0ExEDAOBgNVBAcMB0F0bGFudGExDTALBgNVBAoMBElFVEYxHDAa
BgNVBAMME2F0bGFudGEuZXhhbXBsZS5jb20wHhcNMDUxMDI0MDYzNjA2WhcNMDYx
…
…
-----END CERTIFICATE-----
A user of atlanta.example.com, Alice, wants to send an INVITE to bob@biloxi.example.org. She therefore creates the following INVITE request, which she forwards to the atlanta.example.org proxy server that instantiates the authentication service role:
INVITE sip:bob@biloxi.example.org SIP/2.0
Via: SIP/2.0/TLS pc33.atlanta.example.com;branch=z9hG4bKnashds8
To: Bob <sip:bob@biloxi.example.org>
From: Alice <sip:alice@atlanta.example.com>;tag=1928301774
Call-ID: a84b4c76e66710
CSeq: 314159 INVITE
Max-Forwards: 70
Date: Thu, 21 Feb 2002 13:02:03 GMT
Contact: <sip:alice@pc33.atlanta.example.com>
Content-Type: application/sdp
Content-Length: 147

v=0
o=UserA 2890844526 2890844526 IN IP4 pc33.atlanta.example.com
s=Session SDP
c=IN IP4 pc33.atlanta.example.com
t=0 0
m=audio 49172 RTP/AVP 0
a=rtpmap:0 PCMU/8000
When the authentication service receives the INVITE, it authenticates Alice by sending a 407 response. As a result, Alice adds an Authorization header to her request, and resends to the atlanta.example.com authentication service. Now that the service is sure of Alice's identity, it calculates an Identity header for the request. The canonical string over which the identity signature will be generated is the following (note that the first line wraps because of RFC editorial conventions):
sip:alice@atlanta.example.com|sip:bob@biloxi.example.org|
a84b4c76e66710|314159 INVITE|Thu, 21 Feb 2002 13:02:03 GMT|
sip:alice@pc33.atlanta.example.com|v=0
o=UserA 2890844526 2890844526 IN IP4 pc33.atlanta.example.com
s=Session SDP
c=IN IP4 pc33.atlanta.example.com
t=0 0
m=audio 49172 RTP/AVP 0
a=rtpmap:0 PCMU/8000
The resulting signature (sha1WithRsaEncryption) using the private RSA key given above, with base64 encoding, is the following:
ZYNBbHC00VMZr2kZt6VmCvPonWJMGvQTBDqghoWeLxJfzB2a1pxAr3VgrB0SsSAa
ifsRdiOPoQZYOy2wrVghuhcsMbHWUSFxI6p6q5TOQXHMmz6uEo3svJsSH49thyGn
FVcnyaZ++yRlBYYQTLqWzJ+KVhPKbfU/pryhVn9Yc6U=
Accordingly, the atlanta.example.com authentication service will create an Identity header containing that base64 signature string (175 bytes). It will also add an HTTPS URL where its certificate is made available. With those two headers added, the message looks like the following:
INVITE sip:bob@biloxi.example.org SIP/2.0
Via: SIP/2.0/TLS pc33.atlanta.example.com;branch=z9hG4bKnashds8
To: Bob <sip:bob@biloxi.example.org>
From: Alice <sip:alice@atlanta.example.com>;tag=1928301774
Call-ID: a84b4c76e66710
CSeq: 314159 INVITE
Max-Forwards: 70
Date: Thu, 21 Feb 2002 13:02:03 GMT
Contact: <sip:alice@pc33.atlanta.example.com>
Identity:
"ZYNBbHC00VMZr2kZt6VmCvPonWJMGvQTBDqghoWeLxJfzB2a1pxAr3VgrB0SsSAa
ifsRdiOPoQZYOy2wrVghuhcsMbHWUSFxI6p6q5TOQXHMmz6uEo3svJsSH49thyGn
FVcnyaZ++yRlBYYQTLqWzJ+KVhPKbfU/pryhVn9Yc6U="
Identity-Info: <https://atlanta.example.com/atlanta.cer>;alg=rsa-sha1
Content-Type: application/sdp
Content-Length: 147

v=0
o=UserA 2890844526 2890844526 IN IP4 pc33.atlanta.example.com
s=Session SDP
c=IN IP4 pc33.atlanta.example.com
t=0 0
m=audio 49172 RTP/AVP 0
a=rtpmap:0 PCMU/8000
atlanta.example.com then forwards the request normally. When Bob receives the request, if he does not already know the certificate of atlanta.example.com, he dereferences the URL in the Identity-Info header to acquire the certificate. Bob then generates the same canonical string given above, from the same headers of the SIP request. Using this canonical string, the signed digest in the Identity header, and the certificate discovered by dereferencing the Identity-Info header, Bob can verify that the given set of headers and the message body have not been modified.” (Peterson, Jennings, 2006).
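The Identity flow quoted above, as an added example that is neither the paper's nor RFC 4474's own code: it rebuilds the canonical string from the INVITE, signs its SHA-1 digest on the authentication-service side, inserts the Identity and Identity-Info headers, and verifies on Bob's side. Assumptions: the RSA key is a constructed demonstration key built from two known Mersenne primes with textbook (unpadded) RSA, so it is not interoperable with real sha1WithRSAEncryption, and the certificate fetch via Identity-Info is not performed.

```python
import base64
import hashlib

# Constructed sample: the RFC 4474 INVITE quoted above, CRLF line endings as on the wire.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@biloxi.example.org SIP/2.0",
    "Via: SIP/2.0/TLS pc33.atlanta.example.com;branch=z9hG4bKnashds8",
    "To: Bob <sip:bob@biloxi.example.org>",
    "From: Alice <sip:alice@atlanta.example.com>;tag=1928301774",
    "Call-ID: a84b4c76e66710",
    "CSeq: 314159 INVITE",
    "Max-Forwards: 70",
    "Date: Thu, 21 Feb 2002 13:02:03 GMT",
    "Contact: <sip:alice@pc33.atlanta.example.com>",
    "Content-Type: application/sdp",
    "Content-Length: 147",
    "",
    "v=0",
    "o=UserA 2890844526 2890844526 IN IP4 pc33.atlanta.example.com",
    "s=Session SDP",
    "c=IN IP4 pc33.atlanta.example.com",
    "t=0 0",
    "m=audio 49172 RTP/AVP 0",
    "a=rtpmap:0 PCMU/8000",
]) + "\r\n"

# Demonstration key from two known Mersenne primes (no key generator needed). It stands in
# for the atlanta.example.com key above and is NOT a secure key: its factors are public.
_P, _Q = 2**127 - 1, 2**89 - 1
PUBLIC_KEY = (65537, _P * _Q)                                  # (e, n)
PRIVATE_KEY = (pow(65537, -1, (_P - 1) * (_Q - 1)), _P * _Q)  # (d, n)


def _addr_spec(value):
    """Keep only the URI: drop display-name and header parameters (RFC 4474 signs the addr-spec)."""
    return value[value.index("<") + 1:value.index(">")] if "<" in value else value.split(";")[0].strip()


def parse_sip(raw):
    """Split a SIP message into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], {k.strip().lower(): v.strip() for k, _, v in
                      (ln.partition(":") for ln in lines[1:])}, body


def canonical_string(raw):
    """RFC 4474 digest-string: From|To|Call-ID|CSeq|Date|Contact|body (Contact empty if absent)."""
    _, h, body = parse_sip(raw)
    contact = _addr_spec(h["contact"]) if "contact" in h else ""
    return "|".join([_addr_spec(h["from"]), _addr_spec(h["to"]), h["call-id"],
                     h["cseq"], h["date"], contact, body])


def _digest_int(raw):
    """SHA-1 of the canonical string as an integer (textbook RSA over the bare digest, no PKCS#1)."""
    return int.from_bytes(hashlib.sha1(canonical_string(raw).encode()).digest(), "big")


def sign_identity(raw, private_key):
    """Authentication-service side: sign the digest and base64-encode it for the Identity header."""
    d, n = private_key
    sig = pow(_digest_int(raw), d, n)
    return base64.b64encode(sig.to_bytes((n.bit_length() + 7) // 8, "big")).decode()


def add_identity_headers(raw, identity_b64, cert_url):
    """Insert Identity and Identity-Info ahead of the body, as the service does before forwarding."""
    head, sep, body = raw.partition("\r\n\r\n")
    return f'{head}\r\nIdentity: "{identity_b64}"\r\nIdentity-Info: <{cert_url}>;alg=rsa-sha1{sep}{body}'


def verify_identity(signed_raw, public_key):
    """Verifier side: rebuild the canonical string from the received headers and check the signature."""
    e, n = public_key
    _, h, _ = parse_sip(signed_raw)
    sig = int.from_bytes(base64.b64decode(h["identity"].strip('"')), "big")
    return pow(sig, e, n) == _digest_int(signed_raw)
```

Because Via is outside the signed set, a proxy rewriting it does not break verification, while any change to From, To, Call-ID, CSeq, Date, Contact or the SDP body does.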
XI. Image Figures
1) Law enforcement wire tapping.
2) Legitimate bank caller id spoofing.
3) Various VoIP SOHO solutions.
4) RSA VoIP threat categories.
5) VoIP and data VLAN separation.
6) Unicast call scenario.
7) Multicast one-to-few call scenario.
8) Multicast many-to-many call scenario.
9) Cisco VoIP information found on specific organizations.
10) Cisco VoIP phone web server network configuration I.
11) Cisco VoIP phone web server network configuration II.
12) NMAP of VoIP phone with open/running web server found.
13) Polycom VoIP phone with open/running web server found.
14) Netcat scans performed against Cisco VoIP phone.
15) Separation of RTP and SIP functionality.
16) Cleartext RTP eavesdropping/injection/fuzzing.
17) IAX bandwidth savings/consolidation.
18) SIP infrastructure elements.
19) SIP INVITE call setup.
20) SIP REGISTER hijacking.
21) Sipera SIP trunk security solution.
22) NMAP scan of SIP Proxy.
23) SIP Proxy server in B2BUA mode proxying RTP traffic.
24) SIP Rogue proxy within VoIP network.
25) BS-102 VoIP phone ICMP pings.
26) BS-102 VoIP phone NMAP scans.
27) VoIP test network diagram.
28) BS-102 VoIP phone NMAP Wireshark packet capture.
29) BS-102 VoIP phone web server GUI (Administrator).
30) BS-102 VoIP phone web server GUI (User).
31) 3CX SIP Proxy server GUI.
32) BS-102 VoIP RTP bidirectional RTP streams.
33) BS-102 VoIP RTP stream analysis.
34) BS-102 VoIP RTP sessions call packet capture.
35) Skype call packet capture.
36) SkypeKiller GUI.
37) SkypeKiller CLI.
38) Snort Skype SIDS.
39) SCCP Call setup messages exchange.
40) SCCP Wireshark session setup packet capture.
41) Cisco Callmanager logon screen.
42) Cisco VoIP - Separate VoIP and data port.
43) Cisco VoIP phone stopping VLAN jumping.