Session 5: Securing VoIP Flashcards

1
Q

Mention three examples of communication methods for early telephone systems. What kind of attacks were these vulnerable to?

A
  • in-band signaling
  • first pulse
  • dial-tone signals

These methods were used in older telephone systems and were exposed to “phreaking” attacks. This means flooding (DoSing) the telephone system with outbound calls, which can increase cost and affect availability.

2
Q

When and how did telephone communication and calls go digital?

A

Increased data demand and multiplexing of calls led to the Integrated Services Digital Network (ISDN) in the 1980s.

3
Q

What is the SS7 protocol?

A

The SS7 protocol family (Signal System 7) is an international telecommunication standard, introduced in the 1970s.

4
Q

Mention some SS7 vulnerabilities

A
  • No authentication
  • Signaling can be used to track mobile phone location
  • call forwarding and interception
  • Removal of temporary encryption key
  • attackers can hijack 2FA by setting up fake telecoms provider using SS7 to re-direct calls.
5
Q

What requirements does VoIP need to satisfy?

A
  • Retain interoperability with global PSTN/POTS (Public switched telephone networks / Plain old telephone service)
  • provide control and coordination and support
  • provide sufficient performance and QoS

Different protocol versions of VoIP:

  • SIP (Session Initiation Protocol). Dominant control and signaling protocol
  • SIGTRAN: Transport of Q.931 (ISDN) signalling over IP
  • H.323: catch-all standard for Q.931 signalling. Used over mixed networks with both audio and video.
  • H.248: Media Gateway protocol that separates H.323 signalling control into a media gateway controller (MGC). Can be complementary to SIP and H.323.
6
Q

What are the different specification families of SIP?

A
  • SIP: The actual signalling protocol for call and control
  • SDP (Session Description Protocol). Defines the media session inside SIP
  • RTSP: Real Time Streaming Protocol. Sets up media streaming sessions.
  • SIGCOMP: Signalling compression protocol. Compresses SIP and RTSP in application layer.
7
Q

What are the three major components in SIP signaling?

A
  • User agent: dedicated IP telephones, adapters, other devices with SIP calling/receiving.
  • Location servers: hold info about a user's location or IP address.
  • Support servers: Three different types:
    • Proxy servers forward requests from user agents.
    • Redirects provide information from “alternate called party location”.
    • Registrars receive user registration requests and update the location server DB.

In total, SIP manages the call lifecycle from locating the called party, ringing the phone, accepting the call, and terminating it.

8
Q

How does a SIP user agent enroll (register) to the service?

A

The user agent must register with location services, which temporarily links an IP address to the SIP URI (for instance sip:teacher@ntnu.no). This enforces identification and authentication to the registrar.

9
Q

How does SIP establish calls (in a simple manner)?

A

Caller user agent (UA) sends invitation to user agent client (UAC) aka receiving node, which relays signalling to the user agent server (UAS)

It is common to utilize proxy services in organisations as a “middle-man”.

10
Q

How does SIP handle security?

A

Basic SIP was not very secure. No encryption, and transmission of Registrars in cleartext. Several security features have been implemented since its origin.

Without strong endpoint authentication though, guessing of the UAC and valid SIP address can make it easier to guess weak passwords.

11
Q

What security aspects (H.235) does the H.323 protocol cover?

A
  • It covers aspects of authentication, identification, confidentiality and integrity. Only authentication and integrity are required in implementations, though.
  • implementations involve one or two gatekeeper nodes.
  • Authentication based on password mechanisms and key sharing using Diffie-Hellman with weak ciphers (HMAC-SHA1-96). MitM-attacks can be utilized.
  • PKI authentication can be allowed, also in TLS or IPSec channels.
  • Media stream privacy is only available in the full protocol.
12
Q

What are some VoIP codec protocols?

A
  • G.711: Simple and old. 128kbit bidirectional.
  • G.729: Licensed, 8kbit per directed channel.
  • G.723.1: Low bandwidth requirements (5-6kbit per channel). Low quality.
  • GSM 06.10: 13 kbit, poor quality.
13
Q

What are some common VoIP attacks?

A

DoS attacks through:

  • VoIP spam (SPIT).
  • Injection of noise on signalling or media transport path

Vishing attacks (phishing over voice) can be used to defraud victims using the phone.

Other types of attacks and frauds:

  • Arbitrage: differences in call rates are exploited (e.g. routing traffic through other countries).
  • Bypass: unauthorized injection on another carrier
  • Call transfer fraud: initiate more expensive calls along a local connection using PBX or carrier. Further using PBX to blind transfer call to international call etc.
  • Premium rates: Calling premium rate phones to pump revenue and payments.

2FA over SMS is also subject to MitM attacks, since messages can be redirected through an interception node.
