Security Challenges in Hybrid Telephony Richard Hovey Communications Systems Analysis Division
Security Challenges in Hybrid Telephony
Richard Hovey, Communications Systems Analysis Division
February 8, 2007
Observations are my own and are not a reflection of views of CSAD or PSHSB.

Hybrid IP-TDM Telephony Security Issues
[Diagram: Broadband Phone, IP PBX and PBX on the IP Network; SSP and Smartphone on the TDM Network; router in between; issues labelled Session Initiation Protocol (SIP), Domain Name System (DNS), SS7 Signaling Interop, and Routing Interop (BGP)]
February 8, 2007 Non-public – for Internal Use Only 2

Outline
1. Perspectives on telecom convergence
   • "Very-Next" Generation c.2007-2010
2. Telephony on the commodity Internet
   • Tutorial: basic SIP signaling
   • SIP Security challenges
3. Hybrid Telephony IP – TDM
   • Tutorial: basic SS7 signaling; SIP – SS7 Interworking
   • SIP-SS7 security challenges
4. Emerging components & concerns
   – Open Source IP PBX
   – Smartphone

Advisory Message
• The Sky isn't exactly falling…
• …but the Sea Level is rising.
• Net effect: The Sky is getting closer.
CSAD Advisory System: Severe Risk of Sky Falling / High Risk of Sky Falling / Significant Risk of Sky Falling / General Risk of Sky Falling / Low Risk of Sky Falling

Perspective on Convergence – Very-Next Generation Residential Broadband
• Today: parallel access to distinct infrastructures
• Future: common IP core infrastructure?
  – Vision of "Carrier ISPs"
  – First test: adoption of "NGN Release 1"
[Diagram: TDM phone net and commodity Internet reached in parallel over broadband copper, cable, or fiber; satellite distribution ~headend; local servers]

Tutorial: IP-IP Telephony – Session Initiation Protocol Signaling (SIP)
[Diagram: IP Network 1 and IP Network 2, each with a Control layer (SIP, DNS, LOC) over a Switching layer (Router); IP Links carry the Voice Path (RTP) and the Signaling Path (SDP)]

Tutorial: IP-IP Telephony – SIP Basics
• Session Initiation Protocol (SIP)
  – Text-based protocol with a readable syntax, similar to HTTP
  – Used for controlling multimedia sessions over IP (i.e., signaling)
  – Telephony is a type of audio-only multimedia session
• INVITE message
  – Used to establish a session; analogous to ISUP IAM message
  – IP-IP phone example (Kevin calls Michael over Internet)
    INVITE sip:[email protected] SIP/2.0
    Via: SIP/2.0/UDP 165.135.228.98:5060
    Max-Forwards: 50
    To: Michael <sip:[email protected]>
    From: Kevin <sip:[email protected]>;tag=8055002911
    Content-type: application/sdp
    Content-length: 142

Tutorial: IP-IP Telephony – Session Initiation Protocol Signaling (SIP)
[Call-flow diagram: ❶ Kevin "calls" Michael; ❷ INVITE to: sip:[email protected] sent to the SIP server; ❸ DNS Query; ❹ INVITE forwarded; ❺ LS Query to the location service; ❻ INVITE delivered to Michael; ❼ Ringing; ➑ OK; ➒ voice (RTP) over the Voice Path, with SIP on the Signaling Path]

IP-based Telephony – SIP Signaling Challenges
SIP and Privacy (withholding identity)
– Identity carried in SIP URI and optional Display Name, e.g., Kevin <sip:[email protected]>
– Appears in numerous fields in SIP messages, e.g., From:, Contact:, Reply-to:
– Identity Info also appears in, e.g., Via:, Call-Info:, User-Agent:, Organization:, Server:
– Some are functional and have to be included
– Complicated by intermediary proxy servers that add headers [and can examine the other header
content]

IP-based Telephony – SIP Signaling Challenges
• Utility of protecting SIP with encryption?
  – i.e., protect SIP messages with IP Security (IPsec) at IP Layer
• Hop-by-hop impact on Call Set-up time is significant
  – Almost certainly unacceptable
  Call set-up time      No IPSec   Proxy IPSec   End-End IPSec
  IP-IP                    4.6         7.5           20.2
  IP-TDM                   7.6         9.5           21.8
  TDM-IP                   5.2         8.0           12.7
  TDM-IP-TDM               6.9         9.3           14.3
  Source: Telcordia
• Once connected phone-phone, delay acceptable
  – About 10% (8 msec)
• Implications for NGN?

IP-based Telephony – Vulnerabilities in SIP devices
• Dozens of vulnerabilities impacting IP-based telephony
  – Includes commodity Internet risks at other layers
• Attacks on vulnerabilities
  – can impact confidentiality, integrity, availability
  – can trigger device hangs, crashes, restarts
• Hundreds of SIP device software implementations
  – both SIP phones and SIP Servers
• Next: some approaches to mitigating risks
  – Security thru obscurity – don't reveal implementation
  – Security thru testing – use test tools to check implementation

IP-based Telephony – IP Telephony Vulnerabilities by Protocol Layer
Table: Layer | Attack Vector | Confidentiality | Integrity | Availability (the per-vector impact marks did not survive transcription). Attack vectors listed by layer, with the grouping reconstructed from the flattened table:
– Physical: Physical Attacks
– Net Interface: ARP cache, ARP flood, MAC spoofing
– Internet: IP spoofing, Via IP spoof, Malformed packets, IP frag, Jolt, ICMP flood
– Transport: TCP/UDP flood, TCP/UDP replay
– Application: TFTP server insertion, DHCP server insertion, Encryption, Default configuration, Unnecessary services, Buffer overflow, Legacy Network, DNS Availability, DHCP starvation
– SIP: Registration Hijacking, MGCP Hijack, Message modification, RTP Insertion, Spoof via header, Cancel / bye attack, Malformed method, Redirect method, Device, SDP redirect
– RTP: RTP payload, RTP tampering
Source: UC Boulder

IP-based Telephony – Security thru Obscurity?
• A vulnerable implementation becomes an explicit target
  – e.g., Windows vulnerabilities
• SIP standard defines a "User-Agent" field
  – announces software version
  – can turn it off so software details are not revealed
• But… turning off explicit identification doesn't really help
  – sufficient info in protocol responses to determine software
  – probing technique manipulates headers, logs responses
  – each device has a unique fingerprint
• Does suggest some security improvements
  – e.g., don't respond to non-compliant messages
  – e.g., randomize fields and attributes
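The privacy slide lists which SIP headers carry identity, and the obscurity slide notes that suppressing User-Agent alone does not hide an implementation and suggests not answering non-compliant messages. The Python below is an added example, not material from the presentation: an edge-proxy policy that strips the non-functional identity headers the privacy slide names, removes the From: display name, and silently drops non-compliant requests rather than answering them. The sample INVITE is constructed from the slide's IP-IP example with placeholder addresses.

```python
import re

# Constructed from the slide's IP-IP INVITE; addresses are placeholders.
SAMPLE_INVITE = (
    "INVITE sip:michael@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 165.135.228.98:5060\r\n"
    "Max-Forwards: 50\r\n"
    "To: Michael <sip:michael@example.net>\r\n"
    "From: Kevin <sip:kevin@example.org>;tag=8055002911\r\n"
    "Call-ID: a84b4c76e66710@165.135.228.98\r\n"
    "CSeq: 1 INVITE\r\n"
    "User-Agent: ExamplePhone/1.2.3\r\n"
    "Organization: Example Org\r\n"
    "Content-type: application/sdp\r\n"
    "Content-length: 0\r\n"
    "\r\n"
)

# Headers every SIP request must carry (RFC 3261); a message without them is
# not a compliant request and gets no answer at all.
MANDATORY = ("via", "to", "from", "call-id", "cseq", "max-forwards")
# Identity-revealing headers from the privacy slide that carry no routing
# function, so a privacy-conscious edge proxy can remove them.
STRIP = {"call-info", "user-agent", "organization", "server", "reply-to"}
REQUEST_LINE = re.compile(r"^[A-Z]+ sip:\S+ SIP/2\.0$")


def parse_sip(raw):
    """Split a SIP message into (start line, [(name, value), ...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def sanitize(raw):
    """Return ('drop', None) for non-compliant input, else ('forward', msg)."""
    try:
        start, headers, body = parse_sip(raw)
    except ValueError:
        return "drop", None
    present = {name.lower() for name, _ in headers}
    if not REQUEST_LINE.match(start) or any(m not in present for m in MANDATORY):
        return "drop", None  # silent drop: a 400 reply would fingerprint us
    kept = []
    for name, value in headers:
        if name.lower() in STRIP:
            continue  # Via/From/To/Contact stay: they are functional
        if name.lower() == "from":
            # Drop the display name; the URI and tag must survive for routing.
            value = re.sub(r"^[^<]*<", "<", value)
        kept.append("%s: %s" % (name, value))
    return "forward", "\r\n".join([start] + kept) + "\r\n\r\n" + body
```

The SIP URI itself stays in From: because it is functional; as the slide says, the URI still carries identity, so this policy only removes what routing does not need.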
[Figure: SIP device fingerprints (Security thru Obscurity?, continued). Source: CMU & IBM Watson]

IP-based Telephony – Security thru Testing
• Commercially-available VoIP testing tools
  – "vulnerability scanners"
• Inject abnormalities into SIP messages
  – E.g., one tool: 4500 test cases…
  – …but only for SIP "INVITE" message
• Analysis of seven testing tools
  – based on lab tests of four tools; claims of three others
  – even combined, address less than half of known vulnerabilities

IP-based Telephony – IP Telephony Vulnerabilities Addressed by Tools
[Table: the same attack vectors by layer as the previous table, with an "Addressed by ΣTools" column; the per-vector marks did not survive transcription. Source: UC Boulder]

IP-based Telephony – Denial of Service Attacks
• Background
  – Brute force attacks are much easier than clever exploits
• Attack targets
  – SIP infrastructure (SIP servers, Gateways)
  – Supporting services (DNS)
  – End points (SIP phones)
• Commercially available solutions for UDP/SYN flooding
  – But currently none for SIP

IP-based Telephony – Denial of Service Attacks
• Carrier-class Analysis
  – Two types of attacks used: General and VoIP-specific
  – Bi-directional Speech grade-of-service metrics collected
• Results
  – VoIP-specific attacks effective at low rates against all devices
    • No
service – let alone grade of service – to record
  – General attacks caused a wide range of effects
    • Unexpected: all devices adversely affected by TCP SYN attacks
• Conclusions (November 2004):
  "Keep VoIP on private secured networks (off the public Internet) where practical"
  "Design DDOS mitigation products to be VoIP-aware"
  Sprint Adv. Tech. Labs

IP-based Telephony – Denial of Service Attacks
[Figure: Voice Quality during TCP SYN attack on a network element; vertical axis "acceptable quality", horizontal axis "Attack Level", marked at 20% of bandwidth]

IP-based Telephony – Denial of Service Attacks: Current carrier-class work
• Addressing perimeter protection problem of VoIP service
• Strategy – two detection and mitigation filters
  – SIP: Rule-based detection and mitigation filters (only valid SIP)
  – Media: SIP-aware dynamic pinhole filtering (only signaled RTP)

IP-based Telephony – Denial of Service Attacks
[Figure. Columbia U – Verizon Labs]

IP-based Telephony – Denial of Service Attacks: Carrier-class Prototype
• Rely on wire-speed, deep-packet inspection
• 300 calls/second; 10K-30K concurrent calls
• Conclusion (October 2006): "Need to generalize methodology to cover a broader range of cases and apply anomaly detection, pattern recognition and learning systems"
Columbia U – Verizon Labs

Tutorial: TDM-TDM Telephony – Inter-exchange Signaling (SS7), ISDN User Part (ISUP) Protocol
[Call-flow diagram between switches W and X: ❷ Initial Address Message [IAM] from W to X; ❸ number idle?; ❹ Address Complete Message [ACM] from X back to W;
❶ dial digits on Subscriber Line A; ❺ ring tone to A; ❺ ring line B, transmit Caller ID; ❻ connect to trunk; Voice Trunk between W and X; Signaling Link carries the ISUP messages]

Tutorial: TDM-TDM Telephony – Initial Address Message (IAM)
[Figure: Initial Address Message with its Called Party Number parameter, Calling Party Number parameter, and Charge Number parameter]

Tutorial: IP-TDM Telephony
[Diagram: Broadband Phone Service through a router to SIP, DNS and MGC, then to the SSP on the TDM side]

Tutorial: IP-TDM Telephony – SIP to SS7: MGC
• Media Gateway Controller (MGC)
  – Also referred to as a "Softswitch" or "Call Agent"
  – Has logical interfaces facing both networks
  – Translates between SIP and ISUP messages – SS7 protocol Level 4 (e.g., "INVITE" ↔ "IAM")
• Media Gateway (MG)
  – Has trunking interfaces facing both networks
  – Translates between IP and TDM voice streams (i.e., RTP ↔ T1)
  – MGC and MG can be merged in one box or kept separate
• Signaling Gateway (SG)
  – Performs mapping of Signaling Network Messages – SS7 protocol Level 3
  – Level 3: controls congestion, balances loads, re-routes traffic

Tutorial: IP-TDM Telephony – SIP to SS7: MGC
Questions wrt Media Gateway Controller:
• How do they map fields? e.g., "INVITE" ↔ "IAM"?
  – e.g., "From:" ↔ "Calling Party Number" and "Charge Number"
• What call records do they maintain?
  – significant implications for Authenticating source

Tutorial: IP-TDM Telephony – SIP to SS7
• INVITE message
  – IP-to-Wireline phone example (Kevin calls Michael from Internet)
    INVITE sip:[email protected];user=phone SIP/2.0
    Via: SIP/2.0/UDP client.kevin.fcc.gov:5060
    Max-Forwards: 50
    To: Michael <sip:[email protected];user=phone>
    From: Kevin <sip:+12024180100>;tag=8055002911
    Content-type: application/sdp
    Content-length: 142

Tutorial: IP-TDM Telephony – SIP to SS7: MGC
• Signaling Gateway (SG) function
  – Performs mapping of signaling network messages
  – SS7 Level 3: congestion, balances loads, traffic re-routing
• Transporting SS7 over IP Network
  [Protocol-stack diagram: MGC runs ISUP over M3UA over SCTP over IP; the SG (NIF) interworks M3UA/SCTP/IP on the IP side with MTP3/MTP2/MTP1 on the SS7 side; the STP side runs ISUP over MTP3/MTP2/MTP1]
• Bottom line: SG can appear as an SS7 SP at the interface

Tutorial: IP-TDM Phone Service – SIP-SS7 Signaling: Questions?
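The MGC slides ask how INVITE fields map onto IAM parameters ("From:" to Calling Party Number and Charge Number) and flag the implications for authenticating the source. The Python below is an added example, not the presentation's or any vendor's code: it maps the slide's IP-to-wireline INVITE onto the three IAM parameters named in the IAM slide, but accepts the From: number as Calling Party Number only when the account the SIP session authenticated as owns it, and takes the Charge Number from that account rather than from SIP. The account record and the called number are constructed placeholders.

```python
import re

# Constructed from the slide's IP-to-wireline INVITE; the called number is a
# placeholder because the transcript does not carry the real address.
SAMPLE_INVITE = (
    "INVITE sip:+12025551234@gw.example.net;user=phone SIP/2.0\r\n"
    "Via: SIP/2.0/UDP client.kevin.fcc.gov:5060\r\n"
    "Max-Forwards: 50\r\n"
    "To: Michael <sip:+12025551234@gw.example.net;user=phone>\r\n"
    "From: Kevin <sip:+12024180100>;tag=8055002911\r\n"
    "Content-type: application/sdp\r\n"
    "Content-length: 142\r\n"
)

# Hypothetical record for the account the SIP session authenticated as:
# its billing telephone number (BTN) and the numbers it may present.
ACCOUNT = {
    "account_id": "acct-kevin",
    "btn": "2024180100",
    "owned_numbers": {"2024180100", "2024180101"},
}


def split_message(raw):
    """Return (start line, {lower-case header name: value})."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def e164_to_isup(uri):
    """Pull the E.164 digits from a sip:+<digits> URI into ISUP number form."""
    match = re.search(r"sip:\+(\d{7,15})", uri)
    if not match:
        raise ValueError("no E.164 number in %r" % uri)
    digits = match.group(1)
    if len(digits) == 11 and digits.startswith("1"):  # NANP: drop country code
        return {"nature": "national", "digits": digits[1:]}
    return {"nature": "international", "digits": digits}


def invite_to_iam(raw, account):
    """Map one INVITE to the IAM parameters the slide names; returns (iam, audit)."""
    start, h = split_message(raw)
    request_uri = start.split(" ")[1]
    asserted = e164_to_isup(h["from"])
    audit = []
    # Calling Party Number: trust the From: number only if this account owns it;
    # otherwise substitute the account's BTN and record the substitution.
    if asserted["digits"] in account["owned_numbers"]:
        calling, screening = asserted, "user provided, verified and passed"
    else:
        calling = {"nature": "national", "digits": account["btn"]}
        screening = "network provided"
        audit.append("CPN %s not owned by %s; replaced with BTN"
                     % (asserted["digits"], account["account_id"]))
    # Charge Number comes from the authenticated account, never from SIP.
    iam = {"called_party_number": e164_to_isup(request_uri),
           "calling_party_number": calling, "screening_indicator": screening,
           "charge_number": {"nature": "national", "digits": account["btn"]}}
    return iam, audit
```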
IP-TDM Phone Service – Signaling Interworking Vulnerabilities
Background
• New players (CLECs) increasing the number of SS7 access points
• Signaling Gateway looks like another SS7 SP to an STP
• Absence of message integrity and authentication in SS7
  – Could use IPSec in hybrid environment – but ends at the SG
Recent Analysis (December 2006)
• Hijacked or misbehaving SS7 nodes
  – Open to Signaling Network Management (SNM) injects
  – Injections towards MGC can disrupt VoIP services
• Hijacked or misbehaving Signaling Gateway
  – Can affect functioning of SS7 network
"Threats arising in either network due to misprovisioned or malicious signaling nodes are not confined to that network alone but may affect the other network as well."
GMU - UNT

IP-TDM Phone Service – Signaling Interworking Vulnerabilities
Critical Management Messages in IP and SS7 networks – just SS7 level 3
SS7 protocol layer and its management messages – Message Transfer Part Level 3: MTP3
  Signaling Network Management msgs:
  • Emergency Changeover Order
  • Changeover Order
  • Transfer Prohibited
  • Transfer Controlled
  • Transfer Restricted
SS7 network management messages in an IP network – SIGTRAN layer: M3UA
  At Signaling Gateway, M3UA provides interworking with MTP3 function by using ASP management messages:
  • Destination Restricted
  • Destination Unavailable
  • Signaling Congestion
  • Destination User Part Unavailable

IP-TDM Phone Service – Signaling Interworking Vulnerabilities
• Only widely deployed security solution
  – Telcordia's Gateway Screening Specification
  – Implemented at gateway STPs
  – Generally screens out only message headers
  – Doesn't check content and structure of most signaling messages
• Commercial products to secure SS7 are emerging
  – Content-based and signal-sequence firewalls
  – Network Access Mediation (Sevis);
  – SS7 Security Gatekeeper
    (Verizon)
• Proposed: MTPSec to secure SS7 network layer

Open Source PBX – Be Your Own Phone Company
[Diagram: Asterisk PBX behind a router, reaching the SSP through a Termination Provider]

Be Your Own Phone Company – Asterisk – Corporate PBX
[Figure]

Open Source PBX – Spoofing: Service & Do-It-Yourself
[Diagram: Asterisk PBX behind a router, reaching the SSP through a Termination Provider]

Be Your Own Phone Company – Spoofing: Service & Do-It-Yourself
Things to know:
– Can use standard SetCallerID(nnnnnnnnnn) command
  • PBX-like; not efficient for per-call spoofing
– Asterisk software is easily patched to do Caller ID spoofing
  • Add the following lines to extension config file
      exten => 33,1,Answer
      exten => 33,2,AGI(cidspoof.agi)
  • Download the cidspoof.agi script changing line 77 to the correct username / hostname for VoIP service provider, and copy to /var/lib/asterisk/agi-bin/
  • Start Asterisk
  • Call extension 33, enter number you wish to spoof from, followed by number you wish to spoof to.

Open Source PBX
• Authentication concerns (CPN, BTN)
  – manipulation now much cheaper
  – isolation from traceability much greater

Smartphone Security – General Outlook
• Virus problem seems relatively small and manageable…
  – Cell phone carriers have strong incentives to keep under control
  – Cell phone carriers have good control points (e.g., gateways)
  – Incidents to date haven't been widespread or fast spreading
  – Many categorized as low-threat "proof of concept"
• Q: "Is the Sky Falling?" A: "Probably not; not at the moment."
• "But the ocean…"

Smartphone Security – General Outlook
• But… cell phones are an increasingly attractive target
  – Applications becoming more PC-like; e.g., email attachments (smart phones make up about 5% of cell phones)
  – Operating System uniformity increases appeal to hackers (i.e., Symbian, PocketPC, PalmOS dominate smart phones)
  – Standard Markup Languages create openings (e.g., java scripts)
  – Phones increasingly carry sensitive info (e.g., business info)
  – Phones increasingly can make small financial charges
    • by accepting "reverse SMS" micropayment charges
    • i.e., there's a direct link to money
• Potential impact of viruses seems high

Smartphone Security – General Outlook
Q: "What can mobile viruses do?"
• Spread via Bluetooth, MMS
• Send SMS messages
• Infect files
• Enable remote control of the smartphone
• Modify or replace icons or system applications
• Install "false" or non-operational fonts and applications
• Combat antivirus programs
• Install other malicious programs
• Block memory cards
• Steal data

Smartphone Security – Symbian OS…
• Dominant smartphone OS (50% of phones shipped)
• Allows user to install untrusted code
  – post-installation antivirus software not as mature as PC
• Once installed, code has access to all resources
  – extract phone numbers, email
  – send SMS, MMS, email; make HTTP connections
  – dial numbers; connect via Bluetooth
• Possible to avoid detection
  – run in background (server); wait for long idles; delete logs
  – user unaware of filesystem
• Possible to avoid removal, short of reflashing

Smartphone Security – Bluetooth…
• Devices
  – 13% of phones sold worldwide in 2004; 4% in U.S.
• Distances
  – Nominal range is 10 meters (often boosted to 100m)
  – Hijacking phones has been demonstrated at over a mile
• Suggested cipher vulnerabilities
  – [see Wetzel]
• Observation
  – a "personal networking standard" vulnerable to personal misjudgments and oversights

Smartphone Security – Creating the Conditions for a Perfect Storm?
[Diagram: PSTN, Internet, Bluetooth]

Smartphone Security – Evolution
• By early 2005 main types of mobile viruses had evolved
  – Very few in last 18-24 months are truly original
• Now 31 families, 170 variants.
• MMS will eventually become common method of propagation
[Chart: Increase of known mobile malware variants, starting 6/2004]

Service Providers – Cyber Security Practice: Background
• History
  – Network Reliability & Interoperability Council (NRIC)
  – NRIC VI & VII: assembled Cybersecurity Best Practices
  – applicable as appropriate; voluntary, …
  – more of a checklist where one would like a culture
• Stipulation
  – Technical complexity; industry's superior expertise & resources
  – Regulation may not result in adoption of underlying philosophy

Service Providers – Cyber Security Practice
• Question
  – Are ISP businesses "Markets for Lemons" wrt security?
    • asymmetric information > willingness to pay only average price
    • above average security will be driven out of the market?
• Challenge
  – Are there approaches to improving security and reliability of infrastructure that benefit both users and providers?
  – What are the incentives?
  – Are ISP business dynamics and industry sectors different?