R&D

William Knight is a technology writer with 18 years' experience in software development and IT consulting. He writes for titles that include Computing, JavaPro and Ganthead.com.
The return of the Phreak

Having rushed VoIP handsets and systems to market, now everybody wants to understand how to secure them. It’s a familiar story that started many years ago with a little research and a plastic flute.

William Knight

The phone phreaks of the last century ran up other people’s phone bills and called internationally for nothing. As the original hackers, they vanished only when there was no profit to be made, and by the late nineties, local calls were free, long-distance was included in fixed-price packages and international charges had fallen to such an extent that there was little to gain from dishonesty. The phreaks took control of call routing by, among other methods, blowing whistles into the receiver — unbelievably, the whistles came free in packets of breakfast cereal — in a manner no telecoms engineer had thought to test.

“History shows us that advances and trends in information technology typically outpace the corresponding realistic security requirements, which are often tackled only after these technologies are widely deployed,” comments the VoIP Security Alliance (VoIPSA).

Accordingly, David Endler, director of security research for 3Com’s security division, TippingPoint, reports that hacking conferences are starting to focus on VoIP. “A year ago at the Blackhat conference 2005, there was one presentation on VoIP. In 2006 there was a whole track dedicated to VoIP, about six presentations. More and more people are starting to look at it from a security perspective, releasing tools and information on how to exploit the technology.”

Another pointer to the rise of VoIP hacking is the SANS Institute list of top-20 Internet Security Attack Targets. In the most recent update, VoIP made the list for the first time, and SANS placed VoIP cyber attacks at number six in its top ten security trends for 2007, reasoning that “VoIP technology was deployed hastily without fully understanding security.”
Denying free speech

Endler says that the most prevalent threat to VoIP is denial of service (DoS). “VoIP is another data application, but it’s a little different from your traditional email or web services. For example, if your organisation was under a DoS attack the email you sent out might not arrive for several hours or it might make your web browsing a little slower. These applications are forgiving to network congestion. VoIP is quite different. If packets arrive late, they may as well not have arrived at all.”

And with traditional attacks like DoS go traditional social engineering attacks. Endler recently received his first VoIP phishing email. The phishers used a non-geographic telephone number that directed the caller to a fake tele-banking system. “It’s extremely easy to set up a nongeographic number to go into a VoIP system. You can set this up with free tools, essentially Asterisk, which is the open-source VoIP platform. You mock-up your banking institution by calling the real site, recording the voice responses and using the wave files in your own systems. You can do this in a few hours.”

Ken Munro, managing director of Thame-based Secure Test, agrees that there is growing evidence for social engineering attacks on VoIP systems. He thinks luring users to premium lines, and phishing with fake call centres are strategies likely to grow due to the “de-skilling” of voice attack technology.

But it’s not only familiar network attacks and social engineering. As you might expect from a new technology, there are new opportunities for the hacker. Chief among these are those opened up by new protocols, which are, ironically, made more risky by widespread adoption. As Munro explains, hackers like standards so they have one target rather than having to customize attacks for each proprietary solution.

“A handset is just a PC on the internet,” says Munro, explaining why an explosion of
wireless networks and end-devices all with the same embedded operating system feeds hacker dreams.

SIP, or session initiation protocol, defines an abstract mechanism for managing communications channels, be that email, instant message or VoIP. “SIP allows two speaking parties to set up, modify, and terminate a phone call between the two of them. SIP is a text-based protocol and is most similar, at first glance, to the HTTP protocol,” says Endler.

Standards increase risk

Attacking this common protocol offers enormous potential for the hacker: dropping calls; bypassing billing gateways; redirecting callers to bogus systems; and recording secure information, to name a few. So it is not surprising that much hacker attention is directed at the SIP layer, and many attacks rely on finding valid SIP user IDs and identifying VoIP extensions.

In his book, Hacking VoIP Exposed, Endler details how with a basic understanding of SIP and a few free tools it is possible to “enumerate” a target’s open services, generating a list of valid phone extensions and user names. This is all done by exploiting the protocol’s normal operation and a few commonly misconfigured services such as webservers left operating on VoIP handsets. The list of valid users is the start point for further attacks.

“VoIP is also exposed to new and sophisticated external threats such as caller ID spoofing – where a hijacked call recipient believes communication is from an authentic source – and Spam over Internet Telephony (SPIT),” says Nick Frost, consultant at the Information Security Forum. “SPIT is a particular worry. As mass-marketers realise the benefits of low cost calls, the potential for voice-mail to be clogged with commercial messages and for staff to spend hours fielding pre-recorded and call-centre internet calls is enormous.”

It’s true that many VoIP threats, like DoS, are familiar or slightly modified system attacks, including viruses, worms, Trojans, man-in-the-middle, and packet sniffing.
This is why continued network security is so important for VoIP. “A recommendation you will hear over and over again,” says Endler, “is to segment portions of the VoIP network on a VLAN separate from the traditional data network. This will help mitigate a variety of threats, including enumeration.”

But while you may be able to harden your networks and VoIP infrastructure to mitigate most attacks, only suppressing hacker motivation will result in risk-minimised VoIP. Right now, motivation is driven by tantalising money-making schemes, and low entry barriers. If history repeats, VoIP could herald the mass return of the phreak.

[Figure: The Cisco Self Defending Network Architecture for Unified Communications]

HOW TO MITIGATE VOIP VULNERABILITIES

- Apply the vendor supplied patches for VoIP servers and phone software/firmware.
- Ensure that the operating system running the VoIP server is patched with the latest OS patch supplied by either the OS vendor or the VoIP product vendor.
- Scan the VoIP servers and phones to detect open ports.
- Firewall all the ports from the Internet that are not required for keeping up the VoIP infrastructure.
- Use a VoIP protocol aware firewall or Intrusion Prevention product to ensure that all UDP ports on VoIP phones are closed to the Internet for RTP/RTCP communications.
- Disable all the unnecessary services on phones and servers (telnet, HTTP, etc.).
- Use VoIP protocol fuzzing tools such as the OULU SIP PROTOS suite against the VoIP components to ensure the VoIP protocol stack integrity.
- Additional caution should be taken at the product selection phase to ensure the VoIP product vendor supports OS patches as they are released. Many VoIP vendors will void support for unapproved patches and may take considerable time before approving them.
- Apply separate VLANs to your voice and data network, as much as your converged network will allow.
- Ensure that VoIP DHCP and TFTP servers are separate from your data network.
- Change the default passwords on phones’ and proxies’ administrative login functions.
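The enumeration Endler describes leaves a trace a defender can look for: one source addressing many different extensions. The Python below is an added example, not taken from the article or from Endler's book; it parses SIP requests as the text-based protocol the article describes and reports such sources. The capture, addresses, domain and the threshold of five are constructed assumptions.

```python
import re
from collections import defaultdict

REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ SIP/2\.0$")
TO_USER = re.compile(r"sips?:([^@>;\s]+)@")
VIA_HOST = re.compile(r"SIP/2\.0/\w+\s+(\[[^\]]+\]|[^\s;:]+)")
COMPACT = {"t": "to", "v": "via"}  # compact header names defined by SIP

def parse_request(raw):
    """Return (source_host, target_user) for a SIP request, or None."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    if not REQUEST_LINE.match(head[0]):
        return None  # a response or a malformed start line
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if sep:  # setdefault keeps the top-most header of each name
            headers.setdefault(COMPACT.get(key, key), value.strip())
    # Assumption: Via is sender-supplied; prefer the packet source address if logged.
    via = VIA_HOST.search(headers.get("via", ""))
    to = TO_USER.search(headers.get("to", ""))
    return (via.group(1), to.group(1)) if via and to else None

def enumeration_suspects(messages, min_targets=5):
    """Map each source to the extensions it addressed, if it addressed many."""
    seen = defaultdict(set)
    for raw in messages:
        parsed = parse_request(raw)
        if parsed:
            seen[parsed[0]].add(parsed[1])
    return {src: sorted(users) for src, users in seen.items()
            if len(users) >= min_targets}

def sample(method, user, src):
    """Build one constructed request (documentation addresses, not real traffic)."""
    return (f"{method} sip:pbx.example.com SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {src}:5060;branch=z9hG4bK-{user}\r\n"
            f"To: <sip:{user}@pbx.example.com>\r\n"
            f"From: <sip:{user}@pbx.example.com>;tag=1\r\n"
            f"CSeq: 1 {method}\r\n\r\n")

CAPTURE = [sample("REGISTER", str(ext), "203.0.113.9") for ext in range(100, 108)]
CAPTURE += [sample("REGISTER", "2001", "198.51.100.20")] * 3  # a phone re-registering
CAPTURE.append("SIP/2.0 200 OK\r\nTo: <sip:100@pbx.example.com>\r\n\r\n")

if __name__ == "__main__":
    for src, users in enumeration_suspects(CAPTURE).items():
        print(f"{src} addressed {len(users)} extensions: {', '.join(users)}")
```

A deployed version would count within a time window and exempt known proxies and trunks, which legitimately address many users.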
JANUARY/FEBRUARY 2007