Can you call someone using VoIP and steal their personal
data without talking to them? Most people would have said “No” until they saw
the Sipera VIPER Lab demonstration, which does exactly that. The demonstration,
first shown at Black Hat 2007, shows how to remotely exploit a soft phone
installed on a Windows laptop and view or steal the personal data stored on
that laptop. This means IT security administrators, responsible for keeping tabs
on confidential data for privacy and compliance, must pay attention to the
risks inherent in VoIP.
Traditionally, threats from VoIP/unified communications
(UC) do not make it to the top of the list of information security issues.
Rather, such lists contain threats such as system probing, email attacks,
default password attacks, and sniffing. However, the VoIP-to-data exploit puts
VoIP/UC among top information security concerns.
The VoIP/UC threat
Like any complex computer system, VoIP/UC networks
present unique security challenges. Despite many attempts to formulate best
security practices for VoIP/UC solutions within an enterprise, such best
practices are not always enforced or correctly followed. The reasons behind
this may be budgets, time, misunderstandings, or even just apathy towards
security. Whatever the reasons, leaving VoIP/UC networks unprotected makes them
and the co-existing data networks vulnerable to numerous security threats.
To give a simple example, standard security best practices
recommend separating the voice virtual local area network (VLAN) from
the data VLAN to prevent traffic from one reaching the other. However, unified
communications enable soft phones to be installed on the data VLAN and talk to
hard VoIP phones on the voice VLAN. Completely blocking the traffic between the
two VLANs would prevent this communication, so IT administrators may instead allow
traffic between the two VLANs freely. Such a policy enables legitimate
communication between the two VLANs, but if not monitored, it also allows
worms, viruses and other attacks to cross over from one side to the other.
Not all enterprises deploy soft phones yet, but VoIP
soft phones are becoming an integral part of many unified communications
frameworks. One of the reasons is that they enable software-based migration of
end user devices to VoIP. Additionally, soft phones also enable users to be
reachable wherever they take their laptops. Even if the enterprise does not
expressly deploy VoIP soft phones, employees may use a freely available VoIP
soft phone with several public VoIP service providers. It is not wise to ignore
VoIP threats when investing resources to protect confidential data and assets
residing on a data network. Equal importance must be given to protecting
VoIP/UC devices to achieve comprehensive security across the enterprise.
Exploiting a VoIP soft phone
Let's look at a potential attack. One possible exploit
uses an IETF SIP (Session Initiation Protocol)-based soft phone.
Step 1: Finding an exploitable vulnerability.
One of the most effective techniques to uncover
implementation vulnerabilities in protocol parser implementations is to subject
them to a “fuzzing” attack. According to Wikipedia:
“Fuzzing is a software testing technique that provides
random data (“fuzz”) to the inputs of a program”.
A fuzzing attack is more effective on ASCII-based
protocol implementations (e.g., SIP). Unlike binary protocols, the ASCII
protocol message format is very flexible, making it difficult to build robust
parser implementations. Several freely available tools can be used to launch
such fuzzing attacks against the soft phones and discover vulnerabilities in
them.
Figure 1 shows an example of a “fuzzed” SIP INVITE
message with an oversized SIP “From” header value. Often, such oversized fields
uncover buffer overflow vulnerabilities in the target software.
Figure 1: An example of a “fuzzed” SIP message with an
oversized header value
These buffer overflow vulnerabilities can then
be exploited to execute arbitrary code on the victim's system. Typically, when
subjected to such oversized messages, a vulnerable soft phone crashes, which
means that when you find the one fuzzed message that crashes the soft phone
program, you have found the exploit case. That test case can then be
tweaked to inject executable shell code into the soft phone.
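The length check whose absence the fuzzed From header in Figure 1 is probing for, shown as an added example in Python (not code from the article or from Sipera). The parser below bounds message size, header line length and header count before it uses any value, turns an oversized From value into a controlled error rather than a crash, and then runs a small fuzz loop of oversized From values against its own parser to confirm that no case escapes those limits. The limit values, the sample INVITE and its documentation-range addresses are constructed for this example.

```python
import random
import re

# Limits the parser enforces. These are assumed values chosen for this example;
# RFC 3261 sets no fixed header length, which is exactly why an implementation
# must pick a bound and enforce it before copying anything into a fixed buffer.
MAX_MESSAGE_LEN = 8192
MAX_LINE_LEN = 1024
MAX_HEADERS = 64

REQUEST_LINE_RE = re.compile(
    r"^(INVITE|ACK|BYE|CANCEL|OPTIONS|REGISTER) (\S+) SIP/2\.0$")
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):[ \t]*(.*)$")
REQUIRED_HEADERS = ("via", "from", "to", "call-id", "cseq")


class SipParseError(ValueError):
    """The only exception the parser may raise; the caller drops the message."""


def parse_sip_request(raw: bytes) -> dict:
    """Parse a SIP request into method, URI, headers and body, rejecting oversized input.

    Simplification: header folding and compact header names are rejected, not supported.
    """
    if len(raw) > MAX_MESSAGE_LEN:
        raise SipParseError("message exceeds %d bytes" % MAX_MESSAGE_LEN)
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise SipParseError("non-ASCII byte in message") from None
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_LINE_RE.match(lines[0])
    if m is None:
        raise SipParseError("malformed request line")
    if len(lines) - 1 > MAX_HEADERS:
        raise SipParseError("too many headers")
    headers = {}
    for line in lines[1:]:
        # Checked before the value is used anywhere: this is the bound whose
        # absence lets an oversized From header overflow a fixed-size buffer.
        if len(line) > MAX_LINE_LEN:
            raise SipParseError("header line exceeds %d bytes" % MAX_LINE_LEN)
        h = HEADER_RE.match(line)
        if h is None:
            raise SipParseError("malformed header line")
        headers.setdefault(h.group(1).lower(), []).append(h.group(2))
    for name in REQUIRED_HEADERS:
        if name not in headers:
            raise SipParseError("missing required header %s" % name)
    return {"method": m.group(1), "uri": m.group(2), "headers": headers, "body": body}


def is_rejected(raw: bytes) -> bool:
    """True if the parser refuses the message with a controlled error."""
    try:
        parse_sip_request(raw)
    except SipParseError:
        return True
    return False


def build_invite(from_value: str) -> bytes:
    """Constructed sample INVITE; addresses are documentation-range placeholders."""
    return (
        "INVITE sip:bob@192.0.2.10 SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK776asdhds\r\n"
        "From: " + from_value + "\r\n"
        "To: Bob <sip:bob@192.0.2.10>\r\n"
        "Call-ID: a84b4c76e66710@198.51.100.7\r\n"
        "CSeq: 314159 INVITE\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("ascii")


NORMAL_INVITE = build_invite("Alice <sip:alice@198.51.100.7>;tag=1928301774")
FUZZED_INVITE = build_invite("A" * 4000)  # oversized From value, as in Figure 1


def fuzz_from_header(iterations: int = 300, seed: int = 7) -> int:
    """Feed oversized, randomly filled From values and count clean rejections.

    Any exception other than SipParseError escaping the parser is a parser bug
    and propagates, so the count equals `iterations` only if every case was handled.
    """
    rng = random.Random(seed)
    rejected = 0
    for _ in range(iterations):
        length = rng.randint(MAX_LINE_LEN + 1, MAX_MESSAGE_LEN)
        junk = "".join(rng.choice("A%<>\"';\\@:=") for _ in range(length))
        if is_rejected(build_invite(junk)):
            rejected += 1
    return rejected


if __name__ == "__main__":
    print(parse_sip_request(NORMAL_INVITE)["headers"]["from"])
    print("fuzzed INVITE rejected:", is_rejected(FUZZED_INVITE))
    print("clean rejections:", fuzz_from_header(), "of 300")
```

The same fuzz loop run against a parser written in C with a fixed-size header buffer is the test a vendor should have run before shipping; the difference between the two outcomes is the whole Step 1.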
Step 2: Exploiting the vulnerability to execute shell code.
Using the exploit case to execute arbitrary code on the
machine where the vulnerable soft phone is installed involves carefully
crafting the content of the bad input buffer. Such crafting is done by studying
the OS memory addresses and then carefully inserting these addresses and the
encoded “shell code” into the input buffer. This crafted byte sequence can then
be inserted into the SIP INVITE message.
Step 3: Executing the shell code.
Figure 2 shows a finished SIP message ready to be sent to
the vulnerable soft phone.
Figure 2: Finished SIP INVITE message with shell code
The address of a standard OS instruction is indicated by
4 underlined bytes. These 4 bytes will be used to trigger the execution of
shell code that follows.
Step 4: Mapping back to the enterprise network.
Some SIP soft phones require that they successfully
register with a SIP server before they can start accepting calls, while others
can operate in a peer-to-peer mode. In the former case, we can demonstrate the
exploit using a well-known open-source IP PBX such as Asterisk
(www.asterisk.org).
Figure 3 shows a diagram of the test network used for
this VoIP-to-data exploit demonstration. Note that the laptop has anti-virus,
anti-spyware, and firewall active.

Figure 3: Test network for data theft using VoIP exploit
Typically, enterprises using SIP for remote user connectivity
configure their perimeter firewall to forward SIP traffic (port 5060) to the
internal IP PBX. The firewall used in the test network forwards port 5060 to
the internal IP PBX. Using this forwarding rule we can send the fuzzed messages
to the vulnerable soft phone from the internet. The IP-PBX treats this fuzzed
message as a new call for the soft phone and forwards the call to the
vulnerable soft phone. Once the soft phone gets this fuzzed message with the
shell code embedded in it, the shell code is executed, resulting in the
victim's laptop connecting back to the attacker's machine using port 80. The
enterprise firewall will typically allow outgoing connections to port 80,
thinking that it is standard web traffic.
Once the control connection is established back to
attacker's computer, the attacker can get access to all the data that is stored
on the victim's laptop.
Furthermore, the attacker can also do the following damage to the
victim's laptop:
- Copy the confidential data to a remote computer
- Delete the data
- Deny access to the data
- Change the system registry
- Shut down or reboot the laptop
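The traffic pattern in Step 4 leaves two footprints at the perimeter: an inbound SIP message forwarded on port 5060, and shortly afterwards an outbound TCP connection on port 80 from an internal host to the address that sent it, which the firewall passes as web traffic. The Python below, an added example rather than anything from the article, correlates those two events over constructed firewall log lines. The log format, the addresses and the 60-second window are assumptions for this example; the heuristic misses a callback to a different host than the caller, and a list of known soft phone hosts would tighten it.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed firewall log format for this example (not from any real product):
# <timestamp> <action> <direction> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<direction>in|out) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

SIP_PORT = 5060        # forwarded by the perimeter firewall to the internal IP PBX
CALLBACK_PORT = 80     # the outbound port the demonstration's shell code uses
WINDOW = timedelta(seconds=60)  # assumed correlation window


@dataclass
class FlowEvent:
    ts: datetime
    action: str
    direction: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line: str) -> FlowEvent:
    m = LOG_RE.match(line.strip())
    if m is None:
        raise ValueError("unrecognised log line: %r" % line)
    f = m.groupdict()
    return FlowEvent(datetime.strptime(f["ts"], "%Y-%m-%dT%H:%M:%SZ"), f["action"],
                     f["direction"], f["proto"], f["src"], int(f["sport"]),
                     f["dst"], int(f["dport"]))


def find_sip_callbacks(lines, window=WINDOW):
    """Pair each allowed outbound TCP/80 connection with the most recent inbound
    SIP (udp/5060) from the same external address within `window`.
    Returns (sip_event, outbound_event) tuples in time order."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    last_sip_from = {}  # external ip -> most recent inbound SIP event
    hits = []
    for ev in events:
        if ev.action != "ALLOW":
            continue
        if ev.direction == "in" and ev.proto == "udp" and ev.dport == SIP_PORT:
            last_sip_from[ev.src] = ev
        elif ev.direction == "out" and ev.proto == "tcp" and ev.dport == CALLBACK_PORT:
            sip = last_sip_from.get(ev.dst)
            if sip is not None and ev.ts - sip.ts <= window:
                hits.append((sip, ev))
    return hits


def callback_summary(lines):
    """(internal host, external address) for each suspected callback."""
    return [(out.src, out.dst) for _, out in find_sip_callbacks(lines)]


# Constructed sample log: 203.0.113.5 sends SIP to the firewall's public address
# (198.51.100.7, forwarded to the PBX); three seconds later the soft phone host
# 10.1.20.15 opens TCP/80 to that same address. The other lines are ordinary
# browsing and a SIP call with no follow-up connection inside the window.
SAMPLE_LOG = """\
2007-08-01T10:00:01Z ALLOW in udp 203.0.113.5:5060 -> 198.51.100.7:5060
2007-08-01T10:00:02Z ALLOW out tcp 10.1.20.15:49152 -> 198.51.100.80:80
2007-08-01T10:00:04Z ALLOW out tcp 10.1.20.15:49153 -> 203.0.113.5:80
2007-08-01T10:05:00Z ALLOW in udp 203.0.113.9:5060 -> 198.51.100.7:5060
2007-08-01T10:30:00Z ALLOW out tcp 10.1.20.22:49200 -> 203.0.113.9:80
"""

if __name__ == "__main__":
    for sip, out in find_sip_callbacks(SAMPLE_LOG.splitlines()):
        print("suspect callback: %s -> %s:%d, %ds after inbound SIP from %s" % (
            out.src, out.dst, out.dport, (out.ts - sip.ts).seconds, sip.src))
```

On the sample log this reports exactly one pair, 10.1.20.15 connecting to 203.0.113.5 three seconds after that address sent SIP; the unrelated browsing line and the call from 203.0.113.9 with no follow-up connection inside the window are left alone. In a production deployment the same correlation belongs on the VoIP-aware IPS or SIEM rather than in a script, with the internal side restricted to hosts known to run soft phones.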
Preventive measures
To truly secure enterprise data and VoIP/UC networks and
protect against attacks, enterprises must adopt and enforce security best
practices, including:
- Prioritizing VoIP/UC threats as something that must be
addressed
- Keeping operating system and VoIP application patches
up-to-date
- Checking for poor or incorrect implementation of
policies
- Securing Wi-Fi access points
- Using VLANs to keep voice and data traffic separate and
police the bridges between the two VLANs
- Deploying VoIP aware intrusion prevention systems (IPS)
with signature and anomaly filtering along with behavior-learning techniques to
prevent zero-day attacks
Sitting at the edge of the enterprise network, usually
within the DMZ, a dedicated, comprehensive VoIP security box can address many
of these threats and ensure best practices are followed. Such a
purpose-built appliance must solve firewall/NAT traversal, terminate encrypted
traffic to the enterprise when the VoIP phone is external to the enterprise,
and offer fine-grained policy enforcement to apply different security and call
routing rules depending on whether the traffic originates inside or outside
the enterprise. But, most importantly, any dedicated VoIP security solution
should protect against signaling and media vulnerabilities through
sophisticated VoIP-specific security methodologies.
When evaluating a VoIP security device, enterprises
should look for those that are aware of the complex nature of VoIP protocols
and can conduct detection, mitigation and prevention in real time. Further,
such a device should also be able to understand user behavior, as this is the
most effective method of analyzing and eliminating false positives and negatives,
which can be extremely damaging to the VoIP service and user experience. Together,
these practices proactively protect the VoIP service from the attacks, misuse and
service abuse that networks and end users face.