[VOIPSEC] VoIP vulnerabilities summarization

Janne Magnusson janne at ingate.com
Wed Dec 14 05:10:37 CST 2005


Hi Sukery,

I think you made a good summarization of the vulnerabilities and I agree
with what you say.

But I think several of the problems you mention can be solved by using
TLS to protect the signalling and SRTP to protect the media as described
in existing standards and drafts. These technologies may not be widely
spread among existing implementations but they exist and your list
provides some good reasons that may motivate others to follow. 

I'm also interested in what tool you used.

Cheers
/Janne

> 2. SIP reuses the authentication mechanism from the HTTP protocol; in fact, HTTP
> authentication is totally imperfect when applied to the SIP protocol, for
> it is a single-direction authentication, which means that only the server
> authenticates the endpoints; the endpoints do not authenticate the
> server. This situation makes it easy to deceive endpoints because they do
> not authenticate any entity in the network. Pseudo call (call someone with
> a false user id) and server impersonation are dangerous attacks due to this
> vulnerability.
> 
> 3. SIP communication is based on message transactions; however, the SIP
> transaction mechanism is quite complicated. For example, when a stateful
> proxy server receives a SIP request message, it first computes the
> transaction ID for this message. If the transaction ID did not exist
> before, this request message is regarded as a new message, and the server
> will do a lot of things for this new message: save this message, create a
> finite state machine for this message, construct a provisional response
> message and send it back, save this response message, update the finite
> state machine, decide the next hop of this request message based on the
> complex routing rules, transfer the request message, create one or more
> client transactions for the request message... These steps surely consume
> lots of CPU and memory resources. As a result, the server is susceptible
> to DoS attacks when a hacker continually sends large quantities of SIP
> request messages with different Call-IDs.
> 
> 4. Unencrypted media streams such as RTP data are easy to wiretap.
> 
> 5. Almost all VoIP software has some code flaws; in this case, even a
> malicious packet may bring down the server. We call this packet an exception
> packet; in fact, we have found exception packets against both SIP servers
> and H.323 servers.
> 
> 6. VoIP endpoints are much more intellectualized than traditional PSTN
> terminals; however, when this capability is abused, a lot of malicious
> network attacks appear:
>      disturbance call
>      call leaflet
>      voice broadcast
>      and more...
> 
> 
> >Chris
> >
> >I'm pretty heavily involved in SIP standards development, and have been
> >for some time.  I talk regularly with the kind of folks that I think would
> >know if their stuff had been "hit".  I know about plenty of attacks on the
> >underlying infrastructure, including the platform attacks.  I have NEVER
> >heard even a whisper of an actual attack on VoIP equipment that used
> >exploits specifically related to SIP (which I don't think is substantially
> >better or worse than other VoIP protocols).
> >_______________________________________________
> >Voipsec mailing list
> >Voipsec at voipsa.org
> >http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> 
> 
> 
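Added example, not part of this thread or any poster's code: a small Python detector for the transaction-flood case described in item 3 above. It keys each incoming request the way a stateful proxy does (RFC 3261 section 17.2.3 matching on the top Via branch, sent-by and method), so retransmissions that reuse an existing transaction are not counted, and it flags a source that opens more than a threshold of distinct transactions inside a short window. The SIP messages, addresses, window and threshold are constructed sample values.

```python
import re
from collections import defaultdict, deque

BRANCH_RE = re.compile(r"branch=([^;\s]+)", re.I)

def transaction_id(msg):
    """Server-transaction key as a stateful proxy computes it (RFC 3261 17.2.3):
    top-Via branch, top-Via sent-by and the request method. ACK is keyed as
    INVITE so an ACK for a non-2xx final response matches the INVITE transaction."""
    lines = msg.split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    if method == "ACK":
        method = "INVITE"
    top_via = next(l for l in lines[1:] if l.lower().startswith(("via:", "v:")))
    sent_by = top_via.split(None, 2)[2].split(";", 1)[0]
    branch = BRANCH_RE.search(top_via).group(1)
    return (branch, sent_by, method)

def flood_sources(events, window=1.0, threshold=5):
    """events: iterable of (timestamp, src_ip, raw_request). Returns the sources
    that opened more than `threshold` distinct transactions within any `window`
    seconds. Retransmissions reuse a transaction ID and are therefore ignored."""
    seen = set()                  # transaction IDs already handled
    recent = defaultdict(deque)   # src -> timestamps of its new transactions
    flagged = set()
    for ts, src, raw in sorted(events, key=lambda e: e[0]):
        tid = transaction_id(raw)
        if tid in seen:
            continue              # retransmission: answered from saved state
        seen.add(tid)
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            flagged.add(src)
    return flagged

def invite(branch, call_id, src="10.0.0.9"):
    """Constructed minimal INVITE with a fresh branch and Call-ID (sample data)."""
    return ("INVITE sip:bob@example.net SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {src}:5060;branch=z9hG4bK{branch}\r\n"
            f"Call-ID: {call_id}@{src}\r\n"
            "CSeq: 1 INVITE\r\n\r\n")

# Constructed events: 10.0.0.9 sends 8 INVITEs with distinct Call-IDs in 0.4 s;
# 10.0.0.7 sends one INVITE and retransmits it twice (same branch).
SAMPLE = [(i * 0.05, "10.0.0.9", invite(f"a{i}", f"c{i}")) for i in range(8)]
SAMPLE += [(t, "10.0.0.7", invite("b1", "c9", "10.0.0.7")) for t in (0.0, 0.5, 1.0)]

if __name__ == "__main__":
    print(flood_sources(SAMPLE))  # {'10.0.0.9'}
```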