[VOIPSEC] Actual Attacks
Brian Rosen
br at brianrosen.net
Fri Feb 25 19:18:46 CST 2005
Chris
I'm pretty heavily involved in SIP standards development, and have been for
some time. I talk regularly with the kind of folks that I think would know
if their stuff had been "hit". I know about plenty of attacks on the
underlying infrastructure, including the platform attacks. I have NEVER
heard even a whisper of an actual attack on VoIP equipment that used
exploits specifically related to SIP (which I don't think is substantially
better or worse than other VoIP protocols). There is one exception, which
is when the Uppsala tests came out, some folks saw script kiddies using the
test scripts against some devices. As we know, most devices did crash first
time out with those tests. So I agree that there have been attacks, primarily
using platform vulnerabilities, but I don't think there have been many attacks
directly on the VoIP stuff.
With regard to eavesdropping, it's not very easy to eavesdrop within a
corporate network unless you have physical access to the switches, or, for a
really knowledgeable hacker, passwords to the network management systems.
The nature of the switched architecture is that packets come in one port and
go out ONE other port; it's not a bus or broadcast system any more.
Now, I always assume it's possible when designing systems; assume that every
switch is a bridge..., but the reality is that sniffing packets for VoIP is
much harder than most people think it is.
Brian
> -----Original Message-----
> From: Christopher A. Martin [mailto:chris at sip1.com]
> Sent: Friday, February 25, 2005 6:51 PM
> To: 'Brian Rosen'; 'Mark Teicher'; voipsec at voipsa.org
> Subject: RE: [VOIPSEC] Actual Attacks
>
> Hi Brian,
> Just a little comment on your question...
>
> Many of these attacks do involve the use of protocols other than SIP to
> perform, such as DNS poisoning, which is a real existing threat today due
> to complacency or resource issues (in terms of staff and time).
>
> The reason you won't hear much about any real exploits is that no one
> wants this to get out. Even in existing non-VoIP implementations, until
> regulatory stepped in (Sarbanes-Oxley, etc...) no one wanted this dirty
> laundry to go public...and I suspect even with regulations secrets will
> be kept as long as possible.
>
> You are correct though on the eavesdropping, this typically will be an
> insider attack (which as statistics show is about 70% of actual enterprise
> threat) or kiddies on wifi and cable modems as you noted.
>
> This is one of the reasons that I focus on the big picture when developing
> the preventive measures for an infrastructure. SIP is one piece, but it
> can easily be the facilitator that was missing in the past for true
> exploitation. This is however at the moment an unfounded comment...to
> date.
>
> Christopher A. Martin
> P.O. Box 1264
> Cedar Hill, Texas 75106
> Chris at InfraVAST.com
>
> > -----Original Message-----
> > From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> > Behalf Of Brian Rosen
> > Sent: Friday, February 25, 2005 4:32 PM
> > To: 'Mark Teicher'; voipsec at voipsa.org
> > Subject: RE: [VOIPSEC] Actual Attacks
> >
> > Are you aware of this actually happening, or is this all theoretic?
> >
> > I've never heard of actual incidents of any of this.
> >
> > The latter (eavesdropping) is actually the reverse; when we do testing,
> > we have to go through all kinds of grief to allow the sniffers to get at
> > the packets. Someone has to actually bring a hub (not a switch) so we
> > can sniff the packets. You can, of course, run Ethereal on some of the
> > actual devices. It's amazingly hard to sniff packets in a typical
> > switched architecture. When we implement CALEA (legal wiretap), it takes
> > a special box that we force all the traffic to go through so we can copy
> > the packets to the LEA.
> >
> > WiFi and your neighbor's cable modem excepted, of course.
> >
> > Brian
> >
> > > -----Original Message-----
> > > From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org]
> > > On Behalf Of Mark Teicher
> > > Sent: Friday, February 25, 2005 4:37 PM
> > > To: voipsec at voipsa.org
> > > Subject: RE: [VOIPSEC] Actual Attacks
> > >
> > > Actual Attacks
> > >
> > > SIP Proxy Impersonation
> > > SIP Proxy Hijacking
> > > Message Tampering - hard to devise a common exploit across VOIP
> > > platforms, but most likely possible
> > > Denial of Service - depends on the packet, usually just causes a phone
> > > to reset, or a port to shutter on the gateway, call server more
> > > vulnerable due to the underlying operating system
> > > Session Attack - hard to devise a common exploit applicable across all
> > > VOIP platforms, possible on some of the well known vendors
> > > Eavesdropping - more feasible than most, especially if some of the
> > > default features of the particular VOIP equipment are not configured
> > > properly.
> > >
> > > -----Original Message-----
> > > From: Robert Moskowitz <rgm at icsalabs.com>
> > > Sent: Feb 25, 2005 1:56 PM
> > > To: Brian Rosen <br at brianrosen.net>, 'Simon Horne' <security at isvo.net>,
> > > voipsec at voipsa.org
> > > Subject: RE: [VOIPSEC] Actual Attacks
> > >
> > > At 09:36 AM 2/24/2005, Brian Rosen wrote:
> > >
> > > >"Web of Trust" is a failed concept. It works, but we have not been
> > > >able to successfully deploy in a large scale.
> > >
> > > But it CAN work for groups of friends.
> > >
> > > >Certificate authority chains work only within an enterprise. We have
> > > >not really made them work well outside of that.
> > >
> > > Check out ACES.
> > >
> > > Check out the Federal PKI and work being done to duplicate it in
> > > commercial settings (drug industry for one). Note I am the author of
> > > the Bridge CA model in the federal PKI.
> > >
> > > Thing is you REALLY need a reason to get PKIs to work together. Mail
> > > was never one. But VoIP could be.
> > >
> > >
> > > Robert Moskowitz
> > > Senior Technical Director
> > > ICSA Labs, a division of Cybertrust, Inc.
> > > W: 248-968-9809
> > > F: 248-968-2824
> > > E: rgm at icsalabs.com
> > >
> > > There's no limit to what can be accomplished
> > > if it doesn't matter who gets the credit
> > >
> > >
> > >
> > > _______________________________________________
> > > Voipsec mailing list
> > > Voipsec at voipsa.org
> > > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org