2. About me
Luca Pradovera
Voice Application Developer
Mojo Lingo LLC, Atlanta, GA
Securing telephony - AdhearsionConf 2013 - December 4 and 5, Atlanta, GA
9. Attacking SIP
(TRY THIS AT SOMEONE ELSE’S HOME.)
10. SIP digest auth is weak.
MD5-1 = MD5(Username:Realm:Password)
MD5-2 = MD5(Method:URI)
Response MD5 Value = MD5(MD5-1:Nonce:MD5-2)
The only unknown term is the password = an offline attack is possible!
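The three MD5 steps above carried through in Python, as an added example that is not from the deck; the user name, realm, nonce and password are constructed sample values, and the check function is the one a registrar runs, which is the same computation anyone holding a capture can run.

```python
import hashlib

def md5_hex(text: str) -> str:
    """MD5 of a UTF-8 string as lowercase hex, the form SIP Digest puts on the wire."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 Digest response without qop: exactly the three MD5 steps on the slide.
    (With qop=auth the nonce count and cnonce also enter the final hash.)"""
    md5_1 = md5_hex(f"{username}:{realm}:{password}")  # MD5-1 = MD5(Username:Realm:Password)
    md5_2 = md5_hex(f"{method}:{uri}")                 # MD5-2 = MD5(Method:URI)
    return md5_hex(f"{md5_1}:{nonce}:{md5_2}")         # Response = MD5(MD5-1:Nonce:MD5-2)

def registrar_check(exchange, observed_response, password_on_file):
    """The check a registrar performs on an incoming REGISTER. Every input except
    the password travels in clear in the 401/REGISTER exchange, so whoever captured
    it can run this same function against guesses with no lockout: the offline attack.
    Carrying SIP over TLS (SIPS) keeps the exchange out of a sniffer's reach."""
    expected = digest_response(exchange["username"], exchange["realm"], password_on_file,
                               exchange["method"], exchange["uri"], exchange["nonce"])
    return expected == observed_response

# Constructed sample of what a sniffer sees on an unprotected REGISTER (not a real capture).
SAMPLE_EXCHANGE = {
    "username": "1001", "realm": "sip.example.com",
    "method": "REGISTER", "uri": "sip:sip.example.com",
    "nonce": "4f2d1c0e9b8a7f6e",
}

if __name__ == "__main__":
    resp = digest_response("1001", "sip.example.com", "s3cret", "REGISTER",
                           "sip:sip.example.com", "4f2d1c0e9b8a7f6e")
    print("response on the wire:     ", resp)
    print("correct password accepted:", registrar_check(SAMPLE_EXCHANGE, resp, "s3cret"))
    print("wrong password rejected:  ", not registrar_check(SAMPLE_EXCHANGE, resp, "guess"))
```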
11. SIP is vulnerable
Forging Contact: to hijack a session
Easy man-in-the-middle attacks
DoS via Expires: 0
Denial of service via REGISTER
Denial of service via BYE
Identity theft
12. SIPS (SIP Secure)
How do we solve this?
Very similar to HTTPS - requires client support
15. RTP Basics
UDP protocol
Ports 1024 to 65535
16. Let me hear you say…
Packet sniffing enables easy eavesdropping
A switched network requires an ARP cache poisoning attack, but not much more
CREEPY DEMO TIME!
17. What if I want to be REALLY bad?
The timestamp usually starts with 0 and increments by the length of the codec content (e.g. 160ms); the sequence starts with 0 and increments by 1, and the SSRC is usually a static value for the session and a function of time.
= They are PREDICTABLE!
18. How can we have fun?
19. Audio injection
By predicting timestamp, sequence and SSRC, we can play whatever frame we want.
“Did you just say something?”
20. Audio replacement
Using higher sequence numbers and timestamps, we make the original audio packets obsolete.
Just replace “buy” with “sell” and watch Bitcoin crash!
21. What if I am just grumpy?
DoS via packet flooding (keep repeating a packet)
DoS via RTCP BYE (session teardown)
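An added example, not from the talk, covering slides 17 to 21 from the receiving side: it parses the RTP header fields the slides call predictable and classifies each packet the way a receiver orders them, so a packet that jumps ahead (injection or replacement), the genuine packet that is now behind it, and the repeats of a flood each get their own verdict. The SSRC, payload and the 160-sample step per 20 ms G.711 frame are constructed assumptions.

```python
import struct

RTP_HEADER = struct.Struct("!BBHII")   # V/P/X/CC, M/PT, sequence, timestamp, SSRC
SAMPLES_PER_PACKET = 160               # 20 ms of 8 kHz G.711, the usual timestamp step

def build_rtp(seq, ts, ssrc, payload=b"\xff" * 160, pt=0):
    """Minimal RTP v2 packet with no CSRC list; used only to construct sample traffic."""
    return RTP_HEADER.pack(0x80, pt & 0x7F, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc & 0xFFFFFFFF) + payload

def parse_rtp(packet):
    """Return the header fields that the slides describe as predictable."""
    b0, b1, seq, ts, ssrc = RTP_HEADER.unpack_from(packet)
    if b0 >> 6 != 2:
        raise ValueError("not an RTP version 2 packet")
    return {"marker": bool(b1 & 0x80), "pt": b1 & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc}

class RtpStreamMonitor:
    """Classify each packet of an SSRC against the last one accepted, using the receiver's
    own rule (higher sequence wins): that rule is why a jump ahead makes genuine packets
    look 'late', and why a packet seen twice is a flood or replay rather than speech."""
    def __init__(self, step=SAMPLES_PER_PACKET, max_jump=50):
        self.last = {}                 # ssrc -> (seq, ts) of the last accepted packet
        self.step, self.max_jump = step, max_jump

    def check(self, packet):
        h = parse_rtp(packet)
        prev = self.last.get(h["ssrc"])
        if prev is None:
            self.last[h["ssrc"]] = (h["seq"], h["ts"])
            return "first"
        dseq = (h["seq"] - prev[0]) & 0xFFFF          # modulo-16-bit sequence delta
        dts = (h["ts"] - prev[1]) & 0xFFFFFFFF        # modulo-32-bit timestamp delta
        if dseq == 0:
            return "duplicate"         # same packet again: flooding or replay
        if dseq >= 0x8000:
            return "late"              # behind the stream: already superseded
        verdict = "ok"
        if dseq > self.max_jump or dts != dseq * self.step:
            # Far ahead, or timestamp inconsistent with the sequence delta. Silence
            # suppression (marker bit set) is a legitimate cause, so investigate, not block.
            verdict = "jump"
        self.last[h["ssrc"]] = (h["seq"], h["ts"])
        return verdict

# Constructed stream: three genuine 20 ms frames, one packet that jumps far ahead, the
# genuine fourth frame (now behind), the jumped packet repeated, then a consistent successor.
SAMPLE_STREAM = [build_rtp(s, t, 0x1234ABCD) for s, t in
                 [(0, 0), (1, 160), (2, 320), (1000, 160000), (3, 480), (1000, 160000), (1001, 160160)]]

if __name__ == "__main__":
    monitor = RtpStreamMonitor()
    for pkt in SAMPLE_STREAM:
        fields = parse_rtp(pkt)
        print(f"seq={fields['seq']:5d} ts={fields['ts']:7d} -> {monitor.check(pkt)}")
```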
22. By the way, the NSA knows about this.
(AND IN CASE THEY WERE MISSING ANYTHING, IT IS IN MY DROPBOX ANYWAY)
23. SRTP
(Secure RTP)
• Uses AES in counter mode (AES-CTR) with 128 or 256 bit keys
• Generates a cipher stream that is XORed in real time with the plaintext media
• Headers are authenticated, payload is encrypted
• Uses symmetric keys and ciphers that need to be negotiated somehow
24. Still need those keys…
(NEGOTIATION)
25. MIKEY and SDES
MIKEY was never actually adopted because it requires additional SIP capabilities.
SDES (SDP Security Descriptions):
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:d0RmdmcmVCspeEc3QGZiNWpVLFJhQX1cfHAwJSoj|2^20|1:32
SDES requires full TLS protection and still exposes keying to SIP servers.
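The a=crypto line above decoded in Python, as an added example that is not part of the deck: the base64 blob is the 128-bit master key followed by the 112-bit master salt in the clear, which is exactly why every SIP server that sees the SDP also holds the SRTP keys. The suite table covers only the three RFC 4568 suites; other suites are assumed out of scope.

```python
import base64

# Master key and master salt lengths in bytes for the SRTP crypto suites of RFC 4568.
SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
    "F8_128_HMAC_SHA1_80": (16, 14),
}

def parse_crypto_attribute(line):
    """Parse 'a=crypto:<tag> <suite> inline:<key||salt>[|<lifetime>][|<mki>:<len>]'."""
    if not line.startswith("a=crypto:"):
        raise ValueError("not an a=crypto attribute")
    fields = line[len("a=crypto:"):].split()
    if len(fields) < 3:
        raise ValueError("need tag, crypto-suite and key-params")
    tag, suite, key_params = fields[0], fields[1], fields[2]
    if suite not in SUITES:
        raise ValueError(f"unknown crypto-suite {suite}")
    if not key_params.startswith("inline:"):
        raise ValueError("only the inline: key method is defined by RFC 4568")
    parts = key_params[len("inline:"):].split("|")
    key_len, salt_len = SUITES[suite]
    blob = base64.b64decode(parts[0] + "=" * (-len(parts[0]) % 4))   # tolerate missing padding
    if len(blob) != key_len + salt_len:
        raise ValueError(f"expected {key_len + salt_len} bytes of key||salt, got {len(blob)}")
    result = {"tag": int(tag), "suite": suite, "master_key": blob[:key_len],
              "master_salt": blob[key_len:], "lifetime": None, "mki": None}
    for opt in parts[1:]:
        if ":" in opt:                         # MKI value and MKI field length
            mki_value, mki_len = opt.split(":")
            result["mki"] = (int(mki_value), int(mki_len))
        elif opt.startswith("2^"):             # lifetime given as a power of two
            result["lifetime"] = 2 ** int(opt[2:])
        else:                                  # lifetime given as a plain integer
            result["lifetime"] = int(opt)
    return result

# The crypto line from the slide (the RFC 4568 example), exactly as a SIP proxy sees it.
SDP_LINE = "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:d0RmdmcmVCspeEc3QGZiNWpVLFJhQX1cfHAwJSoj|2^20|1:32"

if __name__ == "__main__":
    keys = parse_crypto_attribute(SDP_LINE)
    print("master key :", keys["master_key"].hex())    # readable by anyone on the signaling path
    print("master salt:", keys["master_salt"].hex())
    print("lifetime   :", keys["lifetime"], "mki:", keys["mki"])
```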
26. Keying in the media path: DTLS-SRTP
• DTLS exchange over the media port
• Uses secrets from the DTLS handshake as keying information
• Requires PKI (Public Key Infrastructure)
• Used by WebRTC
27. ZRTP
(Z is cooler than S.)
28. What it does
1. Discovery phase, to find out if the peers support ZRTP
2. Key agreement phase, to exchange the keying data
3. Secure phase, confirming the cryptographic exchange worked and switching to SRTP
29. How it works
• Exchange happens in the media path
• Diffie-Hellman key exchange
• SAS (Short Authentication String) produced so it can be compared by humans
30. Hellman, the mayonnaise guy?
31. Why is the SAS important?
• The Short Authentication String is computed with a hash of the keys negotiated during the DH exchange
• It is usually a 4 digit number
• It guarantees the absence of a man-in-the-middle
• It is retained and reused for subsequent communications
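The DH exchange and SAS of slides 29 and 31 as an added toy example that is not from the deck: an honest exchange leaves both sides with the same secret and the same 4-digit SAS, while a man-in-the-middle who runs a separate DH with each side leaves them holding different secrets, which the SAS they read to each other then reveals. The modulus p=23, generator 5 and all private exponents are textbook constructed values with no security; real ZRTP uses large MODP or elliptic-curve groups.

```python
import hashlib

# Toy Diffie-Hellman group for illustration only (assumption): offers no security at all.
P, G = 23, 5

def dh_public(private):
    """g^x mod p, the value each peer sends in the media path."""
    return pow(G, private, P)

def dh_shared(peer_public, private):
    """(g^y)^x mod p, the secret each peer computes from what it received."""
    return pow(peer_public, private, P)

def sas_from_secret(shared_secret, digits=4):
    """Short Authentication String: a hash of the negotiated secret, truncated to a few digits
    so two humans can compare it by voice (the slide: usually a 4 digit number)."""
    h = hashlib.sha256(shared_secret.to_bytes(4, "big")).digest()
    return str(int.from_bytes(h[:4], "big") % 10 ** digits).zfill(digits)

def honest_call(a_priv, b_priv):
    """Alice and Bob exchange publics directly: same secret, same SAS on both phones."""
    sa = dh_shared(dh_public(b_priv), a_priv)
    sb = dh_shared(dh_public(a_priv), b_priv)
    return (sa, sas_from_secret(sa)), (sb, sas_from_secret(sb))

def mitm_call(a_priv, b_priv, m_priv):
    """Mallory in the media path runs one DH with each side. She can decrypt and re-encrypt
    the audio, but Alice and Bob now hold different secrets, so the SAS each phone shows
    will (with overwhelming probability) differ, and the spoken comparison exposes her."""
    m_pub = dh_public(m_priv)
    sa = dh_shared(m_pub, a_priv)   # Alice's secret is shared with Mallory, not Bob
    sb = dh_shared(m_pub, b_priv)   # Bob's secret is shared with Mallory, not Alice
    return (sa, sas_from_secret(sa)), (sb, sas_from_secret(sb))

if __name__ == "__main__":
    # Constructed private exponents: Alice 6, Bob 15, Mallory 3.
    (sa, alice_sas), (sb, bob_sas) = honest_call(6, 15)
    print(f"honest: secrets {sa}/{sb}, Alice reads {alice_sas}, Bob reads {bob_sas}")
    (sa, alice_sas), (sb, bob_sas) = mitm_call(6, 15, 3)
    print(f"MITM:   secrets {sa}/{sb}, Alice reads {alice_sas}, Bob reads {bob_sas}")
```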
32. Benefits
• Does not require any signaling security
• It is, in fact, signaling and server agnostic (SIP, H.323, Jingle, WebRTC)
• Protected against man-in-the-middle attacks
• Best-effort encryption with feedback (the user agent knows if the line is secure or not)
• It has a Z in the acronym.
34. Final caveats
• You are never truly secure
• Ensure you never drop out of the IP network
• Endpoints are easy targets
35. Bibliography
• Hacking VoIP: Protocols, Attacks and Countermeasures (http://goo.gl/33EtU7)
• SIP: Understanding the Session Initiation Protocol (http://goo.gl/sFSsSi)
• Applied Cryptography: Protocols, Algorithms, and Source Code in C (http://goo.gl/U4QOJj)
• Countless RFCs and extensions