VoIP : Part I
Over the last few days, we have been playing around with VoIP security using an Asterisk server and some soft-phones as agents. Primarily, we've been experimenting with the Session Initiation Protocol (SIP) and the Real-time Transport Protocol (RTP). SIP is the protocol that is increasingly being used for call management functions such as registering the agents and setting up and terminating calls.
The main kinds of SIP requests are a REGISTER request that is sent by the agents to the server to register themselves, an INVITE request to invite another agent to join a call, a CANCEL request to cancel an invitation, and a BYE message to terminate a call.
Anatomy of a Call
The agent sends an INVITE packet to the server with the address of the agent it wishes to call. The server then forwards this to the recipient, which replies with a ringing tone if it is free to accept a call. The server then returns this ringing tone and the address of the recipient to the caller. The caller can now directly contact the recipient to set up a channel for communication. If the caller and recipient lie on the same network, they can communicate directly. However, if they lie on different networks, they may use a proxy for communication.
Eavesdropping a call
During the call setup, the IP addresses and ports of both agents are exchanged, along with recording parameters such as the protocol type and audio encoding to be used. The most common protocol for exchange of voice data is RTP. An attacker can mount a man-in-the-middle attack to view the packets that are being exchanged by both systems. As the RTP packets are unencrypted, they can be combined by the attacker using the codec specified to listen in on the audio. Both Wireshark and Cain and Abel are able to reconstruct wave files from the RTP packets that they intercept without too much difficulty, and the conversation is recorded!
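The setup exchange described above is also where a defender can check whether a call's media will travel as plain RTP. The Python sketch below is an added example, not code from the original post: it parses the SDP body that a SIP INVITE carries and reports each offered stream's address, port, codecs and whether its transport profile is an SRTP one. The INVITE, addresses and names in it are constructed sample values.

```python
# Constructed SIP INVITE with an SDP body (sample data, not a capture from the post).
SAMPLE_INVITE = (
    "INVITE sip:bob@pbx.example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@pbx.example.test>;tag=1928301774\r\n"
    "To: <sip:bob@pbx.example.test>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "a=rtpmap:8 PCMA/8000\r\n"
)

# Transport profiles in the SDP m= line that mean the media is SRTP-protected.
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def audit_sdp(sip_message):
    """Return one finding per media stream offered in the message's SDP body."""
    _, _, body = sip_message.partition("\r\n\r\n")  # headers end at the blank line
    session_addr, current, findings = None, None, []
    for line in body.splitlines():
        kind, _, value = line.partition("=")
        if kind == "c":  # connection address: session-wide, or per stream after m=
            addr = value.split()[-1]
            if current is None:
                session_addr = addr
            else:
                current["addr"] = addr
        elif kind == "m":  # m=<media> <port> <profile> <payload types...>
            media, port, proto, *fmts = value.split()
            current = {"media": media, "addr": session_addr,
                       "port": int(port.split("/")[0]), "proto": proto,
                       "codecs": dict.fromkeys(fmts),
                       "encrypted": proto in SECURE_PROFILES}
            findings.append(current)
        elif kind == "a" and current and value.startswith("rtpmap:"):
            pt, encoding = value[len("rtpmap:"):].split(None, 1)
            current["codecs"][pt] = encoding  # payload type -> codec/clock rate
    return findings

for f in audit_sdp(SAMPLE_INVITE):
    status = "SRTP" if f["encrypted"] else "PLAINTEXT RTP"
    print(f"{f['media']} {f['addr']}:{f['port']} {f['proto']} {f['codecs']} -> {status}")
```

A stream reported as plaintext RTP is one whose audio anyone on the path can reassemble; the usual remedy is to require SRTP for media and TLS for the SIP signalling on the server and phones.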