Thursday, November 20, 2008

VoIP : Part II

A number of the security problems in SIP occur because the data is sent in the clear and is easy to view and modify. The server and the agent use a challenge-response system in which the password is hashed together with the realm and the nonce. The calculation for the response is

H1 = MD5(username:realm:password)
H2 = MD5(method:uri)
Response = MD5(H1:nonce:H2)

The username, realm and nonce are passed in the challenge and so the only unknown is the password. An attacker who has access to both the challenge and the response can compute the hashes offline using a brute-force or dictionary attack and obtain the password of the user. A further weakness is that an agent can impersonate any other user by changing the From field in an INVITE request.
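The following is an added example, not code from the original post or from Asterisk. It implements the three-step digest calculation shown above, a minimal parser for SIP requests and Digest headers, and a server-side check. The constructed INVITE lets the From header and the Authorization credentials be chosen independently, which shows why the impersonation described above works: H2 covers only the method and the URI, so the From field is outside the digest and the server has to bind it to the authenticated username itself. The realm, nonce, addresses and the credential table are constructed sample values.

```python
import hashlib
import hmac
import re

# Constructed sample values (not from any real deployment).
REALM = "asterisk"
NONCE = "5f3a9c1e2b7d"               # constructed; a real server issues a fresh random nonce per challenge
REQUEST_URI = "sip:1002@192.0.2.10"  # RFC 5737 documentation address
USERS = {"1001": "example-secret"}   # hypothetical credential store: username -> password


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce) -> str:
    """The calculation from the post: H1, H2, then Response (RFC 2617 digest without qop)."""
    h1 = md5_hex(f"{username}:{realm}:{password}")
    h2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{h2}")


def parse_digest_params(header: str) -> dict:
    """Turn 'Digest k="v", k2=v2' into a dict of parameter name -> value."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    found = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {k: (q if q else u) for k, q, u in found}


def parse_request(raw: str):
    """Minimal SIP request parser: returns (method, request_uri, headers)."""
    lines = raw.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:          # empty line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def build_invite(from_user: str, auth_user: str, password: str) -> str:
    """Constructed INVITE. The From user and the authenticating user are separate inputs."""
    resp = digest_response(auth_user, REALM, password, "INVITE", REQUEST_URI, NONCE)
    return "\r\n".join([
        f"INVITE {REQUEST_URI} SIP/2.0",
        f"From: <sip:{from_user}@192.0.2.10>;tag=a1b2",
        "To: <sip:1002@192.0.2.10>",
        "Call-ID: c0ffee@192.0.2.20",
        "CSeq: 2 INVITE",
        f'Authorization: Digest username="{auth_user}", realm="{REALM}", '
        f'nonce="{NONCE}", uri="{REQUEST_URI}", response="{resp}", algorithm=MD5',
        "", "",
    ])


def server_accepts(raw_request: str, bind_from: bool) -> bool:
    """Server-side verification. With bind_from=True the user part of the From URI
    must equal the authenticated username, which closes the From-spoofing hole."""
    method, uri, h = parse_request(raw_request)
    if "authorization" not in h:
        return False
    p = parse_digest_params(h["authorization"])
    password = USERS.get(p.get("username", ""))
    # The digest URI must match the Request-URI; the nonce must be one we issued
    # (here: the single constructed nonce; a real server tracks freshness).
    if password is None or p.get("uri") != uri or p.get("nonce") != NONCE:
        return False
    expected = digest_response(p["username"], p.get("realm", ""), password, method, uri, p["nonce"])
    if not hmac.compare_digest(expected, p.get("response", "")):
        return False
    if bind_from:
        m = re.search(r"sip:([^@>]+)@", h.get("from", ""))
        return m is not None and m.group(1) == p["username"]
    return True


if __name__ == "__main__":
    honest = build_invite("1001", "1001", "example-secret")
    spoofed = build_invite("1005", "1001", "example-secret")   # valid credentials, forged From
    print("honest, no From binding:", server_accepts(honest, bind_from=False))
    print("spoofed, no From binding:", server_accepts(spoofed, bind_from=False))
    print("spoofed, From bound to username:", server_accepts(spoofed, bind_from=True))
```

Without the From binding the forged INVITE authenticates exactly like the honest one, because nothing in H1, H2 or Response depends on the From header; only the extra identity check rejects it.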

Denial of Service Attacks

Denial of Service (DoS) is a class of attacks where a particular agent is made unavailable to any other agent on the network. These attacks are possible because the agents do not verify the identity of the sender of messages; they rely on IP addresses, which can be spoofed. Sending a CANCEL request to an agent who has received an INVITE packet cancels the phone call, even if it is sent by an attacker on the network. Sending a BYE packet to the server while impersonating an agent can also prevent that agent from receiving any calls.
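As an added example (not part of the original post), the following detector tracks SIP dialogs by Call-ID from a constructed sequence of observed messages and flags a CANCEL that does not come from the address that sent the INVITE, a BYE that does not come from a party of the dialog, and teardown requests for dialogs that were never set up. The message list, addresses and Call-IDs are constructed. The check rests on the source IP, so it only catches an attacker whose real address differs from the parties'; once the source address itself is spoofed the detector is blind, which is why the post's conclusion about TLS stands.

```python
from dataclasses import dataclass, field


@dataclass
class Msg:
    """One observed SIP message. A request has a method; a response has a status."""
    src: str            # source IP as seen on the wire (spoofable without TLS)
    call_id: str
    method: str = ""    # INVITE, ACK, CANCEL, BYE ... (empty for responses)
    status: int = 0     # 180, 200 ... (zero for requests)


@dataclass
class Dialog:
    caller: str                      # address that sent the INVITE
    parties: set = field(default_factory=set)
    state: str = "early"             # early -> confirmed -> terminated


def audit(messages):
    """Return a list of alert strings for teardown requests that do not fit the dialog."""
    dialogs = {}
    alerts = []
    for m in messages:
        d = dialogs.get(m.call_id)
        if m.method == "INVITE":
            if d is None:
                dialogs[m.call_id] = Dialog(caller=m.src, parties={m.src})
            continue
        if d is None:
            alerts.append(f"{m.method or m.status} for unknown Call-ID {m.call_id} from {m.src}")
            continue
        if not m.method:                          # response
            if m.status == 200 and d.state == "early":
                d.parties.add(m.src)              # callee answered: it becomes a dialog party
                d.state = "confirmed"
            continue
        if m.method == "CANCEL":
            # Only the INVITE originator may cancel its own pending INVITE.
            if m.src != d.caller:
                alerts.append(f"CANCEL for {m.call_id} from non-caller {m.src}")
            elif d.state == "early":
                d.state = "terminated"
        elif m.method == "BYE":
            if m.src not in d.parties:
                alerts.append(f"BYE for {m.call_id} from non-party {m.src}")
            elif d.state == "terminated":
                alerts.append(f"BYE for already terminated {m.call_id} from {m.src}")
            else:
                d.state = "terminated"
    return alerts


# Constructed sample trace: 192.0.2.20 calls 192.0.2.30 twice; 198.51.100.9 is a third host.
SAMPLE = [
    Msg("192.0.2.20", "call-A", method="INVITE"),
    Msg("192.0.2.30", "call-A", status=180),
    Msg("192.0.2.30", "call-A", status=200),
    Msg("192.0.2.20", "call-A", method="ACK"),
    Msg("192.0.2.20", "call-B", method="INVITE"),
    Msg("198.51.100.9", "call-B", method="CANCEL"),   # third host cancels a ringing call
    Msg("198.51.100.9", "call-A", method="BYE"),      # third host hangs up a confirmed call
    Msg("192.0.2.30", "call-A", method="BYE"),        # legitimate hang-up by the callee
    Msg("203.0.113.7", "call-Z", method="BYE"),       # no such dialog
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print("ALERT:", line)
```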

A large number of the vulnerabilities in SIP and RTP would be mitigated if SSL/TLS were used along with SIP to prevent man-in-the-middle attacks.

Monday, November 10, 2008

VoIP : Part I

Over the last few days, we have been playing around with VoIP security using an Asterisk server and some soft-phones as agents. Primarily, we've been experimenting with the Session Initiation Protocol (SIP) and the Real-time Transport Protocol (RTP). SIP is the protocol that is increasingly being used for call management functions such as registering the agents and setting up and terminating calls.
The main kinds of SIP requests are a REGISTER request that is sent by the agents to the server to register themselves, an INVITE request to invite another agent to join a call, a CANCEL request to cancel an invitation, and a BYE message to terminate a call.

Anatomy of a Call

The agent sends an INVITE packet to the server with the address of the agent it wishes to call. The server then forwards this to the recipient, which replies with a ringing tone if it is free to accept a call. The server then returns this ringing tone and the address of the recipient to the caller. The caller can now directly contact the recipient to set up a channel for communication. If the caller and recipient are on the same network they can communicate directly. However, if they are on different networks, they may use a proxy for communication.

Eavesdropping a call

During the call set-up, the IP addresses and ports of both agents, along with parameters such as the protocol type and audio encoding to be used, are exchanged. The most common protocol for exchange of voice data is RTP. An attacker can mount a man-in-the-middle attack to view the packets that are being exchanged by both systems. As the RTP packets are unencrypted, the attacker can reassemble them and decode them with the codec specified to listen in on the audio. Both Wireshark and Cain and Abel are able to reconstruct wave files from the RTP packets that they intercept without too much difficulty, and the conversation is recorded!
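To make concrete what "unencrypted" means here, the following added example (not from the original post and not Wireshark's or Asterisk's code) parses the fixed RTP header of RFC 3550, maps the payload-type field to the static audio encodings of RFC 3551, and reorders a handful of constructed packets by sequence number. Every field, including the codec identifier and the raw codec payload, is readable by anyone on the path; the sample packets, SSRC and payload bytes are constructed. With SRTP the header would still parse exactly like this, but the payload bytes would be ciphertext and an authentication tag would follow them, which is what denies the on-path observer the audio.

```python
import struct

# Static audio payload types from RFC 3551 (what the SDP exchange announces).
STATIC_PAYLOAD_TYPES = {0: "PCMU", 3: "GSM", 8: "PCMA", 9: "G722", 18: "G729"}


def parse_rtp(data: bytes) -> dict:
    """Parse an RTP packet (RFC 3550 fixed header, CSRC list, header extension, padding)."""
    if len(data) < 12:
        raise ValueError("packet shorter than the 12-byte RTP header")
    b0, b1, seq, timestamp, ssrc = struct.unpack("!BBHII", data[:12])
    version = b0 >> 6
    if version != 2:
        raise ValueError(f"unsupported RTP version {version}")
    padding = bool(b0 & 0x20)
    extension = bool(b0 & 0x10)
    csrc_count = b0 & 0x0F
    marker = bool(b1 & 0x80)
    payload_type = b1 & 0x7F
    header_len = 12 + 4 * csrc_count
    if extension:
        # Extension header: 16-bit profile id, then 16-bit length in 32-bit words.
        ext_words = struct.unpack("!H", data[header_len + 2:header_len + 4])[0]
        header_len += 4 + 4 * ext_words
    payload = data[header_len:]
    if padding and payload:
        payload = payload[:-payload[-1]]   # last byte says how many padding bytes to drop
    return {
        "marker": marker,
        "payload_type": payload_type,
        "codec": STATIC_PAYLOAD_TYPES.get(payload_type, f"dynamic({payload_type})"),
        "seq": seq,
        "timestamp": timestamp,
        "ssrc": ssrc,
        "payload": payload,
    }


def build_rtp(seq: int, timestamp: int, payload: bytes, pt: int = 0,
              ssrc: int = 0xDEADBEEF, marker: bool = False) -> bytes:
    """Constructed RTP packet: V=2, no padding, no extension, no CSRCs."""
    b1 = (0x80 if marker else 0) | (pt & 0x7F)
    return struct.pack("!BBHII", 0x80, b1, seq, timestamp, ssrc) + payload


def reassemble(packets) -> bytes:
    """Concatenate payloads in sequence-number order (the step a sniffer performs before decoding).
    Sequence numbers are 16-bit and wrap; a real reassembler must handle that and lost packets."""
    parsed = sorted((parse_rtp(p) for p in packets), key=lambda p: p["seq"])
    return b"".join(p["payload"] for p in parsed)


# Constructed stream: three 20 ms PCMU frames (160 samples each) received out of order.
SAMPLE_STREAM = [
    build_rtp(seq=11, timestamp=320, payload=b"\xff" * 4),
    build_rtp(seq=10, timestamp=160, payload=b"\xfe" * 4, marker=True),
    build_rtp(seq=12, timestamp=480, payload=b"\xfd" * 4),
]

if __name__ == "__main__":
    for pkt in SAMPLE_STREAM:
        h = parse_rtp(pkt)
        print(f"seq={h['seq']} ts={h['timestamp']} codec={h['codec']} ssrc={h['ssrc']:#x} "
              f"payload={h['payload'].hex()}")
    print("reassembled:", reassemble(SAMPLE_STREAM).hex())
```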

Saturday, November 01, 2008

Young IT Professional of the Year Award

Two of our team members, Bhavesh and Mihir, have jointly won the Young IT Professional of the Year Award (YITPA) for the West Zone for their work on Helios. The award was given by the Computer Society of India, the largest body of computer professionals in the country.