VoIP protocol insecurity |
 |
| 29 Jan 2006 | By Lisa Phifer |
|
|
Like many Internet protocols, SIP was designed with simplicity, not security, in mind. And, although H.323 was created to meet broader goals, security issues have plagued it as well. Some vulnerabilities are inherent in the protocols themselves; others have been introduced by the developers who turn these standards into products. The following are some examples:
- Plaintext SIP messages are trivial to modify or inject, particularly over broadcast media. Although SIP is not encrypted, it can be protected using IPsec, SSL/TLS or S/MIME. However, even then, some header fields like "To" and "Via" must remain visible so SIP requests can be routed correctly. Attackers can thus send spoofed INITIATE requests containing phony IP addresses. Or an attacker who captures SIP setup messages can use spoofed "BYE" requests to disrupt calls in progress.
- ASN.1 makes H.323 messages slightly harder to fabricate, but not much. To make matters worse, in January 2004, the UK National Infrastructure Security Coordination Center reported a slew of ASN.1 vulnerabilities in many H.323 implementations. According to US CERT VU#749342 (http://www.kb.cert.org/vuls/id/749342), "Sending an exceptional ASN.1 element to a vulnerable telephony component that cannot handle it may cause the application or system behavior to become unpredictable... The impacts associated with these vulnerabilities include denial-of-service and potential execution of arbitrary code." Many of the affected implementations have since been patched, but this illustrates the potential for widespread vulnerabilities in complex new code that is not thoroughly error-tested.
- Researchers also discovered dozens of denial-of-service (DoS) vulnerabilities in the INVITE message processing of many SIP implementations. According to CERT Advisory CA-2003-06 (http://www.cert.org/advisories/CA-2003-06.html), "Exploitation of these vulnerabilities may result in denial-of-service conditions, service interruptions, and in some cases may allow an attacker to gain unauthorized access to the affected device."
- Even when a single vendor's implementation is involved, impact may be significant due to the volume of VoIP endpoints. In April 2004, the Microsoft Windows H.323 implementation (http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx) reportedly contained a request-handling buffer overflow condition. This vulnerability can be exploited to run arbitrary code on unpatched Windows 98, ME, NT, 2000, XP and Server 2003 systems, and with early versions of NetMeeting.
These are just a few of the SIP and H.323 Common Vulnerabilities and Exposures (CVEs) found over the past few years. To be fair, many other Internet protocols are vulnerable to spoofing or buffer overflows. But given the high availability associated with the public switched telephone network, companies moving to VoIP may be more sensitive to these threats. Furthermore, as RFC 3261 acknowledges, "SIP is not an easy protocol to secure. Its use of intermediaries, its multi-faceted trust relationships, its expected usage between elements with no trust at all and its user-to-user operation make security far from trivial."
VOIP PROTOCOLS TECHNICAL GUIDE
 Introduction
Understanding VoIP protocols
VoIP protocol insecurity
How to use fuzzing to deter VoIP protocol attacks
Want to learn more about VoIP security? Check out our Learning Guide.
ABOUT THE AUTHOR:
|
Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications.
|
|
|
|
|
|
