Exploiting VoIP vulnerabilities to steal confidential data
Exploiting VoIP vulnerabilities to steal confidential data
Can you call someone using VoIP and steal their personal data without talking to them? Most people would have said “No” until they saw the Sipera VIPER Lab demonstration, which does exactly that. The demonstration, first shown at Black Hat 2007, shows how to remotely exploit a soft phone installed on a Windows laptop and view or steal the personal data stored on that laptop. This means IT security administrators, responsible for keeping taps on confidential data for privacy and compliance, must pay attention to the risks inherent in VoIP.

Traditionally, threats from VoIP/unified communications (UC) do not make it to the top of the list of information security issues. Rather, such lists contain threats such as system probing, email attacks, default password attacks, and sniffing. However, the VoIP-to-data exploit puts VoIP/UC among top information security concerns.

The VoIP/UC threat
Like any complex computer system, VoIP/UC networks have present unique security challenges. Despite many attempts to formulate best security practices for VoIP/UC solutions within an enterprise, such best practices are not always enforced or correctly followed. The reasons behind this may be budgets, time, misunderstandings, or even just apathy towards security. Whatever the reasons, leaving VoIP/UC networks unprotected makes it and the co-existing data networks vulnerable to numerous security threats.

To give a simple example, standard security best practices recommend the separation of the voice virtual local area network (VLAN) from the data VLAN to prevent traffic from one to reach another. However, unified communications enable soft phones to be installed on the data VLAN and talk to hard VoIP phones on the voice VLAN. Completely blocking the traffic between the two VLANs will prevent this communication, though IT administrators may allow traffic between the two VLANs freely. Such a policy can enable legitimate communication between the two VLANs, but if not monitored, it also allows worms, viruses and other attacks to cross over to the other side and vice-versa.

All enterprises do not yet deploy soft phones, but VoIP soft phones are becoming an integral part of many unified communications frameworks. One of the reasons is that they enable software-based migration of end user devices to VoIP. Additionally, soft phones also enable users to be reachable wherever they take their laptops. Even if the enterprise does not expressly deploy VoIP soft phones, employees may use a freely available VoIP soft phone with several public VoIP service providers. It is not wise to ignore VoIP threats when investing resources to protect confidential data and assets residing on a data network. Equal importance must be given to protecting VoIP/UC devices to achieve comprehensive security across the enterprise.

Exploiting a VoIP soft phone
Let's look at a potential attack. One possible exploit uses an IETF SIP (Session Initiation Protocol)-based soft phone.

Step 1: Finding an exploitable vulnerability.One of the most effective techniques to uncover implementation vulnerabilities in protocol parser implementations is to subject them to a “fuzzing” attack. According to Wikipedia:

“Fuzzing is a software testing technique that provides random data (“fuzz”) to the inputs of a program”.

A fuzzing attack is more effective on ASCII based protocol implementations (e.g., SIP), Unlike binary protocols, the ASCII protocol message format is very flexible, making it difficult to build robust parser implementations. Several freely available tools can be used to launch such fuzzing attacks against the soft phones and discover vulnerabilities in them.

Figure 1 shows an example of a “fuzzed” SIP INVITE message with an oversized SIP “From” header value. Often, such oversized fields uncover buffer overflow vulnerabilities in the target software.

Figure 1: An example of “fuzzed” SIP message with oversized header value

Subsequently, these buffer overflow vulnerabilities can be exploited to execute arbitrary code on the victim's system. Typically, when subjected to such oversized messages, the vulnerable soft phones crash, which means that when you find the one fuzzed message that crashes the soft phone program, you have found the exploit case. Subsequently, this test case can be tweaked to inject an executable shell code into the soft phone.

Step 2: Exploiting the vulnerability to execute shell code.Using the exploit case to execute arbitrary code on the machine where the vulnerable soft phone is installed involves carefully crafting the content of the bad input buffer. Such crafting is done by studying the OS memory addresses and then carefully inserting these addresses and the encoded “shell code” into the input buffer. This crafted byte sequence can then be inserted into the SIP INVITE message.

Step 3: Executing the shell code.Figure 2 shows a finished SIP message ready to be sent to the vulnerable soft phone.

Figure 2: Finished SIP INVITE message with shell code

The address of a standard OS instruction is indicated by 4 underlined bytes. These 4 bytes will be used to trigger the execution of shell code that follows.

Step 4: Mapping back to the enterprise network.Some SIP soft phones require that they successfully register with a SIP server before they can start accepting calls, while others can operate in a peer-to-peer mode. In the former case, we can demonstrate the exploit using a well-known open-source IP PBX such as Asterisk (www.asterisk.org).

Figure 3 shows a diagram of the test network used for this VoIP-to-data exploit demonstration. Note that the laptop has anti-virus, anti-spyware, and firewall active.

Figure 3: Test network for data theft using VoIP exploit

Typically, enterprises using SIP for remote user connectivity configure their perimeter firewall to forward SIP traffic (port 5060) to the internal IP PBX. The firewall used in the test network forwards port 5060 to the internal IP PBX. Using this forwarding rule we can send the fuzzed messages to the vulnerable soft phone from the internet. The IP-PBX treats this fuzzed message as a new call for the soft phone and forwards the call to the vulnerable soft phone. Once the soft phone gets this fuzzed message with the shell code embedded in it, the shell code is executed, resulting in the victim's laptop connecting back to the attacker's machine using port 80. The enterprise firewall will typically allow outgoing connections to port 80, thinking that it is standard web traffic.

Once the control connection is established back to attacker's computer, the attacker can get access to all the data that is stored on the victim's laptop.

Furthermore, the attacker can also do following damage to victim's laptop:

  • Copy the confidential data to a remote computer
  • Delete the data
  • Deny access to the data
  • Change the system registry
  • Shutdown or reboot the laptop

Preventive measures
To truly secure enterprise data and VoIP/UC networks and protect against attacks, enterprises must adopt and enforce security best practices, including:

  • Prioritizing VoIP/UC threats as something that must be addressed
  • Keeping operating system and VoIP application patches up-to-date
  • Checking for poor or incorrect implementation of policies
  • Securing Wi-Fi access points
  • Using VLANs to keep voice and data traffic separate and police the bridges between the two VLANs
  • Deploying VoIP aware intrusion prevention systems (IPS) with signature and anomaly filtering along with behavior-learning techniques to prevent zero-day attacks

Sitting at the edge of the enterprise network, usually within the DMZ, a dedicated, comprehensive VoIP security box can address many of these threat issues and ensure best practices are followed. Such a purpose-build appliance must solve firewall/NAT traversal, terminate encrypted traffic to the enterprise when the VoIP phone is external to the enterprise, and offer fine-grained policy enforcement to apply different security and call routing rules -- depending on whether the problem originates inside or outside of the enterprise. But, most importantly, any dedicated VoIP security solution should protect against signaling and media vulnerabilities through sophisticated VoIP-specific security methodologies.

When evaluating a VoIP security device, enterprises should research those that are aware of the complex nature of VoIP protocols, and can conduct detection, mitigation and prevention in real time. Further, such a device should also be able to understand user behavior, as this is the most effective method of analyzing and eliminating false positives/negatives, which can extremely damaging to the VoIP service and user experience. Together, these practices proactively protect the VoIP service from attacks, misuse and service abuse that networks and end-users face.