Exploiting VoIP vulnerabilities to steal confidential data

June 9, 2008
Can you call someone using VoIP and steal their personal data without talking to them? Most people would have said “No” until they saw the Sipera VIPER Lab demonstration, which does exactly that. The demonstration, first shown at Black Hat 2007, shows how to remotely exploit a soft phone installed on a Windows laptop and view or steal the personal data stored on that laptop. This means IT security administrators, responsible for keeping tabs on confidential data for privacy and compliance, must pay attention to the risks inherent in VoIP.

Traditionally, threats from VoIP/unified communications (UC) do not make it to the top of the list of information security issues. Rather, such lists contain threats such as system probing, email attacks, default password attacks, and sniffing. However, the VoIP-to-data exploit puts VoIP/UC among top information security concerns.

The VoIP/UC threat
Like any complex computer system, VoIP/UC networks present unique security challenges. Despite many attempts to formulate best security practices for VoIP/UC solutions within an enterprise, such best practices are not always enforced or correctly followed. The reasons behind this may be budgets, time, misunderstandings, or even just apathy towards security. Whatever the reasons, leaving VoIP/UC networks unprotected makes them and the co-existing data networks vulnerable to numerous security threats.

To give a simple example, standard security best practices recommend separating the voice virtual local area network (VLAN) from the data VLAN to prevent traffic from one reaching the other. However, unified communications enable soft phones to be installed on the data VLAN and talk to hard VoIP phones on the voice VLAN. Completely blocking the traffic between the two VLANs will prevent this communication, so IT administrators may instead allow traffic between the two VLANs freely. Such a policy can enable legitimate communication between the two VLANs, but if not monitored, it also allows worms, viruses and other attacks to cross from one side to the other.

Not all enterprises deploy soft phones yet, but VoIP soft phones are becoming an integral part of many unified communications frameworks. One of the reasons is that they enable software-based migration of end user devices to VoIP. Additionally, soft phones enable users to be reachable wherever they take their laptops. Even if the enterprise does not expressly deploy VoIP soft phones, employees may use a freely available VoIP soft phone with several public VoIP service providers. It is not wise to ignore VoIP threats when investing resources to protect confidential data and assets residing on a data network. Equal importance must be given to protecting VoIP/UC devices to achieve comprehensive security across the enterprise.

Exploiting a VoIP soft phone
Let's look at a potential attack. One possible exploit uses an IETF SIP (Session Initiation Protocol)-based soft phone.

Step 1: Finding an exploitable vulnerability.
One of the most effective techniques to uncover implementation vulnerabilities in protocol parser implementations is to subject them to a “fuzzing” attack. According to Wikipedia:

“Fuzzing is a software testing technique that provides random data (“fuzz”) to the inputs of a program”.

A fuzzing attack is more effective on ASCII-based protocol implementations (e.g., SIP). Unlike binary protocols, the ASCII protocol message format is very flexible, making it difficult to build robust parser implementations. Several freely available tools can be used to launch such fuzzing attacks against the soft phones and discover vulnerabilities in them.

Figure 1 shows an example of a “fuzzed” SIP INVITE message with an oversized SIP “From” header value. Often, such oversized fields uncover buffer overflow vulnerabilities in the target software.


Figure 1: An example of a “fuzzed” SIP message with an oversized header value

Subsequently, these buffer overflow vulnerabilities can be exploited to execute arbitrary code on the victim's system. Typically, when subjected to such oversized messages, the vulnerable soft phones crash, which means that when you find the one fuzzed message that crashes the soft phone program, you have found the exploit case. Subsequently, this test case can be tweaked to inject an executable shell code into the soft phone.

Step 2: Exploiting the vulnerability to execute shell code.
Using the exploit case to execute arbitrary code on the machine where the vulnerable soft phone is installed involves carefully crafting the content of the bad input buffer. Such crafting is done by studying the OS memory addresses and then carefully inserting these addresses and the encoded “shell code” into the input buffer. This crafted byte sequence can then be inserted into the SIP INVITE message.

Step 3: Executing the shell code.
Figure 2 shows a finished SIP message ready to be sent to the vulnerable soft phone.


Figure 2: Finished SIP INVITE message with shell code

The address of a standard OS instruction is indicated by 4 underlined bytes. These 4 bytes will be used to trigger the execution of the shell code that follows.

Step 4: Mapping back to the enterprise network.
Some SIP soft phones require that they successfully register with a SIP server before they can start accepting calls, while others can operate in a peer-to-peer mode. In the former case, we can demonstrate the exploit using a well-known open-source IP PBX such as Asterisk (www.asterisk.org).

Figure 3 shows a diagram of the test network used for this VoIP-to-data exploit demonstration. Note that the laptop has anti-virus, anti-spyware, and firewall active.


Figure 3: Test network for data theft using VoIP exploit

Typically, enterprises using SIP for remote user connectivity configure their perimeter firewall to forward SIP traffic (port 5060) to the internal IP PBX. The firewall used in the test network forwards port 5060 to the internal IP PBX. Using this forwarding rule we can send the fuzzed messages to the vulnerable soft phone from the internet. The IP PBX treats this fuzzed message as a new call for the soft phone and forwards the call to the vulnerable soft phone. Once the soft phone gets this fuzzed message with the shell code embedded in it, the shell code is executed, resulting in the victim's laptop connecting back to the attacker's machine using port 80. The enterprise firewall will typically allow outgoing connections to port 80, thinking that it is standard web traffic.

Once the control connection is established back to the attacker's computer, the attacker can get access to all the data that is stored on the victim's laptop.

Furthermore, the attacker can also do the following damage to the victim's laptop:

  • Copy the confidential data to a remote computer
  • Delete the data
  • Deny access to the data
  • Change the system registry
  • Shutdown or reboot the laptop

Preventive measures
To truly secure enterprise data and VoIP/UC networks and protect against attacks, enterprises must adopt and enforce security best practices, including:

  • Prioritizing VoIP/UC threats as something that must be addressed
  • Keeping operating system and VoIP application patches up-to-date
  • Checking for poor or incorrect implementation of policies
  • Securing Wi-Fi access points
  • Using VLANs to keep voice and data traffic separate and police the bridges between the two VLANs
  • Deploying VoIP aware intrusion prevention systems (IPS) with signature and anomaly filtering along with behavior-learning techniques to prevent zero-day attacks
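
The anomaly filtering named in the last item can be illustrated with a small inspection routine for inbound SIP requests. This is an added example, not code from the original article or from any vendor product; the size limits, the ASCII-only policy and the sample messages are assumptions constructed for illustration.

```python
import re

# Assumed policy limits (not from the article); tune to your own endpoints.
MAX_HEADER_VALUE = 256   # bytes allowed in a single header value
MAX_HEADER_COUNT = 64    # header lines allowed in one request
PRINTABLE = re.compile(rb"[\x20-\x7e\t]*")  # assumed: ASCII-only header values

def inspect_sip_request(raw: bytes) -> list:
    """Return anomaly findings for one SIP request (empty list = pass)."""
    findings = []
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    if not re.fullmatch(rb"[A-Z]+ \S+ SIP/2\.0", lines[0]):
        findings.append("malformed request line")
    headers = []
    for line in lines[1:]:
        # Unfold continuation lines so a long value cannot hide across lines.
        if line[:1] in (b" ", b"\t") and headers:
            headers[-1] += b" " + line.strip()
        else:
            headers.append(line)
    if len(headers) > MAX_HEADER_COUNT:
        findings.append(f"too many headers ({len(headers)})")
    for h in headers:
        name, sep, value = h.partition(b":")
        label = name.decode("ascii", "replace").strip()[:32]
        value = value.strip()
        if not sep:
            findings.append(f"header without colon: {label!r}")
        elif len(value) > MAX_HEADER_VALUE:
            findings.append(f"oversized {label} value ({len(value)} bytes)")
        elif not PRINTABLE.fullmatch(value):
            findings.append(f"non-printable bytes in {label} value")
    return findings

# Constructed samples: a normal INVITE, and the same request with an
# oversized From value (the anomaly class the article's Figure 1 describes).
NORMAL = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
          b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
          b"From: \"Alice\" <sip:alice@example.com>;tag=1928301774\r\n"
          b"To: <sip:bob@example.com>\r\n"
          b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
          b"CSeq: 314159 INVITE\r\n"
          b"Content-Length: 0\r\n\r\n")
OVERSIZED = NORMAL.replace(b"\"Alice\"", b"\"" + b"A" * 3000 + b"\"")
```

A request that returns any finding would be dropped or logged before it reaches the IP PBX, so the soft phone's parser never sees the oversized field.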

Sitting at the edge of the enterprise network, usually within the DMZ, a dedicated, comprehensive VoIP security box can address many of these threat issues and ensure best practices are followed. Such a purpose-built appliance must solve firewall/NAT traversal, terminate encrypted traffic to the enterprise when the VoIP phone is external to the enterprise, and offer fine-grained policy enforcement to apply different security and call routing rules -- depending on whether the problem originates inside or outside of the enterprise. But, most importantly, any dedicated VoIP security solution should protect against signaling and media vulnerabilities through sophisticated VoIP-specific security methodologies.

When evaluating a VoIP security device, enterprises should research those that are aware of the complex nature of VoIP protocols, and can conduct detection, mitigation and prevention in real time. Further, such a device should also be able to understand user behavior, as this is the most effective method of analyzing and eliminating false positives/negatives, which can be extremely damaging to the VoIP service and user experience. Together, these practices proactively protect the VoIP service from attacks, misuse and service abuse that networks and end-users face.
