SPEERMINT Working Group S. Niccolini
Internet-Draft NEC
Intended status: Informational August 29, 2006
Expires: March 2, 2007
VoIP Security Threats
draft-niccolini-speermint-voipthreats-00
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
This document may not be modified, and derivative works of it may not
be created, except to publish it as an RFC and to translate it into
languages other than English.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on March 2, 2007.
Copyright Notice
Copyright (C) The Internet Society (2006).
Niccolini Expires March 2, 2007 [Page 1]
Internet-Draft VoIP Threats August 2006
Abstract
This memo presents the different security threats related to VoIP.
First of all a taxonomy for the different types of security threats
is defined. Afterwards the different instances of the threats are
briefly analyzed following such taxonomy. Finally the existing
security solutions in SIP and RTP/RTCP are presented to describe the
countermeasures currently available for such threats. The objective
of this document is to identify and enumerate the VoIP threat vectors
in order to specify security-related requirements specific to
peering. Once the requirements are identified, methods and solutions
for meeting them can be selected.
Table of Contents
1. Introduction
2. Taxonomy of VoIP Security Threats
2.1. Interception and Modification Threats
2.2. Interruption of Service Threats
2.3. Abuse of Service Threats
2.4. Social Threats
3. Overview of VoIP Security Solutions
4. Conclusions
5. Security Considerations
6. Acknowledgements
7. Informative References
Author's Address
Intellectual Property and Copyright Statements
1. Introduction
With VoIP, the need for security is compounded because there is the
need to protect both the control plane and the data plane. In a
legacy telephone system, security is a more valid assumption.
Intercepting conversations requires either physical access to
telephone lines or compromising the Public Switched Telephone
Network (PSTN) nodes or the office Private Branch eXchanges (PBXs).
Only particularly security-sensitive organizations bother to encrypt
voice traffic over traditional telephone lines. In contrast, the
risk of sending unencrypted data across the Internet is more
significant (e.g. DTMF tones corresponding to the credit card
number). An additional security threat to Internet Telephony comes
from the fact that the signaling is sent using the same network as
the multimedia data; traditional telephone systems have the signaling
network separated from the data network. This is an increased
security threat since a hacker could attack the signaling network and
its servers with increased damage potential (call hijacking, call
drop, DoS attacks, etc.). There is therefore a need to
investigate the different security threats and to highlight the
solutions that avoid them.
2. Taxonomy of VoIP Security Threats
A taxonomy of VoIP security threats has been defined in [1]. That
taxonomy is very complete and also takes into account threats
not caused by VoIP-specific technical reasons (e.g. loss of power).
This section presents a similar taxonomy that reuses as much as
possible from the referenced document but does not classify threats
that cannot be traced back to technical reasons.
The VoIP security threats can be divided into four main areas:
o Interception and Modification Threats;
o Interruption of Service Threats;
o Abuse of Service Threats;
o Social Threats.
2.1. Interception and Modification Threats
The interception threat results from the attacker's ability to
intercept the signaling and/or the data. With interception alone,
the attacker is able to use the intercepted data for malicious
purposes. Examples are:
o call pattern tracking - the attacker tracks the call patterns of
the users;
o number harvesting - the attacker harvests numbers and/or user
identities for calling such numbers/identities or for using
spoofed identities;
o conversation reconstruction - the attacker reconstructs the
conversation and/or additional data delivered with it (e.g.
numbers transmitted with DTMF tones).
The modification threat supposes that the attacker is able to modify
the content of the intercepted packets, acting as a man in the
middle. In principle this threat affects both the signaling and the
data, depending on the attacker's ability to intercept both.
With interception and modification, the attacker is able to modify
the packets for malicious purposes. Examples are:
o call black holing - the attacker intentionally drops essential
packets (e.g. INVITE) of the VoIP protocol, causing the call
initiation to fail;
o call rerouting - the attacker redirects the packets on a different
path in order to include unauthorized nodes in the path or to
exclude authorized ones from it;
o conversation alteration - the attacker alters the packets in order
to modify the conversation between two users;
o conversation degrading - the attacker intentionally drops a
selection of packets or modifies their content with the
objective of degrading the overall quality of the conversation.
2.2. Interruption of Service Threats
Interruption of service attacks are mainly aimed at
compromising the availability of the service or deteriorating the
quality level of such resources. Interruption of service attacks can
be specific either to the SIP protocol or to the RTP/RTCP protocol.
General interruption of service attacks not using VoIP-specific
protocols are out of the scope of this document. Examples of
interruption of service attacks exploiting SIP-specific
vulnerabilities are:
o SIP malformed requests and messages - the attacker tries to cause
a crash or a reboot of the proxy/endpoint by sending SIP malformed
requests and messages;
o SIP requests and messages flooding - the attacker tries to exhaust
the resources of the proxy/endpoint by sending many SIP requests
and messages;
o call hijacking - the attacker uses SIP messages (e.g. 301 Moved
Temporarily) in order to hijack an existing call towards another
proxy/endpoint; for the hijacking to be successful the attacker
must replicate the proper SIP headers (To, From, Call-ID, CSeq);
o call tear down - the attacker uses SIP messages (e.g. CANCEL/BYE)
in order to tear down an existing call; for the tear down to be
successful the attacker must replicate the proper SIP headers
(To, From, Call-ID, CSeq).
Examples of RTP/RTCP protocol specific interruption of service
attacks exploiting RTP/RTCP-specific vulnerabilities are:
o RTP/RTCP malformed messages - the attacker tries to cause a crash
or a reboot of the proxy/endpoint by sending RTP/RTCP malformed
messages;
o RTP/RTCP messages flooding - the attacker tries to exhaust the
resources of the proxy/endpoint by sending many RTP/RTCP
messages;
o RTP/RTCP session tear down - the attacker uses RTCP messages (e.g.
BYE) in order to tear down an existing call at RTP layer, the SIP
layer will not notice that the RTP flow has been torn down and the
call will not result as released;
o RTP/RTCP QoS degradation - the attacker sends wrong RTCP reports
advertising more packet loss or more jitter than actually
experienced, resulting in the use of a poor quality codec and
degrading the overall quality of the call experience.
In principle such attacks do not need interception of any packet in
order to be performed (they could be done by simple guessing), but
some of these attacks (e.g. call hijacking, RTP/RTCP session tear
down, etc.) benefit from the retrieval of call-specific information
obtained by intercepting SIP/RTP/RTCP packets.
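The call tear down item above notes that a forged BYE only has to replicate To, From, Call-ID and CSeq. The following added example (not part of the draft) shows a receiver-side check that flags an in-dialog request whose headers match an established dialog but whose source address or CSeq does not fit it. The dialog table, the sample messages and the source-address heuristic are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Dialog:
    call_id: str
    tags: frozenset      # {From-tag, To-tag} fixed at call setup
    peers: frozenset     # signaling source addresses seen at setup (assumed known)
    last_cseq: dict      # highest CSeq number accepted per sender tag

def header(msg, name):
    m = re.search(rf"^{re.escape(name)}:\s*(.+?)\s*$", msg, re.I | re.M)
    return m.group(1) if m else ""

def tag(value):
    m = re.search(r";tag=([^;>\s]+)", value)
    return m.group(1) if m else ""

def check_in_dialog(msg, src, dialogs):
    """Return findings for one in-dialog request such as BYE (empty list = accept)."""
    method = msg.split(" ", 1)[0]
    from_tag, to_tag = tag(header(msg, "From")), tag(header(msg, "To"))
    d = dialogs.get(header(msg, "Call-ID"))
    if d is None or frozenset((from_tag, to_tag)) != d.tags:
        return [f"{method}: no matching dialog"]
    try:
        cseq = int(header(msg, "CSeq").split()[0])
    except (IndexError, ValueError):
        return [f"{method}: missing or malformed CSeq"]
    findings = []
    if src not in d.peers:
        findings.append(f"{method}: headers match dialog but source {src} is not a peer")
    if cseq <= d.last_cseq.get(from_tag, 0):
        findings.append(f"{method}: CSeq {cseq} is not above last seen value")
    if not findings:
        d.last_cseq[from_tag] = cseq   # only accepted requests advance the state
    return findings

def make_bye(cseq):  # constructed sample message, not captured traffic
    return ("BYE sip:bob@b.example SIP/2.0\r\n"
            "From: <sip:alice@a.example>;tag=a1\r\n"
            "To: <sip:bob@b.example>;tag=b1\r\n"
            "Call-ID: c1@a.example\r\n"
            f"CSeq: {cseq} BYE\r\n\r\n")

def demo():
    dialogs = {"c1@a.example": Dialog("c1@a.example", frozenset(("a1", "b1")),
                                      frozenset(("192.0.2.10", "198.51.100.20")),
                                      {"a1": 1})}
    return [check_in_dialog(make_bye(2), "203.0.113.5", dialogs),  # forged source
            check_in_dialog(make_bye(2), "192.0.2.10", dialogs),   # genuine request
            check_in_dialog(make_bye(2), "192.0.2.10", dialogs)]   # replayed copy

if __name__ == "__main__":
    for result in demo():
        print(result or "accepted")
```

Because the four headers are visible to anyone who can intercept the signaling, a header match alone does not authenticate the sender; the source check here is only a heuristic and does not replace the authentication mechanisms of Section 3.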
2.3. Abuse of Service Threats
In abuse of service attacks, services are improperly used for the
purpose of committing fraud or reducing billing. Examples of abuse of
service attacks are:
o identity theft - the attacker uses the identity of the owner
without consent for the purpose of masking his real identity
when committing fraud (e.g. when calling, the attacker can charge
the bill to the identity owner, the attacker can use the identity
to bypass call blocking, etc.);
o service volume fraud - the attacker injects into the network more
traffic than was declared in the session request in order to
avoid paying for the used resources;
o session replay - the attacker replays a past session of another
user in order to have access to the same resources (e.g. a bank
account, etc.).
2.4. Social Threats
False presentation of information together with unwanted contact are
the only social threats that can be traced back to a technical
background in the case of VoIP. Examples are:
o false presentation of identity/authority/rights/content - the
attacker presents false or misleading credentials in order to gain
a social advantage out of it;
o unwanted lawful/unlawful contact - the attacker contacts the
victim for unlawful or lawful purposes (e.g. extortion,
telemarketing, etc.). Please note that unwanted lawful contact in
the case of VoIP is also referred to as SPam over Internet
Telephony (SPIT); SPIT discussion is excluded by the SPEERMINT
working group per charter.
3. Overview of VoIP Security Solutions
This section presents the VoIP security features currently
standardized or under standardization in order to give an overview of
the building blocks needed to counter the VoIP Security threats
detailed in this draft. The technology to secure VoIP can be divided
into three main areas as follows:
o Authentication/Authorization;
o Encryption;
o Identity management.
Authentication is needed to understand who was the sender of a
specific packet. Authentication can take place between different
entities or end-to-end:
o from client to server - Digest authentication [2] or mutual
Transport Layer Security (TLS) [3];
o from server to server - mutual Transport Layer Security (TLS);
o from server to client - Transport Layer Security (TLS);
o end-to-end - S/MIME [4].
All solutions require some kind of trust relationship (i.e. shared
secret or certificate authorities).
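As an added illustration of the client-to-server case (not part of the draft), the sketch below verifies a Digest response computed as in RFC 2617 with qop=auth and tracks the nonce count, so that the session replay threat of Section 2.3 is rejected. The realm, user, shared secret and the already-parsed credential dictionary are constructed assumptions.

```python
import hashlib
import hmac
import secrets

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 response value for qop=auth with the MD5 algorithm."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")   # binds the response to method and URI
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class DigestVerifier:
    def __init__(self, realm, passwords):
        self.realm = realm
        self.passwords = passwords   # user -> shared secret
        self.nonces = {}             # issued nonce -> highest nonce count accepted

    def issue_nonce(self):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def verify(self, method, creds):
        """creds holds the already-parsed Authorization header parameters."""
        try:
            user, nonce, nc_text = creds["username"], creds["nonce"], creds["nc"]
            uri, cnonce, response = creds["uri"], creds["cnonce"], creds["response"]
            nc = int(nc_text, 16)
        except (KeyError, ValueError):
            return "reject: incomplete credentials"
        if nonce not in self.nonces:
            return "reject: nonce not issued by this server"
        if nc <= self.nonces[nonce]:
            return "reject: nonce count already used (replay)"
        if user not in self.passwords:
            return "reject: unknown user"
        expected = digest_response(user, self.realm, self.passwords[user],
                                   method, uri, nonce, nc_text, cnonce)
        if not hmac.compare_digest(expected.encode(), str(response).encode()):
            return "reject: bad response"
        self.nonces[nonce] = nc
        return "accept"

def demo():
    # Constructed realm, user and secret; no real deployment values.
    server = DigestVerifier("a.example", {"alice": "constructed-secret"})
    creds = {"username": "alice", "uri": "sip:a.example", "cnonce": "0a4f113b",
             "nonce": server.issue_nonce(), "nc": "00000001"}
    creds["response"] = digest_response("alice", "a.example", "constructed-secret",
                                        "REGISTER", creds["uri"], creds["nonce"],
                                        creds["nc"], creds["cnonce"])
    return (server.verify("REGISTER", creds),                  # genuine request
            server.verify("REGISTER", creds),                  # captured and replayed
            server.verify("BYE", dict(creds, nc="00000002")))  # reused for another method
```

Digest with qop=auth covers only the method and Request-URI, not the other headers or the body, which is why the section pairs it with TLS and S/MIME.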
Encryption is needed to protect the content of the packets from being
read by parties other than the intended recipients of such packets.
Encryption follows the same paradigm as authentication and can be done
either on a hop-by-hop or on an end-to-end basis. On a hop-by-hop
basis TLS is used (TLS creates an authenticated, encrypted,
integrity-checked channel). On an end-to-end basis S/MIME is used to
sign and encrypt portions of the SIP body. At the media level,
end-to-end encryption is possible using SRTP [5] to protect RTP/RTCP
media (audio, video). Currently there is a discussion in the IETF
about the requirements for SRTP media keying, which is still an open
issue. Other solutions that provide encryption and integrity are
lower layer ones like IPsec, which is done hop-by-hop.
Identity management is also an important piece of the security
framework in SIP [6]. The objective of the identity framework is to
give technical means to assess user identity in a secure manner. It
requires strong cryptographic assertions but it represents the most
promising approach to enable further security solutions which need
the assumption of dealing with strongly authenticated identities.
Please note that other techniques could also be used to counter VoIP
security threats; techniques that constitute stand-alone
solutions and that do not need standardization work are left out of
the scope of this document. It is left open for discussion which
other security techniques to include in this section.
4. Conclusions
This memo presented a taxonomy for the different types of VoIP
security threats. The multiple instances of the threats were also
presented with a brief explanation. Finally the existing security
solutions in VoIP were presented to describe the countermeasures
currently available for such threats. The objective of this document
is to identify and enumerate the VoIP threat vectors in order to
specify security-related requirements specific to peering. Once the
requirements are identified, methods and solutions for meeting
them can be selected.
5. Security Considerations
This memo is entirely focused on the security threats for VoIP.
6. Acknowledgements
This memo takes inspiration from VOIPSA VoIP Security and Privacy
Threat Taxonomy. The author would like to thank VOIPSA for having
produced such a comprehensive taxonomy which is the starting point of
this draft. The author would also like to thank Cullen Jennings for
the useful slides presented at the VoIP Management and Security
workshop.
7. Informative References
[1] "VOIPSA VoIP Security and Privacy Threat Taxonomy",
October 2005.
[2] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP:
Session Initiation Protocol", RFC 3261, June 2002.
[3] Dierks, T. and E. Rescorla, "The TLS Protocol Version 1.2",
draft-ietf-tls-rfc4346-bis-01.txt (work in progress), June 2006.
[4] Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions
(S/MIME) Version 3.1 Message Specification", RFC 3851,
July 2004.
[5] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
Norrman, "The Secure Real-time Transport Protocol (SRTP)",
RFC 3711, March 2004.
[6] Peterson, J. and C. Jennings, "Enhancements for Authenticated
Identity Management in the Session Initiation Protocol (SIP)",
draft-ietf-sip-identity-06.txt (work in progress), October 2005.
Author's Address
Saverio Niccolini
Network Laboratories, NEC Europe Ltd.
Kurfuersten-Anlage 36
Heidelberg 69115
Germany
Phone: +49 (0) 6221 4342 118
Email: saverio.niccolini@netlab.nec.de
URI: http://www.netlab.nec.de
Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).