A summary of voip vulnerabilities from VoIPsa mailing list

下面是VoIPsa邮件列表中关于VoIP系统脆弱性的一个总结,有趣的是作者宣布他们已经实现了一个攻击测试系统,可以验证测试几乎所有的脆弱性和漏洞。这些脆弱性和漏洞包括:

1 传统IP网络本身的脆弱性
2 SIP重用了HTTP协议的认证机制,但是HTTP本身的认证机制却很不安全
3 SIP通信是基于消息交易的,协议很复杂,所以很容易遭受拒绝服务攻击
4 RTP没有加密,容易被窃听
5 VoIP软件带来的脆弱性
6 VoIP终端系统的智能化带来的额外的威胁等。

The following is the original english message, by sukerry@126.comhere is the summarization of voip vulnerabilities, and we are proud to say that we have realized an attack system to validate almost all the vulnerabilities, and I think point 2 and point 3 is due to the imperfection of SIP protocol itself

1.traditional IP network is insecure,its data stream is open to the public,VoIP, which is based on IP network certainly inherits this insecurity,this situation brings lots of attacks , such as Man in middle attak,call termination, sip password violent crack ,etc.

2.SIP reuses authentication mechanism from HTTP protocol ,in fact Http authentication is totally imperfect when applied to SIP protocol,for that it is a single-direction authentication, which means that only the server authenticates the endpoints,the endpoints do not authenticate the server,this situation makes it easy to deceive endpoints because they do not authenticate any entity in the network. Pseudo call (call someone with a false user id) ,server impersontation are dangerous attacks due to this vulnerability

3. SIP communication is based on message transaction, however sip transaction mechanism is quite complicated.for example, when a stateful proxy server receives a sip request message, it firstly computes the transaction ID for this message,if the transaction ID is not existed before, this request message is regarded as a new message, the server will do a lot things for this new message: save this message, create a finite statemachine for this message, construct a provisional response message and send it back, save this response message,update the finite statemachine, decide the next hop of this request message basing on the complex routing rules,transfer the request message, create one or more client transactions for the request message …these steps surely consume lots of CPU and memory resources. as a result,the server is susceptible to DoS Attacks when a hacker continually sends large quantities of SIP request messages with different Call-ID

4.Un-encrypted media stream such as RTP data is easy to be wiretapped

5.almost all VoIP software has some code flows, in this case,even a malicious packet may bring down the server, we call this packet exception packet, in fact we have found exception packets againtst both sip servers and h.323 servers

6.voip endpoints are much more intellectualized than traditional PSTN terminals,however,when this capability is abused,a lot of malicious network attacks appear:
disturbance call
call leaflet
voice broadcast
and more…

technorati tags: , , , , ,

2 Responses to A summary of voip vulnerabilities from VoIPsa mailing list

  1. zhaol says:

    后来这个邮件引起很多讨论,提出了异议。

    下面作者总结的H323和SIP的比较:

    1. H.323,which is defined by ITU-T, tends to be telecom application,it regards voip as an extension of telecommunication field. however, SIP ,which is defined by IETF, reuses many mechanisms from existing internet famous protocols,such as http, smtp,rtp,dns…,it regards voip as a totoally internet application. as we all know, now IP meltage is a trend, so sip is going to gain more and more acceptances.
    2. H.323 is based on binary codec(BER PER), and is very complex in call control signals,while SIP is based on text, and its control signals are simple .further more,many existing internet protocols(such as HTTP) implementation can be used as a reference to SIP system realization.
    3. SIP is much more flexible and extensible compared to H.323, for that its Method ,Head field, message body can be extened and added easily. H.323 is indeed not easy to be extended.
    4. SIP is not only a voip protocol, in fact, it has many more important uses besides voip. it is the communication protocol between softswitches and between softswitch and AS in the NGN network, it is the main protocol in IMS (3G core network).

    so ,SIP is ip oriented, simple,extensible ,flexible and broadly used, I think SIP is definitely a tendency,I will choose SIP when realize a voip system.

    but please note that SIP is immature compared to h.323.

  2. zhaol says:

    作者还提到了他们实验室进行的攻击测试的类型,转贴如下:
    exception-packet attack against server
    dos attack against server
    disturbance call attack against endpoints
    pseudo call attack against endpoints
    call leaflet attack against endpoints
    sip passwork crack
    voice eavesdropping (and maybe voice replacement and voice disturbance)
    voice broadcast & call leaflet attack against pstn terminals(via voip gateway)
    and maybe more

%d bloggers like this: