Thursday, September 27, 2007
For those not familiar with what SIP looks like and how it behaves, check out this easy-to-read article on Trainsignal training. Of course the article is oversimplified - RFC 3261 is still the place to look for the details.
Wednesday, September 26, 2007
Another interview with Robert Moore
Information Week published an interview with the notorious VoIP hacker who was charged with fraud last year. The main point that came out of the interview is that the password is the weakest link. He mentions two VoIP vendors - Cisco and MERA - and how comfortable he felt breaking into these systems because of default or easily guessable passwords. In a previous interview we learned that he mainly attacked H.323 devices rather than SIP boxes; however, the attacks he pulled off are quite similar to what you can do with the SIPVicious tools.
Reference: Robert Moore Tells How He Broke Into Routers And Stole VoIP Services
Tuesday, September 18, 2007
MediaDefender Phone Call was over VoIP
If you're not familiar with the leak, this article on TorrentFreak talks about phone calls between a New York attorney and MediaDefender which were leaked out.
Funnily enough (for some), during the phone call one of the parties says: "what we could do if you wanted, change the port ... change the login, obviously the password, if you guys need to know the password that we're using we can just communicate that by phone. .... If you need to .. anything which is really really sensitive we can just communicate in this [phonecall] fashion".
There were different opinions on how this call was captured. One suggestion floating around the forums is that the VoIP call was recorded by one of the parties (MediaDefender or the NY attorney) and put on a compromised server. Another idea is that the call was sniffed by the attacker.
Whichever way this call was compromised, it shows two things with regards to VoIP communications:
- Phone traffic now goes over the Internet. Don't assume that your call cannot be intercepted over the Internet .. that assumption is very outdated.
- Encryption definitely has an important place in VoIP security. In this case, it would probably have helped.
Labels: analysis, mediadefender, sip security, sniff phone calls, sniff voip, voip security paper analysis encryption zrtp mikey sdes sip, vulnerability
Microsoft VoIP As You Are
I just saw Microsoft's (relatively) new VoIP ad campaign called "VoIP As You Are". The ads on the MS site are cute, showing two old PBXs having a chat. Apparently you get a different ad every time you click.. so keep clicking ;-)
So what this implies is that Microsoft is taking into account that the bigger companies will find it hard to switch to VoIP if they have to ditch their old system and start a new page. It also means that old vulnerabilities in PBX servers will probably be exposed to the less friendly networks (such as the Internet).
Labels: microsoft, Microsoft Office Communicator, Microsoft Outlook, microsoft voip, pbx, sip, sip security, Unified Communications
Tuesday, September 11, 2007
SIPVicious tools in the works
I've been working on more features for svmap. Some of these features will also find their way into svwar and svcrack in the next release. So which features are of interest?
- svmap is now session based. This allows the following features:
  - You may stop a current scan, go have a coffee and resume it later.
  - If the power cuts, a natural disaster occurs or anything bad happens, you can resume your scan later thanks to the autosave feature, provided you survived the accident.
  - Results are now stored in BSD database form. svreport.py comes in quite handy .. more on this below.
- You can now pass various types of host ranges to svmap, depending on your (bad) taste and habits. Examples:
  - 1.1.1.1-20 1.1.2-4.1-10
  - 1.1.1.*
  - 1.1.1.1-1.1.2.20
  - sipvicious.org/22
  - 10.0.0.1/24
  - sipvicious.org
- Random scans. Two kinds of random scans:
  - Internet random - you don't pass svmap any host/IP ranges. It scans IPs randomly, avoiding those that belong to private networks or reserved address space.
  - Random targeted scan - you pass a range of hosts/IPs and they are scanned randomly instead of sequentially.
- Output to an ASCII table when the scan is complete. If you need to see the results instantly, then the verbose option is your friend. Double verbose gives out a lot of debug information.
- Lots of bug fixes, optimizations and cleaning up ;)

Results can be exported to the following formats:
- PDF - Portable Document Format
- XML - Extensible Markup Language
- CSV - Comma delimited files
- Text - Human friendly format
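To make the host-range notation above concrete, here is an added example (my own code, not SIPVicious') that expands every form listed: per-octet ranges, `*` wildcards, full IP-to-IP ranges, CIDR blocks and plain hostnames. The hostname resolver is injectable so the code runs offline; `socket.gethostbyname` is only the default.

```python
import ipaddress
import re
import socket
from typing import Callable, Iterator, List

def _octet_values(part: str) -> List[int]:
    """Expand one dotted-quad field: '7', '2-4' or '*' -> list of ints."""
    if part == "*":
        return list(range(256))
    lo, _, hi = part.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 0 <= lo_i <= hi_i <= 255:
        raise ValueError(f"bad octet range: {part!r}")
    return list(range(lo_i, hi_i + 1))

def expand_target(spec: str, resolve: Callable[[str], str] = socket.gethostbyname) -> Iterator[str]:
    """Yield every IPv4 address described by one svmap-style target spec."""
    host, _, prefix = spec.partition("/")
    if re.fullmatch(r"[0-9.*\-]+", host) is None:   # contains letters: treat as a hostname
        host = resolve(host)                          # injectable resolver keeps this offline-testable
    if prefix:                                        # CIDR block, e.g. 10.0.0.1/24 or host/22
        net = ipaddress.ip_network(f"{host}/{prefix}", strict=False)
        yield from (str(a) for a in net)
        return
    m = re.fullmatch(r"(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)", host)
    if m:                                             # full IP-to-IP range, e.g. 1.1.1.1-1.1.2.20
        start, end = (int(ipaddress.ip_address(x)) for x in m.groups())
        yield from (str(ipaddress.ip_address(i)) for i in range(start, end + 1))
        return
    fields = host.split(".")                          # per-octet ranges/wildcards, e.g. 1.1.2-4.1-10
    if len(fields) != 4:
        raise ValueError(f"unrecognised target: {spec!r}")
    a, b, c, d = (_octet_values(f) for f in fields)
    for w in a:
        for x in b:
            for y in c:
                for z in d:
                    yield f"{w}.{x}.{y}.{z}"

def expand_targets(specs: str, resolve: Callable[[str], str] = socket.gethostbyname) -> List[str]:
    """Expand a whitespace-separated list of specs, de-duplicated, input order kept."""
    seen: dict = {}
    for spec in specs.split():
        for addr in expand_target(spec, resolve):
            seen.setdefault(addr, None)
    return list(seen)
```

Note that `1.1.1.1-1.1.2.20` spans 276 addresses while `1.1.1.1-20` is just the last octet, so the two hyphen forms must be told apart before splitting on dots.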
Labels: blog, security tools, sip security, sipvicious tools, site news
Saturday, September 8, 2007
SIP Security with Cullen Jennings of IETF and Cisco
Blue Box podcast has published a very interesting discussion / interview with someone who has a finger in the pie when it comes to SIP. He talks about some real issues when it comes to SIP and VoIP.
Labels: blue box, podcast, sip security
Friday, September 7, 2007
Security Analysis of Voice-over-IP Protocols
This paper talks about the state of security, or lack of it, in the VoIP protocols. It talks a lot about encryption and introduces some attacks in that area. Of interest:
- A replay attack on the SDES key exchange that causes SRTP to use the same keystream in multiple sessions. This effectively lets the attacker strip the encryption from SRTP-protected data streams.
- An attack on ZRTP involving unauthenticated user IDs. This allows bypassing / disabling of authentication or a DoS attack.
- A security issue related to randomness in MIKEY.
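As an added example (my own code, not from the paper or SIPVicious), one defensive check that follows from the SDES replay finding: a proxy or SBC that records the inline master key from every `a=crypto` line (RFC 4568 syntax) can flag a key that turns up again in a second session, which is exactly what a replayed offer produces. The SDP bodies and keys below are constructed samples.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# RFC 4568 line: a=crypto:<tag> <suite> inline:<base64 key||salt>[|lifetime][|MKI:len]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:([A-Za-z0-9+/=]+)", re.M)

def extract_sdes_keys(sdp: str) -> List[Tuple[str, str]]:
    """Return (crypto-suite, base64 master key) pairs for every a=crypto line in an SDP body."""
    return [(suite, key) for _tag, suite, key in CRYPTO_RE.findall(sdp)]

def find_key_reuse(sessions: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each SDES key offered in more than one session to the Call-IDs that used it."""
    by_key: Dict[str, List[str]] = defaultdict(list)
    for call_id, sdp in sessions.items():
        for _suite, key in extract_sdes_keys(sdp):
            if call_id not in by_key[key]:
                by_key[key].append(call_id)
    return {key: ids for key, ids in by_key.items() if len(ids) > 1}

# Constructed sample: SDP offers keyed by Call-ID. Keys are made-up base64 strings;
# the third session replays the a=crypto line from the first one.
KEY_A = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
KEY_B = "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
SAMPLE_SESSIONS = {
    "call-1@pbx.example": ("v=0\r\nm=audio 4000 RTP/SAVP 0\r\n"
                           f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{KEY_A}|2^20|1:32\r\n"),
    "call-2@pbx.example": ("v=0\r\nm=audio 4002 RTP/SAVP 0\r\n"
                           f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{KEY_B}|2^20|1:32\r\n"),
    "call-3@pbx.example": ("v=0\r\nm=audio 4004 RTP/SAVP 0\r\n"
                           f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{KEY_A}|2^20|1:32\r\n"),
}

if __name__ == "__main__":
    for key, calls in find_key_reuse(SAMPLE_SESSIONS).items():
        print(f"ALERT: SDES key {key[:8]}... offered in {', '.join(calls)}")
```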
Labels: analysis, encryption, mikey, paper, sdes, security paper, security tools, sip, voip, voip security paper analysis encryption zrtp mikey sdes sip, white paper, zrtp