Consumers and enterprises alike are rapidly adopting voice-over-IP (VoIP) technologies, which offer higher flexibility and more features than traditional telephony infrastructures. They can also potentially lower costs through equipment consolidation and, for the consumer market, new business models. However, VoIP systems also represent high complexity in terms of architecture, protocols, and implementation, with a corresponding increase in the potential for misuse. The author conducted survey of published vulnerabilities in the Common Vulnerabilities and Exposures (CVE) database and in two IETF RFC Internet drafts. These issues ranged from relatively straightforward problems that can lead to server or equipment crashes (denial of service [DoS]) to more serious problems that let adversaries eavesdrop on communications, remotely take over servers or handsets, impersonate users, avoid billing or charge another user (toll fraud), and so on

Keromytis, Angelos D.

Columbia University Academic Commons

76	 COPUBLISHED	BY	THE	IEEE	COMPUTER	AND	RELIABILITY	SOCIETIES							■						1540-7993/10/$26.00	©	2010	IEEE							■						MARCH/APRIL	2010Secure SystemsEditors: Patrick McDaniel, mcdaniel@cse.psu.eduSean W. Smith, sws@cs.dartmouth.edudon’t directly let attackers eaves-drop on voice conversations.Figure 1b shows these vulner-abilities’ sources. Given CVE’s nature, it isn’t very surprising that most of the problems stem from implementation issues. However, a sizable and arguably undercounted source of problems is misconfigu-rations; these include default ad-ministrator credentials, insecure and undocumented services run-ning on the device (such as remote-ly accessible debuggers running on VoIP handsets, with no authentica-tion!), and access to otherwise re-stricted services through alternative interfaces (for example, a Web front end). Finally, a very few protocol vulnerabilities allow DoS attacks4 or toll fraud.5 These problems were discovered (or, at least, reported) only recently, which is surprising given how long the standards doc-uments have been published.Research into  VoIP SecurityConsidering VoIP’s importance, the scope of such systems (which include and depend on whole families of protocols, including the Dynamic Host Configuration Protocol, Domain Name System, and Web services) and the breadth of vulnerabilities, considerable re-search exists in this space. In con-junction with my vulnerability analysis, I surveyed all research papers I could find on VoIP secu-rity.6 I started with papers I was personally familiar with, then those published in the proceed-ings of top security conferences, workshops, and journals from the past five years, and the results from equipment consolidation and, for the consumer market, new busi-ness models. However, VoIP systems also represent high com-plexity in terms of architecture, protocols, and implementation, with a corresponding increase in the potential for misuse.VoIP VulnerabilitiesAs part of the Vampire proj-ect (http://vampire.gforge.inria.fr/)—funded by the French Na-tional Research Agency (ANR) and tasked to better under-stand the VoIP security problem space—I conducted a survey of all published vulnerabilities in the Common Vulnerabilities and Exposures (CVE) database and in two IETF RFC Internet drafts. In total, these included 221 problems disclosed from 1999 through No-vember 2009. These issues ranged from relatively straightforward problems that can lead to server or equipment crashes (denial of ser-vice [DoS]) to more serious prob-lems that let adversaries eavesdrop on communications, remotely take over servers or handsets, im-personate users, avoid billing or charge another user (toll fraud), and so on.Figure 1a breaks down the vulnerabilities by type, using the VoIP Security Alliance (VoIPSA) taxonomy.1 Most problems lead to DoS attacks, typically via server or equipment crashes, although less obvious DoS attacks that users or administrators wouldn’t notice immediately have also been re-ported. Note that our classification likely underestimates the number of more serious, remote-takeover vulnerabilities: many CVE entries report a DoS vulnerability, in-dicating that attackers could also conduct a buffer overflow attack, but don’t follow up with a thor-ough analysis.What the graph doesn’t show is that VoIP servers and clients (end devices) each account for roughly half the DoS vulnerabilities. Al-though we theoretically know how to conduct fault tolerance for server applications, it’s less clear how we can protect end devices; worse, up-dating VoIP equipment’s firmware occurs rather infrequently outside enterprise environments.Another interesting lesson from this graph and the supporting analysis2,3 is that traffic eavesdrop-ping and hijacking constitutes roughly one-fifth of these vulner-abilities; digging a little deeper, most of these problems enable traffic analysis via access to a user device or server’s call logs but Consumers and enterprises alike are rapidly adopting voice-over-IP (VoIP) technolo-gies, which offer higher flexibility and more features than traditional telephony infra-structures. They can also potentially lower costs through Angelos D. KeromytisColumbia UniversityVoice-over-IP	SecurityResearch and PracticeSecure Systems	 www.computer.org/security	 77	searching CiteSeer, IEEE Xplore, Google Scholar, and the ACM Digital Library. I used obvious keywords such as “VoIP security” and “SIP security” and recursively followed relevant cited papers. I omitted some that were only peripherally relevant to VoIP or VoIP security. In the end, I looked at 200 papers, which I classified using an augmented VoIPSA tax-onomy, given that more than half didn’t naturally fit in the VoIPSA scheme.Figure 2a shows how I classified these papers using the  VoIPSA tax-onomy. What we see is a breadth of research but also a lack of atten-tion to some problem areas that ap-pear to dominate the set of known vulnerabilities. Specifically, only 21 percent of the papers focused on the DoS problem, which cor-responds to 58 percent of disclosed vulnerabilities. Conversely, a large focus (50 percent) is on VoIP spam, also known as spam over Inter-net telephony (SPIT); although 18 percent of vulnerabilities fit in the same category (social threats), few were actually related to SPIT.Figure 2b shows the break-down of the remaining papers. Approximately 40 percent are sur-veys and overviews of VoIP prob-lems and security mechanisms. Some could in fact help against specific problems (such as DoS), although much of the effort in both intrusion detection and ar-chitectures is focused on SPIT de-tection and prevention.T he lesson to draw from the juxtaposition of these two surveys is that further research is needed into DoS attacks against VoIP systems. Furthermore, the research community and security professionals should better address configuration problems and emer-gent properties, especially those arising from unexpected interac-tions among different services, such as cross-site scripting attacks on Web management interfaces implemented by injecting code through the SIP Caller field.One limitation of my work to date is that it represents a view that’s potentially detached from what’s actually happening on the Internet with respect to mali-cious activity and VoIP devices. Thus, some of the next steps in the Vampire project include design-ing, implementing, and deploying a distributed VoIP honeynet that will give us some insight as to the operational significance of differ-ent vulnerability types and the po-tential impact of various research thrusts. In the meantime, VoIP users and operators must remain vigilant and follow best practices, including the timely application of firmware and patch updates, the use of VoIP-aware firewalls and intrusion-detection systems, and the overall hardening of the criti-cal services on which their VoIP infrastructures depend. AcknowledgmentsThe work described in this article was performed while the author was on sabbatical with Symantec Research Labs Europe.References1. “VoIP Security and Privacy Threat Taxonomy,” VoIP Secu-rity Alliance, Oct. 2005; www.voipsa.org/Activities/VOIPSA _Threat_Taxonomy_0.1.pdf.2. A.D. Keromytis, “A Look at VoIP Vulnerabilities,” login; The USENIX Magazine, vol. 35, no. 1, 2010; www.usenix. org/publications/login/2010-02/pdfs/keromytis.pdf.3. A.D. Keromytis, “Voice over IP: Risks, Threats and Vulnerabili-ties,” Proc. Cyber Infrastructure Pro-tection (CIP) Conf., 2009; www.cs.columbia.edu/~angelos/Papers/ 2009/cip.pdf.4. R. Sparks et al., Addressing an Amplification Vulnerability in Ses-sion Initiation Protocol (SIP) Forking Proxies, IETF RFC 5393, Dec. 2008; www.rfc-editor.org/rfc/rfc 5393.txt.5. R. State et al., “SIP Digest Au-thentication Relay Attack,” IETF Social threats (1)Eavesdropping, hijacking (2)Denial of service (3)Service abuse (4)Physical access (5)Interruption of services (6)4%58%20%18%ImplementationProtocolConfiguration11%1%88%(a)(b)Figure 1. Vulnerabilities in voice over IP (VoIP). We can see (a) the vulnerability classification using the VoIP Security Alliance taxonomy and (b) the vulnerabilities’ locations and causes.Secure Systems78	 IEEE	SECURITY	&	PRIVACY7%21%22%50%Social threats (1)Traffic attacks (2)Denial of service (3)Service abuse (4)(a)(b)Overviews & surveysPerformance analysisArchitecturesIntrusion detectionField studiesAuthenticationMiddleboxesMiscellaneous2691912101145Figure 2. Voice-over-IP (VoIP) security papers. I classified (a) 43% of the 200 papers I surveyed using the VoIP Security Alliance taxonomy. I conducted an informal classification on (b) the remaining 57 percent of the papers (bars indicate the number of papers).Internet draft, work in progress, Mar. 2009.6. A.D. Keromytis, “A Compre-hensive Survey of Voice over IP Security Research,” Security in Computing and Networking Systems: The State-of-the-Art, W. McQuay and W.W. Smari, eds., to be pub-lished, Wiley & Sons, 2010.Angelos D. Keromytis is an associ-ate professor with the Department of Computer Science at Columbia Uni-versity, and director of the Network Security Lab. His research interests re-volve around most aspects of security, with particular interest in systems and software security, cryptography, and access control. Keromytis has a PhD in computer science from the University of Pennsylvania. He’s a senior member of the ACM and IEEE. Contact him at  angelos@cs.columbia.edu.Selected CS articles and columns are also available for free at http://ComputingNow.computer.org.

Voice-over-IP Security: Research and Practice

https://academiccommons.columbia.edu/doi/10.7916/D8DZ0JRW/download

Voice-over-IP Security: Research and Practice

Abstract

Similar works

Full text

Available Versions

Columbia University Academic Commons