The study and demonstration on SIP security vulnerabilities Mahidhar Penigi Vamsi Krishna Karnati Introduction Session Initiation Protocol, is a text based protocol Signaling protocol to initiate, manage and terminate voice sessions BICC, H.323, MGCP and MEGACO SIP is very similar to HTTP For secure SIP transmissions SIP secure (SIPS) is used SIP establishes and terminates a session in a series of handshakes (Illustrated in the next slide) The three way handshake http://www.packetizer.com/ipmc/sip/papers/understanding_sip_voip/sip_call_flow.png Major drawbacks of SIP SIP does not have inbuilt security Elements like: Encryption Authentication, and Confidentiality have to deployed a another layer for additional security in SIP Encryption: Malicious users and hackers are easily able to intercept and decode SIP messages retrieved using the simple networking tools/softwares. Authentication: It is not very simple for an unauthorized user to be traced down without additional layers of security. Due to this IP spoofing could be performed to enter the network and by replacing another device with the same IP and kicking it out of the network. This user is then authenticated within the SIP network since authentication schemes come as a part of an external solution and is not inbuilt SIP message protection is also required Protecting content exchanged between two user or end devices during any kind of exchange over an IP network is called message protection Very important for end to end voice delivery to be reliable and secure to avoid a major section of attacks that are classified by the attacker being able to recognize and understand an ongoing target session Attacks due to lack of encryption Malformed message attacks Message Tampering http://blogs.ixiacom.com/default/assets/Image/SIP_fuzzing_attack.gif Attacks due to lack of authentication Denial of service attacks IP spoofing IP address of an authenticated device is borrowed temporarily to utilize the services of the network, this is not authorized Computer.howstuffworks.com Attacks due to lack of authentication Man in middle attacks, Eavesdropping and Registration Hacking Other Attacks Proxy Impersonation is where the attacker claims the identity of the proxy server taking temporary control over all ongoing sessions (voice) and devices interacting with it http://www.asteriskdocs.org/en/2nd_Edition/asterisk-book-html-chunk/figs/web/ast2_0801.png The solution for better security A Telephony Solution that is need based is often deployed over SIP to take care of the general security issues mentioned earlier TCP/IP rather than UDP for SIP Even though most SIP deployments are a compromise in infrastructure when additional security is required SIP is going to be accompanied with some kind of a TLS as well Raw UDP transport method with ZRTP could also keep most hackers and attacks away PACKET TRACER 5 Network simulation Program provided by CISCO. It helps to learn complex Technology concepts. Unlimited Devices can be added into a network for demonstration. Cisco certified tool for learning complex networks. Demonstration of Attacks: Packet Tracer 5.0 IP spoofing Registration Hacking Denial of Service due to Packet flooding Conclusion Now specially with the advent of VoLTE, that provisions for a higher level integration between the PSTN, IMS and VoIP networks is higher, and a small loophole in one segment of one of the voice based networks could eventually lead to a bigger threat for the larger VoLTE system in place. SIP is one such loophole and it is very necessary to recognize, understand and prevent the issues pertaining to Session Initiation Protocol (SIP) and hence deploy a better network with better security standards. References www.voip-info.org/wiki/view/SIP+security download.securelogix.com/library/SIP_Security030105.pdf http://backtrack-linux.org