Vulnerabilities in SOHO VoIP Gateways

Peter Thermos and Guy Hadsall
{pthermos,ghadsall} @ vopsecurity.org
The VoPSecurity.org Forum

Abstract

Technological advancements and equipment cost reductions aid the rapid evolution of residential networks, which have evolved into an autonomous ecosystem with more elaborate services and capabilities than previously experienced. The elements in residential networks use a combination of hardware, software and communication protocols with inherent security vulnerabilities due to this new configuration. One such component is the Voice over IP (VoIP) gateway, which in many cases is replacing the current Internet gateway, thus providing network as well as VoIP connectivity. The new VoIP gateways are required to provide greater robustness and security than the current Internet gateways, since they need to support critical services such as E911 and real-time multimedia applications. This paper reflects the results of a research study that aimed at identifying security issues associated with residential VoIP gateways, including signaling and media routing, implementation, operation, and network management, in order to understand their impact on end users and service providers. The findings suggest that attacks such as message replay, amplification (i.e. Denial of Service or "DoS"), annoyance (SPIT), and eavesdropping, along with misconfiguration and several other weaknesses, can have a severe impact on the subscriber's ability to communicate in an emergency or can lead to the disclosure of sensitive information.

1 Introduction

Requirements for residential Internet access increase constantly as bandwidth becomes more of a commodity. For example, a decade ago a home network was comprised of a PC, a dial-up modem and a fax machine. The state of home networking has been extended to include high-speed Internet access and wireless access point(s) which interconnect several devices (i.e. laptops, PCs, printer/fax etc.), including experimental lava lamps that are controlled using SIP, all while the cost of hardware, software, and services continues to fall.

This demonstrates that residential networks are evolving into an autonomous ecosystem with more elaborate services and capabilities as prices continue to fall. The elements in this ecosystem use various software and communication protocols with inherent security vulnerabilities. In several cases the users require secure Virtual Private Network (VPN) access to corporate resources, thus introducing another threat that corporate security has to manage.

Recently, there have been several announcements by telecommunication carriers and service providers promoting VoIP services. However, there are several issues associated with residential VoIP services and gateways, including session security, provisioning, operation, and network device management, that require further research and understanding of their impact on end users and service providers.

The VoPSecurity.org forum has conducted a study to assess¹ the security posture of selected VoIP service providers and the respective hardware used to provide the VoIP service for Small Office/Home Office (SOHO) environments. This research has helped answer questions such as:

- What vulnerabilities may exist that are associated with managing a SOHO/Residential VoIP gateway (i.e. can I shut down my neighbor's VoIP service through a web interface? Can I manage the device remotely by gaining unauthorized access)?
- What DoS attacks may be applicable (e.g. message amplification, malformed packets), what security measures, if any, has the service provider implemented to protect against Denial of Service attacks, and what could they do to protect end users from attacks (this question can be extended to both domestic and international VoIP service providers)?
- What class of vulnerabilities can be exploited remotely (i.e. buffer overflows) in order to gain unauthorized access?
- Can a VoIP user's registration or the user's identity be hijacked? Would they know?
- Can calls be originated without the user's consent?

The primary objectives of this study were to assess the security of the following areas:

- Management features, such as security controls (i.e. authentication and authorization), configuration and updates of the VoIP gateway (i.e. is remote management turned on by default?)
- Protocol/signaling flow vulnerabilities that can be used to exploit various weaknesses, including fraud and impersonation.
- Protocol implementation vulnerabilities (e.g. buffer overflows).
- Configuration and profile protection mechanisms used and available in service provider VoIP gateways.

The results of this study help in providing insight into the security posture of SOHO/Residential VoIP gateways. Furthermore, they help raise the awareness level of end users and help the respective service providers and vendors strengthen their network posture, since it is considered part of the critical infrastructure.

It should be noted that the names of the VoIP service providers and respective products have been omitted from this paper in order to properly disclose the information to the affected parties and provide them time to address the identified weaknesses. For completeness we intend to publish the names of the vendors after a period of time in which they can remediate the vulnerabilities.

1.1 Service Providers

For this study we selected three VoIP service providers to evaluate the security posture of the service and the respective device. This is an initial² step to establish a reference point for further research in this area.

The selection of the service providers was based on the ease of geographical access, supporting infrastructure (e.g. carrier as a service provider or just service provider) and service architecture. For the remainder of the paper we will reference the VoIP service providers as follows:

SP³-1: Maintains a VoIP infrastructure and has ubiquitous presence through existing ISPs (Internet Service Providers, including DSL/Cable) in North America. Furthermore, this service provider plans to establish global presence.

SP-2: This service provider has been an incumbent telecommunications carrier (including PSTN and wireless), therefore taking advantage of their existing switched infrastructure to route calls. Their VoIP presence, at the moment, is limited to the US.

SP-3: This service provider maintains a VoIP infrastructure that offers VoIP service to residents within a local region (i.e. state, not national). They are low-cost producers of VoIP services.

¹ This study did not perform any attacks against the VoIP service providers' networks.
² A follow-up assessment with a larger pool of service providers and an extended assessment methodology is planned in the future. For more information you can contact [email protected].
³ SP stands for Service Provider.

1.2 The VoIP Gateways

The type (vendor and capabilities) of the VoIP gateways and the service architecture varied among the service providers. For the remainder of the paper we will reference the VoIP gateways as follows:

VG⁴-1: Uses the SIP protocol for signaling and the RTP protocol for media (voice).
VG-2: Uses the MGCP protocol for signaling and the RTP protocol for media (voice).
VG-3: Uses the SIP protocol for signaling and the RTP protocol for media (voice).

The following table outlines each service provider's corresponding device.

Service Provider   Voice Gateway   Protocols Used
SP-1               VG-1            SIP/RTP
SP-2               VG-2            MGCP/RTP
SP-3               VG-3            SIP/RTP

Table 1 - Service Providers' VoIP Gateways

The following figure provides a high level representation of the SOHO/Residential VoIP gateway topology.

[Figure 1 - High Level Topology]

All three voice gateways have an "internal" Ethernet port that is used for managing the device and an "external" port that is used to connect to the Internet service provider's cable/DSL modem.

Gateway VG-1 has the ability to connect directly to a cable modem's Ethernet port and be assigned a routable IP address. It can also be deployed behind a wired or wireless Internet gateway (e.g. a Linksys router) and be assigned a non-routable IP address.

SP-2 requires that gateway VG-2 (using MGCP) be connected directly to the SOHO/Residential bridge (i.e. cable/DSL modem) and not behind a NAT device (although this is contradicted by online postings which claim that users were able to use the gateway behind a NAT device).

Gateway VG-3 has the ability to connect directly to a cable/DSL modem's Ethernet port and be assigned a routable IP address. It can also be deployed behind a wired or wireless Internet gateway and be assigned a non-routable IP address. Based on the results of the analysis it is recommended to place VG-3 behind another routing device (e.g. a NAT device) due to the associated security risks.

⁴ VG stands for Voice over IP Gateway.

1.3 Methodology

In order to support the aforementioned objectives of this study, the assessment methodology focused on the following areas:

- Manageability
  o Remote management
  o Authentication
  o Authorization (e.g. unprivileged versus privileged user)
  o Session confidentiality and control (e.g. session timeout)
  o Software updates
  o Configuration updates
- Signaling Security
  o Message authentication
  o Message confidentiality
  o Information leakage and the effort required to gather it remotely
  o Robustness of the software implementation
- Media Security
  o Message authentication
  o Message confidentiality
  o Information leakage and the effort required to gather it remotely
  o Robustness of the software implementation
- Node Security
  o Operating system security (e.g. users and services)
  o Default configuration

The tools that were used for this analysis are outlined in the following table:

Area of focus        Tool                             Purpose
Manageability        Ethereal v0.10.10                Monitor management sessions to identify associated attributes (e.g. authentication and encryption)
Node Security        Nmap v3.5, Nessus v2.2           Identify open ports/services; identify known vulnerabilities
Signaling Security   Ethereal v0.10.10, SIVuS v1.09   Traffic analysis; traffic injection and robustness
Media Security       Ethereal v0.10.10, SIVuS v1.09   Traffic analysis; robustness
Robustness           PROTOS                           Robustness testing of the signaling implementation

Table 2 - Analysis Tools

2 Findings

Several findings were discovered during this research which dramatically impact the target VoIP gateways and service providers at various levels. We introduce and discuss only those findings which are actionable in the near term and leave open the opportunity for future research which will go deeper into peripheral classes of vulnerabilities. This paper discusses only the findings that provide enough useful information to establish a starting point for future work while maintaining a level of confidentiality for the affected parties.

It should be noted that all target VoIP gateways were reachable from the Internet (verified by sending ICMP requests) and are thus susceptible to various attacks (i.e. network layer DoS, and application layer scanning and DoS for VG-1 and VG-3).

2.1 Manageability

All target VGs provide a management interface for device administration and configuration (from the internal interface). The management interfaces for VG-1, VG-2, and VG-3 run on port 80 and provide an HTML graphical user interface.

None of the SOHO/Residential VoIP gateways use Secure Socket Layer (SSL) to protect communications between the user's browser and the remote gateway. Thus the communication can be intercepted, including credentials (such as the admin user-id and password) and management commands. Although it may be argued that the gateways are typically deployed in small environments where the threat level is low and SSL encryption is not needed for the internal management interface, the fact remains that these devices are deployed in small offices which may also be using other technologies and network connections (e.g. an insecure wireless access point) that may be poorly configured and vulnerable.
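The methodology's "monitor management sessions" step amounts to looking at one captured HTTP request and asking what a passive observer on the path learns. The following Python, added here as an example and not code from the paper or its authors, automates that check: it parses a captured management request, decodes an HTTP Basic header (base64, not encryption) and recognises credential fields in a form POST, and reports them as exposed whenever the transport was plain HTTP. The request bytes, host, path, user name and password are constructed placeholders.

```python
"""Inspect one captured management-session request for credential exposure.

Added example, not code from the paper or its authors. The request below is
constructed sample data: the host, path, user name and password are
placeholders, not values from any real gateway.
"""
import base64
from urllib.parse import parse_qs

# Constructed sample: a login POST to a hypothetical admin page, seen on
# port 80 without TLS, carrying both an HTTP Basic header and a form body.
SAMPLE_REQUEST = (
    b"POST /admin/login.cgi HTTP/1.1\r\n"
    b"Host: 192.168.1.1\r\n"
    b"Authorization: Basic YWRtaW46cGxhY2Vob2xkZXI=\r\n"   # admin:placeholder
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 39\r\n"
    b"\r\n"
    b"user=admin&password=placeholder&login=1"
)

# Form field names that commonly carry credentials on embedded-device UIs.
CREDENTIAL_FIELDS = {"user", "username", "login", "password", "passwd", "pwd"}


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body.decode("latin-1")}


def inspect_management_session(raw: bytes, port: int, tls: bool) -> dict:
    """Report what a passive observer on the path learns from one request.

    `port` and `tls` describe the transport the capture tool saw the request
    on; the HTTP bytes alone do not say whether they travelled inside TLS.
    """
    req = parse_http_request(raw)
    exposed = []                      # (where, username) pairs readable in clear
    auth = req["headers"].get("authorization", "")
    scheme, _, param = auth.partition(" ")
    if scheme.lower() == "basic" and param:
        # Basic is base64 encoding, not encryption: the pair decodes trivially.
        user = base64.b64decode(param).decode("latin-1").partition(":")[0]
        exposed.append(("basic-auth", user))
    if req["headers"].get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(req["body"])
        if CREDENTIAL_FIELDS & set(form):
            user = next((form[k][0] for k in ("user", "username", "login") if k in form), "")
            exposed.append(("form-post", user))
    findings = []
    if not tls:
        findings.append(f"management session on port {port} is unencrypted: "
                        "commands and credentials are readable on the path")
        for where, user in exposed:
            findings.append(f"{where}: user name '{user}' and password recoverable in the clear")
    return {"transport": f"{'https' if tls else 'http'}/{port}",
            "auth_scheme": scheme.lower() or "none",
            "credentials_exposed": [] if tls else exposed,
            "findings": findings}
```

Run against the sample on port 80 without TLS the report lists both the Basic header and the form fields as recoverable; the same bytes seen inside TLS on 443 produce no findings, which is the difference the paper's SSL recommendation is about.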

In addition, the devices did not offer role-based access (i.e. operator, administrator) for management. Although this may not appear to be a critical capability for a residential gateway, in a remote office environment (i.e. corporate branch, home office) it may be required by the organizational security policy.

And last, the devices do not maintain logs of the traversed traffic or of configuration changes, thus making it difficult to troubleshoot and perform forensics if required.

2.2 Node Security

All three devices performed well during the vulnerability analysis using the Nessus scanner. This doesn't mean that the devices are not vulnerable, but rather that they are not susceptible to the known vulnerabilities available in automated vulnerability scanners such as Nessus.

One of the known techniques used by attackers to gain access to vulnerable hosts is to identify open ports (e.g. by port-scanning) and the corresponding services that may have vulnerabilities. During the port-scanning exercise, all 65534 UDP and TCP ports on the internal and external interfaces of the target VGs were scanned.

Gateways VG-1 and VG-2 do not maintain any open ports on the external interface except the ones used for signaling and media, which are allocated dynamically.

The results from the port scans are summarized in the following table:

VoIP Gateway   Internal Interface (open ports)     External Interface (open ports)
VG-1           80/tcp                              5061/udp
VG-2           80/tcp                              none⁵
VG-3           23/tcp, 80/tcp, 161/udp, 443/tcp    23/tcp, 80/tcp, 161/udp, 443/tcp, 17185/udp, 5060/udp

Table 3 - Open ports

Although VG-2 requires a listening port to accept incoming calls, it was not identified during port scanning since packets originating from the testing host are not permitted to connect to VG-2's signaling ports. VG-2 has a stateful port firewall that restricts connections from unauthorized hosts.

Some of the most significant findings include:

Default passwords; all SOHO/Residential gateways were delivered with default passwords; a quick search on the Internet provided privileged access (on the internal or external interfaces where applicable) to every device.

Publicly exposed ports and services; the analysis of VG-3 revealed that management ports (e.g. 23/tcp, 80/http, 161/snmp and 443/tcp) are open on the external interface and accessible from the Internet, thus exposing the device to various attacks. Furthermore, default settings on the services running on these ports (e.g. default SNMP community strings, telnet login and password) increase the opportunity for an attack.

⁵ Based on testing results, review of documentation and online postings, it appears that the VG uses a stateful packet filtering (SPF) mechanism which allows connections only from authorized hosts (e.g. similar to tcpwrappers).

2.3 Signaling Security

The security of the signaling messages was another area of focus during this study. Given that the modern PSTN treats signaling data flows as semi-trusted across network boundaries, our findings raise several concerns.

None of the implementations used confidentiality mechanisms to protect signaling messages. As such, the messages were exposed to several attacks. Some of the most significant findings include:

Registration and call/identity hijacking; during this study we were able to intercept SIP registration messages, modify and replay them, and divert any subsequent communications (incoming calls) to another host which was using a SIP soft-phone. This finding was applicable to both SIP VGs and positively answers our initial question of "Can user registration or user's identity be hijacked?"

Implementation issues (e.g. buffer overflows); during the robustness testing several test cases rendered the target SOHO/Residential VoIP gateway inoperable (e.g. the gateway did a soft reset) or interrupted an existing call. The test cases included various types of malformed messages (e.g. null string, alphanumeric combination) that the SIVuS v1.09 scanner generates.

Denial of Service; a message amplification attack⁶ was performed against the signaling port of the VoIP gateways to verify whether the VoIP gateway has the ability to initiate calls or maintain a call during an attack. The results demonstrated that the VoIP gateways could maintain an existing call but the audio quality was degraded by ~20%. Furthermore, the VoIP gateways were not able to initiate new outbound calls or receive inbound calls during the attack. The behavior of the attached phone varied during the attack (e.g. long rings or short intercepted rings, no dialtone). This answers our initial question "What DoS attacks may be applicable?".

Other known issues [3] [4] were verified, which include denial of service attacks (i.e. UDP/TCP floods) against the signaling and management ports of the voice gateways.

2.4 Media Security

All SOHO/Residential VoIP gateways used the Real-time Transport Protocol (RTP) for the media streams. None of them provided any security controls (e.g. authentication, confidentiality) to protect against attacks such as eavesdropping, packet replay, packet injection etc. Some of the most significant findings include:

Eavesdropping; the ability to intercept, collect and decode voice traffic using Ethereal. Furthermore, this vulnerability allowed our research to capture embedded values in the RTP data streams which are used in voice mail passwords, calling cards, and telephone banking. The risk to the end user was determined to be very serious.

Voice quality degradation and media manipulation; during traffic amplification and message manipulation attacks (e.g. DoS against RTP traffic) we observed voice quality degradation and also the ability to disrupt existing communications and inject media packets. The impact on the end user as a result of such attacks varies from annoying to life threatening. This contributes to our answer to our initial question "What DoS attacks may be applicable?".

2.5 General observations

Although this study was focused on the aforementioned areas, some additional general observations were made which provide further insight into the routing and susceptibility to attacks.

In general the service provider implementations addressed a minimal set of security objectives, thus exposing the gateways and subscribers to various attacks. The following table summarizes the status of the security objectives that each service provider and respective device have implemented:

Security Objective   VG     Status
Authentication       VG-1   Provides authentication for initial REGISTRATION and INVITE messages
                     VG-2   Provides no authentication
                     VG-3   Provides authentication for initial REGISTRATION and INVITE messages
Confidentiality      VG-1   Provides no confidentiality
                     VG-2   Provides no confidentiality
                     VG-3   Provides no confidentiality
Message integrity    VG-1   Integrity is not enforced, although proper syntax is checked
                     VG-2   Integrity is not enforced, although proper syntax is checked
                     VG-3   Integrity is not enforced, although proper syntax is checked

Table 4 - Security Objectives Implemented by VGs

The data from traffic analysis revealed that SP-1 (with VG-1) is routing unencrypted SIP over UDP using port 5061 instead of port 5060. Traditionally, port 5061 is allocated for SIP encrypted with Transport Layer Security (TLS). We suspect that there may be two explanations for this architectural configuration:

a) Security through obscurity (i.e. the claim that secure signaling is used for the service, since traffic is routed through port 5061, which is designated for TLS).

b) Restricting subscribers from using their equipment with another SOHO/Residential VoIP service provider. Additional analysis revealed that this approach is implemented at the edge of the network, between the residential gateway and the first SIP Proxy/Registrar. Port 5060 is used by network elements that reside towards the core of the network. For example, the following information was captured during an incoming call to the target SOHO/Residential VoIP gateway, and the Via fields list the traversed proxies:

Via: SIP/2.0/UDP x.x.x.55:5061
Via: SIP/2.0/UDP x.x.x.174:5060
Via: SIP/2.0/UDP x.x.x.206:5060;branch=z9hG4bK1207

The network element with IP x.x.x.55 serves as the SOHO/Residential gateway's Proxy/Registrar and all communications are performed through port 5061. Based on the information from the remaining Via headers, the signaling occurs at port 5060. Furthermore, the lack of security mechanisms to protect the signaling headers reveals information that can be used to narrow an attack (i.e. protocol headers such as Via in SIP maintain a list of intermediate proxies that can be targeted).

⁶ The attacks were generated using the SIVuS Message Generator, which allows crafting and generation (e.g. 10,000 messages) of specific SIP messages.

3 Recommendations

Although some skeptics feel that security may impact the quality and performance of VoIP (i.e. implementing cryptographic controls to protect the media streams), there have been studies which help clarify that quality is not affected if the appropriate controls are implemented correctly [3].

This study demonstrates that additional efforts are required by VoIP service providers and product vendors in order to improve service and subscriber security. Several of the findings in this study are associated with poor or nonexistent security requirements. The following are recommended areas for improvement:

Architecture; service providers should consider developing architectures that provide control and isolation of network topology and routing, along with mechanisms to detect and prevent attacks (i.e. Denial of Service attacks) against subscriber gateways [1] [4].

Robust implementations; product vendors should take a proactive role in developing software and firmware that follow secure programming practices. Furthermore, proper implementation of standards will allow the use of recommended security features such as Transport Layer Security (TLS) for SIP and the Secure Real-time Transport Protocol (SRTP) for media streams.

Security requirements; security requirements for Voice over Packet networks are in their initial stages. Standards organizations (i.e. IETF, ATIS, ITU) have made some progress in identifying security controls for the protocols used in signaling and media messages. Additional efforts are required to promote the development of security requirements which product vendors, service providers and carriers should implement to help maintain an adequate security posture and protect subscribers and network elements from attacks (i.e. Network-to-Network Interface security requirements or SOHO gateway requirements). Initiatives such as the VoPSecurity Forum and VoIPSA may contribute to these efforts.

Although the industry has emphasized the need to address general security in networked devices, including VoIP, some vendors and service providers choose to maintain a weak security posture. As with most Internet services, "time to market" appears to be trumping security, while a minority of vendors have chosen to consider and act upon recommendations to improve and maintain an adequate security posture. We believe that one differentiator is the development and adoption of security requirements during product inception and design, prior to development and deployment. Thus security is not realized (as it has been traditionally) as a significant cost later on. The single differentiator appears to be compromising security in the SOHO/Residential market space. Should this lack of concern propagate into the carriers' switching fabric it might compromise the global market space. Vendors and service providers must be willing to put forth efforts to include security throughout the development and maintenance process.
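Several of the signaling findings above (the unauthenticated registrations of Table 4, the registration hijacking of section 2.3, and the cleartext SIP on port 5061 and exposed Via chain of section 2.5) can be watched for passively, which is the "detect attacks against subscriber gateways" side of the Architecture recommendation. The Python below is an added example, not code from the paper or from VoPSecurity.org: a small SIP parser plus a monitor that correlates REGISTER requests with their final responses by Call-ID, so that the first leg of a normal Digest exchange (which legitimately carries no credentials) is not flagged, while a 200 OK to a credential-less REGISTER, or an accepted REGISTER that moves an address-of-record to a different host, is. It also flags cleartext SIP seen on 5061/udp and lists the Via hops. Hosts, the sample user and the Call-IDs are constructed; the three Via lines reuse the values captured in section 2.5.

```python
"""Passive SIP signaling checks from a tap on the gateway's external side.

Added example, not code from the paper or VoPSecurity.org. Hosts, user and
Call-IDs are constructed; the Via lines reuse the paper's x.x.x.* capture.
"""
import re

HEADER_ALIASES = {"v": "via", "f": "from", "t": "to", "m": "contact", "i": "call-id"}


def parse_sip(raw: bytes) -> dict:
    """Split a SIP request or response into start-line fields and header lists."""
    head, _, body = raw.decode("utf-8", "replace").partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        name = HEADER_ALIASES.get(name, name)       # compact forms (v:, f:, ...)
        for v in value.split(","):                   # Via/Contact may list several values
            headers.setdefault(name, []).append(v.strip())
    start = lines[0].split(" ", 2)
    is_request = not start[0].startswith("SIP/")
    status = int(start[1]) if not is_request and len(start) > 1 and start[1].isdigit() else None
    return {"method": start[0] if is_request else None, "status": status,
            "headers": headers, "body": body}


def looks_like_sip(payload: bytes) -> bool:
    """True when a datagram is cleartext SIP (a TLS record never matches)."""
    first = payload.split(b"\r\n", 1)[0]
    return re.match(rb"^(?:[A-Z]+ \S+ SIP/2\.0|SIP/2\.0 \d{3} )", first) is not None


def check_sip_port_usage(payload: bytes, dst_port: int) -> list:
    """Flag cleartext SIP sent to 5061, the port assigned to SIP over TLS."""
    if dst_port == 5061 and looks_like_sip(payload):
        return ["cleartext SIP on 5061/udp: port suggests TLS but signaling is unprotected"]
    return []


def via_chain(msg: dict) -> list:
    """(host, port) hops listed in the Via headers, topmost (nearest) first."""
    hops = []
    for via in msg["headers"].get("via", []):
        sent_by = via.split(";")[0].split()[-1]          # "SIP/2.0/UDP h:p" -> "h:p"
        host, _, port = sent_by.rpartition(":")
        hops.append((host or sent_by, int(port) if port.isdigit() else 5060))
    return hops


def _uri_in(header_value: str) -> str:
    """URI inside '"Name" <sip:u@h>;tag=x' or a bare 'sip:u@h;params'."""
    m = re.search(r"<([^>]+)>", header_value)
    return (m.group(1) if m else header_value).split(";")[0].strip()


def _host_of(uri: str) -> str:
    """Host part of sip:user@host:port."""
    return re.sub(r"^sips?:", "", uri).split("@")[-1].split(":")[0]


class RegistrationMonitor:
    """Correlate REGISTER requests with their final responses per Call-ID."""

    def __init__(self):
        self.bindings = {}   # AOR -> contact host of the last accepted registration
        self.pending = {}    # Call-ID -> (aor, contact host, carried credentials?)

    def observe(self, raw: bytes, dst_port: int = 5060) -> list:
        msg = parse_sip(raw)
        h = msg["headers"]
        findings = check_sip_port_usage(raw, dst_port)
        call_id = h.get("call-id", [""])[0]
        if msg["method"] == "REGISTER":
            aor = _uri_in(h.get("to", [""])[0])
            host = _host_of(_uri_in(h.get("contact", [""])[0]))
            # First REGISTER of a Digest exchange lacks credentials by design
            # (401 follows); what matters is whether the registrar accepts it.
            authed = "authorization" in h or "proxy-authorization" in h
            self.pending[call_id] = (aor, host, authed)
        elif msg["status"] == 200 and call_id in self.pending:
            aor, host, authed = self.pending.pop(call_id)
            if not authed:
                findings.append(f"registrar accepted REGISTER for {aor} without credentials")
            previous = self.bindings.get(aor)
            if previous and previous != host:
                findings.append(f"{aor} re-bound from {previous} to {host}; confirm with the subscriber")
            self.bindings[aor] = host
        return findings


def sample_register(host: str, call_id: str) -> bytes:
    """Constructed REGISTER without credentials binding the sample AOR to `host`."""
    return (f"REGISTER sip:example.net SIP/2.0\r\nVia: SIP/2.0/UDP {host}:5060;branch=z9hG4bK{call_id}\r\n"
            f"From: <sip:2015550100@example.net>;tag=1\r\nTo: <sip:2015550100@example.net>\r\n"
            f"Call-ID: {call_id}@{host}\r\nCSeq: 1 REGISTER\r\nContact: <sip:2015550100@{host}:5060>\r\n"
            "Content-Length: 0\r\n\r\n").encode()


def sample_ok(host: str, call_id: str) -> bytes:
    """Constructed 200 OK matching sample_register(host, call_id)."""
    return f"SIP/2.0 200 OK\r\nCall-ID: {call_id}@{host}\r\nCSeq: 1 REGISTER\r\nContent-Length: 0\r\n\r\n".encode()


# Constructed INVITE arriving on 5061/udp; the Via values are the paper's capture.
SAMPLE_INVITE_5061 = (
    b"INVITE sip:2015550100@198.51.100.10 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP x.x.x.55:5061\r\n"
    b"Via: SIP/2.0/UDP x.x.x.174:5060\r\n"
    b"Via: SIP/2.0/UDP x.x.x.206:5060;branch=z9hG4bK1207\r\n"
    b"Call-ID: inv1@x.x.x.206\r\nContent-Length: 0\r\n\r\n"
)


def run_demo() -> dict:
    """Replay the constructed exchange: a legitimate binding, then a re-binding."""
    mon = RegistrationMonitor()
    return {
        "first": mon.observe(sample_register("198.51.100.10", "reg1"))
                 + mon.observe(sample_ok("198.51.100.10", "reg1")),
        "rebind": mon.observe(sample_register("203.0.113.7", "reg2"))
                  + mon.observe(sample_ok("203.0.113.7", "reg2")),
        "invite": mon.observe(SAMPLE_INVITE_5061, dst_port=5061),
        "via": via_chain(parse_sip(SAMPLE_INVITE_5061)),
    }
```

The monitor keys on the registrar's acceptance rather than on the request alone, because a credential-less REGISTER followed by a 401 challenge is the normal Digest flow; only a 200 OK without any credentials having been sent corresponds to the "provides no authentication" row of Table 4. A contact re-binding is reported as something to confirm with the subscriber, not as an attack in itself, since the subscriber may simply have moved the gateway.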

This study provides a snapshot of the current security posture of only three VoIP service providers and their respective SOHO/Residential gateways. The number of VoIP service providers has more than doubled in the past 24 months. We plan to conduct a subsequent study that uses additional VoIP providers, with a methodology that penetrates the data flows and compares the vendors' implementations to the actual standards.

4 Conclusions

The results of this study demonstrate that several security issues exist in SOHO/Residential VoIP gateways which can impact subscribers at various levels. These findings are associated with the areas of management, node security, signaling and media, specifically:

- Management
  o Management session confidentiality
  o Role-based access and authorization
- Node Security
  o Default passwords
  o Publicly exposed ports and services
- Signaling
  o Registration and call/identity hijacking
  o Implementation issues (e.g. buffer overflows)
  o Denial of Service
- Media Security
  o Eavesdropping
  o Voice quality degradation and media manipulation

5 References

[1] Charlie Kaufman, Radia Perlman, Bill Sommerfeld, "DoS Protections for UDP-Based Protocols", Proceedings of the 10th ACM Conference on Computer and Communications Security, Washington DC, 2003
[2] Debbie Greenstreet, Sophia Scoggins, "Building Residential VoIP Gateways: A Tutorial, Part Four: VoIP Security Implementation", Texas Instruments Incorporated
[3] Thomas Bowen, John Haluska, Panayiotis Thermos, Steve Unger, "Using IPSec and Intrusion Detection to protect SIP implanted IP telephony", IEEE GlobeCom 2004
[4] John Larson et al., "Defending VoIP Networks from DDoS Attacks", IEEE GlobeCom 2004
[5] C. Weiser, M. Laakso, H. Schulzrinne, "Security Testing of SIP Implementations", 20 Feb 2005, http://www1.cs.columbia.edu/~library/TRrepository/reports/reports-2003/cucs-024-03.pdf