Wiretapping VoIP: Techniques to exploit VoIP over WLAN 1

1
Wiretapping VoIP Techniques to exploit VoIP
over WLAN 1
EECE 702, Wireless Security

• Young J. Won (20063292)
• Date May 30, 2007
• Email yjwon_at_postech.ac.kr
• DP NM Lab., POSTECH

2
Introduction

• Security of the VoIP are mainly related to
• Weakness of the combination of the SIP and RTP
  protocols
• Assuming WPA enabled (rather than WEP)
• Several types of attack
• Eavesdropping and sniffing of VoIP WLAN
• Man in the Middle Attack
• Denial of Service
• Call Interruption
• Build false calls
• US Patents

3
Secure SIP/RTP

• Session Initiation Protocol RFC 3261
• Realtime Transport Protocol RFC 3550
• Transporting the multimedia datastream
• Sending packets via UDP
• To become the standard protocol for VoIP
• Protocol for Multimedia-support in UMTS

4
VoIP Element Topology

• NIST publication 800-58
• Security considerations for Voice over IP
  systems, vulnerabilities, and etc.

5
Eavesdropping and Sniffing

• Interception of the VoIP call is even simpler
• Listen to an unprotected WiFi network
• RTP stream reassembly using Ethereal
• Identify the VoIP calls, using the SIP protocol
• Graphical representation of packet exchange

6
Man in the Middle Attack (1/2)

• Two wireless adapters in the same machine
• Master mode - rogue AP
• http//sourceforge.net/projects/ipw2200-ap
• Manipulating signal strength?

7
Man in the Middle Attack (2/2)

• Using Airreplay to
• Inject in the wireless network through the
  interface the de-authentication frame
• Disconnect the client from his legitimate AP
• Observing the VoIP packets
• Determine the UDP port, then forward packets
  using iptables.

8
Denial of Service (1/2)

• A SIP service can fail because of an invalid SIP
  not valid messages
• Monitoring SIP messages
• Using SIP, INVITE messages to find out
  vulnerabilities
• Call Conductor v. 1.03
• Discovery of SIP vulnerabilities
• INVITE messages with negative Content-Length
• INVITE messages with Content-Length higher than
  1073741823 bytes
• Express Talk X-lite free Open Source tools
• Attacking the wireless station
• Not being associated ourselves

9
Denial of Service (2/2)

• Exceptional Element Categories
• Known vulnerabilities - SIP
• PROTO

10
Call Interruption

• Forwarding of a BYE message
• immediate call interruption
• Using CANCEL method
• Detect SIP setup, collect INVITE message
• scapy library
• injecting the message in the wireless channel
• Interactive packet manipulation program
• Decoding protocols (including VoIP decoding on
  WEP encrypted channel)
• http//www.secdev.org/projects/scapy/

11
Building False Calls

• Injecting an acknowledgement packets containing
• The same and destination fields of the previous
  INVITE request, Call-ID field
• Terminals do not receive the audio
• Discrepancy between the UDP ports (RTP stream)
• This produces many contemporary SIP calls inside
  the network
• Detecting attack attempts

12
Challenges of Wireless Monitoring

• Limited capacity of each sniffer each sniffer
  has the limitations, e.g. on signal receiving
  range, disk space, processing power, etc.
• Placement finding the best location for each
  sniffer is difficult.
• Data collection it is difficult to collect and
  synchronize a large volume of data from multiple
  sniffers.

13
US Patents

• Methods and Apparatus for Wiretapping IP-Based
  Telephone Lines
• Protecting Wireless Local Area Networks From
  Intrusion by Eavesdropping on the Eavesdroppers
  and Dynamically reconfiguring Encryption Upon
  Detection of Intrusion
• Method and System for Providing Private Virtual
  Secure Voice Over Internet Protocol
  Communications
• Peer-to-Peer Telephone System Skype (World
  Intellectual Property Organization)

14
US Patent (1)
15
US Patent (2)
16
Conclusion

• Introduction to
• Security Measures by VoIP Wireless technologies
• We have looked at attacks in VoIP over WLAN
• Eavesdropping and sniffing of VoIP WLAN
• Man in the Middle Attack
• Denial of Service
• Call Interruption
• Build false calls
• US Patents about Wiretapping of VoIP in wireless
• Monitoring framework in wireless networks
• Issues and security measured in wired environment
• Monitoring VoIP call over WLAN using commodity
  hardware in mobility - Interference and Location
  Discovery ?

17
Reference

• G. Me, D. Verdone. An Overview of Some
  Techniques to Exploit VoIP over WLAN,
  International Conference on Digital
  Telecommunications, 2006.
• S. Upson. Wiretapping Woes, IEEE Spectrum, May
  2007.
• A. Batchvarov. Security Issues and Solutions for
  Voice over IP compared to Circuit Switched
  Networks, INFOTECH Seminar ACS, 2004.
• J. Yeo et al. A Framework for Wireless LAN
  Monitoring and Its Applications, WiSE, October
  2004.
• A. Bakre. Intel VoIP over WLAN Architecture,
  WICON, August 2006.