Download Lesson 8

Securing Your Voice and Voice
over Network Assets
Lesson 08
Wiretapping and Eavesdropping

Wiretapping
Legal perspective (individual and gov)
Techniques
– Tape recorder
– Lineman handset
– Small RF transmitter in handset
PBX soft wiretap
Telephones as listening devices
 Eavesdropping

Cordless (1.6-1.8MHz, 43.7-49.97MHz, 900MHz)
Cellular
– Conversation not the good stuff, the ‘serial’ number is -- cloning
Telecommunications Fraud
 Blue Boxes
blue box n. 1. obs. Once upon a time, before all-digital switches
made it possible for the phone companies to move them out of band,
one could actually hear the switching tones used to route long-distance
calls. Early phreakers built devices called `blue boxes' that could
reproduce these tones, which could be used to commandeer portions
of the phone network. (This was not as hard as it may sound; one early
phreak acquired the sobriquet `Captain Crunch' after he proved that he
could generate switching tones with a plastic whistle pulled out of a box
of Captain Crunch cereal!) There were other colors of box with more
specialized phreaking uses; red boxes, black boxes, silver boxes, etc.
2. n. An IBM machine, especially a large (non-PC) one.
(from
Jargon File)
Telecommunications Fraud

PBX Fraud
Common
– A university with $200K bill
– A computer manufacturer with $300K
– “call sell” operation with $1.4M tag
Risk of being caught generally low
No special equipment needed
There is money to be made in it!
Commonly exploited through dial-up connection directly to
the PBX
– Discover number through war-dialing or social engineering
– Once you have number, now you have to get past the password
Octel Voice Network Login
System Manager password is a #
 By default, set to 9999

From “Hacking Exposed”
Copyright (C) 1994-1998 Octel Communications Corporation. All Rights Reserved
Please Enter System Manager Password:
Number must be entered
Enter the password of either System Manager mailbox, then press “Return.”
9999
Williams PBX
 Type login
 Will be followed with prompt to enter user
number.
Requires four-digit numeric access code.
– (how long will it take to guess one?)
Meridian Links
 Looks similar in response to a Unix-based box
 userid: maint
Password: maint will get you into
management console
 userid: mluser Password: mluser will do the same
 will put you into a restricted unix shell
ROLM PhoneMail
 Default Accounts:
LOGIN: sysadmin
LOGIN: tech
LOGIN: poll
PASSWORD: sysadmin
PASSWORD: tech
PASSWORD: tech
ATT Definity G/System 75
 Lots of possibilities here
ATT UNIX S75
Login:
Password:
enquiry/enquirypw
maint/rwmaint
rcust/rcustpw
support/supportpw
kraft/kraftpw
init/intpw
locate/locatepw
cust/custpw
bcms/bcms
craft/craftpw
browse/looker
tech/field
inads/inads
blue/bluepw
field/support
Threats to PBXs






Theft of service – I.e., toll fraud, probably the most common of motives for attackers.
Disclosure of information – data disclosed without authorization, either by deliberate
action or by accident. Examples include both eavesdropping on conversations or
unauthorized access to routing and address data.
Data modification – data altered in some meaningful way by reordering, deleting or
modifying it. For example, an intruder may change billing information, or modify
system tables to gain additional services.
Unauthorized access – actions that permit an unauthorized user to gain access to
system resources or privileges
Denial of service – actions that prevent the system from functioning in accordance
with its intended purpose. A piece of equipment may be rendered inoperable or
forced to operate in a degraded state.
Traffic analysis – a form of passive attack in which an intruder observes information
about calls and makes inferences from things such as the source and destination
numbers, or the length or frequency of the calls.
PBX security –vs- OS security

PBXs are sophisticated computer systems, and many of the threats and
vulnerabilities associated with OS’s are shared by PBXs. There are,
however, two important distinctions:
External access/control – Like larger telephone switches, PBXs typically require
remote maintenance by the vendor. Instead of relying on local administrators to
make operating system updates and patches, organizations normally have updates
installed remotely by the switch manufacturer. This of course requires remote
maintenance ports.
Feature richness – The wide variety of features available on PBXs, particularly
administrative features and conference functions, provide the possibility of
unexpected attacks. A feature may be used by an attacker in a manner that was
not intended by its designers. Features may also interact in unpredictable ways
causing security problems. Even though the features may be fairly standard, the
implementation between vendors is different, thus the reason instruments can often
not be interchanged between PBXs.
PBX susceptibility to tapping

A PBX’s susceptibility to tapping depends on the methods
used for communication between the PBX and its instruments.
This may include voice, data, and signaling information.
Signaling information is typically commands to the instrument (turn
on indicators, microphones, speakers, etc.) and status from the
instrument (hook status, keys pressed, etc.).
Three general communication methods exist
– Analog Voice with separate Control Signals
– Analog Voice with inclusive Control Signals
– Digital Voice with Inclusive Control Signals
Analog Voice with separate Control
Signals
Simplest method. Analog voice is passed between the PBX and the
instrument on either a single pair of wires or two pairs (one for transmit
and one for receive). If there is any additional signaling
communication (other than the hook switch) between the PBX and the
instrument, it is done on wires that are separate from the voice pair(s).
 Voice information is transmitted essentially as it is picked up by the
microphone. It is in a form that can be directly reproduced by a
speaker.
 The voice line can be easily tapped by connecting an amplifier to the
pair of voice wires. The amplified voice signal can then be heard
directly with a speaker or headphones or be recorded.

Analog Voice with inclusive Control
Signals
Analog voice and control signaling is passed between the PBX
and the instrument on either a single pair of wires or two pairs.
This can be done if the signal path is of high enough
bandwidth to pass voice information (less than 4KHz) plus
additional data information. For example, voice information
can be combined with data information modulated onto a
carrier tone that is centered outside of the voice band.
 Vulnerable to tapping by connecting an amplifier to the pair
and passing signal through filters to separate the voice and
data information. Data information can be recovered by
demodulating the carrier tone.

Digital Voice with Inclusive Control
Signals
Voice and control signaling data are passed across the same
pair of wires. There may be two pairs of wires, one for each
direction, or both directions could be combined onto one pair
of wires using echo cancellation. Conventional tapping
techniques won’t work against most types of digital lines. The
format and type of digital signals that pass between the PBX
and its instruments vary widely between vendors.
 If separate pairs are used for transmit and receive, each pair
could be tapped to provide access to the bit streams but the
format needs to be determined.

Echo Cancellation
If both transmit and receive are combined on one pair using
echo cancellation, the previously described methods would
not be useful for tapping.
 Each transmit end of the link can only determine what is being
received by subtracting out what it is transmitting from the
total signal.
 An outside observer tapping the line somewhere between the
two ends would only have access to the total signal and
would therefore find it very difficult to reproduce either end.
An attack would depend on a known original condition on an
end.

Maintenance Feature
Vulnerabilities


Maintenance-out-of-service (MOS) – this feature allows maintenance
personnel to place a line out of service for maintenance. If a line is
placed MOS while it is in operation, the PBX may terminate its
signaling communication with the instrument and leave the instrument’s
voice channel connection active even after the instrument is placed onhook.
Line Testing Capabilities – the ability to connect two lines together in
order to transmit data from one line to the other and verify whether or
not the second line receives the data properly. This feature would
allow someone with maintenance access to connect a user’s
instrument to an instrument at another location in order to eavesdrop
on the area surrounding the user’s instrument without the user’s
knowledge.
Securing Voice over Networks
The Promise of IP Telephony
 World moving toward “converged” networks
 Benefits usually cited for implementing VoIP
Long-Distance toll savings
Increased number of calls with less bandwidth
Additional and enhanced services
Most efficient use of IP assets
Combined network/telecom infrastructure
Additional Issues
 Related VoIP Issues
International calls
Telemarketing
Call Centers
Facsimile
IP Telephony Protocols

H.323
ITU -- 1996, 1998, 1999

SIP – Session Initiation Protocol
IETF -- 1999

MGCP – Media Gateway Control Protocol
(Megaco/H.248)
IETF/ITU -- 1999
IP Telephony Overview
H.323 Architecture
Router
MCU
Gatekeeper
Gatekeeper
Ethernet
Phone
intranet, Internet, VPNs
Ethernet Phone
H.323 Terminal
Gateway
PBX-std.
Phone
Packet-switched
IP Network
H.323
Terminal
Router
Gateway
PBX
Circuit-switched
Networks
Standard
Phone
PBX
PSTN, ISDN, wireless
From: “Security Requirements and Constraints of VoIP” by Mika Marjalaakso
H.323 Components


Terminal – a terminal, or a client, is an endpoint where H.323
data streams and signaling originate and terminate. It may be a
multimedia PC with a H.323 compliant stack or a standalone
device such as a USB (universal serial bus) IP telephone. A
terminal must support audio communication; video and data
communication support is optional.
Gateway – a gateway is an optional component in a H.323enabled network. When communication is required between
different networks a gateway is needed at the interface. It
provides data format translation, control signaling translation,
audio and video codec translation, and call setup and termination
functionality on both sides of the network.
H.323 Components (cont.)

Gatekeeper – a gatekeeper is a very useful, but
optional, component of an H.323-enabled network.
Gatekeepers are needed to ensure reliable,
commercially feasible communications. When a
gatekeeper exists all endpoints (terminals, gateways,
and MCUs) must be registered with it.
A gatekeeper provides several services to all endpoints in its
zone. These services include:
–
–
–
–
Address translation
Admission and access control of endpoints
Bandwidth management
Routing capability
H.323 Components (cont.)

MCU – a multipoint control unit (MCU) enables
conferencing between three or more endpoints.
Although the MCU is a separate logical unit it may be
combined into a terminal, gateway, or gatekeeper. The
MCU is an optional component of an H.323-enabled
network.
The multipoint controller provides a centralized location
for multipoint call setup. Call and control signaling are
routed through the MC so that endpoints capabilities
can be determined and communication parameters
negotiated.
Standards for IP Telephony

H.323 for IP Telephony
Video
Audio
H.261
H.263
(video
Coding)
G.711
G.722
G.723
G.728
G.729
RTP
RTCP
RTP
Control
Data
H.245
H.225
H.225
Terminal to
gatekeeper
signaling
Call
signaling
T.120
(Multipoint
data transfer)
RTCP
Unreliable Transport (UDP)
Reliable Transport (TCP)
From: IP Telephony, by Goralski & Kolon
H.225 and H.245

H.225 performs the signaling for call control
uses H.245 to establish and terminate individual logical channels
for communication

Five phases of signaling process
Call setup
Initial communications and capability exchange
Establishment of audiovisual communication
Call services
Call termination
Encoding techniques
70
60
50
Data Rate
Delay (ms)
Quality (MOS)
40
30
20
10
0
G.711
G.722
G.726
G.728
G.729
G.723
From: IP Telephony, by Goralski & Kolon
IP Telephony Overview
Session Initiation Protocol (SIP) Architecture
Location Server
Redirect
Server
Proxy Server
SIP
Phone
Proxy Server
Packet-switched
IP Network
SIP
Terminal
intranet, Internet, VPNs
SIP Phone
Router
SIP Terminal
Router
From: “Security Requirements and Constraints of VoIP” by Mika Marjalaakso
IP Telephony Overview
MGCP, H.248/Megaco Architecture
Media Gateway
Controller
Signaling Conversion
Sigtran
Signaling
Gateway
Media Gateway
Controller
IP Signaling
H323, SIP, ISUP
Signaling Conversion
Sigtran
Signaling
Gateway
Packet-switched
IP Network
PSTN Signaling
SS7, ISDN, Q.Sig
PSTN Signaling
SS7, ISDN, Q.Sig
Media GW Control
MGCP,
Megaco/H.248
SS7
PSTN
SS7
Media
RTP/RTCP
TDM
Media
Gateway
TDM
PSTN
Media
Gateway
From: “Security Requirements and Constraints of VoIP” by Mika Marjalaakso
IP Telephony Overview
The Protocol Stack
Signaling
Gateway Control
Media
H.323
H.450.x
H.235
H.225.0
(Q.931)
H.245
Codecs
(A/V)
MGCP
RAS
SIP
SGCP
TCP
IPDC
H.248
Megaco
RTP
RTCP
RTSP
UDP
IP
From: “Security Requirements and Constraints of VoIP” by Mika Marjalaakso
Approaches to IP Telephony
 Strategy One (PBX Vendors)
PBX
Private Branch Exchange
T1
Phones
ISDN
ANALOG
Approaches to IP Telephony
 Strategy One-a (PBX Vendors)
PBX
Private Branch Exchange
T1
Phones
ISDN
ANALOG
Approaches to IP Telephony
 Strategy Two (Networking Vendors)
PBX
Private Branch Exchange
Data Switch
IP Phones
Approaches to IP Telephony
 Strategy Three (Telecom Firewall)
PBX
Private Branch Exchange
T1
ISDN
ANALOG
Least cost Routing
Security – PSTN & Internet
Leverage Existing Infrastructure
Quality of Service Issues
 “Perhaps the most vexing problem in voice-
over-IP, in general, has been the issue of
quality of service (QoS). The delay in
conversation that many VoIP users
encounter is caused by the jitter and latency
of packet delivery within the Internet itself”
[J. Rosenberg, Computer Telephony: The SIP Protocol. June 2000]
Quality of Service Issues
 Bandwidth (minimum)
 Latency (maximum)
 Jitter (delay variation)
 Packet loss (network congestion or errors)
 Availability (individual)
 Reliability (network)
Network Reliability
Reliability
99%
99.5%
99.9%
99.95%
99.99%
99.995%
99.999%
Total yearly Downtime
3.65 days
1.825 days
8.76 hours
4.38 hours
52.56 minutes
26.28 minutes
5.25 minutes
From: IP Telephony, by Goralski & Kolon
Quality of Service Issues

Prevailing IP Telephony thinking:
security reduces QoS to unacceptable levels
security or QoS - but not both
let’s fix QoS then worry about security
security and QoS are competing requirements
security isn’t necessary over well-managed IP networks (e.g.
“I’m not using the Internet, so why worry.”)
Quality of Service Issues
 Scheduled downtime is not a term used in the
telephony world.
 Security is not usually thought of as a QoS issue
-- but it should be!
VoIP Security
“It may seem painfully obvious, but it’s important
to remember that a VoIP network is an IP network.
Any VoIP device is an IP device, and it’s therefore
vulnerable to the same types of attacks as any other
IP device. In addition, a VoIP network will almost
always have non-VoIP devices attached to it and be
connected to other mission-critical networks.”
Dr. Andrew Molitor, Aravox Technologies
Special VoIP Security
Considerations
Availability requirements for VoIP are extremely critical,
higher than normal network operations.
 VoIP applications are badly behaved IP applications.

Tend to use dynamically negotiated ports.
Makes security job harder since we don’t know in advance which
port numbers represent legitimate communication.

VoIP applications are more sensitive to delays and other
performance issues
IP designed to work over slow, noisy networks.

Current IP security devices designed to meet the needs of a
data-oriented network.
IP Telephony Security Issues
 Security in IP Telephony
achieved using built-in mechanisms of protocols
achieved using external application or network layer
protocols (e.g. IPSEC)
IP Telephony Security Issues
 Benefits of Security in IP Telephony
Confidentiality
Integrity
Availability
Authentication
Non-repudiation
IP Telephony Security Issues
 Basic Threats to Traditional Telephony
Phone disturbance
Prank calls
Free calls using someone else’s phone number
Masquerading as someone else
Denial-of-Service attacks aimed at phone system
Attacks aimed at telephony equipment
– Voicemail attacks
– PBX configuration port attacks
IP Telephony Security Issues

Basic Threats to IP Telephony
Data network access through VoIP ports (tunneling)
Free long distance calls over PSTN (spoofing)
Eavesdrop on conversations (packet sniffing)
Record conversations without authorization
Modify, delete, or replace fax/voice packets
Forward incoming phone calls to somewhere else
Denial-of-Service attack on business phone system
Denial-of-Service attack on business data network
Expose private conversations on Internet
Hijack conversations
Block calls of targeted individuals
Log all calls through an organization
The Threats to VoIP
Attack Category
Denial of Service
Eavesdropping
Unauthorized Access
Spoofing
Information Loss
Repudiation
Information Corruption
Likelihood
3
2-3
Impact
3
1-3
2-3
2
1-2
1-2
1
Risk Factor
9
7
2-3
3
3
3
3
7
6
5
5
3
DTR/TIPHON-08002 V0.1.8 (2000-12-07)
Telecommunications and Internet Protocol Harmonization over Networks (TIPHON
Eavesdropping on VoIP
IP Telephony Security Issues
 Security Constraints – the reason why security in
IP Telephony is practically non-existent
adds latency to the voice packet
increases computational load of network devices
doesn’t work well with data-centric VPNs
doesn’t work well with data-centric firewalls
increases bandwidth requirements
public-key infrastructure not globally available
doesn’t work well with NAT-enabled routers/firewalls
IP Telephony Security Issues
Example 1: VoIP Gateway with IP Firewall
The Ideal - the Firewall allows VoIP packets across
10/100
GW
IP Firewall
PBX
Internet
PSTN
Router
IP Telephony Security Issues
Example 1: VoIP Gateway with IP Firewall
Reality - the Firewall blocks VoIP packets
10/100
GW
IP Firewall
PBX
Internet
PSTN
Router
IP Telephony Security Issues
Example 1: VoIP Gateway with IP Firewall
Some firewall ports are left open to allow VoIP packets.
Danger – opened VoIP ports can be attacked
10/100
GW
IP Firewall
PBX
Internet
PSTN
Router
VoIP - Capable Firewalls
Firewalls have to support IP telephony to allow use of VoIP
or
IP telephony has to support firewalls to allow use of VoIP
A VoIP Capable Firewall should:
Allow a host to send packets to another through dynamically
assigned ports, Allow signaling devices to “control” the firewall.
IP Telephony Security Issues

Traditional Responses to Security Threats
IP Firewalls
– must prioritize to not delay critical packets such as VoIP
– must handle multiple dynamic UDP port assignments
– must be able to handle or else not use NAT
VPNs
– must prioritize VoIP packets
– must handle numerous smaller packets
– must not add too much latency
Encryption
– needs to be FAST
– PKI issues need to be addressed
Summary
 What is the Importance and Significance of this
material?
 How does this topic fit into the subject of “Voice
and Data Security”?