SPEERMINT Working Group                                     S. Niccolini
Internet-Draft                                                       NEC
Intended status: Informational                           August 29, 2006
Expires: March 2, 2007


                          VoIP Security Threats
                draft-niccolini-speermint-voipthreats-00

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   This document may not be modified, and derivative works of it may not
   be created, except to publish it as an RFC and to translate it into
   languages other than English.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on March 2, 2007.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Niccolini                Expires March 2, 2007                  [Page 1]
Internet-Draft                VoIP Threats                   August 2006

Abstract

   This memo presents the different security threats related to VoIP.
   First, a taxonomy for the different types of security threats is
   defined.  Afterwards the different instances of the threats are
   briefly analyzed following such taxonomy.  Finally the existing
   security solutions in SIP and RTP/RTCP are presented to describe the
   countermeasures currently available for such threats.
   The objective of this document is to identify and enumerate the VoIP
   threat vectors in order to specify security-related requirements
   specific to peering.  Once the requirements are identified, methods
   and solutions to meet such requirements can be selected.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Taxonomy of VoIP Security Threats  . . . . . . . . . . . . . .  4
     2.1.  Interception and Modification Threats  . . . . . . . . . .  4
     2.2.  Interruption of Service Threats  . . . . . . . . . . . . .  5
     2.3.  Abuse of Service Threats . . . . . . . . . . . . . . . . .  6
     2.4.  Social Threats . . . . . . . . . . . . . . . . . . . . . .  6
   3.  Overview of VoIP Security Solutions  . . . . . . . . . . . . .  8
   4.  Conclusions  . . . . . . . . . . . . . . . . . . . . . . . . . 10
   5.  Security Considerations  . . . . . . . . . . . . . . . . . . . 11
   6.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 12
   7.  Informative References . . . . . . . . . . . . . . . . . . . . 13
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 14
   Intellectual Property and Copyright Statements . . . . . . . . . . 15

1.  Introduction

   With VoIP, the need for security is compounded because both the
   control plane and the data plane have to be protected.  In a legacy
   telephone system, security is a more reasonable assumption:
   intercepting conversations requires either physical access to
   telephone lines or compromising the Public Switched Telephone
   Network (PSTN) nodes or the office Private Branch eXchanges (PBXs).
   Only particularly security-sensitive organizations bother to encrypt
   voice traffic over traditional telephone lines.  In contrast, the
   risk of sending unencrypted data across the Internet is more
   significant (e.g. DTMF tones corresponding to a credit card number).
   An additional security threat to Internet Telephony comes from the
   fact that the signaling is sent over the same network as the
   multimedia data; traditional telephone systems keep the signaling
   network separated from the data network.  This increases the threat,
   since an attacker could attack the signaling network and its servers
   with greater damage potential (call hijacking, call drop, DoS
   attacks, etc.).  Therefore there is the need to investigate the
   different security threats and to highlight the solutions that avoid
   them.

2.  Taxonomy of VoIP Security Threats

   A taxonomy of VoIP security threats has been defined in [1].  Such a
   taxonomy is a very complete one and also takes into account threats
   not caused by VoIP-specific technical reasons (e.g. loss of power).
   In this section a similar taxonomy is presented, reusing as much as
   possible from the referenced document but avoiding the
   classification of threats that cannot be traced back to technical
   causes.

   The VoIP security threats can be divided into four main areas:

   o  Interception and Modification Threats;

   o  Interruption of Service Threats;

   o  Abuse of Service Threats;

   o  Social Threats.

2.1.  Interception and Modification Threats

   The interception threat results from the ability of the attacker to
   intercept the signaling and/or the data.  The interception-only
   threat results in the attacker being able to use the intercepted
   data for malicious purposes; examples are:

   o  call pattern tracking - the attacker tracks the call patterns of
      the users;

   o  number harvesting - the attacker harvests numbers and/or user
      identities in order to call such numbers/identities or to use
      spoofed identities;

   o  conversation reconstruction - the attacker reconstructs the
      conversation and/or additional data delivered with it (e.g.
      numbers transmitted with DTMF tones).
   The modification threat supposes that the attacker is able to modify
   the content of the intercepted packets, acting as a man in the
   middle.  In principle this threat affects both the signaling and the
   data, depending on the ability of the attacker to intercept both.
   The interception and modification threat results in the attacker
   being able to modify the packets for malicious purposes; examples
   are:

   o  call black holing - the attacker intentionally drops essential
      packets (e.g. INVITE) of the VoIP protocol, causing call
      initiation to fail;

   o  call rerouting - the attacker redirects the packets on a different
      path in order to include unauthorized nodes in the path or to
      exclude authorized ones from it;

   o  conversation alteration - the attacker alters the packets in order
      to modify the conversation between two users;

   o  conversation degrading - the attacker intentionally drops a
      selection of packets or modifies their content with the objective
      of degrading the overall quality of the conversation.

2.2.  Interruption of Service Threats

   The interruption of service attacks are mainly aimed at compromising
   the availability of the service or at deteriorating the quality
   level of such resources.  Interruption of service attacks can be
   either specific to the SIP protocol or to the RTP/RTCP protocol.
   General interruption of service attacks not using VoIP-specific
   protocols are out of the scope of this document.

   Examples of SIP protocol specific interruption of service attacks
   exploiting SIP-specific vulnerabilities are:

   o  SIP malformed requests and messages - the attacker tries to cause
      a crash or a reboot of the proxy/endpoint by sending malformed SIP
      requests and messages;

   o  SIP requests and messages flooding - the attacker tries to exhaust
      the resources of the proxy/endpoint by sending many SIP requests
      and messages;

   o  call hijacking - the attacker uses SIP messages (e.g. 301 Moved
      Temporarily) in order to hijack an existing call towards another
      proxy/endpoint; for the hijacking to succeed the attacker must
      replicate the proper SIP headers (To, From, Call-ID, CSeq);

   o  call tear down - the attacker uses SIP messages (e.g. CANCEL/BYE)
      in order to tear down an existing call; for the tear down to
      succeed the attacker must replicate the proper SIP headers (To,
      From, Call-ID, CSeq).

   Examples of RTP/RTCP protocol specific interruption of service
   attacks exploiting RTP/RTCP-specific vulnerabilities are:

   o  RTP/RTCP malformed messages - the attacker tries to cause a crash
      or a reboot of the proxy/endpoint by sending malformed RTP/RTCP
      messages;

   o  RTP/RTCP messages flooding - the attacker tries to exhaust the
      resources of the proxy/endpoint by sending many RTP/RTCP messages;

   o  RTP/RTCP session tear down - the attacker uses RTCP messages (e.g.
      BYE) in order to tear down an existing call at the RTP layer; the
      SIP layer will not notice that the RTP flow has been torn down and
      the call will not appear as released;

   o  RTP/RTCP QoS degradation - the attacker sends wrong RTCP reports
      advertising more packet loss or more jitter than actually
      experienced, resulting in the selection of a poor quality codec
      and degrading the overall quality of the call experience.

   In principle such attacks do not need interception of any packet in
   order to be performed (they could be done by simple guessing), but
   some of them (e.g. call hijacking, RTP/RTCP session tear down, etc.)
   benefit from the retrieval of call-specific information obtained by
   intercepting SIP/RTP/RTCP packets.

2.3.  Abuse of Service Threats

   In the abuse of service attacks, services are improperly used for
   the purpose of committing fraud or reducing billing.
   Examples of abuse of service attacks are:

   o  identity theft - the attacker uses the identity of the owner
      without consent, in order to mask his real identity when
      committing fraud (e.g. when calling, the attacker can charge the
      bill to the identity owner, the attacker can use the identity to
      bypass call blocking, etc.);

   o  service volume fraud - the attacker injects into the network more
      traffic than what was declared in the session request, in order
      to avoid paying for the used resources;

   o  session replay - the attacker replays a past session of another
      user in order to get access to the same resources (e.g. a bank
      account, etc.).

2.4.  Social Threats

   False presentation of information together with unwanted contact are
   the only social threats that can be traced back to a technical
   background in the case of VoIP.  Examples are:

   o  false presentation of identity/authority/rights/content - the
      attacker presents false or misleading credentials in order to
      gain a social advantage out of it;

   o  unwanted lawful/unlawful contact - the attacker contacts the
      victim with unlawful or lawful purposes (e.g. extortion,
      telemarketing, etc.); please note that unwanted lawful contact in
      the case of VoIP is also referred to as SPam over Internet
      Telephony (SPIT), and SPIT discussion is excluded from the
      SPEERMINT working group charter.

3.  Overview of VoIP Security Solutions

   This section presents the VoIP security features currently
   standardized or under standardization, in order to give an overview
   of the building blocks needed to counter the VoIP security threats
   detailed in this draft.  The technology to secure VoIP can be
   divided into three main areas as follows:

   o  Authentication/Authorization;

   o  Encryption;

   o  Identity management.

   Authentication is needed to understand who was the sender of a
   specific packet.
   Authentication can take place between different entities or
   end-to-end:

   o  from client to server - Digest authentication [2] or mutual
      Transport Layer Security (TLS) [3];

   o  from server to server - mutual Transport Layer Security (TLS);

   o  from server to client - Transport Layer Security (TLS);

   o  end-to-end - S/MIME [4].

   All solutions require some kind of trust relationship (i.e. shared
   secrets or certificate authorities).

   Encryption is needed to protect the content of the packets from being
   read by parties other than the intended recipients of such packets.
   Encryption follows the same paradigm as authentication and can be
   done either on a hop-by-hop or on an end-to-end basis.  On a
   hop-by-hop basis TLS is used (TLS creates an authenticated,
   encrypted, integrity-checked channel).  On an end-to-end basis S/MIME
   is used to sign and encrypt portions of the SIP body.  At the media
   level, end-to-end encryption is possible using SRTP [5] to protect
   RTP/RTCP media (audio, video).  Currently there is a discussion in
   the IETF about the requirements for SRTP media keying, which is still
   an open issue.  Other solutions that provide encryption and integrity
   are lower layer ones like IPsec, which is applied hop-by-hop.

   Identity management is also an important piece of the security
   framework in SIP [6].  The objective of the identity framework is to
   give technical means to assess user identity in a secure manner.  It
   requires strong cryptographic assertions, but it represents the most
   promising approach to enable further security solutions which rely
   on the assumption of dealing with strongly authenticated identities.

   Please note that other techniques could also be used to counter VoIP
   security threats; the techniques that constitute stand-alone
   solutions and that do not need standardization work are left out of
   the scope of this document.
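   As an added illustration of the client-to-server Digest
   authentication [2] building block listed above, and of why the call
   hijacking and call tear down attacks of Section 2.2 gain nothing from
   copying To/From/Call-ID/CSeq when the proxy challenges such requests,
   the following is example code written for this page (not code from
   the draft or from any SIP implementation).  The user database, realm,
   password and SIP URI are constructed values.

```python
import hashlib
import re
import secrets

# Constructed user database for this example: username -> (realm, password).
USERS = {"alice": ("example.com", "correct horse")}

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 Digest (qop=auth) as used by RFC 3261; HA2 binds the method."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def parse_digest(header: str) -> dict:
    """Split 'Digest k="v", k2=v2, ...' into a dict with quotes stripped."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', header.split(" ", 1)[1])
    return {k: q or u for k, q, u in pairs}

class DigestVerifier:
    """Server side: issues the 401/407 challenge nonce and checks the reply."""
    def __init__(self, realm: str):
        self.realm = realm
        self.nonces = {}  # issued nonce -> highest nonce-count accepted so far

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return f'Digest realm="{self.realm}", nonce="{nonce}", qop="auth"'

    def verify(self, method: str, header: str):
        p = parse_digest(header)
        creds = USERS.get(p.get("username", ""))
        if creds is None or p.get("realm") != self.realm:
            return False, "unknown user or realm"
        if (nonce := p.get("nonce", "")) not in self.nonces:
            return False, "unknown or expired nonce"
        if (nc := int(p.get("nc", "0"), 16)) <= self.nonces[nonce]:
            return False, "replayed nonce count"  # nonce-count must increase
        expected = digest_response(p["username"], self.realm, creds[1], method,
                                   p.get("uri", ""), nonce, p.get("nc", ""), p.get("cnonce", ""))
        if not secrets.compare_digest(expected, p.get("response", "")):
            return False, "bad response"  # wrong password, method or URI
        self.nonces[nonce] = nc
        return True, "ok"

def client_authorization(user, password, method, uri, challenge, nc="00000001"):
    """UA side. Copying To/From/Call-ID/CSeq from a sniffed dialog (Section 2.2)
    does not yield this header: the response needs the shared password."""
    c, cnonce = parse_digest(challenge), secrets.token_hex(8)
    resp = digest_response(user, c["realm"], password, method, uri, c["nonce"], nc, cnonce)
    return (f'Digest username="{user}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')
```

   The verifier rejects a replayed header (same nonce-count), a response
   computed for a different method (a BYE response cannot be replayed as
   CANCEL) and a response computed with a guessed password.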
   It is left open for discussion which other security techniques to
   include in this section.

4.  Conclusions

   This memo presented a taxonomy for the different types of VoIP
   security threats.  The multiple instances of the threats were also
   presented with a brief explanation.  Finally the existing security
   solutions in VoIP were presented to describe the countermeasures
   currently available for such threats.

   The objective of this document is to identify and enumerate the VoIP
   threat vectors in order to specify security-related requirements
   specific to peering.  Once the requirements are identified, methods
   and solutions to meet such requirements can be selected.

5.  Security Considerations

   This memo is entirely focused on the security threats for VoIP.

6.  Acknowledgements

   This memo takes inspiration from the VOIPSA VoIP Security and Privacy
   Threat Taxonomy.  The author would like to thank VOIPSA for having
   produced such a comprehensive taxonomy, which is the starting point
   of this draft.  The author would also like to thank Cullen Jennings
   for the useful slides presented at the VoIP Management and Security
   workshop.

7.  Informative References

   [1]  "VOIPSA VoIP Security and Privacy Threat Taxonomy",
        October 2005.

   [2]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
        Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP:
        Session Initiation Protocol", RFC 3261, June 2002.

   [3]  Dierks, T. and E. Rescorla, "The TLS Protocol Version 1.2",
        draft-ietf-tls-rfc4346-bis-01.txt (work in progress),
        June 2006.

   [4]  Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions
        (S/MIME) Version 3.1 Message Specification", RFC 3851,
        July 2004.
   [5]  Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
        Norrman, "The Secure Real-time Transport Protocol (SRTP)",
        RFC 3711, March 2004.

   [6]  Peterson, J. and C. Jennings, "Enhancements for Authenticated
        Identity Management in the Session Initiation Protocol (SIP)",
        draft-ietf-sip-identity-06.txt (work in progress),
        October 2005.

Author's Address

   Saverio Niccolini
   Network Laboratories, NEC Europe Ltd.
   Kurfuersten-Anlage 36
   Heidelberg  69115
   Germany

   Phone: +49 (0) 6221 4342 118
   Email: saverio.niccolini@netlab.nec.de
   URI:   http://www.netlab.nec.de

Full Copyright Statement

   Copyright (C) The Internet Society (2006).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.
   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Acknowledgment

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).