Hello, I am calling to tell you that you've been hacked

When I looked at the long-term VoIP and UC security trends a year ago, I discovered that most of the VoIP security research and attention was devoted to the signaling protocols and their vulnerabilities. SIP, Skinny, UNIStim and H.323 are being fuzzed, reverse engineered, spoofed and dissected in hundreds of ways. In the process we discovered a lot of vulnerabilities, fixed most of them and made these protocols more secure. And that's a good thing.

But I knew we were missing something. This something is another family of protocols: Real-time Transport Protocol (RTP) and its sister protocol, Real-time Transport Control Protocol (RTCP). These protocols are used to carry the actual content of voice calls, video or audio over IP networks. They have a few interesting properties that warrant a closer look from the security point of view.

First, they are ubiquitous. VoIP and UC vendors use different signaling protocols in their products: standard SIP and H.323 or proprietary Skinny and UNIStim. But all of them use standards-based RTP/RTCP to carry voice, video and audio. The list of common applications using RTP/RTCP is very long. Some of them are deployed in very large numbers: Microsoft Communicator, any VoIP softphones and hardphones, Live Windows Messenger, wireless VoIP and video clients and QuickTime. We are talking about hundreds of millions of end-points.

Secondly, after the signaling protocol establishes a connection between the calling parties, in most cases RTP/RTCP is carried between endpoints in peer-to-peer mode, thus bypassing PBX/Call Managers/softswitches.

Thirdly, the ports used by RTP/RTCP are assigned dynamically during the signaling phase.

Fourth, RTP is a binary protocol carrying information in real time. Since VoIP and video are sensitive to delay, packet loss and jitter, it is very difficult to analyze the content of RTP streams fast enough to not cause QoS to deteriorate.
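As an added illustration (not part of the original post): the RTP fixed header defined in RFC 3550 can be checked for structural consistency without inspecting the media itself, so the check needs no buffering of the conversation. The function name `validate_rtp` and the sample packets are constructed for this example.

```python
import struct

RTP_VERSION = 2
FIXED_HEADER_LEN = 12


def validate_rtp(packet: bytes) -> dict:
    """Parse the RFC 3550 fixed header; raise ValueError if lengths disagree."""
    if len(packet) < FIXED_HEADER_LEN:
        raise ValueError("shorter than the 12-byte fixed header")
    b0, b1, seq, timestamp, ssrc = struct.unpack("!BBHII", packet[:12])
    version = b0 >> 6
    padding = bool(b0 & 0x20)
    extension = bool(b0 & 0x10)
    csrc_count = b0 & 0x0F
    if version != RTP_VERSION:
        raise ValueError(f"unexpected version {version}")
    # Every length field below is attacker-controlled; bound each one
    # against the real packet size before using it as an offset.
    offset = FIXED_HEADER_LEN + 4 * csrc_count
    if offset > len(packet):
        raise ValueError("CSRC list runs past end of packet")
    if extension:
        if offset + 4 > len(packet):
            raise ValueError("truncated extension header")
        (ext_words,) = struct.unpack("!H", packet[offset + 2:offset + 4])
        offset += 4 + 4 * ext_words
        if offset > len(packet):
            raise ValueError("extension length runs past end of packet")
    pad_len = 0
    if padding:
        if offset >= len(packet):
            raise ValueError("padding flag set but no payload")
        pad_len = packet[-1]  # last octet counts the padding, itself included
        if pad_len == 0 or pad_len > len(packet) - offset:
            raise ValueError("padding length exceeds payload")
    return {
        "payload_type": b1 & 0x7F, "marker": bool(b1 & 0x80),
        "seq": seq, "timestamp": timestamp, "ssrc": ssrc,
        "payload": packet[offset:len(packet) - pad_len],
    }


# Constructed samples: one well-formed PCMU packet and two malformed variants.
GOOD = struct.pack("!BBHII", 0x80, 0, 1, 160, 0x1234ABCD) + b"\xff" * 160
BAD_CSRC = struct.pack("!BBHII", 0x8F, 0, 2, 320, 0x1234ABCD) + b"\x00" * 8
BAD_EXT = (struct.pack("!BBHII", 0x90, 0, 3, 480, 0x1234ABCD)
           + struct.pack("!HH", 0, 0xFFFF))
```

Packets that fail these checks can be dropped or logged before they reach a media stack, at the cost of a few comparisons per packet.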

Let's put it all in the context of VoIP and UC security. I asked my research team to look closer at RTP and RTCP implementations. Well, now we know that RTP/RTCP implementations have security vulnerabilities, some of them very serious. It is quite feasible that some of the exploits could be used to create massive attacks on telecommunication and business infrastructure as a part of cyberwarfare or they could be used selectively to steal information and penetrate enterprise security through a simple phone call.

Your laptop running a softphone could be taken over by someone simply calling you and exploiting a specific RTP vulnerability. And this attack could traverse PSTN networks. Even transferring sensitive data from inside of the enterprise is possible within the RTP streams.

In most cases RTP works in peer-to-peer mode, bypassing any centralized applications and devices. In many organizations any peer-to-peer traffic is simply blocked, but this is not possible if VoIP or UC infrastructure is implemented.

And let's not forget about SPAM over Internet Telephony (SPIT). It is basically an equivalent of email SPAM but with a twist. Anti-spam applications have full access to email headers and the content, so they can analyze the entire message and make an appropriate decision in non-real time. In the case of SPIT we can easily analyze the signaling protocols, but it is almost impossible to do so for RTP streams. Imagine buffering a conversation, analyzing the speech against certain rules and keywords (not everyone in the world speaks English), making a decision and inserting the content back into the RTP stream. All that in real time for thousands of conversations at a time.

Securing RTP is our next challenge. Let's start working on it now.
