Security Challenges in Hybrid Telephony

Richard Hovey
Communications Systems Analysis Division
February 8, 2007

Observations are my own and are not a reflection of views of CSAD or PSHSB.
Security Issues in Hybrid IP-TDM Telephony

[Figure: the IP network (DNS, SIP server, broadband phone, router, IP PBX) meets the TDM network (SS7, PBX, SSP, smartphone). The labelled interop points are Domain Name System interop (DNS), Routing interop (BGP) and Signaling interop (Session Initiation Protocol (SIP) to SS7).]

February 8, 2007                Non-public – for Internal Use Only                        2
Security Challenges in Hybrid Telephony
Outline

1. Perspectives on telecom convergence
     • "Very-Next" Generation c.2007-2010
2. Telephony on the commodity Internet
     • Tutorial: basic SIP signaling
     • SIP security challenges
3. Hybrid Telephony IP – TDM
     • Tutorial: basic SS7 signaling; SIP – SS7 interworking
     • SIP-SS7 security challenges
4. Emerging components & concerns
     • Open Source IP PBX
     • Smartphone

Security Challenges in Hybrid Telephony
Advisory Message

• The Sky isn't exactly falling…
• …but the Sea Level is rising.
• Net effect: The Sky is getting closer.

[Figure: "CSAD Advisory System", a colour-coded scale with the levels Severe Risk of Sky Falling, High Risk of Sky Falling, Significant Risk of Sky Falling, General Risk of Sky Falling and Low Risk of Sky Falling.]

Perspective on Convergence
Very-Next Generation Residential Broadband

• Today: parallel access to distinct infrastructures
• Future: common IP core infrastructure?
     – Vision of "Carrier ISPs"
     – First test: adoption of "NGN Release 1"

[Figure: residential broadband over copper, cable, or fiber reaches a headend with local servers; from there the paths lead to the TDM phone net, the commodity Internet and satellite distribution.]

Tutorial: IP-IP Telephony
Session Initiation Protocol Signaling (SIP)

[Figure: two IP networks, each with a SIP control server; IP Network 1 also has DNS, IP Network 2 a location server (LOC). Routers switch the IP links between the networks; the voice path carries RTP and the signaling path carries SDP.]

Tutorial: IP-IP Telephony
SIP Basics

• Session Initiation Protocol (SIP)
     – Text-based protocol with a readable syntax, similar to HTTP
     – Used for controlling multimedia sessions over IP (i.e., signaling)
     – Telephony is a type of audio-only multimedia session
• INVITE message
     – Used to establish a session; analogous to ISUP IAM message
     – IP-IP phone example (Kevin calls Michael over Internet)
          INVITE sip:michael@mkpgroup.com SIP/2.0
          Via: SIP/2.0/UDP 165.135.228.98:5060
          Max-Forwards: 50
          To: Michael <sip:michael@mkpgroup.com>
          From: Kevin <sip:kevin@fcc.gov>;tag=8055002911
          Content-type: application/sdp
          Content-length: 142

Tutorial: IP-IP Telephony
Session Initiation Protocol Signaling (SIP)

[Figure: numbered call flow across the two IP networks of the previous slide]
❶ Kevin "calls" Michael
❷ INVITE to: sip:michael@mkpgroup.com (from Kevin's phone, via the router, to his SIP server)
❸ DNS Query (Kevin's SIP server)
❹ INVITE (SIP server to SIP server)
❺ LS Query (Michael's SIP server asks its location server, LOC)
❻ INVITE (delivered to Michael)
❼ Ringing (back toward Kevin)
➑ OK
➒ voice (RTP) on the IP link between the phones

IP-based Telephony
SIP Signaling – Challenges

SIP and Privacy (withholding identity)
     – Identity carried in SIP URI and optional Display Name
       e.g., Kevin <sip:kevin@fcc.gov>
     – Appears in numerous fields in SIP messages
       e.g., From:, Contact:, Reply-to:
     – Identity info also appears in
       e.g., Via:, Call-Info:, User-Agent:, Organization:, Server:
     – Some are functional and have to be included
     – Complicated by intermediary proxy servers that add headers
       [and can examine the other header content]

IP-based Telephony
SIP Signaling – Challenges

• Utility of protecting SIP with encryption?
     – i.e., protect SIP messages with IP Security (IPsec) at the IP layer
• Hop-by-hop impact on call set-up time is significant
     – Almost certainly unacceptable

     Call set-up time      No IPsec     Proxy IPsec     End-End IPsec
     IP-IP                    4.6            7.5             20.2
     IP-TDM                   7.6            9.5             21.8
     TDM-IP                   5.2            8.0             12.7
     TDM-IP-TDM               6.9            9.3             14.3
     Source: Telcordia

• Once connected phone-phone, delay acceptable
     – About 10% (8 msec)
• Implications for NGN?

IP-based Telephony
Vulnerabilities in SIP devices

• Dozens of vulnerabilities impacting IP-based telephony
     – Includes commodity Internet risks at other layers
• Attacks on vulnerabilities
     – can impact confidentiality, integrity, availability
     – can trigger device hangs, crashes, restarts
• Hundreds of SIP device software implementations
     – both SIP phones and SIP servers

• Next: some approaches to mitigating risks
     – Security thru obscurity – don't reveal implementation
     – Security thru testing – use test tools to check implementation

IP-based Telephony
IP Telephony Vulnerabilities by Protocol Layer

Layer            Attack Vector             Confidentiality  Integrity  Availability
Net Interface    Physical Attacks                 X                         X
                 ARP cache                        X             X           X
                 ARP flood                                                  X
                 MAC spoofing                     X             X           X
Internet         IP spoofing
                 Device                           X             X           X
                 Redirect via IP spoof            X             X           X
                 Malformed packets                X             X           X
                 IP frag                          X             X           X
                 Jolt                                                       X
Transport        TCP/UDP flood                                              X
                 TCP/UDP replay                   X             X
Application      TFTP server insertion                         X
                 DHCP server insertion                         X
                 DHCP starvation                                            X
                 ICMP flood                                                 X
App. [cont]
SIP              Registration Hijacking           X             X           X
                 MGCP Hijack                      X             X           X
                 Message modification             X             X
                 RTP Insertion
                 Spoof via header                 X             X           X
                 Cancel / bye attack                                        X
                 Malformed method                                           X
                 Redirect method                  X                         X
RTP              SDP redirect                                               X
                 RTP payload                                                X
                 RTP tampering                                              X
                 Encryption                       X             X           X
                 Default configuration            X             X           X
                 Unnecessary services             X             X           X
                 Buffer overflow                  X             X           X
                 Legacy Network                   X             X           X
                 DNS Availability                                           X
Source: UC Boulder

IP-based Telephony
Security thru Obscurity?

• A vulnerable implementation becomes an explicit target
     – e.g., Windows vulnerabilities
• SIP standard defines a "User-Agent" field
     – announces software version
     – can turn it off so software details are not revealed
• But… turning off explicit identification doesn't really help
     – sufficient info in protocol responses to determine software
     – probing technique manipulates headers, logs responses
     – each device has a unique fingerprint
• Does suggest some security improvements
     – e.g., don't respond to non-compliant messages
     – e.g., randomize fields and attributes

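An added example, not from the deck, that ties together the SIP Basics INVITE, the privacy slide's list of identity-bearing headers, and the suggestion above not to respond to non-compliant messages: a small SIP request parser that checks the mandatory headers and Content-Length and reports which headers expose identity. The sample message is the deck's INVITE extended with a constructed Call-ID, CSeq, User-Agent, SDP body and a proxy-added Via.

```python
import re

MANDATORY = ("Via", "To", "From", "Call-ID", "CSeq", "Max-Forwards")
# Identity-bearing headers named on the privacy slide: the first group is
# needed for routing, the second is optional and can be left out entirely.
IDENTITY_REQUIRED = ("Via", "From", "Contact")
IDENTITY_OPTIONAL = ("Reply-To", "Call-Info", "User-Agent", "Organization", "Server")
COMPACT = {"v": "Via", "f": "From", "t": "To", "i": "Call-ID", "m": "Contact",
           "l": "Content-Length", "c": "Content-Type"}

# Constructed sample: the deck's INVITE plus the headers a real request needs
# (Call-ID, CSeq), a User-Agent, a short SDP body and a Via added by a proxy.
SAMPLE_INVITE = (
    "INVITE sip:michael@mkpgroup.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP proxy.example.net:5060;branch=z9hG4bK-p1\r\n"
    "Via: SIP/2.0/UDP 165.135.228.98:5060;branch=z9hG4bK-ua1\r\n"
    "Max-Forwards: 49\r\n"
    "To: Michael <sip:michael@mkpgroup.com>\r\n"
    "From: Kevin <sip:kevin@fcc.gov>;tag=8055002911\r\n"
    "Call-ID: 1234567890@165.135.228.98\r\n"
    "CSeq: 1 INVITE\r\n"
    "User-Agent: ExamplePhone/1.0\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 5\r\n"
    "\r\n"
    "v=0\r\n"
)


def parse_sip(raw):
    """Split a SIP request into (start line, [(name, value)], body)."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers CRLF CRLF")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line and line[0] in " \t" and headers:     # folded continuation line
            name, val = headers[-1]
            headers[-1] = (name, val + " " + line.strip())
            continue
        name, colon, val = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        name = name.strip()
        headers.append((COMPACT.get(name.lower(), name), val.strip()))
    return lines[0], headers, body


def get(headers, name):
    return [v for n, v in headers if n.lower() == name.lower()]


def check_compliance(raw):
    """Return the list of problems; an empty list means the request is well-formed."""
    try:
        start, headers, body = parse_sip(raw)
    except ValueError as e:
        return [str(e)]
    problems = []
    m = re.fullmatch(r"([A-Z]+) (\S+) SIP/2\.0", start)
    if not m:
        problems.append("bad request line: %r" % start)
    problems += ["missing %s" % h for h in MANDATORY if not get(headers, h)]
    cl = get(headers, "Content-Length")
    if cl and cl[0].isdigit() and int(cl[0]) != len(body.encode()):
        problems.append("Content-Length %s != body length %d" % (cl[0], len(body.encode())))
    cseq = get(headers, "CSeq")
    if m and cseq and not cseq[0].endswith(m.group(1)):
        problems.append("CSeq method does not match request line")
    return problems


def identity_exposure(raw):
    """Headers that reveal who or what is calling, split by whether they can be dropped."""
    _, headers, _ = parse_sip(raw)
    report = {"required": {}, "removable": {}}
    for n in IDENTITY_REQUIRED:
        if get(headers, n):
            report["required"][n] = get(headers, n)
    for n in IDENTITY_OPTIONAL:
        if get(headers, n):
            report["removable"][n] = get(headers, n)
    # The display name ("Kevin" in Kevin <sip:...>) is optional even in From/To.
    for n in ("From", "To"):
        for v in get(headers, n):
            disp = v.split("<", 1)[0].strip() if "<" in v else ""
            if disp:
                report["removable"].setdefault(n + " display-name", []).append(disp)
    return report
```

A message that fails check_compliance is one a device following the "don't respond to non-compliant messages" advice would silently drop rather than answer with a fingerprintable error.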
IP-based Telephony
Security thru Obscurity?

[Figure: SIP device fingerprints. Source: CMU & IBM Watson]

IP-based Telephony
Security thru Testing

• Commercially-available VoIP testing tools
     – "vulnerability scanners"
• Inject abnormalities into SIP messages
     – E.g., one tool: 4500 test cases…
     – …but only for SIP "INVITE" message
• Analysis of seven testing tools
     – based on lab tests of four tools; claims of three others
     – even combined, address less than half of known vulnerabilities

IP-based Telephony
IP Telephony Vulnerabilities Addressed by Tools

Layer            Attack Vector             Addressed by ΣTools
Net Interface    Physical Attacks
                 ARP cache
                 ARP flood
                 MAC spoofing
Internet         IP spoofing                       X
                 Device                            X
                 Redirect via IP spoof             X
                 Malformed packets
                 IP frag
                 Jolt
Transport        TCP/UDP flood                     X
                 TCP/UDP replay
Application      TFTP server insertion
                 DHCP server insertion
                 DHCP starvation
                 ICMP flood
App. [cont]
SIP              Registration Hijacking            X
                 MGCP Hijack
                 Message modification
                 RTP Insertion
                 Spoof via header                  X
                 Cancel / bye attack
                 Malformed method                  X
                 Redirect method                   X
RTP              SDP redirect                      X
                 RTP payload                       X
                 RTP tampering                     X
                 Encryption                        X
                 Default configuration
                 Unnecessary services
                 Buffer overflow                   X
                 Legacy Network                    X
                 DNS Availability                  X
Source: UC Boulder

IP-based Telephony
Denial of Service Attacks

• Background
     – Brute force attacks are much easier than clever exploits
• Attack targets
     – SIP infrastructure (SIP servers, gateways)
     – Supporting services (DNS)
     – End points (SIP phones)
• Commercially available solutions for UDP/SYN flooding
     – But currently none for SIP

IP-based Telephony
Denial of Service Attacks

• Carrier-class analysis
     – Two types of attacks used: general and VoIP-specific
     – Bi-directional speech grade-of-service metrics collected
• Results
     – VoIP-specific attacks effective at low rates against all devices
          • No service – let alone grade of service – to record
     – General attacks caused a wide range of effects
          • Unexpected: all devices adversely affected by TCP SYN attacks
• Conclusions (November 2004):
       "Keep VoIP on private secured networks (off the public Internet)
        where practical"
       "Design DDOS mitigation products to be VoIP-aware"
                                                            Sprint Adv. Tech. Labs

IP-based Telephony
Denial of Service Attacks

[Figure: voice quality during a TCP SYN attack on a network element, plotted against attack level; the acceptable-quality threshold is marked on the vertical axis and the attack level reaches 20% of bandwidth.]

IP-based Telephony
Denial of Service Attacks

Current carrier-class work
• Addressing perimeter protection problem of VoIP service
• Strategy – two detection and mitigation filters
     – SIP: rule-based detection and mitigation filters (only valid SIP)
     – Media: SIP-aware dynamic pinhole filtering (only signaled RTP)

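The two filters described above, as an added example that is not the Columbia U – Verizon Labs prototype: a rule-based check that lets only well-formed SIP through on the signaling port, and a pinhole table learned from the SDP in INVITE and 200 OK so that only signaled RTP passes and the pinhole closes on BYE. The addresses, ports, method list and Call-ID-keyed teardown are constructed for the demo.

```python
import re
from collections import namedtuple

Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port payload")

# Rule-based SIP filter: only requests with a known method, or status lines,
# are allowed on the signaling port (the "only valid SIP" rule).
ALLOWED_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS"}
SIP_REQUEST = re.compile(r"^(?P<method>[A-Z]+) \S+ SIP/2\.0\r\n")
SIP_STATUS = re.compile(r"^SIP/2\.0 \d{3} ")
CALL_ID = re.compile(r"^(?:Call-ID|i):\s*(.+)$", re.M | re.I)


class VoipPerimeter:
    """Two filters in front of a VoIP service: valid-SIP on the signaling port,
    and SIP-aware pinholes so that only media signaled in SDP gets through."""

    def __init__(self, sip_port=5060):
        self.sip_port = sip_port
        self.calls = {}      # Call-ID -> set of (ip, port) media endpoints from SDP
        self.dropped = []    # (reason, packet), the input for detection/alerting

    @staticmethod
    def _sdp_media(payload):
        """(ip, port) announced by the SDP c= and m=audio lines, or None."""
        c = re.search(r"^c=IN IP4 (\S+)", payload, re.M)
        m = re.search(r"^m=audio (\d+) RTP/AVP", payload, re.M)
        return (c.group(1), int(m.group(1))) if c and m else None

    def _drop(self, reason, pkt):
        self.dropped.append((reason, pkt))
        return False

    def filter(self, pkt):
        """True if the packet is forwarded, False if dropped."""
        if pkt.proto != "UDP":
            return True                      # outside this demo's scope
        if self.sip_port in (pkt.src_port, pkt.dst_port):
            return self._filter_sip(pkt)
        return self._filter_media(pkt)

    def _filter_sip(self, pkt):
        p = pkt.payload
        req = SIP_REQUEST.match(p)
        if req:
            if req.group("method") not in ALLOWED_METHODS:
                return self._drop("invalid-sip", pkt)
        elif not SIP_STATUS.match(p):
            return self._drop("invalid-sip", pkt)
        cid = CALL_ID.search(p)
        if not cid:
            return self._drop("invalid-sip", pkt)
        cid = cid.group(1).strip()
        ep = self._sdp_media(p)
        if ep:
            self.calls.setdefault(cid, set()).add(ep)   # open the pinhole
        if req and req.group("method") == "BYE":
            self.calls.pop(cid, None)                     # close it with the call
        return True

    def _filter_media(self, pkt):
        """Only a flow whose both ends were signaled for the same call passes."""
        src, dst = (pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)
        for endpoints in self.calls.values():
            if src in endpoints and dst in endpoints:
                return True
        return self._drop("unsignalled-media", pkt)


def sample_run():
    """Constructed traffic: one call, a media flood, malformed SIP, then BYE."""
    fw = VoipPerimeter()
    invite = ("INVITE sip:bob@192.0.2.10 SIP/2.0\r\nCall-ID: c1@10.0.0.5\r\n"
              "Content-Type: application/sdp\r\n\r\n"
              "v=0\r\nc=IN IP4 10.0.0.5\r\nm=audio 4000 RTP/AVP 0\r\n")
    ok = ("SIP/2.0 200 OK\r\nCall-ID: c1@10.0.0.5\r\n\r\n"
          "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 6000 RTP/AVP 0\r\n")
    bye = "BYE sip:bob@192.0.2.10 SIP/2.0\r\nCall-ID: c1@10.0.0.5\r\n\r\n"
    packets = [
        Packet("UDP", "10.0.0.5", 5060, "192.0.2.10", 5060, invite),
        Packet("UDP", "192.0.2.10", 5060, "10.0.0.5", 5060, ok),
        Packet("UDP", "10.0.0.5", 4000, "192.0.2.10", 6000, "rtp"),        # signaled media
        Packet("UDP", "203.0.113.7", 5555, "192.0.2.10", 6000, "junk"),    # flood at media port
        Packet("UDP", "203.0.113.7", 5060, "192.0.2.10", 5060, "GARBAGE"), # not SIP
        Packet("UDP", "10.0.0.5", 5060, "192.0.2.10", 5060, bye),
        Packet("UDP", "10.0.0.5", 4000, "192.0.2.10", 6000, "rtp"),        # after BYE: closed
    ]
    return [fw.filter(p) for p in packets], [reason for reason, _ in fw.dropped]
```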
IP-based Telephony
Denial of Service Attacks

[Figure: diagram only on the original slide. Columbia U – Verizon Labs]

IP-based Telephony
Denial of Service Attacks

Carrier-class prototype
• Rely on wire-speed, deep-packet inspection
• 300 calls/second; 10K-30K concurrent calls
• Conclusion (October 2006):
     "Need to generalize methodology to cover a broader range
      of cases and apply anomaly detection, pattern recognition
      and learning systems"
                                                        Columbia U – Verizon Labs

Tutorial: TDM-TDM Telephony
Inter-exchange Signaling (SS7)
ISDN User Part (ISUP) Protocol

[Figure: subscriber A is on a subscriber line to switch W; W has a voice trunk and a signaling link to switch X, which serves subscriber B]
❶ A dials digits
❷ W sends an Initial Address Message [IAM] to X
❸ X checks whether B's number is idle
❹ X returns an Address Complete Message [ACM] to W
❺ X rings B's line and transmits Caller ID; W plays ring tone to A
❻ W connects A to the trunk

Tutorial: TDM-TDM Telephony
Initial Address Message (IAM)

[Figure: layout of the Initial Address Message, highlighting the Called Party Number parameter, the Calling Party Number parameter and the Charge Number parameter]

Tutorial: IP-TDM Telephony

[Figure: broadband phone service (DNS, SIP server, router) reaches a Media Gateway Controller (MGC), which hands the call to the TDM network's SSP.]

Tutorial: IP-TDM Telephony
SIP to SS7

• Media Gateway Controller (MGC)
     – Also referred to as a "Softswitch" or "Call Agent"
     – Has logical interfaces facing both networks
     – Translates between SIP and ISUP messages
     – SS7 protocol Level 4 (e.g. "INVITE" → "IAM")
• Media Gateway (MG)
     – Has trunking interfaces facing both networks
     – Translates between IP and TDM voice streams (i.e. RTP ↔ T1)
     – MGC and MG can be merged in one box or kept separate
• Signaling Gateway (SG)
     – Performs mapping of signaling network messages
     – SS7 protocol Level 3
     – Level 3: controls congestion, balances loads, re-routes traffic

Tutorial: IP-TDM Telephony
SIP to SS7

Questions wrt Media Gateway Controller:
• How do they map fields? e.g. "INVITE" → "IAM"?
     – e.g., "From:" → "Calling Party Number" and "Charge Number"
• What call records do they maintain?
     – significant implications for authenticating source

Tutorial: IP-TDM Telephony
SIP to SS7

• INVITE message
     – IP-to-wireline phone example (Kevin calls Michael from Internet)
          INVITE sip:+12126441200@ss1.fcc.gov;user=phone SIP/2.0
          Via: SIP/2.0/UDP client.kevin.fcc.gov:5060
          Max-Forwards: 50
          To: Michael <sip:+12126441200@ss1.fcc.gov;user=phone>
          From: Kevin <sip:+12024180100>;tag=8055002911
          Content-type: application/sdp
          Content-length: 142

Tutorial: IP-TDM Telephony
SIP to SS7

• Signaling Gateway (SG) function
     – Performs mapping of signaling network messages
     – SS7 Level 3: congestion, balances loads, traffic re-routing
• Transporting SS7 over IP network: protocol stacks from the MGC (IP side) across the SG to the STP (SS7 side)

     MGC                 SG (IP side)   SG (SS7 side)   STP
     ISUP                       (NIF)                   ISUP
     M3UA                M3UA           MTP3            MTP3
     SCTP                SCTP           MTP2            MTP2
     IP                  IP             MTP1            MTP1

• Bottom line: SG can appear as an SS7 SP at the interface

Tutorial: IP-TDM Phone Service
SIP-SS7 Signaling

Questions?

IP-TDM Phone Service
Signaling Interworking Vulnerabilities

Background
• New players (CLECs) increasing the number of SS7 access points
• Signaling Gateway looks like another SS7 SP to an STP
• Absence of message integrity and authentication in SS7
     – Could use IPsec in hybrid environment – but it ends at the SG
Recent analysis (December 2006)
• Hijacked or misbehaving SS7 nodes
     – Open to Signaling Network Management (SNM) injects
     – Injections towards MGC can disrupt VoIP services
• Hijacked or misbehaving Signaling Gateway
     – Can affect functioning of SS7 network
   "Threats arising in either network due to misprovisioned or
   malicious signaling nodes are not confined to that network alone but
   may affect the other network as well."               GMU - UNT

IP-TDM Phone Service
Signaling Interworking Vulnerabilities

Critical management messages in IP and SS7 networks – just SS7 level 3

SS7 protocol layer and its management messages:
     Message Transfer Part Level 3: MTP3
     Signaling Network Management msgs:
     • Emergency Changeover Order
     • Changeover Order
     • Transfer Prohibited
     • Transfer Controlled
     • Transfer Restricted

SS7 network management messages in an IP network:
     SIGTRAN layer: M3UA
     At the Signaling Gateway, M3UA provides interworking with the MTP3 function by using ASP management messages:
     • Destination Restricted
     • Destination Unavailable
     • Signaling Congestion
     • Destination User Part Unavailable

IP-TDM Phone Service
Signaling Interworking Vulnerabilities

• Only widely deployed security solution
     – Telcordia's Gateway Screening Specification
     – Implemented at gateway STPs
     – Generally screens only message headers
     – Doesn't check content and structure of most signaling messages
• Commercial products to secure SS7 are emerging
     – Content-based and signal-sequence firewalls
     – Network Access Mediation (Sevis)
     – SS7 Security Gatekeeper (Verizon)
• Proposed: MTPSec to secure SS7 network layer

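Gateway screening, as stated above, looks only at message headers, while the SNM injects on the earlier slides live in the message content: the M3UA messages listed there (Destination Unavailable, Destination Restricted, Signaling Congestion, Destination User Part Unavailable) each carry the point codes they claim to affect. An added example, not from the deck or any product named on it: a minimal M3UA encoder/decoder (header and parameter layout per RFC 4666) plus a content-level screen at the SG that accepts such a message only if it is structurally sound and names a point code the sending peer is provisioned to speak for. The point codes, routing contexts and the reject-wildcard rule are an assumed local policy.

```python
import struct

# M3UA common header and parameter codes from RFC 4666; the page names the
# messages, the numbers below are the RFC's.
M3UA_VERSION = 1
CLASS_SSNM = 2                      # SS7 Signalling Network Management messages
SSNM_TYPES = {1: "DUNA", 2: "DAVA", 3: "DAUD", 4: "SCON", 5: "DUPU", 6: "DRST"}
TAG_ROUTING_CONTEXT = 0x0006
TAG_AFFECTED_PC = 0x0212            # list of (8-bit mask, 24-bit point code)


def build_ssnm(msg_type, affected_pcs, routing_context=None):
    """Encode an SSNM message; affected_pcs is a list of (mask, point_code)."""
    params = []
    if routing_context is not None:
        params.append((TAG_ROUTING_CONTEXT, struct.pack("!I", routing_context)))
    apc = b"".join(struct.pack("!I", (mask << 24) | pc) for mask, pc in affected_pcs)
    params.append((TAG_AFFECTED_PC, apc))
    body = b""
    for tag, value in params:
        length = 4 + len(value)                       # length covers tag+length+value
        body += struct.pack("!HH", tag, length) + value + b"\0" * (-length % 4)
    return struct.pack("!BBBBI", M3UA_VERSION, 0, CLASS_SSNM, msg_type, 8 + len(body)) + body


def parse_m3ua(data):
    """Decode (class, type, [(tag, value)]); raise ValueError on structural errors."""
    if len(data) < 8:
        raise ValueError("short header")
    ver, _, cls, typ, length = struct.unpack("!BBBBI", data[:8])
    if ver != M3UA_VERSION or length != len(data):
        raise ValueError("bad version or length")
    params, off = [], 8
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated parameter header")
        tag, plen = struct.unpack("!HH", data[off:off + 4])
        if plen < 4 or off + plen > length:
            raise ValueError("bad parameter length")
        params.append((tag, data[off + 4:off + plen]))
        off += plen + (-plen % 4)                     # parameters are 4-byte padded
    return cls, typ, params


def affected_point_codes(params):
    pcs = []
    for tag, value in params:
        if tag == TAG_AFFECTED_PC:
            if len(value) % 4:
                raise ValueError("affected point code list not 32-bit aligned")
            for i in range(0, len(value), 4):
                word = struct.unpack("!I", value[i:i + 4])[0]
                pcs.append((word >> 24, word & 0xFFFFFF))
    return pcs


def screen_ssnm(data, peer_owned_pcs, allowed_rcs):
    """Content screen for one SS7-side peer. Returns (accept, reason).
    peer_owned_pcs: point codes this peer may report on (assumed provisioning).
    allowed_rcs: routing contexts provisioned for this peer."""
    try:
        cls, typ, params = parse_m3ua(data)
    except ValueError as e:
        return False, "malformed: %s" % e
    if cls != CLASS_SSNM:
        return True, "not SSNM; outside this screen"
    name = SSNM_TYPES.get(typ)
    if name is None:
        return False, "unknown SSNM type %d" % typ
    rcs = [struct.unpack("!I", v)[0] for t, v in params
           if t == TAG_ROUTING_CONTEXT and len(v) == 4]
    if rcs and not set(rcs) <= set(allowed_rcs):
        return False, "%s: routing context %s not provisioned for peer" % (name, rcs)
    try:
        pcs = affected_point_codes(params)
    except ValueError as e:
        return False, "%s: %s" % (name, e)
    if not pcs:
        return False, "%s: no Affected Point Code" % name
    for mask, pc in pcs:
        if mask != 0:       # policy choice: no wildcard ranges from an external peer
            return False, "%s: wildcard mask %d on point code %d rejected" % (name, mask, pc)
        if pc not in peer_owned_pcs:
            return False, "%s: peer may not speak for point code %d" % (name, pc)
    return True, "%s for %s" % (name, sorted(pc for _, pc in pcs))
```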
Open Source PBX
Be Your Own Phone Company

[Figure: an Asterisk PBX behind a router reaches a termination provider, which hands the call to the TDM network's SSP.]

Be Your Own Phone Company
Asterisk – Corporate PBX

[Figure: image only on the original slide.]

Open Source PBX
Spoofing - Service & Do-It-Yourself

[Figure: the same Asterisk PBX, router, termination provider and SSP as on the previous diagram.]

Be Your Own Phone Company
Spoofing - Service & Do-It-Yourself

Things to know:
     – Can use standard SetCallerID(nnnnnnnnnn) command
          • PBX-like; not efficient for per-call spoofing
     – Asterisk software is easily patched to do Caller ID spoofing
          • Add the following lines to extension config file
              exten => 33,1,Answer
              exten => 33,2,AGI(cidspoof.agi)
          • Download the cidspoof.agi script changing line 77 to
            the correct username / hostname for VoIP service provider, and copy
            to /var/lib/asterisk/agi-bin/
          • Start Asterisk
          • Call extension 33, enter number you wish to spoof from, followed by
            number you wish to spoof to.

Open Source PBX

• Authentication concerns (CPN, BTN)
     – manipulation now much cheaper
     – isolation from traceability much greater

Smartphone Security
General Outlook

• Virus problem seems relatively small and manageable…
     – Cell phone carriers have strong incentives to keep it under control
     – Cell phone carriers have good control points (e.g., gateways)
     – Incidents to date haven't been widespread or fast spreading
     – Many categorized as low-threat "proof of concept"

• Q: "Is the Sky Falling?"
   A: "Probably not; not at the moment."

• "But the ocean…"

Smartphone Security
General Outlook

• But… cell phones are an increasingly attractive target
     – Applications becoming more PC-like; e.g., email attachments
       (smart phones make up about 5% of cell phones)
     – Operating system uniformity increases appeal to hackers
       (i.e., Symbian, PocketPC, PalmOS dominate smart phones)
     – Standard markup languages create openings (e.g., JavaScript)
     – Phones increasingly carry sensitive info (e.g., business info)
     – Phones increasingly can make small financial charges
          • by accepting "reverse SMS" micropayment charges
          • i.e., there's a direct link to money
• Potential impact of viruses seems high

Smartphone Security
General Outlook

Q: "What can mobile viruses do?"
• Spread via Bluetooth, MMS
• Send SMS messages
• Infect files
• Enable remote control of the smartphone
• Modify or replace icons or system applications
• Install "false" or non-operational fonts and applications
• Combat antivirus programs
• Install other malicious programs
• Block memory cards
• Steal data

Smartphone Security
Symbian OS…

• Dominant smartphone OS (50% of phones shipped)
• Allows user to install untrusted code
     – post-installation antivirus software not as mature as on the PC
• Once installed, code has access to all resources
     – extract phone numbers, email
     – send SMS, MMS, email; make HTTP connections
     – dial numbers; connect via Bluetooth
• Possible to avoid detection
     – run in background (server); wait for long idles; delete logs
     – user unaware of filesystem
• Possible to avoid removal, short of reflashing

Smartphone Security
Bluetooth…

• Devices
     – 13% of phones sold worldwide in 2004; 4% in U.S.
• Distances
     – Nominal range is 10 meters (often boosted to 100 m)
     – Hijacking phones has been demonstrated at over a mile
• Suggested cipher vulnerabilities
     – [see Wetzel]
• Observation
     – a "personal networking standard" vulnerable to personal
       misjudgments and oversights

Smartphone Security
Creating the Conditions for a Perfect Storm?

[Figure: a smartphone sits where the Internet, the PSTN and Bluetooth meet.]

Smartphone Security
Evolution

• By early 2005 main types of mobile viruses had evolved
     – Very few in last 18-24 months are truly original
• Now 31 families, 170 variants.
• MMS will eventually become common method of propagation

[Figure: "Increase of known mobile malware variants", a count of variants over time starting from 6/2004.]

Service Providers
Cyber Security Practice

Background
• History
     – Network Reliability & Interoperability Council (NRIC)
     – NRIC VI & VII: assembled Cybersecurity Best Practices
     – applicable as appropriate; voluntary, …
     – more of a checklist where one would like a culture
• Stipulation
     – Technical complexity; industry's superior expertise & resources
     – Regulation may not result in adoption of underlying philosophy

Service Providers
Cyber Security Practice

• Question
     – Are ISP businesses "Markets for Lemons" wrt security?
          • asymmetric information → willingness to pay only average price
          • above-average security will be driven out of the market?
• Challenge
     – Are there approaches to improving security and reliability of
       infrastructure that benefit both users and providers?
     – What are the incentives?
     – Are ISP business dynamics and industry sectors different?

				