Friday, 5 August 2011

SIP Registration Hijacking...

The reason we want to scan VoIP systems is the same as any other. I will also be posting on a number of free VoIP vulnerability scanning tools this weekend. The things an attacker can do using SIP Registration Hijacking include:

  • Call redirection (to a phone they want to monitor, to another person’s phone as a prank or just to a black hole, a fax or something else that causes problems)
  • Call swapping (having different people get different calls that should have been destined for the other)
  • Sending messages to a voicemail store or a recorder controlled by the attacker
  • MITM attacks.
MITM attacks on VoIP can lead to call interception, call recording and event injection and modification.

Defences…
I will detail more on the blog, but using TCP instead of UDP for SIP registrations is more secure. It makes life harder for the attacker and hence our lives as security professionals easier.

Better, use signalling encryption. Secure SIP (SIP-TLS and SIPS) may be an existing option with your current VoIP system. If it is, enable it. If not, you can use IPSec and other VPN tunnel technologies to encapsulate the SIP traffic and hence make it more difficult for an attacker to intercept and modify.

Always use strong SIP authentication policies with difficult to crack passwords (with SIP and all other passwords for this matter).

Finally, by reducing SIP registration intervals, the length of time an attacker has control is minimised and the attack becomes more difficult.

I will write on VoIP vulnerability scans this weekend.

No comments: