VoIP Threat Taxonomy

Chapter Description

This chapter categorizes the main threats against VoIP service (threats against availability, confidentiality, integrity, and social context) and explains their impact and possible methods of protection.

From the Book

Voice over IP Security

Threats Against Integrity

Another category of VoIP threat is the threat against integrity, which in most cases severely affects the service currently in use: the call is rerouted, dropped, or carries media that the parties never sent.

The basic method of the integrity threat is to intercept messages (signals) or media in the middle of the network and alter them before passing them on. This requires that the attacker first obtain an on-path (man-in-the-middle) position, from which he can see the entire signaling and media stream between the endpoints as an intermediary. The alteration can consist of deleting, injecting, or replacing certain information in the VoIP message or media.

This section is divided into two types of threat at a high level:

  • Threats against message integrity (message alteration)
  • Threats against media integrity (media alteration)

The following sections describe and give examples of each type of threat.

Message Alteration

Message alteration is the threat that an attacker intercepts signaling messages between the communicating entities and alters certain fields in them to reroute the call, change call information, interrupt the service, and so on. The typical examples are call rerouting and black holing.

Call Rerouting

Call rerouting is any unauthorized change of call direction made by altering the routing information in a protocol message. The result of call rerouting is either to exclude legitimate entities from, or to include illegitimate entities in, the path of the call signaling or media.

Figure 2-7 illustrates an example in which a malicious entity is inserted into the path during call setup.

Figure 2-7 Call Rerouting

In Figure 2-7, an attacker keeps monitoring the call request message (for example, SIP INVITE) from User A to a redirect server. When User A initiates a call, the IP phone sends an INVITE message to the redirect server, as shown in Example 2-3.

Example 2-3. IP Phone Sends an INVITE Message to the Redirect Server

INVITE sip:Bob@192.168.10.10:5060 SIP/2.0
Via: SIP/2.0/UDP 10.10.10.10:5060;branch=z9hG4bK00002000005
From: UserA <sip:UserA@10.10.10.10:5060>;tag=2345
To: Bob <sip:Bob@192.168.10.10>
Call-Id: 9252226543-0001
CSeq: 1 INVITE
Contact: <sip:UserA@10.10.10.10>
Max-Forwards: 70
Content-Length: 0

The attacker detects the INVITE and intercepts the response message (that is, "302 Moved Temporarily") from the redirect server, as shown in the continuation of Example 2-3.

SIP/2.0 302 Moved Temporarily
Via: SIP/2.0/UDP 10.10.10.10:5060;branch=z9hG4bK00002000005
From: UserA <sip:UserA@10.10.10.10:5060>;tag=2345
To: Bob <sip:Bob@192.168.10.10>;tag=6789
Call-Id: 9252226543-0001
CSeq: 1 INVITE
Contact: <sip:Bob@10.1.1.10>
Content-Length: 0

The attacker replaces the address of the legitimate proxy server (10.1.1.10) in the Contact header with that of his own proxy server (172.26.1.10) and forwards the altered response to the IP phone, as shown in the continuation of Example 2-3. Nothing else in the response changes, and the phone has no way to notice the substitution unless the response is integrity protected.

SIP/2.0 302 Moved Temporarily
Via: SIP/2.0/UDP 10.10.10.10:5060;branch=z9hG4bK00002000005
From: UserA <sip:UserA@10.10.10.10:5060>;tag=2345
To: Bob <sip:Bob@192.168.10.10>;tag=6789
Call-Id: 9252226543-0001
CSeq: 1 INVITE
Contact: <sip:Bob@172.26.1.10>
Content-Length: 0

The IP phone sends a new INVITE to the attacker's proxy server rather than to the legitimate server, and the attacker's server relays the message onward to the real destination, as shown in Figure 2-7. From this point on, the attacker sits in the signaling path between the endpoints and can read or modify every message for any malicious purpose, including the SDP that determines where the media is sent.
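The exchange above, worked through in code as an added example (not code from the book): a small SIP parser, the attacker's Contact rewrite, and the steps a phone takes when it follows a 3xx per RFC 3261 section 8.1.3.4 (Request-URI taken from Contact, same Call-ID/From/To, CSeq incremented, fresh Via branch). The Via line in the constructed 302, the trusted_hosts policy and all helper names are assumptions for illustration; a plain phone applies no such check, which is why the rewritten Contact works.

```python
import re
import secrets
from typing import List, Optional, Set, Tuple

# Constructed input (not a capture): the legitimate 302 of Example 2-3, with the
# Via header a redirect server must echo back from the INVITE.
LEGIT_302 = (
    "SIP/2.0 302 Moved Temporarily\r\n"
    "Via: SIP/2.0/UDP 10.10.10.10:5060;branch=z9hG4bK00002000005\r\n"
    "From: UserA <sip:UserA@10.10.10.10:5060>;tag=2345\r\n"
    "To: Bob <sip:Bob@192.168.10.10>;tag=6789\r\n"
    "Call-ID: 9252226543-0001\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:Bob@10.1.1.10>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

Headers = List[Tuple[str, str]]
URI_HOST = re.compile(r"sips?:(?:[^@>]+@)?([^;:>]+)")  # host part of a SIP URI


def parse_sip(msg: str) -> Tuple[str, Headers]:
    """Split a SIP message into its start line and (name, value) header pairs."""
    head = msg.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def header(headers: Headers, name: str) -> str:
    """Case-insensitive header lookup (SIP header names are case-insensitive)."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    raise KeyError(name)


def serialize(start_line: str, headers: Headers, body: str = "") -> str:
    return start_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n" + body


def attacker_rewrite_contact(response: str, attacker_uri: str) -> str:
    """The on-path step of Figure 2-7: swap only the Contact URI, leave the rest intact."""
    start, headers = parse_sip(response)
    headers = [(n, f"<{attacker_uri}>" if n.lower() == "contact" else v) for n, v in headers]
    return serialize(start, headers)


def redirect_host(response: str) -> str:
    """Host the Contact header of a 3xx points the phone at."""
    _, headers = parse_sip(response)
    return URI_HOST.match(header(headers, "Contact").strip("<>")).group(1)


def redirect_is_trusted(response: str, trusted_hosts: Set[str]) -> bool:
    """Hypothetical hardening check: only follow redirects to known servers."""
    return redirect_host(response) in trusted_hosts


def uac_follow_redirect(response: str, trusted_hosts: Optional[Set[str]] = None) -> str:
    """Build the INVITE a phone sends after a 3xx (RFC 3261 8.1.3.4)."""
    start, headers = parse_sip(response)
    if not start.startswith("SIP/2.0 3"):
        raise ValueError("not a redirect response")
    if trusted_hosts is not None and not redirect_is_trusted(response, trusted_hosts):
        raise ValueError(f"refusing redirect to untrusted host {redirect_host(response)}")
    contact = header(headers, "Contact").strip("<>")
    cseq = int(header(headers, "CSeq").split()[0]) + 1
    via = header(headers, "Via").split(";branch=")[0] + ";branch=z9hG4bK" + secrets.token_hex(8)
    own_uri = re.search(r"<([^>]+)>", header(headers, "From")).group(1)
    new_headers = [
        ("Via", via),
        ("From", header(headers, "From")),
        ("To", header(headers, "To").split(";tag=")[0]),  # new dialog: no remote tag yet
        ("Call-ID", header(headers, "Call-ID")),
        ("CSeq", f"{cseq} INVITE"),
        ("Contact", f"<{own_uri}>"),
        ("Max-Forwards", "70"),
        ("Content-Length", "0"),
    ]
    return serialize(f"INVITE {contact} SIP/2.0", new_headers)


def request_target(invite: str) -> str:
    """Host the new INVITE is actually sent to (its Request-URI host)."""
    start, _ = parse_sip(invite)
    return URI_HOST.match(start.split()[1]).group(1)


if __name__ == "__main__":
    evil = attacker_rewrite_contact(LEGIT_302, "sip:Bob@172.26.1.10")
    print("legitimate redirect goes to", request_target(uac_follow_redirect(LEGIT_302)))
    print("altered redirect goes to  ", request_target(uac_follow_redirect(evil)))
```

The phone trusts the Contact of any 3xx it receives, so the only thing standing between User A and the attacker's proxy is whether the 302 can be altered in transit; protecting the signaling path (TLS to the redirect server) or a policy such as redirect_is_trusted removes that dependency.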

Call Black Holing

Call black holing is any unauthorized method of deleting, or refusing to forward, essential protocol messages or essential elements of them while sitting between the communicating entities. The consequences include delayed call setup, subsequent messages that go unanswered, application errors, dropped call connections, and so on. Here are a few examples with SIP:

  1. An attacker as an intermediary drops only the ACK messages between the call entities, so that the SIP dialog cannot be completed: the callee keeps retransmitting its 200 OK and eventually tears the call down, even though early media may already be flowing between the parties.
  2. An attacker as an intermediary deletes the media session description (SDP) from the INVITE message, so the callee cannot learn where to send media, which could result in one-way audio or call disconnection.
  3. An attacker as an intermediary refuses to pass any message to a specific user (the victim), so that the user cannot receive any inbound calls.
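What examples 1 and 3 do to the INVITE transaction, as an added simulation (not code from the book). The callee's behaviour follows RFC 3261 section 13.3.1.4: while no ACK arrives, the 200 OK is retransmitted at an interval that starts at T1 and doubles up to T2, and after 64*T1 seconds the callee gives up and sends BYE; the caller re-sends ACK for every 2xx copy it receives. The on-path filters, message tuples and Outcome fields are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

T1 = 0.5   # RFC 3261 default round-trip estimate, seconds
T2 = 4.0   # RFC 3261 cap on the retransmission interval, seconds

Message = Tuple[str, str, str]   # (sender, receiver, method or status)


def uas_2xx_retransmit_times(t1: float = T1, t2: float = T2) -> List[float]:
    """Offsets (seconds after the first 200 OK) at which the callee re-sends the 2xx
    while still waiting for ACK. Retransmission stops once 64*T1 has elapsed."""
    times, interval, elapsed = [], t1, 0.0
    while elapsed + interval < 64 * t1:
        elapsed += interval
        times.append(elapsed)
        interval = min(interval * 2, t2)
    return times


@dataclass
class Outcome:
    invite_delivered: bool
    acked: bool
    retransmissions: int          # extra 200 OK copies the callee had to send
    bye_sent: bool
    log: List[Message] = field(default_factory=list)


def run_invite_dialog(on_path: Callable[[Message], bool]) -> Outcome:
    """Drive INVITE -> 200 OK -> ACK between A (caller) and B (callee) through an
    on-path filter that returns True to forward a message and False to black-hole it."""
    log: List[Message] = []

    def send(msg: Message) -> bool:
        log.append(msg)
        return on_path(msg)

    if not send(("A", "B", "INVITE")):
        # Never reaches the callee; the caller's Timer B (64*T1) fails the transaction.
        return Outcome(False, False, 0, False, log)
    schedule = [0.0] + uas_2xx_retransmit_times()
    for i, _when in enumerate(schedule):
        # Callee (re)sends 200 OK; caller answers every copy it sees with ACK.
        if send(("B", "A", "200 OK")) and send(("A", "B", "ACK")):
            return Outcome(True, True, i, False, log)
    # 64*T1 elapsed without an ACK: callee terminates the session.
    send(("B", "A", "BYE"))
    return Outcome(True, False, len(schedule) - 1, True, log)


# Constructed on-path behaviours for the three examples in the text.
def pass_all(msg: Message) -> bool:
    return True


def drop_ack(msg: Message) -> bool:                 # example 1
    return msg[2] != "ACK"


def black_hole_victim(victim: str) -> Callable[[Message], bool]:   # example 3
    return lambda msg: msg[1] != victim


if __name__ == "__main__":
    result = run_invite_dialog(drop_ack)
    print(f"acked={result.acked} retransmissions={result.retransmissions} bye={result.bye_sent}")
```

With default timers the callee sends ten extra copies of the 200 OK over about 32 seconds before giving up, so a user who answered the call hears the caller (early or established media is unaffected) and then sees the call drop; a run of repeated 200 OK retransmissions with no matching ACK in a SIP trace is therefore a useful signature for an ACK black hole.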

Call rerouting and black holing both belong to message alteration, as previously described. The next section covers media alteration, the other part of the threat against integrity.

Media Alteration

Media alteration is the threat that an attacker intercepts media in the middle of communication entities and alters media information to inject unauthorized media, degrade the QoS, delete certain information, and so on. The media can be voice-only or integrated with video, text, fax, or image. The typical examples are media injection and degrading.

Media Injection

Media injection is an unauthorized method in which an attacker injects new media into an active media channel or replaces media in an active media channel. The consequence of media injection is that the end user (victim) may hear advertisement, noise, or silence in the middle of conversation. Figure 2-8 illustrates the example with voice stream.

Figure 2-8 Media Injection

In Figure 2-8, User A with an IP phone makes a call through a media gateway to User B, who has a PSTN phone. After the call setup, the IP phone sends voice (RTP) packets to the media gateway. An attacker in the middle monitors the RTP header fields of the voice packets (sequence number, timestamp, and SSRC), forges illegitimate packets (for example, advertisements) that carry the same SSRC and the next sequence numbers, and injects them into the voice channel so that they arrive before the legitimate packets. Because a receiver's jitter buffer keeps the first packet it sees for a given sequence number and discards later copies as duplicates, the gateway plays the attacker's payload and throws the legitimate packets away. User B in the PSTN hears the injected voice.

Media Degrading

Media degrading is an unauthorized method in which an attacker manipulates media (RTP) or media control (Real-Time Control Protocol [RTCP]) packets and reduces the QoS of the communication. Here are a couple of examples:

  1. An attacker intercepts RTCP packets in the middle and changes (or erases) the statistics they report about the media stream (packet loss, delay, and jitter). Endpoints use these reports to adapt the session, for example by changing codec or bit rate, so falsified values make them react to conditions that do not exist, or fail to react to conditions that do.
  2. An attacker intercepts RTP packets in the middle and rewrites their sequence numbers (or timestamps), so that the endpoint device plays the media in the wrong order, which degrades the quality. Note that RTCP packets carry no playout sequence number; the order in which a receiver plays media comes from the RTP header.
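The injection race of Figure 2-8 and the sequence-number rewriting of degrading example 2, as one added example (not code from the book). It builds raw RTP packets per RFC 3550, models a receiver that keeps the first packet it sees per sequence number, and shows both why forged packets must copy the SSRC and what a rotated set of sequence numbers does to playout. The SSRC value, the text payloads standing in for audio, the first-arrival-wins buffer rule and the helper names are assumptions for illustration; real jitter buffers differ in detail but share that rule.

```python
import struct
from typing import Dict, List, Tuple

SSRC = 0x1234ABCD          # constructed stream identifier for the legitimate talker
SAMPLES_PER_PKT = 160      # G.711 at 8 kHz, 20 ms per packet: RTP timestamp step


def rtp_packet(seq: int, ts: int, payload: bytes, ssrc: int = SSRC, pt: int = 0) -> bytes:
    """Minimal RTP v2 packet (RFC 3550): fixed 12-byte header, no CSRC list, no extension."""
    header = struct.pack("!BBHII", 0x80, pt, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc)
    return header + payload


def parse_rtp(pkt: bytes) -> Dict[str, object]:
    flags, pt, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if flags >> 6 != 2:
        raise ValueError("not RTP version 2")
    return {"seq": seq, "ts": ts, "ssrc": ssrc, "pt": pt & 0x7F, "payload": pkt[12:]}


class JitterBuffer:
    """Receiver model: locks on to the first SSRC it sees, keeps the FIRST packet that
    arrives for each sequence number, discards later copies as duplicates, and plays
    out in sequence-number order."""

    def __init__(self) -> None:
        self.ssrc = None
        self.slots: Dict[int, bytes] = {}
        self.dropped: List[Tuple[str, int]] = []

    def receive(self, pkt: bytes) -> None:
        p = parse_rtp(pkt)
        if self.ssrc is None:
            self.ssrc = p["ssrc"]
        if p["ssrc"] != self.ssrc:
            self.dropped.append(("ssrc", p["seq"]))   # foreign source, not merged into this stream
        elif p["seq"] in self.slots:
            self.dropped.append(("dup", p["seq"]))    # late legitimate packet loses the race
        else:
            self.slots[p["seq"]] = p["payload"]

    def playout(self) -> List[bytes]:
        return [self.slots[s] for s in sorted(self.slots)]


def legit_stream(n: int, start_seq: int = 1000) -> List[bytes]:
    """Constructed stand-in for User A's voice: payload b'A<i>' in place of audio."""
    return [rtp_packet(start_seq + i, i * SAMPLES_PER_PKT, f"A{i}".encode()) for i in range(n)]


def forge_ahead(observed: bytes, k: int, match_ssrc: bool = True) -> List[bytes]:
    """Media injection: from one sniffed packet, forge the next k sequence numbers with
    a continuing timestamp. With match_ssrc=False the forgeries carry a foreign SSRC."""
    last = parse_rtp(observed)
    ssrc = last["ssrc"] if match_ssrc else 0xDEADBEEF
    return [rtp_packet(last["seq"] + i, last["ts"] + i * SAMPLES_PER_PKT, f"AD{i}".encode(), ssrc=ssrc)
            for i in range(1, k + 1)]


def simulate_injection(n_legit: int = 6, k: int = 3, match_ssrc: bool = True):
    """Attacker sees seq 1000, races k forged packets in before the real 1001.. arrive."""
    legit = legit_stream(n_legit)
    jb = JitterBuffer()
    jb.receive(legit[0])
    for pkt in forge_ahead(legit[0], k, match_ssrc):
        jb.receive(pkt)
    for pkt in legit[1:]:
        jb.receive(pkt)
    return jb.playout(), jb.dropped


def rewrite_sequence_numbers(packets: List[bytes]) -> List[bytes]:
    """Media degrading: an on-path attacker rotates the sequence numbers across the
    packets (payload, SSRC and timestamp untouched), so the receiver reorders playout."""
    parsed = [parse_rtp(p) for p in packets]
    seqs = [p["seq"] for p in parsed]
    seqs = seqs[1:] + seqs[:1]
    return [rtp_packet(s, p["ts"], p["payload"], ssrc=p["ssrc"]) for s, p in zip(seqs, parsed)]


def simulate_degrading(n: int = 6) -> List[bytes]:
    jb = JitterBuffer()
    for pkt in rewrite_sequence_numbers(legit_stream(n)):
        jb.receive(pkt)
    return jb.playout()


if __name__ == "__main__":
    print("injection:", simulate_injection())
    print("degrading:", simulate_degrading())
```

Both manipulations succeed only because nothing authenticates the RTP header: SRTP (RFC 3711) computes its authentication tag over the header as well as the payload, so a receiver that checks it rejects both the forged packets and the ones whose sequence numbers were rewritten.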

In this section so far, you have learned about VoIP threats against integrity: message alteration (call rerouting, call black holing) and media alteration (media injection, media degrading). The next section covers another type of threat: threats against social context.
