Threats Against Confidentiality
Another category of VoIP threat is the threat against confidentiality.
Unlike the service interruptions in the previous section, threats against confidentiality do not impact current communications generally, but provide an unauthorized means of capturing media, identities, patterns, and credentials that are used for subsequent unauthorized connections or other deceptive practices.
VoIP transactions are mostly exposed to the confidentiality threat because most VoIP service does not provide full confidentiality (both signal and media) end-to-end. In fact, full encryption of message headers is not possible because intermediary servers (for example, SIP proxy server) have to look at the headers to route the call. In some cases, the servers have to insert some information into the header (for example, Via header in SIP) as the protocol is designed.
This section introduces the most popular types of confidentiality threats: eavesdropping media, call pattern tracking, data mining, and reconstruction.
Eavesdropping on someone's conversation has been a popular threat since telecommunication service started a long time ago, even though the methods of eavesdropping are different between legacy phone systems and VoIP systems.
In VoIP, an attacker uses two methods typically. One is sniffing media packets in the same broadcasting domain as a target user's, or on the same path as the media. The other is compromising an access device (for example, Layer 2 switch) and forwarding (duplicating) the target media to an attacker's device.
The media can be voice-only or integrated with video, text, fax, or image. Figure 2-6 illustrates these cases.
Figure 2-6 Eavesdropping Media
In Figure 2-6, the attacker's device that is in the same broadcasting domain as the IP phone of User A can capture all signals and media through the hub. This figure also shows the possibility that the attacker intrudes in a switch or router, and configures a monitoring port for voice VLAN, and forwards (duplicates) the media to the attacker's capturing device.
Another possible way of eavesdropping media is that an attacker taps the same path as the media itself, which is similar to legacy tapping technique on PSTN. For example, the attacker has access to the T1 itself and physically splits the T1 into two signals.
Although this technique is targeting media, the next method (call pattern tracking) is targeting signal information.
Call Pattern Tracking
Call pattern tracking is the unauthorized analysis of VoIP traffic from or to any specific nodes or network so that an attacker may find a potential target device, access information (IP/port), protocol, or vulnerability of network. It could also be useful for traffic analysis—knowing who called who, and when. For example, knowing that a company's CEO and CFO have been calling the CEO and CFO of another company could indicate that an acquisition is under way. For another example, knowing that a CEO called her stockbroker immediately after meeting with someone with insider stock knowledge is useful. That is, this is useful for learning about people and information.
To show an example of unauthorized analysis, sample messages that an attacker may capture in the middle of a network are illustrated in Example 2-2. It shows simple SIP request (INVITE) and response (200 OK) messages, but an attacker can extract a great deal of information from them by analyzing the protocol (key fields are highlighted).
Example 2-2. Exposed Information from SIP Messages
INVITE sip:email@example.com:5060 SIP/2.0 Via: SIP/2.0/UDP 10.10.10.10:5060;branch=z9hG4bK00002000005 From: Alice <sip:firstname.lastname@example.org:5060>;tag=2345 To: Bob <sip:email@example.com> Call-Id: 9252226543-0001 CSeq: 1 INVITE Contact: <sip:firstname.lastname@example.org> Expires: 1200 Max-Forwards: 70 Content-Type: application/sdp Content-Length: 143 Session Description Protocol Version (v): = 0 Owner/Creator, Session Id (o): 2 2 2 IN IP4 10.10.10.10 Session Name (s): Session SDP Connection Information (c): IN IP4 10.10.10.10 Media Description, name and address (m): audio 9876 RTP/AVP 0 8 18 Media Attribute (a): rtpmap:0 PCMU/8000 Media Attribute (a): rtpmap:8 PCMA/8000 Media Attribute (a): rtpmap:18 G729a/8000 =========================================================== SIP/2.0 200 OK Via: SIP/2.0/UDP 10.10.10.10:5060;branch=z9hG4bK00002000005 From: Alice <sip:email@example.com:5060>;tag=2345 To: Bob <sip:firstname.lastname@example.org>;tag=4567 Call-Id: 9252226543-0001 CSeq: 1 INVITE Contact: <sip:email@example.com> Content-Type: application/sdp Content-Length: 131 Session Description Protocol Version (v): = 0 Owner/Creator, Session Id (o): 2 2 2 IN IP4 172.26.10.10 Session Name (s): Session SDP Connection Information (c): IN IP4 172.26.10.10 Media Description, name and address (m): audio 20000 RTP/AVP 18 Media Attribute (a): rtpmap:18 G729a/8000
The following list shows sample information that the attacker may extract from Example 2-2:
- The IP address of the SIP proxy server is 192.168.10.10, and the listening port is 5060.
- They use User Datagram Protocol (UDP) packets for signaling without any encryption, such as Transport Layer Security (TLS) or Secure Multipurpose Internet Mail Extension (S/MIME).
- The proxy server does not require authentication for a call request.
- The caller (Alice), who has a phone number 4085251111, makes a call to Bob at 9252226543.
- The IP address of Alice's phone is 10.10.10.10 and a media gateway is 172.26.10.10 (supposing that the call goes to PSTN).
- The media gateway opens a UDP port, 20000, to receive Real-time Transport Protocol (RTP) stream from Alice's phone.
- The media gateway accepts only G.729a codec (Alice's phone offered G.711a, G.711u, and G.729a initially).
The information just presented can be used for future attacks, such as DoS attack on the proxy server or the media gateway.
Like email spammers who collect email addresses from various sources like web pages or address books, VoIP spammers also collect user information like phone numbers from intercepted messages, which is one example of data mining.
The general meaning of data mining in VoIP is the unauthorized collection of identifiers that could be user name, phone number, password, URL, email address, strings or any other identifiers that represent phones, server nodes, parties, or organizations on the network. In Example 2-2, you can see that kind of information from the messages.
An attacker utilizes the information for subsequent unauthorized connections such as:
- Toll fraud calls
- Spam calls (for example, voice, Instant Messaging [IM], presence spam)
- Service interruptions (for example, call flooding, call hijacking, and call teardown)
- Phishing (identity fraud; see the section "Threats Against Social Context" for more information)
With valid identities, attackers could have a better chance to interrupt service by sending many different types of malicious messages. Many servers reject all messages, except registration, unless the endpoint is registered.
Reconstruction means any unauthorized reconstruction of voice, video, fax, text, or presence information after capturing the signals or media between parties. The reconstruction includes monitoring, recording, interpretation, recognition, and extraction of any type of communications without the consent of all parties. A few examples are as follows:
- Decode credentials encrypted by a particular protocol.
- Extract dual-tone multifrequency (DTMF) tones from recorded conversations.
- Extract fax images from converged communications (voice and fax).
- Interpret the mechanism of assigning session keys between parties.
These reconstructions do not affect current communications, but they are utilized for future attacks or other deceptive practices.
In this section so far, you have learned about threats against confidentiality such as eavesdropping media, call pattern tracking, data mining, and reconstruction. The next section covers another type of threats: breaking message and media integrity.