The bulk of security research pertaining to VoIP call control, setup and signaling protocols has focused on the Session Initiation Protocol (SIP), due to the ubiquity and widespread adoption of this protocol. However, a number of other protocols and protocol suites are in use in many organizations and have been adopted by many of the VoIP vendors. Some examples of these protocols are Cisco’s Skinny Client Control Protocol (SCCP or Skinny), the H.323 suite of protocols, and Asterisk’s Inter-Asterisk eXchange (IAX).
Himanshu Dwivedi and Zane Lackey of iSec Partners presented a talk at BlackHat in Vegas this year which explored some of the vulnerabilities facing H.323 and IAX. The talk was really enjoyable and refreshing as a change from the gamut of SIP issues and vulnerabilities which have been the focus of researchers. The bulk of the research conducted and the tools developed by iSec Partners centered on attacking the authentication and authorization processes of both protocols, as well as on denial of service attacks against H.323 and IAX.
If one were to ignore the RTP-based attacks which target the transport protocol for digitized voice, and concentrate on the signalling and call control protocols, what struck me most is that the attacks conducted are mostly a new application of known, older attack methods. Himanshu and Zane demonstrate how traffic can be sniffed from the wire and, at a very high level, how capturing authentication requests allows an attacker to perform offline dictionary attacks to determine the password required for authentication. This is achieved by calculating MD5 hashes over candidate passwords and comparing these to the captured values. (Bear in mind that for H.323, for example, the username, timestamp and MD5 hash can all be pulled from the wire, so an attacker has every ingredient needed to derive the password at her disposal: the timestamp prevents replay of a captured token, but it does nothing to protect the password itself, because the only unknown input to the hash is the password.)
Of course, a number of additional attacks were demonstrated, but the dictionary attack struck me as the most intriguing. One can consider early attacks against the hash-based authentication process for Microsoft Windows domains, as a single example, and easily draw the parallels; the premise of the attack is essentially identical. This is concerning and raises a number of questions, most notably: have we learned nothing from the past mistakes which have been made? Just because a technology is shiny and new, it should by no means be considered impervious to the old bugbears we have come to know and love (or loathe, depending on which side of the fence you sit).
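To make the point concrete, here is an added example (my own illustration, not iSec Partners' tool and not code from the talk) of the offline dictionary attack sketched above. The hash construction is a deliberately simplified stand-in: it assumes the endpoint hashes the username, the timestamp and the password together with MD5, whereas the real H.235 password token is MD5 over an ASN.1-encoded structure. The "captured" values, the endpoint name and the wordlist are all constructed for the example. The property that makes the attack work is the same either way: everything in the hash except the password is visible on the wire.

```python
import hashlib
from typing import Iterable, Optional

# Simplified stand-in for the password-hash token an H.323 endpoint sends
# during gatekeeper registration. ASSUMPTION: MD5 over "user:timestamp:password".
# The real H.235 token is MD5 over a PER-encoded ClearToken; the layout differs,
# but the attacker-relevant property is identical: username and timestamp are
# sent in the clear, so the password is the only unknown input.
def hash_token(username: str, timestamp: int, password: str) -> str:
    material = f"{username}:{timestamp}:{password}".encode()
    return hashlib.md5(material).hexdigest()


def offline_dictionary_attack(username: str, timestamp: int,
                              captured_hash: str,
                              wordlist: Iterable[str]) -> Optional[str]:
    """Recompute the token for each candidate password and compare it to the
    value sniffed from the wire. No further traffic to the gatekeeper is needed,
    so lockouts and rate limits on the server side never come into play."""
    for candidate in wordlist:
        if hash_token(username, timestamp, candidate) == captured_hash:
            return candidate
    return None


# Constructed "wire capture": the three fields a sniffer would pull from a
# registration request. The hash is generated here to simulate the endpoint;
# in a real capture it simply arrives as a 32-character hex string.
CAPTURED_USER = "phone-2012"
CAPTURED_TIMESTAMP = 1186533600
CAPTURED_HASH = hash_token(CAPTURED_USER, CAPTURED_TIMESTAMP, "cisco123")

# Constructed wordlist; a real attack would use a large password list.
WORDLIST = ["password", "1234", "admin", "cisco", "welcome1", "cisco123", "letmein"]


def recover_password() -> Optional[str]:
    return offline_dictionary_attack(CAPTURED_USER, CAPTURED_TIMESTAMP,
                                     CAPTURED_HASH, WORDLIST)


def timestamp_prevents_replay_not_guessing() -> bool:
    """A fresh timestamp yields a different token (so a captured token cannot
    simply be replayed later), yet the captured token is still crackable
    because the attacker saw the timestamp it was computed with."""
    replayed_later = hash_token(CAPTURED_USER, CAPTURED_TIMESTAMP + 1, "cisco123")
    return replayed_later != CAPTURED_HASH and recover_password() == "cisco123"


if __name__ == "__main__":
    print("recovered password:", recover_password())
    print("timestamp blocks replay but not guessing:",
          timestamp_prevents_replay_not_guessing())
```

The attack is entirely passive after the single capture, which is what makes it the same story as sniffing LM/NTLM challenge-response traffic off a Windows network a decade earlier: a fresh per-request value stops replay but does not hide a weak password from a fast hash.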
This thought process was driven home for me by the Premature Ajax-ulation talk delivered by Billy Hoffman and Bryan Sullivan of SPI Dynamics. I have caught a number of Billy Hoffman’s talks and really enjoy his Ajax research and his energetic presentation style. The talk was novel in that an Ajax-based application was built by the two of them from resources commonly available to Ajax developers (books, blogs etc.) without bringing the researchers’ security knowledge and experience into the mix. The idea was to accurately simulate the applications Ajax developers would produce.
The application was then torn apart from a security perspective, demonstrating all sorts of our old web application friends, including SQL Injection and Parameter Tampering among others, wrapped up in a shiny Ajax shell. Again I must say…we have been shouting about validation of data and not trusting the client since what feels like the dawn of time. Unleash a new technology and this all goes out the window? Indeed this is a sad, sad place to be…and security professionals and researchers cannot be blamed for feeling slightly jaded by the whole state of affairs…
Either way…the talks were fun…and shouts must go to the researchers mentioned, as well as those whose talks I didn’t mention, but enjoyed at BlackHat and Defcon. As I’m officially on vacation…I’m signing off and leaving you with some food for thought…if you fell off your BMX repeatedly when trying to perform 720 airborne spins as a kid and ultimately realized it was a bad idea, why try it again when you get a fancy new motorbike…? :>