January 28, 2009
This article was contributed by Nathan Willis
If you use any flavor of voice-over-IP (VoIP) technology, whether free
software or proprietary, lone softphone or multi-line office Asterisk
server, then you need to take a hard look at VoIP security. Himanshu
Dwivedi's Hacking VoIP: Protocols, Attacks, and Countermeasures, from
No Starch Press, provides a thorough but clear examination of the
landscape. It systematically examines the core VoIP protocols, server and
connection infrastructure, and social engineering weaknesses in VoIP
deployment. It also provides example attacks that the reader can reproduce
on test machines, and details the effective safeguards.
The book covers security for all major breeds of voice-over-IP
technology: Session Initiation Protocol (SIP)-based, H.323-based, and
Inter-Asterisk Exchange (IAX)-based. SIP is found in most
current-generation VoIP software, such as Twinkle, KPhone, and
Telepathy. H.323 is an older protocol stack, but is still in widespread
use, particularly through the Ekiga project. Both SIP and H.323 use
Real-time Transport Protocol (RTP) to handle audio streams. IAX handles
connection management and audio data in one protocol, and is used by the
Asterisk telephony server, although Asterisk can handle SIP and H.323 as
well.
Part I examines each protocol in turn: SIP, H.323, RTP, and IAX. The
author provides an overview of the authentication, call set-up, session
management, and audio transport of each protocol stack. He then explores
weaknesses and potential attacks against each protocol in depth.
Part II looks at potential attacks on VoIP networks that exploit
underlying Internet infrastructure that connects both clients and servers,
such as Simple Network Management Protocol (SNMP) and DNS. It also examines
non-technical security threats such as phishing and Spam Over IP Telephony
(SPIT), and includes a brief roundup of the security status of various
widely available public VoIP services.
Part III explores how to harden VoIP systems, using encryption and
secure authentication based on technologies such as Transport Layer
Security (TLS), Secure RTP (SRTP), and Phil Zimmermann's ZRTP. The book
concludes with a step-by-step VoIP Security Audit Program created by the
author.
Dwivedi's writing makes the subject matter accessible without
sacrificing detail. His explanations of topics like SIP authentication
handshakes are clear enough for a novice to understand. That clarity is
critical for explaining more complicated issues like Man-in-the-Middle and
eavesdropping attacks that consist of a precise sequence of events.
Better still, for each loophole exploited, he provides step-by-step
instructions for executing the attack in a laboratory environment. The
laboratory consists of an Asterisk server and one or more client
applications connecting via SIP, H.323, or IAX. Some exploits — such as
username sniffing — require only common network analysis tools like
Wireshark. For those that require special capabilities, like injecting SIP
packets, the author provides links to the appropriate applications.
If you are not already familiar with VoIP security, the outlook may
frighten you. All three protocol stacks are assailable on a number of
fronts, from identity spoofing to denial-of-service, and the chinks in the
armor are part of the stacks themselves, not poor implementations.
For example, SIP and H.323 both use MD5 to hash authentication
credentials, making them vulnerable to offline dictionary attacks. IAX
supports stronger RSA authentication in addition to MD5, but it can be
downgraded to plaintext authentication with a single spoofed packet. Denial
of service attacks on all three protocols are as simple as flooding the
network with registration rejection, call rejection, or call termination
packets. RTP eavesdropping and audio insertion are possible because RTP
assumes that the connection — established by SIP or H.323 — is
secure.
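As an added illustration (not code from the book or from this review), a small detector for the flood-style denial of service described above, run over constructed SIP message summaries: it flags BYE, CANCEL or rejection responses sent by a host that is not a party to the dialog they reference, and bursts of such messages from a single source. The hosts, Call-IDs and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict, deque

# Constructed SIP traffic summary: (seconds, src_ip, dst_ip, start_line, call_id).
# Not a real capture; hosts and Call-IDs are made up for this illustration.
SAMPLE = [
    (0.0, "10.0.0.5", "10.0.0.9", "INVITE sip:bob@example.test SIP/2.0", "c1"),
    (0.2, "10.0.0.9", "10.0.0.5", "SIP/2.0 200 OK", "c1"),
    (1.0, "10.0.0.5", "10.0.0.9", "REGISTER sip:example.test SIP/2.0", "r1"),
    (1.1, "10.0.0.9", "10.0.0.5", "SIP/2.0 401 Unauthorized", "r1"),  # normal challenge
    (2.0, "10.0.0.77", "10.0.0.5", "BYE sip:bob@example.test SIP/2.0", "c1"),  # third host
]
# Burst of registration rejections from the same outsider, each for an unseen Call-ID.
SAMPLE += [(3.0 + i * 0.1, "10.0.0.77", "10.0.0.5", "SIP/2.0 403 Forbidden", f"x{i}")
           for i in range(6)]

RESPONSE = re.compile(r"^SIP/2\.0 (\d{3}) ")
TEARDOWN_METHODS = {"BYE", "CANCEL"}

def is_teardown(start_line):
    """True for messages that end or refuse a call or registration:
    BYE, CANCEL, and 4xx/5xx/6xx responses."""
    m = RESPONSE.match(start_line)
    if m:
        return m.group(1)[0] in "456"
    return start_line.split(" ", 1)[0] in TEARDOWN_METHODS

def detect(messages, window=5.0, threshold=5):
    """Return (kind, src_ip, call_id) alerts for two flood signatures:
    a teardown from a host that is not a party to that dialog, and
    `threshold` teardowns from one source inside `window` seconds."""
    alerts = []
    parties = defaultdict(set)   # call_id -> hosts seen in the dialog's own traffic
    recent = defaultdict(deque)  # src_ip -> timestamps of recent teardowns
    for t, src, dst, line, cid in messages:
        if not is_teardown(line):
            parties[cid].update((src, dst))  # INVITE, REGISTER, 2xx etc. define the dialog
            continue
        if src not in parties[cid]:  # spoofed BYE/CANCEL/rejection, or unknown Call-ID
            alerts.append(("spoofed_teardown", src, cid))
        q = recent[src]
        q.append(t)
        while t - q[0] > window:     # drop timestamps outside the sliding window
            q.popleft()
        if len(q) == threshold:      # fire once, as the burst crosses the threshold
            alerts.append(("teardown_flood", src, None))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The server's own 401 challenge is not flagged because the REGISTER that preceded it already placed both hosts in that dialog; only the outsider's messages produce alerts.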
The good news is that the strength of SIP, H.323, and IAX can be
significantly improved. TLS can secure call set-up, SRTP can harden audio
transport, and careful security auditing can close holes on gateway servers
and proxies. But this takes active measures; as Dwivedi observes in the
book, end users and administrators often make assumptions about the
security of VoIP based on their past experience with the comparatively
robust security of traditional phone systems and GSM networks.
Those assumptions are by and large wrong. Dwivedi devotes a chapter to
scrutinizing the security of widespread VoIP products, from free services
like Google Talk and Yahoo Messenger to commercial products like
Vonage. Vonage uses neither TLS nor SRTP, making it vulnerable to every
attack on SIP or RTP. Yahoo and Google gain some security by using TLS on
their sign-on processes, but are still exposed to a long list of
exploits.
In light of that chapter, I did a brief survey of the open source VoIP
project scene to see which projects supported TLS, SRTP, and ZRTP; the
results are not much better. A few projects, such as minisip and Twinkle, make
security a priority, but most do not. Notably, Asterisk and Ekiga have long
planned to support TLS and SRTP, but have yet to release a working
build.
Hacking VoIP is a must-read for anyone interested in
Internet telephony, whether as a developer or an end-user. Dwivedi clears
away the fog surrounding VoIP security, revealing it for what it is:
attainable, but only through conscious effort.
Every day, I see more and more TV commercials advertising "magic" boxes
that plug in to your telephone and your broadband, allowing you to make
free or cheap telephone calls. These products are undoubtedly
SIP-and-RTP-based devices with no security. VoIP is still in its infancy
compared to email and the Web; making security commonplace is still
possible. By spreading a good understanding of the seriousness of the
issues and how to solve them, this book could go a long way towards making
that a reality.