Voices, I Hear Voices

Attack Trends Editors: Elias Levy, [email protected] Iván Arce, [email protected] Voices, I Hear Voices

No, I’m not interested in developing a powerful brain. All I’m after is just a mediocre brain, something like the President of the American Telephone and Telegraph Company. —Alan Turing

Through pride we are ever deceiving ourselves. But deep down below the surface of the average conscience a still, small voice says to us, something is out of tune. —Carl G. Jung

n 1876 Alexander Graham Bell received US patent valuable tool: a toy whistle included in Captain Crunch cereal boxes that number 174,465 for his “improvement in telegraphy,” produced the exact signal—an au- dible tone with a 2,600-Hz triggering a revolutionary change in human com- frequency—required to disrupt telephone signaling systems and take munications and the emergence of a new industry with control of the telephony trunk. Call- I ing a random phone number and technology at its very foundation. Today, more than 130 years blowing the whistle at any point dur- ing the call would grant trunk con- IVAŃ ARCE after the telephone’s invention, we anecdotes, and facts that link known trol to the caller and open up the Core Security face the difficult task of reconciling personalities with security and pri- PSTN’s front gate. Technologies the prodigal children of the two vacy improvements and setbacks in The practice of exploring, ex- great men quoted above within the the telephony industry. perimenting, and exploiting PSTN confines of our computer networks. In 1971, for example, Steve Woz- and telephone equipment vulnera- The assignment is far from easy, niak (www.woz.org/letters/general/ bilities came to be called phreaking, considering that men from tele- 03.html) and Steve Jobs jerry-rigged and phreakers soon learned that phony and computing worlds have an ingenuous device called the “Blue messing around with a telephone substantially different philosophies, Box,” which gave its users control of company’s assets didn’t necessarily idiosyncrasies, technologies, busi- long-distance trunks on the public lead to success stories or happy end- ness models, entry barriers, and op- switched telephony network (PSTN) ings. Draper was arrested on charges erational characteristics. by manipulating the session teardown, of toll fraud in 1972 and sentenced to The clash between these two call routing, and session establishment five years’ probation; later, in 1977, worldviews in the realm of computer protocols (http://en.wikipedia.org/ he was arrested again and convicted networks already plagued with secu- wiki/Blue_box). The Blue Box of wire fraud. He made better use of rity and privacy concerns is a fertile proved to be a useful tool for explor- his idle time by writing EasyWriter, ground for both offensive and defen- ing a PSTN’s obscure and propri- one of the earliest word processor sive information security practition- etary corners and making prank calls programs for Apple and IBM PC ers. In this installment of Attack or engaging in phone fraud in the computers. In the years to come, Trends, I delve into the new security form of “free” long-distance calls. It many other phreakers and hackers and privacy challenges the ongoing also demonstrated the commercial would follow similar paths. widespread adoption of IP telephony viability of new types of electronic In the 1980s, the advent of PCs and voice over IP (VoIP) pose. consumer products: Wozniak and and the general availability of rela- Jobs went on to found Apple Com- tively low-cost modems popularized Phreaky styley puter in 1976. by bulletin board systems (BBS) Arguably, many of today’s informa- In his account of the Blue Box helped a new generation of com- tion technologies, defensive security story, Wozniak cites an inspiring and puter users explore the confines of mechanisms, and attack patterns supposedly fictional article featuring both their own computers and the came from organizations and indi- Joe Engressia and John Draper that vast technological world that lay at viduals with deep roots in the appeared in Esquire in 1971 (www. the end of the phone line. Telephony telecommunications world of the webcrunchers.com/crunch/esq- companies worldwide operated 1970s and ’80s. The information se- art.html). Draper was called “Cap- business-oriented data networks on curity folklore is filled with stories, tain Crunch” because of his most the physical circuits of their PSTNs

using the ITU-T X.25 protocol suite 1990s. As the process unfolds, it’s in- tion assumption and expose entire for wide area networks (WANs) over creasingly obvious that security and telephony networks to the whim of phone lines (http://en.wikipedia. privacy concerns, attackers, and at- technically savvy users. The Blue- org/wiki/X.25). Interconnectivity, tack patterns have carried over from Boxing phreaker exploited the fact open protocols, and free access to both the telephony and computer that telephony trunks were operated data networks belonged to “toy net- network worlds. via in-band signaling, a system in works” such as the Internet, not the which network command and con- serious business-oriented infrastruc- Like Ma Bell, I’ve got trol and user data is sent over the same tures of X.25 networks. the ill communications medium. Abuse of in-band signaling In this context, several publica- A cursory review of the foundations prompted the move to out-of-band tions, such as Phrack (www.phrack. of PSTNs and IP-based networks signaling systems such as the Com- org) and 2600 The Hacker Quarterly reveals two opposing views on how mon Channel Interofﬁce Signaling (www.2600.org), and organizations to use technology for voice and data (CCIS, or Signaling System 7 as it such as the German Chaos Com- communications. The telephony came to be known internationally puter Club (www.ccc.de) and the networks were built on the assump- [http://en.wikipedia.org/wiki/ Dutch Hack-Tic Group (www. tion of complete ownership of al- Signalling_System_7]), which is an hacktic.nl), emerged as the telltale most all communications. A handful effective countermeasure for separat- signs of a subculture linked together of providers deployed and ran com- ing signaling and voice circuits. via a string of BBSs, informal techni- munications over physical links and Nonetheless, Micah Sheer, Eric cal publications, prototypical chat tightly controlled international stan- Cronin, Sandy Clark, and Matt Blaze systems, and social gatherings. The dards and proprietary protocols. showed—more than a decade later— line separating harmless and legiti- Most important, these providers that in-band signaling vulnerabilities mate activity from harmful and illegal maintained closed networks whose remain a valid security and privacy deeds rapidly blurred and soon con- operational characteristics couldn’t concern today.1 fronted the apparent lack of legal, reg- be tampered with because users The use of computers and termi- ulatory, and technical preparedness to were physically isolated from the sys- nals to manage and operate tele- address security and privacy con- tems that controlled them. phony equipment and networks cerns. Science-ﬁction author Bruce The Blue Box story is a particular weakened another major premise— Sterling’s novel epitomizes the daz- example of how the discovery and that PSTNs were closed networks. zled and confused times of this new exploitation of design weaknesses in This proved to be invalid when the subculture and its clash with law and signaling systems invalidate the isola- equipment became remotely accessi- order (“The Hacker Crackdown: Law and Disorder in the Electronic Frontier” is available online at http:// gopher.well.sf.ca.us:70/0/Publi cations/authors/Sterling/hc). Meanwhile, the Internet and IP protocol suite marched on to become the de facto standard for interconnect- ing research and academic organizations, building local area networks (LANs), and reaching out to the users who would transform it into a global nerve system for business and leisure. With it came a new crop of security and privacy problems: Web site de- facements, data privacy breaches, dis- tributed denial-of-service attacks, proliferation of computer worms and other malware, and spam. The convergence of voice and data communications over IP-based networks is developing steadily de- spite the iterative cycle of praise and dismissal that has raged since the mid

www.computer.org/security/ ■ IEEE SECURITY & PRIVACY 81 Attack Trends

ble via modems attached to regular, almost total disregard for security and work (www.ee.oulu.fi/research/ous although unlisted, phone lines. The an explicitly stated spirit of openness pg/protos/testing/c07/sip/). A year practice of systematically calling a set to foster interoperation among co- later, in April 2004, the UK Na- of phone numbers in search of an operative parties, which elicits a con- tional Infrastructure Security Coor- auto-answering modem attached to stantly changing threat model due to dination Centre (NISCC) worked a computer system became a popular the rapid development and adoption jointly with OUSPG to uncover hobby for home computer users. of new protocols, technologies, and multiple vulnerabilities in imple- War Games, a popular 1983 film, ex- applications. On the other hand, the mentations of the H.323 protocol posed this hacker “folklore” and in- technological foundations of tradi- suite that affect various vendors troduced the term war dialing (www. tional telephony networks indicate a (www.cert.org/advisories/CA- imdb.com/title/tt0086567). The conscious attempt to maintain con- 2004-01.html). The Secure RTP process was later automated with the trol of all the variables in an almost specification of March 2004 (www. development of ad hoc programs unchanged and unchangeable threat ietf.org/rfc/rfc3711.txt) seeks to ad- such as ToneLoc (www.textfiles. model, demanding security by ob- dress the lack of confidentiality, mes- com/hacking/tl-user.txt), a func- scurity and slower adoption and de- sage authentication, and replay tional predecessor to early TCP ployment of new technologies and protection mechanisms in the origi- port-scanning tools such as Strobe innovative business models. nal RTP and RTCP standards, a (http://ftp.cerias.purdue.edu/pub/ These two conflicting visions substantial privacy concern because tools/unix/scanners/strobe/). were on a collision course 20 years these protocols are used for voice The use of the Private Branch Ex- ago, and the possible outcomes of the transmission over IP networks. change (PBX) by government agen- impending crash are increasingly evi- Protocol-level attacks are no cies and research, education, and dent today in both the corporate net- longer theoretical possibilities, as businesses organizations implied the work and consumer market realms. Peter Thermos indicates in his de- deployment of telephony equip- tailed account of two plausible attack ment, owned and operated by PSTN I sit around and scenarios against VoIP (www.security customers, once again breaking the focus.com/infocus/1862), but a closed-network assumption and cast- watch the phone, more mundane type of security flaw ing some light on the software and but no one is calling plagues VoIP devices and software. hardware used in telephony equip- As IP telephony and VoIP become Insecure default configurations and ment. Further addition of IP-capable integral parts of modern enterprise software riddled with buffer over- interfaces for management of PBX networks, security and privacy con- flows and other trivial flaws charac- and central office switching equip- cerns are on the rise. On the security terize many VoIP devices being ment paved a road that would eventu- front, several groups have pointed deployed in corporate networks as ally lead to the IP protocol suite’s out several design and implementa- you read this article. Specific IP tele- adoption for the only component of tion flaws in VoIP’s building blocks phony and VoIP vulnerability met- the telecommunications infrastruc- and in its relatively new protocols, rics and statistics aren’t compiled as a ture that remained isolated from data such as the H.323 protocol suite single class in the lists maintained by networks: voice transmissions. (www.packetizer.com/voip/h323/ the Open Source Vulnerability Although the original PSTNs re- standards.html), the Session Initia- Database (OSVDB; www.osvdb. lied on a set of assumptions that de- tion Protocol (SIP, www.ietf.org/ org), MITRE (http://cve.mitre.org), fined a specific threat model, rfc/rfc3261.txt), Real-time Trans- SecurityFocus.com (www.security IP-based networks suffered from se- port Protocol and Real-time Trans- focus.com/vulnerabilities), or Secu- curity and privacy issues that derived port Control Protocol (RTP and nia (www.secunia.com), but a quick from their own set of assumptions. RTCP, www.ietf.org/rfc/rfc3550. search for vulnerabilities with the The adoption of open protocols txt), and the Media Gateway Con- keywords “voip,” “phone,” and helped make interoperation possible trol Protocol (MGCP, www.ietf. “SIP” reveals a mounting number of with many implementations that org/rfc/rfc3435.txt). IP-telephony products with a grow- were running on low-cost hardware In February 2003, the Oulu ing history of security flaws. and rapidly evolving software. Com- University Secure Programming munications over a shared medium Group (OUSPG) found an “alarm- Operator, with no single entity enforcing stan- ing failure rate” when it performed number please dards, regulating use, or policing security testing of various SIP im- Although deployment of IP- abuse yields, at least initially, a sub- plementations (www.cert.org/advi telephony and VoIP systems on enter- stantially different threat model. At sories/CA-2003-06.html) with the prise networks pose security and pri- the heart of the IP protocol suite is an PROTOS security testing frame- vacy challenges with no precise or

82 IEEE SECURITY & PRIVACY ■ JULY/AUGUST 2006 Attack Trends

clear-cut solutions, the increasing Jr. broke the story of a set of VoIP (www.amazon.com/gp/product/ adoption of VoIP in the consumer and scams that were worth one million 1596930500/104-5238401- small-enterprise markets doesn’t ap- US dollars to Edwin Andrés Pena, a 7578347) maintains a comprehen- pear free of problems either. Signaled 23-year old Miami Fla., resident sive IP telephony security site. An by eBay’s US$3,200 million acquisi- who was arrested a day earlier on extensive and regularly updated set tion of Luxembourg-based software fraud charges (www.nytimes.com/ of resources is also available at developer Skype Group in 2005, the 2006/06/08/technology/08voice. http://hhi.corecom.com/voip race to prevail in the VoIP communi- html?ex=1307419200&en=ae6b91 security.htm. cations market seems to be gaining a86dc4d7fa&ei=5088) speed when we look at initial public If phishing and spam are any indi- offering (IPO) tribulations of the US- cation of real and present threats for ur networks are converging based Internet telephony company “traditional” IP networks and initial O rapidly to become a single Vonage Holdings (www.business reports of use of these nefarious medium for all communications. week.com/technology/content/feb2 techniques over VoIP are confirmed We’re lured by the siren songs that 006/tc20060209_519496.htm), the (www.newscientist.com/article.ns? praise countless benefits and new availability of instant messaging soft- id=dn6445 and http://blogs.pc business opportunities, but if we don’t ware with voice communications ca- world.com/staffblog/archives/0019 seal our ears with wax and listen care- pabilities such as Google Talk 21.html), no further wakeup calls for fully, we’ll not miss a voice saying that (www.google.com/talk/), America information security practitioners something is out of tune. It’s in our Online’s TotalTalk service (www. should be necessary to address IP- hands to test the VoIP waters, hold totaltalk.com), and the new VoIP telephony threats proactively. Sev- steady at the helm of our networks, service offerings from incumbent eral guidelines and resources are and pilot our way to tranquil shores US phone companies such as AT&T- already available: where we can take advantage of this SBC, Qwest, and Verizon and cable- innovative communications technol- modem operators such as Cox • In April 2006, the first IEEE ogy without having to do it at the ex- Communications and Comcast. workshop on VoIP management pense of our privacy and security. and security occurred in Vancou- I am calling ver, Canada, at the 10th IEEE Reference Network Operations and Man- 1. M. Sheer et al., “Signaling Vulner- long distance, don’t agement Symposium (www.noms abilities in Wiretapping Systems,” worry ‘bout the cost 2006.org/content/workshop.htm IEEE Security & Privacy, vol. 3, no. In April 2006, Nicholas Fischbasch, l#voip). The initiative is promis- 6, 2005, pp. 13–25. senior manager of network engi- ing and, hopefully, will continue neering security at COLT Telecom, to gather research, industry, and Iván Arce is chief technology officer and cofounder of Core Security Technologies, a European Internet service provider service provider experts from an information security company based in 14 countries, described carrier around the world. in Boston. Previously, he worked as vice VoIP security as both a present con- • In January 2005, the US National president of research and development for cern and a difficult-to-solve puzzle Institute of Standards and Tech- a computer telephony integration company and as information security consul- at the CanSecWest security confer- nology (NIST) published special tant and software developer for various ence in Vancouver, Canada (www. report 800-53, “Security Consid- government agencies and financial and cansecwest.com/slides06/csw06- erations for Voice over IP Sys- telecommunications companies. Contact fischbach.pdf ). A day later at the tems” (http://csrc.nist.gov/public him at [email protected]. same venue, German researcher ations/nistpubs/800-58/ Hendrik Scholz provided the flip SP800-58-final.pdf ). Feedback side of the coin with a presentation • The Voice over IP Security Al- that gave a panoramic view of attack liance (VOIPSA, www.voipsa. Like what you just read? Hate it? scenarios against VoIP networks org), an industry consortium of If you’d like to share your opin- (www.wormulon.net/files/pub/cs VoIP and information security ions on this or any other material w06-attacking-voip-networks.pdf ). vendors, runs a mailing list dedi- you’ve read in this issue of IEEE The skeptics needed only to wait cated to VoIP security and pro- S&P magazine, please contact just over a month to read about a vides several security resources. lead editor Kathy Clark-Fisher, real-world example of VoIP-related • David Piscitello, ICANN Security kclark-fi[email protected]. Be attacks motivated by quick profits. and Stability Advisory Committee sure to include “Letter to the On 8 June, 2006, New York Times re- fellow and coauthor of “Under- Editor” in your subject line. porters Ken Belson and Tom Zeller standing Voice over IP Security”