Phishing environments, techniques, and countermeasures

We present a comprehensive survey of Voice over IP security academic research, using a set of 245 publications forming a closed cross-citation set. We classify these papers according to an extended version of the VoIP Security Alliance (VoIPSA) Threat Taxonomy. Our goal is to provide a roadmap for researchers seeking to understand existing capabilities and to identify gaps in addressing the numerous threats and vulnerabilities present in VoIP systems. We discuss the implications of our findings with respect to vulnerabilities reported in a variety of VoIP products. We identify two specific problem areas (denial of service, and service abuse) as requiring significant more attention from the research community. We also find that the overwhelming majority of the surveyed work takes a black box view of VoIP systems that avoids examining their internal structure and implementation. Such an approach may miss the mark in terms of addressing the main sources of vulnerabilities, i.e., implementation bugs and misconfigurations. Finally, we argue for further work on understanding cross-protocol and cross-mechanism vulnerabilities (emergent properties), which are the byproduct of a highly complex system-of-systems and an indication of the issues in future large-scale systems.

/pdf/a-comprehensive-survey-of-voice-over-ip-security-research-12md93jxpa.pdf

A Comprehensive Survey of Voice over IP Security Research

http://www.cs.columbia.edu/~dgen/papers/journal/Journal-08.pdf

Survey of network security systems to counter SIP-based denial-of-service attacks

VoLTE (Voice-over-LTE) is the designated voice solution to the LTE mobile network, and its worldwide deployment is underway. It reshapes call services from the traditional circuit-switched telecom telephony to the packet-switched Internet VoIP. In this work, we conduct the first study on VoLTE security before its full rollout. We discover several vulnerabilities in both its control-plane and data-plane functions, which can be exploited to disrupt both data and voice in operational networks. In particular, we find that the adversary can easily gain free data access, shut down continuing data access, or subdue an ongoing call, etc. We validate these proof-of-concept attacks using commodity smartphones (rooted and unrooted) in two Tier-1 US mobile carriers. Our analysis reveals that, the problems stem from both the device and the network. The device OS and chipset fail to prohibit non-VoLTE apps from accessing and injecting packets into VoLTE control and data planes. The network infrastructure also lacks proper access control and runtime check.

Insecurity of Voice Solution VoLTE in LTE Mobile Networks

Long Term Evolution (LTE) is becoming the dominant cellular networking technology, shifting the cellular network away from its circuit-switched legacy towards a packet-switched network that resembles the Internet. To support voice calls over the LTE network, operators have introduced Voice-over-LTE (VoLTE), which dramatically changes how voice calls are handled, both from user equipment and infrastructure perspectives. We find that this dramatic shift opens up a number of new attack surfaces that have not been previously explored. To call attention to this matter, this paper presents a systematic security analysis. Unlike the traditional call setup, the VoLTE call setup is controlled and performed at the Application Processor (AP), using the SIP over IP. A legitimate user who has control over the AP can potentially control and exploit the call setup process to establish a VoLTE channel. This combined with the legacy accounting policy (e.g., unlimited voice and the separation of data and voice) leads to a number of free data channels. In the process of unveiling the free data channels, we identify a number of additional vulnerabilities of early VoLTE implementations, which lead to serious exploits, such as caller spoofing, over-billing, and denial-of-service attacks. We identify the nature of these vulnerabilities and concrete exploits that directly result from the adoption of VoLTE. We also propose immediate countermeasures that can be employed to alleviate the problems. However, we believe that the nature of the problem calls for a more comprehensive solution that eliminates the root causes at mobile devices, mobile platforms, and the core network.

/pdf/breaking-and-fixing-volte-exploiting-hidden-data-channels-51ud7mjxs0.pdf

Breaking and Fixing VoLTE: Exploiting Hidden Data Channels and Mis-implementations

Billing is fundamental to any commercial VoIP services and it has direct impact on each individual VoIP subscriber. One of the most basic requirements of any VoIP billing function is that it must be reliable and trustworthy. From the VoIP subscriber's perspective, VoIP billing should only charge them for the calls they have really made and for the duration they have called.

Existing VoIP billing is based on VoIP signaling. Therefore, any vulnerability in VoIP signaling is a potential vulnerability of VoIP billing. In this paper, we examine how the vulnerabilities of SIP can be exploited to compromise the reliability and trustworthiness of the billing of SIP-based VoIP systems. Specifically, we focus on the billing attacks that will create inconsistencies between what the VoIP subscribers received and what the VoIP service providers have provided. We present four billing attacks on VoIP subscribers that could result in charges on the calls the subscribers have not made or overcharges on the VoIP calls the subscribers have made. Our experiments show that Vonage and AT&T VoIP subscribers are vulnerable to these billing attacks.

/pdf/billing-attacks-on-sip-based-voip-systems-ui6mfkg7ay.pdf

Billing attacks on SIP-based VoIP systems

The man-in-the-middle (MITM) attack has been shown to be one of the most serious threats to the security and trust of existing VoIP protocols and systems. For example, the MITM who is in the VoIP signaling and/or media path can easily wiretap, divert and even hijack selected VoIP calls by tempering with the VoIP signaling and/or media traffic. Since all previously identified MITM attacks on VoIP require the adversary initially in the VoIP signaling and/or media path, there is a common belief that it is infeasible for a remote attacker, who is not initially in the VoIP path, to launch any MITM attack on VoIP. This makes people think that securing all the nodes along the normal path of VoIP traffic is sufficient to prevent MITM attacks on VoIP.In this paper, we demonstrate that a remote attacker who is not initially in the path of VoIP traffic can indeed launch all kinds of MITM attacks on VoIP by exploiting DNS and VoIP implementation vulnerabilities. Our case study of Vonage VoIP, the No. 1 residential VoIP service in the U.S. market, shows that a remote attacker from anywhere on the Internet can stealthily become a remote MITM through DNS spoofing attack on a Vonage phone, as long as the remote attacker knows the phone number and the IP address of the Vonage phone. We further show that the remote attacker can effectively wiretap and hijack targeted Vonage VoIP calls after becoming the remote MITM. Our results demonstrate that (1) the MITM attack on VoIP is much more realistic than previously thought; (2) securing all nodes along the path of VoIP traffic is not adequate to prevent MITM attack on VoIP; (3) vulnerabilities of non-VoIP-specific protocols (e.g., DNS) can indeed lead to compromise of VoIP.

/pdf/on-the-feasibility-of-launching-the-man-in-the-middle-1gxuy2wfa0.pdf

On the feasibility of launching the man-in-the-middle attacks on VoIP from remote attackers

Voice communication is fundamental to the normal operation of our society. The general public have put a lot of trust in voice communication and they have been relying on it for many critical and sensitive information exchange (e.g., emergency 911 calls, calls to customer service of financial institutions). Now more and more voice calls are carried, at least partially, over the public Internet rather than traditional Public Switched Telephone Network (PSTN). The security ramifications of using VoIP, however, have not been fully recognized. It is not clear how secure and trustworthy the currently deployed VoIP systems are, and there exists a substantial gap in the understanding of the potential impact of VoIP exploits on the VoIP users. In this paper, we seek to fill this gap by investigating the trust issues of currently deployed VoIP systems and their implications to the VoIP users.Our experiments with leading deployed VoIP services (e.g, Vonage, ATT 2) redirect any selected Vonage and ATT 3) manipulate and set the call forwarding setting of any selected Gizmo VoIP subscriber without authorization. Such an unauthorized call diversion capability enables a new attack, called voice pharming, against VoIP users, where the attacker transparently diverts selected VoIP calls to the bogus IVR (interactive voice response) or bogus representative. In other words, voice pharming can cause selected VoIP callers to interact with the bogus IVR or representative even if they have dialed the correct phone numbers. Therefore, even the most meticulous VoIP caller could be tricked into giving out sensitive information (e.g., SSN, credit card number, PIN) to the adversary. To mitigate such imminent threats to current VoIP users, all segments along the VoIP path need to be protected and trustworthy. Our experience shows that enforcing TLS or IPSEC between the SIP phone and SIP servers could be an effective first step toward mitigation.

/pdf/voice-pharming-attack-and-the-trust-of-voip-kf8t6cjmia.pdf

Voice pharming attack and the trust of VoIP

On the billing vulnerabilities of SIP-based VoIP systems

Phone features, e.g., 911 call , voicemail , and Do Not Disturb , are critical and necessary for all deployed VoIP systems. In this paper, we empirically investigate the security of these phone features. We have implemented a number of attacks and experimented with VoIP services by leading VoIP service providers Vonage, ATT and 2) spoof the voicemail servers of both the caller and the callee of selected VoIP calls; and 3) make spam calls to VoIP subscribers even if Do Not Disturb is enabled. These empirical results confirm that leading deployed SIP-based VoIP systems have serious security vulnerabilities.

/pdf/an-empirical-investigation-into-the-security-of-phone-4d8rh7otbr.pdf

Xiaohui Yang

Papers

Billing attacks on SIP-based VoIP systems

On the feasibility of launching the man-in-the-middle attacks on VoIP from remote attackers

Voice pharming attack and the trust of VoIP

On the billing vulnerabilities of SIP-based VoIP systems

An Empirical Investigation into the Security of Phone Features in SIP-Based VoIP Systems