Taming SIP Vicious

Punk's not dead in the VoIP space, and action must be taken, notes Peter Cox

Spend any time researching VoIP risks and you will quickly discover the name SIP Vicious. This is not a typo, but a set of freely downloadable tools designed for testing and auditing VoIP networks. While these tools have a legitimate use, they are also misused to attack VoIP networks.

SIP Vicious is designed as a service enumerator, an application that scans large numbers of network addresses looking for systems running a specific service. In the case of SIP Vicious, the target service is the Session Initiation Protocol (SIP), which is implemented by all IP PBX vendors and used by internet telephony services providers, so the presence of SIP Vicious represents a significant danger.

SIP Vicious is frequently misused to scan the internet and find IP phone systems running SIP. It works by sending status request messages, known in SIP terms as an OPTIONS request, to a large number of IP addresses.

Any system that blindly follows the SIP standard will reply to such a request, either with a response to the request, with an authentication request or simply with an error message indicating that the request was not processed.

The attacker is not interested in what type of response it receives. Any response will indicate that a system running SIP lives at the identified IP address. And this is where the problem starts.

SIP OPTIONS requests are very simple messages that can be sent quickly because they use UDP. This is a connectionless transport, which means the sender can send out the requests to millions of addresses and note which ones send a reply.

SIP Vicious scans are widespread and can originate from anywhere. Any internet-connected VoIP system is likely to receive 10 or more scans per day. When the scan is complete, the attacker will have a list of the network addresses of a large number of IP phone systems and can then take full advantage.

Once an attacker locates an internet-connected SIP system, the system will become the target of more direct attacks.

A favourite is the so-called call fraud attack, which works by sending large numbers of call requests to an IP address known to be running SIP in an attempt to make a call to a PSTN number. If that PSTN call succeeds, the attacker is able to make calls at the victim's expense.

A call fraud attack will succeed if:

Once an attacker has found a susceptible system, he or she can also sell access to that system, perhaps by setting up a cheap overseas call service. If the calls are free, the profit margins are high.

We have tested this by setting up a honeypot, an internet-connected IP PBX with weak security controls. In less than 24 hours, this system was discovered by an attacker, and, in less than one hour, there were some 350 fraudulent call attempts.

Some were allowed to connect so the call destination and duration could be determined. Call destinations included mobiles in Haiti, Mali and Sierra Leone, and the call duration was anything from 10 seconds to more than a minute.

An attacker may also set up a premium-rate number, which the attacked system is forced to call, perhaps making several calls simultaneously. Victims have faced phone bills running into thousands of pounds.
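The honeypot pattern described above (a burst of call attempts from one source, answered calls to countries the business never dials, short durations) is what a call-detail-record monitor should be looking for. The following is an added example written for this article, not code from the author or UM Labs; the CDR line format, the allowed-country prefixes, the burst threshold and the sample records are all constructed for illustration, and the destination numbers are made-up numbers under the Haiti, Mali and Sierra Leone country codes.

```python
"""Toll-fraud detection over call detail records (CDRs).

Added example, not from the article or from UM Labs. The CDR line
format, thresholds and sample records below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed policy: dialling prefixes this PBX legitimately uses, and
# how many attempts from one source within a minute count as a burst.
ALLOWED_PREFIXES = ("+44", "+1")      # UK and North America
BURST_COUNT = 5
BURST_WINDOW = timedelta(seconds=60)


def parse_cdr(line):
    """Parse 'TIMESTAMP key=value ...' into a dict with a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["dur"] = int(rec.get("dur", "0"))
    return rec


def is_allowed_destination(number):
    return number.startswith(ALLOWED_PREFIXES)


def detect_fraud(lines):
    """Return (kind, source, detail) alerts for two signals:
    a call to a destination outside the allowed prefixes, and a burst of
    BURST_COUNT attempts from one source inside BURST_WINDOW."""
    alerts = []
    recent = defaultdict(deque)       # source -> timestamps of attempts
    for line in lines:
        rec = parse_cdr(line)
        src, dst, ts = rec["src"], rec["dst"], rec["ts"]
        if not is_allowed_destination(dst):
            alerts.append(("unexpected-destination", src, dst))
        window = recent[src]
        window.append(ts)
        while window and ts - window[0] > BURST_WINDOW:
            window.popleft()          # slide the window forward
        if len(window) == BURST_COUNT:  # fire when the threshold is crossed
            alerts.append(("call-burst", src,
                           f"{len(window)} attempts in {BURST_WINDOW.seconds}s"))
    return alerts


def answered_abroad(lines):
    """Answered seconds to non-allowed destinations, per source: the
    number the finance team will ask for when the bill arrives."""
    total = defaultdict(int)
    for line in lines:
        rec = parse_cdr(line)
        if not is_allowed_destination(rec["dst"]) and rec["status"] == "ANSWERED":
            total[rec["src"]] += rec["dur"]
    return dict(total)


# Constructed sample: five attempts in 17 seconds from one outside host,
# then one ordinary UK call from a desk phone during office hours.
SAMPLE_CDR = [
    "2013-01-12T02:14:03 src=192.0.2.77 ext=100 dst=+50937000001 dur=0 status=FAILED",
    "2013-01-12T02:14:05 src=192.0.2.77 ext=100 dst=+22370000002 dur=14 status=ANSWERED",
    "2013-01-12T02:14:09 src=192.0.2.77 ext=100 dst=+23276000003 dur=61 status=ANSWERED",
    "2013-01-12T02:14:12 src=192.0.2.77 ext=100 dst=+50937000004 dur=0 status=FAILED",
    "2013-01-12T02:14:20 src=192.0.2.77 ext=100 dst=+22370000005 dur=10 status=ANSWERED",
    "2013-01-12T09:30:00 src=10.0.0.21 ext=201 dst=+442071234567 dur=180 status=ANSWERED",
]

if __name__ == "__main__":
    for alert in detect_fraud(SAMPLE_CDR):
        print(*alert)
    print("answered seconds abroad:", answered_abroad(SAMPLE_CDR))
```

The destination check catches the first fraudulent call on its own; the burst check is there for the case where the attacker dials a country that is on the allowed list. Both checks run on records as they are written, so an alert can trigger an outbound-call block before the premium-rate bill builds up.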

VoIP systems are, of course, vulnerable to other attacks as well, such as denial of service, call eavesdropping and monitoring.

Do not try to rely on a standard data firewall to protect an IP PBX. Many VoIP attacks, including SIP Vicious scans, are at the application level.

A standard data firewall cannot distinguish between a SIP Vicious scan and a legitimate request.

A good data firewall will handle a network scan by keeping quiet. A good SIP security product, such as a gateway, will do the same for device discovery scans such as SIP Vicious.
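To make the "keep quiet" behaviour concrete, here is an added example, written for this article rather than taken from the author or from any UM Labs product. It builds a minimal SIP OPTIONS request of the kind a discovery scan sends, parses incoming requests, and applies a gateway policy that answers only trusted peers and silently drops OPTIONS from everyone else, logging the dropped probes per source. The addresses, User-Agent strings and the trusted-peer ranges are constructed; the request format follows the RFC 3261 header layout.

```python
"""SIP OPTIONS discovery: message format, quiet-drop policy, probe log.

Added example, not code from the article or from UM Labs. Addresses,
User-Agent strings and the trusted-peer list are constructed samples.
"""
import ipaddress
import uuid
from collections import Counter

# Constructed: the SIP trunk provider's range and the office LAN. Only
# these sources receive a SIP response of any kind from the gateway.
TRUSTED_PEERS = [ipaddress.ip_network("203.0.113.0/24"),
                 ipaddress.ip_network("10.0.0.0/8")]


def build_options(src_ip, dst_host, user="100", user_agent="probe"):
    """Return the text of a minimal SIP OPTIONS request."""
    call_id = uuid.uuid4().hex
    return "\r\n".join([
        f"OPTIONS sip:{user}@{dst_host} SIP/2.0",
        f"Via: SIP/2.0/UDP {src_ip}:5060;branch=z9hG4bK{call_id[:8]}",
        f"From: <sip:{user}@{src_ip}>;tag={call_id[:6]}",
        f"To: <sip:{user}@{dst_host}>",
        f"Call-ID: {call_id}@{src_ip}",
        "CSeq: 1 OPTIONS",
        f"User-Agent: {user_agent}",
        "Content-Length: 0",
    ]) + "\r\n\r\n"


def parse_sip(raw):
    """Parse the request line and headers of a SIP request; the body is
    ignored and header names are lower-cased for lookup."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "version": version,
            "headers": headers}


def is_trusted(src_ip):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRUSTED_PEERS)


def decide(raw, src_ip):
    """Gateway policy for one received request.

    'forward'   trusted peer: hand the request to the PBX as usual
    'drop'      OPTIONS from an unknown source: send nothing back, not
                even an error, so the address does not look alive
    'challenge' other methods from unknown sources still get the PBX's
                normal authentication challenge
    """
    msg = parse_sip(raw)
    if is_trusted(src_ip):
        return "forward"
    if msg["method"] == "OPTIONS":
        return "drop"
    return "challenge"


def triage(traffic):
    """Apply the policy to (src_ip, raw_message) pairs. Returns the
    per-message decisions and a count of dropped probes per source,
    which is the record worth forwarding to a SIEM."""
    decisions = []
    dropped = Counter()
    for src_ip, raw in traffic:
        d = decide(raw, src_ip)
        decisions.append(d)
        if d == "drop":
            dropped[src_ip] += 1
    return decisions, dropped


# Constructed sample: probes arriving at a PBX on 198.51.100.10.
PBX = "198.51.100.10"
SAMPLE_TRAFFIC = [
    ("192.0.2.77", build_options("192.0.2.77", PBX, user_agent="scanner-a")),
    ("192.0.2.77", build_options("192.0.2.77", PBX, user="101", user_agent="scanner-a")),
    ("203.0.113.5", build_options("203.0.113.5", PBX, user_agent="trunk-monitor")),
    ("192.0.2.200", build_options("192.0.2.200", PBX, user_agent="scanner-b")),
    ("10.0.0.21", build_options("10.0.0.21", PBX, user_agent="desk-phone")),
]

if __name__ == "__main__":
    decisions, dropped = triage(SAMPLE_TRAFFIC)
    for (src, _), d in zip(SAMPLE_TRAFFIC, decisions):
        print(f"{src:15} {d}")
    print("dropped probes:", dict(dropped))
```

The point of returning "drop" rather than an error is the one the article makes: to a scanner, a 4xx error and a 200 OK are equally useful, since either proves a SIP stack is listening. Only silence denies it that. The trusted-peer list is the price of this policy; the trunk provider's keep-alive OPTIONS must still be answered or the trunk will be marked down.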

VoIP security awareness is in its infancy. Too many users are either ignoring the problem or trying to address it without investing in targeted security controls.

Peter Cox is chief executive officer of UM Labs