On the feasibility of launching the man-in-the-middle attacks on VoIP from remote attackers
Source
ASIAN ACM Symposium on Information, Computer and Communications Security
Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
Sydney, Australia
SESSION: Network security-II
Pages 61-69
Year of Publication: 2009
ISBN: 978-1-60558-394-5
Authors
Ruishan Zhang  George Mason University, Fairfax, VA
Xinyuan Wang  George Mason University, Fairfax, VA
Ryan Farley  George Mason University, Fairfax, VA
Xiaohui Yang  George Mason University, Fairfax, VA
Xuxian Jiang  N.C. State University, Raleigh, NC
Sponsor
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher
ACM  New York, NY, USA
DOI: http://doi.acm.org/10.1145/1533057.1533069

ABSTRACT

The man-in-the-middle (MITM) attack has been shown to be one of the most serious threats to the security and trust of existing VoIP protocols and systems. For example, a MITM who is in the VoIP signaling and/or media path can easily wiretap, divert and even hijack selected VoIP calls by tampering with the VoIP signaling and/or media traffic. Since all previously identified MITM attacks on VoIP require the adversary to be initially in the VoIP signaling and/or media path, there is a common belief that it is infeasible for a remote attacker, who is not initially in the VoIP path, to launch any MITM attack on VoIP. This makes people think that securing all the nodes along the normal path of VoIP traffic is sufficient to prevent MITM attacks on VoIP.

In this paper, we demonstrate that a remote attacker who is not initially in the path of VoIP traffic can indeed launch all kinds of MITM attacks on VoIP by exploiting DNS and VoIP implementation vulnerabilities. Our case study of Vonage VoIP, the No. 1 residential VoIP service in the U.S. market, shows that a remote attacker from anywhere on the Internet can stealthily become a remote MITM through a DNS spoofing attack on a Vonage phone, as long as the remote attacker knows the phone number and the IP address of the Vonage phone. We further show that the remote attacker can effectively wiretap and hijack targeted Vonage VoIP calls after becoming the remote MITM. Our results demonstrate that (1) the MITM attack on VoIP is much more realistic than previously thought; (2) securing all nodes along the path of VoIP traffic is not adequate to prevent MITM attacks on VoIP; (3) vulnerabilities of non-VoIP-specific protocols (e.g., DNS) can indeed lead to the compromise of VoIP.

