SIP Security: Theft of SIP Services

Stealing the identity of another user allows the attacker to use a service with the costs charged to someone else. However, the attacker is limited to the privileges of the stolen identity, and every call the attacker makes carries that user's identity as the originator or recipient. Fraudsters generally want to conduct fraud on a larger scale, e.g., by selling stolen services to other people and thereby gaining not only free calls but also money. This can be achieved by getting access to the infrastructure components of the SIP service, e.g., SIP proxies, databases or gateways to the PSTN. With such access, the attacker can manipulate the authentication process so that his calls are not authenticated or are considered legitimate, or can simply ensure that no billing records are generated for his calls.

Recently, there have been two patterns for conducting this kind of fraud, namely password guessing and credential emulation.

Password Guessing

SIP components usually have an administration interface that allows the administrator to configure the system, control the privileges of different users and actions, and set the logging and billing criteria. This interface is usually protected by a password. Often, all devices manufactured by the same company share the same default password, and administrators often forget to change it during installation at the provider's premises. By knowing this default password, an attacker can assume the identity of the administrator and obtain the privileges needed to misuse the service. Such fraud can be prevented by changing the password of the SIP components and protecting the administration interface so that it is only accessible over a trusted network link.

Credential Emulation

A popular setup for VoIP services is presented in the figure below. In this setup the proxy is responsible for authenticating the incoming requests and forwarding legitimate requests to the PSTN gateway. To indicate to the gateway that a request is legitimate, the proxy adds special information to the forwarded requests. The gateway treats this information as an indication of the legitimacy of the request and, hence, only initiates calls to the PSTN if a request includes it. A fraudster can detect this information either by guessing or by brute force. By including this information in his own requests, a fraudster can fool a gateway into believing that his requests are legitimate. By running his own proxy server and adding this information to the requests of his customers, the fraudster would receive access to the PSTN without having to pay for it.

In general, this kind of attack is more complex. The fraudster needs to detect gateways that accept SIP signaling requests directly from the Internet and use this kind of authentication approach. Further, to cover their traces, fraudsters need to first gain access to a VoIP server of an enterprise or university with wideband Internet access and then route the calls through these servers.

To protect against such fraud, the communication between the proxy and the gateway must be secured. This can be achieved by having the gateway reject all SIP requests arriving from any IP address other than those of a set of trusted proxies. This could, however, be circumvented by having the fraudster spoof the source IP addresses of his requests. Higher security can be achieved by establishing a secure tunnel, e.g., using IPsec or TLS, between the proxy and gateway and rejecting all SIP traffic not arriving over this secured link.
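
The two gateway-side protections described above, as an added example that is not code from the original article: a request is admitted based on the link it arrived over, never on information carried inside it. The proxy addresses, certificate names and the `X-Legit-Call` marker header are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Assumed deployment values, constructed for this example.
TRUSTED_PROXY_IPS = {ipaddress.ip_address("192.0.2.10"),
                     ipaddress.ip_address("192.0.2.11")}
TRUSTED_PROXY_CERT_NAMES = {"proxy1.voip.example", "proxy2.voip.example"}

@dataclass
class InboundRequest:
    source_ip: str
    transport: str                        # "UDP", "TCP" or "TLS"
    peer_cert_name: Optional[str] = None  # name from a verified client certificate
    headers: dict = field(default_factory=dict)

def admit(req: InboundRequest, require_tls: bool = True) -> Tuple[bool, str]:
    """Gateway policy: decide on where the request came from, never on
    marker headers, which any sender can copy into a request."""
    if ipaddress.ip_address(req.source_ip) not in TRUSTED_PROXY_IPS:
        return False, "source address is not a trusted proxy"
    if not require_tls:
        # Address filtering only: stops direct Internet senders, but a
        # request with a spoofed source address still passes this branch.
        return True, "accepted on source address only"
    if req.transport != "TLS":
        return False, "not received over the secured link"
    if req.peer_cert_name not in TRUSTED_PROXY_CERT_NAMES:
        return False, "peer certificate does not identify a trusted proxy"
    return True, "accepted over authenticated TLS link"

# Constructed sample requests; X-Legit-Call is a hypothetical marker header.
MARKER = {"X-Legit-Call": "yes"}
SAMPLES = [
    InboundRequest("203.0.113.50", "UDP", headers=MARKER),  # direct from Internet
    InboundRequest("192.0.2.10", "UDP", headers=MARKER),    # trusted address, no TLS
    InboundRequest("192.0.2.10", "TLS", "proxy1.voip.example", MARKER),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.source_ip, r.transport, admit(r, require_tls=False), admit(r))
```

The second sample is the case that separates the two policies: it passes address filtering alone but is rejected once the secured link is required.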
