We are Listening – Common Flaws in Encrypted VoIP: SIP-over-TLS and sRTP.

Thanks to news about mass surveillance and to tender bids, VoIP devices have been enhanced with encrypted VoIP. 15 software phones (iOS and Android), 3 routers, and 20 desk phones: let us double-check their implementations!

  • Introduction of the Presenters

  • Background
    • Unencrypted VoIP (SIP-over-UDP) and its Protocol Stack
    • Encrypted VoIP – History of Alternatives:
      a. VPN
      b. SIP-over-TLS and (optional) SDES-SRTP
      c. WebRTC: SIP-over-WebSockets and DTLS-SRTP
    • Protocol Stack Add-ons because of Encrypted SIP/sRTP
    • Message Flow of SIP/sRTP in the so-called All-IP Network (3GPP IMS; explain it with a short example, flow diagram, and how your landline and mobile phone are connected to that)
  • Common Flaws and Mitigations (explain flaws, attacks and mitigation):
    • Signaling (faulty configuration of the TLS/SSL library):
      1. TLS Weak Cipher-Suites (CVE-2018-7958)
        • Welcome back Single-DES and Anonymous DH!
      2. TLS Hostname Validation
        • see doi:10.1145/2382196.2382204
      3. TLS Trust-Anchors: none at all
        • some devices come without CA certificates
        • some do not allow adding any!
      4. TLS Trust-Anchors buried in
        • some devices ship with outdated CAs
        • some devices ship with CAs – which ones is unknown
        • some do not allow disabling/replacing those!
      5. Certificate Revocation
        • Not supported by any phone, really?
      6. TLS Outdated in General
        • various findings like old TLS versions, no PFS, no AEAD, no TLS-SNI
    • Media (audio-codec attacks):
      1. sRTP Weak Key (CVE-2018-7959)
        • seven devices use(d) weak keys for encryption of audio
      2. Audio-Codec Variable Bitrate
        • variable bitrates must be disabled with encryption (or show no padlock icon)
        • see IETF RFC 6562
      3. Audio-Codec Fuzzing
        • All-IP Network allows callers direct access to the audio decoder
        • how we attacked this; one finding is used as example
      4. RTP and SDP Fuzzing
        • what was attacked by previous work (required authentication)
        • what can be attacked now in the new All-IP Network (everyone is authenticated)
    • Usable Security:
      1. Configurable by Anyone via Public IPv6
        • Can’t wait to see your phone in Shodan? Enable IPv6!
        • some devices can be configured via IPv6, globally without a password
      2. Call Drops thanks to added (Opportunistic) Encryption? Bugs in previous features:
        • SIP Session Timers (RFC 4028),
        • SIP Compact Form (RFC 3261 section 7.3.3), and
        • SIP/SDP Negotiation.
      3. sRTP Padlock Icon (CVE-2018-7960)
        • many phones show a (closed) padlock icon like Web browsers
        • some show it even when the media encryption key was transmitted in plain text
  • Experiences with Responsible Disclosure

  • Lessons learned for:
    • Implementers
    • Purchasers
    • Administrators

About the Speaker