
Vulnerabilities in Dual-mode / Wi-Fi Phones 8/2/07 Sachin Joglekar - PowerPoint PPT Presentation



  1. 8/2/07 - sachin joglekar: Vulnerabilities in Dual-mode / Wi-Fi Phones, 8/2/07. Sachin Joglekar, Vulnerability Research Lead

  2. Outline (Total 60-70 min)
     • Introduction (7 min)
     • Protocol Stack (7 min)
     • Current State of Security Features (7 min)
     • Demo 1 (10 min)
     • Attack Vectors (7 min)
     • Vulnerabilities Discovered (15 min)
     • Demo 2 (10 min)
     • Q&A (5 min)

  3. Part 1: VoIP/VoWLAN

  4. What is VoIP and VoWLAN?
     • VoIP = Voice over Internet Protocol
     • For a layman
       – A very attractive and cheap phone service
     • For a techie
       – A phone service that transmits your voice over IP network
     • For a hacker
       – A very attractive new attack target!!
     • VoWLAN = Voice over Wireless LAN
     • Mobile phones connect to Wi-Fi to transmit voice over Wi-Fi
     • Great indoors where cellular signal is weak
     • Such phones can be easily discovered from IP network and…
     • … hacked into using traditional techniques

  5. VoIP advantages and challenges
     • Advantages
       – Cost effective
         • No need to pay for each line
       – Feature rich
       – Fast ROI
       – Easy to manage
       – Independence from geographic restrictions on phone numbers
     • Challenges
       – E911 issues
       – Dependent on availability of power
       – Sometimes QoS
       – Voice traveling through un-trusted IP networks
       – Security

  6. Data vs. VoIP
     • (Data) E-mail
       – SMTP, POP3
       – Client-Server
       – Store and Forward
       Diagram labels: Client, Server, Client; "SMTP: Connect to Server, and Send Mail"; "POP3: Connect to Server, and Request Mail"; "POP3: Deliver Mail"
     • (VoIP)
       – SIP, H.323, Skinny
       – Peer-Peer
       – Real-Time
       – Separate Signaling and Media Planes
       – Feature Rich complex state machines
       Diagram labels: Client/Server, Proxy, Client/Server; "Make Call", "Deliver Call", "Answer Call", "Answer Call"; "RTP over UDP: Media (Audio/Video)" between the two endpoints

  7. Typical Enterprise VoIP - Value and Risks
     Diagram labels: Soft Clients, IP Phones, WiFi/Dual Mode Phones, IP PBX, Rogue Employee, Infected PC, Rogue Device, Data VLAN, VoIP VLAN, DMZ, Service Provider, Internet, Partner, Spammer, Web Phone, Hard Phone, Dual-mode Phone, Hackers, Soft Phone, Infected PC
     Driving Factors:
     • Cellular cost savings
     • Business Continuity
     • Trunk cost savings
     • Life style management
     • Productivity gains

  8. Protocols Used for VoIP
     Application
       Signaling: SIP, SDP, H323, Skinny
       Media: RTP, RTCP
       Encrypted Media: SRTP, ERTP, ZRTP
       Authentication: MD5 Digest, NTLM, Kerberos
     Transport
       UDP, TCP, TLS
     TLS Security
       Server Auth Only / Mutual Auth
       Auth with null encryption / Auth with encryption

  9. SIP Protocol Complexity
     • Too many specifications
       – SIP is an ASCII protocol (as opposed to binary protocol like H.323) specified in IETF RFC 3261
       – VoIP applications also make use of several other RFCs [http://www.iana.org/assignments/sip-parameters]
     • Too flexible specifications
       – Specification leaves lot of room for flexibility in syntax and extensions
     • Complex implementations
       – That makes protocol message parser implementations complex
     • Vulnerable code
       – And hence more prone to security vulnerabilities
     Example message shown on the slide:
       INVITE sip:9999@10.0.250.107 SIP/2.0
       Via: SIP/2.0/UDP 10.0.250.101;branch=z9hG4bK5c95dece;rport
       From: "attacker" sip:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[0x90909090] [\x31\xD2\x52\x52\x52\x52\xB8\x8A\x05\x45\x7E\xFF\xD0]@10.0.250.101>;tag=6Mg0okSwlxd7
       To: <sip:9999@10.0.250.107>
       Contact: <sip:attacker@10.0.250.101>
       Call-ID: 6Mg0okSwlxd7-CM0H4EqKTBwm
       CSeq: 123 INVITE
       User-Agent: Spoofed PBX
       Max-Forwards: 70
       Allow: REFER, SUBSCRIBE, NOTIFY
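The defensive counterpart to the slide's point about parser complexity is a stack that bounds every header before it copies or interprets it. The following is an added example written for this page, not code from the presentation or from any phone vendor: a minimal SIP request parser that enforces a per-line length cap, a header-count cap, a method allow-list and the mandatory headers, and refuses a message shaped like the slide's INVITE (a From header padded far past any legitimate size). The limit values, the `classify` helper and the two constructed sample messages are assumptions for the example; RFC 3261 itself sets no maximum header length, which is why a stack must choose one.

```python
import re
from dataclasses import dataclass, field

# Parser limits are assumptions for this example, not values from any phone.
MAX_LINE_LEN = 512          # longest header line we are willing to parse
MAX_HEADER_LINES = 64       # cap on header lines (bounds memory per message)
KNOWN_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS",
                 "REFER", "SUBSCRIBE", "NOTIFY"}
REQUIRED_HEADERS = ("via", "from", "to", "call-id", "cseq")

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
HEADER_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9.\-]*)\s*:\s*(.*)$")


class SipParseError(ValueError):
    """Raised for any message the hardened parser refuses."""


@dataclass
class SipRequest:
    method: str
    uri: str
    headers: dict = field(default_factory=dict)   # lower-case name -> [values]


def parse_sip_request(raw: str) -> SipRequest:
    """Parse the start line and headers of a SIP request, checking limits
    before any header value is stored or interpreted."""
    head = raw.split("\r\n\r\n", 1)[0]            # body is not needed for this check
    lines = head.split("\r\n")
    if len(lines) > MAX_HEADER_LINES + 1:
        raise SipParseError("too many header lines")
    for lineno, line in enumerate(lines):
        if len(line) > MAX_LINE_LEN:
            raise SipParseError(f"line {lineno} exceeds {MAX_LINE_LEN} bytes")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise SipParseError("malformed request line")
    method, uri = m.group(1), m.group(2)
    if method not in KNOWN_METHODS:
        raise SipParseError(f"unknown method {method}")
    headers: dict = {}
    for line in lines[1:]:
        h = HEADER_LINE.match(line)
        if not h:
            # Folded continuation lines are deliberately not supported here.
            raise SipParseError("malformed header line")
        headers.setdefault(h.group(1).lower(), []).append(h.group(2))
    missing = [name for name in REQUIRED_HEADERS if name not in headers]
    if missing:
        raise SipParseError(f"missing required headers: {missing}")
    return SipRequest(method, uri, headers)


def classify(raw: str) -> str:
    """Return 'accepted ...' or 'rejected: <reason>' for a raw request."""
    try:
        req = parse_sip_request(raw)
    except SipParseError as exc:
        return f"rejected: {exc}"
    return f"accepted {req.method} {req.uri}"


def _msg(from_header: str) -> str:
    """Build a constructed INVITE whose From header is the given value."""
    return "\r\n".join([
        "INVITE sip:9999@10.0.250.107 SIP/2.0",
        "Via: SIP/2.0/UDP 10.0.250.101;branch=z9hG4bK5c95dece;rport",
        f"From: {from_header}",
        "To: <sip:9999@10.0.250.107>",
        "Contact: <sip:caller@10.0.250.101>",
        "Call-ID: 6Mg0okSwlxd7-CM0H4EqKTBwm",
        "CSeq: 123 INVITE",
        "Max-Forwards: 70",
        "Content-Length: 0",
        "", "",
    ])


# Constructed samples: a normal INVITE and one whose From header is padded
# far beyond anything a legitimate phone would send.
NORMAL_INVITE = _msg('"caller" <sip:caller@10.0.250.101>;tag=6Mg0okSwlxd7')
OVERSIZED_INVITE = _msg('"caller" <sip:' + "A" * 2000 + '@10.0.250.101>;tag=6Mg0okSwlxd7')

if __name__ == "__main__":
    for sample in (NORMAL_INVITE, OVERSIZED_INVITE):
        print(classify(sample))
```

The order of the checks matters: length and count limits run over the raw lines before any header is stored, so an oversized or header-flooded message is dropped without the parser ever allocating for it, which is the property the slide's low-power handsets lack.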

  10. Part 2: Dual-mode / Wi-Fi Phones - Protocol Stack and Attack Vectors

  11. Dual-mode vs. Wi-Fi only phone
     • Dual mode = two modes of communication
       – Type 1
         • GSM Cellular Radio + CDMA Cellular Radio
       – Type 2
         • Cellular Radio + Non-cellular Radio (IEEE 802.11/Wi-Fi)
       – Type 3
         • VoIP + POTS
     • We will discuss Type 2 dual-mode phone and Wi-Fi only phone
     • Wi-Fi Only phone
       – No cellular radio
       – Only works with Wi-Fi access point
     • Both phones can be used over Wi-Fi connection from
       – Campus
       – Home
       – Hotspot

  12. Dual-mode Phone Protocol Stack (diagram)
     Cellular side: Telephony and Messaging Apps; CM, MM, RR; LAPDm; TDMA/CDMA
     Wi-Fi side: Data Apps; SIP, RTP/RTCP, EAP; TCP/IP, 802.1x; 802.3, 802.11b
     Common: OS & Drivers; Handset Hardware

  13. Example Implementations
     Manufacturer      | Wi-Fi / Dual-mode | OS             | VoIP Stack
     Blackberry 7270   | Dual-mode         | RIM OS         | Native
     D-Link DPH-541    | Wi-Fi             | Linux          | Native
     Nokia E-61        | Dual-mode         | Symbian        | Native
     Samsung SCH-i730  | Dual-mode         | Windows Mobile | Can be installed (e.g. SJPhone)
     Dell Axim         | Wi-Fi             | Windows Mobile | Can be installed

  14. Typical Phone Connectivity (diagram): PC, USB, Infrared, 3G, Bluetooth, WLAN / Wi-Fi

  15. Attack Vectors
     • Recon
       – Phone is visible as an IP address
     • Authentication bypass
       – Replay, IP spoofing
     • Registration hijack
       – Well-known attack still valid on these phones
     • Eavesdropping
       – Wireless access points that are not secured enough may provide a way to listen into conversations, without physical access
     • Attack on supporting services
     • Resource exhaustion
       – These are low power devices, some don't clean-up transaction states, easy to exhaust memory and CPU
     • Implementation flaw exploitations
       – Not much thought has gone into making the stacks robust
       – Clients (which are also servers in case of SIP) don't authenticate received requests
       – Users may have to face DoS
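Two of the vectors on this slide, registration hijack and resource exhaustion, leave a signature in the signaling a proxy or monitoring point sees. The following is an added example for this page, not code from the presentation: a small detector run over constructed SIP event lines that flags a REGISTER accepted without authentication, a contact address that re-binds an existing address-of-record to a different host, and a burst of INVITEs from one source that exceeds a transaction budget inside a time window. The `key=value` line format, the thresholds and the sample addresses are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not from the presentation) in a hypothetical
# key=value format a SIP proxy or registrar might emit.
CONSTRUCTED_REGISTER_LINES = [
    "2007-08-02T10:00:01 method=REGISTER aor=sip:2001@pbx.example contact=192.168.0.34 src=192.168.0.34 auth=ok",
    "2007-08-02T10:00:05 method=REGISTER aor=sip:2002@pbx.example contact=192.168.0.35 src=192.168.0.35 auth=ok",
    # Same AOR as the first line, now bound to a different host without credentials.
    "2007-08-02T10:02:30 method=REGISTER aor=sip:2001@pbx.example contact=10.0.250.101 src=10.0.250.101 auth=none",
]
# 25 INVITEs in 25 seconds from one source: the kind of burst that fills the
# transaction table of a handset that never cleans up state.
CONSTRUCTED_INVITE_LINES = [
    f"2007-08-02T10:05:{s:02d} method=INVITE aor=sip:2002@pbx.example contact=- src=10.0.250.101 auth=none"
    for s in range(25)
]
SAMPLE_LOG = CONSTRUCTED_REGISTER_LINES + CONSTRUCTED_INVITE_LINES


def parse_line(line: str) -> dict:
    """Split 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def analyze(lines, flood_threshold=20, window=timedelta(seconds=60)):
    """Return a list of alert dicts for the given event lines."""
    alerts = []
    bindings = {}                    # aor -> contact host last registered
    invites = defaultdict(deque)     # src -> timestamps of INVITEs in the window
    flooders = set()                 # sources already reported, to alert once
    for rec in map(parse_line, lines):
        if rec["method"] == "REGISTER":
            if rec["auth"] != "ok":
                alerts.append({"kind": "unauthenticated_register",
                               "aor": rec["aor"], "src": rec["src"]})
            prev = bindings.get(rec["aor"])
            if prev is not None and prev != rec["contact"]:
                # A hijack re-binds a victim's AOR to the attacker's host.
                alerts.append({"kind": "contact_rebound", "aor": rec["aor"],
                               "old": prev, "new": rec["contact"], "src": rec["src"]})
            bindings[rec["aor"]] = rec["contact"]
        elif rec["method"] == "INVITE":
            q = invites[rec["src"]]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:   # drop events outside the window
                q.popleft()
            if len(q) > flood_threshold and rec["src"] not in flooders:
                flooders.add(rec["src"])
                alerts.append({"kind": "invite_flood", "src": rec["src"], "count": len(q)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

A real deployment would key the flood counter on the target handset as well as the source, since the slide's concern is the handset's own state table, and would treat a contact re-bind as benign when it follows a cellular-to-Wi-Fi hand-off of the same authenticated user.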

  16. Wi-Fi to Cellular hand-off
     • If arbitrary shell code can be executed on the phone using a message sent to it over Wi-Fi, the phone can possibly be made to launch calls over Cellular
     • Data theft can occur
     • To be explored

  17. Building a VoIP/SIP Attack
     Diagram labels: SIP Server, APPs Server, Registrar Server, Media Server, PBX, IVR, MGW, MGW, Download Tools
     VoIP/SIP Sniffing Tools: AuthTool, Cain & Abel, NetDude, Oreka, PSIPDump, SIPomatic, SIPv6 Analyzer, VOIPong, VOMIT, Wireshark
     VoIP/SIP Scanning & Enum Tools: enumIAX, iWar, Nessus - SIP-Scan, SIPcrack, SIPSCAN, SiVuS, SMAP, VLANping
     VoIP/SIP Packet Creation & Flooding Tools: IAXFlooder, INVITE Flooder, kphone-ddos, RTP Flooder, Scapy, SIPBomber, SIPNess, SIPp, SIPsak
     VoIP/SIP Signaling Manipulation tools: BYE Teardown, Phone Rebooter, RedirectionPoison, RegistrationAdder, RegistrationEraser, RegistrationHacker, SIP-Kill, SIP-Proxy-Kill, SIP-RedirectRTP
     VoIP Media Manipulation Tools: RTP InsertSound, RTP MixSound, RTP Proxy

  18. Part 3: Current State of Security Features

  19. Survey of Current Security Features
     • What are security features implemented by Dual-mode / Wi-Fi phones?
     • What are out-of-the-box security settings?

  20. Out-of-the-box Security Settings
     • Most common signaling transport
       – UDP (No signaling encryption)
     • Most common media transport
       – RTP (No media encryption)
     • Application-level Authentication
       – Only client is authenticated
       – No server authentication in most cases

  21. Authentication Support
     • Signaling
       – Most of the phones do not authenticate server using cnonce during Digest Auth
       – TLS Authentication not implemented in several phones
       – S/MIME ?
     • Media
       – SRTP support very minimal
       – Exposure to rogue packet injection using spoofed IP addresses

  22. Digest Authentication without server authentication
     Phone → Server:
       REGISTER sip:192.168.0.1:5060 SIP/2.0
       From: sachin@sipera.com;tag=220587
       To: sachin@sipera.com
       Contact: 192.168.0.34;events="message-summary"
       Call-ID: E3A0F6BBEE91@192.168.0.34
       Max-Forwards: 70
       CSeq: 3 REGISTER
       Via: SIP/2.0/UDP 192.168.0.34;rport;branch=z9hG4bK805d2fa50131c9b1
     Server → Phone:
       SIP/2.0 401 Unauthorized
       WWW-Authenticate: Digest realm="asterisk", nonce="4f87b95d"
       ..
     Phone → Server:
       REGISTER sip:192.168.0.1:5060 SIP/2.0
       Authorization: Digest username="sachin",realm="asterisk",nonce="4f87b95d", uri="sip:192.168.0.1:5060",response="fed6890f44712fbaef17c704e6e30eac",cnonce="dbf4afc"
       ..
     Server → Phone:
       200 OK
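The exchange on this slide proves the phone to the server but never the server to the phone: any host that answers the second REGISTER with 200 OK is believed. Digest as specified in RFC 2617 (which RFC 3261 adopts for SIP) does give the phone a way to check the server, the `rspauth` value in an `Authentication-Info` header, which only a party holding the password can compute and which depends on the phone's own `cnonce`. The following added example, written for this page and not code from the presentation or from any phone, runs the slide's REGISTER / 401 / REGISTER / 200 OK exchange against a genuine server and against a spoofed one that does not know the password, and shows that the phone can tell them apart only if it verifies `rspauth`. The username, realm, nonce, cnonce and URI are the slide's values; the password, the `register_exchange` helper and its return shape are assumptions for the example.

```python
import hashlib
import hmac


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    return md5_hex(f"{username}:{realm}:{password}")


def client_response(username, realm, password, method, uri, nonce,
                    cnonce=None, nc="00000001", qop="auth"):
    """Digest 'response' the phone places in Authorization (RFC 2617 s3.2.2).
    With qop the client's cnonce is mixed in; with qop=None it is the older
    RFC 2069 form, which carries no cnonce at all."""
    h1 = ha1(username, realm, password)
    h2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")
    return md5_hex(f"{h1}:{nonce}:{h2}")


def server_rspauth(username, realm, password, uri, nonce, cnonce,
                   nc="00000001", qop="auth"):
    """'rspauth' a server returns in Authentication-Info (RFC 2617 s3.2.3).
    Same construction as the client response, but A2 omits the method, so the
    value differs from the client's and only a holder of the secret can form it."""
    h1 = ha1(username, realm, password)
    h2 = md5_hex(f":{uri}")
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def register_exchange(phone_password, server_password, server_sends_rspauth=True):
    """Run the slide's REGISTER exchange. The phone holds phone_password; the
    server holds server_password (a spoofed server holds the wrong one or none).
    Returns what each side was able to verify."""
    username, realm = "sachin", "asterisk"
    uri, nonce, cnonce = "sip:192.168.0.1:5060", "4f87b95d", "dbf4afc"   # slide values
    # Phone -> Server: Authorization with response (the slide's second REGISTER).
    resp = client_response(username, realm, phone_password, "REGISTER", uri, nonce, cnonce)
    # Server checks the phone. On most phones this is the only check that ever happens.
    client_ok = hmac.compare_digest(
        resp, client_response(username, realm, server_password, "REGISTER", uri, nonce, cnonce))
    # Server -> Phone: 200 OK. A spoofed server can always send this line; the
    # phone should trust it only if the accompanying rspauth verifies.
    rspauth = (server_rspauth(username, realm, server_password, uri, nonce, cnonce)
               if server_sends_rspauth else None)
    expected = server_rspauth(username, realm, phone_password, uri, nonce, cnonce)
    server_ok = rspauth is not None and hmac.compare_digest(rspauth, expected)
    return {"client_authenticated": client_ok, "server_authenticated": server_ok}


if __name__ == "__main__":
    print("genuine server:", register_exchange("example-secret", "example-secret"))
    print("spoofed server:", register_exchange("example-secret", "wrong-guess"))
    print("server without Authentication-Info:",
          register_exchange("example-secret", "example-secret", server_sends_rspauth=False))
```

The last case is the one the slide describes: a bare 200 OK with no `Authentication-Info` gives the phone nothing to check, so a phone that accepts it has authenticated nobody. Note also that without qop there is no cnonce, so the RFC 2069 form cannot support server verification at all; the comparisons use `hmac.compare_digest` so that the check itself is not timing-sensitive.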

  23. Encryption Support
     • Signaling
       – In the absence of transport security, phones can use S/MIME for providing authentication, and privacy services
       – But not many phones support S/MIME, exposing them to spoofing and eavesdropping threats
     • Media
       – SRTP support very minimal
       – Exposure to eavesdropping (tools like VOMIT)

  24. Transport Security
     • UDP is the most common and default transport used for SIP signaling
     • Transport layer security (TLS) not enforced
     • Even if TLS is used, only server authentication is enforced; clients may not get authenticated by the server, allowing someone to steal an identity if no other app-level auth is used
