wiretapping end to end encrypted voip calls
play

Wiretapping End-to-End Encrypted VoIP Calls Real-World Attacks on - PowerPoint PPT Presentation

Jan 03, 2024 •139 likes •396 views

Institute of Operating Systems and Computer Networks Wiretapping End-to-End Encrypted VoIP Calls Real-World Attacks on ZRTP Dominik Schrmann, Fabian Kabus, Gregor Hildermeier, Lars Wolf, 2017-07-18 Introduction Man-in-the-Middle ZRTP

  1. Institute of Operating Systems and Computer Networks Wiretapping End-to-End Encrypted VoIP Calls Real-World Attacks on ZRTP Dominik Schürmann, Fabian Kabus, Gregor Hildermeier, Lars Wolf, 2017-07-18

  2. Introduction Man-in-the-Middle ZRTP Attacks Conclusion End-to-End Security for Voice Calls No End-to-End Security PSTN (Public Switched Telephone Network) SIP + (S)RTP (Session Initiation Protocol + Secure Real-Time Transport Protocol) 2017-07-18 Dominik Schürmann Wiretapping End-to-End Encrypted VoIP Calls Page 2 of 13 Institute of Operating Systems and Computer Networks

  3. Introduction Man-in-the-Middle ZRTP Attacks Conclusion End-to-End Security for Voice Calls No End-to-End Security PSTN (Public Switched Telephone Network) SIP + (S)RTP (Session Initiation Protocol + Secure Real-Time Transport Protocol) End-to-End Encryption SIP + DTLS-SRTP (SIP + Datagram Transport Layer Security-SRTP) 2017-07-18 Dominik Schürmann Wiretapping End-to-End Encrypted VoIP Calls Page 2 of 13 Institute of Operating Systems and Computer Networks

  4. Introduction Man-in-the-Middle ZRTP Attacks Conclusion End-to-End Security for Voice Calls No End-to-End Security PSTN (Public Switched Telephone Network) SIP + (S)RTP (Session Initiation Protocol + Secure Real-Time Transport Protocol) End-to-End Encryption SIP + DTLS-SRTP (SIP + Datagram Transport Layer Security-SRTP) End-to-End Encryption & Authentication SIP + SRTP + ZRTP 2017-07-18 Dominik Schürmann Wiretapping End-to-End Encrypted VoIP Calls Page 2 of 13 Institute of Operating Systems and Computer Networks

  5. Introduction Man-in-the-Middle ZRTP Attacks Conclusion End-to-End Security for Voice Calls No End-to-End Security PSTN (Public Switched Telephone Network) SIP + (S)RTP (Session Initiation Protocol + Secure Real-Time Transport Protocol) wiretapping difficulty End-to-End Encryption SIP + DTLS-SRTP (SIP + Datagram Transport Layer Security-SRTP) End-to-End Encryption & Authentication SIP + SRTP + ZRTP 2017-07-18 Dominik Schürmann Wiretapping End-to-End Encrypted VoIP Calls Page 2 of 13 Institute of Operating Systems and Computer Networks

  6. Introduction Man-in-the-Middle ZRTP Attacks Conclusion Man-in-the-Middle (Evil Operator) SIP with Encryption-only: Alice SIP Server Bob INVITE B@example.com INVITE B@example.com From: mitm@localhost From: A@example.com 4 1 mitm: A@example.com modi fi ed: modi fi ed: INVITE mitm@localhost INVITE B@example.com INVITE B@example.com INVITE B@example.com From: A@example.com From: A@example.com From: A@example.com From: A@example.com 8 5 200 OK 200 OK 200 OK 200 OK From: A@example.com From: A@example.com From: A@example.com From: A@example.com 7 2 3 6 9 9 10 INVITE mitm@localhost INVITE B@example.com Bob Alice From: A@example.com connect & From: mitm@localhost Valid Session! B@example… record Valid Session! A@example… header added: mitm: A@example.com 200 OK 200 OK From: A@example.com From: A@example.com MitM Client 2017-07-18 Dominik Schürmann Wiretapping End-to-End Encrypted VoIP Calls Page 3 of 13 Institute of Operating Systems and Computer Networks

  7. Introduction Man-in-the-Middle ZRTP Attacks Conclusion Man-in-the-Middle (Evil Operator) Encryption & Authentication with ZRTP: Alice SIP Server Bob INVITE B@example.com INVITE B@example.com From: mitm@localhost From: A@example.com 4 1 mitm: A@example.com modi fi ed: modi fi ed: INVITE mitm@localhost INVITE B@example.com INVITE B@example.com INVITE B@example.com From: A@example.com From: A@example.com From: A@example.com From: A@example.com 8 5 200 OK 200 OK 200 OK 200 OK From: A@example.com From: A@example.com From: A@example.com From: A@example.com 7 2 3 6 9 9 10 INVITE mitm@localhost INVITE B@example.com Bob Alice From: A@example.com connect & From: mitm@localhost Valid Session! B@example… record Valid Session! A@example… header added: mitm: A@example.com ZRTP SAS: ZRTP SAS: 200 OK 200 OK bz4f utd9 From: A@example.com From: A@example.com MitM Client 2017-07-18 Dominik Schürmann Wiretapping End-to-End Encrypted VoIP Calls Page 4 of 13 Institute of Operating Systems and Computer Networks

  8. Introduction Man-in-the-Middle ZRTP Attacks Conclusion ZRTP Attacks ZRTP Complex Protocol Authenticates Diffie-Hellman key exchange Authentication by comparison of Short Authentication Strings (SAS) Hash Commitment constraints online-attacker to one try per call Evaluation of Real-World Implementations Excluded closed-network implementations Excluded attacks with speech synthesis Assume correctly compared SAS 2017-07-18 Dominik Schürmann Wiretapping End-to-End Encrypted VoIP Calls Page 5 of 13 Institute of Operating Systems and Computer Networks

  9. Introduction Man-in-the-Middle ZRTP Attacks Conclusion Evaluation Apps Application OS Version Library Acrobits Softphone iOS 5.8.1 - CSipSimple Android 1.02.03 ZRTP4PJ Jitsi Win, Lin, MacOS 2.9.0 ZRTP4J Linphone Android Android 3.1.1 bzrtp Signal Android 3.15.2 - Signal iOS 2.6.4 - Tests Paper: 7 protocol tests, 4 non-protocol tests Presentation: Most interesting results 2017-07-18 Dominik Schürmann Wiretapping End-to-End Encrypted VoIP Calls Page 6 of 13 Institute of Operating Systems and Computer Networks

  10. ZRTP in a Nutshell (Highly Simplified) F1-F4 Hello R I pvi = g svi mod p hvi = hash ( pvi ) ( h v i ) m i t C o m F 5 I R pvr = g svr mod p F 6 D H P a r t 1 ( p v r ) R I DHResult = pvr svi mod p p v i ) r t 2 ( H P a F 7 D I R DHResult = pvi svr mod p SAS = KDF ( DHResult � IDs � HashOfMessages ) Confirm F8-F10 – Verbal Comparison of SAS R I

  11. Check for Invalid Commit F1-F4 Hello R I pvi = g svi mod p hvi = hash ( pvi ) ( h v i ) m i t C o m F 5 I R pvr = g svr mod p F 6 D H P a r t 1 ( p v r ) R I DHResult = pvr svi mod p p v i ) r t 2 ( H P a F 7 D I R DHResult = pvi svr mod p hvi ? = hash ( pvi ) SAS = KDF ( DHResult � IDs � HashOfMessages ) Confirm F8-F10 – Verbal Comparison of SAS R I

  12. Introduction Man-in-the-Middle ZRTP Attacks Conclusion Invalid Commit: Linphone 100% 16 bits (B256) 90% 20 bits (B32) 80% 70% 60% 50% 40% 30% 20% 10% 0% 0 500000 1x10 6 1.5x10 6 2x10 6 number of tries Figure: Linphone CVE-2016-6271: Probability of hitting a targeted SAS 2017-07-18 Dominik Schürmann Wiretapping End-to-End Encrypted VoIP Calls Page 8 of 13 Institute of Operating Systems and Computer Networks

  13. Introduction Man-in-the-Middle ZRTP Attacks Conclusion RFC: Error on Invalid Shared Secret ZRTP stores secrets when user confirms SAS Cache: ZRTP ID assigned to rs1 = KDF ( DHResult ) (highly simplified) Next call no longer requires Diffie-Hellman and no SAS comparison RFC "If either party discovers a cache mismatch, the user agent who makes this discovery must treat this as a possible security event and MUST alert their own user that there is a heightened risk of a MiTM attack […]" 2017-07-18 Dominik Schürmann Wiretapping End-to-End Encrypted VoIP Calls Page 9 of 13 Institute of Operating Systems and Computer Networks

  14. Introduction Man-in-the-Middle ZRTP Attacks Conclusion RFC: Error on Invalid Shared Secret Questionable requirement in RFC CSipSimple, Linphone do not implement this Bug in Jitsi (ZRTP4J) A new cache entry copies the secrets and flags from the last saved one Invalid security warning is raised for new clients 2017-07-18 Dominik Schürmann Wiretapping End-to-End Encrypted VoIP Calls Page 10 of 13 Institute of Operating Systems and Computer Networks

  15. Introduction Man-in-the-Middle ZRTP Attacks Conclusion Shared Man-in-the-Middle Attack 1. Call between Eve & Alice, confirm SAS ⇒ rs1 A for Eve in Alice’ cache 2. Call between Eve & Bob, confirm SAS ⇒ rs1 B for Eve in Bob’s cache 3. Eve conducts MitM attack (evil operator) ⇒ No SAS confirmation, Eve has rs1 A , rs1 B in her cache 4. SIP addresses shown: Alice: B@example.com, Bob: A@example.com 2017-07-18 Dominik Schürmann Wiretapping End-to-End Encrypted VoIP Calls Page 11 of 13 Institute of Operating Systems and Computer Networks

  16. Introduction Man-in-the-Middle ZRTP Attacks Conclusion Shared Man-in-the-Middle Attack 1. Call between Eve & Alice, confirm SAS ⇒ rs1 A for Eve in Alice’ cache 2. Call between Eve & Bob, confirm SAS ⇒ rs1 B for Eve in Bob’s cache 3. Eve conducts MitM attack (evil operator) ⇒ No SAS confirmation, Eve has rs1 A , rs1 B in her cache 4. SIP addresses shown: Alice: B@example.com, Bob: A@example.com Why Does This Work? No ID binding to outer protocol ZRTP works independent of SIP addresses with random IDs ⇒ Cache uses ZRTP ID for lookup Alice and Bob’s cache lookup by Eve’s ZRTP ID 2017-07-18 Dominik Schürmann Wiretapping End-to-End Encrypted VoIP Calls Page 11 of 13 Institute of Operating Systems and Computer Networks

  17. Shared Man-in-the-Middle Signal: No cache ⇒ Secure Acrobits Softphone: RFC-compliant protection Other implementations: Insecure

Recommend

Phonotactic Reconstruction of Encrypted VoIP Conversations: Hookt on fon-iks Adam White, Austin

Phonotactic Reconstruction of Encrypted VoIP Conversations: Hookt on fon-iks Adam White, Austin

Phonotactic Reconstruction of Encrypted VoIP Conversations: Hookt on fon-iks Adam White, Austin Matthews, Kevin Snow, and Fabian Monrose Presented By Corly Leung Introduction - Google Hangout, Skype, FaceTime - Encrypting VoIP Packets -

480 views • 14 slides
Spot me if you can: Uncovering spoken phrases in encrypted VoIP conversations C. Wright, L.

Spot me if you can: Uncovering spoken phrases in encrypted VoIP conversations C. Wright, L.

Spot me if you can: Uncovering spoken phrases in encrypted VoIP conversations C. Wright, L. Ballard, S. Coull, F. Monrose, G. Masson Talk held by Goran Doychev Selected Topics in Information Security and Cryptography Seminar 1 / 30 Overview 1

676 views • 42 slides
By: Jen DosSantos, Kerry Cassidy & Mike Dunn VoIP is an acronym for Voice over Internet

By: Jen DosSantos, Kerry Cassidy & Mike Dunn VoIP is an acronym for Voice over Internet

By: Jen DosSantos, Kerry Cassidy & Mike Dunn VoIP is an acronym for Voice over Internet Protocol. VoIP describes any kind of connection uses the internet to make phone calls. VoIP calls can be made from a computer to another computer, a

448 views • 13 slides
Signaling vulnerabilities in wiretapping systems Micah Sherr, Eric Cronin, Sandy Clark, and Matt

Signaling vulnerabilities in wiretapping systems Micah Sherr, Eric Cronin, Sandy Clark, and Matt

Signaling vulnerabilities in wiretapping systems Micah Sherr, Eric Cronin, Sandy Clark, and Matt Blaze Kyo Kim Introduction Law enforcement agencies use wiretapping to collect intelligence and evidence. Growing reliance in wiretapping.

444 views • 16 slides
Towards a Fully Encrypted Internet CS244 | Zakir Durumeric 2013 Snowden Revelations Explicit

Towards a Fully Encrypted Internet CS244 | Zakir Durumeric 2013 Snowden Revelations Explicit

Towards a Fully Encrypted Internet CS244 | Zakir Durumeric 2013 Snowden Revelations Explicit evidence that intelligence agencies are globally wiretapping Internet backbone connections Massive collection of web tra ffi c, emails, instant

512 views • 50 slides
What is VoIP? 1 VoIP What is it and how can it help my business? - VoIP is an acronym for

What is VoIP? 1 VoIP What is it and how can it help my business? - VoIP is an acronym for

Welcome to Business Matters Todays topic: What is VoIP? 1 VoIP What is it and how can it help my business? - VoIP is an acronym for Voice over Internet Protocol - Phone service through your Internet connection 2 Components of

510 views • 29 slides
Recap: Tracking Anonymous Peer-to- Peer VoIP Calls on the Internet Scott E. Coull and Amos

Recap: Tracking Anonymous Peer-to- Peer VoIP Calls on the Internet Scott E. Coull and Amos

Recap: Tracking Anonymous Peer-to- Peer VoIP Calls on the Internet Scott E. Coull and Amos Wetherbee April 7, 2006 Encoding a bit Packet flow of n bits 1. Select 2r packets from the first n-d packets 2. at random d is used to prevent

599 views • 55 slides
Quality Analysis of CloudPBX VoIP Calls Matthew Fung, Conor Morrison, Jackie Xu, Stefan Hannie,

Quality Analysis of CloudPBX VoIP Calls Matthew Fung, Conor Morrison, Jackie Xu, Stefan Hannie,

Quality Analysis of CloudPBX VoIP Calls Matthew Fung, Conor Morrison, Jackie Xu, Stefan Hannie, Mohamed Laradji, Michelle Liu, Eric Lam, Idalia Machuca, Julian Mentasti A phone call CloudPBX B A` Caller Callee A B` The dataset - a call

478 views • 27 slides
TLS 1.3 Encrypted SNI ekr: ekr@rtfm.com dkg: dkg@aclu.org IETF 94 TLS 1.3 Encrypted SNI 1

TLS 1.3 Encrypted SNI ekr: ekr@rtfm.com dkg: dkg@aclu.org IETF 94 TLS 1.3 Encrypted SNI 1

TLS 1.3 Encrypted SNI ekr: ekr@rtfm.com dkg: dkg@aclu.org IETF 94 TLS 1.3 Encrypted SNI 1 DISCLAIMER: THIS IS NOT FULLY-BAKED We just fleshed out this idea yesterday, so its hand-wavy. Insufficient analysis has been done. IETF 94 TLS 1.3

886 views • 11 slides
Voice over IP (VoIP) Technology Services 875-4357 cchelpdesk@ccis.edu What is VoIP? VoIP

Voice over IP (VoIP) Technology Services 875-4357 cchelpdesk@ccis.edu What is VoIP? VoIP

Voice over IP (VoIP) Technology Services 875-4357 cchelpdesk@ccis.edu What is VoIP? VoIP (voice over IP) is an IP telephony term for a set of facilities used to manage the delivery of voice information over the Internet. A major advantage of

1.26k views • 5 slides
SPECIAL CELLULAR PHONE SP7 WIRETAPPING PROTECTION www.ledbg.eu DEVICE DESCRIPTION NO MATTER

SPECIAL CELLULAR PHONE SP7 WIRETAPPING PROTECTION www.ledbg.eu DEVICE DESCRIPTION NO MATTER

SPECIAL CELLULAR PHONE SP7 WIRETAPPING PROTECTION www.ledbg.eu DEVICE DESCRIPTION NO MATTER WHERE YOU ARE, AT HOME OR ABROAD SPECIAL CELL PHONE SP7 GUARANTEES WIRETAPPING PROTECTION IN GSM MOBILE PROTECTION IN GSM MOBILE NETWORKS ANY

196 views • 18 slides
Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet Steven M.

Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet Steven M.

Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet Steven M. Bellovin https://www.cs.columbia.edu/smb Join work with Matt Blaze, Sandy Clark, Susan Landau 1 Steven M. Bellovin December 22, 2013 A Note on

366 views • 36 slides
Warm Welcome Matrix SETU VTEP Single Span VoIP to T1/E1 PRI Gateway Introduction VoIP to T1/E1

Warm Welcome Matrix SETU VTEP Single Span VoIP to T1/E1 PRI Gateway Introduction VoIP to T1/E1

Warm Welcome Matrix SETU VTEP Single Span VoIP to T1/E1 PRI Gateway Introduction VoIP to T1/E1 PRI Gateway Dedicated VoIP-ISDN PRI Gateway Plug-n-Play device VoIP access device for an existing PBX PRI trunking for an

404 views • 27 slides
VoIP switching and billing suite Break through your data VoIP switching and billing suite

VoIP switching and billing suite Break through your data VoIP switching and billing suite

VoIP switching and billing suite Break through your data VoIP switching and billing suite components VoIP switch - SIP softswitch based on VoIP switch Opensips significantly re-developed by 5g 5g Future. Future Dynamic or static routing - a

156 views • 11 slides
Transporting Voice by Using IP NTP VoIP Testbed: A SIP-based VoIP Platform Department of CSIE,

Transporting Voice by Using IP NTP VoIP Testbed: A SIP-based VoIP Platform Department of CSIE,

Transporting Voice by Using IP NTP VoIP Testbed: A SIP-based VoIP Platform Department of CSIE, NCTU Quincy Wu Email: solomon@ipv6.club.tw 1 Outline Introduction Voice over IP RTP & SIP NTP VoIP Platform Conclusion

1.02k views • 64 slides
VoIP Hacking Lars Strand PhD student Norwegian Defence Research Establishment (FFI) Jely,

VoIP Hacking Lars Strand PhD student Norwegian Defence Research Establishment (FFI) Jely,

VoIP Hacking Lars Strand PhD student Norwegian Defence Research Establishment (FFI) Jely, 15.-16. January 2009 VoIP? PSTN: 100 year old technology, 99.999% uptime, call anyone anytime can VoIP offer that today? VoIP next

479 views • 15 slides
Introduction (1 of 2) An Empirical Evaluation of VoIP Playout Buffer Dimensioning in VoIP

Introduction (1 of 2) An Empirical Evaluation of VoIP Playout Buffer Dimensioning in VoIP

4/3/2015 Introduction (1 of 2) An Empirical Evaluation of VoIP Playout Buffer Dimensioning in VoIP increasingly important Skype, Google Talk, and MSN Started with inexpensive use at home with friends and family Messenger Now businesses

631 views • 7 slides
SIP- -based Prepaid Mechanism based Prepaid Mechanism SIP on NTP VoIP Platform in on NTP VoIP

SIP- -based Prepaid Mechanism based Prepaid Mechanism SIP on NTP VoIP Platform in on NTP VoIP

LAB 117 & VoIP LAB SIP- -based Prepaid Mechanism based Prepaid Mechanism SIP on NTP VoIP Platform in on NTP VoIP Platform in Taiwan Taiwan 19th APAN Meeting in Bangkok, January 2005 Ines Sok-Ian Sou and Prof. Quincy Wu Dept. of

293 views • 27 slides
A Technique for Classification of VoIP Flows in UDP Media Streams using VoIP Signalling Traffic

A Technique for Classification of VoIP Flows in UDP Media Streams using VoIP Signalling Traffic

A Technique for Classification of VoIP Flows in UDP Media Streams using VoIP Signalling Traffic Tejmani Sinam, Irengbam Tilokchan Singh, Sukumar Nandi Pradeep Lamabam, Ngasham Nandarani Devi Department of Computer Science and Engineering,

231 views • 6 slides
CORPORATE presentation VoIP, SMS, SOFTWARE LICENCED LANDLINE VOIP SMS SOFTWARE TURKEY

CORPORATE presentation VoIP, SMS, SOFTWARE LICENCED LANDLINE VOIP SMS SOFTWARE TURKEY

CORPORATE presentation VoIP, SMS, SOFTWARE LICENCED LANDLINE VOIP SMS SOFTWARE TURKEY OPERATOR DATA MVNO OTTs Services that 100% guarantee reliable and lucrative partnerships lead to absolute success. premier global communications

331 views • 7 slides
Wiretapping with Audio Frequency Monitor AN/PTA-1 Presented by Mark J. Blair NF6X at the 2017

Wiretapping with Audio Frequency Monitor AN/PTA-1 Presented by Mark J. Blair NF6X at the 2017

Wiretapping with Audio Frequency Monitor AN/PTA-1 Presented by Mark J. Blair NF6X at the 2017 MRCG Meet Audio Frequency Monitor AN/PTA-1 Wire tapping device for field telephone lines 1954 TM with changes dated 1960, 1962

611 views • 16 slides
FCC Releases VoIP E911 Order Highlights: Providers of Interconnected VoIP Services

FCC Releases VoIP E911 Order Highlights: Providers of Interconnected VoIP Services

GLOBAL TELECOMMUNICATIONS AND MEDIA INDUSTRY GROUP E-NEWS JUNE 8, 2005 FCC Releases VoIP E911 Order Highlights: Providers of Interconnected VoIP Services Required to Supply Enhanced 911 (E911) capabilities. Must File Letters

357 views • 4 slides
Findings and Recommendations September 2011 Calls into VDN: 82,850 Calls Answered

Findings and Recommendations September 2011 Calls into VDN: 82,850 Calls Answered

Findings and Recommendations September 2011 Calls into VDN: 82,850 Calls Answered (ACCESS & 211): 32,717 Calls Abandoned: 13,978 (42%) Average Wait Time: 39 m minut nutes Customer Service Feedback: Question 8.

308 views • 20 slides
What We Learned From the Mid-Year Check-In Calls: Successes & Challenges Mid-Year Calls

What We Learned From the Mid-Year Check-In Calls: Successes & Challenges Mid-Year Calls

What We Learned From the Mid-Year Check-In Calls: Successes & Challenges Mid-Year Calls Asked state contact and contractor (if applicable) to be on calls Asked states to fill out work plan in advance Calls took around 1 hr.

396 views • 15 slides

More recommend