
Vulnerabilities in Dual-mode / Wi-Fi Phones - 8/2/07 - Sachin Joglekar (PowerPoint presentation)



  1. Vulnerabilities in Dual-mode / Wi-Fi Phones
     8/2/07 - Sachin Joglekar, Vulnerability Research Lead

  2. Outline (Total 60-70 min)
     • Introduction (7 min)
     • Protocol Stack (7 min)
     • Current State of Security Features (7 min)
     • Demo 1 (10 min)
     • Attack Vectors (7 min)
     • Vulnerabilities Discovered (15 min)
     • Demo 2 (10 min)
     • Q&A (5 min)

  3. Part 1: VoIP/VoWLAN

  4. What is VoIP and VoWLAN?
     • VoIP = Voice over Internet Protocol
     • For a layman
       – A very attractive and cheap phone service
     • For a techie
       – A phone service that transmits your voice over IP network
     • For a hacker
       – A very attractive new attack target!!
     • VoWLAN = Voice over Wireless LAN
     • Mobile phones connect to Wi-Fi to transmit voice over Wi-Fi
     • Great indoors where cellular signal is weak
     • Such phones can be easily discovered from IP network and…
     • … hacked into using traditional techniques

  5. VoIP advantages and challenges
     • Advantages
       – Cost effective
         • No need to pay for each line
       – Feature rich
       – Fast ROI
       – Easy to manage
       – Independence from geographic restrictions on phone numbers
     • Challenges
       – E911 issues
       – Dependent on availability of power
       – Sometimes QoS
       – Voice traveling through un-trusted IP networks
       – Security

  6. Data vs. VoIP
     • (Data) E-mail
       – SMTP, POP3
       – Client-Server
       – Store and Forward
       [Diagram: Client → Server, "SMTP: Connect to Server, and Send Mail"; Client → Server, "POP3: Connect to Server, and Request Mail"; Server → Client, "POP3: Deliver Mail"]
     • (VoIP)
       – SIP, H.323, Skinny
       – Peer-Peer
       – Real-Time
       – Separate Signaling and Media Planes
       – Feature Rich complex state machines
       [Diagram: Client/Server → Proxy, "Make Call"; Proxy → Client/Server, "Deliver Call"; "Answer Call" returned over both hops; between the two Client/Server endpoints, "RTP over UDP: Media (Audio/Video)"]

  7. Typical Enterprise VoIP - Value and Risks
     [Diagram elements: Soft Clients, IP Phones, WiFi/Dual Mode Phones, Web Phone, Hard Phone, Dual-mode Phone, Soft Phone, IP PBX; Data VLAN, VoIP VLAN, DMZ; Service Provider, Internet, Partner; Rogue Employee, Infected PC, Rogue Device, Spammer, Hackers]
     Driving Factors:
     • Cellular cost savings
     • Business Continuity
     • Trunk cost savings
     • Life style management
     • Productivity gains

  8. Protocols Used for VoIP
     • Application
       – Signaling: SIP, SDP, H323, Skinny
       – Media: RTP, RTCP
       – Encrypted Media: SRTP, ERTP, ZRTP
       – Authentication: MD5 Digest, NTLM, Kerberos
     • Transport: UDP, TCP, TLS
     • TLS Security
       – Server Auth Only / Mutual Auth
       – Auth with null encryption / Auth with encryption

  9. SIP Protocol Complexity
     • Too many specifications
       – SIP is an ASCII protocol (as opposed to binary protocol like H.323) specified in IETF RFC 3261
       – VoIP applications also make use of several other RFCs [http://www.iana.org/assignments/sip-parameters]
     • Too flexible specifications
       – Specification leaves lot of room for flexibility in syntax and extensions
     • Complex implementations
       – That makes protocol message parser implementations complex
     • Vulnerable code
       – And hence more prone to security vulnerabilities
     Example message:
       INVITE sip:9999@10.0.250.107 SIP/2.0
       Via: SIP/2.0/UDP 10.0.250.101;branch=z9hG4bK5c95dece;rport
       From: "attacker" sip:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[0x90909090] [\x31\xD2\x52\x52\x52\x52\xB8\x8A\x05\x45\x7E\xFF\xD0]@10.0.250.101>;tag=6Mg0okSwlxd7
       To: <sip:9999@10.0.250.107>
       Contact: <sip:attacker@10.0.250.101>
       Call-ID: 6Mg0okSwlxd7-CM0H4EqKTBwm
       CSeq: 123 INVITE
       User-Agent: Spoofed PBX
       Max-Forwards: 70
       Allow: REFER, SUBSCRIBE, NOTIFY
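The slide's point is that a permissive SIP parser hands oversized and non-text header content straight to the application. As an added example (not from the slides or any product mentioned), this is a bounded parser for the request line and headers that refuses a message shaped like the INVITE above before it reaches any application code; the size limits MAX_HEADERS and MAX_LINE are assumed values, and the sample messages are constructed.

```python
import re

MAX_HEADERS = 64      # assumed bound, not a value from the slides
MAX_LINE = 512        # assumed bound on one header line, in bytes
REQUEST_LINE = re.compile(rb"^([A-Z]{1,16}) (sips?:\S{1,256}) SIP/2\.0$")
HEADER_LINE = re.compile(rb"^([A-Za-z][A-Za-z0-9-]{0,63}):[ \t]*(.*)$")

class SipParseError(ValueError):
    pass

def parse_sip_request(raw):
    """Parse start line and headers of a SIP request, refusing anything outside
    the bounds instead of passing it on. Returns (method, uri, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    head = re.sub(rb"\r\n[ \t]+", b" ", head)          # unfold continuation lines
    lines = head.split(b"\r\n")
    if len(lines) - 1 > MAX_HEADERS:
        raise SipParseError("too many headers")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise SipParseError("bad request line")
    headers = {}
    for line in lines[1:]:
        if len(line) > MAX_LINE:
            raise SipParseError("header line too long")
        # Header values are UTF-8 text in RFC 3261; raw control bytes such as
        # NUL or stray CR/LF have no legitimate place there.
        if any((b < 0x20 and b != 0x09) or b == 0x7F for b in line):
            raise SipParseError("control byte in header")
        h = HEADER_LINE.match(line)
        if not h:
            raise SipParseError("bad header line")
        try:
            value = h.group(2).decode("utf-8")
        except UnicodeDecodeError:
            raise SipParseError("non-UTF-8 header value") from None
        headers.setdefault(h.group(1).decode().lower(), []).append(value)
    return m.group(1).decode(), m.group(2).decode(), headers

def classify(raw):
    """Return 'ok' or the reason the message was refused."""
    try:
        parse_sip_request(raw)
        return "ok"
    except SipParseError as e:
        return str(e)

# Constructed samples: a normal INVITE, then two in the shape of the slide's
# message (oversized display name; raw non-text bytes inside the From URI).
GOOD = (b"INVITE sip:9999@10.0.250.107 SIP/2.0\r\n"
        b"Via: SIP/2.0/UDP 10.0.250.101;branch=z9hG4bK5c95dece;rport\r\n"
        b'From: "alice" <sip:alice@10.0.250.101>;tag=6Mg0okSwlxd7\r\n'
        b"To: <sip:9999@10.0.250.107>\r\nCSeq: 123 INVITE\r\n\r\n")
BAD_LONG = b"INVITE sip:9999@10.0.250.107 SIP/2.0\r\nFrom: <sip:" + b"A" * 600 + b"@10.0.250.101>\r\n\r\n"
BAD_BYTES = b"INVITE sip:9999@10.0.250.107 SIP/2.0\r\nFrom: <sip:AAAA\x90\x90\x90\x90@10.0.250.101>\r\n\r\n"
```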

  10. Part 2: Dual-mode / Wi-Fi Phones - Protocol Stack and Attack Vectors

  11. Dual-mode vs. Wi-Fi only phone
      • Dual mode = two modes of communication
        – Type 1
          • GSM Cellular Radio + CDMA Cellular Radio
        – Type 2
          • Cellular Radio + Non-cellular Radio (IEEE 802.11/Wi-Fi)
        – Type 3
          • VoIP + POTS
      • We will discuss Type 2 dual-mode phone and Wi-Fi only phone
      • Wi-Fi Only phone
        – No cellular radio
        – Only works with Wi-Fi access point
      • Both phones can be used over Wi-Fi connection from
        – Campus
        – Home
        – Hotspot

  12. Dual-mode Phone Protocol Stack
      [Stack diagram: Telephony and Messaging Apps and Data Apps on top; Cellular side: CM, MM, RR, LAPDm, TDMA/CDMA; Wi-Fi side: SIP, RTP/RTCP, EAP, TCP/IP, 802.1x, 802.3, 802.11b; below both: OS & Drivers, Handset Hardware]

  13. Example Implementations
      Manufacturer        Wi-Fi / Dual-mode   OS               VoIP Stack
      Blackberry 7270     Dual-mode           RIM OS           Native
      D-Link DPH-541      Wi-Fi               Linux            Native
      Nokia E-61          Dual-mode           Symbian          Native
      Samsung SCH-i730    Dual-mode           Windows Mobile   Can be installed (e.g. SJPhone)
      Dell Axim           Wi-Fi               Windows Mobile   Can be installed

  14. Typical Phone Connectivity
      [Diagram: phone connected via PC, USB, Infrared, 3G, Bluetooth, WLAN / Wi-Fi]

  15. Attack Vectors
      • Recon
        – Phone is visible as an IP address
      • Authentication bypass
        – Replay, IP spoofing
      • Registration hijack
        – Well-known attack still valid on these phones
      • Eavesdropping
        – Wireless access points that are not secured enough may provide a way to listen into conversations without physical access
      • Attack on supporting services
        – Users may have to face DoS
      • Resource exhaustion
        – These are low power devices, some don't clean up transaction states, easy to exhaust memory and CPU
      • Implementation flaw exploitations
        – Not much thought has gone into making the stacks robust
        – Clients (which are also servers in case of SIP) don't authenticate received requests

  16. Wi-Fi to Cellular hand-off
      • If arbitrary shell code can be executed on the phone using a message sent to it over Wi-Fi, the phone can possibly be made to launch calls over Cellular
      • Data theft can occur
      • To be explored

  17. Building a VoIP/SIP Attack
      [Diagram: lab with SIP APPs, Registrar Server, Media Server, PBX, IVR Server, two MGWs; "Download Tools"]
      • VoIP/SIP Sniffing Tools: AuthTool, Cain & Abel, NetDude, Oreka, PSIPDump, SIPomatic, SIPv6 Analyzer, VOIPong, VOMIT, Wireshark
      • VoIP/SIP Scanning & Enum Tools: enumIAX, iWar, Nessus - SIP-Scan, SIPcrack, SIPSCAN, SiVuS, SMAP, VLANping
      • VoIP/SIP Packet Creation & Flooding Tools: IAXFlooder, INVITE Flooder, kphone-ddos, RTP Flooder, Scapy, SIPBomber, SIPNess, SIPp, SIPsak
      • VoIP/SIP Signaling Manipulation tools: BYE Teardown, Phone Rebooter, RedirectionPoison, RegistrationAdder, RegistrationEraser, RegistrationHacker, SIP-Kill, SIP-Proxy-Kill, SIP-RedirectRTP
      • VoIP Media Manipulation Tools: RTP InsertSound, RTP MixSound, RTP Proxy

  18. Part 3: Current State of Security Features

  19. Survey of Current Security Features
      • What are security features implemented by Dual-mode / Wi-Fi phones?
      • What are out-of-the-box security settings?

  20. Out-of-the-box Security Settings
      • Most common signaling transport
        – UDP (No signaling encryption)
      • Most common media transport
        – RTP (No media encryption)
      • Application-level Authentication
        – Only client is authenticated
        – No server authentication in most cases

  21. Authentication Support
      • Signaling
        – Most of the phones do not authenticate server using cnonce during Digest Auth
        – TLS Authentication not implemented in several phones
        – S/MIME ?
      • Media
        – SRTP support very minimal
        – Exposure to rogue packet injection using spoofed IP addresses

  22. Digest Authentication without server authentication
      Phone → Server:
        REGISTER sip:192.168.0.1:5060 SIP/2.0
        From: sachin@sipera.com;tag=220587
        To: sachin@sipera.com
        Contact: 192.168.0.34;events="message-summary"
        Call-ID: E3A0F6BBEE91@192.168.0.34
        Max-Forwards: 70
        CSeq: 3 REGISTER
        Via: SIP/2.0/UDP 192.168.0.34;rport;branch=z9hG4bK805d2fa50131c9b1
      Server → Phone:
        SIP/2.0 401 Unauthorized
        WWW-Authenticate: Digest realm="asterisk", nonce="4f87b95d"
        ..
      Phone → Server:
        REGISTER sip:192.168.0.1:5060 SIP/2.0
        Authorization: Digest username="sachin",realm="asterisk",nonce="4f87b95d",uri="sip:192.168.0.1:5060",response="fed6890f44712fbaef17c704e6e30eac",cnonce="dbf4afc"
        ..
      Server → Phone:
        200 OK
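The exchange above lets the registrar check the phone but gives the phone nothing to check back. As an added example (not from the slides), this computes the Digest values on both sides for the slide's realm, nonce, URI and cnonce, and shows the mutual-authentication step the slide says phones skip: the rspauth in Authentication-Info that only a registrar holding the credential can produce. The password is a placeholder (the slide shows none), and qop=auth is assumed for the mutual case because without qop the cnonce never enters the hash.

```python
import hashlib
import hmac

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, cnonce=None, nc=None, qop=None):
    """Value the phone sends as Authorization: response=... (RFC 2617 scheme
    as used by RFC 3261). Without qop the cnonce is simply ignored, so a phone
    that sends cnonce but no qop, as on the slide, gains nothing from it."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def rspauth(user, realm, password, uri, nonce, cnonce, nc, qop="auth"):
    """Authentication-Info: rspauth=... on the 200 OK. Same HA1, but HA2 is
    taken over an empty method, so only a holder of the credential can
    produce it for the phone's freshly chosen cnonce."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{_md5(':' + uri)}")

# Values from the slide's exchange; PASSWORD is a placeholder.
USER, REALM, NONCE, URI = "sachin", "asterisk", "4f87b95d", "sip:192.168.0.1:5060"
PASSWORD = "placeholder-secret"

def register(server_password, phone_checks_rspauth):
    """Run the slide's REGISTER with qop=auth against a registrar holding
    server_password (the real one, or a rogue one that does not know it).
    Returns (registrar verified the phone, phone trusts the 200 OK)."""
    cnonce, nc = "dbf4afc", "00000001"
    response = digest_response(USER, REALM, PASSWORD, "REGISTER", URI, NONCE, cnonce, nc, "auth")
    registrar_verified = hmac.compare_digest(
        response, digest_response(USER, REALM, server_password, "REGISTER", URI, NONCE, cnonce, nc, "auth"))
    # A rogue registrar cannot verify the response, but nothing stops it from
    # answering 200 OK with whatever rspauth it can compute.
    server_rspauth = rspauth(USER, REALM, server_password, URI, NONCE, cnonce, nc)
    if not phone_checks_rspauth:
        return registrar_verified, True   # the slide's phones: server never authenticated
    expected = rspauth(USER, REALM, PASSWORD, URI, NONCE, cnonce, nc)
    return registrar_verified, hmac.compare_digest(server_rspauth, expected)
```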

  23. Encryption Support
      • Signaling
        – In the absence of transport security, phones can use S/MIME for providing authentication and privacy services
        – But not many phones support S/MIME, exposing them to spoofing and eavesdropping threats
      • Media
        – SRTP support very minimal
        – Exposure to eavesdropping (tools like VOMIT)

  24. Transport Security
      • UDP is the most common and default transport used for SIP signaling
      • Transport layer security (TLS) not enforced
      • Even if TLS is used, only server authentication is enforced; clients may not get authenticated by the server, allowing someone to steal identity if no other app-level auth is used
