Hackers of India

Hacking VoIP through IPSec Tunnels

Sachin Joglekar, Sudeep Patwardhan

2008/02/20

Abstract

One of the primary advantages of Voice over IP (VoIP) is that it allows mobile operators and enterprises to extend their core telephony networks. With WiFi-enabled VoIP phones, users can connect to their core telephony servers over the Internet from any remote location. Such remote VoIP access is often secured with IPSec VPNs, which, as this demonstration will show, is not sufficient to secure VoIP.

In this presentation, we will show how to exploit a SIM card from an IPSec VPN-enabled GSM/VoIP phone to launch attacks through the IPSec tunnel. This demonstrates that IPSec VPNs are not sufficient to secure VoIP, and that it is possible to embed exploits inside the tunneled traffic to generate attacks on the core telephony network. More importantly, with all VPN tunnel traffic considered “trusted,” such attacks go undetected and can have a devastating impact on the core network.

While there are several ways to implement VPNs and authenticate remote phones, for the purpose of this demonstration we will focus on the EAP-SIM based authentication that is typically implemented in dual-mode GSM/VoIP phones.

Under the GSM 2G mobile network standards, GSM phones are equipped with a SIM module (typically a smart card) that allows the gateway server of the core telephony network to authenticate the identity of the GSM phone and enables over-the-air encryption of the voice traffic. When such a GSM phone is also equipped with a VoIP module, the security strength of standard GSM authentication is insufficient in the context of an IP network. This problem is solved by extending GSM authentication with the EAP-SIM mechanism (the Extensible Authentication Protocol method for GSM Subscriber Identity Modules, RFC 4186). Essentially, the GSM SIM runs the GSM algorithms over the credentials stored in the SIM card and the challenges received from the core network, the resulting key material is used to set up an IPSec tunnel with the network, and all VoIP traffic is then routed through that tunnel. As far as the core network is concerned, any device that responds successfully to its challenges, and abides by the negotiated security parameters, is a legitimate device, and that is where the problem lies. As this demonstration will show, it’s easy to become an authenticated subscriber on the network and launch attacks on the core infrastructure.
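To make the trust relationship above concrete, the following added example (not code from the talk or its authors) walks through the EAP-SIM full-authentication key derivation of RFC 4186 section 7 for both the peer and the server. The A3/A8 function, the Ki, the identity and the nonces are constructed stand-ins (real SIMs run COMP128 or Milenage inside the card); the point it shows is that the master key from which the tunnel keys are derived depends only on the SIM's Kc outputs, so the network authenticates possession of a SIM, not the handset or the traffic it will send.

```python
import hashlib
import hmac
import os

# Toy stand-in for the GSM A3/A8 algorithms (assumption, not the real cipher):
# real SIMs compute SRES (4 bytes) and Kc (8 bytes) from Ki and RAND on-card.
def gsm_a3a8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    digest = hmac.new(ki, rand, hashlib.sha1).digest()
    return digest[:4], digest[4:12]          # (SRES, Kc)

def eap_sim_master_key(identity: bytes, kc_list: list[bytes], nonce_mt: bytes,
                       version_list: bytes, selected_version: bytes) -> bytes:
    """RFC 4186 section 7:
    MK = SHA1(Identity | n*Kc | NONCE_MT | Version List | Selected Version).
    K_encr, K_aut, MSK and EMSK (the IPSec/IKE key material) are all expanded
    from MK; SRES never enters MK, it only feeds the AT_MAC of the Challenge."""
    return hashlib.sha1(identity + b"".join(kc_list) + nonce_mt
                        + version_list + selected_version).digest()

def full_auth(ki: bytes, identity: bytes, n: int = 2, rng=os.urandom) -> tuple[bytes, bytes]:
    """Simulate one EAP-SIM full authentication; returns (peer MK, server MK)."""
    version_list = b"\x00\x01"        # AT_VERSION_LIST from the server: only v1
    selected_version = b"\x00\x01"    # AT_SELECTED_VERSION echoed by the peer
    nonce_mt = rng(16)                # peer-chosen NONCE_MT sent in SIM/Start
    # Server side: the home AuC knows Ki and produces n GSM triplets.
    rands = [rng(16) for _ in range(n)]
    triplets = [gsm_a3a8(ki, r) for r in rands]
    server_mk = eap_sim_master_key(identity, [kc for _, kc in triplets],
                                   nonce_mt, version_list, selected_version)
    # Peer side: the SIM answers the same RANDs; only Kc feeds the derivation.
    peer_kc = [gsm_a3a8(ki, r)[1] for r in rands]
    peer_mk = eap_sim_master_key(identity, peer_kc, nonce_mt,
                                 version_list, selected_version)
    return peer_mk, server_mk

if __name__ == "__main__":
    # Constructed Ki and NAI-style identity (placeholder values, not real ones).
    ki = bytes(range(16))
    identity = b"1001010123456789@example.net"
    peer_mk, server_mk = full_auth(ki, identity)
    print("MK agreed:", peer_mk == server_mk, "length:", len(server_mk))
```

Anything holding the SIM (or its Ki) reaches the same MK, so inspection of the SIP/RTP traffic after tunnel decryption is what separates a well-behaved subscriber from a hostile one.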

The presentation and demonstration will include the following: