VOICE OVER IP: RISKS, THREATS AND VULNERABILITIES

Voice over IP (VoIP) and Internet Multimedia Subsystem (IMS) technologies are rapidly being adopted by consumers, enterprises, governments and militaries. These technologies offer higher flexibility and more features than traditional telephony (PSTN) infrastructures, as well as the potential for lower cost through equipment consolidation and, for the consumer market, new business models. However, VoIP/IMS systems also represent a higher complexity in terms of architecture, protocols and implementation, with a corresponding increase in the potential for misuse. Here, we begin to examine the current state of affairs on VoIP/IMS security through a survey of known/disclosed security vulnerabilities in bug-tracking databases. This paper should serve as a starting point for understanding the threats and risks in a rapidly evolving set of technologies that are seeing increasing deployment and use. Our goal is to gain a better understanding of the security landscape with respect to VoIP/IMS, toward directing future research in this and other similar emerging technologies.

[1]  Ralph E. Droms,et al.  Dynamic Host Configuration Protocol , 1993, RFC.

[2]  Charlie Kaufman,et al.  Internet Key Exchange (IKEv2) Protocol , 2005, RFC.

[3]  Randall J. Atkinson,et al.  IP Encapsulating Security Payload (ESP) , 1995, RFC.

[4]  Bogdan M. Wilamowski,et al.  The Transmission Control Protocol , 2005, The Industrial Information Technology Handbook.

[5]  Blake Ramsdell,et al.  Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification , 2004, RFC.

[6]  Henry Haverinen,et al.  Extensible Authentication Protocol Method for Global System for Mobile Communications (GSM) Subscriber Identity Modules (EAP-SIM) , 2006, RFC.

[7]  Mark Handley,et al.  Internet Denial-of-Service Considerations , 2006, RFC.

[8]  Roy T. Fielding,et al.  Hypertext Transfer Protocol - HTTP/1.1 , 1997, RFC.

[9]  Jari Arkko,et al.  Improved Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA') , 2009, RFC.

[10]  Karen R. Sollins,et al.  TFTP Protocol (revision 2) , 1981, RFC.

[11]  Jari Arkko,et al.  Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA) , 2006, RFC.

[12]  Pyda Srisuresh,et al.  Traditional IP Network Address Translator (Traditional NAT) , 2001, RFC.

[13]  Ingemar Johansson,et al.  Support for Reduced-Size Real-Time Transport Control Protocol (RTCP): Opportunities and Consequences , 2009, RFC.

[14]  Bert Wijnen,et al.  An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks , 2002, RFC.

[15]  Radu State,et al.  VoIP Honeypot Architecture , 2007, 2007 10th IFIP/IEEE International Symposium on Integrated Network Management.

[16]  Mark Handley,et al.  SDP: Session Description Protocol , 1998, RFC.

[17]  Jon Postel,et al.  User Datagram Protocol , 1980, RFC.

[18]  Sean Turner,et al.  Secure/Multipurpose Internet Mail Extensions , 2010, IEEE Internet Computing.

[19]  Jari Arkko,et al.  MIKEY: Multimedia Internet KEYing , 2004, RFC.

[20]  Henning Schulzrinne,et al.  An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol , 2004, Proceedings IEEE INFOCOM 2006. 25TH IEEE International Conference on Computer Communications.

[21]  Humberto Abdelnur,et al.  SIP digest authentication relay attack , 2009 .

[22]  Dan Wing,et al.  Session Traversal Utilities for NAT (STUN) , 2020, RFC.

[23]  Hugo Krawczyk,et al.  A Security Architecture for the Internet Protocol , 1999, IBM Syst. J..

[24]  Henning Schulzrinne,et al.  RTP: A Transport Protocol for Real-Time Applications , 1996, RFC.

[25]  Eric Rescorla,et al.  Datagram Transport Layer Security , 2006, RFC.

[26]  Lyndon Ong,et al.  An Introduction to the Stream Control Transmission Protocol (SCTP) , 2002, RFC.

[27]  Paul V. Mockapetris,et al.  Domain names - implementation and specification , 1987, RFC.

[28]  Roy T. Fielding,et al.  Hypertext Transfer Protocol - HTTP/1.0 , 1996, RFC.

[29]  Paul V. Mockapetris,et al.  Domain names: Concepts and facilities , 1983, RFC.

[30]  Lawrence C. Stewart,et al.  HTTP Authentication: Basic and Digest Access Authentication , 1999 .

[31]  Tim Dierks,et al.  The Transport Layer Security (TLS) Protocol Version 1.2 , 2008 .

[32]  Mark Handley,et al.  SIP: Session Initiation Protocol , 1999, RFC.

[33]  Ross S. Finlayson Bootstrap loading using TFTP , 1984, RFC.

[34]  P. Biondi,et al.  Silver Needle in the Skype , 2006 .

[35]  Eric Rescorla,et al.  The Transport Layer Security (TLS) Protocol Version 1.1 , 2006, RFC.

[36]  Stephen T. Kent,et al.  Security Architecture for the Internet Protocol , 1998, RFC.

[37]  David L. Mills,et al.  Network Time Protocol (Version 3) Specification, Implementation and Analysis , 1992, RFC.