Free Trial

Safari Books Online is a digital library providing on-demand subscription access to thousands of learning resources.

Share this Page URL

30 Security Issues in VoIP Telecommunica... > 30.5 Billing Attacks - Pg. 774

774 CHAPTER 30 Security Issues in VoIP Telecommunication Networks 2. The AT&T phone sends INVITE messages to the AT&T server with all the subscriber cre- dentials. 3. The server requests for authentication in the response message. 4. The phone authenticates the INVITE message to the proxy on request. 5. The remote attacker intercepts this INVITE message with the authentication credentials. 6. The remote attacker can modify the Session Description (SDP) and is able to establish a session between the remote attacker and the SIP server. 7. Now the MITM can speak to anyone and lis- ten to voice messages of the legitimate sub- scriber. The experiment illustrated in Figure 30-14 shows that the intercepted INVITE messages can be replayed successfully after 1 week of the INVITE message being intercepted. Thus, this attack can be launched on the subscriber any- time. Also, the results show that the Vonage SIP is immune to such kinds of replay attacks and the Vonage SIP server has implemented anti-replay correctly. The steps below show the general message flow between the clients with remote attackers in the network setup for demonstration of fake busy, bye delay, and bye drop billing attacks as illustrated in Figures 30-15 to 30-18. The call is made from the Vonage SIP phone to the AT&T SIP phone. These steps demonstrate the message flow during Fake Busy Billing attacks, Bye Delay Billing attacks, and Bye Drop Billing attacks. 1. The Vonage SIP phone sends an INVITE mes- sage to the Vonage SIP server and authenti- cates the INVITE message. 2. The MITM1 intercepts the INVITE message from the Vonage SIP phone and modifies its SDP to the attacker's IP address and port number. 3. The MITM1 sends the modified SIP INVITE message to the Vonage server. The Vonage server informs the AT&T server the Vonage phone is trying to connect to the AT&T SIP phone. 30.5. BILLING ATTACKS Billing is one of the important services in telecom- munication and has direct relevance to almost every user. In VoIP, the two most important requirements are reliability and trustworthiness. The present VoIP billing services are based on VoIP signaling; hence, any attack on the VoIP is a potential threat to the billing service. Our exper- iments show the vulnerabilities between AT&T and Vonage SIP phones [4]. 30.5.1. Billing Attacks on SIP Existing commercial VoIP services have either a limited or an unlimited call time. Call rates depend on the country to which they are made and most plans include free calls within a geo- graphic area. In these cases, the remote attacker can prolong the calls or create unauthorized ses- sions so that the VoIP subscriber will be pay- ing more for the service when it is not required. The Man-in-the-Middle (MITM) attack plays an important role in the billing attacks. There are four kinds of billing attacks that can be per- formed on a VoIP subscriber between AT&T and Vonage SIP. 30.5.2. Invite Replay Billing Attack An invite replay attack results in unauthorized calls by replaying INVITE messages to a different destination. This vulnerability is an effect of the SIP implementation error of anti-replay function- ality. This exploitation cannot be stopped even with the SIP authentication of INVITE messages. In Figure 30-13, the MITM in-between the AT&T SIP UA and AT&T SIP server can inter- cept all the messages going between them. The remote attacker can send the INVITE message to the proxy server, who can make unauthorized calls with a modified INVITE message from the AT&T phone. 1. The attacker intercepts all the communication between the AT&T SIP phone and AT&T server.