Phone Systems and their security

BreachForce
September 22, 2024

Title: Phone Systems and their security
Presenter: Sumir Broota
Event: BreachForce CyberSecurity Cohort
Talk Date: 22-September-2024

Detailed Blog: https://breachforce.net/building-your-voip-system-call-spoofing

Key Takeaways: Sumir Broota presented on the evolution and security challenges of phone systems, highlighting issues with SIP and the lack of TLS adoption. He discussed the STIR/SHAKEN protocols aimed at reducing caller ID spoofing but noted their implementation difficulties. Emphasizing the need for awareness, he encouraged proactive measures to combat fraud and scams.

Transcript

  1. Phone Systems and their security

    From PBX to PSTN while having it SHAKEN/STIR’d. BreachForce Cyber Security Cohort
  2. About Me

    My name is Sumir Broota. I am a Developer at IDfy & I am the Community Leader of BreachForce.
  3. DISCLAIMER

    All of the information shown here is for educational purposes & to raise awareness about our current systems. Please don’t use this information for anything malicious. All the opinions/data shared are from my own research & are not meant to reflect on my employer.

    Also, feel free to raise your hand and ask questions anytime during the presentation. An interactive session is always more fun for everyone.
  4. A toy that struck fear in the phone companies. Why?

    Earlier, phone companies used a system called Signaling System 5. This system transmitted the phone’s connection & control data stream over the same channel as the voice data stream.

    Some of the inquisitive explorers of the system noticed that they could manipulate the phone control system, operating in the 2600 Hz range, by whistling into this toy. They could use this to get free calls anywhere around the world, leading to the phenomenon known as Phreaking.
  5. Blue Box

    Neat Trivia: Can you guess who created the first digital blue box?

    On the right is a blue box: a digital dialer that gave the end user an easier method to hack the phone systems & make calls anywhere for free.
  6. How do businesses bring/create their systems to work with the phone network?

    This is where Private Branch Exchange (PBX) systems come into play. A PBX system is like a router creating a LAN for your legacy (or modern) internal phone systems. You can connect your PBX system to the public network using SIP trunk providers (similar to ISPs), giving a single point of entry/exit to all your local phone systems.
  7. Types of PBX systems

    - ON-PREM PBX: Hosted & managed on site by the end user. Powered by VoIP using IP PBX. Requires purchase of own hardware & an in-house team to maintain, hence still expensive.
    - HOSTED/CLOUD/VIRTUAL PBX: VoIP-based phone system maintained by a 3rd party. Has better savings, mobility, scalability. Has advanced VoIP features.
    - ANALOG/LEGACY PBX: Traditional onsite hardware PBX working via wired PSTN. Business responsible for install/maintenance/monitoring. Limited features + expensive hardware. Obsolete.
    - HYBRID PBX: Mix of virtual & hardware PBX. Uses SIP trunking. End user still needs to maintain the on-prem phone system.

    Examples include open source solutions such as Asterisk, FreePBX, Trixbox and many more...
  8. Exploring the most widely adopted modern phone protocol - Session Initiation Protocol (SIP)

    Developed in the 1990's. The most important change during this time was the use of the internet (VoIP) to transmit data rather than the old analog public switched telephone networks.
  9. Protocols that enable VoIP

    - RTP (Real-time Transport Protocol): The actual voice or video traffic is transmitted via the Real-time Transport Protocol (RTP or SRTP) after authentication and negotiations are done via SIP.
    - SDP (Session Description Protocol): A text-based format used to describe the characteristics of multimedia sessions, such as voice, video, or data conferencing, over IP networks. SDP does not handle the actual media transmission or session establishment but is used in conjunction with other signaling protocols, like SIP, to negotiate and exchange information about the media streams and their attributes.
    - SIP (Session Initiation Protocol): The de facto standard (text-based) for VoIP communication, used for initial authentication and negotiations when making connections. SIP is an application layer protocol that uses UDP or TCP for traffic. By default, SIP uses UDP/TCP port 5060.
  10. Call flow between two extensions on the PBX

    - User 1 (Ext. 3002) & User 2 (Ext. 4003) REGISTER to the PBX using Digest Auth on port 5060.
    - User 1 (Ext. 3002) sends an INVITE to the PBX requesting connection to Ext 4003.
    - The INVITE is forwarded to User 2 (Ext. 4003), awaiting the accept signal.
  11. SHAKEN/STIR

    The current protection mechanism against call spoofing. This requires all SIP trunk providers to sign outgoing calls with their certificate, according to the legitimacy of the outbound caller ID.

    - 01: SHAKEN stands for Signature-based Handling of Asserted Information using toKENs. It is a specification designed by the Alliance for Telecommunications Industry Solutions (ATIS) to fight caller ID spoofing.
    - 02: STIR (Secure Telephone Identity Revisited) is a protocol developed by the Internet Engineering Task Force (IETF) to enable end-to-end call authentication, but the protocol is very broad and doesn't ensure that different providers will be able to verify each others' calls.
    - 03: The SIP provider certifies the classes of caller IDs into the following:
      - Class A (most trusted): The number being dialed from has been authenticated by the service provider, and the caller has been authorized to use that number.
      - Class B: The service provider has verified that the call has originated from the customer but not that they are authorized to use it.
      - Class C: The service provider does not know the caller’s identity and the source of the call cannot be identified (maybe coming from an international gateway/outside their network).
  12. PBX configuration

    - Trunk Configuration (where you define the provider)
    - Route Configuration (where you match the PBX CID w/ the trunk/outbound CID)
    - Extension Configuration (define CID, access & more at end user/no. level)
  13. Call flow from the PBX out to the PSTN

    - User 1 (Ext. 4003) REGISTERs to the PBX using Digest Auth on port 5060.
    - User 1 sends an INVITE to the PBX requesting connection to a US phone number, prepended with no. ‘8’ to denote a call outside the PBX system.
    - The PBX forwards the request from the softphone w/ the Outbound Caller ID as set in the Route to the SIP Trunk.
    - SIP Trunk → Public Switched Telephone Network → end user receiving the call with a spoofed ID.
  14. Issues with our current system

    - 1. Most providers transmit data over clear text: Despite the availability of TLS encryption with SRTP & SIP-TLS, the lack of industry-wide adoption poses a challenge. Anyone with knowledge of the system can capture the data.
    - 2. Trust on User Defined Outbound Caller ID: Though most SIP trunking providers have added protections in place, there are plenty of providers willing to skirt the regulation.
    - 3. Protection mechanism in place doesn’t account for legacy systems in the route: In case the call gets routed/forwarded through a legacy system, the data signed by the SIP trunk gets dropped.
    - 4. SHAKEN/STIR is expensive to maintain: SHAKEN/STIR is difficult to maintain, leaving power in the hands of major providers. Also, 3rd party SIP trunk resellers can be held liable as service providers despite being dependent on larger providers for their signing method.
    - 5. Doesn’t factor into the global context well: SHAKEN/STIR was originally made for US/Canada to be deployed in their own countries and was later modified to be more global. Due to political relations between nations & lack of accountability in enforcing these protections across countries, it can be difficult to ratify as a standard.
  15. Ways to protect yourself

    - 1. Report fraudulent calls
      - For Indian Citizens: https://sancharsaathi.gov.in/sfc/
      - Report Incoming International Call With Indian Number (RICWIN): https://sancharsaathi.gov.in/InternationalCall/ReportIntCall.jsp
      - Alternatively you can report on 1963/1800110420.
    - 2. Scammers often try to rush your decision making. Before making any major decision based on a possibly fraudulent Call/SMS do the following:
      - Take a deep breath and don't rush yourself.
      - Ask probing questions that only the person you're connecting with would know.
      - Connect/Communicate with your contact over another medium (email/physically meet).
    - 0. Raise awareness of such issues amongst family & friends: The more people are aware, the less likely they are to fall for such scams.
    - 3. Quickest, simplest way TRAI & telcos have stopped spoofed calls from overseas is to look at the phone numbers for each inbound call and to block them if they pretend to have a domestic origin. Note during my testing: it sometimes let the call through but set the caller ID as a random number. This behaviour may vary from provider to provider.
      - TRAI issued recommendations on leveraging AI-based fraud detection systems to identify and prevent fraudulent activities, such as unauthorized usage of SIM cards, subscription fraud, and billing fraud.
      - Know that the Indian Government is taking steps to reduce these threats.
  16. Glossary

    - VoIP: An acronym for Voice Over Internet Protocol, or in more common terms phone service over the Internet.
    - Private Branch Exchange (PBX): A private telephone network that is used by an organisation to communicate internally and externally. PBX systems are used to route calls between internal extensions and the public telephone network.
    - Session Initiation Protocol (SIP): The de facto standard for VoIP communication, used for initial authentication and negotiations (terminate, or modify) when making connections (like metadata for comms). SIP is an application layer protocol that uses UDP or TCP for traffic. By default, SIP uses UDP/TCP port 5060.
    - SIP Trunk: In order for people to make calls to your internal PBX network (and vice versa), your network must have an actual exposed number; that is the job of the SIP Trunk. It connects your PBX network to the Public Switched Telephone Network, AKA PSTN.
    - STIR/SHAKEN: Caller ID authentication confirms the accuracy of the information. It is more difficult for attackers to spoof numbers with this additional degree of security.
  17. Thank you

    People I want to thank for their resources/guidance/help: Alex Sanders, Jonathan Stines, Sudhendhu Lenka, Amar Harpalani, Luis Rossman, CrossTalk Solutions, Shalom Kusuma, Siddhant Pillai, Fawzan Sayed
  18. Resource Page

    All resources are highlighted in the presentation comments & on the breachforce.net article. QR code to the same:
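
An added example, not part of the original deck: receiving-side triage of the SHAKEN/STIR data described on slides 11 and 14. It assumes the RFC 8224/8588 wire format (a SIP `Identity` header carrying a PASSporT token whose `attest` claim is A, B or C), which the slides do not spell out; the function names, hostnames and sample message are constructed, and the certificate signature is deliberately not verified here.

```python
import base64
import json
import re

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))  # restore stripped padding

def triage_invite(raw, now, max_age=60):
    """Return (attestation, findings) for one SIP INVITE. No signature check."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the SIP header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "identity" not in headers:
        return None, ["unsigned: no Identity header"]  # e.g. dropped by a legacy hop
    try:
        token = headers["identity"].split(";")[0].strip()
        head_b64, body_b64, _signature = token.split(".")
        head = json.loads(b64url_decode(head_b64))
        body = json.loads(b64url_decode(body_b64))
        ppt, alg = head["ppt"], head["alg"]
        orig_tn, iat = str(body["orig"]["tn"]), float(body["iat"])
    except (ValueError, KeyError, TypeError):
        return None, ["malformed PASSporT in Identity header"]
    findings = []
    if (ppt, alg) != ("shaken", "ES256"):
        findings.append("unexpected ppt/alg")
    attest = body.get("attest")  # "A", "B" or "C": the slide's Class A/B/C
    if attest not in ("A", "B", "C"):
        findings.append("unknown attestation level")
    caller = re.search(r"sips?:([^@;>]+)", headers.get("from", ""))
    if caller is None or re.sub(r"\D", "", caller.group(1)) != re.sub(r"\D", "", orig_tn):
        findings.append("orig.tn does not match From number")
    if abs(now - iat) > max_age:
        findings.append("stale iat")
    return attest, findings

def sample_invite(attest, orig_tn, from_user, iat):
    """Constructed message for the demo; the signature segment is a dummy."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    x5u = "https://cert.example.invalid/sp.pem"
    head = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
    body = {"attest": attest, "dest": {"tn": ["12025550123"]}, "iat": iat,
            "orig": {"tn": orig_tn}, "origid": "constructed-origid"}
    return ("INVITE sip:12025550123@pbx.example.invalid SIP/2.0\r\n"
            f"From: <sip:{from_user}@trunk.example.invalid>;tag=1\r\n"
            f"Identity: {enc(head)}.{enc(body)}.ZHVtbXk;info=<{x5u}>;alg=ES256;ppt=shaken\r\n\r\n")
```

An empty findings list only means the token is well formed and consistent with the From header; trusting the attestation still requires verifying the ES256 signature against the certificate at `x5u`.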
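
An added example, not from the original deck, of the inbound check slide 15 describes: a call that arrives on an international trunk but presents a domestic caller ID is blocked. The log format, trunk names and numbers are constructed assumptions; `home_cc` defaults to India's country code 91.

```python
import re

def normalise_cli(cli, home_cc="91", national_len=10):
    """Return caller ID as country code + national digits ('' if absent)."""
    digits = re.sub(r"\D", "", cli)
    if cli.strip().startswith("+"):
        return digits
    if digits.startswith("00"):
        return digits[2:]                # 00 international dialling prefix
    if digits.startswith("0") and len(digits) == national_len + 1:
        return home_cc + digits[1:]      # trunk prefix 0 + national number
    if len(digits) == national_len:
        return home_cc + digits          # bare national number
    return digits

def claims_domestic(cli, home_cc="91", national_len=10):
    number = normalise_cli(cli, home_cc, national_len)
    return number.startswith(home_cc) and len(number) == len(home_cc) + national_len

def screen(log_lines, intl_trunks, home_cc="91"):
    """Return [(cli, 'block' | 'allow')] for each inbound call record."""
    verdicts = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        cli = fields.get("cli", "")
        spoofed = fields.get("trunk") in intl_trunks and claims_domestic(cli, home_cc)
        verdicts.append((cli, "block" if spoofed else "allow"))
    return verdicts

# Constructed records in a hypothetical key=value log format.
SAMPLE_LOG = [
    "2024-09-22T10:00:01Z trunk=intl-gw-1 cli=+915550000001 dst=+915550000009",
    "2024-09-22T10:00:04Z trunk=intl-gw-1 cli=05550000002 dst=+915550000009",
    "2024-09-22T10:00:07Z trunk=intl-gw-1 cli=00915550000003 dst=+915550000009",
    "2024-09-22T10:00:09Z trunk=intl-gw-1 cli=+442079460000 dst=+915550000009",
    "2024-09-22T10:00:12Z trunk=dom-ic-2 cli=+915550000004 dst=+915550000009",
]
```

Treating a bare 10-digit caller ID as a national number is an assumption of this sketch and will also catch foreign numbers presented without a country code.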