Something Old (H.323), Something New (IAX), Something Hollow (Security), and Something Blue (VoIP Administrators) presented at BlackHatDC 2007

by Himanshu Dwivedi,


Summary : The presentation will discuss the security issues, attacks, and exploits against two VoIP protocols, including IAX (a newer protocol) and H.323 (an existing VoIP protocol). H.323 is a well known technology; however, its security issues are not well publicized. While previous VoIP presentations and/or whitepapers discuss SIP security extensively, much is to be desired about H.323 security content and attack tools. Despite the fact that H.323 is most dominant VoIP session-setup protocol used in enterprise environments, it has not been given adequate attention in terms of security. The presentation will cover specific security attacks targeting H.323 authentication weaknesses, replay attacks, endpoint spoofing (E.164 alias), hopping attacks, and a sleuth of DOS attacks that can be executed with a few UDP packets. The presentation will also include a demonstration of new tool for H.323 security testing (H.323-me-ASAP.exe), which will be released at the conference.
In addition to the H.323 material, IAX security issues, attacks, and exploits will also be presented. While SIP/H.323 with RTP has been face of VoIP for many years, newer protocols such as IAX are gaining momentum (as shown with the popular open source Asterisk PBX system). IAX can be used for session setup as well as media transfer, providing a nice self-contained VoIP protocol that can be used to replace the combination of either SIP/H.323 with RTP. Similar to H.323, IAX has room for improvement in terms of security. The presentation will discuss security attacks on IAX, specifically authentication weaknesses that lead to offline dictionary attacks, pre-computed dictionary attacks, middle person attacks, and downgrade attacks on IAX clients. In addition to the authentication attacks, the presentation will show how DOS attacks can disrupt an IAX network and its devices quite easily. Each IAX attack shown will be demonstrated with three new attack tools for IAX security testing (IAX.Brute, IAXAuthJack, and IAXHangup), which will also be released at the conference.
The presentation will concluded with existing solutions to mitigate both the H.323 and IAX security issues discussed during the presentation.