Devices connected to the UC system, such as SIP user terminals (VoIP phones and FXS Media Gateways) and SIP trunk media gateways, must also be secured using the best available policies.
Many currently available UC systems still do not implement proper policies or do not apply them by default. What security risks can this cause?
If TFTP is used, simply knowing the MAC address of the device allows acquisition of the provisioning file, which contains the SIP credentials to connect to any device.
If HTTP is used, a man-in-the-middle attack can easily be carried out and allows acquisition of the following:
- The SIP password and other passwords, which are used to get access to shared resources (such as an LDAP server).
- The credentials to download and update the password in the future.
Such attacks are incredibly easy to carry out.
Any system should enforce all the security improvements and implement:
- Authentication (via login and password) to download the provisioning file
- TLS 1.2 (especially enforcing CA)
Many devices have an embedded web interface, which is usually not properly configured and uses a default authentication password. Using such an interface, an attacker can:
- Download a backup and find authentication credentials within it.
- Use the device to perform operations (such as making calls).
- Make the device unservable by changing parameters.
Many vendors on the market do not protect their devices with proper security measures, or they set a default password that is common to all devices. If compromised, this password allows an attacker to connect to any of the devices.
Special attention must be paid to the password created by users. The system must require the users to set passwords with an acceptable security level containing:
- At least 8 characters
- At least one number, one uppercase letter, one lowercase letter, and one special symbol
The same policy must be applied to all passwords used on the system, including provisioning and device passwords.
Particular emphasis must be placed on not allowing the same password to be used between different users.
Signaling Encryption and SIP ALG
Besides offering privacy encryption, SIP TLS encryptions offer an easy way to bypass problems introduced by poor implementation of SIP / ALG in routers.
SIP application-level gateways, implemented in many routers and firewalls, should help SIP enabled devices work better in environments where NAT / PAT is applied. SIP ALG should take care of rewriting headers with the public IP address assigned to the router and opening ports for RTP.
In reality, most implementations are not working properly, and the SIP messages inspected and modified by the SIP ALG application are broken.
SIP TLS elegantly solves this kind of problem, and can also help in scenarios where the telecom operator voluntarily drops SIP packets.