23C3 - 1.5

23rd Chaos Communication Congress
Who can you trust?

Jan Seedorf
Tag 3
Raum Saal 3
Beginn 16:00
Dauer 01:00
ID 1459
Veranstaltungstyp Vortrag
Track Science
Sprache englisch

SIP Security

Status Quo and Future Issues

The presentation will give an overview on SIP security issues and show possible weaknesses in current implementations using SIP (Hardphones, Softphones, Gateways). Further, an outlook on the security of future, serverless SIP systems (P2P-SIP) will be given.

The presentation will give the audience an overview of VoIP security issues, both current and future, focusing on the session initiation protocol (SIP). Today, SIP is the predominant protocol for VoIP signalling in consumer markets. The talk will present the status quo in SIP security and give an outlook on future security challenges.

First, the talk will introduce signalling with SIP. Fundamental differences to the PSTN will be shown and the consequences for security will be discussed. Among these problems are: Spam over Internet (SPIT), Lawful Interception, Security of Terminals & Servers, Anonimity / Privacy, Identity Assertion & Spoofing. These problems will be explained, including the current status quo on how to mitigate these problems.

Then, the talk will focus on the security of SIP terminals (softphones and hardphones) and SIP servers. We are currently testing several implementations of the session initiation protocol (SIP) in our security lab. We have designed a test framework using existing tools and developments of our own. During the presentation it will be shown how these devices (Softphones, Hardphones, PSTN-Gateways) are being tested and some results will be given.

Finally, the talk will give the audience an outlook on security issues in future VoIP scenarios (e.g. Peer-To-Peer setting). P2P-SIP is currently discussed in the IETF and several internet drafts exist (see www.p2psip.org). This infrastructure change will have some serious implications on security for VoIP communications. The P2P paradigm introduces new security threats to SIP that will be explained. For instance, the lack of a central authority in a serverless setting makes authentication of end-users difficult. Options to mitigate this and other problems for P2P-SIP will (briefly) be outlined.