Security risks of VoIP in WLAN Networks (1)

Source: Internet
Author: User

The security issues of VoIP are concentrated mainly in the SIP and RTP protocols. Adding a wireless network, together with a lack of wireless network security management, makes these issues even more prominent. If the authentication and data confidentiality of a VoWiFi system are not strengthened, the system is seriously exposed. This article analyzes several potential security threats and attack methods. Eavesdropping on and sniffing VoIP calls, man-in-the-middle attacks, denial-of-service attacks, call interruption, and the establishment of wrong calls are common threats in the wireless LAN.

1 Overview

VoIP technology makes it possible to implement telephone services based on data networks like the Internet. Compared with traditional telephone services, this implementation model can provide more integrated functions, higher communication bandwidth, more stable communication quality and more flexible management capabilities, and significantly reduce costs.

2 Eavesdropping and sniffing

Eavesdropping on a telephone call and then forwarding the relevant parts of the communication is the most obvious attack against VoIP. On wired networks, a man-in-the-middle attack can be launched through many technical vulnerabilities. For example, an ARP virus can be used to attack the SIP server, which lets a hostile third party intervene and makes the call fail. In a wireless environment without the protection of security mechanisms, VoIP is even more vulnerable. Anyone who has a computer, a suitable wireless adapter, and listening software can easily snoop on VoIP calls in a Wi-Fi network.

The Ethereal listening software can identify VoIP calls that use the SIP protocol in the intercepted packets, and can even reconstruct the audio stream from the intercepted RTP packets. It can also display the call records of both parties in a chart.

What is more, Ethereal can identify the different RTP streams among the captured packets, extract the speech content from the individual packets, and then reconstruct and save the conversation.
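A defender can find out which calls are exposed to the capture described above by auditing what the SIP signaling negotiates. The following added example (not part of the original article) parses a constructed SIP INVITE and flags media offered as plain RTP, as well as SRTP whose SDES key travels in unencrypted signaling; the function name, verdict labels and sample addresses are assumptions.

```python
import re

PLAINTEXT = {"RTP/AVP", "RTP/AVPF"}
PROTECTED = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

# Constructed sample: INVITE over UDP offering plain RTP audio and SDES-keyed SRTP video.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.test SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed",
    "From: <sip:alice@example.test>;tag=1",
    "To: <sip:bob@example.test>",
    "Call-ID: constructed-1@192.0.2.10",
    "CSeq: 1 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 1 1 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0 8",
    "m=video 49172 RTP/SAVP 96",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY",
    "",
])


def audit_sip_media(message):
    """Return [(media, port, verdict)] for every m= line in the SDP body."""
    head, _, body = message.partition("\r\n\r\n")
    via = re.search(r"^Via:\s*SIP/2\.0/(\w+)", head, re.I | re.M)
    signaling_encrypted = via is not None and via.group(1).upper() in ("TLS", "WSS")
    findings = []
    for line in body.splitlines():
        if line.startswith("m="):
            media, port, proto = line[2:].split()[:3]
            if proto in PLAINTEXT:
                verdict = "plaintext-rtp"      # audio can be rebuilt from a capture
            elif proto in PROTECTED:
                verdict = "srtp"
            else:
                verdict = "unknown-transport"
            findings.append([media, int(port.split("/")[0]), verdict])
        elif line.startswith("a=crypto:") and findings and not signaling_encrypted:
            if findings[-1][2] == "srtp":
                findings[-1][2] = "srtp-key-exposed"  # SDES key sent in clear signaling
    return [tuple(f) for f in findings]
```

Run over signaling collected at the SIP proxy, the `plaintext-rtp` and `srtp-key-exposed` verdicts identify the calls whose audio a listener on the WLAN could recover.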

3 Man-in-the-middle attack

In a wired switched network, most man-in-the-middle attacks are aimed at listening in on network services. Because an 802.11 LAN is by definition a shared-medium network, anyone who obtains the password can snoop on all packets in the LAN. Once such a "man in the middle" sits between two wireless hosts, it is easy to launch an attack on the traffic flow. Man-in-the-middle attacks on a WLAN are concentrated on the first and second layers of the OSI model. Attacks on the first layer often interfere with existing wireless access points; this interference is usually produced with special interference software, or directly by using junk traffic to block the access point's channel. The parameters of these illegal access points are obtained from the parameters of valid access points.

Layer 2 attacks mainly target hosts that are connected to valid access points, using a large number of forged disassociation or deauthentication frames. This is much more effective than simple channel interference. Experienced attackers often combine layer 2 attacks to achieve better results.
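The forged teardown frames described above can be spotted by their rate on a monitoring sensor. This added example (not from the original article) parses raw 802.11 management headers and flags bursts of disassociation or deauthentication frames aimed at one client; the threshold, window, function names and sample MAC addresses are constructed assumptions.

```python
from collections import defaultdict, deque

# First frame-control byte of the two 802.11 management frames that tear down a link.
TEARDOWN = {0xA0: "disassociation", 0xC0: "deauthentication"}


def parse_teardown(frame):
    """Return (kind, dst, src, bssid, reason), or None for any other frame."""
    if len(frame) < 26 or frame[0] not in TEARDOWN:
        return None
    reason = int.from_bytes(frame[24:26], "little")
    return (TEARDOWN[frame[0]], frame[4:10].hex(":"), frame[10:16].hex(":"),
            frame[16:22].hex(":"), reason)


def detect_floods(capture, window_ms=1000, threshold=5):
    """Map (bssid, dst) to the time of the frame that crossed the threshold."""
    recent, alerts = defaultdict(deque), {}
    for ts, frame in capture:          # (timestamp_ms, frame without radiotap header)
        parsed = parse_teardown(frame)
        if parsed is None:
            continue
        key = (parsed[3], parsed[1])
        times = recent[key]
        times.append(ts)
        while ts - times[0] > window_ms:   # drop frames that left the window
            times.popleft()
        if len(times) >= threshold:
            alerts.setdefault(key, ts)
    return alerts


def make_frame(fc, dst, src, bssid, reason=7):
    """Build a constructed 26-byte teardown frame for the sample capture."""
    addrs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (dst, src, bssid))
    return bytes([fc, 0, 0, 0]) + addrs + b"\x00\x00" + reason.to_bytes(2, "little")


AP, STA_A, STA_B = "02:00:00:00:00:01", "02:00:00:00:00:aa", "02:00:00:00:00:bb"
# Constructed capture: one ordinary deauthentication, then a burst aimed at STA_A.
SAMPLE_CAPTURE = [(0, make_frame(0xC0, STA_B, AP, AP, reason=3))] + [
    (10_000 + 50 * i, make_frame(0xC0, STA_A, AP, AP)) for i in range(8)
] + [(10_500, b"\x08\x00" + bytes(30))]   # a data frame, which the parser ignores
```

Where access points and clients support 802.11w protected management frames, unauthenticated teardown frames are discarded, so a rate alert like this matters most on networks without it.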

Attackers often focus on the transmission channel between existing wireless users and legitimate access points. To attack a target, a wireless adapter must be installed on the same computer, and this process can be simulated. We use an IPW2200b/g adapter together with a compatible DWL-G650 wireless adapter; the IPW2200b/g is made to act as an access point, and this illegal access point is used to detect the specific parameters of the wireless access point. The Madwifi driver allows the wireless NIC of the DWL-G650 to work in control mode, to establish the actual wireless interface, and to make the DWL-G650 work in different modes at the same time.

When the signal power of the two access points can be estimated, an attack can be launched. It is very difficult to control the signal transmitted on the corresponding channel of a valid access point. Illegal nodes often intrude into different channels to increase the possibility of attacks. The method mentioned above can be used to attack the first and second layers of the OSI model, which can greatly weaken or even eliminate the signals of valid access points.

The DWL-G650's NIC and the Madwifi driver can create two logical network interfaces, one working in monitoring mode (ath0) and the other in operation mode (ath1); they work with the legitimate access point on channel 1. The IPW2200b/g adapter (eth2) works on channel 9, with its ESSID configured as "default" to form a "default" valid access point.

In addition to the DWL-G650, another wireless device is needed in order to work on a different channel, because the logical interfaces created by Madwifi cannot work on different channels unless they are in monitoring mode.

In the command sequence above, the "brctl" command creates an Ethernet bridge that can be connected to other Ethernet networks. The last line configures the "ath0" interface and runs the aireplay software, which forcibly inserts forged disconnection frames into the wireless network through the "ath0" interface. This leaves users unable to connect to the valid access point and reduces the signal quality on channel 1.

In many cases, the base station is connected to an illegal access point and to another legal access point in parallel, for example when the access points all work on the same channel. The main reason is that the signal power of most access points can be obtained through mutual comparison, and it is difficult for us to have enough equipment to monitor signals from legitimate access points. Because many exchanged frames are stored in the ESSID, as long as the forwarding beacon is hidden in the ESSID, the network will become unavailable. Once the beacon forwarding frame of the valid access point is detected, only a small number of forged authentication frames are required. The attacks mentioned above will then multiply; this holds even if the signal power of the valid access point is higher than that of the illegal access point.

When a normal wireless user cannot connect to the network on channel 1, the client searches the other channels. With luck it finds channel 9, where the access point with the preset parameters can also be used.
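The situation above, a second access point advertising the same ESSID on channel 9 while the legitimate one sits on channel 1, is visible in beacon frames. This added example (not from the original article) parses 2.4 GHz beacons and compares ESSID, BSSID and channel against a site inventory; the inventory format, function names and MAC addresses are assumptions.

```python
def parse_beacon(frame):
    """Return (ssid, bssid, channel) from a raw 802.11 beacon, else None."""
    if len(frame) < 36 or frame[0] != 0x80:      # 0x80 = management / beacon
        return None
    bssid = frame[16:22].hex(":")
    ssid = channel = None
    i = 36                                       # 24-byte header + 12 fixed bytes
    while i + 2 <= len(frame):
        tag, length = frame[i], frame[i + 1]
        value = frame[i + 2:i + 2 + length]
        if len(value) < length:                  # truncated element: stop parsing
            break
        if tag == 0:                             # SSID element
            ssid = value.decode("utf-8", "replace")
        elif tag == 3 and length == 1:           # DS Parameter Set: current channel
            channel = value[0]
        i += 2 + length
    return ssid, bssid, channel


def find_impostors(beacons, authorized):
    """authorized: {ssid: {(bssid, channel), ...}} taken from the site inventory."""
    findings = set()
    for frame in beacons:
        parsed = parse_beacon(frame)
        if parsed is None or parsed[0] not in authorized:
            continue
        ssid, bssid, channel = parsed
        if (bssid, channel) not in authorized[ssid]:
            known = {b for b, _ in authorized[ssid]}
            reason = "unexpected-channel" if bssid in known else "unknown-bssid"
            findings.add((ssid, bssid, channel, reason))
    return sorted(findings, key=str)


def make_beacon(ssid, bssid, channel):
    """Build a constructed beacon frame for the sample below."""
    b = bytes.fromhex(bssid.replace(":", ""))
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + b + b + b"\x00\x00"
    fixed = bytes(8) + b"\x64\x00\x01\x04"       # timestamp, interval, capabilities
    return header + fixed + bytes([0, len(ssid)]) + ssid.encode() + bytes([3, 1, channel])


# Constructed values mirroring the text: ESSID "default", legitimate AP on channel 1.
AUTHORIZED = {"default": {("02:00:00:00:00:01", 1)}}
SAMPLE_BEACONS = [
    make_beacon("default", "02:00:00:00:00:01", 1),   # legitimate
    make_beacon("default", "02:00:00:00:00:01", 9),   # cloned BSSID, wrong channel
    make_beacon("default", "02:00:00:00:00:99", 9),   # unlisted BSSID
    make_beacon("guest", "02:00:00:00:00:42", 6),     # SSID not in inventory: ignored
]
```

Because the parameters of an illegal access point can be copied from the valid one, the channel comparison is what catches a cloned BSSID that an address allowlist alone would accept.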

When an illegal access point is connected to the base station, the valid access point is also sending beacon frames. Forged deauthentication frames must be inserted into the active communication channel to achieve the attack effect. Between wireless base stations, bridges between access points make it easy for attackers to detect data packets and send them to the network in any form. The eavesdroppers have full control over the VoIP traffic between base stations; using Netfilter/iptables in Linux, they can easily filter the data packets that are exchanged.

