SIPman : A penetration testing methodology for SIP and RTP

Wallgren, Elin, Willander, Christoffer

January 2022

Background. SIP and RTP are two protocols that are widely used, and they play an important role in VoIP services. VoIP is an integral part of many communication services, e.g., Microsoft Teams, Skype, Discord, and communications over cellular networks (VoLTE and VoWiFi). Since these technologies are so widely used, a high level of security is paramount. Objectives. The aim of this study is threefold: (1) To investigate if it is possible to create a penetration testing methodology for SIP and RTP, where the target group is penetration testers with no previous knowledge of these protocols. (2) To identify previously discovered vulnerabilities and attacks. (3) Due to the lack of domain experts, a methodology of this kind will hopefully help penetration testers without prior knowledge, easing them into a new work area. Further, the aim is to increase awareness of potential vulnerabilities in such systems. Methods. Through a literature review, threat modeling, and exploratory penetration testing on three different testbeds, several vulnerabilities and attacks were identified and validated. From the results, a methodology was compiled. For evaluation purposes, it was evaluated by a third party, who tested it on a testbed and gave feedback. Results. The results from our research show that SIP and RTP are susceptible to a wide array of different attacks even to this day. From our literature study, it was determined that most of these attacks have been known for a long time. Using exploratory penetration testing, we managed to verify most of these attacks on three different systems. Additionally, we discovered a few novel attacks that we did not find in previous research. Conclusions. Our literature study suggests that SIP and RTP based systems are relatively susceptible to multiple attacks. Something we also validated during the exploratory testing phase. We successfully executed multiple existing attacks and some new attacks on three different testbeds. The methodology received mostly positive feedback. The results show that many of the participants appreciated the simplicity and concrete model of the methodology. Due to the low number of participants in the evaluation, an improvement to the study and results would be to increase the population and also have multiple novice penetration testers test several different systems. An increase in the number of testbeds would also further support the results and help generalize the methodology. / Bakgrund. SIP och RTP  är två protokoll som är vitt använda och spelar en väldigt viktig roll i VoIP-tjänster. VoIP utgör en viktig del i många kommunikationstjänster, t.ex. Microsoft Teams, Skype och Discord, men även i kommunikation över mobilnätet (VoLTE och VoWiFi). Eftersom dessa teknologier används i så stor utsträckning, är säkerhet av största vikt. Syfte. Syftet med denna studie är trefaldig: (1) Undersöka om det är möjligt att utforma en penetration testningsmetod för SIP och RTP, för en målgrupp av penetrationstestare utan förkunskaper kring dessa protokoll. (2) Att identifiera sårbarheter och attacker från tidigare studier. (3) På grund av brist på kompentens inom området penetrationstestning och telekommunikation kan en sådan här metod förhoppningsvis hjälpa till att introducera penetrationstestare utan tidigare erfarenhet till det här specifika området. Ytterligare är också målet att att öka medvetheten när det kommer till sårbarheter i sådana system. Metod. Genom en literaturstudie, hotmodellering och utforskande penetrationstestning på tre olika testmiljöer har ett flertal sårbarheter och attacker identifieras och utförts. Från resultatet utformades en metod för penetrationstesning, som sedan evaluerades genom att en tredje part testade metoden och gav återkoppling som rör metodens format och struktur. Resultat. Resultaten från vår studie visar att SIP och RTP är sårbara för en rad olika attacker än idag. Resultaten från vår litteraturstudie visar att många av dessa attacker har varit kända under en lång tid. Vi lyckades verifiera de flesta av dessa attacker genom utforskande penetationstestning på tre olika system. Dessutom lyckades vi identifiera ett antal nya attacker som inte tidigare nämnts i forskning inom området. Slutsatser. Resultaten från vår litteraturstudie visar att system som använder sig av SIP och RTP är relativt sårbara för en mängd olika attacker. Detta bekräftades i den utforskande testningen, där ett flertal kända samt nya attacker utfördes framgångsrikt. Den interna evalueringen i studien visar på att metoden kan appliceras framgångsrikt på ett flertal olika system, med begränsningen att endast tre system testats. Resultaten från den externa evalueringen, där penetrationstestare blev tillfrågade att utvärdera och testa metoden visar att de hade en relativt positiv inställning till metoden. För att ytterligare underbygga detta påstående krävs en större population, både för testningen och utvärderingen. Det krävs också att en större mängd testmiljöer används för att kunna generalisera metoden.

Session Initiation Protocol

Real-time Transport Protocol

penetration testing

methodology

Voice over IP

Session Initiation Protocol

Real-time Transport Protocol

penetrationstestning

metod

Voice over IP

Telecommunications

Telekommunikation

Computer and Information Sciences

Data- och informationsvetenskap

Bezpečnostní analýza virtuální reality a její dopady / Security Analysis of Immersive Virtual Reality and Its Implications

Vondráček, Martin

January 2019

Virtuální realita je v současné době využívána nejen pro zábavu, ale i pro práci a sociální interakci, kde má soukromí a důvěrnost informací vysokou prioritu. Avšak bohužel, bezpečnostní opatření uplatňovaná dodavateli softwaru často nejsou dostačující. Tato práce přináší rozsáhlou bezpečnostní analýzu populární aplikace Bigscreen pro virtuální realitu, která má více než 500 000 uživatelů. Byly využity techniky analýzy síťového provozu, penetračního testování, reverzního inženýrství a dokonce i metody pro application crippling. Výzkum vedl k odhalení kritických zranitelností, které přímo narušovaly soukromí uživatelů a umožnily útočníkovi plně převzít kontrolu nad počítačem oběti. Nalezené bezpečnostní chyby umožnily distribuci škodlivého softwaru a vytvoření botnetu pomocí počítačového červa šířícího se ve virtuálních prostředích. Byl vytvořen nový kybernetický útok ve virtální realitě nazvaný Man-in-the-Room. Dále byla objevena bezpečnostní chyba v Unity engine. Zodpovědné nahlášení objevených chyb pomohlo zmírnit rizika pro více než půl milionu uživatelů aplikace Bigscreen a uživatele všech dotčených aplikací v Unity po celém světě.

Renforcement de la sécurité à travers les réseaux programmables

Abou El Houda, Zakaria

09 1900

La conception originale d’Internet n’a pas pris en compte les aspects de sécurité du réseau; l’objectif prioritaire était de faciliter le processus de communication. Par conséquent, de nombreux protocoles de l’infrastructure Internet exposent un ensemble de vulnérabilités. Ces dernières peuvent être exploitées par les attaquants afin de mener un ensemble d’attaques. Les attaques par déni de service distribué (Distributed Denial of Service ou DDoS) représentent une grande menace et l’une des attaques les plus dévastatrices causant des dommages collatéraux aux opérateurs de réseau ainsi qu’aux fournisseurs de services Internet. Les réseaux programmables, dits Software-Defined Networking (SDN), ont émergé comme un nouveau paradigme promettant de résoudre les limitations de l’architecture réseau actuelle en découplant le plan de contrôle du plan de données. D’une part, cette séparation permet un meilleur contrôle du réseau et apporte de nouvelles capacités pour mitiger les attaques par déni de service distribué. D’autre part, cette séparation introduit de nouveaux défis en matière de sécurité du plan de contrôle. L’enjeu de cette thèse est double. D’une part, étudier et explorer l’apport de SDN à la sécurité afin de concevoir des solutions efficaces qui vont mitiger plusieurs vecteurs d’attaques. D’autre part, protéger SDN contre ces attaques. À travers ce travail de recherche, nous contribuons à la mitigation des attaques par déni de service distribué sur deux niveaux (intra-domaine et inter-domaine), et nous contribuons au renforcement de l’aspect sécurité dans les réseaux programmables. / The original design of Internet did not take into consideration security aspects of the network; the priority was to facilitate the process of communication. Therefore, many of the protocols that are part of the Internet infrastructure expose a set of vulnerabilities that can be exploited by attackers to carry out a set of attacks. Distributed Denial-of-Service (DDoS) represents a big threat and one of the most devastating and destructive attacks plaguing network operators and Internet service providers (ISPs) in a stealthy way. Software defined networks (SDN), an emerging technology, promise to solve the limitations of the conventional network architecture by decoupling the control plane from the data plane. On one hand, the separation of the control plane from the data plane allows for more control over the network and brings new capabilities to deal with DDoS attacks. On the other hand, this separation introduces new challenges regarding the security of the control plane. This thesis aims to deal with various types of attacks including DDoS attacks while protecting the resources of the control plane. In this thesis, we contribute to the mitigation of both intra-domain and inter-domain DDoS attacks, and to the reinforcement of security aspects in SDN.

Tests d’intrusion (informatique)

Blockchains

Wide area networks (Computer networks)

Penetration testing (Computer security)

Supervised learning (Machine learning)

Blockchains

DESIGN AND DEVELOPMENT OF A REAL-TIME CYBER-PHYSICAL TESTBED FOR CYBERSECURITY RESEARCH

Vasileios Theos (16615761)

03 August 2023

<p>Modern reactors promise enhanced capabilities not previously possible including integration with the smart grid, remote monitoring, reduced operation and maintenance costs, and more efficient operation. . Modern reactors are designed for installation to remote areas and integration to the electric smart grid, which would require the need for secure undisturbed remote control and the implementation of two-way communications and advanced digital technologies. However, two-way communications between the reactor facility, the enterprise network and the grid would require continuous operation data transmission. This would necessitate a deep understanding of cybersecurity and the development of a robust cybersecurity management plan in all reactor communication networks. Currently, there is a limited number of testbeds, mostly virtual, to perform cybersecurity research and investigate and demonstrate cybersecurity implementations in a nuclear environment. To fill this gap, the goal of this thesis is the development of a real-time cyber-physical testbed with real operational and information technology data to allow for cybersecurity research in a representative nuclear environment. In this thesis, a prototypic cyber-physical testbed was designed, built, tested, and installed in PUR-1. The cyber-physical testbed consists of an Auxiliary Moderator Displacement Rod (AMDR) that experimentally simulates a regulating rod, several sensors, and digital controllers mirroring Purdue University Reactor One (PUR-1) operation. The cyber-physical testbed is monitored and controlled remotely from the Remote Monitoring and Simulation Station (RMSS), located in another building with no line of sight to the reactor room. The design, construction and testing of the cyber-physical testbed are presented along with its capabilities and limitations. The cyber-physical testbed network architecture enables the performance of simulated cyberattacks including false data injection and denial of service. Utilizing the RMSS setup, collected information from the cyber-physical testbed is compared with real-time operational PUR-1 data in order to evaluate system response under simulated cyber events. Furthermore, a physics-based model is developed and benchmarked to simulate physical phenomena in PUR-1 reactor pool and provide information about reactor parameters that cannot be collected from reactor instrumentation system.</p>

advanced nuclear reactors

I&C Architecture

Cybersecurity

Digital Twin (DT)

Penetration Testing

Cyberattack

Nuclear Reactor

PUR-1

Industrial Control System (ICS)