DEF CON Safe Mode - Ismail Melih Tas and Kubilay Ahmet Kucuk - Practical VoIPUC Hacking w Mr SIP Q&A
Aug 24, 2020 08:40
- Hi there, so we are live with the speakers who presented on Practical VoIP Hacking using Mr. SIP. And welcome to DEF CON Safe Mode. Not quite what you would have normally expected probably for coming to Vegas right? But glad that you’re able to join us and share some information with us. I understand though that you are both first time speakers at DEF CON, is that correct? - Yeah - Yes, correct. - Yeah, that’s correct. - Thank you, thank you for the opportunity. - Yeah, that’s great. Yeah, so we have a tradition here at DEF CON for first time speakers where really it’s a historical tradition of where we kind of do a shot or a drink with someone on stage to kind of welcome them to DEF CON.
01:28 - So as your first time speakers, I’d like to you know, hold up a cup and then have a drink here with you both and say cheers and say welcome to DEF CON. - [All] Okay, Yup, Cheers! - That was strong. - Strong coffee. - Awesome, awesome. Yeah, so that’s great. So let’s get into a couple of the questions and everything. First off, right, so we recorded the talk a little bit ago, really, right? Like since you recorded and kind of presented on Mr. SIP here at DEF CON, is there any major changes or updates you kind of wanna share with the audience? - So, first of all, inside this presentation that’s gone, we actually show most of the new updates. So they were not published before.
02:28 - So exclusively we presented many other modules and all these demos. They’re all new. And we first time showed them in DEF CON since the video published, like in a which time. We are still updating the documentation and the YouTube channel we have, Twitter page we have, people can follow and the GitLab page we use to host the website for the pro version. So these are the recent updates we can say, but other than that, the whole DEF CON experience is the new updates. So everything we show is the new content, all these pro features, the new modules.
03:05 - They were not published before and then right now we just introduced them. - Awesome, awesome. Yeah, so kind of, I guess also to kick things off here, so kind of what drew you to like VoIP research and SIP security and like, kind of what’s the origin for Mr. SIP? - Okay. That’s, that’s some big question I think. Maybe I would like to answer that and if you would like to add something you’re welcome. So Mr. SIP goes back to 2011 and one of our meetings with Melih also goes back to like 2012 or 2013 interview because like once I had a job application in Melih’s company and he was interviewing me, but that was no tip that time, but that is just once we came to meet each other. And around that time Melih was working for a big telecom company. One of the biggest in the world.
04:04 - And they had the SIP team and security team there. They were developing one internal tool. And with that internal tool, they were also hiring somebody like a resource supporter. And then in 2012, I think they didn’t have NDA and went off that guy who was not hired for the project and also published some open source modules. But I think the project didn’t go too deep because it doesn’t have any like also that’s the comparison I think, we can say it doesn’t have any novel or unique exploits vulnerabilities inside, but this stands out that it is both scientific and practical. It has like, it is very intensive I would say.
04:54 - It has full automatic modules that do all the vulnerability search but then in the real world attacks, it is utilizing novel exploits, CVEs that were even just not published before Mr. SIP. So it contains a lot if you compare with other things. But if you go back again 2012 to 2015, Melih worked on a closed source project, different version of Mr. SIP that was kept always private and closed in the under the company. And by 2015 Melih left the company and he was thinking, and by coincidence, we met in Black Hat London, 2016. We said, Oh, hi, you interviewed me four years ago. And he said, Oh, how’s it going? He said, Oh, I quit that company he said that And then this was the story we said, okay what is happening? He said I wanna program it from scratch, make it bigger, like make it like Burp Suite. You know, we had the idea that we could make it just like a real application that every pen tester, penetration tester is using. That was a dream in 2016. Nowadays after four years, you have about 10 modules. It is becoming a reality. So we’ve worked hard on those programming, software engineering, because it is a big project.
06:14 - It is not a one time published application but it’s evolving all the time. And we have lots in the roadmap. First, it appeared many times in arsenals, Black Hat Arsenals. So, and some other technical conferences, practitioners conferences, and also Melih published several research articles doing his PhD. So Mr.SIP actually gave him both, I would say almost like a startup company and a PhD. So there are a lot of I think, let’s say like events happen through the history of Mr. SIP.
06:54 - It is not the small application like it has several journals behind a PhD work, like a four years of PhD work. Plus it is becoming almost like a startup, but the main idea is that we keep it open source and we want community to use it and see how SIP is important, way but actually important and how they can just have a reliable tool. - Cool, that’s awesome. There are actually some questions in the chat about why does the website for Mr. SIP Pro require signing in to GitLab? Is that maybe one of the older ones or? - Oh, it is, I think not ready, that’s why. So we didn’t want Google to index something that is like a demo content because we have the template now imported into GitLab and it is getting updated.
07:41 - We are keeping it but we didn’t want to show it half missing. So it is just ongoing. It’s very new. And we wanted to include the links because the DEF CON video will remain online and maybe next week it will be open, the website, the Mr.SIP Pro website. But we get right now it is still ongoing that’s why it requires sign in. Even if you sign in, it will say you’re not authorized. But I think I’m happy if people go and sign up to give some feedback, I think that is cool. It’s free and it allows a lot of things.
08:16 - - Awesome, yeah, so we’ll move on to - Sorry, I was just saying sorry for those users who’s trying to get into the website. I’m sorry that they are struggling because of that. Sorry, I interrupted you, please go on. - No, you good, no that’s, shows interest, right? it’s good right, everyone’s excited. Yeah, so another question from the chat. So, you know if you’re aware that someone’s going to use an attack you know, using Mr. SIP, so imagine you’re on a blue team right,
08:45 - or like you know, in the SOC you know, what would you suggest as the first line of defense to protect yourself or your company? - I think like, okay. I will say something Melih but feel free. I take the first sentence and feel free to add after me. I think so when they do penetration testing inside the company, like let’s say they are using Mr.SIP and they are trying to find vulnerabilities and all tests. One of the defenses they could do is like, we also mentioned in the presentation that awareness, the password policy awareness.
09:24 - So usually it is the lowest priority in the companies and security policies. And strong password policies are really necessary. But when we look at SIP itself, it is vulnerable. So there are some of the aspects that are unavoidable like that. There will be VoIP by test. And that will be almost no defense if you deploy a con, like a sophisticated attack.
09:49 - So there is not much to do but they could do the standards like monitoring and actively having some security researchers looking at things and lots of awareness I think inside the company, strong policy for passwords. All these things that I think good for defense. I’m not sure Melih you wanna add something maybe? - Yeah, using very specific security parameters like VoIP application firewall or VoIP IPS should be beneficial. - Cool, I appreciate that. Yeah, so we’ve got one other question here, right? So if you have a lot of experience obviously looking at kind of SIP and VoIP attacks and everything. Would you say that there’s any device or companies out there you’d recommend over another to kind of do a better job of protecting against like the sallow attacks that are in Mr. SIP?
10:49 - - Okay, I think I will give this question to Melih by adding some on that. So maybe when we recommend or think about the company it is the client applications than the server applications we can talk about. I would think they are mostly similar but Melih what do you think about the companies like SIP servers or other companies deploying products? What do you think about them? - I couldn’t get the exact question but could you please summarize it? - Yeah, like I think, what I think is so, at the end our attacks are against the SIP protocol. It is not for products. And I think every product is vulnerable over time. So it is not a product based thing. Also because I think inside the clients or servers they don’t have any defense mechanisms deployed in the server.
11:48 - So they have to get additional defense mechanisms. But Melih what I’m thinking is you have more experience on that? What do you think if any SIP servers some brands or products are better than other ones? Do you recommend any of them? - It’s not appropriate to say. - Yep, yeah, no worries, that’s fine. Yeah, for someone who’s kind of, let’s say, you know, isn’t just familiar with the SIP space or the VoIP attacks right? Maybe they’re more used to using some of the standard, you know things against Windows or Linux, you know, I guess how would you recommend someone start to learn and kind of experiment there, you know, come into, you know, what kind of resources would you recommend for someone starting to look at like SIP for VoIP style of attacks? Other than just saying SIP itself? - Other than what? - Other than just saying use Mr.SIP? - Oh, okay, Yeah. I think one of the things they can definitely deploy the environment, the lab environment that they can simulate or emulate SIP servers and the client. So they can have because, nobody has this all SIP deployment at home. But every company has it.
13:12 - So my university adopts what we have this SIP servers, clients and it would be really easy, I think, to hijack a professor’s phone and then do these things. But at the end for a new starter to experiment it, it is not gonna be possible to deploy or have a SIP deployment at home. Nobody does that but they can definitely emulate something on their computer. And there are many tools for that. That they can start generating SIP messages on their local server and they can run virtual machines. So you take some VirtualBox, put instances.
13:48 - One of them is server, it has an IP address. Other one is few clients, et cetera. And then one, imagine one virtual box is calling another one and while doing so, you have another virtual box which is And then this one is the machine Gets access to network and they can play with it. So they can watch the network messages and play with it. I think new beginners could do that. And that would be fun. - Yeah, also reading first RFCs are beneficial. Is it virtual PBX, they can use any kind of Asterisk based PBX such as Trixbox or FreePBX et cetera.
14:38 - - Yeah, so there’s a question in the chat from RTTK 2015. Can you expand a little bit about wholesale VoIP, carrier voice and call shop? Kind of the attacks were mentioned in the talk in context of registration hijacking. - Yeah, so I would like to give some quick summary on that because it is a real incident first of all. And Melih was also one of the investigators and you know, like an expert, like preparing technical reports on it, like in a real million dollar, I think. So they found out how the hackers did it. And now we’ll say in DEF CON, we’ll show how they did it.
15:20 - So what happens is the steps are simple I think. So the hackers could get into the company network. That is, I think one of the precondition. And then with using Mr. SIP they can enumerate the users, break the passwords, get into the, or collect all the users credentials. That is the step. And that is not difficult by using Mr. SIP, everything is automatic. Once the hackers collect enough information about the users, what they do is that they can start selling whenever the users are sleeping or not using their lines or the accounts let’s say.
16:04 - The hackers can start selling their accounts. And just charge all these things into the company because company has the infrastructure that’s running. And if they allow calls to let’s say other countries, hackers can just, without running any infrastructure telecom infrastructure. They can just charge them and make calls on behalf of all these stolen users. And at the end maybe three months later the company will realize okay, there were all these fraud going on.
16:35 - They will detect but it will be too late because the guys, the hackers will already make I think millions easily by selling few months of utilizing this telecom infrastructure for a few months. So what they can do, they can for example run a local teller, a local phone call shop. Imagine one of the corner shops that says okay, you can make international calls. And they might be using actually one of the other big company infrastructure and underground like maybe stolen credentials and you still go and pay them and make the call. And it does maybe long distance calls, super expensive thing.
17:12 - And they charge small money but because they don’t pay anything for the infrastructure and because everything is pretty quickly, as much as they sense, they start selling those services and many other things, they are very creative, right? Very creative people. So that’s basically it. So few months I think it will take until a company realizes okay, why our bills are much higher than usual or the traffic going on too much. And then, that’s what happened I think, that is the story. - Also even if they understand that, they need to pinpoint the problem, exact problem. Cause they still don’t know about the fact. This is also very common hacking story in the real life. So I experienced a lot. - Melih, can I ask you a quick question? So do you think not only the telecom companies I think, the banks can have this or what are these types of companies can have this type of call fraud? Because if a bank has the infrastructure for their own use and if they allow with the SIP trunks external calls, so they can also be the victim of this type of fraud, right? - Yes exactly. - The banks and other companies. It’s not only the telecom companies so many other companies can suffer. - Any company, any enterprises running Voice over IP and making bulk calls through internet can be vulnerable for that kind of attack. - Cool, yes we have another question from the chat from thought seeker. - Oh great.
18:53 - Do you recommend using session border controllers in front of critical SIP infrastructure? - Yeah, I can reply this question. SBCs, the Session Border Controller, very common in internet service provider level companies, not for enterprises maybe. They are expensive as far as I know but it’s very beneficial. It’s working like SIP firewall, SIP application firewalls so it’s one of them, best security firewall type, I can say. - Cool, awesome, yeah. So something else. So just kind of pondering you know, what do you think is probably the most significant attacks someone could kind of do using like SIP VoIP traffic? Like what do you think that maybe it would be the most impactful or significant thing you could see someone trying to do? - Right, Melih do you wanna answer that maybe? I have some stories I think but we can both elaborate on this, what do you think? - In this service provider world, there are many fraud type attacks but for enterprises Telephony DoS is one of the most powerful attack, impactful attack.
20:28 - So, there are many different kinds of kind of key Telephony DoS attacks you can run using OSROP systems. - Yeah I think so, in the DoS, Denial of Service attacks. Mr. SIP is very skilled because we have so many protocol level vulnerabilities being published and getting also published. And that is one of the areas that Mr. SIP is very powerful. It has very unique, novel attacks, built-in modules, and by doing so, I would say DoS is definitely one of the impactful but at the same time inside Mr. SIP
21:15 - we have advanced scenarios where you wanna make an impact without knowing anything, full automatic scenario that you wanna attack an infrastructure. All these advanced custom scenarios we have a mechanism to write and prepare your attack. And then Mr.SIP automatically follows all that attack, and you will not do anything but let’s say you put a Raspberry Pi into the company network, leave it there. Maybe a month later nobody’s there but it will begin an attack, deploy the full automatic attack. And any of those imagine the fraud infrastructure running, maybe you can build a VPN server inside, make a tunnel outside, play a lot with this.
22:00 - And then anytime you wanna distract people to camp, place a DoS attack and any other stuff. - We couldn’t have a chance to make demonstration for our attack scenario players but it’s the new module of Mr.SIP. And we did some predefined attack scenarios including Telephony DDoS type of attacks. And one off time is like just by sending running a CPU might miss it and we can occupy the SIP server for 64 seconds. I just gave technical information about this kind of attack which was normal attack and we have published it in our academic research papers. - Yeah.
22:54 - - Yeah, so we’re coming near the end but is there anything in particular you really wanted to add that you kind of ran out of time to cover in the talk? Anything you really wanna make sure you share with everyone here? - I think I would recommend everybody and all this SIP community to support and give us the feedback. That is one of the important things because Mr.SIP is not a one time tool, it’s evolving. And last four years I think we showed a good progress. And next few years there would be a lot of new modules and new attacks coming up because our roadmap is huge. Even though we still say some of the parts like I know what Melih has and we discuss all the nights that we have huge abilities.
23:42 - We will integrate keep integrating into Mr. SIP. And we would like to say, tell the community that they should definitely follow and tell us how we can cooperate, how they can join. They are most welcome to help Mr.SIP and take up active role. And then so that we can make it better. But the point that we should not miss is definitely follow and communicate because there are a lot coming. - Awesome, awesome - Yeah, I guess so the last kinda question, I guess to wrap things up.
24:19 - So if folks want to learn more right? Or wanna contribute like you were saying you know, what’s the best way for them to kind of reach out kind of what’s the best contact like through the GitHub or Twitter? What’s your preferred means of communication? We can share the links as well on the chat. - So definitely GitHub is our first point of contact that we have the public version, open source version. The pro version is right now private. We are also open-sourcing gradually the pro version modules. They will get into the public domain at some point. But GitHub is definitely useful. We have the links in the slide. Twitter is definitely a good contact. Private mail address or Melih’s personal accounts. They are definitely good contacts.
25:16 - We are very active and we will likely not miss anything that anybody uses any of the points of contact in social media, Mr. SIP account or personal details, personal accounts, most welcome. I think if you don’t mind there is no official or like crazy strict rules on how to reach them, just like easy. - Melih do you wanna add something on? - I can add one more thing, people just asking about demo and we will share new demo videos on our YouTube channel most probably next week. - Yeah, I think that is very important that we should tell yeah because in the DEF CON video, I think the fonts were small. That was not very readable. It’s HD and high definition.
26:17 - If they actually watch HD quality, they will see, they will be able to read everything but we will also publish the videos of all the modules and all these attacks bigger fonts, maybe slowly in a better quality. They will come and you recommend the right thing. Definitely they should be watching the YouTube channel. - Awesome, awesome. Yeah I definitely think that’d be helpful. Cool, well if there’s no last minute thoughts from either of you, I would really just say thank you for joining us for DEF CON.
26:51 - Thank you for participating from remote places, again not in Vegas. And yeah and look forward to running into you in a future DEF CON hopefully in Vegas in person. And otherwise just really wanna thank you and, you know, stay safe out there. - Thank you guys. We would like to thank everybody that yeah, I think DEF CON team helped a lot through this online experience, Powders and Nikita and everybody. I’ve taken roll there and thank you guys for helping and arranging all these things. Even in last minute all these difficult time. - Awesome, well.
27:34 - Thanks again everyone stay safe out there, cheers! - Thank you.