This section presents an overview of research concerning the security
of Voice-over-IP (VoIP) systems done at SVS:
Current activities
Testing SIP Implementations:
We requested hardware SIP devices (user agents, analog adapters,
routers) from vendors to test in our security lab. We are
interested in the security functionality today's devices offer
and how securely these devices are implemented. Furthermore, we are
testing softphones with the same intention. This work is a subproject
within the project Software
Security.
Testing TLS Support:
We are developing a prototype to test the handling of certificates
by SIP implementations which support TLS. This work is a subproject
within the project Network
Security.
Lawful Interception of VoIP traffic:
Lawful interception of VoIP traffic differs from lawful
interception in the PSTN. The open nature of the Internet and
some properties of VoIP make lawful interception a non-trivial
task: First, content is transferred on a different route than
signaling. Second, the service provider for VoIP may not be the
access provider to the Internet. Jan Seedorf and Ilona Rappu are
doing research on the problems which VoIP introduces for lawful
interception.
Security implications of P2P-SIP / DHT
security:
Recently, it has been proposed to use SIP in a peer-to-peer
(P2P) scenario. One of the proposed
solutions uses a distributed hash table (DHT) as the underlying
technology for the P2P network. While this has some advantages
(easier setup, NAT/firewall traversal, redundancy), such a setting
has serious implications for security. Jan Seedorf is doing research
with the goal of identifying the security implications of using
a distributed hash table for P2P-SIP.
If you are interested in further information on these activities,
please contact Jan
Seedorf.
Past activities
Lawful Interception of SIP-based VoIP:
Ilona Rappu has done research on the security issues that arise
when trying to do Lawful Interception in SIP-based VoIP networks
("Studienarbeit").
Implementing a back-to-back user agent
(B2BUA): We have implemented a prototype SIP back-to-back
user agent as a pseudonymity service. This work was a subproject
within the project Software
Security.
Security of SKYPE:
Laalak Nassiri has done research on the security of the Skype
P2P Network ("Studienarbeit").
Posegga, J.; Seedorf, J.: Voice over IP: Unsafe at
any Bandwidth? Eurescom Summit 2005 – Ubiquitous
Services and Applications, Heidelberg, 27.-29.4.2005, pp. 305-314
Jan Seedorf: Self-Certifying SIP-URIs. Presentation
at SVS
Oberseminar SS2006, May 23rd, 2006
Jan Seedorf: Security Considerations for P2P-SIP. Presentation
at SVS
Oberseminar WS2005/2006, January 1st, 2006
Jan Seedorf: Security Challenges in VoIP session establishment.
Presentation at SVS
Oberseminar WS2004/2005, December 13th, 2005
Opportunities for students
Diploma Theses (work in progress):
A Webservice for Testing Implementations of the Session
Initiation Protocol (Stephan Sutardi)
Implementing a Prototype for Secure Session Establishment
in P2P-based VoIP Systems (Frank Ruwolt)
Baccalaureus Theses (work in progress):
Testing TLS Support in SIP User Agents (Frederick Pscheid
/ Volker Lübbers)
Theses Offers:
We offer Diploma Theses and Baccalaureus Theses in the field of
Voice-over-IP security. Please contact Jan
Seedorf if you are interested.
Teaching
SS 2007:
In the summer term 2007 we have a student project on the handling
of certificates by SIP phones as part of the project Network
Security (see current activities above). Please contact Jan
Seedorf for further details.
WS 2006/2007 and SS2007:
In the winter term 2006 and summer term 2007 we have several student
projects on Testing SIP Implementations as part of the project
Software
Security (see current activities above). Please contact Jan
Seedorf for further details.
WS 2005/2006 and SS2006:
In the winter term 2005/2006 and summer term 2006 we had several
student projects on the security of VoIP as part of the project
Software
Security.