Snooping is More than a Public Telephone Threat: How to Prevent Vo-Fi Attacks
by L. Phifer
Public telephone snooping isn’t the only call vulnerability out there. Voice over IP calls can be snooped over wireless networks, leaving corporate and personal calls vulnerable without appropriate precautions and tools. Any unencrypted traffic sent over Wi-Fi can be easily captured for later replay. Both commercial and open-source tools are readily available to passively capture VoIP traffic (e.g., RTP packets), reassembling them into sessions that can be played back with the push of a button. So let’s start by assuming that anyone who cares about call privacy encrypts voice traffic sent over Wi-Fi.
Next, what can be learned from capturing encrypted voice over Wi-Fi? Commercial tools such as NETSCOUT's AirMagnet VoFi Analyzer can observe voice traffic and analyze the quality of Wi-Fi calls - even when encrypted. However, such diagnostic tools don’t snoop on call content. Rather, they help administrators diagnose problems such as calls dropped due to roaming or degraded by interference. For example, VoFi Analyzer reports on call quality using metrics like WiMOS scores and WiR values, letting admins easily see which devices are experiencing quality issues, when, and where.
Using such tools, enterprises that encrypt voice over Wi-Fi traffic can troubleshoot and optimize call quality while preserving call privacy. However, there’s another risk to consider: man-in-the-middle attacks performed by voice-aware Evil Twins. For example, a recently published paper shows how T-Mobile’s Wi-Fi calling service leaves SIP calls vulnerable to snooping. Beekman and Thompson created an experiment where SSL-encrypted Wi-Fi calling traffic was captured by an Evil Twin running the common sslsniff man-in-the-middle attack tool. Because the Wi-Fi calling service fails to validate the T-Mobile call server’s weak self-signed certificate, their Evil Twin could easily record, block and reroute encrypted SIP traffic.
Not all Wi-Fi calling client applications and versions were vulnerable to this attack. The researchers demonstrated this attack on two Samsung Android phones and speculated that several other Samsung Galaxy products might also be vulnerable. To their credit, the researchers also gave T-Mobile a chance to fix this vulnerability and make patches available to customers before publishing the paper.
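The certificate-validation gap described above, shown as a client-side TLS configuration next to a hardened one. This is an added example, not code from the paper or from any vendor's Wi-Fi calling client; the function names are hypothetical and the sample certificate bytes and pin are constructed.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed sample data: stand-in bytes for a DER certificate and its pin.
SAMPLE_DER = b"constructed-der-certificate-bytes"
SAMPLE_PIN = hashlib.sha256(SAMPLE_DER).hexdigest()

def insecure_context():
    """Encrypts the session but accepts any certificate (the flaw above)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_context(cafile=None):
    """Requires a chain to a trusted CA and a certificate matching the host."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx):
    """Return the validation gaps that leave this client open to an Evil Twin."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched to the server name")
    return findings

def pin_matches(der_cert, pinned_sha256_hex):
    """Compare the presented certificate's SHA-256 with the expected pin."""
    digest = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(digest, pinned_sha256_hex.lower())

def connect_call_server(host, port, pinned_sha256_hex, cafile=None):
    """Open a validated TLS session; refuse it if the pin does not match."""
    raw = socket.create_connection((host, port), timeout=5)
    tls = hardened_context(cafile).wrap_socket(raw, server_hostname=host)
    if not pin_matches(tls.getpeercert(binary_form=True), pinned_sha256_hex):
        tls.close()
        raise ssl.SSLError("call server certificate does not match the pin")
    return tls
```

With the hardened context the handshake itself fails when the access point presents a certificate that does not chain to a trusted CA, and the pin check additionally rejects a substituted certificate that does.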
Of course, there are hundreds of other voice over Wi-Fi implementations out there, both hardware and software-based. Some might be vulnerable to similar man-in-the-middle attacks. The lesson to be learned is that encryption is an excellent start to preserve voice call privacy over any kind of network. But don’t be complacent. Enterprises that use voice over Wi-Fi calling should diligently monitor their airspace for rogue APs, Evil Twins and other telltale signs of a man-in-the-middle attack by using a 24x7 WIPS/WIDS system like AirMagnet Enterprise.