
Alright, yeah, the slide's looking good on my end. Okay, cool. Yes, so this presentation is on using SIP data to discover potential security implications, and specifically, in my case, it had a lot to do with Germany, which I thought was interesting, being that we're in the U.S. and they're a NATO ally and things of that nature. From the geopolitical landscape, where they're situated in the world, it's just interesting what the data showed that I was able to find. I'm just going to go over my project. This was from my capstone engineering project at Auburn University, but I'll get more into that.

Okay, so here's kind of what we're going to talk about, table-of-contents-wise. I'll give a little background about myself, because I'm probably one of the lesser experienced speakers here from what I read from other people's bios and what I've seen. Everybody has had really cool presentations and, hopefully, mine's up to par with some of them. Then I'm going to go over the objectives of what I hope some people will be able to learn. If anybody's able to take one thing out of the entire presentation, even just seeing where I got my data from, it would be worth it to me, just because somebody getting something out of this would be really cool.

I'm going to go over how exactly SIP, the protocol, works, in a very generic nutshell, from a really basic standpoint. I'm not some signals processing expert or anything like that, so if anybody has anything else to add during it that I might be explaining incorrectly, that would also be very helpful to anybody here. It's a nutshell of how exactly it works. Then my data source, which I think is one of the most interesting parts of the talk: using Rapid7's open records that they scan the internet with using zmap. They have a lot of information on there and I think it sheds a lot of insight onto the open internet and things you can find. Then I'm going to talk about my data analysis, so some of the statistics, and then the tools used to do that data analysis, and then some of the potential security implications, so almost kind of wargaming, thinking of the different possible risks associated with having abundant use of the same FRITZ!OS in Germany in all these different residential neighborhoods and how people communicate. I think it's just an interesting outlook on things. I'm big on playing video games; a big one right now is Cyberpunk. I'm into sci-fi, and they're always talking about stuff like that, but this is real life, which is what I think is pretty interesting. And then some potential solutions that I came up with that I think would be able to help alleviate some of the pressure of possibly having a distributed denial of service against all these voice over internet protocol and internet telephony type systems, and then we can have some questions and answers at the end.

Okay, so here's my background, just so people can get to know me. I graduated from Penn State with my bachelor's in Security and Risk Analysis, and the curriculum was in line with the NSA and Department of Homeland Security's accreditation efforts. Then I just graduated from Auburn University; this was my capstone project to graduate, and I've kind of been accepted into some PhD programs, so I hope to continue doing some research and things like that after I choose which job offer I go with. So, like I said, I'm a little bit more of a newbie at this type of stuff than some of the other people here. For my work experience, I've worked in the public and private sector, so I've worked on some red teams and penetration testing teams, and I've also done ISSO work on the defensive side, securing systems. I'm also really into CTFs, so the Collegiate Penetration Testing Competition, National Cyber League, all the CTFs; I've probably done most of them. I love Hack The Box and TryHackMe, so if anybody wants to connect and talk about that stuff, I'd be really happy. I'm trying to go for the OSWP and OSCP soon, so I need all the help I can get. Some of the certifications I have: I'm an Associate of (ISC)² from passing the CISSP exam, the Red Team Apprentice certification, CEH, Security+, and eLearnSecurity's Junior Penetration Tester certification. So I have a bit of background and a broader spot; I come from both an offensive and a defensive side.

Some of the objectives I hope to enlighten and teach about: learn a background on SIP; learn where to find a huge data source of endpoints visible to the public internet, where you could possibly work on different projects and see, if you work for a company or an organization, they have DNS records, they have everything, so you can see if you have something visible to somebody like me working on their master's project that you might not want visible to the public internet; then some tools for analyzing that data. I have some of the commands for sifting through it, specifically from my case, but it's pretty easy to catch on to because Rapid7 has their own tools; I have links for the GitHubs and stuff, so it's pretty easy to use if you know how to use the command line. That's a really interesting part of it. And then finally, the security implications of SIP endpoints in specific geographical areas. That's probably the biggest thing I took out of this: a lot of places are using the same exact vendor and the same exact system, and it's all situated in one congested area, and it just brings to mind some attacks in recent years that I read about, cyber warfare and things of that nature from nation states. If you're able to take down somebody's communications, they lose situational awareness, so I think that's a huge takeaway, something that should be fresh in everybody's mind when we talk about the balance between security and functionality. SIP is associated with VoIP, and VoIP is really cool because it's easy to set up; anybody can set it up. Literally on AVM's website from Germany they say your grandma is most likely using this type of telephone system, so it takes no effort whatsoever to set up, but I think there are huge security implications with it.

Some of the beginnings of SIP: it stands for Session Initiation Protocol. It's one of the many signaling protocols; another one that I know is pretty big is H.323. It's used for encapsulating communications between multiple hosts, so it's used in the background of VoIP, and it's primarily used for phone, messaging and video applications. What you'll notice with this FRITZ!Box that I'm going to talk about is that it's kind of like a simple modem that you can connect plenty of phone numbers to, and that's from this application. But you can use it, for example, in the attack I'll talk about in Georgia that was suspected from the Russians in 2008; they couldn't use instant messaging over the internet either, which I thought was interesting, so that's another example. And that's just the RFC number for anybody who wants to learn more about it; they have all the standardization stuff and it goes into really gruesome technical detail.

Protocol background: it's text-based and it functions a lot like HTTP and SMTP, so looking at the packets in Wireshark, it's a lot similar to just seeing an HTTP packet. It utilizes ports 5060 and 5061, which are a bit higher in number, something most people aren't used to. Unlike most of the exams for our certifications, that didn't really pop up too much, so I didn't really know much about it before this project. 5061 is typically used for security purposes, so you can use TLS; it's integrated in SIP, so that's how you can encrypt your traffic and make sure it's relatively secure, but it's not always done like that, which is something I'll get into, because you'll see from my data it's not encrypted at all. And so SIP is used within VoIP; I mentioned that before. They're not the same thing, but SIP is used inside of VoIP for encapsulating packets and sending them over the wire. So I'll use those terms interchangeably, but I just want to mention they're not exactly the same thing.

This picture is a pretty good example of how exactly SIP works over the wire. I called it a handshake because it reminded me of TCP, but I guess it's not exactly the same thing as that. It uses an invitation, and that's done over the session data protocol, and then the parameters are sent to each other after it's acknowledged, and then the data is actually transferred through real-time protocol. So that's the simple concept, and then I'll show you what it looks like, what you can see in the JSON data from Rapid7, and that'll make it a little bit more obvious what exactly it is.

So for anybody who doesn't know what a user agent is: to the right, that's what the raw data looks like, not exactly from Rapid7 but in general; that's a basic example. If you see down there, there's "User-Agent: SIP telephone", so usually that's a telltale giveaway of what exactly is running on that endpoint. The endpoint will usually have, and I can show the Excel spreadsheet I have where all my data is sorted, the exact model number of what the person's using, so it'll basically say what type of SIP telephone they're using, which I thought was interesting, because if somebody's able to figure out who's using what all over the place, then it's a lot easier to send an exploit that'll affect all of them at once when it gives exact hardware numbers, exact firmware numbers; it can go into pretty detailed messages. And so the user agent symbolizes the network endpoint, and it sends or receives calls, because it's a signaling protocol, and it's used as both a server and the client. Like I said, it has device-specific configs, so a threat actor can use that to their advantage: if you're able to figure out where in a geographical area everybody has the same thing, it's a lot easier to know who to target in that aspect.

Here are some of the basic security concerns. It doesn't require any security to function in the first place, so that whole TLS thing I was talking about at the beginning is completely optional; you don't need to use that, and most things don't come set up with that. So it's vulnerable; some of the CVEs I saw were man-in-the-middle attacks, eavesdropping, so information disclosure, and denial of service attacks, which I think is probably the biggest concern of all of them. From my data it was primarily from port 5060. And then most of the devices are plug and play, so, as AVM mentions, anybody can use it.

So my original project idea for my master's: I was working with a few different people. I was working with my advisors from Auburn University, Dr. ... and Jason Cunio, who's been involved a lot in previous years' BSides Huntsville, and industry leaders, so H.D. Moore; he used to be with Rapid7, he helped make Metasploit. He actually introduced me to the whole project idea and helped me with figuring out something to talk about, because I really wanted to speak at a conference, so he was really instrumental in helping me out. It started off as analyzing the data from Project Sonar and converting the raw data from SIP replies to human-readable data, so taking the JSONs and then exfiltrating the user agent, so that specific configuration of that endpoint, and having a source address with it, and then developing new fingerprints for a network scanner they're developing. I did find some fingerprints and figured them out using regular expressions and things of that nature, but then what I noticed was there are correlations of the user agents and server headers to specific geographic areas, and from there you can figure out that there are big security implications with those distributed networks. What's interesting is places like Deutsche Telekom, so this is in Germany, shut down all of their analog systems for landlines, and they primarily use internet telephony now, so they don't really even source out your old-style landlines, which I thought was interesting. That shows why Germany itself correlates with having that much of the data.

So this will go into Project Sonar from Rapid7. If you've never heard of it, I think it's something you should really look up, specifically if you want to learn more about your organization and their network fingerprint, or network footprint, of what you have open. They have DNS records, and they also have TCP and UDP scans of the entire internet, so there's over 46 terabytes of data on this. Like I said, it's perfect for anyone who wants to do something with a graduate degree and needs data to source through and do your thesis or project or anything like that, or if you want to do a side project; there's just a lot of data to choose from and some interesting ports and protocols, for example SIP, and there's not as much research done on it. It's constantly updated; I saw yesterday they updated it with their DNS records. So, like I said, you can see if you have a SharePoint login that's not supposed to be public to the internet, which I think is really cool, and it's simple to use and extract data from. That's the exact data source I used, which is just a UDP SIP .gz file, and when I share these slides, that's the link to go there and see all the different data sources.

This is the raw, unformatted data that I found from each of the SIP replies, and what's interesting here is you can see source address, destination address, and then what I was talking about: if you look towards the bottom, this is just one of the many examples, I just took a screenshot, there's the FRITZ!OS, which occurs a lot throughout the entire data set, so I could just grep and find where FRITZ and AVM products were, and that's how I was able to figure out how many were in that thousand replies of the data. The above picture just has the commands used to extract the data from it. pigz is just for decompressing the .gz file, and dap is Rapid7's custom tool for data analysis; you can take it into a lot of different file types. I used CSV primarily, or you can use JSON, but there are just a lot more options inside of it to choose from, so it's a little bit more cluttered and harder to read. So that's how it looks unformatted.

The tools utilized, like I said, were dap, and they have a really good GitHub for explaining how to use it, and I'm sure you can probably use it for more than just those files from Project Sonar, so I think that's a really cool tool to look up if you're trying to sift through a lot of data, especially if you're working with CSVs and JSON files. As it says there, it can be used for public scan data sets from scans.io, so it can be used in a lot of different instances. pigz is just a simpler tool to decompress it all. Towards the end I needed to sort the data, so just using bash commands, basic Linux commands; that was pretty necessary towards the end of the project.

In the top right, that picture is an example of what it looked like. Just from reading through the data as a human being, we're always constantly looking for patterns; pattern recognition is a huge thing in human beings, so that was something I noticed right away: all these are just FRITZ!OS, and you start doing some googling and this company's centered in Germany, under AVM. What's interesting with that, as mentioned in the abstract, is that at random there were 380 AVM products out of the 1,000 replies. That's a lot considering this is a worldwide scan; like I said, this is zmap scanning the entire world, and 380 of the thousand packets in that one set were from Germany. I just think that's an alarming amount, especially because you start doing more research and see that they've switched primarily to internet telephony and it's primarily used in residential neighborhoods for simple communications and smart home devices, and I'm sure everybody's aware that that type of stuff is extremely insecure.

Here are some of the implications that came up from that data. There are just a lot more threat vectors for somebody to go into a residential area and figure out how to eavesdrop on conversations, and things like wiretapping, which you think don't really happen, are a little bit more scary to think about when everybody's using the same exact device and it isn't as secure as something like your iPhone or something along those lines, especially when you see how many CVEs have come about recently for this specific product, which I guess in a way is good because they're finding a lot of issues, but it kind of just shows that they've had issues with security, bypassing protocols, information disclosure and things like that. That's just one of the CVEs there. I think for personal privacy, for the common person, I know that's already a big thing with all the different big tech companies and with social media; if people don't feel comfortable talking on the phone with other people because they think somebody could possibly be listening in on the conversation, I think that's a huge issue from the residential standpoint.

Then there are commercial-setting security implications, because I'm sure they're probably using it in enterprise networks as well. I know from places I've worked, VoIP's commonly used, which is good to a certain extent, but if they're using a product that isn't exactly secure from the beginning, I think there's a huge issue for multiple points of failure and losing a lot of money, and possibly having their reputation tarnished, which can cause adverse effects in the stock market. We've seen that recently with SolarWinds, from everything that happened with their clients in the Department of Justice and throughout the public sector; they lost a lot of money and their shares still haven't recovered. So something I always think about with this would be: if somebody gets compromised and DoSed, they could have their company just go under in the process. That's one scenario I think could be a huge issue.

Another one, right now, incorporating it with everything going on in the world from a healthcare standpoint: if hospital systems are using all these phones and this specific product, the entire system could go down and make communications in that type of environment much more difficult for people to get the quality care they need, especially during a pandemic, let alone if it's somewhere like an ICU or an emergency room. Hospitals primarily use phones to communicate from different floors to get doctors in the right spots, to have people set up properly, so it would just cause a hindrance from that standpoint.

Finally, one last security implication I thought of, and this is the biggest one I got out of the whole thing, was nation-state attacks. With this data you can see they're all using that FRITZ!OS, and even other replies of the SIP data use the same vendor, device, hardware, firmware and software, which leaves the nation vulnerable to mass denial of service. At this point you're getting past financial attacks towards specific companies or people listening in on personal conversations; you're getting to more APT-style stuff, massive denial of service attacks.

I brought it up earlier, but I read a really good paper from the U.S. Army War College; I have it linked as a reference at the end. They talked about when Russia utilized cyber warfare against Georgia, and some of the attacks against Estonia in 2007, and VoIP was primarily one of the biggest concerns, because the entire country couldn't communicate over the phone with each other and instant messaging wasn't able to be used. Something kind of unrelated: they weren't able to use Google Earth to look at each other's potential geolocations and things like that, so the country as a whole was at a complete disadvantage when it came to situational awareness and being able to communicate with each other, which arguably plays a huge role in that type of situation. Obviously, in 2008 they were hurt from not being able to do that; Russia controlled that entire section of warfare, and then they also went after other things like cell phone towers, so you couldn't communicate using cell phones or just be able to speak with your quote-unquote landlines. Being that they're not analog and are using IP stuff, it's a lot easier to just take down all the communications for somebody, and, like I talked about, a lot of chaos would ensue from something like that. No one would be able to communicate, and so you have all those issues of healthcare, military, energy and things like that. It would just cause a lot of issues, which I think is one of the most abundantly clear things from all the data I found, and it would hurt both residential and commercial settings in the long run too.

So, some of the potential solutions. Sometimes, like I said, the best defense is using attackers' threat methodology, so assuming compromise with that type of stuff is something that I always noticed from pen testing and red teaming: a lot of times people don't assume that everything can be exploited in that aspect. So I think using this open source data and seeing that it's easy for anybody to see all this stuff is something that maybe a company like AVM should take into consideration, or anybody using the product should also take into consideration. I know that's difficult when people aren't exactly technically rounded enough to figure it out and do it themselves, but I think that's something that, with that open source data, a company or organization should do, to see what their footprint is and what people can see. And then obviously using SIPS, which is the secure version of SIP with TLS and encryption, should avoid people using man-in-the-middle attacks and seeing everything you saw in that reply packet; that wouldn't all be visible to a human to read in that instance. And then proper patch management: all those CVEs that are discovered, hopefully they're patching the devices they have throughout the use of all those people; hopefully it's getting properly patched, because most people aren't able to do that type of thing themselves. So those are most of the potential solutions I came up with, plus reducing the amount of data that's just open to the internet for somebody to see in that protocol specifically. So yeah, I finished up a little bit earlier than I thought I would, but does anybody have any questions?

If not, you can also message me too if you need any of the different data sources I had or things like that; I'd be happy to share anything with anybody. And connect with me on LinkedIn too, or if you want to talk about CTFs or anything like that; I have a lot of knowledge on that stuff too.
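The following is an added worked example and is not code from the talk, from Rapid7 or from dap: a small Python stand-in for the pigz | dap | grep | sort pipeline described above. It assumes (and this is an assumption, not something the talk states) that the Sonar UDP records are one JSON object per line with `saddr`, `sport` and a base64-encoded `data` field holding the raw SIP reply. The records below are constructed for the example, and the User-Agent/Server banners are invented to look like vendor strings, not copied from any scan. The code parses each reply's header block, fingerprints the User-Agent or Server header with a per-vendor regular expression that also captures the firmware version, and tallies vendors and endpoints, which is the FRITZ/AVM grep-and-count step from the talk done in a way that survives non-SIP junk on port 5060.

```python
"""Fingerprint SIP user agents in Project Sonar style UDP scan output.

Added example, not from the talk or Rapid7's dap. Assumed record layout
(an assumption): one JSON object per line with "saddr", "sport" and a
base64-encoded "data" field holding the raw SIP reply. All sample data
below is constructed for the example.
"""
import base64
import json
import re
from collections import Counter

# Constructed sample replies. The banner strings imitate vendor-style
# User-Agent/Server headers but are invented, not copied from a scan.
_RAW_REPLIES = [
    ("203.0.113.10", "SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 198.51.100.1:5060\r\n"
                     "User-Agent: AVM FRITZ!OS 7.21\r\nContent-Length: 0\r\n\r\n"),
    ("203.0.113.11", "SIP/2.0 200 OK\r\nServer: AVM FRITZ!OS 7.12\r\n"
                     "Content-Length: 0\r\n\r\n"),
    ("203.0.113.12", "SIP/2.0 404 Not Found\r\nUser-Agent: Asterisk PBX 16.2.1\r\n"
                     "Content-Length: 0\r\n\r\n"),
    ("203.0.113.13", "SIP/2.0 200 OK\r\nServer: Grandstream HT801 1.0.3.2\r\n\r\n"),
    ("203.0.113.14", "HTTP/1.1 400 Bad Request\r\n\r\n"),  # junk: not SIP at all
]


def sonar_lines():
    """Yield constructed Sonar-style JSON lines (assumed layout, see above)."""
    for saddr, reply in _RAW_REPLIES:
        yield json.dumps({
            "saddr": saddr, "sport": 5060, "daddr": "192.0.2.1", "dport": 5060,
            "data": base64.b64encode(reply.encode()).decode(),
        })


STATUS_RE = re.compile(r"^SIP/2\.0\s+(\d{3})\b")
HEADER_RE = re.compile(r"^([A-Za-z0-9\-]+)\s*:\s*(.*?)\s*$")

# Vendor fingerprints: (label, regex). Group 1, if present, is the version.
FINGERPRINTS = [
    ("AVM FRITZ!Box", re.compile(r"FRITZ!OS\s*([\d.]+)?", re.I)),
    ("Asterisk", re.compile(r"Asterisk(?: PBX)?\s*([\d.]+)?", re.I)),
    ("Grandstream", re.compile(r"Grandstream\s+\S+\s*([\d.]+)?", re.I)),
]


def parse_sip_reply(raw):
    """Parse the start line and header block of a SIP response.

    Returns (status_code, headers) with header names lower-cased, or None
    when the payload is not a SIP response (scanners receive plenty of
    junk on 5060). Anything after the blank line is ignored.
    """
    text = raw.decode("utf-8", errors="replace")
    head, _, _body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = STATUS_RE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        hm = HEADER_RE.match(line)
        if hm:
            headers[hm.group(1).lower()] = hm.group(2)
    return int(m.group(1)), headers


def fingerprint(headers):
    """Map a User-Agent (or Server) banner to (vendor, version)."""
    banner = headers.get("user-agent") or headers.get("server") or ""
    for vendor, rx in FINGERPRINTS:
        m = rx.search(banner)
        if m:
            return vendor, m.group(1)
    return "unknown", None


def summarize(json_lines):
    """Tally vendors and list (saddr, sport, version) per vendor."""
    counts = Counter()
    endpoints = {}
    for line in json_lines:
        rec = json.loads(line)
        parsed = parse_sip_reply(base64.b64decode(rec["data"]))
        if parsed is None:
            counts["non-sip"] += 1
            continue
        _status, headers = parsed
        vendor, version = fingerprint(headers)
        counts[vendor] += 1
        endpoints.setdefault(vendor, []).append((rec["saddr"], rec["sport"], version))
    return counts, endpoints


if __name__ == "__main__":
    counts, endpoints = summarize(sonar_lines())
    for vendor, n in counts.most_common():
        print(f"{n:4d}  {vendor}")
    for saddr, sport, version in endpoints.get("AVM FRITZ!Box", []):
        print(f"      {saddr}:{sport}  FRITZ!OS {version}")
```

On a real download you would feed `summarize()` the lines of `gzip.open(path, "rt")` instead of `sonar_lines()`. Before trusting the per-vendor counts, tighten the regexes against banners actually seen in the data: a loose pattern such as the FRITZ!OS one will happily match a banner that merely mentions the string, and the version group is only as reliable as the vendor's banner format.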
Hey Luke, good job man, I liked it.

Oh yeah, I thought it was good. Okay, did anybody else notice at the beginning, when Luke was talking about his education, he said, "Oh yeah, I kind of got accepted into a PhD program and finished my master's"? He said "kinda" so casually, like it's not a big deal, just brushing it off the shoulders.

No, I feel like a lot of other people here are probably a lot more experienced than me. I don't know, I'm not trying to come off as bragging or something, so I was just kind of...

Although I did hear it, and I got more of a humble idea from it.

Yeah, that's what I thought too. I don't know, it was just a little funny, man.

Yeah, no, I know. It was recent too, it's just in the past few weeks, so I just wanted to mention that.

Oh dude, congratulations man, that's awesome. I mean, if I were you I'd brag about that as much as any time I get.

Yeah, but, like I was saying, if anybody has questions, or any critiquing of the talk itself, you can message me privately too. I don't know if it was too high level or low level.

Hey, can everyone hear me clearly?

Yep, we can hear you.

Yeah, so the question is about something really interesting you said, if I heard you correctly, about Germany. I think you were talking about Germany; you said something about them discarding or retiring older analog systems. Has that been systematic, to where they only have PBX or VoIP systems, or do they have emergency analog, or are you basically saying they don't have anything to fall back to?

Yes, so here, I'll actually pull it up right here, let me just grab... trying to now. Now I know why all my professors have trouble with Zoom when you're actually doing it yourself, but it's kind of fun.

The thoughts running through my head are, I mean, I'm a career IT guy and at the same time I'm always one of those paranoids that worries about when the grid goes down, what you do.

Yeah, well, that's my thing with this. I'm not much of a person who walks around with the tinfoil hat all the time, but it was a little weird how, rounding up, basically 40% of the country, 40% of that data, randomly selected, was in Germany. So this right here I had with AVM; I'm just talking about their advantages of using VoIP, because, like you said, I think they're just kind of forcing everybody to sway towards this. And so this was right here; that's what I was talking about with Deutsche Telekom. I'm not sure if you're familiar with them; they were involved with that whole thing with the wiretapping in 2009 too, so they don't exactly have... well, suspected, which is why it was in Spiegel, the German newspaper. But I'm familiar with a lot of German culture and stuff because I've been taking it for years, learning the language and everything. This sentence is where I took that from; I guess they just deactivated all their analog connections at that point.

Yeah, I have friends in Germany; I could ask them that question, see if they've moved completely to VoIP or cellular.

Yeah, exactly. When it comes to cellular, now that I mentioned that, the backbone is basically VoIP. So, oh, I'm reading hundreds message right now. I say backbone; backbone often refers to the actual physical infrastructure, but I guess over that backbone everything is getting converted into VoIP.

Yeah, yeah, from what I understand, yeah.

Let me see here, I just got a private question too, or a private message as well.

Oh, I think you answered my question, so thank you.