Trefor.net welcomes VoIP Week contributor Tim Bray, Technical Director for ProVu Communications
Most SIP providers in the UK use auto provisioning to look after their SIP phones, with the phones calling home to a central server via HTTP to download configuration files.
Auto provisioning is an essential part of the hosted SIP and SIP PBX market in the UK, which would be unviable without it. The advantages offered are a consistent phone setup and an ongoing ability for the support team to manage and support the device.
Parts of the system
- Provisioning server
- Provisioning client on phone
- Redirection server at manufacturer
- Multicast detection (for a PBX to detect phones on local networks)
- File format – usually key/value based or XML
Recent security disclosures (Cal Leeming, et al) have given the impression that all auto provisioning is insecure, the basic argument being that phone MAC addresses are predictable and thus a provisioning server can be easily scanned. I am not sure these disclosures have really brought out anything that was not already understood by the competent players in the market, but they did bring to light the fact that some people are acting in an insecure manner and probably need to tidy up their systems a bit.
SIP usernames and passwords have a value in the underworld of VoIP fraud.
I know from personal experience that security holes in phones cause more damage than exploited provisioning servers, and having the ability to rapidly upgrade thousands of vulnerable phones by way of a provisioning server is invaluable.
At Provu we run a provisioning system for many thousands of phones, and we act as a provisioning service provider for ITSPs who need it. We have always had a policy to only provision SIP passwords one time and then to immediately delete those passwords, and phones that never call home get their passwords deleted as well, all of which provides some level of protection.
Authentication
It is my view that the provisioning session between the phone and the server should be authenticated. A very good way to do this is to use HTTPS with client certificates (the certificates are for client authentication, with the https encryption almost secondary) that are installed in the phones at the factory. A provisioning server can then use the public part of the Certificate Authority (CA) to authenticate the phone. Each phone has a unique certificate and the MAC address of the phone is embedded as a field within the certificate, and thus a provisioning server can know for certain which phone it is talking to simply by checking the certificate.
The main advantage of the certificate authentication method is that no setup is required on the phone. The certificates are inserted at the factory and can be validated by anybody with the CA file. Some phone vendors already support this, too, it being an idea that was first put to use by Sipura sometime around 2005. For years, I have been asking the phone vendors I deal with to add certificates as part of their manufacturing process, and I would very much like to see a world where client certificates are standard on all SIP phones. The certificates can also be used for SIP as well, serving to immediately block an avenue for fraud.
Wider Security
There are many phone configuration best practices that can be enforced by a provisioning server, including:
- Enforcement of strong passwords on web interface
- Disablement of dialing from web interface
- Updating firmware with all the latest security fixes
- Configuration of SIP on a random port number
- Disablement of backdoor entry points for click-to-dial software
- Disablement `hidden` web access usernames and passwords
- Enforcement of long SIP passwords (much easier to provision a 20 character random password than have the end user type it in)
Provisioning Server Security
- Use authentication — Must be not replayable
- Rate Limits — Basic sysadmin firewall type tasks
- Patched up-to-date with security fixes
- No directory indexes
- Use script that deletes passwords once provisioned
VoIP Week Posts:
- Ten Years of VoIP – Happy Birthday!
- #voipweek on trefor.net Brings Diverse Set of Posts
- The Conception and Birth of a New IP Handset
- UC Disappearing Like VoIP
- Microsoft Lync, Embrace or Ignore?
- Voice Fraud – You Need to Act!
- VoIP and Emergency Services – Location, Location, Location…
- Vastly Objectionable Ignominious Phrase
- A VoIP Spring
- Voice Technology Makes Conference Calls Sound Amazingly Clear and Life-like
- Net Neutrality and Telephony
- The Smoking Rooms of Net Neutrality
- Provisioning, Cloud Management and Obihai
One reply on “Secured SIP Provisioning”
You said…
For years, I have been asking the phone vendors I deal with to add certificates as part of their manufacturing process, and I would very much like to see a world where client certificates are standard on all SIP phones
All I can add is “Amen to that”. If any SIP phone vendors read this, please make sure you have device certificates embedded before you approach 8×8 for any business. If you don’t have this, you won’t get any business from us.