Sweep Documentation
SOURCE BOSTON 2008
Copyright 2008, James M. Atkinson
Telephone Defenses Against the Dark Arts
James M. Atkinson
Granite Island Group
www.tscm.com
Telephone Vulnerability Basics
1. Instrument
2. Local Distribution
3. Local Switch
4. Demarcation/Network Interface
5. Transmission
6. Switching
Instrument
Vulnerabilities
1. Speaker or Microphone Exploit
2. Installation of Foreign Device
3. Hookswitch Manipulation
4. Software/Firmware Exploits
5. Normal Operation Exploits
6. Moderate Protection, Easy to Subvert
Local Distribution
Vulnerabilities
1. Wall Plates
2. Raw Wiring
3. Cross Connection Points
4. Normally Not Protected or Supervised
Local Switch
Vulnerabilities
1. Cross Connection Points
2. Switch Inputs/Outputs
3. Switch/PCM Backplane
4. Parallel Channels
5. Switch Software/Firmware Exploits
6. May or May Not Be Protected
Demarcation/Network Interface
Vulnerabilities
1. Ripe for Exploitation
2. Poorly Protected
3. Generally Accessible
4. Target Specific
5. Significant Choke Point
Local Transmission Network
Vulnerabilities
1. Post Demarcation/NID
2. Before Switch
3. Easy to Isolate Single Subscriber
4. Open Terminals and Boots
5. Not Protected, Wide Open
Switching
Vulnerabilities
1. Central Office
2. Used to Be Huge Buildings
3. Modern Small Scale Switching
4. Post 9-11 Logo Removals
5. High Value OVERT Choke Point
   • CALEA and .gov targeting
6. Usually Highly Protected
Transmission Network
Vulnerabilities
1. Mostly Single Mode Fiber Optics
2. Accessible Public Pathways
3. Usually Well Marked
4. High Value COVERT Choke Point
5. Cable Vaults on Alarms
6. “Supervised” Against Breakage
Telephonic Integration
Voice over IP
• Cable Modems
• Other Broadband Services
ISDN
Fiber Optic Internet Service
EVDO
Other Wireless Services
The Realistic Threat
RF Device
Hard Wired Recorder
Wireless Intercept
Software Manipulation
Other Methods
Essential Tasks
Conductor Inventory
Pathway Mapping
Known Electronic Metrics
• Re-Testing Against Metric
• Open Testing
Physical Inspection
Auditing Telephone Instruments
What Kind of Phones
“Soft Under-Belly”
What Should It Normally Do
• Is It a Risk?
• Is It a Threat?
• Hostile Manipulation?
Feature, Hazard, or Risk?
Auditing Wiring
What Wire is in the Walls?
What Wire is in the Ceiling?
Wall Plates?
Termination Points
Junction Points/Punch Blocks
Auditing Wiring
Conductor Maps
• Signal Pathways
• Pair Combinations
• Industry Standard Pin-Outs
• Color Codes?
• Conductor Length
Fractions of an Inch Accuracy
• Non Linear Junction Combinations
Auditing Transmission Paths
Map Out Every
• Cable
• Conductor
• Wire
• Fortuitous Pathway
• Location Must Be Within Inches
Auditing Switching Systems
What is the Default Generic?
• Actual Translation?
• What is Different?
• Is it Safe?
Always Reduce to Hardcopy Form
Auditing Secure Communications Systems
Tampering with Actual Instrument
Tampering with:
• Uncontrolled Accessories
Handsets, Cords, Cables
Power Supplies
Low Bandwidth (300 Hz) Filter Bypass
Proximity to RF Emitters
Prior Penetrations, Hacks, and Attacks
Common Manipulations
Raw Hacking/Manipulations
Naked Attacks
Appropriate Counter Measures
VOIP Attacks
Extremely High Risk
• Rarely Utilize Hook Switch
• Open Microphone
• Firmware Can Be Remotely Updated
• Network Provides a Serious Choke Point
Mechanisms to Detect and Defeat
VOIP Attacks and Exploits
Detection
• Unregistered IP Address on VOIP NW
• Non-VOIP Asset on VOIP Network
• Hub, not Switch Being Used
• Machine Being Used On Backbone
Classic Man-in-the-Middle Exploit
• Suspect Data Traffic on an Unused VOIP Phone Line
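Added example (not from the original slides): a minimal audit that applies the detection checks above to flow records from a voice network, comparing them against an inventory of registered phones. The subnet, port ranges, inventory, call log and flow records are all constructed assumptions, and the multiple-MAC check is an assumed heuristic for a hub or inserted machine on an access port.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions for this example: voice subnet, SIP signalling ports, RTP media range
VOICE_NET = ip_network("10.20.0.0/24")
SIP_PORTS = {5060, 5061}
RTP_PORTS = range(16384, 32768)

# Constructed inventory: registered phone IP -> (MAC, switch access port)
INVENTORY = {
    "10.20.0.11": ("00:11:22:aa:00:11", "Gi1/0/1"),
    "10.20.0.12": ("00:11:22:aa:00:12", "Gi1/0/2"),
}
ACTIVE_CALLS = {"10.20.0.11"}  # constructed: phones with a call in progress

# Constructed flow records: (src_ip, src_mac, switch_port, dst_port, bytes)
FLOWS = [
    ("10.20.0.11", "00:11:22:aa:00:11", "Gi1/0/1", 16500, 48000),  # normal call
    ("10.20.0.12", "00:11:22:aa:00:12", "Gi1/0/2", 5060, 600),     # idle signalling
    ("10.20.0.12", "00:11:22:aa:00:12", "Gi1/0/2", 17000, 90000),  # media, no call
    ("10.20.0.50", "02:00:00:00:00:50", "Gi1/0/2", 16600, 1200),   # unknown host
    ("10.20.0.11", "00:11:22:aa:00:11", "Gi1/0/1", 443, 5000),     # data traffic
]

def audit(flows, inventory, active_calls):
    """Return sorted (subject, reason) findings for the voice network."""
    findings = set()
    macs_per_port = defaultdict(set)
    for src, mac, port, dport, _size in flows:
        if ip_address(src) not in VOICE_NET:
            continue
        macs_per_port[port].add(mac)
        if src not in inventory:
            findings.add((src, "unregistered IP on voice network"))
        elif inventory[src][0] != mac:
            findings.add((src, "MAC does not match inventory"))
        if dport not in SIP_PORTS and dport not in RTP_PORTS:
            findings.add((src, "non-VoIP traffic on voice network"))
        elif dport in RTP_PORTS and src in inventory and src not in active_calls:
            findings.add((src, "media traffic from idle phone"))
    for port, macs in macs_per_port.items():
        if len(macs) > 1:  # one phone per access port is assumed
            findings.add((port, "multiple MACs on one access port"))
    return sorted(findings)

if __name__ == "__main__":
    for subject, reason in audit(FLOWS, INVENTORY, ACTIVE_CALLS):
        print(f"{subject}: {reason}")
```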
Methods to Secure VOIP Systems
Utilize Smart Switches
Keep VOIP Terminals on Dedicated Networks and Gateways
Do Not Integrate in Data Networks
Lockdown Instrument Firmware
• Disallow Firmware Updates
Cardinal Rule
Convenience and Privacy are Inversely Proportional™
Questions?
Thank You