Transcript Slide 1

Security-Assessment
.com
Hacking VoIP
Is your Conversation confidential?
by Nick von Dadelszen and Darren Bilby
Copyright Security-Assessment.com 2004
VoIP Trends
• VoIP is becoming more popular and use will increase in future
• Many ISPs and telcos are starting to offer VoIP services
• Like most other phone calls, it is presumed to be confidential
Types of Phones
• SoftPhone
• HardPhone
Typical VoIP Architecture
Attacks Against VoIP
• Multiple attack avenues:
– Standard traffic capture attacks
– Bootp attacks
– Phone-based vulnerabilities
– Management interface attacks
Consequences of Attacks
• Consequences of VoIP attacks include:
– Listening or recording phone calls
– Injecting content into phone calls
– Spoofing caller ID
– Crashing phones
– Denying phone service
– VoIP Spamming
VoIP Protocols
• H.323
– Earlier protocol, though still used today
– Provides for encryption and authentication of data
• SIP
– Digest authentication based on HTTP, but often not enabled
– No encryption
• MGCP
– Relies on IPSEC for security, but most current phones don't support IPSEC
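Added example (not part of the original slides): a defender-side audit of captured SIP signalling that flags REGISTER or INVITE requests the server accepted with no digest credentials, which is the "not enabled" case from the SIP bullet above. The sample messages, hosts and function names are constructed for illustration; the sketch assumes messages arrive in capture order and use full header names rather than SIP compact forms.

```python
import re

# Constructed sample signalling (not a real capture); hosts use example.com.
SAMPLE = [
    "REGISTER sip:pbx.example.com SIP/2.0\r\nCall-ID: a1\r\nCSeq: 1 REGISTER\r\n\r\n",
    "SIP/2.0 200 OK\r\nCall-ID: a1\r\nCSeq: 1 REGISTER\r\n\r\n",
    "REGISTER sip:pbx.example.com SIP/2.0\r\nCall-ID: b2\r\nCSeq: 1 REGISTER\r\n\r\n",
    "SIP/2.0 401 Unauthorized\r\nCall-ID: b2\r\nCSeq: 1 REGISTER\r\n"
    'WWW-Authenticate: Digest realm="example.com", nonce="abc123"\r\n\r\n',
    "REGISTER sip:pbx.example.com SIP/2.0\r\nCall-ID: b2\r\nCSeq: 2 REGISTER\r\n"
    'Authorization: Digest username="alice", realm="example.com", nonce="abc123", '
    'uri="sip:pbx.example.com", response="0123456789abcdef0123456789abcdef"\r\n\r\n',
    "SIP/2.0 200 OK\r\nCall-ID: b2\r\nCSeq: 2 REGISTER\r\n\r\n",
]

def parse(msg):
    """Return (start line, {lower-cased header name: value}) for one SIP message."""
    head = msg.split("\r\n\r\n", 1)[0].split("\r\n")
    hdrs = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    return head[0], hdrs

def unauthenticated_accepts(messages, methods=("REGISTER", "INVITE")):
    """List (Call-ID, CSeq) of requests that got a 2xx without digest credentials."""
    requests = {}   # (call-id, cseq) -> True if the request carried digest credentials
    findings = []
    for msg in messages:
        start, hdrs = parse(msg)
        key = (hdrs.get("call-id"), hdrs.get("cseq"))
        status = re.match(r"SIP/2\.0 (\d{3})", start)
        if status is None:                      # a request line, not a response
            if start.split(" ", 1)[0] in methods:
                creds = hdrs.get("authorization") or hdrs.get("proxy-authorization") or ""
                requests[key] = creds.lower().startswith("digest")
        elif status.group(1).startswith("2") and requests.get(key) is False:
            findings.append(key)                # accepted with no challenge and no credentials
    return findings

if __name__ == "__main__":
    for call_id, cseq in unauthenticated_accepts(SAMPLE):
        print(f"accepted without digest auth: Call-ID={call_id} CSeq={cseq}")
```

A transaction that is challenged with 401 and then retried with an Authorization header is not reported; only the request accepted outright is.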
Use of VLANs
• Cisco recommends separate VLANs for data and voice traffic
• To ease implementation, many phones allow sharing of network connections with desktop PCs
• VoIP allows the use of SoftPhones installed on desktop PCs
• Voice traffic therefore cannot be separated from the rest of the network
Capturing VoIP Data
• Ethereal has built-in support for some VoIP protocols
• Has the ability to capture VoIP traffic
• Can dump some forms of VoIP traffic directly to WAV files.
Audio Capture
Other Tools
• Vomit
– Injects wave files into VoIP conversations
• Tourettes
– Written by a staff member of a customer for fun
– Injects random swear words into a conversation
Example Phone Exploit
• CAN-2002-0769
• Cisco ATA-186 Web interface could reveal sensitive information
• Sending a POST request consisting of one byte to the HTTP interface of the adapter reveals the full configuration of the phone, including the administrator password
• IP Phones – Another thing to patch!
Caller ID Spoofing
• Caller ID is based on a Calling Party Number (CPN)
• This is always sent when a call is placed
• A privacy flag tells the receiver whether to show the number or not
• Have always been able to spoof Caller ID but needed expensive PBX equipment to do so.
• With VoIP PBX software, spoofing is easier
• Has repercussions for phone authentication