Transcript Slide 1
Security-Assessment .com Hacking VoIP Is your Conversation confidential? by Nick von Dadelszen and Darren Bilby Copyright Security-Assessment.com 2004 Security-Assessment .com VoIP Trends • VOIP becoming more popular and will increase in future • Many ISPs and Teleco’s starting to offer VoIP services • Like most other phone calls, it is presumed to be confidential Copyright Security-Assessment.com 2004 Security-Assessment .com Types of Phones • SoftPhone • HardPhone Copyright Security-Assessment.com 2004 Security-Assessment .com Typical VoIP Architecture Copyright Security-Assessment.com 2004 Security-Assessment .com Attacks Against VoIP • Multiple attack avenues: – Standard traffic capture attacks – Bootp attacks – Phone-based vulnerabilities – Management interface attacks Copyright Security-Assessment.com 2004 Security-Assessment .com Consequences of Attacks • Consequences of VoIP attacks include: – Listening or recording phone calls – Injecting content into phone calls – Spoofing caller ID – Crashing phones – Denying phone service – VoIP Spamming Copyright Security-Assessment.com 2004 Security-Assessment .com VoIP Protocols • H.323 – Earlier protocol used, though still used today – Provides for encryption and authentication of data • SIP – Digest authentication based on HTTP, but many times not enabled – No encryption • MGCP – Relies on IPSEC for security, but most current phones don’t support IPSEC Copyright Security-Assessment.com 2004 Security-Assessment .com Use of VLANS • Cisco recommends separate VLANs for data and voice traffic • To ease implementation, many phones allow sharing of network connections with desktop PCs • VoIP allows the use of SoftPhones installed on desktop PCs • Therefore cannot separate voice traffic from the rest of the network Copyright Security-Assessment.com 2004 Security-Assessment .com Capturing VoIP Data • Ethereal has built-in support for some VoIP protocols • Has the ability to capture VoIP traffic • Can dump some forms of VoIP traffic directly to WAV files. Copyright Security-Assessment.com 2004 Security-Assessment .com Copyright Security-Assessment.com 2004 Security-Assessment .com Copyright Security-Assessment.com 2004 Security-Assessment .com Audio Capture Copyright Security-Assessment.com 2004 Security-Assessment .com Other Tools • Vomit – Injects wave files into VoIP conversations • Tourettes – Written by a staff member of a customer for fun – Injects random swear words into a conversation Copyright Security-Assessment.com 2004 Security-Assessment .com Example Phone Exploit • CAN-2002-0769 • Cisco ATA-186 Web interface could reveal sensitive information • Sending a POST request consisting of one byte to the HTTP interface of the adapter reveals the full configuration of the phone, including administrator password • IP Phones – Another thing to patch! Copyright Security-Assessment.com 2004 Security-Assessment .com Caller ID Spoofing • Caller ID is based on a Calling Party Number (CPN) • This is always sent when a call is placed • A privacy flag tells the receiver whether to show the number or not • Have always been able to spoof Caller ID but needed expensive PBX equipment to do so. • With VoIP PBX software, spoofing is easier • Has repercussions for phone authentication Copyright Security-Assessment.com 2004