Scribd Logo
Upload

Welcome to Scribd!

  • Voip Security 2007 v1 0 Final 090724001214 Phpapp01

    Uploaded by

    Dayanand Prabhakar
    20 views24 pages
    Attacks and countermeasures in the Corporate World. Many of the threats against VoIP are the same threats inherited from the data networking world. Eavesdropping - unauthorised interception of voice packets Impersonation - masquerading as a handset or a piece of VoIP infrastructure.

    Original Description:

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Attacks and countermeasures in the Corporate World. Many of the threats against VoIP are the same threats inherited from the data networking world. Eavesdropping - unauthorised interception of voice packets Impersonation - masquerading as a handset or a piece of VoIP infrastructure.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    20 views24 pages

    Voip Security 2007 v1 0 Final 090724001214 Phpapp01

    Uploaded by

    Dayanand Prabhakar
    Attacks and countermeasures in the Corporate World. Many of the threats against VoIP are the same threats inherited from the data networking world. Eavesdropping - unauthorised interception of voice packets Impersonation - masquerading as a handset or a piece of VoIP infrastructure.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 24

    VoIP: Attacks & Countermeasures in the Corporate World

    1 Sense of Security 2007

    www.senseofsecurity.com

    AusCERT - May 2007

    VoIP Security

    Agenda
    Introduction Typical VoIP Network Architecture Anatomy of VoIP Attacks Demo of a few VoIP Attacks Countermeasures

    2 Sense of Security 2007

    www.senseofsecurity.com

    AusCERT - May 2007

    VoIP Security

    Introduction
    Historically trends and advances in IT outpace security requirements. e.g. 802.11 Wireless. VoIP is the same. Tools are becoming more readily available. Many of the threats against VoIP are the same threats inherited from the data networking world. e.g. eavesdropping, mitm, replay etc.

    3 Sense of Security 2007

    www.senseofsecurity.com

    AusCERT - May 2007

    VoIP Security

    Key Threats
    Denial of Service attacks against availability Eavesdropping - unauthorised interception of voice packets Impersonation
    masquerading as a handset or a piece of VoIP infrastructure

    4 Sense of Security 2007

    www.senseofsecurity.com

    AusCERT - May 2007

    VoIP Security

    Disclaimer
    The techniques demonstrated are not vendor specific. Our attacks are against an out of the box or default implementation of VoIP. We are not responsible for what you do with the tools and techniques demonstrated!

    5 Sense of Security 2007

    www.senseofsecurity.com

    AusCERT - May 2007

    VoIP Security Typical Cisco VoIP Implementation


    CISCO IP PHONE
    7941SERIES

    1 4 7

    ABC

    2 5 8

    DEF

    3 6 9 #

    GHI

    JKL

    MNO
    +

    PQRS

    TUV

    WXYZ

    OPER

    IP Phone #1 x 1000 IP Phone #2 x 2000

    11

    13

    15

    17

    19

    21

    23 1

    CATALYST 3550
    2

    SYSTEM RPS STAT UTIL DUPLEX SPEED

    10

    12

    14

    16

    18

    20

    22

    24

    IP Phone #3 x 3000

    Cisco Call Manager v4.X

    Data VLAN 2
    6 Sense of Security 2007

    Voice VLAN 6
    www.senseofsecurity.com AusCERT - May 2007

    VoIP Security

    Anatomy of Attack Impersonation


    Step 1: Determine MAC address of handset Step 2: Change MAC address on PC Step 3: Use Softphone to make a call as that extension

    7 Sense of Security 2007

    www.senseofsecurity.com

    AusCERT - May 2007

    VoIP Security

    Anatomy of Attack - Eavesdropping


    Step 1: Gather initial information Step 2: Get access to voice VLAN Step 3: Locate phone targets Step 4: Execute ARP poisoning attack and record voice call

    8 Sense of Security 2007

    www.senseofsecurity.com

    AusCERT - May 2007

    VoIP Security Information Gathering


    Cisco phone information disclosure

    IP addresses: DHCP, Call Manager, TFTP, DNS Servers

    9 Sense of Security 2007

    www.senseofsecurity.com

    AusCERT - May 2007

    VoIP Security
    Plug into the PC port and sniff!

    10 Sense of Security 2007

    www.senseofsecurity.com

    AusCERT - May 2007

    VoIP Security

    Get on the Voice Network


    Use the info we have gathered to get on the Voice VLAN. Configure the network adapter to tag all ethernet frames with the voice VLAN. Voila! We are on the voice VLAN. Now we can attack any system on the voice network.

    11 Sense of Security 2007

    www.senseofsecurity.com

    AusCERT - May 2007

    VoIP Security MITM Attack ARP Theory

    11

    13

    15

    17

    19

    21

    23 1

    CATALYST 3550
    2

    SYSTEM RPS STAT UTIL DUPLEX SPEED

    10

    12

    14

    16

    18

    20

    22

    24

    12 Sense of Security 2007

    www.senseofsecurity.com

    AusCERT - May 2007

    VoIP Security MITM Attack - ARP Poisoning Theory


    Attackers PC IP: 10.6.0.40 MAC: D

    IP Phone #2 IP: 10.6.0.20 MAC: B

    11

    13

    15

    17

    19

    21

    23 1

    CATALYST 3550
    2

    SYSTEM RPS STAT UTIL DUPLEX SPEED

    10

    12

    14

    16

    18

    20

    22

    24

    IP Phone #3 IP: 10.6.0.30 MAC: C

    13 Sense of Security 2007

    www.senseofsecurity.com

    AusCERT - May 2007

    VoIP Security

    MITM Attack Execution


    Start Cain & Abel and configure ARP poisoning. Cain & Abel also has the capability to record a call. Sit back and wait!

    14 Sense of Security 2007

    www.senseofsecurity.com

    AusCERT - May 2007

    VoIP Security

    Game Over!

    15 Sense of Security 2007

    www.senseofsecurity.com

    AusCERT - May 2007

    VoIP Security

    Some Attack Possibilities..


    Telephone banking / Voicemail PIN disclosure Insertion of audio into conversation Real-time voicemail capture

    16 Sense of Security 2007

    www.senseofsecurity.com

    AusCERT - May 2007

    VoIP Security

    Compromising the PIN


    Telephone banking requires a user to enter a customer number and PIN using the touchpad. Each number pressed sends a unique tone which is interpreted by the end system.

    17 Sense of Security 2007

    www.senseofsecurity.com

    AusCERT - May 2007

    VoIP Security

    18 Sense of Security 2007

    www.senseofsecurity.com

    AusCERT - May 2007

    VoIP Security
    But which buttons were pressed?

    19 Sense of Security 2007

    www.senseofsecurity.com

    AusCERT - May 2007

    VoIP Security

    Countermeasures
    Cisco Switch: Enable DHCP Snooping Enable Dynamic ARP Inspection Enable IP Sourceguard Enable Port Security Implement VLAN ACLs Implement 802.1x

    20 Sense of Security 2007

    www.senseofsecurity.com

    AusCERT - May 2007

    VoIP Security

    Countermeasures (cont.d)
    Cisco Call Manager: (Not without some side effects!) Disable Settings button on phone Disable Span to PC port Disable Gratuitous ARP Disable PC Voice VLAN Access Configure Signaling & Media Encryption!

    21 Sense of Security 2007

    www.senseofsecurity.com

    AusCERT - May 2007

    VoIP Security How Real is the Threat in Australia?


    One Australian organisation suffers a major telephone hack each and every day. AusCERT Computer Crime and Security Survey 2006 shows average value of loss of over $60,000. The largest phone hack on record is $1.7M. 97% not reported due to risk of adverse publicity. Threat to phone service - how would your business cope without phones for an entire day? Telstra, Optus and Macquarie Telecom have written to clients warning of the dangers and confirming the customer is liable.
    22 Sense of Security 2007 www.senseofsecurity.com AusCERT - May 2007

    VoIP Security

    Conclusion
    Most current implementations of VoIP are insecure. VoIP can be secured with the right know how. The only way to know if your implementation is secure is to have it audited by independent experts.

    23 Sense of Security 2007

    www.senseofsecurity.com

    AusCERT - May 2007

    VoIP Security

    Questions?
    Contact: Jason Edelstein T: +61 2 9290 4441 E: jasone@senseofsecurity.com.au www.senseofsecurity.com.au

    24 Sense of Security 2007

    www.senseofsecurity.com

    AusCERT - May 2007

    You might also like