Monthly Archives: October 2006

Additional VoIP Attack Tools

David Endler and I posted several new tools on our “Hacking Exposed” website, We also provided updates and better README files for some of the existing tools. Here is a quick summary of the new tools:

  • rtpinsertsound/rtpmixsound – these tools take the contents of a .wav or tcpdump format file and insert or mix in the sound. These tools require access (sniffing of the VoIP traffic but not necessarily MITM) to the RTP stream, so they can properly craft sequence numbers, timestamps, etc. rtpinsertsound, with the right timing, can be used to add words or phrases to a conversation. rtpmixsound can be used to merge in background audio, like noise, sounds from a “gentlemans club”, curse words, etc., etc. These tools have been tested in a variety of vendor environments and work in pretty much any environment, where encryption isn’t used.
  • redirectpoison – this tool works in a SIP signaling environment, to monitor for an INVITE request and respond with a SIP redirect response, causing the issuing system to direct a new INVITE to another location. This tool requires access to the SIP signaling, but does not require a MITM (Man-in-the-middle attack). We tested this tool with the Asterisk and SER SIP proxies, along with a variety of SIP phones.
  • spitter – this tool works in conjunction with Asterisk, to set up a voice SPAM/SPIT generation platform. Once Asterisk is set up, spitter is used to schedule any number of calls, using your choice of audio files.

The tools come with README files, so they should be pretty easy to use. Please let us know what you think. We are particularly interested in results for the rtpxxxsound tools. A number of us “security experts” have been warning of these attacks, but this is the first set of tools I have seen that actually accomplish them.

Looking To The Past

Nothing to do with VoIP, but security minded people might be interested in this.  At the Victoria & Albert Museum (V&A) in London, I saw this mechanical indicator lock:

Indicator Lock

This device has two counters integrated into the lock: one is a dummy, and the other counts the number of times that the lock has been opened, allowing you to carefully monitor access to your piles of gold, kidnapped princesses, battle plans, and other precious posessions.

It’s very easy to fall into the conceit of thinking that security is a modern concern, but devices like this have been around for centuries.

VoIP Phone Vulnerabilities

At the IP’06 event in London recently, I heard Tom Cross of Internet Security Solutions present on VoIP Security, and some of types of threats to VoIP phones.  Those of you that have listened to the Bluebox Podcast will have heard Dan York, Jonathan Zar and Shawn Merdinger talk about the threats to phone handsets before.  Some of these devices ship from the factory in an unsafe state, with security holes like remote configuration backdoors and TFTP servers running on the phone.  Often if there are usernames and passwords they can be weak combinations like ‘1’ and 1′ or ‘root’ with no password.  Often users do not know that these back doors are open, and the software does not force you to change from default or factory passwords.

The cost of not closing these security holes is that someone could remotely hack into the phone, and once in control of the phone could trace or record phone calls; mount a denial-of-service attack such as repeatedly reboot the phone; or hijack the phone in order to make calls at your cost.  So Tom’s advice was to make sure that VoIP phones are not accessible to the Internet, so they can’t be attacked from outside.

In many ways the PBX is a dinosaur these days, since it is solving problems we no longer have.  For example VoIP phones have built in dialling directories, so we don’t need a special abbreviated dialling system inside the company; VoIP softphones can have their own voicemail functionality, so we don’t need the PBX to do that.  Also traditionally, the PBX has been the device that shares out and manages the expensive, limited resources, the telco trunk lines, and increasingly PBXes don’t need to do that either, often sitting just on a LAN or LANs.  However, thinking about Tom’s words, the security aspect is a whole new reason to buy PBXes, as any device that can limit the exposure of SIP phones to attack is going to be of benefit.




Archive of Telecom Junkies podcast on VoIP fraud now available

Back in July, I participated in a Telecom Junkies podcast discussing the then-current Pena/Moore VoIP fraud case. At the time, the Voice Report team had a website that only showed the current episode, i.e. if you missed the appearance of the episode on the home page, there was no easy way to go back and listen to older episodes.That is changed now. They do have permalinks for episodes and you can get an archive of older episodes. And so… ta da… you can now listen to the episode that we did back in July about the VoIP fraud case. Check it out if you are interested in that case. (Which we have subsequently discussed in a Blue Box episode where we recounted that Edwin Pena is now a fugitive on the run!)

Blue Box Podcast #42 – VoIP service provider security, Skype security, government spyware and more

Blue Box Podcast #42 is now available and covers a range of topics, including the security (or lack thereof) of VoIP service providers, news from the Internet Telephony conference, Skype security and the usual other VoIP security news, listener comments, etc.

All Quiet On The Western Front

I just stumbled across an interesting article about the use of VoIP in the battlefield. Looking at it from a security point-of-view, you can see that they have all the problems of civilian VoIP, but the consequences of failure could be much higher.

To take some examples: A successful denial-of-service attach could disable battlefield communication; Defeating the encryption system could result in eavesdropping, and the gathering of strategic intelligence; Failures in authentication could result in an enemy posing as your troops, inserting their own disinformation, or perhaps they could make accredited troops fail to attach to the voice network. Network hijacking could also be a problem, where they piggyback on your network to use its resources and equipment to pass their own data.

Certainly a lot of threats to counter. I’ve heard it said that military technology is 10 years ahead of civilian technology. I’m hoping that’s true in this case, and that there’s a lot of good stuff that we can benefit from in the next few years.

Blue Box Podcast – “Intro to VoIP Security” panel at Internet Telephony

Over at Blue Box, I have just uploaded a podcast of the “Intro to VoIP Security” panel at the Internet Telephony conference last week in San Diego, CA. Moderated by Ken Camp, the panel provided a good introduction to the basic issues related to VoIP security.

This is the first of several panel sessions related to VoIP security that we will be making available through the podcast feed. We thank Rich Tehrani and the rest of the TMCNet staff for allowing us to record the sessions. Thanks also to Ken Camp for his assistance and to all the panelists who gave their permission to be recorded as well.

Just Plain Cuckoo

According to news in PC Pro magazine, authorities in Switzerland have come up with an unorthodox plan to tackle call tapping of Skype and other VoIP users.  VoIP calls can be end-to-end encrypted, which means that tapping on the Internet itself is often not practical.  For example Skype use an undisclosed encryption algorithm and key exchange system.  Phil Zimmermann’s Zfone employs perfect secrecy so that the conversation cannot even be listened to later offline when the encryption key has been obtained.

So the Swiss plan?  Tap the calls on the PC, by means of installing some kind of trojan to tap into the audio stream before it is encrypted.  It would be installed either by the authorities or remotely by the ISP.

Now, this is a daft idea on so many different levels that it’s hard to know where to begin.  In an ordered society like Switzerland you could expect a high level of compliance with this kind of procedure.  Unfortunately, the ones that won’t comply (for example malevolent hackers; gangsters; terrorists) are probably the ones that you are most interested in gathering intelligence about.  Secondly, it’s a gift for criminals, since if you leave a backdoor open, the PC already compromised, then someone will likely exploit this for criminal purposes.

With the right software in place, audio could be relayed in from elsewhere, allowing criminals to make calls “on your phone”, possibly implicating you in a crime.  Similarly, audio could be relayed out, so that those outside the government service could tap your phone, a boon to tabloid newspapers and blackmailers.

Finally, in a world of ever more mobile users, is this approach even practical?  Mobile users with GPRS in their phone or PDA can connect to the Internet without even touching a Swiss ISP.  Crime doesn’t necessarily stop at borders these days, couldn’t criminals just be in and out of the country before the G-Man sneaks some tapping software onto their laptop?



Talk to the Hand

We’ve written here before about Phil Zimmermann’s Zfone and the ZRTP protocol, but what exactly does an encrypted phone call sound like?  Well, here is a sample, captured with Wireshark and converted to MP3 for your audio pleasure with Goldwave.

Now, if only Mr. Schwarzenegger can find a way to apply the same encryption to all of his MP3 recordings…