Monthly Archives: March 2007

Why Computerworld.au is dead wrong about “Enterprises must avoid IP telephony for teleworkers or face attack”

“Enterprises must avoid IP telephony for teleworkers or face attack”? Huh? The headline on this ComputerWorld.au article was just too much to believe. Why not simply say:

Enterprises must avoid using the Internet or face attack

Which is about as valid a headline. (And, on one level, it’s true – disconnected from the Internet you won’t be attacked from the Net!) The problem I have is that this headline lumps together both “smart” (secure) and “stupid” (insecure) IP telephony implementations.

Perhaps the headline annoys me most because I spend every day talking on a secure VoIP teleworker set, and because the ability to securely deploy an IP phone anywhere you can get an IP address is, to me, the “killer app” for VoIP. In fact, I have three such teleworker phones here on my desk (I have become a phone geek… they are all different models). What is so dreadfully wrong about the article headline is this one basic fact:

Almost all enterprise IP telephony vendors already have a solution today to allow secure teleworker deployment!

Okay, so full disclosure time – I was the product manager for Mitel when we rolled out our secure teleworker solution back in January 2003, so I’m just a wee bit biased here. But the reality is that all of us playing seriously in the enterprise IP telephony market have solutions, today, that solve this problem and let teleworkers work securely from wherever they are. Outside of Mitel, Cisco does. Avaya does. Nortel does. I’m sure the others do, too. You have to in order to be taken seriously.

Sadly, the headline and first paragraph are so wrong that it is tempting to dismiss the entire article, but the article actually contains some valid points. Let’s try it again with a new headline. Here’s how I might have written it:

Enterprises must avoid INSECURE IP telephony solutions for teleworkers or face attack

While that’s not as sexy and probably won’t attract as much “link love” as their strong statement, it’s much closer to the truth. For instance, if you were (or are) clueless enough to deploy a system on your network that is directly connected to the Internet that still uses the default passwords, then, I’m sorry, but you get the attacks your cluelessness deserves. Consider this quote:

“If users fail to change default settings, hackers can access a hole into the network by locating the VoIP Web server [on Google] and could find usernames and passwords in installation documentation from the vendor’s Web site,”

Yes, indeed. There are any number of sites that can tell you how to use Google to find IP phones, and default passwords are available on numerous sites around the net. The article does go on to talk about how IP phones could potentially, if compromised, be used to attack other systems. It provides a bit of a scare there in that it says you could log keystrokes for online banking… perhaps a bit of a stretch, but in truth there is at least one IP phone vendor out there that at one point included the ability to initiate a packet capture from the phone, so in that particular case it could indeed capture all packets and thereby keystrokes (from whatever PC was plugged into the phone’s second port, presumably). So yes, that kind of thing is possible. And the article concludes with valid advice:

…the solution is to disable VoIP Web servers, change default usernames, passwords and voicemail greetings.

All excellent advice that should be part of a standard “defense in depth” plan that looks at how you secure the overall system.

Yes, if you cobble together some IP telephony solution for teleworkers without thinking about security, you could and probably will face attacks. I could see someone putting a SIP proxy server on the edge of a network and giving teleworking employees a free SIP softphone or cheap hard phone that doesn’t support secure SIP and SRTP, not realizing that all their voice and call signaling will be transmitted across the Internet in the clear. I could see someone sending the phones out to remote employees and not changing the password or using a simple password so that remote administration could be “simpler” and “more convenient”.

Do something that stupid and yes, you will be attacked.
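As an added example (not code from the original post or from any phone vendor), here is a small audit of a teleworker phone’s provisioning settings for exactly the mistakes described above: SIP signalling over UDP instead of TLS, no SRTP, an enabled web server, and a default or trivial admin password. The key names, default-password list and sample configs are constructed for illustration and do not follow any vendor’s format.

```python
# Constructed list of the kind of factory credentials printed in installation manuals.
DEFAULT_PASSWORDS = {"admin", "password", "1234", "0000", "root", ""}

# Constructed sample configs: the insecure deployment the post describes, and a hardened one.
WEAK_CONFIG = """
sip.transport = udp          # signalling in the clear across the Internet
rtp.srtp = off               # media in the clear
web.server = on              # management interface reachable from anywhere
admin.user = admin
admin.password = admin       # never changed from the manual
"""
HARDENED_CONFIG = """
sip.transport = tls
rtp.srtp = required
web.server = off
admin.user = admin
admin.password = Xk9-Lq2vVw7wRt4p
"""

def parse_provisioning(text):
    """Parse 'key = value' lines; blank lines and '#' comments are ignored, keys are lower-cased."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip().lower()] = value.strip()
    return cfg

def audit(cfg):
    """Return a list of (severity, finding) tuples; an empty list means nothing was flagged."""
    findings = []
    transport = cfg.get("sip.transport", "udp").lower()      # most phones default to cleartext UDP
    if transport != "tls":
        findings.append(("HIGH", f"SIP over {transport}: registrations and call setup cross the Internet in the clear"))
    srtp = cfg.get("rtp.srtp", "off").lower()
    if srtp != "required":                                   # 'optional' still allows a cleartext downgrade
        findings.append(("HIGH", f"SRTP is '{srtp}': audio can be captured or injected in transit"))
    elif transport != "tls":
        findings.append(("MEDIUM", "SRTP keys travel in SIP/SDP; without TLS they are visible on the wire"))
    if cfg.get("web.server", "on").lower() != "off":
        findings.append(("HIGH", "embedded web server enabled: a discoverable remote management interface"))
    user, pw = cfg.get("admin.user", "admin"), cfg.get("admin.password", "")
    if pw.lower() in DEFAULT_PASSWORDS or pw == user or len(pw) < 12:
        findings.append(("CRITICAL", "admin password is a vendor default, equals the username, or is too short"))
    return findings
```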

But just because people can deploy clueless and insecure IP telephony teleworker solutions doesn’t mean that they will, nor does it mean that those insecure solutions are the only ones out there. Just Google “teleworker solution” and you’ll see loads of options, almost all of which offer security as a critical component.

Anyone deploying IP telephony in the enterprise today does have solutions for secure teleworker deployments… so don’t avoid IP telephony for teleworkers… embrace it. Putting an IP phone securely anywhere you can get an IP address (and sufficient connectivity) is just about the coolest thing you can do with VoIP – and it opens up so many possibilities once you start to understand the full ramifications of disconnecting a corporate extension from any lock to geography.

So, ComputerWorld Australia, your article was more-or-less okay, but your headline was dead wrong. (Unless, of course, you were consciously trying to annoy people like me and get us to point to your article… in which case it succeeded.)

New Hacking for Traditional Networks

I was intrigued by a talk advertised for the upcoming Black Hat Europe 2007 conference about hacking SS7.  Philippe Langlois will talk about SCTPscan – Finding entry points to SS7 Networks & Telecommunication Backbones, and as he says:

“SCTP is the protocol used to carry all telecom signalling information on IP according to the SIGTRAN protocol suite. It’s the foundation, as TCP is the foundation for the web and email.”

SS7 has been largely a secret world, a private network of networks for signaling voice calls across all the world’s cellcos and telcos. In traditional SS7, all the links are achieved with T1 or E1 pipes, and there’s no opportunity to get access to this signalling backbone.

However, SIGTRAN effectively uses an IP network as a transport system for signalling, doing away with the need for T1/E1 links and specialized hardware. SCTP is the protocol used instead of TCP or UDP for this purpose. So from a hacker’s point of view, SCTP is a pipe that can be scanned and exploited in order to get access to telco resources.

Increasingly, as NGNs are interconnected with traditional networks, tools like SIGTRAN will be used to allow different IP architectures to co-exist. So, as Langlois implies, a hacker can write special tools that spoof higher protocol layers like M3UA, ISUP and TCAP to explore or interfere with the operation of SS7. This is a potential danger because normally a high degree of trust exists between different SS7 network operators: when they interconnect, they do so in the understanding that each party will “behave nicely”.

In the Internet world, of course, there is no guarantee of “niceness”, and SIGTRAN links need to be locked down with tools like firewalls. In an ideal world, SCTP would be the only protocol allowed through on SIGTRAN links, and furthermore each party should have checks on the source addresses that are allowed to send messages and interact with SS7 service elements. You would normally expect that SIGTRAN links (into SS7 backbones) could not be accessed or routed to from anywhere on the public network, but of course routing and Ethernet switching errors can occur, accidentally connecting segments that should not be.
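As an added example (not from the post, and not part of SCTPscan), here is a minimal ingress policy check of the kind described above, run over constructed packets: only SCTP is accepted on the link, only from an allowlist of known signalling peers, and only to the SIGTRAN ports expected there, with a sanity check on INIT chunks so that a stray association attempt from an allowed peer is still visible. The peer addresses are hypothetical; IPv4 without options is assumed and IP/SCTP checksums are not verified.

```python
import struct
from ipaddress import ip_address

IPPROTO_SCTP = 132
M3UA_PORT, SUA_PORT = 2905, 14001      # IANA-registered SIGTRAN ports
SCTP_INIT = 1                          # SCTP chunk type code (RFC 4960)

# Hypothetical addresses of the peer STPs / signalling gateways permitted on this link.
ALLOWED_PEERS = {"192.0.2.10", "198.51.100.7"}
ALLOWED_PORTS = {M3UA_PORT, SUA_PORT}

def build_ipv4_sctp(src, dst, sport, dport, chunk_type):
    """Construct a test packet: 20-byte IPv4 header, 12-byte SCTP common header and
    one empty chunk.  Checksums stay zero because the checker never verifies them."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 0, 0, 64, IPPROTO_SCTP, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    sctp = struct.pack("!HHII", sport, dport, 0, 0)   # verification tag 0, as INIT requires
    chunk = struct.pack("!BBH", chunk_type, 0, 4)
    return ip + sctp + chunk

def sigtran_ingress(packet):
    """Decide whether a packet arriving on the SIGTRAN link may reach the SS7 elements.
    Returns (verdict, reason)."""
    if len(packet) < 20:
        return ("DROP", "truncated IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = str(ip_address(packet[12:16]))
    if proto != IPPROTO_SCTP:                       # only SCTP belongs on this link
        return ("DROP", f"non-SCTP protocol {proto}")
    if src not in ALLOWED_PEERS:                    # source-address check per peer
        return ("DROP", f"unknown signalling peer {src}")
    if len(packet) < ihl + 16:
        return ("DROP", "truncated SCTP header")
    sport, dport, vtag, _csum = struct.unpack("!HHII", packet[ihl:ihl + 12])
    chunk_type = packet[ihl + 12]
    if dport not in ALLOWED_PORTS:                  # a known peer should not be probing other ports
        return ("DROP", f"unexpected SCTP port {dport}")
    if chunk_type == SCTP_INIT and vtag != 0:       # RFC 4960: INIT must carry verification tag 0
        return ("DROP", "INIT with non-zero verification tag")
    return ("ACCEPT", f"SCTP {src}:{sport} -> port {dport}, chunk type {chunk_type}")
```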

However, SS7 has some advantages on its side in this war. Firstly, it is a complex set of protocols, and most hackers will not have any “hands-on” experience that will help them find weaknesses in the network. Also, SS7 networks in practice use a system called global title addressing, which means that co-operating networks can use each other’s services without needing to know the internal construction of the network. This helps prevent outsiders from understanding how a network is put together.

Whatever the pros and cons, we should not be complacent, and I’m sure the traditional telcos will not be, since money is at stake. We can be sure that on the Internet, if something can be hacked, someone will try to hack it.