Voice of VOIPSA » Shawn Merdinger

Shodan: Computer Search Engine and VoIP Devices

Shawn Merdinger — Thu, 07 Jan 2010 18:54:22 +0000

Most of us are familiar with the information disclosure risks associated with devices like phones and ATAs on the Internet, and this has been mentioned in presentations like Endler/Collier at BlackHat in 2006. However, the recent emergence of Shodan significantly raises the exposure of these devices, especially embedded systems.

Shodan bills itself as a “Computer Search Engine” and some folks have raised questions about the impact, ethics, etc. So far, Shodan has remained under-the-radar, but I expect we’ll see more coverage and questioning of what value-add this service provides to security efforts.

A few simple searches of Shodan will provide the reader more insight of the capabilities of this service. Bear in mind that searches can get much more specific. Also, Shodan is growing, and it’s worth re-visiting the site to gain better perspective of updates.

Example searches:

1. VOIP — http://shodan.surtri.com/?q=voip
2. Nortel — http://shodan.surtri.com/?q=nortel
3. Mitel — http://shodan.surtri.com/?q=mitel
4. .mil — http://shodan.surtri.com/?q=.mil
5. SCADA — http://shodan.surtri.com/?q=scada

Stoned Bootkit

Shawn Merdinger — Wed, 09 Sep 2009 14:22:04 +0000

Typically I don’t follow the deluge of Windows rootkits available because the sheer number and variety make diligently understanding all of them more than fairly daunting. After all, given limited resources, one must choose their battles and specialties in the security field.

That said, occasionally a Windows rootkit surfaces that is so mean, nasty and downright cool, that it becomes a must-know. Such is the case with the newest release of Stoned Bootkit. Be sure to go to their site and check it out, along with the paper, but here are a few highlights:

Attacks Windows XP, Sever 2003, Windows Vista, Windows 7 with one single master boot record

Attacks TrueCrypt full volume encryption

Has integrated FAT and NTFS drivers

Has an integrated structure for plugins and boot applications (for future development

Understanding the threats that Windows rootkits like this pose to VoIP security, especially on end users, is key.

Home Medical Devices and VoIP Security

Shawn Merdinger — Wed, 02 Sep 2009 17:10:57 +0000

With all the hubbub surrounding medical insurance reform, town hall meetings, and other ~~distractions~~ events it’s worthwhile looking at some of the technical medical devices coming into the marketplace to be placed in patients’ homes, connected to their broadband internet connection.

Of several products in the patient home monitoring space, the Intel Health Guide PHS 6000 is perhaps one of the better positioned to garner marketshare because of several factors: including the size of Intel, on-going placement of the PHS 6000 in settings, and FDA approval in July, 2008.

Of the many PHS 6000 features, the device also supports two-way video conferencing between patient and caregiver. As this communication takes place over the broadband connection, it’s reasonable to assume that some sort of VoIP software is in place. Of course, details at this point are thin, and it’s even hard to get a real handle on what the PHS 6000 operating system really is, with some reports indicating Microsoft Windows XP, and others indicating a embedded Linux derivative. Still, it looks like there is a VoIP stack, and it’s likely SIP-based.

Clearly, the importance of the security of devices like the Intel PHS 6000 is apparent. And with the growing interest and funding towards cost-reduction and tele-health, we can expect to see these types of devices deployed widely. But what of the security posture? Sure, there’s boasting of encryption for the connection, but features like SSL mean little in the face of real attacks and vulnerabilities — think SSL encryption downgrade attacks, spoofing and man-in-the-middle vectors to start.

To get the word out, I’ve started a LinkedIn group called MedSec to get together like-minded, talented security people with an interest in medical device security. I’ve been chumming the waters with this approach in the hopes that the right people with the right connections conduct proper security evaluations of this PHS 6000 device, and it’s back-end management system as well. Of course, if approached, I’m interested in some hand’s on time too

Something Old, Something New: Nmap’s VoIP Fingerprinting

Shawn Merdinger — Wed, 12 Aug 2009 21:53:51 +0000

Over time, it’s easy to become a bit out of touch with security tools. With new tools arriving on the scene daily, and updates to established tools occurring frequently, the deluge of information can be overwhelming; not to mention all of the other security fodder we process.

That said, I find it encouraging to revisit some of the really established tools to see what changes and improvements are in place. Nmap is without a doubt the classic security tool in every aspect, from quality, to longevity, to street credibility. Even Hollywood has clue when it comes to Nmap, as evidenced in Matrix, Bourne, and Die Hard films with Nmap showing up on someone’s computer screen!

One of my favorite Nmap features is the OS Identification and Application Fingerprinting capabilities. In part, this type of identification relies on the Nmap community scanning known devices and submitting signatures to be added to the Nmap databases (service probes, OS, etc.).

As of 21 July, 2009, the Nmap OS database has the following VoIP device Fingerprints:

Also, it’s well worth taking a look at the VoIP devices identified in the Nmap Service Probes database as services that identify a VoIP device do not necessarily mean that the VoIP device has a fingerprint. In other words, there are VoIP devices in the Service Probes database that are not in the OS Fingerprint database, so look carefully!

For even more coolness, be sure to check out the NSE.

Wrapping-up, I’ve nothing less than mad props for Fyodor and all of the other folks who’ve contributed to this fantastic tool. Nmap was one of the first tools I used 10 years ago when first cutting my teeth in security, and remarkably, is a tool that I continue to use almost daily.

First 911 Center to support SMS

Shawn Merdinger — Fri, 07 Aug 2009 20:32:01 +0000

Recently multiple news outlets reported on Waterloo, Iowa’s Black Hawk County 911 center’s new SMS capability.

While this subject is not specifically VoIP security, considering the blending of communications methods and the importance of 911 call centers I figure that SMS in this context is fair game for a VOIPSA Blog post.

Several security implications surrounding this new 911 SMS capability come to mind:

Time Delays in SMS transmissions – we’ve all experienced some delay, from marginal to extended, when it comes to sending and receiving SMS messages. What remains unclear from reports is if the carriers supporting 911 SMS in Black Hawk County give SMS to 911 communication priority network access, either initially and/or throughout the entire SMS dialog.

Lingo – SMS messages are limited to 160 characters. As a result, acronyms and texting lingo are pervasive. Reports say the 911 operators are brushing up on their texting lingo in preparation. I sure do hope they are using decent resources, such as TLLTMSIFW, so when HIOOC comes in IDGARA is the right response.

Flooding – sending mass amounts of SMS messages could adversely affect the call center’s operations. Using pre-paid phones, bluetooth dongles and simple software, an attacker with marginal resources could initiate this kind of attack with ease. How will 911 call centers handling SMS handle floods of SMS messages? The nuisance facter here should not be underestimated; here’s some good anecdotal experience

SMS Spoofing – with the advent of various spoofing services, we’ve seen the types of attacks that can leverage spoofing. SpoofCard time and again has unauthorized access to voicemail, and still an issue with some carrier’s default user settings. We can expect to see the same issues with SMS spoofing.

SMS Swatting – will likely be a byproduct of spoofing SMS messages to 911 call centers. However, the use of SMS brings a new twist to Swatting, since the spoofed SMS message will be tied to a cellular phone, rather than a fixed landline number, perhaps leading to mobile Swatting as law enforcement will need to track the mobile phone (GPS, triangulation) to gain physical proximity the the SMS origin.

MMS – while no mention is made in the news reports about MMS support at 911 call centers, I think it’s reasonable to assume that ability to handle multimedia messages is in the works. The implications of moving from 160 characters of text to multimedia messaging with attached video/photos are dramatic. Further, this opens new attack vectors in terms of how these multimedia files are processed and accessed (think trojan Flash, PNG, etc.).

I’ve only scratched the surface here of course, but hopefully this provides some food for thought — as always, comments welcome

Google Trends on VoIP Security

Shawn Merdinger — Tue, 28 Jul 2009 21:22:40 +0000

I’ve recently been using Google Trends for some research, and find it an interesting tool for, well, trending. Doing a Google Trends profile of VoIP Security shows an interesting tailing-off. So what’s the story? Is this just another case of “it’s all the same, nobody cares” in action?

GNUcitizen research discovery: Default key algorithm in Thomson and BT Home Hub routers

Shawn Merdinger — Thu, 17 Apr 2008 13:32:53 +0000

Well, the GNUcitizen folks are at it again, and have discovered the default WEP keys shipped with Thomson and BT Home routers. ZDnet and a few other news outlets have picked up the story, but IMHO your best bet it to read the details from the source. You can see BT’s security response here.

Australians falling victim to foreign phone hackers

Shawn Merdinger — Thu, 17 Apr 2008 12:48:33 +0000

Foreign-based criminals are reportedly ripping off Australian companies by hacking into their telephone systems and racking up massive bills. Last week a Melbourne retailer and university were hit with collective phone bills for more than 100-thousand dollars of overseas calls. And both parties are angry with Telstra which they say is insisting they pay the bills. The Camberwell Electrics Superstore says it was contacted by Telstra to ask why it had made 20 thousand dollars worth of overseas calls in less than two weeks. And Swinburne University says it knew nothing about the scam until it was hit with an 80-thousand dollar bill.

Xplico Network Forensic Analysis Tool

Shawn Merdinger — Wed, 16 Apr 2008 20:32:23 +0000

The goal of Xplico is extract from an internet traffic capture the applications data contained. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), and so on. Xplico isn’t a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT). Xplico is released under the GNU General Public License.

Quarterly VoIP Vulnerabilities Summary

Shawn Merdinger — Mon, 14 Apr 2008 21:04:46 +0000

While most VoIP-related vulnerabilities are posted to the VOIPSA mailing list or blog, I thought it might be useful to have a informal quarterly summary of sorts among VoIP devices per searches from NIST. I hope folks find it helpful, and of course post comments if I’ve overlooked anything from 1 January 2008 through 31 March 2008.

VoIP Firewalls

CVE-2008-0263 Ingate Firewall & SIParator 1/15/2008

Cisco Phones

CVE-2008-0531 Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G 2/14/2008
CVE-2008-0530 Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G 2/14/2008
CVE-2008-0529 Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G 2/14/2008
CVE-2008-0528 Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G 2/14/2008
CVE-2008-0527 Cisco Unified IP Phone 7935 and 7936 2/14/2008
CVE-2008-0526 Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G 2/14/2008
CVE-2008-1113 Cisco Unified Wireless IP Phone 7921 3/3/2008

Snom Phones

CVE-2008-1251 Snom 320 SIP Phone 3/10/2008
CVE-2008-1250 Snom 320 SIP Phone 3/10/2008
CVE-2008-1249 Snom 320 SIP Phone 3/10/2008
CVE-2008-1248 Snom 320 SIP Phone 3/10/2008

Vocera Phones

CVE-2008-1114 Vocera Communications wireless handsets 3/3/2008

Routers & Gateways

CVE-2008-1334 BT Home Hub router 3/13/2008

Asterisk PBX

CVE-2008-1289 Asterisk Open Source 3/24/2008
CVE-2008-1390 Asterisk Open Source 3/24/2008
CVE-2008-1332 Asterisk Open Source 3/19/2008
CVE-2008-1333 Asterisk Open Source 3/19/2008

Cisco Call Manager

CVE-2008-0026 Cisco Unified CallManager/Communications Manager 2/14/2008
CVE-2008-0027 Cisco Unified Communications Manager 1/16/2008

UPDATE 4/15/08

Milw0rm 5113 Philips VOIP841 PC-Free DECT 6.0 Wireless IP Phone 2-14-2008