Author Archives: Shawn Merdinger

Shodan: Computer Search Engine and VoIP Devices

Most of us are familiar with the information disclosure risks associated with devices like phones and ATAs on the Internet, and this has been mentioned in presentations like Endler/Collier at BlackHat in 2006. However, the recent emergence of Shodan significantly raises the exposure of these devices, especially embedded systems.

Shodan bills itself as a “Computer Search Engine” and some folks have raised questions about the impact, ethics, etc. So far, Shodan has remained under-the-radar, but I expect we’ll see more coverage and questioning of what value-add this service provides to security efforts.

A few simple searches of Shodan will provide the reader more insight of the capabilities of this service. Bear in mind that searches can get much more specific. Also, Shodan is growing, and it’s worth re-visiting the site to gain better perspective of updates.

Example searches:

1. VOIP —
2. Nortel —
3. Mitel —
4. .mil —
5. SCADA —

Stoned Bootkit

stoned bootkitTypically I don’t follow the deluge of Windows rootkits available because the sheer number and variety make diligently understanding all of them more than fairly daunting. After all, given limited resources, one must choose their battles and specialties in the security field.

That said, occasionally a Windows rootkit surfaces that is so mean, nasty and downright cool, that it becomes a must-know. Such is the case with the newest release of Stoned Bootkit. Be sure to go to their site and check it out, along with the paper, but here are a few highlights:

  • Attacks Windows XP, Sever 2003, Windows Vista, Windows 7 with one single master boot record
  • Attacks TrueCrypt full volume encryption
  • Has integrated FAT and NTFS drivers
  • Has an integrated structure for plugins and boot applications (for future development
  • Understanding the threats that Windows rootkits like this pose to VoIP security, especially on end users, is key.

    Home Medical Devices and VoIP Security

    With all the hubbub surrounding medical insurance reform, town hall meetings, and other distractions events it’s worthwhile looking at some of the technical medical devices coming into the marketplace to be placed in patients’ homes, connected to their broadband internet connection.
    death panels!
    Of several products in the patient home monitoring space, the Intel Health Guide PHS 6000 is perhaps one of the better positioned to garner marketshare because of several factors: including the size of Intel, on-going placement of the PHS 6000 in settings, and FDA approval in July, 2008.

    Of the many PHS 6000 features, the device also supports two-way video conferencing between patient and caregiver. As this communication takes place over the broadband connection, it’s reasonable to assume that some sort of VoIP software is in place. Of course, details at this point are thin, and it’s even hard to get a real handle on what the PHS 6000 operating system really is, with some reports indicating Microsoft Windows XP, and others indicating a embedded Linux derivative. Still, it looks like there is a VoIP stack, and it’s likely SIP-based.

    Clearly, the importance of the security of devices like the Intel PHS 6000 is apparent. And with the growing interest and funding towards cost-reduction and tele-health, we can expect to see these types of devices deployed widely. But what of the security posture? Sure, there’s boasting of encryption for the connection, but features like SSL mean little in the face of real attacks and vulnerabilities — think SSL encryption downgrade attacks, spoofing and man-in-the-middle vectors to start.

    To get the word out, I’ve started a LinkedIn group called MedSec to get together like-minded, talented security people with an interest in medical device security. I’ve been chumming the waters with this approach in the hopes that the right people with the right connections conduct proper security evaluations of this PHS 6000 device, and it’s back-end management system as well. Of course, if approached, I’m interested in some hand’s on time too 🙂

    Something Old, Something New: Nmap’s VoIP Fingerprinting

    Over time, it’s easy to become a bit out of touch with security tools. With new tools arriving on the scene daily, and updates to established tools occurring frequently, the deluge of information can be overwhelming; not to mention all of the other security fodder we process.

    That said, I find it encouraging to revisit some of the really established tools to see what changes and improvements are in place. Nmap is without a doubt the classic security tool in every aspect, from quality, to longevity, to street credibility. Even Hollywood has clue when it comes to Nmap, as evidenced in Matrix, Bourne, and Die Hard films with Nmap showing up on someone’s computer screen!

    One of my favorite Nmap features is the OS Identification and Application Fingerprinting capabilities. In part, this type of identification relies on the Nmap community scanning known devices and submitting signatures to be added to the Nmap databases (service probes, OS, etc.).

    As of 21 July, 2009, the Nmap OS database has the following VoIP device Fingerprints:

      Fingerprint Alcatel 4035 VoIP phone
      Fingerprint Sirio by Alice VoIP phone
      Fingerprint AudioCodes Mediant 1000 VoIP gateway
      Fingerprint Audiocodes MP-114 or MP-118 VoIP gateway
      Fingerprint Avaya G350 Media Gateway (VoIP gateway)
      Fingerprint Avaya Office IP403 VoIP gateway
      Fingerprint Avaya Office IP500 VoIP gateway
      Fingerprint Aastra 480i GT or 9133i IP phone
      Fingerprint Inter-tel 8662 VoIP phone
      Fingerprint Comtrend CT-800 VoIP gateway
      Fingerprint D-Link DVG-4022S VoIP gateway
      Fingerprint Grandstream HandyTone HT-488 analog VoIP adapter
      Fingerprint Grandstream BudgeTone 100 VoIP phone
      Fingerprint Grandstream BudgeTone 100 VoIP phone
      Fingerprint Grandstream GXP2000 VoIP phone
      Fingerprint Grandstream GXP2020 VoIP phone
      Fingerprint Thomson ST 2020 or 2030 VoIP phone
      Fingerprint Interbell IB-305 VoIP phone
      Fingerprint Linksys PAP2T VoIP router
      Fingerprint Linksys SPA901 or SPA921 SIP VoIP phone
      Fingerprint Linksys SPA942, SPA962, or SPA9000 VoIP phone; SPA3102 VoIP gateway; or Sipura SPA-2100 or SPA-2101 VoIP adapter
      Fingerprint Mitel 3300 CXi VoIP PBX
      Fingerprint Netcomm V300 VoIP gateway
      Fingerprint Neuf Box Trio3D DSL modem/router/VoIP/TV
      Fingerprint Nortel CS1000M VoIP PBX or Xerox Phaser 8560DT printer
      Fingerprint Patton SmartNode 4960 VoIP gateway (SmartWare 4.2)
      Fingerprint Perfectone IP-301 VoIP phone
      Fingerprint Planet VIP-154T VoIP phone (MicroC/OS-II)
      Fingerprint Polycom SoundPoint IP 301 VoIP phone
      Fingerprint Polycom SoundPoint IP 301 VoIP phone
      Fingerprint Polycom SoundPoint IP 430 VoIP phone
      Fingerprint PORTech GSM VoIP gateway
      Fingerprint PORTech MV-374 GSM-SIP VoIP gateway
      Fingerprint Samsung OfficeServ 7200 VoIP gateway
      Fingerprint ShoreTel ShoreGear-T1 VoIP switch
      Fingerprint Siemens HiPath optiPoint 400 VoIP phone
      Fingerprint Sipura SPA-1001 or SPA-3000 VoIP adapter
      Fingerprint Sipura SPA-3000 VoIP adapter
      Fingerprint Thomson Symbio VoIP phone
      Fingerprint Vegastream Vega 400 VoIP Gateway

    Also, it’s well worth taking a look at the VoIP devices identified in the Nmap Service Probes database as services that identify a VoIP device do not necessarily mean that the VoIP device has a fingerprint. In other words, there are VoIP devices in the Service Probes database that are not in the OS Fingerprint database, so look carefully!

    For even more coolness, be sure to check out the NSE.

    Wrapping-up, I’ve nothing less than mad props for Fyodor and all of the other folks who’ve contributed to this fantastic tool. Nmap was one of the first tools I used 10 years ago when first cutting my teeth in security, and remarkably, is a tool that I continue to use almost daily.

    First 911 Center to support SMS

    Recently multiple news outlets reported on Waterloo, Iowa’s Black Hawk County 911 center’s new SMS capability.

    While this subject is not specifically VoIP security, considering the blending of communications methods and the importance of 911 call centers I figure that SMS in this context is fair game for a VOIPSA Blog post.

    Several security implications surrounding this new 911 SMS capability come to mind:

    Time Delays in SMS transmissions – we’ve all experienced some delay, from marginal to extended, when it comes to sending and receiving SMS messages. What remains unclear from reports is if the carriers supporting 911 SMS in Black Hawk County give SMS to 911 communication priority network access, either initially and/or throughout the entire SMS dialog.

    Lingo – SMS messages are limited to 160 characters. As a result, acronyms and texting lingo are pervasive. Reports say the 911 operators are brushing up on their texting lingo in preparation. I sure do hope they are using decent resources, such as TLLTMSIFW, so when HIOOC comes in IDGARA is the right response.

    Flooding – sending mass amounts of SMS messages could adversely affect the call center’s operations. Using pre-paid phones, bluetooth dongles and simple software, an attacker with marginal resources could initiate this kind of attack with ease. How will 911 call centers handling SMS handle floods of SMS messages? The nuisance facter here should not be underestimated; here’s some good anecdotal experience

    SMS Spoofing – with the advent of various spoofing services, we’ve seen the types of attacks that can leverage spoofing. SpoofCard time and again has unauthorized access to voicemail, and still an issue with some carrier’s default user settings. We can expect to see the same issues with SMS spoofing.

    SMS Swatting – will likely be a byproduct of spoofing SMS messages to 911 call centers. However, the use of SMS brings a new twist to Swatting, since the spoofed SMS message will be tied to a cellular phone, rather than a fixed landline number, perhaps leading to mobile Swatting as law enforcement will need to track the mobile phone (GPS, triangulation) to gain physical proximity the the SMS origin.

    MMS – while no mention is made in the news reports about MMS support at 911 call centers, I think it’s reasonable to assume that ability to handle multimedia messages is in the works. The implications of moving from 160 characters of text to multimedia messaging with attached video/photos are dramatic. Further, this opens new attack vectors in terms of how these multimedia files are processed and accessed (think trojan Flash, PNG, etc.).

    I’ve only scratched the surface here of course, but hopefully this provides some food for thought — as always, comments welcome 🙂

    GNUcitizen research discovery: Default key algorithm in Thomson and BT Home Hub routers

    Well, the GNUcitizen folks are at it again, and have discovered the default WEP keys shipped with Thomson and BT Home routers.  ZDnet and a few other news outlets have picked up the story, but IMHO your best bet it to read the details from the source. You can see BT’s security response here.

    Australians falling victim to foreign phone hackers

    Foreign-based criminals are reportedly ripping off Australian companies by hacking into their telephone systems and racking up massive bills.  Last week a Melbourne retailer and university were hit with collective phone bills for more than 100-thousand dollars of overseas calls.  And both parties are angry with Telstra which they say is insisting they pay the bills.  The Camberwell Electrics Superstore says it was contacted by Telstra to ask why it had made 20 thousand dollars worth of overseas calls in less than two weeks.  And Swinburne University says it knew nothing about the scam until it was hit with an 80-thousand dollar bill.

    Xplico Network Forensic Analysis Tool

    The goal of Xplico is extract from an internet traffic capture the applications data contained.  For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), and so on. Xplico isn’t a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT).  Xplico is released under the GNU General Public License.

    Quarterly VoIP Vulnerabilities Summary

    While most VoIP-related vulnerabilities are posted to the VOIPSA mailing list or blog, I thought it might be useful to have a informal quarterly summary of sorts among VoIP devices per searches from NIST.  I hope folks find it helpful, and of course post comments if I’ve overlooked anything from 1 January 2008 through 31 March 2008.

    VoIP Firewalls

    Cisco Phones

    • CVE-2008-0531 Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G 2/14/2008
    • CVE-2008-0530 Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G 2/14/2008
    • CVE-2008-0529 Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G 2/14/2008
    • CVE-2008-0528 Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G 2/14/2008
    • CVE-2008-0527 Cisco Unified IP Phone 7935 and 7936 2/14/2008
    • CVE-2008-0526 Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G 2/14/2008
    • CVE-2008-1113 Cisco Unified Wireless IP Phone 7921 3/3/2008

    Snom Phones

    Vocera Phones

    Routers & Gateways

    Asterisk PBX

    Cisco Call Manager

    • CVE-2008-0026 Cisco Unified CallManager/Communications Manager 2/14/2008
    • CVE-2008-0027 Cisco Unified Communications Manager 1/16/2008

    UPDATE 4/15/08

  • Milw0rm 5113 Philips VOIP841 PC-Free DECT 6.0 Wireless IP Phone 2-14-2008