[VOIPSEC] Cisco 7920 wireless IP Phones

Robert Thompson Jr. rthompson at columbiabank.com
Thu May 26 18:25:17 BST 2005


Christopher Martin wrote:

"The actual attack was against TKIP pre-share keys and consisted of a
brute-force dictionary attack which took no time at all."

When they validated what you saw, was this using a weak password?  Did
it not automatically rotate on a specified time interval?  If you are
using a strong password that is set to change frequently there really
shouldn't be any way of brute forcing it.  There just wouldn't be enough
time.

Please explain further.

Rob.

-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Christopher A. Martin
Sent: Wednesday, May 25, 2005 9:27 PM
To: 'Porter, Thomas (Tom)'; 'Finnegan,James M SAM Contractor';
Voipsec at voipsa.org
Subject: RE: [VOIPSEC] Cisco 7920 wireless IP Phones

For the example listed below, the demonstration merely required a brief
sniffer capture to determine permitted MAC/IP addresses and determine
non-broadcast SSIDs.

The actual attack was against TKIP pre-share keys and consisted of a
brute-force dictionary attack which took no time at all. Impersonating
the AP was also key to the attack. Strength of WEP/WPA protections did
not matter. 

The fact is, in your case you may utilize WPA2-AES, your neighborhood
hotspot probably won't even be WPA capable. More individuals and even
small businesses are going to buy off-the-shelf Linksys and what have
you (even Vonage, etc.) without any real security capabilities enabled.

You can learn more about the attack by attending one of the classes
given by Beetle around the country. I am not going to give away detailed
methodology that someone is earning a living on and that also can
be immediately harmful if it were loosed in the wild (Google can find
all the info necessary to do this though, in a heartbeat, just takes
some quick research) but I will give the source of the information.
There are several links that can be found regarding the wireless flaws
from the conference that I attended http://www.dallascon.com.

That said, internally if we develop something to defend against this
unique to VoIP based on this that will be a different story. 


Bottom line, wireless is not secure, period. I knew this prior to
attending but had no idea that it was as simple as it is until I saw it
with my own eyes. Before this I thought WPA was going to be the big save
for the wireless scene until this conference.

Chris

-----Original Message-----
From: Porter, Thomas (Tom) [mailto:tporter at avaya.com]
Sent: Wednesday, May 25, 2005 10:46 PM
To: Chris at infravast.com; Finnegan, James M SAM Contractor;
Voipsec at voipsa.org
Subject: RE: [VOIPSEC] Cisco 7920 wireless IP Phones

I'm curious how you'd go about breaking into a WPA2-AES protected
network via traffic hijacking, interception, or impersonation. AFAIK,
this has not been demonstrated. I'd be interested to see some examples
of this -- my guess is that you won't be able to provide them.

Tom  

-----Original Message-----
From: Christopher A. Martin [mailto:chris at infravast.com]
Sent: Wednesday, May 25, 2005 11:33 PM
To: Porter, Thomas (Tom); 'Finnegan, James M SAM Contractor';
Voipsec at voipsa.org
Subject: RE: [VOIPSEC] Cisco 7920 wireless IP Phones

Unfortunately, it is not merely "easily said"; it has been demonstrated
and is very true. Porting such attacks to VoIP over wireless would be
trivial.



-----Original Message-----
From: Porter, Thomas (Tom) [mailto:tporter at avaya.com]
Sent: Wednesday, May 25, 2005 11:45 AM
To: Chris at infravast.com; Finnegan, James M SAM Contractor;
Voipsec at voipsa.org
Subject: RE: [VOIPSEC] Cisco 7920 wireless IP Phones

 
"It is trivial to hijack, intercept, impersonate any type of traffic
over wireless, whether WEP, WAP, etc is implemented."

While this is easily said, other than for WEP, it is not necessarily
true.

Best Regards,
Tom 

-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Christopher A. Martin
Sent: Tuesday, May 24, 2005 8:47 PM
To: 'Finnegan, James M SAM Contractor'; Voipsec at voipsa.org
Subject: RE: [VOIPSEC] Cisco 7920 wireless IP Phones


It is trivial to hijack, intercept, impersonate any type of traffic over
wireless, whether WEP, WAP, etc is implemented. IPSec over it is about
the only safe bet (which adds too much overhead). SSH and SSL can also
be compromised due to wireless hijacking.

-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Finnegan, James M SAM Contractor
Sent: Tuesday, May 24, 2005 12:03 PM
To: Voipsec at voipsa.org
Subject: [VOIPSEC] Cisco 7920 wireless IP Phones

Greetings all,

  I have run into a problem I was hoping to get feedback on. We are
using the 7920 IP Phones at our sites, running CCM 3.3.

 The Army has decided the wireless link needs to be encrypted with
something other than WEP or WEP w/LEAP. Our standard wireless
encryption is 3DES. The 7920s only support WEP or WEP w/LEAP. Has
anyone run into this problem?

 

Thanks

 

Mike Finnegan

B.I.T.S.

U.S. Army Corps of Engineers

 

 

_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
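
Added example, not part of any post in this thread: a defender-side audit for the question raised in the top reply, whether a WPA/TKIP pre-shared key is strong enough and rotated often enough to outlast dictionary and exhaustive guessing. The wordlist, the guess rate and the function names are assumptions made for illustration.

```python
import math
import string

# Constructed sample wordlist; a real audit would load a large dictionary file.
SAMPLE_WORDLIST = {"password", "wireless", "welcome", "columbia", "letmein"}
ASSUMED_GUESSES_PER_SEC = 100_000  # assumption: offline guessing rate, tune to your threat model

def pool_size(passphrase):
    """Size of the character pool the passphrase draws from."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " "]
    return sum(len(c) for c in classes if any(ch in c for ch in passphrase))

def audit_psk(passphrase, rotation_days, wordlist=SAMPLE_WORDLIST,
              rate=ASSUMED_GUESSES_PER_SEC):
    """Return findings for a WPA pre-shared-key passphrase."""
    findings = []
    if not 8 <= len(passphrase) <= 63:          # WPA passphrases are 8-63 characters
        findings.append("length outside 8-63")
    # Dictionary tools try case variants and appended digits, so normalise first.
    stem = passphrase.lower().strip(string.digits + string.punctuation)
    in_dictionary = stem in wordlist
    if in_dictionary:
        findings.append("dictionary word")
    # Upper bound: only meaningful if the passphrase was generated at random.
    bits = len(passphrase) * math.log2(pool_size(passphrase)) if passphrase else 0.0
    avg_days = 2 ** (bits - 1) / rate / 86400   # average exhaustive-search time
    survives = (not in_dictionary) and avg_days > rotation_days
    if not survives and not in_dictionary:
        findings.append("search time shorter than rotation interval")
    return {"bits": round(bits, 1), "in_dictionary": in_dictionary,
            "survives_rotation": survives, "findings": findings}

if __name__ == "__main__":
    # Constructed sample passphrases.
    for psk in ("Columbia2005", "k7#Vq2!mZp9@xLw4Tr8$"):
        print(psk, audit_psk(psk, rotation_days=30))
```

A dictionary-derived key fails regardless of the rotation interval, because a wordlist is exhausted far faster than any practical rotation schedule; rotation only helps once the key is outside the dictionary.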

