[VOIPSEC] Cisco 7920 wireless IP Phones

Christopher A. Martin chris at infravast.com
Fri May 27 00:55:02 EDT 2005


I agree with everything you stated (very well stated, I might add). I did
get off track on this thread.

The point that I was trying to make before I brought up airsnarf is that
you can brute force preshared keys even with WPA by impersonating an AP;
IP spoofing and MAC spoofing assist in this part of the attack. All of
this is possible by sniffing the airwaves to determine the information
required for the impersonation of the AP. This also works even if you do
not broadcast an SSID and even if you implement MAC and IP filtering.

A stronger signal than the original AP completes the successful
impersonation with most users' default settings.

Gathering the information that the users are transmitting during the
negotiation, for use in a dictionary attack, completes the gathering of the
preshared key.

That is a high level description of the attack.

I will try to allocate some time this weekend to provide a more lucid
response. It's been a crazy three weeks for me.

Chris

-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Bernie L. Dixon
Sent: Thursday, May 26, 2005 9:28 AM
To: Chris at infravast.com; 'Robert Thompson Jr.'; Voipsec at voipsa.org
Subject: RE: [VOIPSEC] Cisco 7920 wireless IP Phones

This tool has nothing to do with breaking encryption. It's more of a
password-gathering tool; it puts up a fake login page just like you'd get
from a T-Mobile or Verizon hotspot. This tool just makes it easy to set up a
rogue AP and fish for people's logins. It will not break SSL or TLS.

Under 802.11i, AES 256-bit encryption is available. This tool would stand no
chance against that encryption (nor any other tool to date); however,
hijacking connections before transactions occur is not under debate here --
breaking encryption is. Converting airsnarf to work against VOIP so as to
hijack it is also not under debate - that would be possible too.

Bad cryptographic implementations can be broken.  WEP 64 or 128 is no
challenge, but AES implemented properly - no way (yet).

Any encryption adds overhead. We need to get over that fact and move on.
Security in itself adds overhead, so is our answer not to do any? I think
not. Let's design security into the architecture at the beginning of its
life cycle so we stop doing the band-aid approach to fixing security
problems. Offset the performance impact by proper engineering during all
phases of implementation, not as an afterthought.

Bernie Dixon, CISSP, TICSA
Protected Networks, Inc.


-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Christopher A. Martin
Sent: Wednesday, May 25, 2005 10:26 PM
To: 'Robert Thompson Jr.'; Voipsec at voipsa.org
Subject: RE: [VOIPSEC] Cisco 7920 wireless IP Phones

TLS is SSL all grown up.

SSL and SSH can be hijacked (MiM, man in the middle) by hacker tools
crafted specifically for VoIP. A good example of SSL hijacking is a tool
called airsnarf.

http://airsnarf.shmoo.com/

I believe that this would be a trivial task to convert to SIP since it
is merely a cousin to HTML.

The author, Beetle, gave some very good demonstrations of how easy it is
to break "ANY" wireless encryption/protection scheme and, with this
tool, hijack any SSL/TLS encrypted page to capture authentication, credit
card or any other info that was supposed to be encrypted. Over two days
he was able to show a class of about 60 people, many new to wireless, how
to do the same thing.

When I say that IPSec adds too much overhead, I refer to the fact that,
due to encapsulation, IPSec adds approximately 40% additional overhead
to an IP packet and often causes fragmentation, because packets need to
be fragmented for encapsulation.

Chris
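
The overhead figure quoted above depends heavily on how small the voice payload is, so it is worth computing rather than estimating. As an added example (not from the thread or any of its authors), this Python script works out the per-packet cost of IPsec ESP on RTP packets for two common codecs; it assumes AES-CBC with HMAC-SHA1-96, 20 ms packetization, IPv4, and the ESP layout of RFC 4303, and the codec payload sizes are constructed standard values.

```python
"""Per-packet IPsec ESP overhead on VoIP RTP packets (constructed example).

Sizes follow RFC 4303 (ESP) with AES-CBC (16-byte IV, 16-byte block) and
HMAC-SHA1-96 (12-byte ICV). Layer-2 framing is ignored.
"""
from dataclasses import dataclass

IPV4_HDR = 20
UDP_HDR = 8
RTP_HDR = 12
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
AES_IV = 16
AES_BLOCK = 16
HMAC_SHA1_96_ICV = 12

# Voice payload bytes per packet at 20 ms packetization (constructed, standard values)
CODEC_PAYLOAD = {"G.711": 160, "G.729": 20}


@dataclass
class EspResult:
    mode: str
    codec: str
    clear_bytes: int   # original IP packet size
    esp_bytes: int     # size on the wire after ESP
    pad_bytes: int

    @property
    def overhead_pct(self) -> float:
        return 100.0 * (self.esp_bytes - self.clear_bytes) / self.clear_bytes


def esp_padding(plaintext_len: int) -> int:
    """Pad so that payload + pad + trailer is a multiple of the cipher block."""
    return (-(plaintext_len + ESP_TRAILER)) % AES_BLOCK


def esp_size(codec: str, mode: str = "tunnel") -> EspResult:
    payload = CODEC_PAYLOAD[codec]
    clear = IPV4_HDR + UDP_HDR + RTP_HDR + payload
    # Tunnel mode encrypts the whole inner IP packet behind a new outer header;
    # transport mode encrypts only UDP/RTP and keeps the original IP header.
    protected = clear if mode == "tunnel" else clear - IPV4_HDR
    pad = esp_padding(protected)
    encrypted = protected + pad + ESP_TRAILER
    total = IPV4_HDR + ESP_HDR + AES_IV + encrypted + HMAC_SHA1_96_ICV
    return EspResult(mode, codec, clear, total, pad)


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        for codec in CODEC_PAYLOAD:
            r = esp_size(codec, mode)
            print(f"{mode:9} {codec}: {r.clear_bytes}B -> {r.esp_bytes}B "
                  f"(+{r.overhead_pct:.0f}%, pad {r.pad_bytes}B)")
```

For a 160-byte G.711 payload the tunnel-mode cost is roughly a third of the packet, while for a 20-byte G.729 payload ESP doubles it; the percentage is driven by the fixed per-packet headers, not by the cipher.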

-----Original Message-----
From: Robert Thompson Jr. [mailto:rthompson at columbiabank.com] 
Sent: Wednesday, May 25, 2005 1:19 PM
To: Chris at infravast.com; Voipsec at voipsa.org
Subject: RE: [VOIPSEC] Cisco 7920 wireless IP Phones

I am very new to VOIP, so please bear with me.

But when you say that it is trivial to intercept the traffic, you just
mean to receive it right?  You are not talking about deciphering the
information and being able to listen in on the conversation are you?

Why would IPSEC add too much overhead?

Instead of SSH and SSL, could TLS be used? I am under the
understanding that TLS doesn't have any more overhead than SSL, though it
is quite a bit more secure.

Rob.

-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Christopher A. Martin
Sent: Tuesday, May 24, 2005 5:47 PM
To: 'Finnegan, James M SAM Contractor'; Voipsec at voipsa.org
Subject: RE: [VOIPSEC] Cisco 7920 wireless IP Phones


It is trivial to hijack, intercept, impersonate any type of traffic over
wireless, whether WEP, WAP, etc. is implemented. IPSec over it is about
the only safe bet (which adds too much overhead). SSH and SSL can also
be compromised due to wireless hijacking.

-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Finnegan, James M SAM Contractor
Sent: Tuesday, May 24, 2005 12:03 PM
To: Voipsec at voipsa.org
Subject: [VOIPSEC] Cisco 7920 wireless IP Phones

Greetings all,

I have run into a problem I was hoping to get feedback on. We are
using the 7920 IP Phones at our sites, running CCM 3.3.

The Army has decided the wireless link needs to be encrypted with
something other than WEP or WEP w/LEAP. Our standard wireless
encryption is 3DES. The 7920's only support WEP or WEP w/LEAP. Has
anyone run into this problem?


Thanks

Mike Finnegan
B.I.T.S.
U.S. Army Corps of Engineers


_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org

