[VOIPSEC] Cisco 7920 wireless IP Phones

Robert Moskowitz rgm at icsalabs.com
Thu May 26 14:43:07 CDT 2005


At 11:26 PM 5/25/2005, Christopher A. Martin wrote:
>TLS is SSL all grown up.
>
>SSL and SSH can be hijacked (MiM, Man in the middle) by hacker tools
>crafted specifically for VoIP. A good example of ssl hijacking is a tool
>called airsnarf.
>
>http://airsnarf.shmoo.com/
>
>I believe that this would be a trivial task to convert to SIP since it
>is merely a cousin to html.
>
>The author, Beetle, gave some very good demonstrations of how easy it is
>to break "ANY" wireless encryption/protection scheme and, with this
>tool, hijack any ssl/tls encrypted page to capture authentication/credit
>card or any other info that was supposed to be encrypted. Over two days
>he was able to show a class of about 60 people, many new to wireless, how
>to do the same thing.

It all comes down to proper policy.  I can configure even the Microsoft 
client rather easily to defeat these attacks.

Any scheme is easy to break when improperly deployed.

>When I say that IPSec adds too much overhead I refer to the fact that,
>due to encapsulation, IPSec adds approximately 40% additional overhead
>to an IP packet and often fragmentation due to packets that need to be
>fragmented for encapsulation.

If you have PMTU discovery you do not get fragmentation.

But just as Beetle showed attacks on SSL, I can show attacks on improperly 
configured IPsec deployments.

IPsec is no panacea.  Protecting wireless means proper deployment of IEEE 
802.11i.

Please note:

I was a co-chair for IPsec, and during my tenure we got the RFCs out.
I am one of the contributors to 802.11i.


Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of Cybertrust, Inc.
W:      248-968-9809
F:      248-968-2824
VoIP:   248-291-0713
E:      rgm at icsalabs.com

There's no limit to what can be accomplished if it doesn't matter who gets 
the credit





