[VOIPSEC] Cisco 7920 wireless IP Phones

Robert Moskowitz rgm at icsalabs.com
Thu May 26 14:51:30 CDT 2005 

At 12:27 AM 5/26/2005, Christopher A. Martin wrote:
>For the example listed below, the demonstration merely required a brief
>sniffer capture to determine permitted MAC/IP addresses and determine
>non-broadcast SSID's.

I have worked hard at stopping people from 'hiding' their SSID.  It can't 
be done and can actually work against roaming (very important for VoIP).

>The actual attack was against TKIP pre-share keys and consisted of a
>brute-force dictionary attack which took no time at all. Impersonating
>the AP was also key to the attack. Strength of WEP/WPA protections did
>not matter.

But it is easy to create a PSK that cannot be attacked in this manner.  It 
is also important to change the SSID from the default, as the SSID is 
included in the session key generation, and a default SSID-PSK combination 
can be attacked with a database of guesses (note that the attack against 
PSK requires 4096 hashes operations per try).

>The fact is, in your case you may utilize WPA2-AES, your neighborhood
>hotspot probably won't even be WPA capable. More individuals and even
>small businesses are going to buy off the shelf linksys and what have
>you (even vonage, etc.) without any real security capabilities enabled.

For a product that can make WPA deployment easy for homes and SMBs check 
out lucidlink.com.  Disclaimer, I designed the EAP method and helpped 
design the overall product.

>That said, internally if we develop something to defend against this
>unique to VoIP based on this that will be a different story.

Belts and suspenders.  All layers need their own protection, as each has 
different risk models.

We need to focus on VoIP security and not ASSuME that layer 2 or 3 security 
is in place.

PLEASE?

>Bottom line, wireless is not secure period. I knew this prior to
>attending but had no idea that it was as simple as it is until I saw it
>with my own eyes. Before this I thought WPA was going to be the big save
>for the wireless scene until this conference.

All depends on proper deployment.  And we all know about that oxymoron.


Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of Cybertrust, Inc.
W:      248-968-9809
F:      248-968-2824
VoIP:   248-291-0713
E:      rgm at icsalabs.com

There's no limit to what can be accomplished if it doesn't matter who gets 
the credit

More information about the Voipsec mailing list