[VOIPSEC] Hijacking Your Entire Voip Infrastructure

J. Oquendo sil at infiltrated.net
Fri Jan 23 15:14:27 CST 2009


So I sat around chuckling at the obvious after reading
this via another list I'm on:

-------- Original Message --------
Subject: [outages] packet8 - voip service interruption.
Date: Fri, 23 Jan 2009 12:36:41 -0800
To: outages at outages.org <outages at outages.org>

1/23/2009 10:30am PST:

At 7 pm (Pacific) last night (January 22, 2008) we began working with
Register.com to investigate a possible DNS registry issue with
www.packet8.net. This issue has resulted in customers not being able to
reach the packet8.net website, and also experience failures in their
telephone service. Our telephones and DTA's have several hard coded
fail-over processes built into them, but the DNS issues we experienced
at several ISPs prevented these back mechanisms from functioning correctly.

Most Internet Service Providers updated to the correct DNS routing
within minutes of the initial issue. However, we have reports that ATT,
ATT-Mobile and Time Warner Roadrunner on the East coast have not updated
DNS servers with the correct information.

/ END MESSAGE

How insanely dangerous is that considering Packet8 should
(I say MUST some will disagree) re-do all of their usernames
and passwords for any VoIP related devices/trunks/ATA's/etc.

"But why?" sayeth puzzled onlookers...

So let's look at the logical breakdown of DNS and why this
scenario can leave you with a huge phone bill via toll fraud...

You're a VoIP company and your DNS servers are hijacked.
The hijacker can make a boolean query go to a sniffable
machine - all your clients are sending registration info
to this pirate machine - your DNS gets fixed, hijackers
sleep for a month or two... Up plop duplicate trunks,
devices, etc.

While someone thought it was nothing more than a DNS
hijack, it could have been done under the core objective
to amass account information for a more sinister
reason somewhere down the line. Remember... First and
foremost - VoIP is no different than email - all your
trunks are belong to $WHOM_EVER_SNIFFED_THEM.

@SeanM ... Didn't forget you, give me a call on Monday
swamped w/work/life/research/studies... 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Enough research will tend to support your
conclusions." - Arthur Bloch

"A conclusion is the place where you got
tired of thinking" - Arthur Bloch

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
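
A defender-side check for the "duplicate trunks" scenario in the message above, as an added example that is not part of the original post: it builds a per-account baseline of source networks from registrar logs up to the incident and flags later registrations from networks that account never used. The log format, account names, addresses and the incident end date are all assumptions constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed sample registrar log: "<ISO time> REGISTER <account> <source IP>".
# The format, accounts and addresses are invented for this example.
SAMPLE_LOG = """\
2009-01-10T09:00:00 REGISTER trunk-acme 198.51.100.10
2009-01-15T09:00:00 REGISTER ata-1001 203.0.113.25
2009-01-20T09:00:00 REGISTER trunk-acme 198.51.100.11
2009-03-02T03:12:00 REGISTER trunk-acme 198.51.100.10
2009-03-02T03:14:00 REGISTER trunk-acme 192.0.2.77
2009-03-05T10:00:00 REGISTER ata-1001 203.0.113.40
2009-03-09T22:41:00 REGISTER ata-1001 192.0.2.90
"""

def parse(log):
    """Yield (time, account, source /24) for each REGISTER line."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[1] != "REGISTER":
            continue  # skip anything that is not a registration record
        when = datetime.fromisoformat(fields[0])
        # Compare by /24 so address churn inside one site is not flagged.
        net = ip_network(fields[3] + "/24", strict=False)
        yield when, fields[2], net

def new_source_registrations(log, incident_end):
    """Return post-incident registrations from networks an account never used before."""
    baseline = defaultdict(set)  # account -> networks seen up to incident_end
    suspects = []
    for when, account, net in sorted(parse(log), key=lambda r: r[0]):
        if when <= incident_end:
            baseline[account].add(net)
        elif net not in baseline[account]:
            suspects.append((account, str(net), when.isoformat()))
    return suspects

if __name__ == "__main__":
    # Assumed end of the DNS incident described in the forwarded notice.
    for hit in new_source_registrations(SAMPLE_LOG, datetime(2009, 1, 24)):
        print(hit)
```

A hit is a prompt to rotate that account's credentials and review its call records, not proof of fraud on its own, since customers do legitimately move networks.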




