[VOIPSEC] VOIP Telephone exploitation
jpo at pobox.com
Tue Oct 20 04:08:27 BST 2009
By "remote eavesdropping", I believe you are referring to the
vulnerability that Cisco confirmed and acknowledged over two years ago
involving the Extension Mobility feature, credit to Joffey Czarny.
The implementation of this attack as I know it exists involves sending
HTTP XML commands to the web service of the Unified IP Phone, with valid
extension mobility credentials.
In the notice you can see recommended security practices to help
mitigate against this issue. It's funny because yet again we come full
circle and this issue proves one of the oldest InfoSec problems. When
you gain access to one's credentials, bad things can happen. Same for
VoIP applications as it is for any other application (i.e. email). From
what I have heard this extension mobility is a very popular feature so a
lot of customers wouldn't want to disable it. The largest risk that I
see is that an end user (user A) can be a valid, trusted internal
extension mobility user, and uses his/her own set of credentials in
order to carry out this remote wiretapping against anyone else's phone
(user B). So assuming you have already accepted the risk of trusted
insiders abusing the application service, here are some recommendations:
1) Enforce strong password policies
2) Enforce HTTP / TLS - don't send HTTP passwords in the clear (a
little difficult to do in this case)
3) Enforce layer 2 security controls to prevent Sniffing (Cisco DAI, or
4) Strong physical security / screening of users
So to help solve the problem of valid user A wiretapping user B, you
need to have some way of easily logging the HTTP XML commands when an
extension mobility user is logged out and RTP immediately gets sent to a
remote station over the network. Something to log a potential security
Cisco Security Response: Cisco Unified IP Phone Remote Eavesdropping
> Since the inception of your group, have you identified a clear cut strategy to detect, identify and guard against remote eavesdropping on a VOIP system such as the Cisco-IP phone? In addition, what tests are being used to identify the activation of the remote maintenance or remote observation features?
> I would certainly like to hear from some of your members regarding the defenses and protections for VOIP systems that a company can logically employ.
> In addition, has anyone made any headway into the detection and removal of Trojans or rootkits on cellphones? This appears to be a rather large effort for attacking devices such as iPhones, BlackBerrys, etc.
> Bob Rolen
> Voipsec mailing list
> Voipsec at voipsa.org
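
The correlation the message above asks for (an extension mobility logout or HTTP XML command on a phone, followed right away by RTP to a remote station), sketched as an added example that is not part of the original post or of any Cisco tooling. The event layout, the event kind names, the 5-second window and the sample records are all constructed assumptions.

```python
from dataclasses import dataclass

WINDOW_S = 5.0  # assumed correlation window, in seconds
TRIGGERS = {"em_logout", "http_xml_cmd"}  # hypothetical event kinds

@dataclass(frozen=True)
class Event:
    ts: float        # epoch seconds
    phone: str       # phone that logged the event
    kind: str        # "em_logout", "http_xml_cmd" or "rtp_start"
    actor: str = ""  # credentials used for the HTTP request
    src: str = ""    # IP the HTTP request came from
    dst: str = ""    # IP the phone started sending RTP to

def find_suspect_streams(events, signalled):
    """Flag RTP that starts within WINDOW_S of a trigger on the same phone
    and goes to a peer that call control never set up for that phone."""
    last_trigger, alerts = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind in TRIGGERS:
            last_trigger[ev.phone] = ev
            continue
        trig = last_trigger.get(ev.phone)
        if ev.kind != "rtp_start" or trig is None:
            continue
        if ev.ts - trig.ts > WINDOW_S or (ev.phone, ev.dst) in signalled:
            continue
        alerts.append({"phone": ev.phone, "rtp_dst": ev.dst,
                       "trigger": trig.kind, "actor": trig.actor,
                       "delay_s": ev.ts - trig.ts})
    return alerts

# Constructed sample data (documentation address ranges), not real logs.
SAMPLE_EVENTS = [
    Event(100.0, "phone-B", "http_xml_cmd", actor="userA", src="192.0.2.50"),
    Event(101.0, "phone-B", "em_logout", actor="userA", src="192.0.2.50"),
    Event(102.5, "phone-B", "rtp_start", dst="192.0.2.50"),
    Event(200.0, "phone-C", "em_logout", actor="userC", src="192.0.2.60"),
    Event(203.0, "phone-C", "rtp_start", dst="198.51.100.7"),  # normal call
    Event(300.0, "phone-D", "em_logout", actor="userD", src="192.0.2.70"),
    Event(400.0, "phone-D", "rtp_start", dst="192.0.2.99"),    # outside window
]
SIGNALLED = {("phone-C", "198.51.100.7")}  # media peers call control set up

if __name__ == "__main__":
    for alert in find_suspect_streams(SAMPLE_EVENTS, SIGNALLED):
        print(alert)
```

The alert keeps the credentials behind the trigger, so a trusted user A acting against user B's phone is attributable after the fact.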