[VOIPSEC] VOIP Telephone exploitation

Jason Ostrom jpo at pobox.com
Tue Oct 20 04:08:27 BST 2009


Bob,

By "remote eavesdropping", I believe you are referring to the 
vulnerability that Cisco confirmed and acknowledged over two years ago 
involving the Extension Mobility feature, credit to Joffey Czarny [1].  
The implementation of this attack as I know it exists involves sending 
http xml commands to the web service of the Unified IP Phone, with valid 
extension mobility credentials.

In the notice you can see recommended security practices to help 
mitigate against this issue.  It's funny because yet again we come full 
circle and this issue proves one of the oldest InfoSec problems.  When 
you gain access to one's credentials, bad things can happen.  Same for 
VoIP applications as it is for any other application (i.e. Email).  From 
what I have heard this extension mobility is a very popular feature so a 
lot of customers wouldn't want to disable it.  The largest risk that I 
see is that an end user (user A) can be a valid, trusted internal 
extension mobility user, and uses his/her own set of credentials in 
order to carry out this remote wiretapping against anyone else's phone 
(user B).  So assuming you have already accepted the risk of trusted 
insiders abusing the application service, here are some recommendations:

1)  Enforce strong password policies
2)  Enforce http / tls - don't send http passwords in the clear (a 
little difficult to do in this case)
3)  Enforce layer 2 security controls to prevent Sniffing (Cisco DAI, or 
equivalent)
4)  Strong physical security / screening of users

So to help solve the problem of valid user A wiretapping user B, you 
need to have some way of easily logging the http xml commands when an 
extension mobility user is logged out and RTP immediately gets sent to a 
remote station over the network.  Something to log a potential security 
incident.

[1] Cisco Security Response:  Cisco Unified IP Phone Remote Eavesdropping
http://www.cisco.com/warp/public/707/cisco-sr-20071128-phone.pdf

brolen wrote:
> Since the inception of your group, have you identified a clear cut strategy to detect, identify and guard against remote eavesdropping on a VOIP system such as the Cisco-IP phone.  In addition, what tests are being used to identify the activation of the remote maintenance or remote observation features.
>
> I would certainly like to hear from some of your members regarding the defenses and protections for VOIP systems that a company can logically employ.
>
> In addition, has anyone made any headway into the detection and removal of Trojans or rootkits on cellphones.  This appears to be a rather large effort for attacking devices such as I-phones, Blackberrys etc.
>
> Thanks, 
> Bob Rolen

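The logging idea in the message above (recording the http xml commands when an extension mobility user is logged out and RTP immediately goes to a remote station) can be sketched as a correlation rule. This is an added example, not part of the original post and not Cisco's or the author's code; the event record, its field names, the event kinds and the 10-second window are all assumptions, and a real deployment would populate these records from its own HTTP, call-control and flow logs.

```python
from dataclasses import dataclass

WINDOW_SECONDS = 10.0  # assumption: how close together counts as "immediately"

@dataclass(frozen=True)
class Event:
    ts: float       # event time in seconds
    kind: str       # "http_xml", "em_logout" or "rtp_start" (constructed names)
    phone: str      # IP address of the phone the event concerns
    peer: str = ""  # HTTP client for http_xml, RTP destination for rtp_start
    user: str = ""  # credentials presented with the HTTP XML command

def find_suspect_sequences(events, window=WINDOW_SECONDS):
    """Flag RTP streams that start within `window` seconds of both an
    extension mobility logout and an HTTP XML command on the same phone."""
    last_xml, last_logout, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "http_xml":
            last_xml[ev.phone] = ev
        elif ev.kind == "em_logout":
            last_logout[ev.phone] = ev
        elif ev.kind == "rtp_start":
            xml, out = last_xml.get(ev.phone), last_logout.get(ev.phone)
            if xml is None or out is None:
                continue
            if ev.ts - xml.ts > window or ev.ts - out.ts > window:
                continue
            alerts.append({
                "phone": ev.phone,
                "rtp_dest": ev.peer,
                "http_client": xml.peer,
                "credentials": xml.user,  # which user A issued the command
                "ts": ev.ts,
            })
    return alerts

# Constructed sample events, not taken from a real system.
SAMPLE_EVENTS = [
    Event(100.0, "http_xml", "10.0.0.21", "10.0.9.5", "svc-directory"),
    Event(300.0, "rtp_start", "10.0.0.21", "10.0.0.40"),   # ordinary call
    Event(1000.0, "em_logout", "10.0.0.22"),
    Event(1002.0, "http_xml", "10.0.0.22", "10.0.5.77", "usera"),
    Event(1003.0, "rtp_start", "10.0.0.22", "10.0.5.77"),  # flagged
    Event(2000.0, "em_logout", "10.0.0.23"),
    Event(2001.0, "http_xml", "10.0.0.23", "10.0.9.5", "svc-directory"),
    Event(2100.0, "rtp_start", "10.0.0.23", "10.0.0.41"),  # outside window
]

if __name__ == "__main__":
    for alert in find_suspect_sequences(SAMPLE_EVENTS):
        print(alert)
```

Each alert keeps the credentials presented with the command, so an incident can be tied to the extension mobility account that issued it.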



