[VOIPSEC] VOIP Telephone exploitation

Gilbert Lee gilgil1973 at gmail.com
Tue Oct 20 18:05:23 CDT 2009


Hi, all. This year, I've analyzed SIP over TLS and SRTP.
What if port number 5061 (the default port number for ciphertext communication)
is blocked on the network by an attacker?
If I were an attacker (hacker), I would not sniff TLS messages because they are
hard to analyze.
Instead, the attacker would block port 5061, and the SIP device would send
plain (not ciphered) SIP messages using port 5060 for backward compatibility.
In this way, the attacker can easily obtain the SIP messages and the RTP key (Pre-Shared Key)
used in RTP communication.
I think it may be a sort of SSL strip hacking technique.

What do you think of it?

Regards,
Gilbert

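Added example (my own code, not part of Gilbert's mail or any SIP vendor's software): a small detector, written from the defender's side, for the downgrade described above. It reads constructed connection-log lines (the format and the addresses are assumptions made for this example) and flags an endpoint whose TLS handshake on 5061 failed and which then sent cleartext SIP on 5060 to the same proxy within a short window.

```python
"""Detect a SIP-over-TLS downgrade to cleartext SIP from connection logs.

Added example, not code from the mailing-list thread or from any SIP vendor.
The log format below is an assumption made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (not real traffic): time, source, "->", proxy:port, event.
# tls-handshake=blocked models 5061 being filtered on the path; sip=<METHOD> is a
# cleartext SIP request seen on 5060.
SAMPLE_LOG = """\
2009-10-20T18:00:01 10.0.0.21 -> 10.0.0.5:5061 tls-handshake=ok
2009-10-20T18:00:05 10.0.0.22 -> 10.0.0.5:5061 tls-handshake=blocked
2009-10-20T18:00:07 10.0.0.22 -> 10.0.0.5:5060 sip=REGISTER
2009-10-20T18:00:09 10.0.0.23 -> 10.0.0.5:5060 sip=OPTIONS
2009-10-20T18:03:00 10.0.0.24 -> 10.0.0.5:5061 tls-handshake=blocked
2009-10-20T18:10:00 10.0.0.24 -> 10.0.0.5:5060 sip=INVITE
"""


def parse_line(line):
    """Split one constructed log line into a dict."""
    ts, src, _arrow, dst, event = line.split()
    host, port = dst.rsplit(":", 1)
    kind, value = event.split("=", 1)
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": host,
            "port": int(port), "kind": kind, "value": value}


def find_downgrades(log_text, window_seconds=60):
    """Return (src, proxy, method) for every cleartext SIP request on 5060 that
    follows a failed TLS handshake to 5061 between the same pair within the window."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    failed_tls = defaultdict(list)  # (src, proxy) -> times of failed 5061 attempts
    window = timedelta(seconds=window_seconds)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        pair = (ev["src"], ev["dst"])
        if ev["port"] == 5061 and ev["kind"] == "tls-handshake" and ev["value"] != "ok":
            failed_tls[pair].append(ev["ts"])
        elif ev["port"] == 5060 and ev["kind"] == "sip":
            # Only earlier failures count; later ones cannot explain this request.
            if any(timedelta(0) <= ev["ts"] - t <= window for t in failed_tls[pair]):
                findings.append((ev["src"], ev["dst"], ev["value"]))
    return findings


def cleartext_sources(log_text):
    """Every source that sent cleartext SIP on 5060 at all; a policy that forbids
    fallback entirely would alert on each of these, downgrade or not."""
    return sorted({ev["src"] for ev in map(parse_line, filter(str.strip, log_text.splitlines()))
                   if ev["port"] == 5060 and ev["kind"] == "sip"})


if __name__ == "__main__":
    for src, proxy, method in find_downgrades(SAMPLE_LOG):
        print(f"possible downgrade: {src} -> {proxy} sent cleartext {method} after TLS failure")
    print("cleartext senders:", cleartext_sources(SAMPLE_LOG))
```

The window is the knob: a device that retries TLS for a while before giving up needs a longer one (the sample's third endpoint is only caught at 600 seconds). The detector only sees the downgrade after it has happened; the setting that actually closes the gap is disabling the 5060 fallback on endpoints and proxies where TLS is mandatory, which is product-specific and not something this thread documents.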
On Tue, Oct 20, 2009 at 12:08 PM, Jason Ostrom <jpo at pobox.com> wrote:

> Bob,
>
> By "remote eavesdropping", I believe you are referring to the vulnerability
> that Cisco confirmed and acknowledged over two years ago involving the
> Extension Mobility feature, credit to Joffrey Czarny [1].  The implementation
> of this attack as I know it exists involves sending http xml commands to the
> web service of the Unified IP Phone, with valid extension mobility
> credentials.
>
> In the notice you can see recommended security practices to help mitigate
> against this issue.  It's funny because yet again we come full circle and
> this issue proves one of the oldest InfoSec problems.  When you gain access
> to one's credentials, bad things can happen.  Same for VoIP applications as
> it is for any other application (i.e. email).  From what I have heard this
> extension mobility is a very popular feature so a lot of customers wouldn't
> want to disable it.  The largest risk that I see is that an end user (user
> A) can be a valid, trusted internal extension mobility user, and uses
> his/her own set of credentials in order to carry out this remote wiretapping
> against anyone else's phone (user B).  So assuming you have already accepted
> the risk of trusted insiders abusing the application service, here are some
> recommendations:
>
> 1)  Enforce strong password policies
> 2)  Enforce http / tls - don't send http passwords in the clear (a little
> difficult to do in this case)
> 3)  Enforce layer 2 security controls to prevent sniffing (Cisco DAI, or
> equivalent)
> 4)  Strong physical security / screening of users
>
> So to help solve the problem of valid user A wiretapping user B, you need
> to have some way of easily logging the http xml commands when an extension
> mobility user is logged out and RTP immediately gets sent to a remote
> station over the network.  Something to log a potential security incident.
>
> Cisco Security Response:  Cisco Unified IP Phone Remote Eavesdropping
> http://www.cisco.com/warp/public/707/cisco-sr-20071128-phone.pdf
>
>
> brolen wrote:
>
>> Since the inception of your group, have you identified a clear cut
>> strategy to detect, identify and guard against remote eavesdropping on a
>> VOIP system such as the Cisco IP phone?  In addition, what tests are being
>> used to identify the activation of the remote maintenance or remote
>> observation features?
>>
>> I would certainly like to hear from some of your members regarding the
>> defenses and protections for VOIP systems that a company can logically
>> employ.
>>
>> In addition, has anyone made any headway into the detection and removal of
>> Trojans or rootkits on cellphones?  This appears to be a rather large effort
>> for attacking devices such as iPhones, BlackBerrys etc.
>>
>> Thanks, Bob Rolen
>> _______________________________________________
>> Voipsec mailing list
>> Voipsec at voipsa.org
>> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>>
>>
>>
>
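Added example for the logging recommendation in Jason's mail (my own code, not Cisco's; the event format, field names and addresses are constructed for this example): correlate an Extension Mobility logout on a phone with an RTP stream that starts shortly afterwards from that phone to an address that is not the peer of any active call on it. That is the "potential security incident" he suggests logging, reduced to a rule over call-control and media events.

```python
"""Flag RTP from a phone to a destination that is not the peer of any active
call on that phone, shortly after an Extension Mobility logout on it.

Added example, not code from the thread or from Cisco. The event format and
the addresses are constructed; a real deployment would feed this from call
detail records and phone web-service logs in whatever form it has them.
"""
from datetime import datetime, timedelta

# Constructed events (not real data): time, kind, key=value fields.
SAMPLE_EVENTS = """\
2009-10-20T12:00:00 call-start phone=10.1.1.50 peer=10.1.1.60
2009-10-20T12:00:01 rtp-start phone=10.1.1.50 dst=10.1.1.60
2009-10-20T12:05:00 call-end phone=10.1.1.50 peer=10.1.1.60
2009-10-20T12:06:00 em-logout phone=10.1.1.51
2009-10-20T12:06:03 rtp-start phone=10.1.1.51 dst=10.9.9.9
2009-10-20T12:30:00 em-logout phone=10.1.1.52
2009-10-20T12:45:00 rtp-start phone=10.1.1.52 dst=10.9.9.9
"""


def parse_event(line):
    """Turn one constructed event line into a dict of its fields."""
    ts, kind, *fields = line.split()
    ev = {"ts": datetime.fromisoformat(ts), "kind": kind}
    for field in fields:
        key, value = field.split("=", 1)
        ev[key] = value
    return ev


def find_suspicious_rtp(text, window_seconds=300):
    """Return (phone, dst, time) for each RTP stream that starts within the window
    after an em-logout on the same phone and is not media to an active call peer."""
    events = sorted((parse_event(l) for l in text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    active = {}       # phone -> set of peers with a call in progress
    last_logout = {}  # phone -> time of the most recent em-logout
    window = timedelta(seconds=window_seconds)
    findings = []
    for ev in events:
        phone = ev["phone"]
        if ev["kind"] == "call-start":
            active.setdefault(phone, set()).add(ev["peer"])
        elif ev["kind"] == "call-end":
            active.get(phone, set()).discard(ev["peer"])
        elif ev["kind"] == "em-logout":
            last_logout[phone] = ev["ts"]
        elif ev["kind"] == "rtp-start":
            if ev["dst"] in active.get(phone, set()):
                continue  # media to the legitimate call peer, nothing to report
            logout = last_logout.get(phone)
            if logout is not None and ev["ts"] - logout <= window:
                findings.append((phone, ev["dst"], ev["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for phone, dst, when in find_suspicious_rtp(SAMPLE_EVENTS):
        print(f"{when}: {phone} streaming to {dst} with no active call after EM logout")
```

The rule fires on the sample's second phone only; the third phone's stream comes fifteen minutes after its logout and is caught only with a wider window. Any RTP that leaves a phone with no matching call is worth a log line on its own, which is why the active-call check is kept separate from the logout timing.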
