[VOIPSEC] VOIP Telephone exploitation

Wyss, Felix Felix.Wyss at inin.com
Tue Oct 20 19:46:10 CDT 2009


That's a classic downgrade attack ("weakest link") and not specific to SIP over TLS/TCP.  If you don't configure your VoIP system to require the use of TLS for all security relevant signaling, you may just as well save yourself the trouble of using TLS.  

--Felix

> -----Original Message-----
> From: voipsec-bounces at voipsa.org [mailto:voipsec-bounces at voipsa.org] On
> Behalf Of Gilbert Lee
> Sent: Tuesday, October 20, 2009 19:05
> To: voipsec at voipsa.org
> Cc: brolen
> Subject: Re: [VOIPSEC] VOIP Telephone exploitation
> 
> Hi, all. This year, I've analyzed SIP over TLS and SRTP.
> What if port number 5061 (the default port number for cipher text
> communication) is blocked through the network by an attacker?
> If I were an attacker (hacker), I would not sniff TLS messages because they are
> hard to analyze.
> Instead, the attacker would block port 5061 and the SIP device would
> send plain (not cipher) SIP messages using port 5060 for backward compatibility.
> In this way, the attacker can obtain the SIP messages and the RTP key (Pre-Shared Key)
> used in RTP communication easily.
> It may be a sort of SSL strip hacking technique, as I think.
> 
> What do you think of it?
> 
> Regards,
> Gilbert
> 
> On Tue, Oct 20, 2009 at 12:08 PM, Jason Ostrom <jpo at pobox.com> wrote:
> 
> > Bob,
> >
> > By "remote eavesdropping", I believe you are referring to the vulnerability
> > that Cisco confirmed and acknowledged over two years ago involving the
> > Extension Mobility feature, credit to Joffey Czarny [1].  The implementation
> > of this attack as I know it exists involves sending http xml commands to the
> > web service of the Unified IP Phone, with valid extension mobility
> > credentials.
> >
> > In the notice you can see recommended security practices to help mitigate
> > against this issue.  It's funny because yet again we come full circle and
> > this issue proves one of the oldest InfoSec problems.  When you gain access
> > to one's credentials, bad things can happen.  Same for VoIP applications as
> > it is for any other application (i.e. Email).  From what I have heard this
> > extension mobility is a very popular feature so a lot of customers wouldn't
> > want to disable it.  The largest risk that I see is that an end user (user
> > A) can be a valid, trusted internal extension mobility user, and uses
> > his/her own set of credentials in order to carry out this remote wiretapping
> > against anyone else's phone (user B).  So assuming you have already accepted
> > the risk of trusted insiders abusing the application service, here are some
> > recommendations:
> >
> > 1)  Enforce strong password policies
> > 2)  Enforce http / tls - don't send http passwords in the clear (a little
> > difficult to do in this case)
> > 3)  Enforce layer 2 security controls to prevent sniffing (Cisco DAI, or
> > equivalent)
> > 4)  Strong physical security / screening of users
> >
> > So to help solve the problem of valid user A wiretapping user B, you need
> > to have some way of easily logging the http xml commands when an extension
> > mobility user is logged out and RTP immediately gets sent to a remote
> > station over the network.  Something to log a potential security incident.
> >
> > Cisco Security Response:  Cisco Unified IP Phone Remote Eavesdropping
> > http://www.cisco.com/warp/public/707/cisco-sr-20071128-phone.pdf
> >
> >
> > brolen wrote:
> >
> >> Since the inception of your group, have you identified a clear cut
> >> strategy to detect, identify and guard against remote eavesdropping on a
> >> VOIP system such as the Cisco-IP phone.  In addition, what tests are being
> >> used to identify the activation of the remote maintenance or remote
> >> observation features.
> >>
> >> I would certainly like to hear from some of your members regarding the
> >> defenses and protections for VOIP systems that a company can logically
> >> employ.
> >>
> >> In addition, has anyone made any headway into the detection and removal of
> >> Trojans or rootkits on cellphones.  This appears to be a rather large effort
> >> for attacking devices such as I-phones, Blackberrys etc.
> >>
> >> Thanks, Bob Rolen
> >> _______________________________________________
> >> Voipsec mailing list
> >> Voipsec at voipsa.org
> >> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org

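The downgrade Gilbert describes and Felix's "require TLS or don't bother" answer, as an added example that is not part of the thread and not any vendor's code. It models a user agent that is told that 5061 is unreachable (the attacker's port filter) and either falls back to cleartext 5060 or fails closed, and it shows what a passive sniffer on 5060 actually gets: the SRTP master key and salt carried in the SDP `a=crypto` line (SDES, RFC 4568). The INVITE, hosts, tags and key bytes are constructed for the demo, and `require_tls` is our stand-in name for whatever a given product calls its "TLS only, no fallback" setting.

```python
"""Added example (not from the original thread): SIP TLS downgrade and
what a cleartext INVITE leaks. Every host, tag and key below is made up."""
import base64
import re

SIPS_PORT = 5061  # SIP over TLS (RFC 3261 default)
SIP_PORT = 5060   # cleartext SIP over UDP/TCP

# Constructed SRTP master key + salt (16 + 14 bytes), as SDES carries it.
SAMPLE_MASTER_KEY_SALT = bytes(range(1, 31))


def build_invite(key_salt: bytes) -> str:
    """Construct a plaintext INVITE whose SDP offers SRTP keyed via SDES."""
    inline = base64.b64encode(key_salt).decode()
    sdp = (
        "v=0\r\n"
        "o=- 1 1 IN IP4 192.0.2.10\r\n"
        "s=-\r\n"
        "c=IN IP4 192.0.2.10\r\n"
        "t=0 0\r\n"
        "m=audio 49170 RTP/SAVP 0\r\n"
        f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{inline}\r\n"
    )
    return (
        "INVITE sip:2002@pbx.example.test SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
        "From: <sip:2001@pbx.example.test>;tag=1928301774\r\n"
        "To: <sip:2002@pbx.example.test>\r\n"
        "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
        "CSeq: 314159 INVITE\r\n"
        "Content-Type: application/sdp\r\n"
        f"Content-Length: {len(sdp)}\r\n"
        "\r\n" + sdp
    )


# a=crypto:<tag> <suite> inline:<base64 key||salt>[|lifetime|mki]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)", re.M)


def extract_sdes_keys(sip_text: str) -> list:
    """What a passive sniffer learns from one cleartext INVITE: every SDES
    master key and salt, decoded. SRTP keyed this way is then decryptable."""
    found = []
    for tag, suite, b64 in CRYPTO_RE.findall(sip_text):
        raw = base64.b64decode(b64)
        found.append({"tag": int(tag), "suite": suite,
                      "key": raw[:16], "salt": raw[16:]})
    return found


def select_transport(tls_reachable: bool, require_tls: bool):
    """Model the UA's transport choice. Returns (transport, port), or None
    when the policy says fail closed rather than place a cleartext call."""
    if tls_reachable:
        return ("tls", SIPS_PORT)
    if require_tls:
        return None               # no call at all beats a sniffable call
    return ("udp", SIP_PORT)      # the downgrade: cleartext signaling + keys


def simulate(require_tls: bool, attacker_blocks_5061: bool = True) -> dict:
    """Run the scenario: attacker filters 5061; does the UA leak its keys?"""
    choice = select_transport(tls_reachable=not attacker_blocks_5061,
                              require_tls=require_tls)
    if choice is None:
        return {"transport": None, "leaked_keys": []}
    transport, port = choice
    wire = build_invite(SAMPLE_MASTER_KEY_SALT)
    # Only cleartext transports expose the SDP to an on-path observer.
    leaked = extract_sdes_keys(wire) if transport != "tls" else []
    return {"transport": transport, "port": port, "leaked_keys": leaked}


if __name__ == "__main__":
    for policy in (False, True):
        r = simulate(require_tls=policy)
        print(f"require_tls={policy}: transport={r['transport']} "
              f"leaked {len(r['leaked_keys'])} SDES key(s)")
```

With fallback allowed the sniffer recovers the full 30-byte key/salt from one packet; with the strict policy the phone simply cannot register or call while 5061 is filtered, which is the visible failure you want instead of a silent downgrade.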

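Jason's suggestion of logging the http xml commands and flagging the "EM user logged out, then RTP immediately leaves the phone for a remote station" sequence, as an added example that is not part of the thread and not Cisco's or anyone's product code. The event log format here is invented for the demo (real CUCM or phone logs look different and would need their own parser), and the phone and host addresses are constructed. The correlation itself is what Jason asks for: RTP from a phone to a destination that no signaled call explains, weighted up when it follows an Extension Mobility logout or an XML push from that same destination within a short window.

```python
"""Added example (not from the original thread): correlating constructed
phone/network events to flag remote-eavesdropping abuse of a desk phone."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events; the format is ours, not any vendor's log format.
SAMPLE_LOG = """\
2009-10-20T18:59:58 em_logout phone=10.0.5.21 user=alice
2009-10-20T19:00:03 xml_push phone=10.0.5.21 src=10.0.9.77 cmd=Play
2009-10-20T19:00:04 rtp_start phone=10.0.5.21 dst=10.0.9.77
2009-10-20T19:05:10 call_setup phone=10.0.5.22 peer=10.0.5.30
2009-10-20T19:05:11 rtp_start phone=10.0.5.22 dst=10.0.5.30
2009-10-20T19:40:00 em_logout phone=10.0.5.23 user=bob
2009-10-20T19:55:00 rtp_start phone=10.0.5.23 dst=10.0.9.77
"""


def parse(log: str) -> list:
    """Turn '<iso-ts> <kind> k=v k=v ...' lines into (ts, kind, fields)."""
    events = []
    for line in log.splitlines():
        ts, kind, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        events.append((datetime.fromisoformat(ts), kind, fields))
    return events


def find_remote_eavesdrop(events, window=timedelta(seconds=30)) -> list:
    """Alert on RTP leaving a phone with no call setup to that destination.
    Severity is 'high' when an EM logout on the phone and/or an XML push
    from that destination happened within `window` before the stream."""
    last_logout = {}             # phone -> ts of most recent em_logout
    pushes = defaultdict(dict)   # phone -> {src host: ts of xml_push}
    setups = defaultdict(dict)   # phone -> {peer: ts of call_setup}
    alerts = []
    for ts, kind, f in events:
        phone = f["phone"]
        if kind == "em_logout":
            last_logout[phone] = ts
        elif kind == "xml_push":
            pushes[phone][f["src"]] = ts
        elif kind == "call_setup":
            setups[phone][f["peer"]] = ts
        elif kind == "rtp_start":
            dst = f["dst"]
            if dst in setups[phone]:
                continue  # a normally signaled call explains this stream
            reasons = []
            lo = last_logout.get(phone)
            if lo is not None and ts - lo <= window:
                reasons.append(f"em_logout {int((ts - lo).total_seconds())}s earlier")
            pu = pushes[phone].get(dst)
            if pu is not None and ts - pu <= window:
                reasons.append(f"xml_push from {dst} {int((ts - pu).total_seconds())}s earlier")
            alerts.append({
                "ts": ts.isoformat(), "phone": phone, "dst": dst,
                "severity": "high" if reasons else "low",
                "reasons": reasons or ["rtp without call_setup to this destination"],
            })
    return alerts


if __name__ == "__main__":
    for a in find_remote_eavesdrop(parse(SAMPLE_LOG)):
        print(a["severity"].upper(), a["ts"], a["phone"], "->", a["dst"], "|", "; ".join(a["reasons"]))
```

The low-severity path matters too: a phone streaming audio to a host it never set up a call with is worth a look even without the logout and push in the window, since those two signals only sharpen the case.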