Mais conteúdo relacionado Semelhante a VoIP: Attacks & Countermeasures in the Corporate World (20) Mais de Jason Edelstein (10) VoIP: Attacks & Countermeasures in the Corporate World1. VoIP:
Attacks & Countermeasures
in the Corporate World
1 © Sense of Security 2007 www.senseofsecurity.com AusCERT - May 2007
2. VoIP Security
Agenda
• Introduction
• Typical VoIP Network Architecture
• Anatomy of VoIP Attacks
• Demo of a few VoIP Attacks
• Countermeasures
2 © Sense of Security 2007 www.senseofsecurity.com AusCERT - May 2007
3. VoIP Security
Introduction
• Historically trends and advances in IT outpace security
requirements. e.g. 802.11 Wireless. VoIP is the same.
• Tools are becoming more readily available.
• Many of the threats against VoIP are the same threats
inherited from the data networking world.
e.g. eavesdropping, mitm, replay etc.
3 © Sense of Security 2007 www.senseofsecurity.com AusCERT - May 2007
4. VoIP Security
Key Threats
• Denial of Service
– attacks against availability
• Eavesdropping
- unauthorised interception of voice packets
• Impersonation
– masquerading as a handset or a piece of VoIP infrastructure
4 © Sense of Security 2007 www.senseofsecurity.com AusCERT - May 2007
5. VoIP Security
Disclaimer
The techniques demonstrated are not vendor specific.
Our attacks are against an “out of the box” or “default”
implementation of VoIP.
We are not responsible for what you do with the tools and
techniques demonstrated!
5 © Sense of Security 2007 www.senseofsecurity.com AusCERT - May 2007
6. VoIP Security
Typical Cisco VoIP Implementation
CISCO IP PHONE
7941SERIES
1 2 3
ABC DEF
?
4 5 6
GHI JKL MNO
- +
7 8 9
PQRS TUV WXYZ
0 #
* OPER
IP Phone #1
x 1000
IP Phone #2
x 2000
1 3 5 7 9 11 13 15 17 19 21 23 CATALYST 3550
1 2
SYSTEM
RPS
STAT
UTIL
DUPLEX
SPEED 2 4 6 8 10 12 14 16 18 20 22 24
Cisco Call Manager
IP Phone #3 v4.X
x 3000
Data Voice
VLAN 2 VLAN 6
6 © Sense of Security 2007 www.senseofsecurity.com AusCERT - May 2007
7. VoIP Security
Anatomy of Attack – Impersonation
• Step 1: Determine MAC address of handset
• Step 2: Change MAC address on PC
• Step 3: Use Softphone to make a call as that extension
7 © Sense of Security 2007 www.senseofsecurity.com AusCERT - May 2007
8. VoIP Security
Anatomy of Attack - Eavesdropping
• Step 1: Gather initial information
• Step 2: Get access to voice VLAN
• Step 3: Locate phone targets
• Step 4: Execute ARP poisoning attack and record voice call
8 © Sense of Security 2007 www.senseofsecurity.com AusCERT - May 2007
9. VoIP Security
Information Gathering
• Cisco phone information disclosure
• IP addresses: DHCP, Call Manager, TFTP, DNS Servers
9 © Sense of Security 2007 www.senseofsecurity.com AusCERT - May 2007
10. VoIP Security
• Plug into the PC port and sniff!
10 © Sense of Security 2007 www.senseofsecurity.com AusCERT - May 2007
11. VoIP Security
Get on the Voice Network
• Use the info we have gathered to get on the Voice VLAN.
• Configure the network adapter to tag all ethernet frames
with the voice VLAN.
• Voila! We are on the voice VLAN.
• Now we can attack any system on the voice network.
11 © Sense of Security 2007 www.senseofsecurity.com AusCERT - May 2007
12. VoIP Security
MITM Attack – ARP Theory
1 3 5 7 9 11 13 15 17 19 21 23 CATALYST 3550
1 2
SYSTEM
RPS
STAT
UTIL
DUPLEX
SPEED 2 4 6 8 10 12 14 16 18 20 22 24
12 © Sense of Security 2007 www.senseofsecurity.com AusCERT - May 2007
13. VoIP Security
MITM Attack - ARP Poisoning Theory
Attackers PC
IP: 10.6.0.40
MAC: D IP Phone #2
IP: 10.6.0.20
MAC: B
1 3 5 7 9 11 13 15 17 19 21 23 CATALYST 3550
1 2
SYSTEM
RPS
STAT
UTIL
DUPLEX
SPEED 2 4 6 8 10 12 14 16 18 20 22 24
IP Phone #3
IP: 10.6.0.30
MAC: C
13 © Sense of Security 2007 www.senseofsecurity.com AusCERT - May 2007
14. VoIP Security
MITM Attack – Execution
• Start Cain & Abel and configure ARP poisoning.
• Cain & Abel also has the capability to record a call.
• Sit back and wait!
14 © Sense of Security 2007 www.senseofsecurity.com AusCERT - May 2007
15. VoIP Security
Game Over!
15 © Sense of Security 2007 www.senseofsecurity.com AusCERT - May 2007
16. VoIP Security
Some Attack Possibilities..
• Telephone banking / Voicemail PIN disclosure
• Insertion of audio into conversation
• Real-time voicemail capture
16 © Sense of Security 2007 www.senseofsecurity.com AusCERT - May 2007
17. VoIP Security
Compromising the PIN
• Telephone banking requires a user to enter a customer
number and PIN using the touchpad.
• Each number pressed sends a unique tone which is
interpreted by the end system.
17 © Sense of Security 2007 www.senseofsecurity.com AusCERT - May 2007
19. VoIP Security
• But which buttons were pressed?
19 © Sense of Security 2007 www.senseofsecurity.com AusCERT - May 2007
20. VoIP Security
Countermeasures
Cisco Switch:
• Enable DHCP Snooping
• Enable Dynamic ARP Inspection
• Enable IP Sourceguard
• Enable Port Security
• Implement VLAN ACLs
• Implement 802.1x
20 © Sense of Security 2007 www.senseofsecurity.com AusCERT - May 2007
21. VoIP Security
Countermeasures (cont.d)
Cisco Call Manager: (Not without some side effects!)
• Disable Settings button on phone
• Disable Span to PC port
• Disable Gratuitous ARP
• Disable PC Voice VLAN Access
• Configure Signaling & Media Encryption!
21 © Sense of Security 2007 www.senseofsecurity.com AusCERT - May 2007
22. VoIP Security
How Real is the Threat in Australia?
• One Australian organisation suffers a major telephone hack
each and every day.
• AusCERT Computer Crime and Security Survey 2006 shows
average value of loss of over $60,000.
• The largest phone hack on record is $1.7M.
• 97% not reported due to risk of adverse publicity.
• Threat to phone service - how would your business cope
without phones for an entire day?
• Telstra, Optus and Macquarie Telecom have written to
clients warning of the dangers and confirming the customer
is liable.
22 © Sense of Security 2007 www.senseofsecurity.com AusCERT - May 2007
23. VoIP Security
Conclusion
• Most current implementations of VoIP are insecure.
• VoIP can be secured with the right know how.
• The only way to know if your implementation is secure is
to have it audited by independent experts.
23 © Sense of Security 2007 www.senseofsecurity.com AusCERT - May 2007
24. VoIP Security
Questions?
Contact:
Jason Edelstein
T: +61 2 9290 4441
E: jasone@senseofsecurity.com.au
www.senseofsecurity.com.au
24 © Sense of Security 2007 www.senseofsecurity.com AusCERT - May 2007