Copyright Security-Assessment.com 2004

Security-Assessment.com

Hacking VoIP

Is your Conversation confidential?

by Nick von Dadelszen and Darren Bilby

VoIP Trends

• VoIP is becoming more popular and its use will increase in future

• Many ISPs and telcos are starting to offer VoIP services

• Like most other phone calls, it is presumed to be confidential

Types of Phones

• SoftPhone

• HardPhone

Typical VoIP Architecture

Attacks Against VoIP

• Multiple attack avenues:

– Standard traffic capture attacks

– Bootp attacks

– Phone-based vulnerabilities

– Management interface attacks

Consequences of Attacks

• Consequences of VoIP attacks include:

– Listening or recording phone calls

– Injecting content into phone calls

– Spoofing caller ID

– Crashing phones

– Denying phone service

– VoIP Spamming

VoIP Protocols

• H.323

– Earlier protocol, though still used today

– Provides for encryption and authentication of data

• SIP

– Digest authentication based on HTTP, but often not enabled

– No encryption

• MGCP

– Relies on IPsec for security, but most current phones don’t support IPsec
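
Added example (not part of the original slides): a defender-side audit of captured SIP signalling for the two SIP weaknesses listed above. It flags requests the server accepted with 200 OK although they carried no digest credentials, and requests whose Via transport is not TLS. The capture text, host names, Call-IDs and the audit() and parse() helpers are constructed for illustration.

```python
# Constructed sample capture (not from the slides); a blank line separates
# messages. First REGISTER is accepted outright, second is challenged with 401.
CAPTURE = """\
REGISTER sip:pbx.example.test SIP/2.0
Via: SIP/2.0/UDP 192.0.2.10:5060
Call-ID: a1
CSeq: 1 REGISTER

SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.0.2.10:5060
Call-ID: a1
CSeq: 1 REGISTER

REGISTER sip:pbx.example.test SIP/2.0
Via: SIP/2.0/TLS 192.0.2.11:5061
Call-ID: b2
CSeq: 1 REGISTER

SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS 192.0.2.11:5061
Call-ID: b2
CSeq: 1 REGISTER
WWW-Authenticate: Digest realm="pbx", nonce="constructed"
"""

def parse(capture):
    """Split the capture into (start_line, headers) pairs."""
    for block in capture.strip().split("\n\n"):
        start, *lines = block.splitlines()
        yield start, {k.strip().lower(): v.strip()
                      for k, v in (l.split(":", 1) for l in lines)}

def audit(capture):
    """Return {call_id: [findings]} for weakly protected SIP transactions."""
    findings, has_creds = {}, {}
    for start, h in parse(capture):
        key = (h["call-id"], h["cseq"])          # ties a response to its request
        if not start.startswith("SIP/2.0"):      # request line, e.g. REGISTER ...
            transport = h["via"].split()[0].rsplit("/", 1)[1].upper()
            has_creds[key] = "authorization" in h or "proxy-authorization" in h
            if transport != "TLS":
                findings.setdefault(h["call-id"], []).append(f"cleartext transport ({transport})")
        elif start.split()[1] == "200" and has_creds.get(key) is False:
            # Heuristic: success without a prior 401/407 challenge being answered
            findings.setdefault(h["call-id"], []).append("accepted without digest credentials")
    return findings

if __name__ == "__main__":
    print(audit(CAPTURE))
```

The "accepted without digest credentials" finding is a heuristic: a server that trusts a peer by source address would trigger it as well, so confirm against the server's configuration.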

Use of VLANS

• Cisco recommends separate VLANs for data and voice traffic

• To ease implementation, many phones allow sharing of network connections with desktop PCs

• VoIP allows the use of SoftPhones installed on desktop PCs

• Therefore voice traffic cannot be separated from the rest of the network

Capturing VoIP Data

• Ethereal has built-in support for some VoIP protocols

• Has the ability to capture VoIP traffic

• Can dump some forms of VoIP traffic directly to WAV files.

Audio Capture

Other Tools

• Vomit

– Injects wave files into VoIP conversations

• Tourettes

– Written by a staff member of a customer for fun

– Injects random swear words into a conversation

Example Phone Exploit

• CAN-2002-0769

• Cisco ATA-186 Web interface could reveal sensitive information

• Sending a POST request consisting of one byte to the HTTP interface of the adapter reveals the full configuration of the phone, including administrator password

• IP Phones – Another thing to patch!

Caller ID Spoofing

• Caller ID is based on a Calling Party Number (CPN)

• This is always sent when a call is placed

• A privacy flag tells the receiver whether to show the number or not

• It has always been possible to spoof Caller ID, but doing so needed expensive PBX equipment.

• With VoIP PBX software, spoofing is easier

• Has repercussions for phone authentication