Telephone Defenses Against the Dark Arts
James M. Atkinson
Granite Island Group
www.tscm.com
Telephone Vulnerability Basics
1. Instrument
2. Local Distribution
3. Local Switch
4. Demarcation/Network Interface
5. Transmission
6. Switching
Instrument Vulnerabilities
1. Speaker or Microphone Exploit
2. Installation of Foreign Device
3. Hookswitch Manipulation
4. Software/Firmware Exploits
5. Normal Operation Exploits
6. Moderate Protection, Easy to Subvert
Local Distribution Vulnerabilities
1. Wall Plates
2. Raw Wiring
3. Cross Connection Points
4. Normally Not Protected or Supervised
Local Switch Vulnerabilities
1. Cross Connection Points
2. Switch Inputs/Outputs
3. Switch/PCM Backplane
4. Parallel Channels
5. Switch Software/Firmware Exploits
6. May or May Not Be Protected
Demarcation/Network Interface Vulnerabilities
1. Ripe for Exploitation
2. Poorly Protected
3. Generally Accessible
4. Target Specific
5. Significant Choke Point
Local Transmission Network Vulnerabilities
1. Post Demarcation/NID
2. Before Switch
3. Easy to Isolate Single Subscriber
4. Open Terminals and Boots
5. Not Protected, Wide Open
Switching Vulnerabilities
1. Central Office
2. Used to Be Huge Buildings
3. Modern Small Scale Switching
4. Post 9-11 Logo Removals
5. High Value OVERT Choke Point
   • CALEA and .gov targeting
6. Usually Highly Protected
Transmission Network Vulnerabilities
1. Mostly Single Mode Fiber Optics
2. Accessible Public Pathways
3. Usually Well Marked
4. High Value COVERT Choke Point
5. Cable Vaults on Alarms
6. “Supervised” Against Breakage
Telephonic Integration
• Voice over IP
   • Cable Modems
   • Other Broadband Services
• ISDN
• Fiber Optic Internet Service
• EVDO
• Other Wireless Services
The Realistic Threat
• RF Device
• Hard Wired Recorder
• Wireless Intercept
• Software Manipulation
• Other Methods
Essential Tasks
• Conductor Inventory
• Pathway Mapping
• Known Electronic Metrics
   • Re-Testing Against Metric
   • Open Testing
• Physical Inspection
Auditing Telephone Instruments
• What Kind of Phones
• “Soft Under-Belly”
• What Should It Normally Do
   • Is It a Risk?
   • Is It a Threat?
   • Hostile Manipulation?
• Feature, Hazard, or Risk?
Auditing Wiring
• What Wire is in the Walls?
• What Wire is in the Ceiling?
• Wall Plates?
• Termination Points
• Junction Points/Punch Blocks
Auditing Wiring
• Conductor Maps
   • Signal Pathways
   • Pair Combinations
   • Industry Standard Pin-Outs
   • Color Codes?
   • Conductor Length
      • Fractions of an Inch Accuracy
   • Non Linear Junction Combinations
Auditing Transmission Paths
• Map Out Every
   • Cable
   • Conductor
   • Wire
   • Fortuitous Pathway
   • Location Must Be Within Inches
Auditing Switching Systems
• What is the Default Generic?
   • Actual Translation?
   • What is Different?
   • Is it Safe?
• Always Reduce to Hardcopy Form
Auditing Secure Communications Systems
• Tampering with Actual Instrument
• Tampering with:
   • Uncontrolled Accessories
   • Handsets, Cords, Cables
   • Power Supplies
   • Low Bandwidth (300 Hz) Filter Bypass
   • Proximity to RF Emitters
Prior Penetrations, Hacks, and Attacks
• Common Manipulations
• Raw Hacking/Manipulations
• Naked Attacks
• Appropriate Counter Measures
VOIP Attacks
• Extremely High Risk
   • Rarely Utilize Hook Switch
   • Open Microphone
   • Firmware Can Be Remotely Updated
   • Network Provides a Serious Choke Point
Mechanisms to Detect and Defeat VOIP Attacks and Exploits
• Detection
   • Unregistered IP Address on VOIP NW
   • Non-VOIP Asset on VOIP Network
   • Hub, not Switch Being Used
   • Machine Being Used On Backbone
      • Classic Man-in-the-Middle Exploit
   • Suspect Data Traffic on an Unused VOIP Phone Line
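
The detection checks listed above can be run as an audit of what is seen on the VoIP segment against the phone inventory. The sketch below is an added example, not part of the original slides; the inventory, the vendor prefix, the observation records, and the idle-traffic threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed inventory of registered VoIP phones: IP -> (MAC, switch port, line in use?)
REGISTERED = {
    "10.20.0.11": ("00:11:22:aa:00:01", "Gi1/0/1", True),
    "10.20.0.12": ("00:11:22:aa:00:02", "Gi1/0/2", True),
    "10.20.0.13": ("00:11:22:aa:00:03", "Gi1/0/3", False),  # spare desk, line unused
}
PHONE_OUIS = {"00:11:22"}  # hypothetical vendor prefix of the approved handsets

# Constructed observations from the VoIP network: (src IP, src MAC, switch port, bytes)
OBSERVED = [
    ("10.20.0.11", "00:11:22:aa:00:01", "Gi1/0/1", 48_000),
    ("10.20.0.12", "00:11:22:aa:00:02", "Gi1/0/2", 51_000),
    ("10.20.0.99", "de:ad:be:ef:00:01", "Gi1/0/2", 9_000),
    ("10.20.0.13", "00:11:22:aa:00:03", "Gi1/0/3", 730_000),
]

def audit(observed, registered=REGISTERED, phone_ouis=PHONE_OUIS, idle_bytes=5_000):
    """Return a sorted list of (finding, subject) tuples for the VoIP segment."""
    findings = set()
    macs_per_port = defaultdict(set)
    for ip, mac, port, nbytes in observed:
        mac = mac.lower()
        macs_per_port[port].add(mac)
        entry = registered.get(ip)
        if entry is None:
            findings.add(("unregistered-ip", ip))
        elif entry[0].lower() != mac:
            findings.add(("mac-mismatch", ip))
        elif not entry[2] and nbytes > idle_bytes:  # assumed threshold for an idle line
            findings.add(("traffic-on-unused-line", ip))
        if mac[:8] not in phone_ouis:
            findings.add(("non-voip-asset", mac))
    for port, macs in macs_per_port.items():
        if len(macs) > 1:  # more than one device behind one port: hub or inserted machine
            findings.add(("multiple-macs-on-port", port))
    return sorted(findings)

if __name__ == "__main__":
    for finding, subject in audit(OBSERVED):
        print(f"{finding:24} {subject}")
```
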
Methods to Secure VOIP Systems
• Utilize Smart Switches
• Keep VOIP Terminals on Dedicated Networks and Gateways
• Do Not Integrate in Data Networks
• Lockdown Instrument Firmware
   • Disallow Firmware Updates
Cardinal Rule
Convenience and Privacy are Inversely Proportional™