General Articles

VoIP Security Videos on Youtube

Here are a couple of videos from the folks at VoIPShield illustrating some VoIP attacks. The first one shows a hacker walking into an office area (they say it is a bank) and after they distract the receptionist, they disconnect the lobby area VoIP phone and plug in their laptop and presumably launch a DoS attack that takes down the phone system. The entire attack only takes a few seconds, which is theoretically possible, but would normally take longer, because you would probably have to collect and spoof the IP address and possibly MAC address. Also, I am aware of a number of flood-based DoS attacks that will affect a VoIP system. This video implies that there are also some "single-packet-of-death" vulnerabilities out there, which is certainly possible. VoIPShield sells products that provide some countermeasures to these attacks, although arguably the best countermeasure is to use 802.1x (assuming the VoIP phone supports it) or at least port security. This is especially important for semi-public VoIP phones. Or you could put a good-old-fashioned analog phone in these areas.

http://www.youtube.com/watch?v=x56j2BRkUME

Here is another video about a hacker in a hotel, who seems to be using a Man-In-The-Middle attack to gain access to calls, which they in turn record. The target again seems to be a bank. I am not sure why they are showing this attack originate in a hotel, unless they are trying to record calls within the hotel, which is possible, but if I were a hotel manager, I would never put pricey VoIP phones in the rooms.

http://www.youtube.com/watch?v=S-3CW-epFBM

The final video shows a hacker who is apparently blocked - he gets a big "access denied" message all over his screen. I assume the idea here is that the target is using VoIPShield's security products.

http://www.youtube.com/watch?v=OLwzef_OZzA

Another Link to Voicecon Video

Dan York, of Bluebox Podcast fame, posted the following link to the VoIPSA web page with the video I did at Voicecon.

http://voipsa.org/blog/2008/04/18/information-week-interviews-securelogix-about-voip-security/

VoIP Security Poll

Peter Thermos has a brief, one-question survey. Fill it out if you get a chance:

http://www.vopsecurity.org/index.php?name=Polls&pollID=5

Quarterly Summary of Vulnerabilities

Shawn Merdinger posted a summary of VoIP vulnerabilities for Q1 (Jan-March) on VoIPSA. It's great to see this. I hope he or someone does this each quarter.

http://voipsa.org/blog/2008/04/14/quarterly-voip-vulnerabilities-summary/

Link to A SIP Analysis Tool

Here is a post on VoIPSA about a new SIP analysis tool. Thanks to Shawn Merdinger:

http://voipsa.org/blog/2008/04/16/xplico-network-forensic-analysis-tool/

VoIPShield Releases Extensive List of VoIP Vulnerabilities

VoIPShield recently released an extensive list of VoIP vulnerabilities on their Vulnerabilities Research page. It's a fairly long list. The vulnerabilities are not described in a lot of detail, no exploits are given, nor are any detailed countermeasures described. Some of the vulnerabilities have been addressed by vendors, while others are pending. I will try to review this in more detail in the future. In the meantime, Dan York did a nice review that you can read at:

http://voipsa.org/blog/2008/04/02/voipshield-announces-discovery-of-over-100-vulnerabilities-in-cisco-avaya-nortel-voip-systems/

Short Video on Voice/VoIP Security From Voicecon

Here is a short video where I was interviewed by Fritz Nelson of NoJitter at the most recent Voicecon. It captures a summary of where I believe we are right now with VoIP security:

http://www.nojitter.com/blog/archives/2008/03/voicecon_video.html

In summary:

o The major PBX vendors are doing a better and better job of securing their systems, although new features do add complexity and therefore, new vulnerabilities.

o Enterprises are often leaving these systems in a default configuration and/or not taking advantage of available security features.

o Enterprise VoIP systems are vulnerable. However, the threat of actual attack is still relatively low. This threat will grow over the coming years.

o An assessment of an enterprise VoIP system is the best first step in understanding and mitigating vulnerabilities.

o Denial of Service (DoS) is the major vulnerability faced by enterprises.

o Traditional/legacy voice application attacks are still much more common than VoIP attacks. Issues like toll fraud, poorly secured modems, unauthorized ISP modems, fax SPAM, harassing callers, etc., remain big issues.

See our website for descriptions of VoIP/voice security products and services:

www.securelogix.com

New Nmap Released

Nmap 4.60 was released on March 26 with some new features and fixes, including improvements in operating system and service detection and some fixes to existing bugs.

Nmap can now be found at:

http://nmap.org

eWeek Article

eWeek published an article on VoIP security. They included several quotes. Note that the comment about traditional threats has the word "backspam"; that should be "fax spam" :)

http://www.eweek.com/c/a/Security/VOIPSpecific-Attacks-Not-an-Issue-Yet/

Let Asterisk Do Your VoIP Tool's Heavy Lifting

We can all imagine what it might be like to have all the phones in your office simultaneously assaulted with SPIT calls. In my humble opinion, imagination doesn't do justice to the actual experience; it was maddening enough in a lab setting with only 4 phones simultaneously ringing with SPIT calls.

In the summer of 2006, Mark assigned me the task of producing a tool to generate SPIT calls to demonstrate to customers how aggravating SPIT can be. He also wanted to feature the tool in his Hacking Exposed VoIP book. He suggested I consider the open-source SIPp project as the base program to use for the tool - which wasn't a bad suggestion. In 2006, SIPp was already a useful tool for generating SIP traffic - meaning VoIP signaling traffic, but it wasn't a call generator in the telemarketing sense with any built-in sophisticated call management (signaling and audio). I wanted to be able to generate a lot of simultaneous calls over a VoIP trunk with coordinated audio playback. I could envision taking quite a while to augment SIPp to support that requirement.

With the Internet at my fingertips, I searched to see if anyone out there had already published an open-source SPIT tool. I couldn't find one cached by the major search engines. However, I did find a tool called TeleYapper. It was produced by a guy who wanted to automate his notifications to parents of players on the softball team he coached; things like where/when the next practice or game would be held, weather-related cancellations, etc. He used the @Home version of Asterisk and created an appropriate dial-plan to accomplish his goals. He could call his Asterisk IP PBX from a remote location (e.g. from work), record a message, and have Asterisk begin calling phone numbers stored in a MySQL database to play that message to his softball team's parents. He had it detecting when a voicemail machine answered his call and delayed the notification during the voicemail's greeting. He even had it set up so it would remember to call numbers again that went unanswered or were busy.

TeleYapper pretty much fit the bill for what Mark wanted. It certainly was flexible. It had a license somewhat similar to the GNU open-source license, but not exactly. It did require a MySQL database.

At the time, I had also recently come up-to-speed and was experimenting with Asterisk for a section of the Hacking Exposed VoIP book. Taking inspiration from TeleYapper, I thought I'd let Asterisk do the "heavy lifting" for the SPIT tool. I could produce a fairly simple SPIT dial-plan and a little C program to provoke Asterisk to make calls over a SPIT trunk. I named the little C program "spitter". How original!

spitter requires access to the outgoing spool folder of an Asterisk installation which squat thrusts the SPIT calls for you. I've always run spitter on the same platform where Asterisk is installed, but I suppose spitter could be run on a separate platform with Asterisk's outgoing spool folder mounted remotely. spitter inputs an ASCII file with simply formatted "call records". Each call record stipulates the SPIT trunk (i.e. a dial-plan "context" in Asterisk parlance), the target destination (i.e. phone number), a calling line ID (i.e. text) to supply to the destination, the name of a sound file to play, and the step number of the dial-plan context where the call handling should begin (i.e. the "priority" in Asterisk parlance). spitter merely processes the input file of call records sequentially. It copies a call record within the input file into its own uniquely named "call file". It then moves that file into Asterisk's outgoing spool folder. When Asterisk detects a file within its outgoing spool folder, it automatically launches the call in accordance with the call record found in that file. It removes the call file from its outgoing spool folder when the call completes.

The spitter command line permits you to limit the number of spitter call files present in Asterisk's outgoing spool folder at any one time. The limit does two things: 1) it prevents the PC running spitter and Asterisk from becoming saturated; and 2) it prevents your telephony trunk from becoming saturated or from violating any simultaneous call limit imposed by the service provider. In the former case, if you have an input file with a lot of call records (e.g. hundreds), the limit can prevent Asterisk from attempting to launch so many simultaneous calls that you encounter the Linux "too many files open" error. Otherwise, the number of simultaneous calls you can produce is only limited by the robustness of your PC, and the maximum bandwidth of your telephony trunk or a service provider simultaneous call limit.

Naturally, we're not suggesting anyone should actually employ spitter or Asterisk to perpetrate a real-life SPIT gatling gun any more than we would encourage the abuse of TeleYapper as a real-life SPIT platform. spitter is intended for illustrative purposes only. We hope it aids fellow whitehats to produce and test systems to thwart the SPIT calls we all know are coming eventually.

The next time you're thinking of producing a tool that requires a serious level of built-in call management support, consider the open-source Asterisk IP PBX to do your heavy lifting. It supports several signaling protocols and includes useful dial-plan functions. See:

www.asterisk.org

The Hacking Exposed VoIP book contains additional information about spitter and includes examples.

This isn't intended to knock the SIPp project. SIPp is a very useful tool for performance testing a VoIP product. It's great for driving vectors of certain sequences of SIP signaling messages to your target system to verify it is well-behaved.

Mark O'Brien
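
The outgoing-spool mechanism described in the post above can also be watched from the defender's side. The following is an added example (not code from the post, the book or the Asterisk project) that parses standard Asterisk call files (`Key: value` lines) and flags a spool snapshot holding too many pending calls, or one context and caller ID fanning out to many destinations; the function names, thresholds and sample call files are constructed assumptions.

```python
from collections import defaultdict

def parse_call_file(text):
    """Parse the 'Key: value' lines of an Asterisk call file (keys lower-cased)."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def audit_spool(call_files, max_pending=10, max_fanout=3):
    """Audit one snapshot of the spool, given as {filename: file text}.

    Files disappear when their call completes, so poll repeatedly in practice.
    Thresholds are assumptions; tune them to the site's legitimate auto-dialing.
    """
    findings = []
    if len(call_files) > max_pending:
        findings.append(("pending-limit", len(call_files)))
    targets = defaultdict(set)                # (context, caller ID) -> channels
    for name, text in call_files.items():
        fields = parse_call_file(text)
        if "channel" not in fields:
            findings.append(("malformed", name))
            continue
        key = (fields.get("context", ""), fields.get("callerid", ""))
        targets[key].add(fields["channel"])
    for (context, caller_id), channels in sorted(targets.items()):
        if len(channels) > max_fanout:
            findings.append(("fanout", context, caller_id, len(channels)))
    return findings

# Constructed sample snapshot: five calls sharing one context and caller ID,
# one ordinary reminder call, and one file with no Channel line.
TEMPLATE = "Channel: SIP/trunk/{}\nCallerID: {}\nContext: {}\nExtension: s\nPriority: 1\n"
SAMPLE = {f"bulk{i}.call": TEMPLATE.format(5550100 + i, '"Prize Line" <5550199>', "bulk-out")
          for i in range(5)}
SAMPLE["reminder.call"] = TEMPLATE.format(5550142, '"Clinic" <5550111>', "reminders")
SAMPLE["broken.call"] = "; no channel here\nContext: bulk-out\n"

if __name__ == "__main__":
    for finding in audit_spool(SAMPLE, max_pending=5):
        print(finding)
```
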
