Two security experts at the hacker conference ToorCon9 in San Diego this week hacked into their hotel's corporate network using a Cisco VoIP phone.
The hackers, John Kindervag and Jason Ostrom, said they were able to access the hotel's financial and corporate network and recorded other phone calls, according to a blog post on Wired.com.
The hackers ran their penetration test with a tool called VoIP Hopper, which mimics the Cisco data packets sent at three-minute intervals and then trades a new Ethernet interface, getting the PC (which the hackers switched in place of the hotel phone) into the network running the VoIP, according to the blog post.
The Avaya configuration is superior to Cisco's, according to the hackers, because a sniffer alone is not enough and you have to send requests, although it can be breached the same way, by replacing the phone with a PC.
UPDATE 11/29/07: Cisco confirms ability to eavesdrop on remote calls using its VoIP phones
Cisco confirmed it is possible to eavesdrop on remote conversations using Cisco VoIP phones. In its security response, Cisco says: "an attacker with valid Extension Mobility authentication credentials could cause a Cisco Unified IP Phone configured to use the Extension Mobility feature to transmit or receive a Real-Time Transport Protocol (RTP) audio stream."
VoIP hacker clowns
What a freaking joke! Two bozos hack into a Cisco system, and then laud Avaya for its security? Guerrilla marketing if ever I heard it!
Saw the presentation
Saw the presentation meatpie, you might tap the brakes. The comment was that Avaya had *slightly* better security. They are just as vulnerable as Cisco IP Phones and they demonstrated that as well.
Reply to Meatpie
Typical reaction from a Cisco drone. It appears you have been swimming in your large vat of Cisco Kool-Aid for far too long. None of this should be surprising to anyone with a modicum of objectivity. Cisco is typically the target because they are the most deployed IP Communications system out there today. In addition, they market and promote their offering on a level way beyond what the rest of the enterprise vendors do. So it is quite logical they will be attacked more often than others. As indicated in these other posts, it does not mean the other vendors are bulletproof.
CDP has been widely known as a security risk for a long time. In Cisco's own documentation they recommend turning it off in some sections although they rely heavily on it for several functions related to their offering.
Makes No Sense
Wouldn't the hotel have had the VoIP on a separate VLAN from their data network? How did these guys jump those boundaries and get into the data VLAN?
How did they jump the boundaries? Simple, the hotel is a tightwad
The answer is the usual lack of money in IT. What is the last department in a company's budget? IT. We all know what we could do, if we had the resources!
You are right. I really
You are right. I really supported what you said. We all know what we could do, if we had the resources!
It's a point
The point is that VLANs aren't Boundaries...
We did this manually in 1996, without nice tools, but we didn't go to fancy venues and show off. We simply didn't deploy weak VLANs, and we didn't mix important data with lesser data...
Following a simple strategy outlined in the NSA IAM material, you would classify the VoIP and data network with the highest of the two sensitivities, and protect it as such.
In many cases, this means to STOP using VLANs to provide both sides of the connection.
I'm shocked that it takes a simple VLAN hacking tool to wake people up. This is old news.
Clarification
I agree. VLANs should never be relied on as a primary protection control or considered a security mechanism. And VLAN Hopping has been around for a long time, as 'Anonymous' seems to point out.
I won't go into the details of the Hotel configuration that allowed this, but I will say it was done manually two years ago, during a customer-authorized penetration test. Since that time, I have seen many other customer VoIP environments that allow the same issue.
I wrote VoIP Hopper in order to allow VoIP Administrators and Network Engineers to quickly test and automate the task, and improve the security of their VoIP environments.
I'm an independent security guy and was offering my opinion at ToorCon. I like both Cisco and Avaya, and work for neither company. Please don't shoot the messenger.
Jason Ostrom
http://voiphopper.sf.net
So what extra is there to an
So what extra is there to an Avaya install rather than sniffing packets? Both vendors use proprietary signaling and RTP (afaik) so I don't get the distinction. Are you saying that spoofing CDP to get the VLAN is easier than sending a DHCP request? Avaya will also use the VVID on the port if they aren't using trunking (which is worse). The MITM attack should have been knocked down by the network but that's poor admin. No distinction there between VoIP vendors either.
I'll tell you what's extra
I think the idea here was that Cisco IP Phones use CDP for auto-configuration and discovery of the VVID, which can be easily sniffed in a default configuration.
Avaya IP Phones, on the other hand, use a custom DHCP client that sends and decodes special parameters. They are provisioned via DHCP Option 55 (Parameter Request List), requesting Option 176, to discover the VVID.
Everything else being equal, a regular PC directly attached to the port can more easily sniff CDP than it can send the special DHCP request (which, by the way, a regular PC can't do by default). It's true that the VVID is a small bit of information that may be considered trivial by some, but in a blind attacker scenario, one would need the VVID before they can hop to the voice VLAN. I'm also not talking about reading the VVID off of the phone or Voice VLANs versus trunk ports properly pruned to only allow two VLANs. It is also assumed that CDP would be disabled on every port in an Avaya environment.
I think Cisco is great - in fact, I love Cisco.
-VoIP Hacker Clown
BTW, I've been called much worse than "VoIP Hacker Clown." In fact, the football coaches used to call me "Puck Head".
Go figure ;-)
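
The thread's two concrete hardening points, CDP left enabled on phone-facing ports and trunks not pruned to two VLANs, can be checked against a switch configuration. The following is an added example, not part of the original thread and not VoIP Hopper code; the sample configuration, the finding names and the `audit` helper are constructed for illustration, and it assumes an environment where phones learn the VVID via DHCP and a global `no cdp run` is not in effect.

```python
import re

# Constructed IOS-style switch config for illustration; not from the page.
SAMPLE_CONFIG = """\
interface Gi0/1
 switchport voice vlan 200
interface Gi0/2
 switchport voice vlan 200
 no cdp enable
interface Gi0/3
 switchport mode trunk
 switchport trunk allowed vlan 10,200
 no cdp enable
interface Gi0/4
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30-40,200
"""

STANZA = re.compile(r"^interface (\S+)\n((?: .*\n)*)", re.M)
ALLOWED = re.compile(r"switchport trunk allowed vlan ([\d,-]+)$")

def expand_vlans(spec):
    """Expand '10,30-40' into the set of VLAN IDs it names."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config, max_trunk_vlans=2):
    """Return {interface: [findings]} for phone-facing ports (hypothetical names)."""
    report = {}
    for name, body in STANZA.findall(config):
        lines = [ln.strip() for ln in body.splitlines()]
        voice = any(ln.startswith("switchport voice vlan ") for ln in lines)
        trunk = "switchport mode trunk" in lines
        issues = []
        # CDP stays enabled on an interface unless explicitly turned off.
        if (voice or trunk) and "no cdp enable" not in lines:
            issues.append("cdp-enabled")
        if trunk:
            allowed = [m.group(1) for ln in lines if (m := ALLOWED.match(ln))]
            if not allowed:
                issues.append("trunk-not-pruned")
            elif (n := len(expand_vlans(allowed[-1]))) > max_trunk_vlans:
                issues.append(f"trunk-carries-{n}-vlans")
        if issues:
            report[name] = issues
    return report
```

On the constructed sample, `audit(SAMPLE_CONFIG)` flags Gi0/1 (CDP still on) and Gi0/4 (CDP on and 14 VLANs allowed), while Gi0/2 and Gi0/3 pass.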