VoIP: Attacks & Countermeasures in the Corporate World

    VoIP: Attacks & Countermeasures in the Corporate World - Presentation Transcript

    1. VoIP: Attacks & Countermeasures in the Corporate World 1 © Sense of Security 2007 www.senseofsecurity.com AusCERT - May 2007
    2. VoIP Security: Agenda
       • Introduction
       • Typical VoIP Network Architecture
       • Anatomy of VoIP Attacks
       • Demo of a few VoIP Attacks
       • Countermeasures
    3. VoIP Security: Introduction
       • Historically, trends and advances in IT outpace security requirements, e.g. 802.11 wireless. VoIP is the same.
       • Tools are becoming more readily available.
       • Many of the threats against VoIP are the same threats inherited from the data networking world, e.g. eavesdropping, MITM, replay etc.
    4. VoIP Security: Key Threats
       • Denial of Service – attacks against availability
       • Eavesdropping – unauthorised interception of voice packets
       • Impersonation – masquerading as a handset or a piece of VoIP infrastructure
    5. VoIP Security: Disclaimer
       The techniques demonstrated are not vendor specific. Our attacks are against an “out of the box” or “default” implementation of VoIP. We are not responsible for what you do with the tools and techniques demonstrated!
    6. VoIP Security: Typical Cisco VoIP Implementation
       [Diagram: Cisco IP Phone 7941 series handsets (IP Phone #1 x1000, IP Phone #2 x2000, IP Phone #3 x3000), a Catalyst 3550 switch and Cisco Call Manager v4.X; Data VLAN 2, Voice VLAN 6]
    7. VoIP Security: Anatomy of Attack – Impersonation
       • Step 1: Determine MAC address of handset
       • Step 2: Change MAC address on PC
       • Step 3: Use Softphone to make a call as that extension
    8. VoIP Security: Anatomy of Attack – Eavesdropping
       • Step 1: Gather initial information
       • Step 2: Get access to voice VLAN
       • Step 3: Locate phone targets
       • Step 4: Execute ARP poisoning attack and record voice call
    9. VoIP Security: Information Gathering
       • Cisco phone information disclosure
       • IP addresses: DHCP, Call Manager, TFTP, DNS Servers
    10. VoIP Security
       • Plug into the PC port and sniff!
    11. VoIP Security: Get on the Voice Network
       • Use the info we have gathered to get on the Voice VLAN.
       • Configure the network adapter to tag all Ethernet frames with the voice VLAN.
       • Voila! We are on the voice VLAN.
       • Now we can attack any system on the voice network.
    12. VoIP Security: MITM Attack – ARP Theory
       [Diagram: Catalyst 3550 switch]
    13. VoIP Security: MITM Attack – ARP Poisoning Theory
       [Diagram: Attacker's PC (IP: 10.6.0.40, MAC: D), IP Phone #2 (IP: 10.6.0.20, MAC: B) and IP Phone #3 (IP: 10.6.0.30, MAC: C) on a Catalyst 3550 switch]
    14. VoIP Security: MITM Attack – Execution
       • Start Cain & Abel and configure ARP poisoning.
       • Cain & Abel also has the capability to record a call.
       • Sit back and wait!
    15. VoIP Security: Game Over!
    16. VoIP Security: Some Attack Possibilities
       • Telephone banking / Voicemail PIN disclosure
       • Insertion of audio into conversation
       • Real-time voicemail capture
    17. VoIP Security: Compromising the PIN
       • Telephone banking requires a user to enter a customer number and PIN using the touchpad.
       • Each number pressed sends a unique tone which is interpreted by the end system.
    18. VoIP Security
    19. VoIP Security
       • But which buttons were pressed?
    20. VoIP Security: Countermeasures
       Cisco Switch:
       • Enable DHCP Snooping
       • Enable Dynamic ARP Inspection
       • Enable IP Source Guard
       • Enable Port Security
       • Implement VLAN ACLs
       • Implement 802.1x
    21. VoIP Security: Countermeasures (cont'd)
       Cisco Call Manager: (Not without some side effects!)
       • Disable Settings button on phone
       • Disable Span to PC port
       • Disable Gratuitous ARP
       • Disable PC Voice VLAN Access
       • Configure Signaling & Media Encryption!
    22. VoIP Security: How Real is the Threat in Australia?
       • One Australian organisation suffers a major telephone hack each and every day.
       • AusCERT Computer Crime and Security Survey 2006 shows average value of loss of over $60,000.
       • The largest phone hack on record is $1.7M.
       • 97% not reported due to risk of adverse publicity.
       • Threat to phone service – how would your business cope without phones for an entire day?
       • Telstra, Optus and Macquarie Telecom have written to clients warning of the dangers and confirming the customer is liable.
    23. VoIP Security: Conclusion
       • Most current implementations of VoIP are insecure.
       • VoIP can be secured with the right know-how.
       • The only way to know if your implementation is secure is to have it audited by independent experts.
    24. VoIP Security: Questions?
       Contact: Jason Edelstein T: +61 2 9290 4441 E: jasone@senseofsecurity.com.au www.senseofsecurity.com.au
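
How the Dynamic ARP Inspection countermeasure on slide 20 uses the DHCP snooping table to reject the forged ARP messages behind slides 13 and 14, as an added example: a simplified Python model, not Cisco's implementation and not part of the presentation. The IP addresses and the voice VLAN number come from the slides; the MAC addresses, port names and sample ARP packets are constructed.

```python
from dataclasses import dataclass

# DHCP snooping bindings for the voice VLAN (VLAN 6 on slide 6), keyed by
# (IP, VLAN). IPs are from slide 13; MACs and port names are constructed.
BINDINGS = {
    ("10.6.0.20", 6): ("00:00:5e:00:53:0b", "Fa0/2"),  # IP Phone #2
    ("10.6.0.30", 6): ("00:00:5e:00:53:0c", "Fa0/3"),  # IP Phone #3
    ("10.6.0.40", 6): ("00:00:5e:00:53:0d", "Fa0/4"),  # PC from slide 13
}
TRUSTED_PORTS = {"Gi0/1"}  # constructed uplink; trusted ports skip inspection

@dataclass(frozen=True)
class Arp:
    port: str        # switch port the frame arrived on
    vlan: int
    sender_mac: str  # sender hardware address inside the ARP payload
    sender_ip: str   # sender protocol address inside the ARP payload

def inspect(pkt, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Return (verdict, reason) for one ARP packet."""
    if pkt.port in trusted:
        return "permit", "trusted port"
    entry = bindings.get((pkt.sender_ip, pkt.vlan))
    if entry is None:
        return "drop", "no binding for sender IP"
    mac, port = entry
    if pkt.sender_mac.lower() != mac:
        return "drop", "sender MAC does not match binding"
    if pkt.port != port:  # extra strictness in this model
        return "drop", "binding was learned on another port"
    return "permit", "matches binding"

# Constructed traffic: two honest ARPs, then the PC claiming both phones' IPs
# with its own MAC (the poisoning pattern), then an address with no lease.
PC_MAC = "00:00:5e:00:53:0d"
SAMPLE = [
    Arp("Fa0/2", 6, "00:00:5e:00:53:0b", "10.6.0.20"),
    Arp("Fa0/4", 6, PC_MAC, "10.6.0.40"),
    Arp("Fa0/4", 6, PC_MAC, "10.6.0.20"),
    Arp("Fa0/4", 6, PC_MAC, "10.6.0.30"),
    Arp("Fa0/4", 6, PC_MAC, "10.6.0.99"),
]

def verdicts(packets):
    return [inspect(p) for p in packets]

if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(SAMPLE, verdicts(SAMPLE)):
        print(f"{pkt.port} {pkt.sender_ip:<10} {verdict:<6} {reason}")
```

The check is only as good as the binding table, which is why slide 20 lists DHCP Snooping alongside Dynamic ARP Inspection: without snooped leases (or static entries) there is nothing to validate ARP senders against.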