
Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income! Or Vice Versa?



Integrated services from telecom operators and Unified Communications technology promise a quick payback and great convenience. In practice, however, VoIP and IP PBX services have been found to cause many problems, above all relating to information security and fraud. What information security issues can arise for a company if Unified Communications are used? VoIP/PBX/MGW broken in 60 seconds: is it possible? Effective methods and practicalities of Unified Communications security will be discussed.

Published in: Technology, Business

  1. VoIP security legends and myths. Konstantin Gurzov, Head of Sales Support Department
  2. VoIP is attractive!
       • Access to the company's network
       • Call management (fraud)
       • Data corruption and replacement
       • Call interception
       • Personal data theft
       • and so on …
  3. VoIP infrastructure components. The VoIP segment integrates a number of specialized platforms and network devices, different networks and technologies.
  4. All local network threats apply to VoIP
       • Default passwords
       • Managing web interfaces
       • Software vulnerabilities
       • Traffic interception
       • Account blocking
  5. Known threats – former protection measures
       • Default passwords
     About 50% of all network devices have default or easily brute-forced passwords.
     Examples of metrics calculated from "live" data gathered during internal information security audits by Positive Technologies specialists, 2009.
  6. Examples
       • Back-end devices
           • Default PIN for CISCO IP PHONE - « **#* »
       • SIP gateways
           • Default password for Asterisk - « admin » leads to:
               • Denial of service
               • Interception
               • Integrity violation
               • Toll Fraud
     Reconfiguration, Minoring, Interception
  7. Known threats – former protection measures
       • Managing web interfaces
           • SQL Injection
           • Cross-Site Scripting
           • DoS
           • and so on.
     If an attacker manages to access your device's web interface, attacks are guaranteed to be successful.
  8. Examples
       • CISCO Call Manager
           • CVE-2010-3039 privilege escalation
           • CVE-2007-4633 XSS
           • CVE-2007-4634 SQL Injection
           • CVE-2008-0026 SQL Injection
       • Asterisk GUI
           • CVE-2008-1390 CVSS Base Score 9.3
     The possibility of detecting vulnerabilities of different risk levels, based on an analysis of 5560 sites conducted by Positive Technologies experts, 2009.
  9. Known threats – former protection measures
       • Software vulnerabilities
     Arbitrary code execution from the network in CISCO Call Manager 6. The vulnerability allows attackers to execute arbitrary code.
  10. Known threats – former protection measures
       • Software vulnerability
     Denial of service in CISCO Call Manager 6. The vulnerability allows attackers to cause a denial of service.
  11. Known threats – former protection measures
       • Services are unavailable and restricted
           • web interfaces with vulnerabilities
           • weak password policy
     Any VoIP device is a member of an Ethernet network, so it is vulnerable to most network attacks.
  12. Known threats – former protection measures
       • Traffic listening
           • weakly protected wireless networks
           • implementation of a « Man in the middle » attack
           • dozens of specialized applications for listening to VoIP traffic, for example, Cain & Abel, UCSniff
     Traffic listening leads to violation of confidentiality and personal data theft.
  13. Examples of real attacks
       • Traffic fraud
       • Interception of negotiations
       • Capture of corporate network
  14. Traffic fraud
     IP PBX 1: the IP PBX of a client of company «A». IP PBX 2: the attacker's IP PBX.
       • No ACLs on devices
       • Weak device and software password policy
       • Low overall protection level of the VoIP infrastructure
       • Billing once a month
  15. Traffic fraud – attacker's actions
       1. Scan the network and find IP PBX 1.
       2. Provide PSTN connection to IP PBX 2 via IP PBX 1.
       3. Pass expensive MG / MH (long-distance and international) calls via «A» into PSTN.
     Operator «A» is unable to explicitly separate responsibilities between itself and its client, so it always pays.
  16. Traffic fraud – can be avoided if the operator:
       • configures ACLs on external interfaces of the client IP PBX;
       • ensures that calls passed through the SIP trunk are not routed back;
       • blocks MG / MH calls if not used;
       • distributes password policy to VoIP services;
       • offers services for protection analysis of the client's hardware.
  17. Interception of negotiations
       • Use of wireless networks
       • Weak encryption algorithms
       • ACLs are not used
       • Weak password policy
  18. Capture corporate network
       • No change management
  19. Capture corporate network – attacker's actions
       • Get access to the corporate network via Wi-Fi
       • Find CISCO Call Manager by its typical response
           • uses the SQL injection of CVE-2008-0026
           • gets the user password hashes that the request returns
           • recovers passwords from the hashes
       • One of the recovered passwords is the Admin password for all CISCO local networks
     Request:
           • runsql select user,password from applicationuser
           '+UNION+ALL+SELECT+'','','',user,'',password+from+applicationuser;--
     An attacker can capture the entire local network via VoIP services.
  20. Conclusions
       • VoIP infrastructure is vulnerable to the same security threats as an ordinary corporate network
       • VoIP service vulnerabilities LAN vulnerabilities
       • The same methods are used to create protected infrastructure in VoIP as in LAN
  21. Advice for creating a secure infrastructure
       • Advice 1: monitor changes and updates in your VoIP infrastructure.
       • Advice 2: distribute password policy to VoIP services, use strong crypto algorithms.
       • Advice 3: use a compliance and vulnerability management system to prevent incidents.
       • Advice 4: offer security level monitoring for clients' hardware as a VAS.
       • Advice 5: take a broad view of your infrastructure security; remember it is not only workstations and the e-mail system.
  22. Thank you for your attention! Questions? Konstantin Gurzov
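
The operator-side checks from the traffic fraud slides (14 to 16), applied to call detail records so that abuse shows up daily instead of on the monthly bill. This is an added example, not part of the original deck; the record fields, address range, trunk names, dialling prefixes and sample calls are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy for one client IP PBX (every value is an assumption).
ALLOWED_SOURCES = [ipaddress.ip_network("192.0.2.0/28")]  # ACL: client's own range
LONG_DISTANCE_ALLOWED = False          # this client does not use MG / MH calls
LOCAL_PREFIXES = ("495", "499")        # constructed local dialling prefixes

@dataclass
class Cdr:
    src_ip: str      # signalling source of the call setup
    in_trunk: str    # where the call entered the PBX
    out_trunk: str   # where the PBX routed it
    callee: str      # dialled number, digits only
    seconds: int     # billed duration

def violations(cdr: Cdr) -> list[str]:
    """Return the names of the slide-16 checks this call record fails."""
    found = []
    src = ipaddress.ip_address(cdr.src_ip)
    if not any(src in net for net in ALLOWED_SOURCES):
        found.append("source-not-in-acl")
    if cdr.in_trunk == cdr.out_trunk:
        found.append("routed-back-to-trunk")
    if not LONG_DISTANCE_ALLOWED and not cdr.callee.startswith(LOCAL_PREFIXES):
        found.append("long-distance-not-permitted")
    return found

def review(cdrs: list[Cdr]) -> dict[str, int]:
    """Billed seconds per failed check, intended for a daily review."""
    totals: dict[str, int] = {}
    for cdr in cdrs:
        for name in violations(cdr):
            totals[name] = totals.get(name, 0) + cdr.seconds
    return totals

# Constructed sample records: a normal call, a transit call from an
# unknown source to an expensive destination, and a hairpinned trunk call.
SAMPLE = [
    Cdr("192.0.2.5", "extensions", "operator", "4951234567", 120),
    Cdr("198.51.100.9", "sip-peer", "operator", "8105355501000", 1800),
    Cdr("192.0.2.7", "operator", "operator", "4997654321", 60),
]

if __name__ == "__main__":
    for cdr in SAMPLE:
        print(cdr.callee, violations(cdr))
    print(review(SAMPLE))
```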