SlideShare a Scribd company logo
1 of 21
Download to read offline
Auto provisioning sucks
Cal Leeming
cal.leeming@simplicitymedialtd.co.uk
Disclaimer
• I am a programmer, not a security expert
• This has been done using best practises for
responsible disclosure
• POC code will not be disclosed (but can be easily
written in 30~ mins)
how would you feel if..
• You found a vulnerability that allows malicious user to
extract user creds remotely with no authentication
• Your supplier was shipping you vuln devices by default
• Your provider did not fix the problem
• The vendor did not fix the problem entirely
• All your customers were affected
• You were liable for any resulting toll-fraud
• You had to explain this to your customers after
• This is the BS I had to deal with in June 2012
Companies affected
• Yealink
Disclosed June 2012, patched Aug 2012, problem still exists

• Snom (disclosed today)
Disclosed today

• ****.co.uk
Disclosed 2012, problem still exists

• *****.co.uk
Not disclosed

• Many, many others
including those with QSA accreditation from ITSPA
Known attack vectors
• 1) Redirection service at root authority (what is it?)
http://www.888voip.com/rps-redirection-and-provisioning-service-by-yealink/

• 2) Redirection service at reseller
SIP providers, hw wholesalers

• 3) Any external facing provisioning system
HTTP, TFTP etc
Yealink
• V71 firmware
– RPS not enabled by default
– aes encryption optional for v71
– Still vuln if provider does not implement properly

• V70 firmware
– RPS enabled by default
– No AES encryption required
– Legacy services have not been disabled due to this
Yealink
• V71 fw cut using binwalk and yaffs2utils
• V70 fw cut using binwalk and unsquashfs
$ cat ./factory/Setting/autop.cfg
[ autoprovision ]
server_address = ?http://prov.yealink.co.uk/1/ap/
$ grep -R "server_address" .
./factory/Setting/autop_code.cfg:server_address = ?http://prov.yealink.co.uk/1/ap
./factory/Setting/autop_code.cfg:server_address = ?http://yealink.********
$ curl http://prov.yealink.co.uk/1/ap/0015651738ba.cfg
[ autoprovision ]
***
Jun 29 15:41:01 ap: http_client.c(712): UserAgent is yealink SIP-T20P 1.2.3.4 00:11:22:33:44:5f
Jun 29 15:41:01 ap: http_client.c(1292): query header: GET /tftp/00112233445f.cfg
HTTP/1.0^M Host: 1.2.3.4^M User-Agent: yealink SIP-T20P 1.2.3.4 00:11:22:33:44:5f^M
Accept: */*^M Connection: Keep-Alive^M ^M
Yealink
•
•
•
•

MAC range: 001565 XIAMEN YEALINK
16^3 (16,581,375 MACs).
Single threaded, single IP scan, 30 reqs/sec
Can easily write a scanner in ~30 mins

[2013-10-22 12:56:32,463] [scan-yealink-rps.py:131] HIT 001565****** - endpoint is http://*************/***/001565******.cfg
[2013-10-22 12:56:32,627] [scan-yealink-rps.py:119] MISS on 001565******
[2013-10-22 12:56:32,792] [scan-yealink-rps.py:119] MISS on 001565******
Snom
• FW cut using binwalk and jffs
- http://www.kutukupret.com/2010/09/16/mounting-a-jffs2-filesystem-in-linux/
- http://pauldotcom.com/wiki/index.php/Reverse_Engineering_Firmware_Primer
DEFAULTVALUE
http://provisioning.snom.com/snomXXX/snomXXX.php?mac={mac}
snomXXX =
{snom300, snom320, snom360, snom370, snom710, snom720, snom760, snom820, snom820, snom87
0, snom m9}
python pnpserv.py -u http://url.of.the/settings.xml?mac={mac}
python pnpserv.py -u w/o argument defaults to
http://provisioning.snom.com/snom3x0/snom3x0.php?mac={mac}

http://provisioning.snom.com/snom300/snom300.php?mac=00041337C200
Snom
• Requires model number in MAC URL.
• This increases scan time right??
• NOPE.
http://wiki.snom.com/Settings/mac

• Could easily write a scanner in 30~ mins
SNIPPET:
Snom300 ---- 00041325XXXX, 00041328XXXX, 0004132DXXXX, 0004132FXXXX, 00041334XXXX, 0004133687F000041336FFFF, 00041337XXXX, 0004133BXXXX, 00041350XXXX
snom320 ---- 00041324XXXX, 00041327XXXX, 0004132CXXXX, 00041331XXXX, 00041335XXXX, 00041338XXXX, 00041351XXXX
[2013-10-22 14:47:50,047] [scan-snom-aps.py:22] Scanning MAC range 00-04-13-25-XX-XX to 00-04-13-25-XX-XX (total 7)
[2013-10-22 14:47:50,276] [scan-snom-aps.py:54] MISS on 00041325XXXX
[2013-10-22 14:47:50,276] [scan-snom-aps.py:66] HIT 00041325XXXX - endpoint is http://*******/**/***.php?mac=00041325XXXX
Generic auto prov servers
•
•
•
•

Majority of auto prov servers do not have brute protection
Majority of sys admins don’t check auto prov server logs
Significant number of well known UK providers are vuln to this
Lol 3cx

• Almost every handset is vulnerable to this (encryption is not
always enforced by default)
• Almost every provisioning server is vulnerable to this
• At least one big UK company is exposing thousands of details
because of this
Dirty tricks
•
•
•
•

Scanner speed can be significantly increased using coroutines
Request throughput can be increased using proxies from public lists
Easily reach 1000 requests/sec using 200 lines of python code
The majority of servers would crash and burn if URL is hitting
dynamic code (PHP) instead of plain text

• I have not implemented any of these, as this code is for proof of
concept, not a hit-and-run tool to be used maliciously
Immediate protections
(for non encrypted configs)
• Implement protections using L7 rules (nginx reverse prox, ZXTM etc)
• Rate limit based on MAC+IP combo (default 10 MACs/IP/24h)
• Enforce user agent checks/validation (not 100%, but helps protect
against chancers)
• Track IPs which access provisioning info, check for fraud patterns
(access from different countries etc)
• Automatically block IP if any protections are triggered
• Remove/modify on a case-by-case basis
• This only slows down brute force attacks, it is does NOT prevent
them, nor does it protect against targeted attacks
• Be smart
Immediate protections
(for encrypted configs)
• Haven’t had chance to review these yet
• Snom/Yealink will be chiming in with their two cents on
protections
Out of the factory protection
• Vendors are struggling to make phones secure to auto
provisioning out of the factory, relies on providers doing things
correctly.
• Could you not enforce request validation using a one-time-use
key generated from a unique string embedded into that
phone? (perhaps serial no?). This combined with encryption
gives two layers of security – still not perfect is the SN is leaked
• Got ideas? Share them! The only way this will change is if we all
do our bit to help
how you can help
• Many other vendors are vulnerable, I don’t have enough time
to check them all
• Got a phone that supports zero touch/auto prov? Give this a
try!
• Simple pcap/syslog analysis will usually give up secrets
• FW cutting only needed if you want to dig a bit deeper
• Most providers/vendors are not implementing encrypted
config by default
• Yealink have partially fixed by adding encrypted config (but it’s
not enforced!)
• Test as many different makes/firmware as possible!!!!
This is only the beginning
• Auto provisioning flaws are only the tip of
the ice berg
• Poke around, you will be shocked at what
you find
its not all doom and gloom
• Discovered FS after becoming fed up with
incompetent providers
• Met some amazing people in this community
• Learnt a lot of new skills
• Cudatel isn't vulnerable since they ship
firmwares with RPS off by default
Acknowledgements
• William King aka quentusrex from CudaTel
Helped with finding ways to protect customers, much appreciated!

• Ken Rice aka SwK from FreeSWITCH
Assistance with broadcasting and arranging this conference, thank you!

• FreeSWITCH community
• Anyone who’s URL I have linked to
• People who took time to write up on fw dissection, it saved me
literally days of work
Worried about this?
there are freeswitch consultants who can help setup secure
remote provisioning

Reach out to
consulting@freeswitch.org
Hint doc names
A31008-M2212-R910-3-7643_en_Internat.pdf
A31008-M2212-R910-3-7643_en_Internat_2.pdf
A31008-M2212-R910-3-7643_en_Internat_3.pdf
A31008-M2212-R910-5-7643.pdf
Auto Provision Manual version 2.0.4.pdf
Auto Provision Manual version 2.0.4_2.pdf
Category_HowTo_XMLRPC Redirection - Snom User Wiki.pdf
Changelog-YUK-V60FW-03012012.pdf
SiemensC450IPConfiguration.pdf
Terms_and_Conditions_for_use_of_snom_redirection_services.pdf
uts.pdf
V70UpgradingManual-21540749528.pdf
Voip_einrichten_eng.pdf
Yealink Auto Provisioning User Guide.pdf
Yealink SIP Phone Release Note of Version 71.pdf
YealinkConfigurationConversionToolUserGuide-21535047441.pdf
YealinkRedirectionandProvisioningService(RPS)UserManualV10ENG-04371557705.pdf
YealinkXMLAPIforRPS-V1.3-ENG (2).pdf
YealinkXMLAPIforRPS-V1.3-ENG.pdf

More Related Content

What's hot

Offence oriented Defence
Offence oriented DefenceOffence oriented Defence
Offence oriented DefenceSensePost
 
The Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListThe Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListSecurity Weekly
 
Kochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalKochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalPacSecJP
 
Heartbleed Overview
Heartbleed OverviewHeartbleed Overview
Heartbleed OverviewSensePost
 
The state of wireless security
The state of wireless security The state of wireless security
The state of wireless security Filip Waeytens
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainPriyanka Aash
 
Rat a-tat-tat
Rat a-tat-tatRat a-tat-tat
Rat a-tat-tatSensePost
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedZoltan Balazs
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwarePriyanka Aash
 
Kavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finKavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finPacSecJP
 
Defcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityDefcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityPriyanka Aash
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCanSecWest
 
Give Me Three Things: Anti-Virus Bypass Made Easy
Give Me Three Things: Anti-Virus Bypass Made EasyGive Me Three Things: Anti-Virus Bypass Made Easy
Give Me Three Things: Anti-Virus Bypass Made EasySecurity Weekly
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-daysZoltan Balazs
 
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...Security Weekly
 
Nomura UCCSC 2009
Nomura UCCSC 2009Nomura UCCSC 2009
Nomura UCCSC 2009dnomura
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar Santhosh Kumar
 
y3dips hacking priv8 network
y3dips hacking priv8 networky3dips hacking priv8 network
y3dips hacking priv8 networkidsecconf
 

What's hot (19)

Offence oriented Defence
Offence oriented DefenceOffence oriented Defence
Offence oriented Defence
 
The Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListThe Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted List
 
Kochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalKochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__final
 
Heartbleed Overview
Heartbleed OverviewHeartbleed Overview
Heartbleed Overview
 
The state of wireless security
The state of wireless security The state of wireless security
The state of wireless security
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
 
Rat a-tat-tat
Rat a-tat-tatRat a-tat-tat
Rat a-tat-tat
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automated
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
Kavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finKavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_fin
 
Defcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityDefcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-security
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application security
 
Give Me Three Things: Anti-Virus Bypass Made Easy
Give Me Three Things: Anti-Virus Bypass Made EasyGive Me Three Things: Anti-Virus Bypass Made Easy
Give Me Three Things: Anti-Virus Bypass Made Easy
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
 
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
 
Nomura UCCSC 2009
Nomura UCCSC 2009Nomura UCCSC 2009
Nomura UCCSC 2009
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
 
y3dips hacking priv8 network
y3dips hacking priv8 networky3dips hacking priv8 network
y3dips hacking priv8 network
 

Viewers also liked

Open Design in a changing design practice
Open Design in a changing design practiceOpen Design in a changing design practice
Open Design in a changing design practicePeter Troxler
 
Main Street, Meet Mr Watson - Matt Coatney
Main Street, Meet Mr Watson - Matt CoatneyMain Street, Meet Mr Watson - Matt Coatney
Main Street, Meet Mr Watson - Matt CoatneyMatt Coatney
 
4A Sessió de Sector Arquitectura: El Plus Ecològic
4A Sessió de Sector Arquitectura: El Plus Ecològic4A Sessió de Sector Arquitectura: El Plus Ecològic
4A Sessió de Sector Arquitectura: El Plus EcològicSector Arquitectura
 
Social Media im Longtail Business I Dirk Ploss, CMO, Lecturio, auf dem 4. Soc...
Social Media im Longtail Business I Dirk Ploss, CMO, Lecturio, auf dem 4. Soc...Social Media im Longtail Business I Dirk Ploss, CMO, Lecturio, auf dem 4. Soc...
Social Media im Longtail Business I Dirk Ploss, CMO, Lecturio, auf dem 4. Soc...Vorname Nachname
 
Soluciones de seguridad informatica abaddon pos iicybersecurity
Soluciones de seguridad informatica abaddon pos iicybersecuritySoluciones de seguridad informatica abaddon pos iicybersecurity
Soluciones de seguridad informatica abaddon pos iicybersecurityDavid Thomas
 
Indulgence 2010 Gourmet Tasting For Charity Official Proposol Final
Indulgence 2010 Gourmet Tasting For Charity Official Proposol FinalIndulgence 2010 Gourmet Tasting For Charity Official Proposol Final
Indulgence 2010 Gourmet Tasting For Charity Official Proposol FinalChefmichaelm
 
Brochure A5 Sept2010
Brochure A5 Sept2010Brochure A5 Sept2010
Brochure A5 Sept2010MerkMeester
 
150925 unesco iclc_bertelsmann-stiftung_noack_how-can-educational-monitoring-...
150925 unesco iclc_bertelsmann-stiftung_noack_how-can-educational-monitoring-...150925 unesco iclc_bertelsmann-stiftung_noack_how-can-educational-monitoring-...
150925 unesco iclc_bertelsmann-stiftung_noack_how-can-educational-monitoring-...Education_for_all_2015
 
Pressupostos 2013 - Ajuntament de Sagunt
Pressupostos 2013 - Ajuntament de SaguntPressupostos 2013 - Ajuntament de Sagunt
Pressupostos 2013 - Ajuntament de SaguntCompromís per Sagunt
 
Convocatoria%203 d%20alfacar
Convocatoria%203 d%20alfacarConvocatoria%203 d%20alfacar
Convocatoria%203 d%20alfacarelarcoestandar
 
Presentacion Door09
Presentacion Door09Presentacion Door09
Presentacion Door09maxife
 
Siemens Team Building Testimonial
Siemens Team Building TestimonialSiemens Team Building Testimonial
Siemens Team Building TestimonialScott Watson
 
Linking thoughts to flows Integrated modeling of Social Ecological Systems
Linking thoughts to flows Integrated modeling of Social Ecological SystemsLinking thoughts to flows Integrated modeling of Social Ecological Systems
Linking thoughts to flows Integrated modeling of Social Ecological SystemsMartin Wildenberg
 
Carta al papa Francisco- Rubén García Badillo
Carta al papa Francisco- Rubén García BadilloCarta al papa Francisco- Rubén García Badillo
Carta al papa Francisco- Rubén García BadilloRuben Garcia Badillo
 

Viewers also liked (20)

Open Design in a changing design practice
Open Design in a changing design practiceOpen Design in a changing design practice
Open Design in a changing design practice
 
Dim geschäftsfeld marktforschung_april2012
Dim geschäftsfeld marktforschung_april2012Dim geschäftsfeld marktforschung_april2012
Dim geschäftsfeld marktforschung_april2012
 
Main Street, Meet Mr Watson - Matt Coatney
Main Street, Meet Mr Watson - Matt CoatneyMain Street, Meet Mr Watson - Matt Coatney
Main Street, Meet Mr Watson - Matt Coatney
 
Desnutricion y malnutricion en españa
Desnutricion y malnutricion en españaDesnutricion y malnutricion en españa
Desnutricion y malnutricion en españa
 
4A Sessió de Sector Arquitectura: El Plus Ecològic
4A Sessió de Sector Arquitectura: El Plus Ecològic4A Sessió de Sector Arquitectura: El Plus Ecològic
4A Sessió de Sector Arquitectura: El Plus Ecològic
 
Social Media im Longtail Business I Dirk Ploss, CMO, Lecturio, auf dem 4. Soc...
Social Media im Longtail Business I Dirk Ploss, CMO, Lecturio, auf dem 4. Soc...Social Media im Longtail Business I Dirk Ploss, CMO, Lecturio, auf dem 4. Soc...
Social Media im Longtail Business I Dirk Ploss, CMO, Lecturio, auf dem 4. Soc...
 
Soluciones de seguridad informatica abaddon pos iicybersecurity
Soluciones de seguridad informatica abaddon pos iicybersecuritySoluciones de seguridad informatica abaddon pos iicybersecurity
Soluciones de seguridad informatica abaddon pos iicybersecurity
 
Indulgence 2010 Gourmet Tasting For Charity Official Proposol Final
Indulgence 2010 Gourmet Tasting For Charity Official Proposol FinalIndulgence 2010 Gourmet Tasting For Charity Official Proposol Final
Indulgence 2010 Gourmet Tasting For Charity Official Proposol Final
 
Brochure A5 Sept2010
Brochure A5 Sept2010Brochure A5 Sept2010
Brochure A5 Sept2010
 
150925 unesco iclc_bertelsmann-stiftung_noack_how-can-educational-monitoring-...
150925 unesco iclc_bertelsmann-stiftung_noack_how-can-educational-monitoring-...150925 unesco iclc_bertelsmann-stiftung_noack_how-can-educational-monitoring-...
150925 unesco iclc_bertelsmann-stiftung_noack_how-can-educational-monitoring-...
 
Pressupostos 2013 - Ajuntament de Sagunt
Pressupostos 2013 - Ajuntament de SaguntPressupostos 2013 - Ajuntament de Sagunt
Pressupostos 2013 - Ajuntament de Sagunt
 
Convocatoria%203 d%20alfacar
Convocatoria%203 d%20alfacarConvocatoria%203 d%20alfacar
Convocatoria%203 d%20alfacar
 
Alhuda CIBE - Islamic Finance & Investment Symposium by Sohail Jaffar
Alhuda CIBE - Islamic Finance & Investment Symposium by Sohail JaffarAlhuda CIBE - Islamic Finance & Investment Symposium by Sohail Jaffar
Alhuda CIBE - Islamic Finance & Investment Symposium by Sohail Jaffar
 
Presentacion Door09
Presentacion Door09Presentacion Door09
Presentacion Door09
 
Centaures
CentauresCentaures
Centaures
 
Lettre de motivation
Lettre de motivationLettre de motivation
Lettre de motivation
 
Siemens Team Building Testimonial
Siemens Team Building TestimonialSiemens Team Building Testimonial
Siemens Team Building Testimonial
 
Linking thoughts to flows Integrated modeling of Social Ecological Systems
Linking thoughts to flows Integrated modeling of Social Ecological SystemsLinking thoughts to flows Integrated modeling of Social Ecological Systems
Linking thoughts to flows Integrated modeling of Social Ecological Systems
 
Carta al papa Francisco- Rubén García Badillo
Carta al papa Francisco- Rubén García BadilloCarta al papa Francisco- Rubén García Badillo
Carta al papa Francisco- Rubén García Badillo
 
Cadena de-frio minsal
Cadena de-frio minsalCadena de-frio minsal
Cadena de-frio minsal
 

Similar to RPS/APS vulnerability in snom/yealink and others - slides

Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataPrecisely
 
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataPrecisely
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02PacSecJP
 
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...Digital Bond
 
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin DunnNetworking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin DunnNorth Texas Chapter of the ISSA
 
[CB16] BLE authentication design challenges on smartphone controlled IoT devi...
[CB16] BLE authentication design challenges on smartphone controlled IoT devi...[CB16] BLE authentication design challenges on smartphone controlled IoT devi...
[CB16] BLE authentication design challenges on smartphone controlled IoT devi...CODE BLUE
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Jakub Kałużny
 
Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!Distil Networks
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Applicationedavid2685
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsAnthony D Hendricks
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionCASCouncil
 
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Teemu Tiainen
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...Felipe Prado
 
Life as an enterprise security geek from underground. (What enterprises want ...
Life as an enterprise security geek from underground. (What enterprises want ...Life as an enterprise security geek from underground. (What enterprises want ...
Life as an enterprise security geek from underground. (What enterprises want ...LINE Corporation
 
AusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS ApplicationsAusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS Applicationseightbit
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.Jakub Kałużny
 

Similar to RPS/APS vulnerability in snom/yealink and others - slides (20)

Provisioning Q and A
Provisioning Q and AProvisioning Q and A
Provisioning Q and A
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and Data
 
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
 
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
 
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin DunnNetworking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
 
Security events in 2014
Security events in 2014Security events in 2014
Security events in 2014
 
[CB16] BLE authentication design challenges on smartphone controlled IoT devi...
[CB16] BLE authentication design challenges on smartphone controlled IoT devi...[CB16] BLE authentication design challenges on smartphone controlled IoT devi...
[CB16] BLE authentication design challenges on smartphone controlled IoT devi...
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
 
Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Application
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shells
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
 
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 
Life as an enterprise security geek from underground. (What enterprises want ...
Life as an enterprise security geek from underground. (What enterprises want ...Life as an enterprise security geek from underground. (What enterprises want ...
Life as an enterprise security geek from underground. (What enterprises want ...
 
IT infrastructure security 101
IT infrastructure security 101IT infrastructure security 101
IT infrastructure security 101
 
AusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS ApplicationsAusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS Applications
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.
 

Recently uploaded

Efficiencies in RPA with UiPath and CyberArk Technologies - Session 2
Efficiencies in RPA with UiPath and CyberArk Technologies - Session 2Efficiencies in RPA with UiPath and CyberArk Technologies - Session 2
Efficiencies in RPA with UiPath and CyberArk Technologies - Session 2DianaGray10
 
Dynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientationDynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientationBuild Intuit
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
HCI Lesson 1 - Introduction to Human-Computer Interaction.pdf
HCI Lesson 1 - Introduction to Human-Computer Interaction.pdfHCI Lesson 1 - Introduction to Human-Computer Interaction.pdf
HCI Lesson 1 - Introduction to Human-Computer Interaction.pdfROWELL MARQUINA
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneUiPathCommunity
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
The Critical Role of Spatial Data in Today's Data Ecosystem
The Critical Role of Spatial Data in Today's Data EcosystemThe Critical Role of Spatial Data in Today's Data Ecosystem
The Critical Role of Spatial Data in Today's Data EcosystemSafe Software
 
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023Joshua Flannery
 
Tecnogravura, Cylinder Engraving for Rotogravure
Tecnogravura, Cylinder Engraving for RotogravureTecnogravura, Cylinder Engraving for Rotogravure
Tecnogravura, Cylinder Engraving for RotogravureAntonio de Llamas
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Women in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automationWomen in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automationDianaGray10
 
Why Agile? - A handbook behind Agile Evolution
Why Agile? - A handbook behind Agile EvolutionWhy Agile? - A handbook behind Agile Evolution
Why Agile? - A handbook behind Agile EvolutionDEEPRAJ PATHAK
 
Deliver Latency Free Customer Experience
Deliver Latency Free Customer ExperienceDeliver Latency Free Customer Experience
Deliver Latency Free Customer ExperienceOpsTree solutions
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessWSO2
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
full stack practical assignment msc cs.pdf
full stack practical assignment msc cs.pdffull stack practical assignment msc cs.pdf
full stack practical assignment msc cs.pdfHulkTheDevil
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 

Recently uploaded (20)

Efficiencies in RPA with UiPath and CyberArk Technologies - Session 2
Efficiencies in RPA with UiPath and CyberArk Technologies - Session 2Efficiencies in RPA with UiPath and CyberArk Technologies - Session 2
Efficiencies in RPA with UiPath and CyberArk Technologies - Session 2
 
Dynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientationDynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientation
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
HCI Lesson 1 - Introduction to Human-Computer Interaction.pdf
HCI Lesson 1 - Introduction to Human-Computer Interaction.pdfHCI Lesson 1 - Introduction to Human-Computer Interaction.pdf
HCI Lesson 1 - Introduction to Human-Computer Interaction.pdf
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyone
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
The Critical Role of Spatial Data in Today's Data Ecosystem
The Critical Role of Spatial Data in Today's Data EcosystemThe Critical Role of Spatial Data in Today's Data Ecosystem
The Critical Role of Spatial Data in Today's Data Ecosystem
 
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023
 
Tecnogravura, Cylinder Engraving for Rotogravure
Tecnogravura, Cylinder Engraving for RotogravureTecnogravura, Cylinder Engraving for Rotogravure
Tecnogravura, Cylinder Engraving for Rotogravure
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Women in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automationWomen in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automation
 
Why Agile? - A handbook behind Agile Evolution
Why Agile? - A handbook behind Agile EvolutionWhy Agile? - A handbook behind Agile Evolution
Why Agile? - A handbook behind Agile Evolution
 
Deliver Latency Free Customer Experience
Deliver Latency Free Customer ExperienceDeliver Latency Free Customer Experience
Deliver Latency Free Customer Experience
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
full stack practical assignment msc cs.pdf
full stack practical assignment msc cs.pdffull stack practical assignment msc cs.pdf
full stack practical assignment msc cs.pdf
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 

RPS/APS vulnerability in snom/yealink and others - slides

  • 1. Auto provisioning sucks Cal Leeming cal.leeming@simplicitymedialtd.co.uk
  • 2. Disclaimer • I am a programmer, not a security expert • This has been done using best practises for responsible disclosure • POC code will not be disclosed (but can be easily written in 30~ mins)
  • 3. how would you feel if.. • You found a vulnerability that allows malicious user to extract user creds remotely with no authentication • Your supplier was shipping you vuln devices by default • Your provider did not fix the problem • The vendor did not fix the problem entirely • All your customers were affected • You were liable for any resulting toll-fraud • You had to explain this to your customers after • This is the BS I had to deal with in June 2012
  • 4. Companies affected • Yealink Disclosed June 2012, patched Aug 2012, problem still exists • Snom (disclosed today) Disclosed today • ****.co.uk Disclosed 2012, problem still exists • *****.co.uk Not disclosed • Many, many others including those with QSA accreditation from ITSPA
  • 5. Known attack vectors • 1) Redirection service at root authority (what is it?) http://www.888voip.com/rps-redirection-and-provisioning-service-by-yealink/ • 2) Redirection service at reseller SIP providers, hw wholesalers • 3) Any external facing provisioning system HTTP, TFTP etc
  • 6. Yealink • V71 firmware – RPS not enabled by default – aes encryption optional for v71 – Still vuln if provider does not implement properly • V70 firmware – RPS enabled by default – No AES encryption required – Legacy services have not been disabled due to this
  • 7. Yealink • V71 fw cut using binwalk and yaffs2utils • V70 fw cut using binwalk and unsquashfs $ cat ./factory/Setting/autop.cfg [ autoprovision ] server_address = ?http://prov.yealink.co.uk/1/ap/ $ grep -R "server_address" . ./factory/Setting/autop_code.cfg:server_address = ?http://prov.yealink.co.uk/1/ap ./factory/Setting/autop_code.cfg:server_address = ?http://yealink.******** $ curl http://prov.yealink.co.uk/1/ap/0015651738ba.cfg [ autoprovision ] *** Jun 29 15:41:01 ap: http_client.c(712): UserAgent is yealink SIP-T20P 1.2.3.4 00:11:22:33:44:5f Jun 29 15:41:01 ap: http_client.c(1292): query header: GET /tftp/00112233445f.cfg HTTP/1.0^M Host: 1.2.3.4^M User-Agent: yealink SIP-T20P 1.2.3.4 00:11:22:33:44:5f^M Accept: */*^M Connection: Keep-Alive^M ^M
  • 8. Yealink • • • • MAC range: 001565 XIAMEN YEALINK 16^3 (16,581,375 MACs). Single threaded, single IP scan, 30 reqs/sec Can easily write a scanner in ~30 mins [2013-10-22 12:56:32,463] [scan-yealink-rps.py:131] HIT 001565****** - endpoint is http://*************/***/001565******.cfg [2013-10-22 12:56:32,627] [scan-yealink-rps.py:119] MISS on 001565****** [2013-10-22 12:56:32,792] [scan-yealink-rps.py:119] MISS on 001565******
  • 9. Snom • FW cut using binwalk and jffs - http://www.kutukupret.com/2010/09/16/mounting-a-jffs2-filesystem-in-linux/ - http://pauldotcom.com/wiki/index.php/Reverse_Engineering_Firmware_Primer DEFAULTVALUE http://provisioning.snom.com/snomXXX/snomXXX.php?mac={mac} snomXXX = {snom300, snom320, snom360, snom370, snom710, snom720, snom760, snom820, snom820, snom87 0, snom m9} python pnpserv.py -u http://url.of.the/settings.xml?mac={mac} python pnpserv.py -u w/o argument defaults to http://provisioning.snom.com/snom3x0/snom3x0.php?mac={mac} http://provisioning.snom.com/snom300/snom300.php?mac=00041337C200
  • 10. Snom • Requires model number in MAC URL. • This increases scan time right?? • NOPE. http://wiki.snom.com/Settings/mac • Could easily write a scanner in 30~ mins SNIPPET: Snom300 ---- 00041325XXXX, 00041328XXXX, 0004132DXXXX, 0004132FXXXX, 00041334XXXX, 0004133687F000041336FFFF, 00041337XXXX, 0004133BXXXX, 00041350XXXX snom320 ---- 00041324XXXX, 00041327XXXX, 0004132CXXXX, 00041331XXXX, 00041335XXXX, 00041338XXXX, 00041351XXXX [2013-10-22 14:47:50,047] [scan-snom-aps.py:22] Scanning MAC range 00-04-13-25-XX-XX to 00-04-13-25-XX-XX (total 7) [2013-10-22 14:47:50,276] [scan-snom-aps.py:54] MISS on 00041325XXXX [2013-10-22 14:47:50,276] [scan-snom-aps.py:66] HIT 00041325XXXX - endpoint is http://*******/**/***.php?mac=00041325XXXX
  • 11. Generic auto prov servers • • • • Majority of auto prov servers do not have brute protection Majority of sys admins don’t check auto prov server logs Significant number of well known UK providers are vuln to this Lol 3cx • Almost every handset is vulnerable to this (encryption is not always enforced by default) • Almost every provisioning server is vulnerable to this • At least one big UK company is exposing thousands of details because of this
  • 12. Dirty tricks • • • • Scanner speed can be significantly increased using coroutines Request throughput can be increased using proxies from public lists Easily reach 1000 requests/sec using 200 lines of python code The majority of servers would crash and burn if URL is hitting dynamic code (PHP) instead of plain text • I have not implemented any of these, as this code is for proof of concept, not a hit-and-run tool to be used maliciously
  • 13. Immediate protections (for non encrypted configs) • Implement protections using L7 rules (nginx reverse prox, ZXTM etc) • Rate limit based on MAC+IP combo (default 10 MACs/IP/24h) • Enforce user agent checks/validation (not 100%, but helps protect against chancers) • Track IPs which access provisioning info, check for fraud patterns (access from different countries etc) • Automatically block IP if any protections are triggered • Remove/modify on a case-by-case basis • This only slows down brute force attacks, it is does NOT prevent them, nor does it protect against targeted attacks • Be smart
  • 14. Immediate protections (for encrypted configs) • Haven’t had chance to review these yet • Snom/Yealink will be chiming in with their two cents on protections
  • 15. Out of the factory protection • Vendors are struggling to make phones secure to auto provisioning out of the factory, relies on providers doing things correctly. • Could you not enforce request validation using a one-time-use key generated from a unique string embedded into that phone? (perhaps serial no?). This combined with encryption gives two layers of security – still not perfect is the SN is leaked • Got ideas? Share them! The only way this will change is if we all do our bit to help
  • 16. how you can help • Many other vendors are vulnerable, I don’t have enough time to check them all • Got a phone that supports zero touch/auto prov? Give this a try! • Simple pcap/syslog analysis will usually give up secrets • FW cutting only needed if you want to dig a bit deeper • Most providers/vendors are not implementing encrypted config by default • Yealink have partially fixed by adding encrypted config (but it’s not enforced!) • Test as many different makes/firmware as possible!!!!
  • 17. This is only the beginning • Auto provisioning flaws are only the tip of the ice berg • Poke around, you will be shocked at what you find
  • 18. its not all doom and gloom • Discovered FS after becoming fed up with incompetent providers • Met some amazing people in this community • Learnt a lot of new skills • Cudatel isn't vulnerable since they ship firmwares with RPS off by default
  • 19. Acknowledgements • William King aka quentusrex from CudaTel Helped with finding ways to protect customers, much appreciated! • Ken Rice aka SwK from FreeSWITCH Assistance with broadcasting and arranging this conference, thank you! • FreeSWITCH community • Anyone who’s URL I have linked to • People who took time to write up on fw dissection, it saved me literally days of work
  • 20. Worried about this? there are freeswitch consultants who can help setup secure remote provisioning Reach out to consulting@freeswitch.org
  • 21. Hint doc names A31008-M2212-R910-3-7643_en_Internat.pdf A31008-M2212-R910-3-7643_en_Internat_2.pdf A31008-M2212-R910-3-7643_en_Internat_3.pdf A31008-M2212-R910-5-7643.pdf Auto Provision Manual version 2.0.4.pdf Auto Provision Manual version 2.0.4_2.pdf Category_HowTo_XMLRPC Redirection - Snom User Wiki.pdf Changelog-YUK-V60FW-03012012.pdf SiemensC450IPConfiguration.pdf Terms_and_Conditions_for_use_of_snom_redirection_services.pdf uts.pdf V70UpgradingManual-21540749528.pdf Voip_einrichten_eng.pdf Yealink Auto Provisioning User Guide.pdf Yealink SIP Phone Release Note of Version 71.pdf YealinkConfigurationConversionToolUserGuide-21535047441.pdf YealinkRedirectionandProvisioningService(RPS)UserManualV10ENG-04371557705.pdf YealinkXMLAPIforRPS-V1.3-ENG (2).pdf YealinkXMLAPIforRPS-V1.3-ENG.pdf