[VOIPSEC] Virus/Worms/Trojan attack against VoIP
Hendrik Scholz
hscholz at raisdorf.net
Mon May 15 06:26:37 CDT 2006
Hi!
Gupta, Sachin wrote:
> Is anybody aware of the possibility of virus attack on a Residential
> Gateway / IP Phone, running of a well known Operating system, with Voice
> capabilities ?
...
> Is this a theoretical attack or has anything like this happened before?
I've been looking into theoretical and practical attacks on VoIP enabled
DSL routers. The main 'features' a target should have are:
- common Operating System, i.e. underlying Linux
- world-wide open ports (i.e. 5060/udp)
- above-average market penetration
- easily detectable to get the propagation started later on
I had a closer look at several systems among which was the AVM
(www.avm.de) Fritz!Box. The overall market penetration is damn good
in Germany. Most variants sold are DSL routers bundled with DSL
access.
All you have to do is look up the DSL resellers offering free AVM
routers, use whois to obtain their DSL 'dialup' blocks and scan
for boxes. I found networks where I had more than an 80% hit ratio
with 60-75% average of all probed IPs running that particular
router.
Interestingly enough, that particular firmware does run on multiple
versions of the router (DSL only, DSL+wireless, VoIP only, VoIP + ...).
- AVM runs Linux and there is an active 'modder' community.
- AVM does have port 5060/udp open as this might be needed for ENUM
- as written above market penetration is very high in some places.
- scanning is easy (SIP OPTIONS, then look for the User-Agent in the reply).
As for the attack itself I didn't find anything yet but assume one
could have some fun with SPIT (i.e. using Alert-Info).
Just my $.02,
Hendrik
P.S. I just picked AVM as a sample.
--
Hendrik Scholz - <hscholz at raisdorf.net> - http://www.wormulon.net/
drag me, drop me - treat me like an object
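
The probe described in the message (SIP OPTIONS, then reading the User-Agent in the reply) seen from the defender's side, as an added example that is not part of the original post: it flags sources that sweep many hosts with OPTIONS and lists which devices answered them with an identifying product string. The `(src, dst, payload)` input shape, the threshold, the addresses and the `ExampleCPE/1.0` product name are assumptions constructed for illustration.

```python
from collections import defaultdict

def parse_sip(payload):
    """Return (start_line, headers) for one SIP datagram, or None if not SIP."""
    head = payload.decode("utf-8", errors="replace").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if "SIP/2.0" not in lines[0]:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def analyze(packets, sweep_threshold=3):
    """packets: (src_ip, dst_ip, payload) tuples, e.g. from a 5060/udp capture.
    Returns (sweepers, disclosures): sources that sent OPTIONS to at least
    sweep_threshold distinct hosts, and {responder: product} leaked to them."""
    probed, replies = defaultdict(set), []
    for src, dst, payload in packets:
        parsed = parse_sip(payload)
        if parsed is None:
            continue
        start, headers = parsed
        if start.startswith("OPTIONS "):
            probed[src].add(dst)
        elif start.startswith("SIP/2.0 "):  # a response; look for the banner
            product = headers.get("user-agent") or headers.get("server")
            if product:
                replies.append((src, dst, product))
    sweepers = {s for s, hosts in probed.items() if len(hosts) >= sweep_threshold}
    disclosures = {src: product for src, dst, product in replies
                   if dst in sweepers and src in probed[dst]}
    return sweepers, disclosures

def _msg(start, **headers):  # helper: build a constructed SIP datagram
    lines = [start] + [f"{k.replace('_', '-')}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

# Constructed sample traffic (documentation addresses, made-up product name).
SCANNER, PEER = "203.0.113.9", "198.51.100.5"
SAMPLE = [(SCANNER, f"192.0.2.{n}", _msg(f"OPTIONS sip:192.0.2.{n} SIP/2.0"))
          for n in (10, 11, 12)] + [
    ("192.0.2.10", SCANNER, _msg("SIP/2.0 200 OK", User_Agent="ExampleCPE/1.0")),
    ("192.0.2.11", SCANNER, _msg("SIP/2.0 200 OK")),
    (PEER, "192.0.2.10", _msg("OPTIONS sip:192.0.2.10 SIP/2.0")),
    ("192.0.2.10", PEER, _msg("SIP/2.0 200 OK", User_Agent="ExampleCPE/1.0")),
    (SCANNER, "192.0.2.12", b"\x00\x01not-sip"),
]
```

A device that appears in `disclosures` is both reachable on 5060/udp and identifying itself to unsolicited probes, which are the two properties the message lists as making a device easy to find.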