[VOIPSEC] VOIP Telephone exploitation
Jan-Tilo Kirchhoff
jan-tilo.kirchhoff at aastra.com
Thu Nov 5 09:32:49 CST 2009
As a product manager and sales consultant for VoIP-enabled PBXs for the SME segment, with a special interest in security, I have been following this group for some time now. I would also be interested in any hints regarding Bob's request.
From my experience the whole security discussion (not only regarding VoIP) has a tendency to focus on specific threats, while neglecting a more holistic approach.
IMHO - If you want to have a secure VoIP system you have to start building a secure network. Most threats can be mitigated when you have proper access control to your (local area) network. Once you know who has access to your network, malicious behaviour (e.g. eavesdropping) should be trackable by using the same network monitoring tools you are already using to make sure that all the other data on your network is not misused.
This does not mean that having SIPS/RTPS enabled phones isn't a good idea. Security always works best when it is applied at different layers. If one layer is compromised the information is still protected. Also some sort of encryption is a must when you want to communicate over WAN/Internet.
The main problem I see is that implementing proper security - VoIP or IT in general - is not a question of one or more specific protocols. Security has to be seen as part of a larger effort and can only be achieved by setting up a process. ISO 27000, ITIL or the German "BSI Grundschutz Handbuch" (www.bsi.de, security guidelines published by the German counterpart of NIST) are good ways to start such a process, but especially smaller enterprises have a lack of experience and resources to do this.
So vendors have to make using security features as easy as possible without
a) causing new security loopholes in the name of easy and simple configuration and rollout (key/certificate distribution is one of the key points that has to be solved in such a way that it can be done without a degree in computer science)
b) giving a false impression that all is well only by using a specific feature (e.g. RTPS encrypted audio streams).
Regards,
Tilo
-----Original Message-----
From: voipsec-bounces at voipsa.org [mailto:voipsec-bounces at voipsa.org] On Behalf Of voipsec-request at voipsa.org
Sent: Sunday, 18 October 2009 13:00
To: voipsec at voipsa.org
Subject: Voipsec Digest, Vol 58, Issue 4
Today's Topics:
1. VOIP Telephone exploitation (brolen)
2. Re: VOIP Telephone exploitation (Ari Takanen)
3. Re: VOIP Telephone exploitation (Jerome Athias)
----------------------------------------------------------------------
Message: 1
Date: Sat, 17 Oct 2009 09:48:57 -0500
From: "brolen" <brolen at mindspring.com>
To: <voipsec at voipsa.org>
Subject: [VOIPSEC] VOIP Telephone exploitation
Message-ID: <B8F0106AB1784A84928B392635EC05D4 at Office>
Content-Type: text/plain; charset="iso-8859-1"
Since the inception of your group, have you identified a clear cut strategy to detect, identify and guard against remote eavesdropping on a VOIP system such as the Cisco-IP phone. In addition, what tests are being used to identify the activation of the remote maintenance or remote observation features.
I would certainly like to hear from some of your members regarding the defenses and protections for VOIP systems that a company can logically employ.
In addition, has anyone made any headway into the detection and removal of Trojans or rootkits on cellphones. This appears to be a rather large effort for attacking devices such as I-phones, Blackberrys etc.
Thanks,
Bob Rolen
------------------------------
Message: 2
Date: Sat, 17 Oct 2009 22:51:19 +0300
From: Ari Takanen <voipsa at codenomicon.com>
To: brolen <brolen at mindspring.com>
Cc: voipsec at voipsa.org
Subject: Re: [VOIPSEC] VOIP Telephone exploitation
Message-ID: <20091017195119.GC6819 at codenomicon.com>
Content-Type: text/plain; charset=us-ascii
Hi Bob,
In VoIP most problems are because vendors do not activate encryption and key management by default. A plain SIP+RTP implementation is always vulnerable to a huge number of issues, for which there is not really any other fix but to start using TCP and/or TLS for SIP, and some type of encryption for RTP. Even if such functionality is available, very few deployments actually use them. You get what you deserve.
Regarding real, zero day threats in devices: trojans, and so on... The only method to eliminate them is to fix the software. Fortunately VoIP is one of the most active areas of fuzzing and zero day discovery. And so is cell-phone fuzzing. If you take any software product for VoIP or mobile communications that has not gone through fuzz testing, you will easily find tens if not hundreds of zero day buffer overflow and denial of service bugs. At least using our fuzzing tools. It is still embarrassing even for me to demonstrate SBC or SIP-aware firewall crashing from a zero-day buffer overflow test. You would think at least the security vendors would finally get it.
Best regards,
/Ari
On Sat, Oct 17, 2009 at 09:48:57AM -0500, brolen wrote:
> Since the inception of your group, have you identified a clear cut strategy to detect, identify and guard against remote eavesdropping on a VOIP system such as the Cisco-IP phone. In addition, what tests are being used to identify the activation of the remote maintenance or remote observation features.
>
> I would certainly like to hear from some of your members regarding the defenses and protections for VOIP systems that a company can logically employ.
>
> In addition, has anyone made any headway into the detection and removal of Trojans or rootkits on cellphones. This appears to be a rather large effort for attacking devices such as I-phones, Blackberrys etc.
>
> Thanks,
> Bob Rolen
--
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
Ari Takanen Codenomicon Ltd.
ari.takanen at codenomicon.com Tutkijantie 4E
tel: +358-40 50 67678 FI-90570 Oulu
http://www.codenomicon.com Finland
PGP: http://www.codenomicon.com/codenomicon-key.asc
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
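
Added example, not part of the original messages: a small Python audit of SIP INVITEs that checks the two layers discussed above (TLS for SIP, SRTP for RTP) separately, and flags the case where SRTP is negotiated with SDES keys (`a=crypto`) over cleartext signaling. The sample messages, addresses and finding names are constructed for illustration.

```python
import re

CRLF = "\r\n"

def _msg(via_transport, media_profile, extra_sdp=()):
    """Build a constructed SIP INVITE with an SDP body (sample data, not a capture)."""
    head = ["INVITE sip:bob@example.com SIP/2.0",
            f"Via: SIP/2.0/{via_transport} 192.0.2.10;branch=z9hG4bK-sample",
            "Content-Type: application/sdp"]
    sdp = ["v=0", "c=IN IP4 192.0.2.10",
           f"m=audio 49170 {media_profile} 0", *extra_sdp]
    return CRLF.join(head) + CRLF * 2 + CRLF.join(sdp) + CRLF

# Constructed placeholder, not a real SRTP master key.
SDES = "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY"
SAMPLES = {
    "plain": _msg("UDP", "RTP/AVP"),               # plain SIP + RTP
    "srtp_only": _msg("UDP", "RTP/SAVP", [SDES]),  # encrypted audio, cleartext SIP
    "layered": _msg("TLS", "RTP/SAVP", [SDES]),    # TLS signaling and SRTP media
}

# SDP transport profiles that carry SRTP rather than plain RTP.
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def audit_invite(raw):
    """Return a sorted list of finding codes for one SIP message."""
    head, _, sdp = raw.partition(CRLF * 2)
    # The topmost Via names the transport of the hop where the message was
    # seen; TLS there says nothing about later hops.
    via = re.search(r"(?im)^via\s*:\s*SIP/2\.0/(\w+)", head)
    transport = via.group(1).upper() if via else "UNKNOWN"
    findings = set()
    if transport != "TLS":
        findings.add("signaling-cleartext")
    for profile in re.findall(r"(?m)^m=audio \S+ (\S+)", sdp):
        if profile.upper() not in SRTP_PROFILES:
            findings.add("media-cleartext")
    # SDES carries the SRTP master key inside the SDP, so cleartext
    # signaling hands the media key to anyone who can read the INVITE.
    if re.search(r"(?m)^a=crypto:", sdp) and transport != "TLS":
        findings.add("srtp-key-exposed")
    return sorted(findings)

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, audit_invite(raw) or "ok")
```

The `srtp_only` sample is the "false impression" case: the audio stream is encrypted, yet the audit still reports the call because the key travels in readable signaling.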
------------------------------
Message: 3
Date: Sun, 18 Oct 2009 10:57:17 +0200
From: Jerome Athias <jerome.athias at free.fr>
To: brolen <brolen at mindspring.com>
Cc: voipsec at voipsa.org
Subject: Re: [VOIPSEC] VOIP Telephone exploitation
Message-ID: <1255856237.21227.27.camel at juzam>
Content-Type: text/plain; charset="UTF-8"
Hi,
crypto on Cisco phones is easily breakable.
The problem is that it couldn't be released because it should be
impossible for Cisco to update the firmwares, and releasing this stuff
would be a nightmare for companies using it.
/JA
On Saturday, 17 October 2009 at 09:48 -0500, brolen wrote:
> Since the inception of your group, have you identified a clear cut strategy to detect, identify and guard against remote eavesdropping on a VOIP system such as the Cisco-IP phone. In addition, what tests are being used to identify the activation of the remote maintenance or remote observation features.
>
> I would certainly like to hear from some of your members regarding the defenses and protections for VOIP systems that a company can logically employ.
>
> In addition, has anyone made any headway into the detection and removal of Trojans or rootkits on cellphones. This appears to be a rather large effort for attacking devices such as I-phones, Blackberrys etc.
>
> Thanks,
> Bob Rolen
------------------------------
End of Voipsec Digest, Vol 58, Issue 4
**************************************