[VOIPSEC] VOIP Telephone exploitation

Rubino, Mark (Mark) mrubino at avaya.com
Mon Oct 19 09:03:05 CDT 2009 

 

While I agree that encryption would be the way to go I also agree it is
difficult to deploy and expensive to maintain for the majority of VoIP
users other than the largest and more capable of end users. 

Check the VoIPSA Resources and the web for general information regarding
securing VoIP. I recommend contacting your specific vendor for their
VoIP security best practices regarding secure network design (regardless
of encryption). From what I have seen the security deployed for a
particular VoIP system is dependant on the equipment involved, the
overall network design and cost.

Regarding the Cisco phones 'remote monitoring' ability, is there any
additional data on this - is it skinny, H323 or SIP protocol based Cisco
phones?. I don't suppose anyone would have a trace for review? Going out
on a limb I would suggest investigating means to alert on one-way VoIP
streams...



Regards,
Mark 
 

-----Original Message-----
From: voipsec-bounces at voipsa.org [mailto:voipsec-bounces at voipsa.org] On
Behalf Of voipsec-request at voipsa.org
Sent: Sunday, October 18, 2009 7:00 AM
To: voipsec at voipsa.org
Subject: Voipsec Digest, Vol 58, Issue 4

Send Voipsec mailing list submissions to
	voipsec at voipsa.org

To subscribe or unsubscribe via the World Wide Web, visit
	http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
or, via email, send a message with subject or body 'help' to
	voipsec-request at voipsa.org

You can reach the person managing the list at
	voipsec-owner at voipsa.org

When replying, please edit your Subject line so it is more specific than
"Re: Contents of Voipsec digest..."


Today's Topics:

   1. VOIP Telephone exploitation (brolen)
   2. Re: VOIP Telephone exploitation (Ari Takanen)
   3. Re: VOIP Telephone exploitation (Jerome Athias)


----------------------------------------------------------------------

Message: 1
Date: Sat, 17 Oct 2009 09:48:57 -0500
From: "brolen" <brolen at mindspring.com>
To: <voipsec at voipsa.org>
Subject: [VOIPSEC] VOIP Telephone exploitation
Message-ID: <B8F0106AB1784A84928B392635EC05D4 at Office>
Content-Type: text/plain;	charset="iso-8859-1"

Since the inception of your group, have you identified a clear cut
strategy to detect, identify and guard against remote eavesdropping on a
VOIP system such as the Cisco-IP phone.  In addition, what tests are
being used to identify the activation of the remote maintenance or
remote observation features.

I would certainly like to hear from some of your members regarding the
defenses and protections for VOIP systems that a company can logically
employ.

In addition, has anyone made any headway into the detection and removal
of Trojans or rootkits on cellphones.  This appears to be a rather large
effort for attacking devices such as I-phones, Blackberrys etc.

Thanks,
Bob Rolen

------------------------------

Message: 2
Date: Sat, 17 Oct 2009 22:51:19 +0300
From: Ari Takanen <voipsa at codenomicon.com>
To: brolen <brolen at mindspring.com>
Cc: voipsec at voipsa.org
Subject: Re: [VOIPSEC] VOIP Telephone exploitation
Message-ID: <20091017195119.GC6819 at codenomicon.com>
Content-Type: text/plain; charset=us-ascii

Hi Bob,

In VoIP most problems are because vendors do not activate encryption and
key management by default. A plain SIP+RTP implementation is always
vulnerabile to a huge number of issues, for which there is not really
any other fix but to start using TCP and/or TLS for SIP, and some type
of encryption for RTP. Even if such functionality is available, very few
deployments actually use them. You get what you deserve.

Regarding real, zero day threats in devices: trojans, and so on... The
only method to eliminate them is to fix the software. Fortunately VoIP
is one of the most active areas of fuzzing and zero day discovery. And
so is cell-phone fuzzing. If you take any software product for VoIP or
mobile communications that has not gone through fuzz testing, you will
easily find tens if not hundreds of zero day buffer overflow and denial
of service bugs. At least using our fuzzing tools. It is still
embarrassing even for me to demonstrate SBC or SIP-aware firewall
crashing from a zero-day buffer overflow test. You would think at least
the security vendors would finally get it.

Best regards,

/Ari


On Sat, Oct 17, 2009 at 09:48:57AM -0500, brolen wrote:
> Since the inception of your group, have you identified a clear cut
strategy to detect, identify and guard against remote eavesdropping on a
VOIP system such as the Cisco-IP phone.  In addition, what tests are
being used to identify the activation of the remote maintenance or
remote observation features.
> 
> I would certainly like to hear from some of your members regarding the
defenses and protections for VOIP systems that a company can logically
employ.
> 
> In addition, has anyone made any headway into the detection and
removal of Trojans or rootkits on cellphones.  This appears to be a
rather large effort for attacking devices such as I-phones, Blackberrys
etc.
> 
> Thanks,
> Bob Rolen
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org

--
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
Ari Takanen                       Codenomicon Ltd.
ari.takanen at codenomicon.com       Tutkijantie 4E
tel: +358-40 50 67678             FI-90570 Oulu
http://www.codenomicon.com        Finland
PGP: http://www.codenomicon.com/codenomicon-key.asc
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-



------------------------------

Message: 3
Date: Sun, 18 Oct 2009 10:57:17 +0200
From: Jerome Athias <jerome.athias at free.fr>
To: brolen <brolen at mindspring.com>
Cc: voipsec at voipsa.org
Subject: Re: [VOIPSEC] VOIP Telephone exploitation
Message-ID: <1255856237.21227.27.camel at juzam>
Content-Type: text/plain; charset="UTF-8"

Hi,

crypto on Cisco phones is easily breakable.
The problem is that it couldn't be released because it should be
impossible for Cisco to update the firmwares, and releasing this stuff
would be a nightmare for companies using it.

/JA

Le samedi 17 octobre 2009 ? 09:48 -0500, brolen a ?crit :
> Since the inception of your group, have you identified a clear cut
strategy to detect, identify and guard against remote eavesdropping on a
VOIP system such as the Cisco-IP phone.  In addition, what tests are
being used to identify the activation of the remote maintenance or
remote observation features.
> 
> I would certainly like to hear from some of your members regarding the
defenses and protections for VOIP systems that a company can logically
employ.
> 
> In addition, has anyone made any headway into the detection and
removal of Trojans or rootkits on cellphones.  This appears to be a
rather large effort for attacking devices such as I-phones, Blackberrys
etc.
> 
> Thanks, 
> Bob Rolen




------------------------------

_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org


End of Voipsec Digest, Vol 58, Issue 4
**************************************

More information about the Voipsec mailing list