Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income! Or Vice Versa?
Transcript of Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income! Or Vice Versa?
VoIP security legends and myths
Konstantin Gurzov
Head of Sales Support Department
VoIP is attractive!
Access to the company’s network
Call management (fraud)
Data tampering and substitution
Call interception
Personal data theft
and so on…
VoIP infrastructure components
[Diagram: transport; application servers; managing and back-end devices; boundary devices; PSTN, IP networks, Internet; local network branches; attacker’s computer; guest Wi-Fi network]
The VoIP segment is an integration of a number of specialized platforms and network devices, different networks and technologies.
All local network threats apply to VoIP as well
Default passwords
Managing web interfaces
Software vulnerabilities
Traffic interception
Account blocking
Default passwords
Known threats – former protection measures
Examples of metrics calculated from "live" data gathered during internal information security audits by Positive Technologies specialists, 2009
About 50% of all network devices have default or easily bruteforced passwords
Back-end devices
• Default PIN for CISCO IP PHONE - «**#*»
SIP gateways
• Default password for Asterisk - «admin»
leads to: denial of service, interception, integrity violation, toll fraud
Examples
Reconfiguration
Minoring
Interception
Managing web interfaces
• SQL Injection
• Cross Site Scripting
• DoS
• and so on.
Known threats – former protection measures
If an attacker manages to access your device web interface, attacks are guaranteed to be successful
CISCO Call Manager
• CVE-2010-3039 privilege escalation
• CVE-2007-4633 XSS
• CVE-2007-4634 SQL Injection
• CVE-2008-0026 SQL Injection
Asterisk GUI
• CVE-2008-1390 CVSS Base Score 9.3
Examples
Likelihood of detecting vulnerabilities of different risk levels, based on an analysis of 5560 sites by Positive Technologies experts, 2009
Known threats – former protection measures
Software vulnerabilities
Arbitrary code execution from the network in CISCO Call Manager 6
Vulnerability allows attackers to execute arbitrary code
Known threats – former protection measures
Software vulnerability
Denial of service in CISCO Call Manager 6
Vulnerability allows attackers to cause a denial of service
Services are unavailable and restricted
• web interfaces with vulnerabilities
• weak password policy
Known threats – former protection measures
Any VoIP device is a member of an Ethernet network, so it is vulnerable to most network attacks
Traffic listening
• weakly protected wireless networks
• Implementation of «Man in the middle» attack
• Tens of specialized applications for listening to VoIP traffic, for example, Cain&Abel (www.oxid.it), UCSniff (http://ucsniff.sourceforge.net)
Known threats – former protection measures
Traffic listening leads to violation of confidentiality and personal data theft
Examples of real attacks
Traffic fraud
Interception of conversations
Capture of corporate network
Traffic fraud
[Diagram: PSTN; Company «А» (VoIP provider); IP PBX 1 at company «Client»; IP PBX 2; SIP trunk; H.323, SIP; guest Wi-Fi network; attacker’s computer]
IP PBX 1 – Client’s IP PBX of «А» company
IP PBX 2 – Attacker’s IP PBX
1. No ACLs on devices
2. Weak device and software password policy
3. Low protection level as a whole for VoIP infrastructure
4. Billing once a month
Traffic fraud – attacker’s actions
[Diagram: same topology as above, with the attacker’s actions numbered 1–3]
1. Scan the network and find IP PBX 1.
2. Provide PSTN connection to IP PBX 2 via IP PBX 1.
3. Pass expensive MG/MH calls via «А» into PSTN.
The «А» operator is unable to explicitly separate responsibilities between itself and its client, so it always pays.
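The weakness the slide singles out is that the operator only learns about the abuse from the monthly bill. The following is an added example, not code from the talk, of a daily check over call detail records (CDRs) that flags the three signs described above: a call that came in over the SIP trunk and is routed back out through it, answered international (MG/MH) calls at night, and a burst of international minutes from one source in one hour. The CDR lines are constructed for the demo in a simplified comma-separated layout; the column order, the dialling prefixes treated as international, the trunk channel naming and the thresholds are assumptions, not a real PBX export format.

```python
"""Added example: daily CDR check for the toll-fraud pattern on the slides."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Assumptions for the demo: prefixes treated as international (MG/MH) calls,
# the naming of trunk channels and trunk context, and alert thresholds.
INTL_PREFIXES = ("00", "+", "810")
TRUNK_CHANNEL_PREFIX = "SIP/trunk-"
TRUNK_CONTEXT = "from-trunk"
INTL_MINUTES_PER_HOUR = 30
NIGHT_HOURS = range(0, 6)

# Constructed sample. Columns (assumed layout):
# start, src, dst, dcontext, dstchannel, billsec, disposition, uniqueid
SAMPLE_CDR = """\
2011-05-19 10:02:11,1001,84951234567,internal,SIP/trunk-provider-a-0001,120,ANSWERED,c1
2011-05-19 02:13:40,1002,0044207000001,internal,SIP/trunk-provider-a-0002,600,ANSWERED,c2
2011-05-19 02:25:02,1002,0044207000002,internal,SIP/trunk-provider-a-0003,600,ANSWERED,c3
2011-05-19 02:37:19,1002,0044207000003,internal,SIP/trunk-provider-a-0004,600,ANSWERED,c4
2011-05-19 02:49:55,1002,0044207000004,internal,SIP/trunk-provider-a-0005,600,ANSWERED,c5
2011-05-19 11:30:07,79990001111,0044207000009,from-trunk,SIP/trunk-provider-a-0006,300,ANSWERED,c6
2011-05-19 14:05:33,1003,0049301234567,internal,SIP/trunk-provider-a-0007,180,ANSWERED,c7
"""


def parse_cdr(text):
    """Parse the simplified CDR layout into dicts with typed start/billsec."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 8:
            continue  # skip blank or malformed lines
        start, src, dst, dcontext, dstchannel, billsec, disposition, uniqueid = row
        records.append({
            "start": datetime.strptime(start, "%Y-%m-%d %H:%M:%S"),
            "src": src, "dst": dst, "dcontext": dcontext,
            "dstchannel": dstchannel, "billsec": int(billsec),
            "disposition": disposition, "uniqueid": uniqueid,
        })
    return records


def detect_toll_fraud(records):
    """Return alert tuples: ('trunk-loop', id), ('night-intl', id),
    ('intl-burst', src, 'YYYY-MM-DD HH')."""
    alerts = []
    intl_seconds = defaultdict(int)
    for r in records:
        intl = r["dst"].startswith(INTL_PREFIXES)
        # Rule 1: call arrived over the SIP trunk and leaves over the trunk again
        if r["dcontext"] == TRUNK_CONTEXT and r["dstchannel"].startswith(TRUNK_CHANNEL_PREFIX):
            alerts.append(("trunk-loop", r["uniqueid"]))
        # Rule 2: answered international call outside working hours
        if intl and r["billsec"] > 0 and r["start"].hour in NIGHT_HOURS:
            alerts.append(("night-intl", r["uniqueid"]))
        # Rule 3: accumulate international minutes per source and hour
        if intl:
            intl_seconds[(r["src"], r["start"].strftime("%Y-%m-%d %H"))] += r["billsec"]
    for (src, hour), sec in sorted(intl_seconds.items()):
        if sec > INTL_MINUTES_PER_HOUR * 60:
            alerts.append(("intl-burst", src, hour))
    return alerts


if __name__ == "__main__":
    for alert in detect_toll_fraud(parse_cdr(SAMPLE_CDR)):
        print(alert)
```

Run against the constructed sample, the check reports the four night-time international calls from 1002, the burst of 40 international minutes from 1002 in the 02:00 hour, and the trunk-to-trunk loop c6, while the two ordinary daytime calls produce nothing. Running such a check once a day, rather than relying on monthly billing, is the point of the exercise.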
Traffic fraud – can be avoided if the operator:
configures ACLs on external interfaces of the client IP PBX;
ensures that calls passed through the SIP trunk are not routed back;
blocks MG/MH calls if not used;
extends the password policy to VoIP services;
offers protection analysis services for the client’s hardware.
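Two of the items above, ACLs on the client PBX and a password policy for VoIP services, can be checked mechanically in the PBX configuration. The following is an added example, not from the talk or from the Asterisk project, that parses an Asterisk-style sip.conf and reports peers reachable from any address (no deny/permit lines), default or weak secrets, and the insecure=invite option that skips INVITE authentication. The sample configuration is constructed for the demo; the list of secrets treated as default and the minimum secret length are assumptions.

```python
"""Added example: audit an Asterisk-style sip.conf for missing ACLs and weak secrets."""
import re
from collections import defaultdict

# Assumptions for the demo: secrets treated as default, minimum acceptable length.
DEFAULT_SECRETS = {"admin", "password", "1234", "secret", "asterisk"}
MIN_SECRET_LEN = 8

# Constructed sample configuration (not from any real system).
SAMPLE_SIP_CONF = """\
[general]
context=default
allowguest=no

[trunk-provider-a]          ; external SIP trunk: no ACL, default secret
type=peer
host=203.0.113.10
secret=admin
insecure=port,invite
context=from-trunk

[1001]                      ; phone whose secret equals its own name
type=friend
host=dynamic
secret=1001
deny=0.0.0.0/0.0.0.0
permit=192.0.2.0/255.255.255.0
context=internal

[1002]                      ; correctly restricted phone
type=friend
host=dynamic
secret=Tr0ub4dor-and-3-more
deny=0.0.0.0/0.0.0.0
permit=192.0.2.0/255.255.255.0
context=internal
"""


def parse_asterisk_conf(text):
    """Minimal parser for the [section] / key=value format. Repeated keys
    (deny and permit may appear several times) are kept as lists."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, defaultdict(list))
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()].append(value.strip())
    return sections


def is_weak_secret(name, secret):
    """A secret is weak if it is a known default, equals the peer name, or is short."""
    s = secret.lower()
    return s in DEFAULT_SECRETS or s == name.lower() or len(secret) < MIN_SECRET_LEN


def audit_sip_conf(text):
    """Return a list of (section, issue-code) findings for the config text."""
    findings = []
    conf = parse_asterisk_conf(text)
    general = conf.get("general", {})
    if general.get("allowguest", ["no"])[-1].lower() == "yes":
        findings.append(("general", "allowguest"))  # unauthenticated callers reach the dialplan
    for name, opts in conf.items():
        if name == "general" or not opts.get("type"):
            continue
        if opts["type"][-1].lower() not in ("peer", "friend", "user"):
            continue
        secret = opts.get("secret", [None])[-1]
        if secret is None:
            findings.append((name, "no-secret"))
        elif is_weak_secret(name, secret):
            findings.append((name, "weak-secret"))
        if not opts.get("deny") and not opts.get("permit"):
            findings.append((name, "no-acl"))  # reachable from any source address
        if any("invite" in v.lower() for v in opts.get("insecure", [])):
            findings.append((name, "insecure-invite"))  # incoming INVITEs not authenticated
    return findings


if __name__ == "__main__":
    for section, issue in audit_sip_conf(SAMPLE_SIP_CONF):
        print(f"{section}: {issue}")
```

On the constructed sample the trunk peer is reported three times (default secret, no ACL, insecure=invite) and extension 1001 once for a secret equal to its own name; 1002, which carries a deny/permit pair and a long secret, is clean. The same parser can be pointed at other Asterisk files with the same key=value layout.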
Interception of conversations
[Diagram: PSTN; IP PBX; Company «А»; outside company «А» office; attacker’s computer; WEP wireless network]
1. Use of wireless networks
2. Weak encryption algorithms
3. ACLs are not used
4. Weak password policy
Capture corporate network
[Diagram: PSTN; IP PBX; «А» company; outside company «А» office; attacker’s computer; WEP wireless network; corporate LAN (КЛВС); SQL injection CVE-2008-0026]
5. No change management
Capture corporate network – attacker’s actions
[Diagram: PSTN; IP PBX; Company «А»; outside company «А» office; attacker’s computer; WEP wireless network; corporate LAN (КЛВС); SQL injection CVE-2008-0026; attacker’s actions numbered 1–3]
1. Get access to the corporate network via Wi-Fi
2. Find CISCO Call Manager by its typical response
a) use the SQL injection CVE-2008-0026
b) obtain user password hashes in response to the request
c) recover passwords from the hashes
3. One of the recovered passwords is the Admin password for all CISCO local networks
runsql select user,password from applicationuser
https://www.example.org/ccmuser/personaladdressbookEdit.do?key='+UNION+ALL+SELECT+'','','',user,'',password+from+applicationuser;--
An attacker can capture the whole local network via VoIP services
Conclusions
1. VoIP infrastructure is vulnerable to the same security threats as an ordinary corporate network
2. VoIP service vulnerabilities LAN vulnerabilities
3. The same methods are used to create protected infrastructure in VoIP as in LAN
Advice for creating a secure infrastructure
Advice 1: monitor changes and updates in your VoIP infrastructure.
Advice 2: extend the password policy to VoIP services, use strong crypto algorithms.
Advice 3: use a compliance and vulnerability management system to prevent incidents.
Advice 4: offer security level monitoring of clients’ hardware as a value-added service (VAS).
Advice 5: take a broad view of your infrastructure security; remember it is not only workstations and the e-mail system.