Analysis: Hacking VoIP, As Easy As 1-2-3
In the data world, legislation obliges vendors to announce vulnerabilities to the public. There is no such legislation in the voice world, so disclosure is left to the vendors, and so far they have not been upfront with customers. FDIC examiners are not asking about VoIP yet, according to VoIPshield.
This is the state of VoIP security today. Most of the 300,000 privately owned IP-PBX systems deployed throughout the US are wide open to anyone who wants to hack them, and that is only the tip of the iceberg.
Originally deployed to save on call costs, VoIP systems are now being integrated with data LANs to form unified communication platforms. The ambitions of vendors like Cisco and Microsoft reach deep into the data stack. By combining instant messaging, presence awareness and other communication routes into a single platform, users will be able to stay in touch with everyone at all times. Microsoft touts this highly integrated VoIP architecture with its Office Communications Server 2007.
Those who believe in the new architecture and convert must understand that their integrated VoIP platforms sit in close contact with the data LAN. And here is where things can go awry quickly.
VoIPshield showed us a hack from outside a firewall using a known vulnerability in Cisco's Call Manager 5.0. First off, a quick search for Call Manager on Google gave us an eye-opening experience. Cut and paste the following into the Google search bar: inurl:"ccmadmin" intext:CallManager. Not every link returned leads to an exposed Call Manager; look for results titled "Cisco Unified CallManager Console." Click one and you will find Cisco's CallManager administration console wide open to the Web.
When contacted about this article, Cisco had no comment.
This is public information, so we are not divulging any secrets. Moreover, VoIPshield and the Test Center agreed not to release further details of the exploit. Many other searches turn up far more information about gaining access to VoIP systems.
As they say, ignorance is bliss, but not so with VoIP. Over the years, the misconception that phone systems are isolated boxes that can only carry voice, and the lack of information from vendors, have led many administrators to believe that it is fine to expose their call manager Web-based interfaces to the Internet.
For the exploit, VoIPshield researchers used one laptop to connect to a Cisco Call Manager and a second laptop, running a Cisco soft phone, to view the Call Manager's responses. All the tools needed was the IP address of the call manager.
Once connected, the researchers forced an update to the soft phones. The update carried an executable that gave the researchers full control of users' corporate computers. The executable takes effect only after a reboot.
Because the executable arrived bundled as part of the Cisco soft phone application, personal firewalls and anti-malware software did not detect it.
If you are not in shock yet, here is another Google search that allows attackers to find Cisco phones: inurl:NetworkConfiguration cisco. Keep in mind that phones can be found exposed to an external network. From there, an attacker can quickly learn how to reach the Call Manager that serves the exposed phones.
The NetworkConfiguration search exposes the phones' IP addresses, and on some results it brings up a page that also lists the IP address of the call manager. One search, one click, and there you go!
Because voice and data usually share the same switches, separated only by VLAN tags, an attacker plugged into a phone port can use a free utility called VoIPhopper to jump from the data VLAN onto the voice VLAN. The tool imitates an IP phone's CDP announcements and tags its frames with the voice VLAN ID, so the hop happens at layer 2, beneath the firewalls and most IDS sensors on the market, which watch routed traffic. What's more, crafted VoIP packets can slip past today's IDS stacks, so layered defenses on a corporate intranet or WAN are no guarantee against a direct attack on internal systems.
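A VLAN hop of the kind described above ends with an ordinary computer holding an address on the voice subnet, and the DHCP server sees that even when no firewall does. The following is an added detection example, not VoIPshield's or Cisco's code: it reads ISC dhcpd-style syslog lines and flags voice-VLAN leases whose MAC vendor prefix is not a known phone OUI, or whose hostname is not the SEP<MAC> form Cisco phones register with. The sample log lines, the voice subnet and the small OUI allowlist are constructed for illustration.

```python
"""Spot non-phone devices obtaining DHCP leases on the voice VLAN.

Added example for this article, not VoIPshield's or Cisco's code. Log lines
follow ISC dhcpd syslog format; the samples, the voice subnet and the OUI
allowlist are constructed/assumed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional

VOICE_SUBNET = ipaddress.ip_network("10.50.0.0/16")   # assumed voice VLAN range

# A few OUIs seen on Cisco IP phones; a real deployment would load its own
# phone inventory instead. Assumed for illustration.
PHONE_OUIS = {"00:1b:54", "00:0f:34", "00:1a:a1"}

# dhcpd: DHCPACK on <ip> to <mac> (<hostname>) via <iface>; hostname optional.
ACK_LINE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


@dataclass
class Lease:
    ip: str
    mac: str
    host: Optional[str]
    iface: str


def parse_ack(line: str) -> Optional[Lease]:
    """Return the lease a DHCPACK line describes, or None for other lines."""
    m = ACK_LINE.search(line)
    if not m:
        return None
    return Lease(m["ip"], m["mac"].lower(), m["host"], m["iface"])


def suspicious(lease: Lease) -> Optional[str]:
    """Reason a voice-VLAN lease does not look like a phone, or None."""
    if ipaddress.ip_address(lease.ip) not in VOICE_SUBNET:
        return None                       # data VLAN lease, out of scope here
    oui = lease.mac[:8]
    if oui not in PHONE_OUIS:
        return f"unknown OUI {oui} on voice VLAN"
    # Cisco phones register as SEP<MAC without colons>; a laptop that spoofs
    # a phone OUI usually still sends its own hostname.
    expected = "SEP" + lease.mac.replace(":", "").upper()
    if lease.host != expected:
        return f"hostname {lease.host!r} != {expected}"
    return None


def alerts(lines: Iterable[str]) -> list[str]:
    """Run the checks over a log and return one alert string per bad lease."""
    out = []
    for line in lines:
        lease = parse_ack(line)
        if lease is None:
            continue
        reason = suspicious(lease)
        if reason:
            out.append(f"{lease.ip} {lease.mac}: {reason}")
    return out


# Constructed sample log: one real phone, one laptop, one laptop spoofing a
# phone OUI, one data-VLAN lease, and a line that is not an ACK at all.
SAMPLE_LOG = [
    "Jan 12 10:15:02 dhcp1 dhcpd: DHCPACK on 10.50.1.23 to 00:1b:54:aa:bb:cc (SEP001B54AABBCC) via eth0.50",
    "Jan 12 10:15:40 dhcp1 dhcpd: DHCPACK on 10.50.1.77 to 00:1c:42:12:34:56 (DESKTOP-Q3K) via eth0.50",
    "Jan 12 10:16:05 dhcp1 dhcpd: DHCPACK on 10.50.1.78 to 00:1b:54:aa:bb:cd (kali) via eth0.50",
    "Jan 12 10:16:20 dhcp1 dhcpd: DHCPACK on 10.10.4.5 to 00:1c:42:12:34:56 (DESKTOP-Q3K) via eth0.10",
    "Jan 12 10:16:21 dhcp1 dhcpd: DHCPDISCOVER from 00:1c:42:12:34:56 via eth0.10",
]

if __name__ == "__main__":
    for alert in alerts(SAMPLE_LOG):
        print(alert)
```

Treat this as a tripwire, not a control: an attacker who clones both the MAC and the SEP hostname of a real phone passes both checks, so the durable fix is port security or 802.1X on phone ports and an access list between the voice and data VLANs, with this kind of lease monitoring telling you when those controls have been bypassed.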
Let's just say, if banks can be extorted, anyone is vulnerable. Most administrators don't realize that VoIP phones sit in hostile environments: where contractors work, in lobby areas and in hotel rooms. Simply walk into a bank and ask to use a phone; almost no one will think twice about leaving you unattended with it.
At 20 employees, Ontario-based VoIPshield is working to establish itself as a security vendor. The company has leverage in the market as the first vendor focused on this niche, but its technology is still largely unknown. Like the more established data security vendors, VoIPshield is using its security alerts to gain the vendors' respect and market trust. In turn, the company offers two key products to partners and customers: VoIPaudit and VoIPguard.
Data VARs should take advantage of this moment by offering customers security scans with the VoIPaudit technology.
VoIPaudit performs security audits on VoIP infrastructure by automatically discovering devices and services, and then tests them for vulnerabilities. VoIPguard arrives with two detection engines. One engine is signature-based and relies on the discovered vulnerabilities in its database. The other engine is smarter and attempts to discern whether traffic is malicious: it examines traffic and logged events, and studies protocol usage and general IP-PBX traffic behavior. Both products are fed with updates as part of a subscription service.