RE: Voice over IP

From: Ofir Arkin (ofir@sys-security.com)
Date: Thu Jun 14 2001 - 14:58:19 PDT


    Brandon,
    
    I can name a few security hazards with VoIP (there are a lot more):
    
    1. Traffic can be sniffed and played back (NAI got a Sniffer Pro module
    for this already, there are a couple of free tools on the net).
    2. Denial-of-Service on the conversation - if you have the correct SSID
    then you can introduce background noise inside the conversation.
    3. Denial-of-Service on the talk itself - you might be able to stop the
    actual talk when using the used SSID between source A and source B for
    Source C to Source A (can be as well Source C to Source B). 
    4. Spoofing signals - terminating talks, initiating non-existing
    talks... etc. Let's see your face at 4am after I spoofed the 'ring' to
    your house :)
    Or I falsified signals so the exchange will think you are using your
    phone all the time... :)
    5. Denial of Service on the Call Manager itself (joint IP/Voice network
    I remind you) 
    6. Man in the middle is not simple even if you are located somewhere
    between the two ends. You have a problem of LATENCY... so this is not
    obvious to do
    
    I hope this gives you some points to work on :)
    There are others but they are related to carrier grade Telco setups.
    
    
    
    Ofir Arkin [ofir@sys-security.com]
    Founder
    The Sys-Security Group
    http://www.sys-security.com
    PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA
    
    
    -----Original Message-----
    From: Young, Brandon [mailto:byoungat_private] 
    Sent: ? 14 ???? 2001 17:48
    To: 'pen-testat_private'
    Subject: Voice over IP
    
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    All,
    
    A couple of colleagues and I are working on a security audit for a
    VOIP system. Anyone know of any exploits and vulnerabilities that may
    exist with Cisco's call manager? One thing we have found is that the
    traffic can be sniffed during phone calls. TCP is used for the
    initial connection setup and then once the phone has set up a session
    to the call manager it then uses the RTP protocol. We found that the
    conversation is placed in the PCMU audio codec. We are looking to
    find a way to extract the payloads and reassemble the audio so that
    we can play back the phone conversations.  We are also looking at 
    launching a man in the middle attack and getting access to the
    conversation and trying to listen to it in real time instead of
    capturing and replaying. Any ideas on some possible ways to execute
    this? 
    
    Thanks in advance,
    
    //CALENCE
    Brandon Young
    Consultant - Consulting Services
    480.889.9736
    byoungat_private
    www.calence.com
    
    
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
    
    iQA/AwUBOyjc1HTH1Q5UAycjEQLCfgCfaesfZXb/E35EaTqE9sZdcPCZlGsAoJxf
    wh1QNRb61/lEJMHS5LhUDMS6
    =atyJ
    -----END PGP SIGNATURE-----
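
A detection-side example for points 2 and 3 of the reply above, added here and not code from either poster: it assumes the stream identifier those points rely on is the RTP SSRC field (RFC 3550), and it flags a stream whose SSRC arrives from a second transport address or whose sequence numbers jump. The addresses, SSRC value, `max_seq_jump` threshold and function names are constructed for illustration.

```python
import struct
from collections import namedtuple

RtpHeader = namedtuple("RtpHeader", "payload_type seq timestamp ssrc")

def parse_rtp(data):
    """Parse the 12-byte fixed RTP header (RFC 3550); None if not RTP version 2."""
    if len(data) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != 2:
        return None
    return RtpHeader(b1 & 0x7F, seq, ts, ssrc)

def find_anomalies(packets, max_seq_jump=50):
    """packets: iterable of (source_address, udp_payload) in arrival order.
    Returns a list of (packet_index, ssrc, reason) alerts."""
    state = {}  # ssrc -> [address that first used it, last sequence number]
    alerts = []
    for i, (src, payload) in enumerate(packets):
        hdr = parse_rtp(payload)
        if hdr is None:
            continue
        if hdr.ssrc not in state:
            state[hdr.ssrc] = [src, hdr.seq]
            continue
        if src != state[hdr.ssrc][0]:
            # Same stream identifier, different sender: collision or injection.
            alerts.append((i, hdr.ssrc, "ssrc-from-new-source"))
            continue  # a foreign packet must not move the owner's sequence state
        # 16-bit modular distance: small = in order, near 65536 = slight reorder.
        delta = (hdr.seq - state[hdr.ssrc][1]) & 0xFFFF
        if max_seq_jump < delta < 0x10000 - max_seq_jump:
            alerts.append((i, hdr.ssrc, "sequence-jump"))
        state[hdr.ssrc][1] = hdr.seq
    return alerts

def make_rtp(seq, ssrc, payload_type=0):
    """Build a constructed 20 ms PCMU packet (payload type 0, 160 samples)."""
    header = struct.pack("!BBHII", 0x80, payload_type, seq, (seq * 160) & 0xFFFFFFFF, ssrc)
    return header + b"\xff" * 160

# Constructed sample capture (documentation addresses, made-up SSRC).
PHONE, OTHER, SSRC = ("192.0.2.10", 16384), ("192.0.2.66", 40000), 0x1234ABCD
SAMPLE = [(PHONE, make_rtp(65534, SSRC)), (PHONE, make_rtp(65535, SSRC)),
          (PHONE, make_rtp(0, SSRC)),     # normal 16-bit wrap, no alert
          (OTHER, make_rtp(1, SSRC)),     # same SSRC from another address
          (PHONE, make_rtp(1, SSRC)),
          (PHONE, make_rtp(9000, SSRC))]  # address matches, sequence does not
```

Calling `find_anomalies(SAMPLE)` reports the packet from the second address and the out-of-range sequence number; a spoofed source address defeats the first check, which is why the sequence check is kept alongside it.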
    


