Most corporate networks still vulnerable to VoIP attacks
September 24, 2010
Recent Internet security testing performed by Sipera Systems Inc. reveals that most corporate VoIP (Voice over Internet Protocol) and video conferencing equipment used in the business world today can still be easily hacked by some insiders using a freely downloadable tool that allows attackers to monitor all incoming voice calls and video signals in real time, and then record them in files that would be suitable for posting on YouTube or similar social sites.
Jason Ostrom, director of Viper Labs Inc., says that while the security exploit was demonstrated in August 2009 at a few security conferences, most corporate networks today are still very vulnerable to such attacks.
The Richardson, Texas, VoIP vendor, where he performs penetration tests on clients' business VoIP networks, says that only about 5 percent of these networks are properly configured to block such attacks from the outside. A successful attack can deliver sensitive audio and video files of entire conversations, which could subsequently fall into the wrong hands and be used for corporate espionage, sharing trade secrets, etc.
"I almost never, never see encryption turned on, and that's a very big mistake," Ostrom added.
He demonstrated the attack at Forrester Research’s Security Forum in Boston last week using a Cisco Systems switch, two Polycom video phones and a simple laptop armed with a hacking tool called UC-Sniff that he downloaded from open source websites.
To successfully eavesdrop on the voice calls, someone with access to a VoIP phone jack -- including the one in the lobby of the business -- plugs an ordinary laptop with the hacking tool on it into the jack. Then, using Address Resolution Protocol (ARP) spoofing, the laptop gathers the corporate VoIP directory, giving the hacker the ability to keep an eye on any phone and to intercept its calls.
UC-Sniff also includes a tool called ACE that simplifies capturing the directory.
Once intercepted, the audio and video signals from the targeted call flow through the laptop, where they can be viewed as they stream by and where they are recorded in separate files, one for each end of the conversation, Ostrom says. One file is used for the reception and the other for the transmission (i.e., the response) of the two-way messages.
The hacking feat is deceptively simple to reproduce and involves almost no knowledge of hacking techniques: all the criminal needs to do is download the free software tool, get a laptop and get to work.
As always, Ostrom says, the best network defense is still to turn 'On' the encryption for both signaling and media. "There's really no sense in having encryption turned off when you already have the resource available! When you go to bed at night, do you lock your doors?"
The problem isn't with the networking, the VoIP or the video gear itself, but rather with how they are configured in the network, Ostrom warned. He added, "Software is only as good as if it is well configured to do the job it was intended to do in the first place."
However, one conference attendee suggested that Layer 2 monitoring tools could pick up on this attack, and Ostrom agreed, but he also said that those same tools aren't used that often in the field.
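As an added illustration of the kind of Layer 2 check the attendee refers to (not code from the article, Sipera or any monitoring product), the sketch below flags the two signs an ARP-spoofing interception leaves on a voice VLAN: a phone's IP address suddenly answering from a different MAC address, and one MAC address claiming several phones' IP addresses. The function name, the threshold and all addresses are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample: (timestamp, sender IP, sender MAC) from ARP replies seen
# on a voice VLAN. All addresses are illustrative, not taken from the article.
SAMPLE_ARP_REPLIES = [
    (0.0, "10.0.20.1", "00:1b:54:aa:00:01"),    # call server / gateway
    (1.0, "10.0.20.11", "00:04:f2:00:00:11"),   # phone A
    (2.0, "10.0.20.12", "00:04:f2:00:00:12"),   # phone B
    (30.0, "10.0.20.11", "3c:97:0e:de:ad:01"),  # laptop now claims phone A
    (30.1, "10.0.20.12", "3c:97:0e:de:ad:01"),  # ... and phone B
    (31.0, "10.0.20.11", "00:04:f2:00:00:11"),  # real phone A answers again
]

def detect_arp_spoofing(replies, max_ips_per_mac=1):
    """Return alerts for IP-to-MAC rebinding and for one MAC claiming many IPs."""
    ip_to_mac = {}                 # first binding seen for each IP (the baseline)
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed so far
    reported_macs = set()          # MACs already flagged, to avoid repeat alerts
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.setdefault(ip, mac)
        if known != mac:
            alerts.append(("rebind", ts, ip, known, mac))
        mac_to_ips[mac].add(ip)
        # Raise max_ips_per_mac for hosts that legitimately answer for several IPs.
        if len(mac_to_ips[mac]) > max_ips_per_mac and mac not in reported_macs:
            reported_macs.add(mac)
            alerts.append(("multi_ip", ts, mac, sorted(mac_to_ips[mac])))
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```

The baseline here is simply the first binding observed; in practice it would be seeded from a trusted source such as DHCP lease records so that an attacker who answers first is not learned as legitimate.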
"I very seldom see any Layer 2 protection devices to defend against this sort of VoIP or video attacks," he added.
Additionally, in his penetration testing he found that almost 70.3 percent of all networks he tested were vulnerable to toll fraud attacks as well. Toll fraud attacks use the corporate network as a proxy for making long-distance calls, oftentimes overseas and at peak times of a business day.
For his part, Edward Amoroso, chief security officer for AT&T, who sat on a panel at the Forrester Research conference with Ostrom, says that, on any given day, AT&T plants public-facing vulnerabilities on purpose just to lure potential attackers into so-called 'honeypots' that aren't even connected to the corporate network.
AT&T then works with the local law enforcement agencies to correctly identify and then prosecute the hackers.
Amoroso says, "It certainly introduces some risk to the hacker. They then wonder 'is that network real or fake?' and may then be very reluctant to jump on every vulnerability they see. But as good as this may sound, there are still many that will take the risk."
Source: Sipera Systems Inc.