VoIP Security – How to prevent eavesdropping on VoIP conversations
Dmitry Dessiatnikov
DISCLAIMER: All information in this presentation is provided for information purposes only and in no event shall Security Aim be liable for any direct, indirect, incidental, or other special damages however caused arising in any way out of the use of information in this presentation.
Who Am I?
• 15 years in IT security consulting & operations
• President at Security Aim
• Security Assessments and Penetration Testing
• SANS Community Instructor Sec 542
• Salt Lake OWASP Chapter Leader
• Board Member UtahSec.org
Agenda
• Background – why secure VoIP?
• VoIP – how is the enterprise exposed?
• Compromise a VoIP phone and eavesdrop on VoIP communications – VLAN Hopping
• Cisco Unified Communications Issues and Security Configuration Settings
• Harden Cisco IP phones
• Conclusions
What is VoIP?
• Voice over Internet Protocol (VoIP) allows voice and multimedia traffic to be sent as data packets over an IP network.
• Benefits such as cost savings, portability and integration with other applications have resulted in its wide adoption in corporate environments.
VoIP Security Issues
• VoIP inherited the security issues of the Internet Protocol that did not exist in circuit-switched systems and that are often overlooked in the real world.
Is Voice Data Worth Securing?
• Hospital ER Phones – Extortion, Denial of Service Attacks
• 911 Call Centers
• Public Safety Agencies
• Businesses
Is Voice Data Worth Securing?
• That depends on what is being discussed or communicated
• US Government officials' phone calls
• US Assistant Secretary of State for European Affairs and the US ambassador to Ukraine
• Result: US apologized to EU
• Could be worse: WWIII
Is Voice Data Worth Securing?
• In the enterprise, phone conversations may contain:
– PII
– PHI
– Credit Card Data
– Intellectual Property
– Competitive Data
– Insider Trading
Is Anyone After Your Voice Data?
• Doing Research in This Field
• Mistakenly Offered Money for What Would be Considered Phone Hacking
• Sometimes Price is Irrelevant
• Obviously the Offers Are Always Declined
Cisco Unified Communications
• The security issues with the implementation of the Cisco Unified Communications solution and Cisco IP phones commonly deployed in business
• Attackers can abuse common security misconfigurations of the Unified Communications system and of the underlying network to eavesdrop on VoIP phone calls
Cisco Unified Communications – External
• External or Internal only?
• Employees have IP phones at remote locations or at home to receive phone calls
• Properly secured to connect back to the Call Managers
Who Uses Cisco Phones?
• Corporate Offices
• Hospitals
• Banks
• Power Plants
• The Office Dwight?
Source: http://www.omgfacts.com/lists/678/15-Facts-About-Popular-TV-Shows-You-Didn-t-Know
Who Else Uses Cisco Phones?
• The President
Source: http://electrospaces.blogspot.com/2012/02/does-obama-really-lacks-cool-phones.html
VoIP VLANs
• VoIP traffic is placed in a Voice VLAN to segregate it from the data VLAN, which is considered a security control
• However, commonly no access controls are used to restrict users from accessing the VoIP network and to prevent the VLAN hopping that results in the interception of phone conversations
VoIP VLAN hopping
• The ability to gain access to the VoIP traffic from the data VLAN
• Learn the VoIP VLAN ID from:
– CDP broadcast packets on the VoIP network
– The settings screen of an IP phone
• Manually assign interface VLAN
VoIP VLAN hopping (cont.)
• Manually assign interface VLAN using the 802.1Q VLAN Implementation for Linux
VoIP VLAN hopping (cont.)
• Manually assign interface VLAN on OS X
• System Preferences, then click Network, choose Manage Virtual Interfaces and add VLAN
• Select Configure IPv4 using DHCP
Regular ARP-Poison MITM
• ARP-poison the VoIP phones to eavesdrop on the conversations
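From the defender's side, the ARP-poisoning step above leaves a recognisable trace on the voice VLAN: an IP that suddenly answers from a new MAC, one MAC claiming both a phone and the gateway, and unsolicited (gratuitous) replies used to seed the phones' ARP caches. The following is an added example, not from the presentation, of a small detector run over a constructed capture; the IP and MAC addresses are made up, and the alert thresholds are the example's own choices.

```python
"""Flag ARP-poisoning symptoms on a voice VLAN.

Added example (not from the presentation). The replies below are constructed
to resemble what a passive sensor on the voice VLAN would record; the IPs and
MACs are made up.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float          # seconds since capture start
    sender_ip: str
    sender_mac: str
    target_ip: str     # equal to sender_ip for a gratuitous ARP


# Constructed capture: 10.10.20.1 is the gateway, 10.10.20.11/.12 are phones.
# At t=30 a third station (00:0c:29:aa:bb:cc) starts answering for both the
# gateway and phone .11, which is the classic man-in-the-middle pattern.
SAMPLE_REPLIES = [
    ArpReply(0.0,  "10.10.20.1",  "00:1a:2b:00:00:01", "10.10.20.11"),
    ArpReply(0.5,  "10.10.20.11", "00:1e:4a:11:22:33", "10.10.20.1"),
    ArpReply(1.0,  "10.10.20.12", "00:1e:4a:44:55:66", "10.10.20.1"),
    ArpReply(30.0, "10.10.20.1",  "00:0c:29:aa:bb:cc", "10.10.20.11"),  # claims gateway
    ArpReply(30.1, "10.10.20.11", "00:0c:29:aa:bb:cc", "10.10.20.1"),   # claims phone
    ArpReply(30.2, "10.10.20.1",  "00:0c:29:aa:bb:cc", "10.10.20.1"),   # gratuitous ARP
    ArpReply(31.0, "10.10.20.1",  "00:0c:29:aa:bb:cc", "10.10.20.11"),  # repeat, no new alert
]


def detect_arp_poisoning(replies, max_ips_per_mac=1):
    """Return alerts as (kind, ts, mac, detail) tuples, in capture order.

    Three symptoms are checked:
      MAC_CHANGE        an IP we already know answers from a different MAC
      ONE_MAC_MANY_IPS  a single MAC claims more IPs than max_ips_per_mac
      GRATUITOUS_ARP    unsolicited reply (sender == target), used to seed caches
    Each (ip, new mac) change is reported once so a sustained attack does not
    flood the alert list.
    """
    bindings = {}                  # ip -> first MAC seen for it
    ips_by_mac = defaultdict(set)  # mac -> set of IPs it has claimed
    reported_changes = set()
    alerts = []
    for r in replies:
        if r.sender_ip == r.target_ip:
            alerts.append(("GRATUITOUS_ARP", r.ts, r.sender_mac, r.sender_ip))
        first_mac = bindings.setdefault(r.sender_ip, r.sender_mac)
        if first_mac != r.sender_mac and (r.sender_ip, r.sender_mac) not in reported_changes:
            reported_changes.add((r.sender_ip, r.sender_mac))
            alerts.append(("MAC_CHANGE", r.ts, r.sender_mac,
                           f"{r.sender_ip}: {first_mac} -> {r.sender_mac}"))
        claimed = ips_by_mac[r.sender_mac]
        if r.sender_ip not in claimed:
            claimed.add(r.sender_ip)
            if len(claimed) > max_ips_per_mac:
                alerts.append(("ONE_MAC_MANY_IPS", r.ts, r.sender_mac, sorted(claimed)))
    return alerts


def suspicious_macs(alerts):
    """MACs implicated by any alert; candidates for a switch-port lookup."""
    return {mac for _, _, mac, _ in alerts}


if __name__ == "__main__":
    for kind, ts, mac, detail in detect_arp_poisoning(SAMPLE_REPLIES):
        print(f"t={ts:5.1f} {kind:17} {mac} {detail}")
    print("suspect MACs:", suspicious_macs(detect_arp_poisoning(SAMPLE_REPLIES)))
```

Gratuitous ARP on its own is also sent legitimately (on boot, on failover), so in practice it is the combination with a MAC change that warrants a page; the implicated MAC can then be traced to a switch port, which is where the port controls in the Recommendations slide apply.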
Recommendations
• Restrict access between the user data VLANs and the VoIP infrastructure VLANs
• Use stateful firewalls or VLAN ACLs for inter-zone communications
• In public areas lock the phone to the wall
• Disable the port when the VoIP phone is unplugged
• Consider implementing MACsec, defined in the IEEE 802.1AE standard, to mitigate 802.1X limitations
How to identify the target
• To target specific users, download the corporate directory of users from the VoIP TFTP server
• TFTP? Really?
Cisco Unified Communications Manager Common Issues
• Insecure Credential Policy
• Security Mode Disabled
• Configuration File Encryption not Enabled
• Lack of authentication for the download of IP phone certificate enrollment
Cisco Unified Communications Manager
• When the Device Security Mode is set to "Non Secure" in the CUCM Phone Security Profile Configuration, the call setup and the actual call traffic are not encrypted or secured
• When the "TFTP Encrypted Config" setting is not selected, phone provisioning and registration occur in clear text
• Registration information for every phone on the network can then be retrieved from the TFTP server
Cisco Unified Communications Manager
• Certificate Authority Proxy Function (CAPF) is used to install, upgrade, or delete locally significant certificates on the supported Cisco Unified IP Phone models. The "By Null String" authentication mode disables authentication for the download of IP Phone certificate enrollment.
• Because no user intervention is needed, remote attackers may be able to provision rogue certificates on the phones by resetting or rebooting the devices.
Cisco Unified Communications Manager Solutions
• Enable "Check for Trivial Passwords"
• All user logins and voicemail PINs will then have to meet the complexity criteria
• Disable "No Limit for Failed Logons"
• Set the failed logon counter
• Select "Administrator Must Unlock"
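The three settings above together make a voicemail PIN resistant to online guessing: trivial PINs are refused at enrollment, and once the failed-logon counter trips, even the correct PIN is rejected until an administrator intervenes. The following is an added example, not Cisco's implementation, that models that policy; the exact rules CUCM applies under "Check for Trivial Passwords" are not on the slide, so the trivial-PIN rules here (repeating patterns, ascending or descending runs, the user's own extension) are the example's own assumptions, as is the counter value of 5.

```python
"""Credential-policy checks for the CUCM settings on the slide.

Added example, not Cisco's implementation: the slide does not give the exact
rules behind "Check for Trivial Passwords", so the trivial-PIN rules below are
this example's own assumptions about what such a check should reject. The
lockout model follows the slide: a failed-logon counter and "Administrator
Must Unlock".
"""
from dataclasses import dataclass


def is_trivial_pin(pin: str, extension: str = "", min_len: int = 6) -> bool:
    """True if the PIN is something an attacker would guess first."""
    if not pin.isdigit() or len(pin) < min_len:
        return True
    # Repeating unit of 1-3 digits: 111111, 121212, 123123
    for k in (1, 2, 3):
        if len(pin) % k == 0 and pin == pin[:k] * (len(pin) // k):
            return True
    # Ascending or descending run: 123456, 987654
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):
        return True
    # PIN equal to, or containing, the user's own extension
    if extension and (pin == extension or (len(extension) >= 4 and extension in pin)):
        return True
    return False


@dataclass
class LockoutPolicy:
    max_failed_logons: int = 5            # "No Limit for Failed Logons" disabled; assumed value
    administrator_must_unlock: bool = True


@dataclass
class Account:
    user: str
    failed_logons: int = 0
    locked: bool = False


def record_logon(account: Account, pin_correct: bool, policy: LockoutPolicy) -> bool:
    """Apply one logon attempt; return True only if the logon is accepted.

    A locked account rejects even a correct PIN, which is the property that
    stops online PIN guessing.
    """
    if account.locked:
        return False
    if pin_correct:
        account.failed_logons = 0
        return True
    account.failed_logons += 1
    if account.failed_logons >= policy.max_failed_logons:
        account.locked = True
    return False


def try_timed_unlock(account: Account, policy: LockoutPolicy) -> bool:
    """A scheduler would call this; with Administrator Must Unlock it must refuse."""
    if policy.administrator_must_unlock:
        return False
    account.locked = False
    account.failed_logons = 0
    return True


def administrator_unlock(account: Account) -> None:
    account.locked = False
    account.failed_logons = 0


if __name__ == "__main__":
    for pin in ("123456", "121212", "402100", "739154"):
        print(pin, "trivial" if is_trivial_pin(pin, extension="4021") else "ok")
    acct, pol = Account("ext4021"), LockoutPolicy()
    for _ in range(5):
        record_logon(acct, False, pol)
    print("locked:", acct.locked, "correct PIN accepted:", record_logon(acct, True, pol))
```

The extension check matters more than it looks: a voicemail PIN is typed into the same keypad as the extension, and a caller who has the directory (see the TFTP slide) already knows every extension.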
Cisco Unified Communications Manager Solutions
• Enable the encrypted device security mode
• Offers integrity, authentication and encryption through the use of TLS connections with AES128/SHA encryption for signaling
• Uses the Secure Real-Time Transport Protocol (SRTP) for carrying the actual phone call media
• Not all phones support encrypted calls
Cisco Unified Communications Manager Solutions
• Enable the "TFTP Encrypted Config" setting to encrypt the phone configuration files that the IP phones download from the provisioning TFTP servers
• Authenticate certificate enrollment based on a pre-existing Locally Significant Certificate (LSC)
• Use the "By Existing Certificate (Precedence to LSC)" setting for the authentication mode
Cisco Unified Communications Manager Solutions
• The solution has had some security issues with the certificate validation of new CTLs
• To mitigate:
– Perform initial CTL deployment in a trusted environment
– Review validation of the new CTLs
• Reference: Blackhat Europe 2012: "All Your Calls Are Still Belong to Us" by Enno Rey & Daniel Mende
Mitigating Controls
• Some models have Security By Default (SBD) enabled
• If an attacker attempts to modify the phone settings using a configuration file from a rogue TFTP server, the phone rejects the file due to a signature verification failure, because the file's signature does not match the Initial Trust List (ITL) of the phone
Cisco Phones Security Issues
• The following settings have security implications and are not commonly disabled on the reviewed IP phones, thus exposing them to unauthorized modifications:
– "Settings" Access
– PC Port Setting
– PC Voice VLAN Access
– Gratuitous ARP
– Web Access
"Settings" Access
• By default, pressing the Settings button on a Cisco IP Phone provides access to a variety of information, including phone configurations that have security implications.
• Disable the Settings Access setting through the Cisco CallManager Administration.
• These settings do not display on the phone if they are disabled in the Cisco CallManager Administration.
• Change the default password used to override settings.
PC Voice VLAN access
• An integrated switch
• The default setting is to enable the PC port on all Cisco IP phones.
• Disable it in public areas: lunch areas or conference rooms
• The PC Port is enabled for a short period of time during the boot-up process before it is disabled
Override Phone Settings
• Cisco IP phones receive settings over TFTP
• Disable the ability to specify a rogue TFTP server for provisioning
• ARP-poison the network to make phones connect to a rogue TFTP server
• Download the phone config file and modify it
• Push it out using a rogue TFTP server
Password Protect Your Phones
• The Settings menu password is not set by default, even on phones used in public areas
• This allows the provisioned security settings to be modified by unlocking the phone with the "***#" combination
• The PC Port Configuration setting can be changed to "Auto Negotiate" instead of "Disabled"
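The phone-side settings listed on the Cisco Phones Security Issues slide ("Settings" Access, PC Port, PC Voice VLAN Access, Gratuitous ARP, Web Access) are all provisioned through the configuration file the phone pulls over TFTP, so a hardening review can be done by auditing those files rather than walking to every handset. The following is an added example, not part of the presentation or of any Cisco tool, that checks a configuration file against two baselines: an office profile that tolerates an enabled PC port, and a public-area profile that does not. The XML is constructed; its element names are the slide's setting names written as XML elements and are not a guaranteed match for the real SEP*.cnf.xml schema, and "1"/"0" are assumed to mean enabled/disabled, so confirm both against a real file first.

```python
"""Audit an IP phone configuration file against a hardening baseline.

Added example, not part of the presentation or of any Cisco tool. The XML
below is constructed: its element names are the slide's setting names written
as XML elements (not a guaranteed match for Cisco's SEP*.cnf.xml schema) and
"1"/"0" are assumed to mean enabled/disabled. Confirm both against a real
configuration file before using this against your own phones.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<device>
  <deviceProtocol>SCCP</deviceProtocol>
  <vendorConfig>
    <settingsAccess>1</settingsAccess>
    <pcPort>1</pcPort>
    <pcVoiceVlanAccess>1</pcVoiceVlanAccess>
    <gratuitousArp>1</gratuitousArp>
    <webAccess>0</webAccess>
  </vendorConfig>
</device>"""

# Settings that should read "0" (disabled). An office phone may keep its PC
# port because the user's workstation hangs off it; a phone in a lunch area
# or conference room should not.
BASELINE_OFFICE = frozenset({"settingsAccess", "pcVoiceVlanAccess", "gratuitousArp", "webAccess"})
BASELINE_PUBLIC_AREA = BASELINE_OFFICE | {"pcPort"}


def audit_phone_config(xml_text, baseline):
    """Return (setting, status, note) findings; an empty list means compliant."""
    root = ET.fromstring(xml_text)
    vendor = root.find("vendorConfig")
    findings = []
    for name in sorted(baseline):
        el = vendor.find(name) if vendor is not None else None
        if el is None:
            findings.append((name, "MISSING", "not in config; phone falls back to its default"))
        elif (el.text or "").strip() != "0":
            findings.append((name, "ENABLED", "should be disabled"))
    return findings


def is_compliant(xml_text, baseline):
    return not audit_phone_config(xml_text, baseline)


def hardened_copy(xml_text, baseline):
    """Return the config with every baseline setting forced to "0".

    This is a what-if for review only: phones with Security By Default check
    the configuration file's signature against their ITL, so the real change
    has to be made in CUCM Administration, which re-signs the file.
    """
    root = ET.fromstring(xml_text)
    vendor = root.find("vendorConfig")
    if vendor is None:
        vendor = ET.SubElement(root, "vendorConfig")
    for name in sorted(baseline):
        el = vendor.find(name)
        if el is None:
            el = ET.SubElement(vendor, name)
        el.text = "0"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for label, baseline in (("office", BASELINE_OFFICE), ("public area", BASELINE_PUBLIC_AREA)):
        print(f"[{label}]")
        for setting, status, note in audit_phone_config(SAMPLE_CONFIG, baseline):
            print(f"  {setting:18} {status:8} {note}")
    print("hardened public-area copy compliant:",
          is_compliant(hardened_copy(SAMPLE_CONFIG, BASELINE_PUBLIC_AREA), BASELINE_PUBLIC_AREA))
```

A setting that is absent from the file is reported separately from one that is enabled, because an absent element means the phone is running its firmware default, which for the PC port and Settings access is "enabled" according to the slides above.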
Eavesdropping on VoIP conversations
DEMO
Conclusion
• Be aware of the risks before you make a significant time and financial investment
• Don't make assumptions about security enforced by the manufacturers
• Securely configure the Cisco Unified Communications Manager solution and phones
• To know if your VoIP environment is secure, validate controls through testing!
Q & A
Slides: www.securityaim.com/resources/presentations
Contact: Dd[at]securityaim[dot]com
Twitter: @SecurityAim