VoIP Attacks PDF


Dustin D. Trammell Security Research BreakingPoint Systems, Inc.

Computer Academic Underground

About Me
Dustin D. Trammell a.k.a. I)ruid
Employed by BreakingPoint Systems, Inc.
• http://www.bpointsys.com
Founder, Computer Academic Underground
• http://www.caughq.org/
Co-Founder, AHA! (Austin Hackers Association)
• http://www.austinhackers.org/
Contributor, VoIP Security Alliance
• http://www.voipsa.com/

About this Presentation

Attacks discussed are either recent or significant
Making the case that attack tools are available and mature
Divided into three sections:
• Briefly, VoIP Basics
• Attacks (Vulns, Attacks, Impact, Tools, Mitigation)
• Problems with suggested mitigation actions
I'll be discussing only technical attacks

Legend

Attack Classes
• Attack against Availability
• Attack against Integrity
• Attack against Confidentiality

Currently Un-patched Example / Demo Attack Tool References

Notes on Mitigation

Often there are no clear-cut "solutions" to any vulnerability or attack
I will refrain from using the "isolate your VoIP network" cop-out "solution"
Some mitigation techniques suggested do work;
In part three, I'll only be discussing:
• Those that don't work well
• Those that have significant drawbacks
• Those that have significant barriers to implementation

VoIP Basics
VoIP for the uninitiated...

Terminology

VoIP - Voice over Internet Protocol
Call - the session aggregate of signaling and media between endpoints
Endpoint - Point where a call terminates
Soft-phone - VoIP phone implemented entirely in software
Hard-phone - VoIP phone with a physical presence, also sometimes referred to as a "handset"
PSTN - Public Switched Telephone Network, or your traditional telephony networks.

Signaling vs. Media

Separate channels for signaling information vs. media (bearer) data due to abuse
Adopted from traditional telephony systems
Some protocols like IAX/IAX2 combine these into a single channel

Protocols & Ports

Signaling
• Session Initiation Protocol (SIP) : TCP/UDP 5060,5061
• Session Description Protocol (SDP) : Encapsulated in SIP
• Media Gateway Control Protocol (MGCP) : UDP 2427,2727
• Skinny Client Control Protocol (SCCP/Skinny) : TCP 2000,2001
• Real-time Transfer Control Protocol (RTCP) : (S)RTP+1

Media
• Real-time Transfer Protocol (RTP) : Dynamic
• Secure Real-time Transfer Protocol (SRTP) : Dynamic

Hybrid
• Inter-Asterisk eXchange v.1 (IAX) : UDP 5036 (obsolete)
• Inter-Asterisk eXchange v.2 (IAX2) : UDP 4569

H.323 Protocol Suite & Ports

Signaling
• H.245 - Call Parameters - Dynamic TCP
• H.225.0
    Q.931 - Call Setup - TCP 1720
    RAS - UDP 1719
• Audio Call Control - TCP 1731
• RTCP - RTP Control - Dynamic UDP

Media
• RTP - Audio - Dynamic UDP
• RTP - Video - Dynamic UDP

Audio Codecs
DoD CELP - 4.8 Kbps
GIPS Family - 13.3 Kbps and up
iLBC - 15 Kbps, 20ms frames / 13.3 Kbps, 30ms frames
ITU G.711 - 64Kbps (a.k.a. alaw / ulaw)
ITU G.722 - 48 / 56 / 64 Kbps
ITU G.723.1 - 5.3 / 6.3 Kbps, 30ms frames
ITU G.726 - 16 / 24 / 32 / 40 Kbps
ITU G.728 - 16 Kbps
ITU G.729 - 8 Kbps, 10ms frames
LPC10 - 2.5 Kbps
Speex - 2.15 to 44.2 Kbps, Free Open-Source codec
http://www.voip-info.org/wiki-Codecs

Generalized Attacks

Flooding

Vulnerabilities:
• Most hard-phones have limited or underpowered hardware
• Protocols provide unauthenticated and unauthorized functions

Attack:
• Flood the device with VoIP protocol packets:
    SIP INVITE, OPTIONS
    Bogus RTP media packets
• Flood the device with network protocol packets:
    TCP SYN
    ICMP

Effect:
• Degraded call quality
• Device crash, halt, freeze, or respond poorly

Tools:
• Scapy - General purpose packet tool
    http://www.secdev.org/projects/scapy/
• InviteFlood - SIP Invite flooder
    http://www.hackingexposedvoip.com/tools/inviteflood.tar.gz
• IAXFlood - IAX protocol flooder
    http://www.hackingexposedvoip.com/tools/iaxflood.tar.gz
• UDPFlood - General UDP flooder
    http://www.hackingexposedvoip.com/tools/udpflood.tar.gz
• RTPFlood - RTP protocol flooder
    http://www.hackingexposedvoip.com/tools/rtpflood.tar.gz

Mitigation:
• Protect your core network devices from external access
• Rate-limit VoIP traffic at points of control

Flood Amplification

Vulnerabilities:
• Protocols provide unauthenticated functionality
• Some protocols use a connectionless transport (UDP)

Attack:
• Spoof the source address of your packet as originating from your victim
• Spread the love around
• Invoke functionality that responds with more data than the request

Effect:
• "Smurf"-like amplification flood

Tools:
• Scapy - General purpose packet tool
    http://www.secdev.org/projects/scapy/
• NetSamhain
    http://sourceforge.net/projects/netsamhain/
• Nemesis
    http://www.packetfactory.net/projects/nemesis/

Mitigation:
• Use a connection oriented transport (TCP)
• Authenticate protocol messages
• Rate-limit network traffic

Fuzzing

Vulnerabilities:
• Protocol stack implementations are immature / poor

Attack:
• Send malformed messages to a device's input vectors

Effect:
• Many endpoint devices will crash, halt, freeze, respond poorly, or otherwise enter a DoS condition
• Some core devices may behave similarly
• Very effective method of identifying software bugs

Tools:
• Sulley Fuzzer
    http://www.fuzzing.org
• PROTOS Suite - SIP, HTTP, SNMP
    http://www.ee.oulu.fi/research/ouspg/protos/
• ohrwurm - RTP
    http://mazzoo.de/blog/2006/08/25#ohrwurm
• Fuzzy Packet - RTP, built-in ARP poisoner
    http://libresource.inria.fr/projects/VoIP_Security/fuzzypacket
• Other tools
    http://www.threatmind.net/secwiki/FuzzingTools

Mitigation:
• Use open-source soft-phones and hard-phone firmware
• Demand resilient devices from your device vendor
• Ask about and review your vendor's QA processes

Attacks Against Signaling

Signaling Manipulation Overview

Vulnerabilities:
• Protocols are unencrypted and unauthenticated
• Signaling extends to endpoint device

Attacks:
• Inject malicious signaling messages into a signaling channel
• Send new signaling messages to endpoints or services

Effects:
• Forced call tear-down DoS
• Media redirection, injection, or call hijacking
• Registration manipulation DoS / hijack

Forced Call Teardown

Vulnerabilities:
• Most protocols are unencrypted and do not authenticate all packets
• The signaling channel can be monitored

Attack:
• Inject spoofed call tear-down messages into the signaling channel such as:
    SIP: BYE
    IAX: HANGUP (Frame type 0x06, Subclass 0x05)

Effect:
• DoS: A call in progress is forcibly closed.

Tools:
• Teardown - SIP BYE injector
    http://www.hackingexposedvoip.com/tools/teardown.tar.gz
• sip-kill - Injects valid SIP teardown messages into a session
    http://skora.net/uploads/media/sip-kill
• sip-proxykill - Similar technique against SIP proxies
    http://skora.net/uploads/media/sip-proxykill
• IAXHangup
    http://website.isecpartners.com/files/IAXHangup.tar.gz
• H225RegReject
    http://website.isecpartners.com/files/h225regreject.tar.gz

Mitigation:
• Encrypt the signaling channel
• Authenticate every signaling message

Registration (Call) Hijacking

Vulnerability:
• Signaling protocols are unencrypted

Attack:
• Observe a legitimate endpoint registration
• Use observed information and credentials to replace the legitimate registration
• Observe a call-setup message

Effect:
• New calls for the endpoint are routed to the malicious device rather than the legitimate device

Tools:
• Registration Hijacker
    http://www.hackingexposedvoip.com/tools/reghijacker.tar.gz
• Registration Remover
    http://www.hackingexposedvoip.com/tools/eraseregistrations.tar.gz
• Registration Adder
    http://www.hackingexposedvoip.com/tools/add_registrations.tar.gz
• RedirectPoison
    http://www.hackingvoip.com/tools/redirectpoison_v1[email protected]

Mitigation:
• Encrypt signaling traffic

Media Hijacking

Vulnerabilities:
• Signaling protocols are unencrypted and unauthenticated
• Signaling extends to endpoint device

Attack:
• Inject malicious signaling messages into a signaling channel
• Send new signaling messages to endpoints or services

Effect:
• Media redirection, duplication, or termination

Media Hijacking Example

Tools:
• sip-redirectrtp + rtpproxy
    http://skora.net/voip/attacks/

Mitigation:
• Encrypt the signaling channel
• Fix protocols to authenticate ALL signaling messages related to a call

Caller-ID Spoofing

Vulnerability:
• Protocols are un-authorized and un-verified end-to-end
• End-point supplied data is not challenged
• Many automated systems use Caller-ID information to authenticate users

Attack:
• Initiate a call with falsified Caller-ID information

Effect:
• An attacker may appear to the called party as someone they are not
• An attacker may be erroneously authenticated

Tools:
• Most soft-phones
• Asterisk IPBX
• VoIP to PSTN service providers that honor user-supplied Caller-ID information
    http://www.iax.cc/ - IAX/SIP VoIP Service provider
    http://www.spoofcard.com/ - Calling-card based
    http://www.telespoof.com/ - For "business" use
    http://www.fakecaller.com/ - Text to Voice "prank" messages!

Mitigation:
• Don't honor user-supplied Caller-ID information
• Don't trust Caller-ID information for user authentication

Caller-ID Name Disclosure

Vulnerability:
• Caller-ID Information can be spoofed
• PSTN switches add name information to Caller-ID

Attack:
• Set your Caller-ID to the number you want to identify
• Call yourself so that the path of your call routes through the PSTN
• Receive the Caller-ID information which will have the name associated with the number

Effect:
• Phone Number to Name Lookup
• Disclosure of potentially unlisted information

Tools:
• Asterisk IPBX
• Most soft-phones
• VoIP to PSTN service providers that honor user-supplied Caller-ID information
    http://www.iax.cc/ - IAX VoIP provider, use Asterisk
    http://www.spoofcard.com/ - Calling-card based
    http://www.telespoof.com/ - For "business" use
    http://www.fakecaller.com/ - Text to Voice "prank" messages!
• PSTN Telephone Line w/Caller-ID

Mitigation:
• Have the PSTN telephony provider remove the Caller-ID name associated with your number

Eavesdropping the Environment

Vulnerabilities:
• Signaling extends to the endpoint devices
• Signaling is neither authenticated nor encrypted

Attack:
• Send malformed call set-up signaling to a device

Effect:
• Device silently answers the incoming call
• Audio from the device's environment may be eavesdropped

Tools:
• Grandstream GXV-3000 SIP Phone exploit:
    http://voipsa.org/pipermail/voipsec_voipsa.org/2007-August/002424.html
• Other undisclosed devices have the same issue

Mitigation:
• Affected vendors need to patch their protocol stacks
• Devices with available patches need to be updated

Directory Enumeration

Vulnerabilities:
• Protocols provide unauthenticated functionality
• Protocols respond differently to valid vs. invalid usernames
• Protocols are unencrypted on the wire

Attack:
• Active: Send specially crafted protocol messages which elicit a telling response from the server
• Passive: Watch network traffic for device registration messages

Effect:
• Valid usernames are disclosed
• Usernames may be used in a more targeted attack such as pass-phrase cracking.

Directory Enumeration Example

Send this to target SIP device:
    OPTIONS sip:test@172.16.3.20 SIP/2.0
    Via: SIP/2.0/TCP 172.16.3.33;branch=3afGeVi3c92Lfp
    To: test <sip:test@172.16.3.20>
    Content-Length: 0

Receive:
    SIP/2.0 404 Not Found

Tools:
• SIPCrack - Sniffs traffic for valid usernames and then attempts to crack their passwords
    http://www.remote-exploit.org/index.php/Sipcrack
• enumIAX - Uses IAX REGREQ messages against Asterisk
    http://www.tippingpoint.com/security/materials/enumiax-0.4a.tar.gz
• SIPSCAN - Uses SIP OPTIONS, INVITE, and REGISTER messages against SIP servers
    http://www.hackingexposedvoip.com/tools/sipscan.msi

Mitigation:
• Encrypt signaling to prevent passive enumeration
• Fix protocols that respond differently to valid vs. invalid username registrations.
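
Until the protocol responses are fixed, the valid vs. invalid username difference described above can at least be watched for on the server side. The following is an added example, not part of the original presentation: it flags any source that probes many distinct users and mostly draws 404 Not Found. The function names, thresholds and sample traffic are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

TARGET = "172.16.3.20"  # SIP server address used in the slide's example

def exchange(ts, src, method, user, status):
    """Build one constructed (time, source, request, response) record."""
    req = (f"{method} sip:{user}@{TARGET} SIP/2.0\r\n"
           f"Via: SIP/2.0/TCP {src};branch=z9hG4bK{ts}\r\n"
           f"To: {user} <sip:{user}@{TARGET}>\r\n"
           "Content-Length: 0\r\n\r\n")
    reason = {200: "OK", 404: "Not Found"}[status]
    return ts, src, req, f"SIP/2.0 {status} {reason}\r\n\r\n"

# Constructed sample traffic (not from the presentation).
SAMPLE = (
    [exchange(t, "203.0.113.7", "OPTIONS", u, s) for t, (u, s) in enumerate(
        [("alice", 404), ("bob", 404), ("carol", 200), ("dave", 404),
         ("erin", 404), ("frank", 404)])]
    + [exchange(t, "198.51.100.20", "OPTIONS", "desk12", 200) for t in (0, 30, 60)]
)

TO_USER = re.compile(r"^To:[^<\r\n]*<sip:([^@>\s]+)@", re.I | re.M)
STATUS = re.compile(r"^SIP/2\.0 (\d{3}) ")

def parse(req, resp):
    """Return (method, probed_user, status_code), or None if unparseable."""
    to, st = TO_USER.search(req), STATUS.match(resp)
    if not (to and st):
        return None
    return req.split(" ", 1)[0], to.group(1).lower(), int(st.group(1))

def find_enumerators(records, window=60, min_users=5, min_404_ratio=0.5):
    """Flag sources that probe many distinct users and mostly draw 404s."""
    by_src = defaultdict(list)
    for ts, src, req, resp in records:
        parsed = parse(req, resp)
        if parsed and parsed[0] in ("OPTIONS", "INVITE", "REGISTER"):
            by_src[src].append((ts, parsed[1], parsed[2]))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1  # slide the time window forward
            win = events[lo:hi + 1]
            users = {u for _, u, _ in win}
            misses = sum(1 for _, _, code in win if code == 404)
            if len(users) >= min_users and misses / len(win) >= min_404_ratio:
                # Users that did NOT return 404 are the names the probe disclosed.
                alerts[src] = {"probed": len(users),
                               "disclosed": sorted({u for _, u, c in win if c != 404})}
                break
    return alerts

if __name__ == "__main__":
    print(find_enumerators(SAMPLE))
```

The "disclosed" list tells the responder which accounts should be treated as known to the prober, for example when prioritising pass-phrase resets.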

Attacks Against the Media

Media Injection

Vulnerability:
• Media channel packets are unauthenticated and unencrypted

Attack:
• Inject new media into an active media channel
• Replace media in an active media channel

Effect:
• Modification of media
• Replacement of media
• Deletion of media

Media Injection Example: RTP

Real-Time Transfer Protocol
UDP Transport
Requisites:
• Able to observe a legitimate RTP session
Adjust sequence numbers of injected packets so that they will arrive "before" legitimate packet
Send away!

Tools:
• RTPInsertSound
    http://www.hackingvoip.com/tools/rtpinsertsound_v3.0.tar.gz
• RTPMixSound
    http://www.hackingvoip.com/tools/rtpmixsound_v3.0.tar.gz
• RTPInject (GUI)
    http://website.isescpartners.com/files/RTPInject.tar.gz

Mitigation:
• Authenticate or verify received media packets
• Encrypt the media channel
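
Because injected packets must reuse the legitimate stream's SSRC and claim sequence numbers the real sender will also use, a monitor can spot the collision even on unauthenticated RTP. The following is an added example, not part of the original presentation: it parses the RTP fixed header and reports packets that compete with an existing stream. The function names, the jump threshold and the sample capture are assumptions constructed for illustration.

```python
import hashlib
import struct

def rtp_packet(seq, ts, ssrc, payload, pt=0):
    """Build a minimal RTP packet (V=2, no padding, extension or CSRC list)."""
    return struct.pack("!BBHII", 0x80, pt, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload

def parse_rtp(data):
    """Parse the RTP fixed header (RFC 3550); return None if it is not RTP v2."""
    if len(data) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != 2:
        return None
    off = 12 + 4 * (b0 & 0x0F)            # skip CSRC identifiers
    if b0 & 0x10:                          # header extension present
        if len(data) < off + 4:
            return None
        off += 4 + 4 * struct.unpack("!H", data[off + 2:off + 4])[0]
    if len(data) < off:
        return None
    return {"pt": b1 & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc, "payload": data[off:]}

def detect_injection(packets, max_jump=50, history=512):
    """Return (index, seq, reason) for packets that compete with a stream."""
    streams, findings = {}, []
    for i, raw in enumerate(packets):
        p = parse_rtp(raw)
        if p is None:
            continue
        st = streams.setdefault(p["ssrc"], {"seen": {}, "last": None})
        digest = hashlib.sha256(p["payload"]).digest()
        first = st["seen"].setdefault(p["seq"], digest)
        if first != digest:
            # Same SSRC and sequence number, different audio: two senders.
            findings.append((i, p["seq"], "conflicting-duplicate"))
        delta = 0 if st["last"] is None else (p["seq"] - st["last"]) & 0xFFFF
        if max_jump < delta < 0x8000:
            findings.append((i, p["seq"], "sequence-jump"))
        if delta < 0x8000:                 # forward (mod 2^16): advance the head
            st["last"] = p["seq"]
        while len(st["seen"]) > history:   # bound memory per stream
            st["seen"].pop(next(iter(st["seen"])))
    return findings

# Constructed capture, in arrival order: a G.711 stream (160 samples/packet)
# with two forged packets that reach the receiver ahead of the real 103 and 104.
SSRC = 0x1234ABCD
legit = {s: rtp_packet(s, 160 * s, SSRC, bytes([s % 256]) * 160) for s in range(100, 106)}
forged = {s: rtp_packet(s, 160 * s, SSRC, b"\xff" * 160) for s in (103, 104)}
CAPTURE = [legit[100], legit[101], legit[102], forged[103], forged[104],
           legit[103], legit[104], legit[105]]

if __name__ == "__main__":
    for finding in detect_injection(CAPTURE):
        print(finding)
```

A conflict shows that two senders share one SSRC but cannot say which copy is genuine; only per-packet authentication, as SRTP provides, lets the receiver reject the forged one.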

Covert Communication

Vulnerability:
• Media channel packets are unauthenticated and unencrypted

Attack:
• Manipulate an active media channel and embed covert communication data
• Extract covert communication data from an active media channel

Effect:
• Send covert data using someone else's call media
• Receive covert data embedded into someone else's call media

MITM Covert Communication

[Diagram labels: RTP Endpoint A, SteganRTP A, SteganRTP B, RTP Endpoint B; links labelled RTP]

Tools:
• SteganRTP
    http://sourceforge.net/projects/steganrtp/
• Vo2IP
    No longer available

Mitigation:
• Authenticate or verify media packets
• Encrypt the media channel (some protection)

Eavesdropping the Media

Vulnerability:
• Media protocols are usually un-encrypted on the wire
• Media traffic can be observed and recorded

Attack:
• Observe / Record the media packets
• Reconstruct the payload into an easily playable media file

Effect:
• Calls are not private!

Eavesdropping Example: RTP

RTP Eavesdropping

Tools:
• Ethereal / Wireshark
    http://www.wireshark.org/
• Cain & Abel
    http://www.oxid.it/cain.html
• Vomit - Targets Cisco devices
    http://vomit.xtdnet.nl/
• Etherpeek VX
    http://www.wildpackets.com/products/etherpeek/overview

Mitigation:
• Encrypt the media channel

Attacks Leveraging the Underlying Network

Configuration Disclosure: Infrastructure

Vulnerability:
• Most hard-phones use FTP or TFTP when booting
• FTP is an insecure protocol
• TFTP is an even more insecure protocol

Attack:
• FTP: Observe the device's login credentials
• TFTP: Guess or observe filenames
• Grab the configuration file and firmware from the server
• Or just reconstruct the firmware / configuration file from observation

Effect:
• Disclosure of sensitive information such as:
    Usernames / Passwords
    Call Server, Gateway, Registration Server, etc.
    Available VoIP services

Tools:
• Ethereal / Wireshark
    http://www.wireshark.org/
• Deductive Reasoning
    Cisco phones have MAC based filenames:
    • CTLSEP<eth.addr>.tlv
    • SEP<eth.addr>.cnf.xml
    • SIP<eth.addr>.cnf
    • MAC<eth.addr>.cnf
    Then there's defaults:
    • XMLDefault.cnf.xml
    • SIPDefault.cnf
    • dialplan.xml
• TFTP-Bruteforce - Brute forces TFTP filenames
    http://www.hackingexposedcisco.com/tools/TFTP-bruteforce.tar.gz

Mitigation:
• Don't use TFTP! FTP is better, but still not secure...
• Use non-default filenames

Attacks Against Endpoint Services

Configuration Disclosure: Device

Vulnerability:
• Hard-phones provide management interfaces
• VxWorks remote debugging and console port open

Attack:
• Point a browser at the device on port 80
• SNMP-walk the device
• Attach a remote VxWorks debugger

Effect:
• Disclosure of sensitive information such as:
    Usernames / Passwords
    Call Server, Gateway, Registration Server, etc.
    Available VoIP services
    Device internals

Tools:
• Web Browser - Connect to port 80
• SNMPwalk - retrieve a subtree of management values
    http://net-snmp.sourceforge.net/docs/man/snmpwalk.html
• VxWorks debugger (GDB)

Mitigation:
• Disable device admin ports like HTTP and SNMP
• Disable remote debugging ports

Web Management Interface XSS

Vulnerability:
• Devices don't sanitize input / web output
• Device web management apps display log and message data

Attack:
• Embed XSS code into a signaling message
• Send crafted message to target device
• Wait for user to display logs/message via the device's web interface

Impact:
• Cross-Site-Scripting code execution
• Potential traversal of trust boundaries

Tools:
• Any VoIP device with user-configurable display fields
• Example:
    http://voipsa.org/pipermail/voipsec_voipsa.org/2007-October/002452.html

Mitigation:
• Don't use device web management interfaces
• Demand more secure protocol stacks from your device vendors

Vendor-Specific Attacks

Vendor-Specific Attacks
Cisco

Cisco IP Phone Forced Reboot

Vulnerability:
• SCCP runs on TCP which is vulnerable to reset attacks
• If a phone's signaling channel is terminated this way the phone performs a full reboot
• As of firmware 8.0(7.0) (most recent for 7940, 8.3.3 not avail)
• Public Disclosure: 04/20/2004
• http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml

Attack:
• Inject a RST packet into the signaling channel

Effects:
• The IP phone performs a full reboot
• Service is unavailable while doing so

Tools:
• tcpkill - Sniffs network traffic for a TCP session and injects RST packets to forcibly close the connection

Vendor Response: 04/20/2004
• http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml
• Summary: Fixed adhering to version 2 of http://tools.ietf.org/wg/tcpm/draft-ietf-tcpm-tcpsecure/
• Result: Attack is slightly harder but not much. Phone still reboots.

Mitigation:
• The device should re-establish the session rather than performing a full device reboot.
• (like when you prompt a RST via an ICMP destination/protocol unreachable (Type 3, Code 2) attack against the CCM (BID:12134))

Vendor-Specific Attacks
FiWin

SS28S Debug Console Hard-coded Credentials

Vulnerability:
• VxWorks debug console open via Telnet
• VxWorks credentials hard-coded to user "1" and pass "1"
• As of firmware 01_02_07 (current as of 10/24/06)

Public Disclosure: 09/22/06
• http://www.osnews.com/story.php/15923/Review-FiWin-SS28S-WiFi-VoIP-SIPSkype-Phone/
• BID: 20154

Attack:
• Telnet to the phone on port 23
• Authenticate with username "1", password "1"

Effects:
• Device configuration disclosure
• Authentication credentials disclosure
• DoS via memory corruption, disk format/corruption

Tools:
• Telnet client

Vendor Response:
• Notified 09/15/06 by Zachary McGrew, no response.
• Notified 09/26/06 by myself, no response.

Mitigation:
• Issue the "td tTelnetd" command within the VxWorks console
• Update the firmware
    No updated firmware available
    Requires proprietary USB cable that you can only get from FiWin
    They apparently don't sell it!

Issues With Mitigation

Encrypt the Media Channel

Many deployed devices don't support SRTP
Many new devices won't support SRTP yet
No standard way to negotiate or send keys
Some methods for keying utilize the unencrypted signaling channel anyway
ZRTP: DH Key Negotiation within the media channel
May use IPSec or TLS, but...

Encrypt the Signaling Channel

There is also no standard way to do this
Alternatives to encrypting the signaling protocol itself include:
• IPSec to encrypt at the network layer
    Not scalable
    Issues with call set-up times
• TLS to encrypt at the transport layer
    Not end-to-end
    Issues with trust; no global PKI
• New protocol:
    DTLS!

Authenticate All Signaling Messages

Requires that you update/fix the protocols
The nature of VoIP requires that unknown parties be able to initiate sessions
Can potentially wrap the protocol in an authenticating transport like IPSec or TLS

Fix the Protocols

Not an immediate solution
More time consuming with open / standards based protocols
• You have to convince a committee there is a problem
• Deliberation takes time
May be faster / easier with proprietary protocols
• But you have to convince the vendor there is a problem

Don't Trust Caller-ID

Unfortunately, users have been trained to believe that Caller-ID is trustworthy
Caller-ID should be trustworthy
Will take time to educate users

Use open-source soft-phones / firmware

Unfortunately, most open-source soft-phones also have poor protocol stacks
• But at least you can:
    Audit the code
    Report problems to the maintainers
As far as I'm aware, there is no open source firmware for hard-phones
• Most are vendor-proprietary

Demand Resilient Vendor Devices

Vendors aren't motivated to improve device security
Some devices in this area are getting better
Phones are limited by their hardware

Rate-limit Offensive Traffic

Low-rate floods still effective! (just differently)
Low-rate floods look like legitimate traffic
Media doesn't like latency

Don't use TFTP! (or FTP)

Most vendor VoIP systems don't provide an alternative

Conclusions

Q&A
