Saturday, 13 February 2016

Are You The Only One Using Your VOIP Phone?

Voice Over Internet Protocol (VOIP) is becoming an ever more popular way of making phone calls.  Most of us still have a Plain Old Telephone System (POTS) somewhere on our desk, but many are using VOIP as it provides a degree of communications integration that POTS can do only with expensive gateways.  Thousands of VOIP handsets are appearing in organisations large and small: it is becoming the norm.

The trouble is, as I have said many times before, IP and many of its associated protocols were never built to be secure.  Worse still, those implementing VOIP applications in firmware (the software that runs on these dedicated handsets) seem to be making some basic mistakes which are leaving us open to eavesdropping - the good old fashioned type of eavesdropping as well, where someone can listen to the conversations of anyone within range of the microphone on the VOIP phone.

All the way back in 2012 (which is a long time ago in technology evolutionary terms) I recall researchers showing how you could hack into these phones.  These hacks exploited, for example, a vulnerability in the kernel of the version of Unix running on the handsets, whereby arbitrary code could be run by an attacker.

Yes, it runs Unix, so it is possible to attack it just like any other computer.  They all have some form of operating system, and it is usually a cut-down, open source version to save on cost.  Manufacturers are often building to a price point, and security is not at the front of their minds.  This is compounded by the added difficulty of updating embedded software when a problem is found.

The first step to successfully writing secure code is to recognise the threat landscape within which the code operates.  As far back as 2007 SANS published a paper on the threats to, and countermeasures for, VOIP communications.  It is still worth a read today.

Last year Nettitude did an interesting study into the subject.  The report noted that the types of services being attacked on such devices were not just SIP, as you might expect, but included HTTP, Telnet, RDP and others.  One really has to wonder why some of these are running on a "phone":
Results from report by Nettitude

Now, different manufacturers run different versions of these operating systems, and they write different applications.  Hence, vulnerabilities tend to be specific to a few models of phone.  However, these vulnerabilities are disclosed, and hackers can identify which system you are using simply by phoning and listening to the answer messages - there are databases of which message indicates which system.  Finding and targeting a particular manufacturer's technology once a vulnerability is identified is not difficult.

And if you can't be bothered to do all that tedious phoning (or build a tool to do it for you) then you can simply use Google.  Try typing in inurl:"NetworkConfiguration" cisco or "(e.g. 0114930398330)" snom, which are among many well known searches for such phones from a range of manufacturers.

Oh, before I forget: for those who want to delve a little further we now have Shodan, which has a range of canned queries ready for you to explore, including some phones that have no password at all!  Can you believe it?  You will when you see the hack at the end of this blog post.

You can learn more about the techniques used to exploit vulnerabilities in VOIP phones in general  here.

Sadly, not all of the vulnerabilities are deep within the kernel of the chosen operating system.  Some are so obvious that you can't quite imagine they were allowed through.  For example, one manufacturer had left the default setup so that authentication was not required in order to run certain functions remotely.  This meant that an attacker could send a specially crafted XML request to your handset and, bingo, they could dial another phone from it.

That particular manufacturer issued their own security warning and said that a fix would be available within the month.  But I wonder how often firmware in any device is updated by its users or their IT department?  Did you even know your desk phone was running software that potentially needed updating?

Incorrect default settings are a common theme in security flaws for devices running on firmware.  As the Internet of Things starts rolling out you'll see a lot more of this problem.

It's not obvious how you monetise an ability to dial one phone remotely from another, but throw in premium rate numbers and suddenly you can see how it might work.  I get your desk phone to dial my premium rate number (sometimes paying me over £1 per minute for the call duration) and it's like printing money.  As an attacker, if you are clever and get the pattern right you might not even raise an alarm if/when the bill is scrutinised within a business.  Steal a little from here and a little from there and you can accumulate massive sums.

Luckily most criminals are greedy and hit targets for large call charges thereby raising suspicions.

This type of premium rate hack is conducted almost exclusively out of hours, i.e. when no one is likely to be at their desk, so that the first time it might be noticed is when the company receives the bill.  They may be greedy, but these criminals are not stupid - again Nettitude mapped the timings of such attacks and it is quite clear what is happening:

Results from Nettitude report
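The two patterns described above, premium rate destinations and out-of-hours timing, are exactly what a finance or IT team can check for in the call detail records (CDRs) exported from the PBX, without waiting for the bill.  The script below is an added example written for this post; it is not code from the original, from Nettitude or from any phone vendor.  It assumes a constructed CDR export of the form "timestamp,extension,dialled number,duration in seconds", that UK premium rate numbers begin with 09, and an office day of 08:00 to 18:00 Monday to Friday; all of these are assumptions you would replace with your own carrier's number ranges and working hours.  It also totals premium rate minutes per destination, which is the check that catches the "a little from here and a little from there" pattern that a per-call alarm misses.

```python
"""Toll-fraud detection over call detail records (CDRs).

Added example for this post, not code from the original or from Nettitude.
Assumptions (labelled): CDR lines are "timestamp,extension,dialled_number,
duration_seconds"; UK premium-rate numbers start with "09"; office hours are
08:00-18:00 Monday to Friday.  Every record below is constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample CDR export (2016-02-08 is a Monday, 2016-02-13 a Saturday).
SAMPLE_CDR = """\
2016-02-08 10:15:02,2041,02079460000,180
2016-02-08 23:41:10,2041,09061234567,540
2016-02-09 02:03:55,2038,09061234567,420
2016-02-09 14:20:00,2038,01632960123,60
2016-02-13 03:10:12,2041,09061234567,600
2016-02-10 11:05:30,2050,09061234567,45
"""

PREMIUM_PREFIXES = ("09",)          # assumption: UK premium-rate range
OFFICE_START, OFFICE_END = 8, 18    # assumption: 08:00-18:00 local time


def parse_cdr(text):
    """Parse the comma-separated export into a list of dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ext, number, secs = line.split(",")
        records.append({
            "when": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "ext": ext,
            "number": number,
            "seconds": int(secs),
        })
    return records


def is_out_of_hours(when):
    """Weekend, or a weekday outside the assumed office window."""
    return when.weekday() >= 5 or not (OFFICE_START <= when.hour < OFFICE_END)


def is_premium(number):
    return number.startswith(PREMIUM_PREFIXES)


def flag_calls(records):
    """Per-call alarm: premium-rate destination dialled out of hours."""
    return [r for r in records
            if is_premium(r["number"]) and is_out_of_hours(r["when"])]


def minutes_per_destination(records):
    """Aggregate premium-rate minutes per dialled number (catches low-and-slow)."""
    totals = defaultdict(int)
    for r in records:
        if is_premium(r["number"]):
            totals[r["number"]] += r["seconds"]
    return {number: secs / 60 for number, secs in totals.items()}


def report(text, minute_threshold=15):
    """Combine both checks into one summary suitable for a daily review."""
    records = parse_cdr(text)
    flagged = flag_calls(records)
    heavy = {n: m for n, m in minutes_per_destination(records).items()
             if m >= minute_threshold}
    return {
        "out_of_hours_premium": [(r["when"].isoformat(), r["ext"], r["number"])
                                 for r in flagged],
        "heavy_premium_destinations": heavy,
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_CDR).items():
        print(key)
        print("  ", value)
```

Run against the constructed sample, the per-call check flags the three night-time and weekend calls to the 09 number, while the aggregate check reports that one destination has accumulated over 26 premium rate minutes across four calls, including the 45-second daytime call that the per-call rule alone would ignore.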

And of course, the hackers could be really nasty and record whatever audio is within range of the handset and charge you a premium rate for the privilege: espionage where the motive is obscured even if it is detected.

Bearing in mind how well understood a lot of this hacking is, you might be surprised to learn that this is still possible.  But only today Paul Moore, Per Thorsheim and Scott Helme were able to use just a few lines of code to completely own a VOIP phone.  Here is the video of them demonstrating the exploit:

Full details of the latest findings can be found here.  What were they exploiting? Default settings again.

Clearly if this problem was still present in their phones (and remember they are security researchers so apply patches whenever they receive notification) then something is going wrong with the whole process of prevention, detection and correction.  Some part of this lifecycle is breaking down.

There is an old adage that any microphone should be treated as live.  Perhaps don't become that paranoid, but please remember that if your desk phone is a VOIP phone then you need to treat it like a computer or a smart phone.  It can be misappropriated by a hacker under the right (or rather the wrong) conditions.  Watch for security patches and make sure they are applied, and don't let your VOIP phone be the weak link in your security chain.