Your Hosts
Markus Ehlers, Oliver Wittig
Agenda
• Typical threats in VoIP
• Physical access threat
• What can the vendor do
• Secure Calling in AskoziaPBX
Possible attack points in VoIP
• Router + firewall
• IP phone
• Soft clients
• Phone application + web portal
How to find vulnerable devices?
Typical threats in VoIP
• Spam over Internet Telephony: broadcast of messages via VoIP
• Eavesdropping: secretly listening to private conversations
• Service Abuse: VoIP fraud
• Denial of Service attacks: attempts to prevent legitimate use of services
• Physical Access: IP phones as entry point into the network
Spam over Internet Telephony
Problem
• Bulk unsolicited, automatically dialled, pre-recorded phone calls using VoIP protocols
• The spammer attempts to initiate a voice session and then relays a pre-recorded message if the receiver answers.
Measures
• Only accept SIP invites from trusted hosts (SIP registrar)
• Encrypt SIP credentials (SIP over TLS)
• Enforce client cert authentication at SIP server
Eavesdropping
Problem
• Capturing and decoding VoIP traffic on the network
• Tools like Wireshark can decode RTP streams into playable audio format
Measures
• Always encrypt RTP packets (SRTP)
Service Abuse
Problem
• Automatic dialling of toll numbers and long distance
• Setting up blind transfers and erasing the setting server URL of a hacked device
• Call forwarding from one toll number to a second doubles the “income”
Measures
• Secure web server (HTTPS) or switch it off completely
• Deploy phone in user mode and use a strong admin mode password
• Always put a router between phone and the Internet
Physical access to the network
Problem
• An IP phone is a possible entrance gate into the corporate network
• An unprotected network switch port can give unauthorised devices illicit access
Measures
• Snom phones support 802.1x
• IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols.
• It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.
802.1x: the big fear / effort
Problem
• Port authentication sounds easy
• Do not confuse it with MAB (MAC Authentication Bypass)
• Do not expect it all to be like Wi-Fi or PCs
• Certificate-based authentication involves
• staging or automatic rollout
• revocation / replacing / updating of certificates
Measures
• Build a skilled team: network, switches; RADIUS guest and productive; provisioning guest and productive
• Sit together and plan realistically: security audit needs; technical drawbacks
Denial of Service attacks
Problem
• A denial-of-service (DoS) attack is a cyber-attack where the perpetrator seeks to make a machine or network resource (services) unavailable to its intended users.
• DoS is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems.
Measures
• Snom has secured its redirection server against possible DoS attacks
• Service providers need to take the necessary measures to ensure the availability of their service
What can the vendor do?
A hack that isn’t a hack
• Snom’s security measures are sufficient to avoid a hack
• In a SoHo / do-it-yourself environment, if users disregard warnings and security advice, it is their responsibility.
• Almost every phone used in a business environment is auto-provisioned, i.e. all necessary passwords are set automatically with the initial deployment of the phone.
• But... what is once on the WWW stays there forever.
External security audit
• Manipulation of a phone in the local network, possible via cross-site scripting vulnerabilities
• Path traversal filter bypass: URLs containing “../” could access hidden folders
• VPN profile enabled to run malware on the phone
• Bypass of authentication and gain of admin rights when restrict_uri_queries and use_hidden_tags were set to “off”
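The path traversal finding above is a filter-bypass problem: a blocklist that only looks for a literal “../” in the raw request misses percent-encoded or backslash variants. The following added example (not Snom code; the web root path and the handler shape are assumed) shows that naive filter beside a canonicalising check that decodes the request and verifies the resolved path still lies under the web root.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Hypothetical document root of an embedded phone web server (assumption).
WEB_ROOT = "/var/www/phone"


def naive_filter_allows(url_path: str) -> bool:
    """Blocklist filter of the kind the audit found bypassable:
    it only checks the raw, still-encoded request for a literal '../'."""
    return "../" not in url_path


def resolve_request_path(url_path: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Return the canonical filesystem path for a request, or None when the
    request would escape the web root.

    The request is percent-decoded until stable (so %2e%2e and the
    double-encoded %252e%252e both become '..'), backslashes are treated as
    separators, the path is joined to the root and normalised, and only then
    is the containment check made. Real handlers should additionally resolve
    symlinks on disk before opening the file."""
    path = url_path.split("?", 1)[0]          # drop the query string
    for _ in range(3):                        # decode until it stops changing
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if "\x00" in path:                        # embedded NUL truncates C strings
        return None
    path = path.replace("\\", "/")
    root = web_root.rstrip("/")
    # '/var/www/phone/../../etc/passwd' -> '/var/etc/passwd' after normpath
    full = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        return None
    return full
```

The encoded request `/%2e%2e/etc/passwd` passes `naive_filter_allows` but is rejected by `resolve_request_path`, which is the difference the audit's finding turns on.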
Actions taken
• All detected security leaks have been closed by a firmware update
• A best practice guide was provided, as some users disregard alerts and notifications
http://wiki.snom.com/FAQ/How_do_I_secure_my_phone
Further enhancements in security
• Factory installed SHA-256 certificates on the phones
• Got rid of weak TLS ciphers, according to Mozilla.org best practices
• Disabled SSLv3 to avoid POODLE (Padding Oracle On Downgraded Legacy Encryption)
• Regular updates of root file system with latest security patches
New devices from Snom
Snom’s new D300 series
• High-resolution screens
• Improved audio quality
• 2nd screen for fkey labelling
• Bluetooth built-in + USB
• Font-embedded icons
Features depending on model: D305/315, D345, D375
New D745 model
• Dual high-resolution displays
• 8x4 configurable, self-labelling, multicoloured LED keys
• Gigabit switch
• USB port
• Wideband audio
• 12 SIP identities
Secure Calling in Askozia