Re: [TSCM-L] IP Telephones from Michael Puchol on 2006-11-22 (file.mbox)

From: Michael Puchol <mpu..._at_sonar-security.com>
Date: Wed, 22 Nov 2006 10:58:34 +0100

It depends quite a bit on the telephone model and switchboard system
being used. The threat would most certainly require some level of access
to the system, including in some cases the need to reboot the phone.
Some case scenarios:

1. An attacker activates the automatic pickup on the telephone, and
deactivates ringing or sets a silent ringtone, and then calls the
extension which automatically answers and thus he can listen to sound
around the phone. This would require access to either the phone itself
remotely (Cisco phones for example have a setup page that can be
accessed using a web browser), or to the centralized settings file the
phone pulls when restarting plus the ability to restart the phone.

2. An attacker modifies the firmware on the phone to permit free-flowing
RTP from it to a predetermined destination IP, off-premises. This can be
done on some phones that have a more or less 'free' SDK, but for
example, Cisco phones require that firmware images be signed, so it
would be harder to do in practice. For other phones, they usually get
their initial settings from a TFTP server, including firmware updates,
so an attacker carry out his plan if he could reboot the phones, after
injecting the firmware image into the TFTP server (the reboot could
happen by cutting power to the facility).

There are other attack vectors in VoIP, for example traffic sniffing on
unencrypted RTP streams, or directly reconfiguring the switchboard to
record and forward calls - with Asterisk, this is very simple, five or
six lines of code is all that's needed, with an external script to email
the resulting recordings, conveniently compressed in mp3 format.

Regards,

Mike

Michael Dever wrote:
> Does anyone know if it is possible to remotely activate the 'hands free'
> function on an IP telephone (using software) to allow listening in to
> room conversations?
>
> What sort of level of capability would be required to carry out this threat?
>
> What protocols should the TSCMer use to clarify this threat? What
> countermeasures can be used to defeat this threat?
>
> Regards
> Mike
>
>
> Michael J. Dever CPP PSP
>
> Dever Clark + Associates< /SPAN>
> GPO Box 1163
> Canberra ACT 2601
> Australia
>
> Voice: +612 6254 5337
> Mobile: +61419 252 839
> Email: d..._at_bigpond.net.au <mailto:d..._at_bigpond.net.au>
>
> This message is sent in strict confidence for the addressee(s) only.
> It may contain legally privileged information. The contents are not to
> be disclosed to anyone other than the addressee.
> Unauthorised recipients are requested to preserve this confidentiality
> and to advise the sender immediately of any error in transmission.
>
>
>
>
> >
Received on Sat Mar 02 2024 - 00:57:19 CST

This archive was generated by hypermail 2.3.0 : Sat Mar 02 2024 - 01:11:44 CST