
Secure calling for IP telephony - webinar 2016, English


Page 1: Secure calling for IP telephony - webinar 2016, English
Page 2

Your Hosts

Markus Ehlers, Oliver Wittig

Page 3

Agenda

• Typical threats in VoIP

• Physical access threat

• What can the vendor do

• Secure Calling in AskoziaPBX

Page 4

Possible attack points in VoIP

• Router + Firewall

• IP phone

• Soft clients

• Phone application + Web portal

Page 5

How to find vulnerable devices?

Page 6

Typical threats in VoIP

• Spam over Internet Telephony: broadcast of messages via VoIP

• Eavesdropping: secretly listening to private conversations

• Service Abuse: VoIP fraud

• Denial of Service attacks: attempts to prevent legitimate use of services

• Physical Access: IP phones as entry point into the network

Page 7

Spam over Internet Telephony

Problem

• Bulk unsolicited, automatically dialled, pre-recorded phone calls using VoIP protocols

• The spammer attempts to initiate a voice session and then relays a pre-recorded message if the receiver answers.

Measures

• Only accept SIP invites from trusted hosts (SIP registrar)

• Encrypt SIP credentials (SIP over TLS)

• Enforce client cert authentication at SIP server

Page 8

Eavesdropping

Problem

• Capturing and Decoding VoIP Traffic on the network

• Tools like Wireshark can decode RTP streams into playable audio format

Measures

• Always encrypt RTP packets (SRTP)
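The measures on the SPIT and eavesdropping slides (accept INVITEs only from trusted hosts, carry SIP over TLS, always negotiate SRTP) can be checked on the signalling itself. The following is an added example written for this page, not code from the webinar, Snom or Askozia: it parses a SIP INVITE, reads the transport from the topmost Via header and the media profile from the SDP, and reports which of the three controls a call fails. The host allow-list, the addresses and both INVITE messages are constructed.

```python
"""Check a SIP INVITE against three controls: trusted source host,
signalling over TLS, and an SRTP media offer in the SDP.

Added example, not code from the webinar, Snom or Askozia. Hosts,
addresses and both INVITEs below are constructed placeholders.
"""
from dataclasses import dataclass, field

# Constructed allow-list: the registrar / trunk hosts this PBX accepts INVITEs from.
TRUSTED_HOSTS = {"192.0.2.10", "sip.provider.example"}

# SDP transport profiles that carry SRTP (RFC 3711 / RFC 5124).
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}


@dataclass
class InviteCheck:
    from_trusted_host: bool
    transport_is_tls: bool
    media_encrypted: bool
    findings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.from_trusted_host and self.transport_is_tls and self.media_encrypted


def parse_sip(raw: str):
    """Split a SIP message into (request line, {header: [values]}, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def check_invite(raw: str, source_ip: str) -> InviteCheck:
    _, headers, body = parse_sip(raw)
    findings = []

    # 1. SPIT: only accept INVITEs that arrive from a trusted host (registrar / trunk).
    trusted = source_ip in TRUSTED_HOSTS
    if not trusted:
        findings.append(f"INVITE from untrusted source {source_ip}")

    # 2. SIP over TLS: the topmost Via header names the transport used for this hop.
    top_via = headers.get("via", [""])[0]
    transport = top_via.split()[0].rsplit("/", 1)[-1].upper() if top_via else ""
    tls = transport == "TLS"
    if not tls:
        findings.append(f"signalling transport is {transport or 'unknown'}, not TLS")

    # 3. Eavesdropping: every audio m= line must use an SRTP profile and a key (a=crypto) must be present.
    sdp = body.splitlines()
    audio = [line for line in sdp if line.startswith("m=audio")]
    has_keys = any(line.startswith("a=crypto:") for line in sdp)
    encrypted = bool(audio) and has_keys and all(line.split()[2] in SRTP_PROFILES for line in audio)
    if not encrypted:
        findings.append("SDP offers plain RTP or lacks a=crypto; the audio could be captured and decoded")

    return InviteCheck(trusted, tls, encrypted, findings)


# Constructed INVITE: TLS transport, SRTP offer (the a=crypto key is the RFC 4568 sample value).
SECURE_INVITE = (
    "INVITE sip:200@pbx.example SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:100@pbx.example>;tag=1928301774\r\n"
    "To: <sip:200@pbx.example>\r\n"
    "Call-ID: a84b4c76e66710@pbx.example\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/SAVP 0 8\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PS1uQCVeeCFCanVmcjkpPywjNWhcYD0mXXtxaVBR\r\n"
)

# Constructed INVITE of the kind a SPIT campaign delivers: unknown host, UDP, plain RTP.
SPIT_INVITE = (
    "INVITE sip:200@pbx.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bKnashds8\r\n"
    "From: <sip:promo@203.0.113.5>;tag=9fxced76sl\r\n"
    "To: <sip:200@pbx.example>\r\n"
    "Call-ID: 3848276298220188511@203.0.113.5\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 203.0.113.5\r\n"
    "c=IN IP4 203.0.113.5\r\n"
    "t=0 0\r\n"
    "m=audio 4000 RTP/AVP 0\r\n"
)

if __name__ == "__main__":
    for label, msg, src in (("secure", SECURE_INVITE, "192.0.2.10"), ("spit", SPIT_INVITE, "203.0.113.5")):
        result = check_invite(msg, src)
        print(label, "accept" if result.ok else "reject", result.findings)
```

The check is deliberately layered: a call from a trusted registrar over UDP still fails, because the credentials in the SIP dialogue travel in the clear, and a TLS-protected INVITE that offers RTP/AVP still fails, because the media that follows would be just as readable to Wireshark as the slide describes.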

Page 9

Service Abuse

Problem

• Automatic dialling of toll numbers and long distance

• Setting up blind transfers and erasing the setting server (provisioning) URL of a hacked device

• Call forwarding from one toll number to a second one doubles the “income”

Measures

• Secure web server (HTTPS) or switch it off completely

• Deploy phone in user mode and use a strong admin mode password

• Always put a router between phone and the Internet
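Toll fraud of the kind listed above leaves a footprint in the PBX call records long before the bill arrives. The following is an added example, not Askozia or Snom code, and the CSV layout is a constructed one rather than Askozia's CDR format: it flags calls to premium-rate or international numbers, calls placed outside business hours, and bursts of calls from a single extension. Prefixes, thresholds and the sample records are constructed for illustration.

```python
"""Flag toll-fraud patterns in call detail records (CDRs): premium-rate or
international destinations, calls outside business hours, and bursts of
calls from one extension.

Added example for the service-abuse slide; not Askozia or Snom code, and
the CSV layout is constructed rather than Askozia's own CDR format.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed policy: premium-rate prefixes as dialled from a German PBX, the
# international escape "00", business hours 07:00-18:59, burst = 5 calls in 10 minutes.
PREMIUM_PREFIXES = ("0900", "0137")
INTERNATIONAL_PREFIX = "00"
BUSINESS_HOURS = range(7, 19)
BURST_WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 5

# Constructed CDR sample: start time, calling extension, dialled number, billed seconds.
SAMPLE_CDR = """\
start,src,dst,billsec
2016-03-01 09:12:03,101,03012345678,95
2016-03-01 09:20:41,102,0900123456,310
2016-03-01 02:15:00,105,0044207946000,620
2016-03-01 02:16:10,105,0044207946001,600
2016-03-01 02:17:05,105,0044207946002,590
2016-03-01 02:18:20,105,0044207946003,610
2016-03-01 02:19:33,105,0044207946004,605
2016-03-01 14:05:12,103,0891234567,40
"""


def parse_cdr(text):
    """Parse the constructed CSV into records with a datetime start and an int billsec."""
    return [
        {
            "start": datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S"),
            "src": row["src"],
            "dst": row["dst"],
            "billsec": int(row["billsec"]),
        }
        for row in csv.DictReader(StringIO(text))
    ]


def classify_call(rec):
    """Per-call findings; an empty list means the call looks like normal business use."""
    findings = []
    if rec["dst"].startswith(PREMIUM_PREFIXES):
        findings.append("premium-rate destination")
    if rec["dst"].startswith(INTERNATIONAL_PREFIX):
        findings.append("international destination")
    if rec["start"].hour not in BUSINESS_HOURS:
        findings.append("outside business hours")
    return findings


def detect_bursts(records):
    """Return {extension: peak count} for extensions placing >= BURST_THRESHOLD calls within BURST_WINDOW."""
    starts_by_src = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["start"]):
        starts_by_src[rec["src"]].append(rec["start"])
    bursts = {}
    for src, starts in starts_by_src.items():
        left = 0
        for right, started in enumerate(starts):
            while started - starts[left] > BURST_WINDOW:   # slide the window's left edge forward
                left += 1
            count = right - left + 1
            if count >= BURST_THRESHOLD:
                bursts[src] = max(bursts.get(src, 0), count)
    return bursts


def analyse(text):
    """Return (per-call alerts, burst alerts) for a CDR export."""
    records = parse_cdr(text)
    alerts = []
    for rec in records:
        findings = classify_call(rec)
        if findings:
            alerts.append((rec["src"], rec["dst"], findings))
    return alerts, detect_bursts(records)


if __name__ == "__main__":
    per_call, bursts = analyse(SAMPLE_CDR)
    for src, dst, findings in per_call:
        print(f"ext {src} -> {dst}: {', '.join(findings)}")
    print("burst extensions:", bursts)
```

In the sample, extension 105 trips every rule at once: five international calls in under five minutes at two in the morning is exactly the signature of a compromised phone being used to dial premium destinations, and the forwarding trick described on the slide shows up the same way in the records of the forwarding extension.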

Page 10

Physical access to the network

Problem

• An IP phone is a possible entrance gate into the corporate network

• A network switch can give unauthorised devices illicit access to the network

Measures

• Snom phones support 802.1X

• IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols.

• It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.

Page 11

802.1X: the big fear / effort

Problem

• Port authentication sounds easy
  • Do not confuse it with MAB (MAC Authentication Bypass)
  • Do not expect it all to work like Wi-Fi or PCs

• Certificate-based authentication involves
  • staging or automatic rollout
  • revocation / replacing / updating of certificates

Measures

• Build a skilled team
  • network, switches
  • RADIUS, guest and productive
  • provisioning, guest and productive

• Sit together and plan realistically
  • security audit needs
  • technical drawbacks

Page 12

Denial of Service attacks

Problem

• A denial-of-service (DoS) attack is a cyber-attack where the perpetrator seeks to make a machine or network resource (services) unavailable to its intended users.

• DoS is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems.

Measures

• Snom has secured its redirection server against possible DoS attacks

• Service providers need to take the necessary measures to ensure the availability of their service

Page 13

What can the vendor do?

Page 14

A hack that isn’t a hack

• Snom’s security measures are sufficient to avoid a hack

• In a SoHo / do-it-yourself environment, if users disregard warnings and security advice, it is their responsibility.

• Almost every phone used in a business environment is auto-provisioned, i.e. all necessary passwords are set automatically with the initial deployment of the phone.

• But… what’s once on the WWW stays there forever.

Page 15

External security audit

• Manipulation of a phone in the local network, possible via cross-site scripting vulnerabilities

• Path traversal filter bypass
  • URLs containing “../” could access hidden folders

• VPN profile enabled to run malware on the phone

• Bypass of authentication and gain of admin rights
  • when restrict_uri_queries and use_hidden_tags were set to “off”
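The traversal finding above is the classic case: a filter that looks for the literal text "../" is bypassed as soon as the dots or the slash are percent-encoded, double-encoded or written as a backslash. The following is an added example, not Snom's firmware code, showing the containment check a web server should make instead: decode the requested URL path first, then walk its segments with a stack so the request can never resolve outside a placeholder web root. Refusing dot-files and dot-folders is an extra choice in this example, not something the slide states.

```python
"""Map a requested URL path onto the web root and refuse anything that
climbs out of it, however the "../" is spelled.

Added example illustrating the path-traversal finding on the audit slide;
not Snom's firmware code. The web root is a placeholder.
"""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/phone"   # placeholder document root of the phone's web server


def resolve_request_path(url_path: str, root: str = WEB_ROOT):
    """Return the filesystem path under root for url_path, or None if the request is refused.

    A filter that merely searches for the literal text "../" is bypassed by
    percent-encoding (%2e%2e/), double encoding (%252e%252e/) or backslashes
    (..%5c). Decoding first and then walking the segments with a stack makes
    the containment decision on the path the server would actually open.
    """
    path_only = url_path.split("?", 1)[0]            # the query string never selects a file
    decoded = unquote(unquote(path_only))            # undo single and double percent-encoding
    decoded = decoded.replace("\\", "/")             # treat backslash as a separator, not a name

    stack = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue                                 # empty (//) and current-dir segments are no-ops
        if segment == "..":
            if not stack:
                return None                          # would climb above the web root: refuse
            stack.pop()
            continue
        if segment.startswith("."):
            return None                              # hidden (dot) files and folders are not served
        stack.append(segment)
    return posixpath.join(root, *stack)


if __name__ == "__main__":
    # Constructed requests: the first two are legitimate, the rest are traversal attempts.
    for request in ("/index.html", "/css/../index.html", "/../etc/passwd",
                    "/%2e%2e/%2e%2e/etc/passwd", "/%252e%252e/etc/passwd",
                    "/css/..%5c..%5cetc/passwd", "/.hidden/config"):
        print(f"{request:32} -> {resolve_request_path(request)}")
```

Note that the decision is made on the decoded, normalised path and not on the raw request string; the raw string is what the bypassed filter looked at, and every encoding variant above collapses to the same "../" once decoded.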

Page 16

Actions taken

• All detected security leaks have been closed and delivered with a firmware update

• A best practice guide was provided, as some users disregard alerts and notifications

http://wiki.snom.com/FAQ/How_do_I_secure_my_phone

Page 17

Further enhancements in security

• Factory-installed SHA-256 certificates on the phones

• Got rid of weak ciphers (TLS), according to Mozilla.org best practices

• Disabled SSLv3 to avoid POODLE (Padding Oracle On Downgraded Legacy Encryption)

• Regular updates of root file system with latest security patches
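The SSLv3 and weak-cipher items above map directly onto a TLS server configuration. The following added example (Python's ssl module, not Snom's firmware configuration) builds a context with TLS 1.2 as the minimum version, which rules out SSLv3 and with it POODLE, sets a forward-secret, AEAD-only cipher string, and then audits the resulting context for SSLv3 and for suites an audit would flag. The cipher string is a constructed selection in the spirit of the Mozilla guidance the slide cites, not a copy of it.

```python
"""Build a TLS server context with the hardening the slide lists (SSLv3 off,
weak ciphers removed) and audit the result.

Added example, not Snom's firmware configuration. Uses Python's ssl module;
the cipher string is a constructed forward-secret, AEAD-only selection.
"""
import ssl

# Forward-secret AEAD suites only; the "!" entries explicitly drop known-weak algorithms.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES:!DSS"

# Substrings in OpenSSL suite names that a 2016-era audit would flag.
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC3", "MD5", "NULL", "EXP", "ADH", "AECDH", "DSS")


def hardened_server_context() -> ssl.SSLContext:
    """TLS 1.2 as the floor makes SSLv3 (POODLE) and TLS 1.0/1.1 unnegotiable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHERS)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report whether a context still admits SSLv3 or any weak cipher suite."""
    names = [cipher["name"] for cipher in ctx.get_ciphers()]
    weak = sorted(name for name in names if any(marker in name for marker in WEAK_MARKERS))
    return {
        "sslv3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3),
        "tls12_floor": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "weak_ciphers": weak,
        "cipher_count": len(names),
    }


if __name__ == "__main__":
    print(audit_context(hardened_server_context()))
```

The audit function is the useful half for a defender: run it against whatever context a service actually constructs, and an empty weak_ciphers list together with tls12_floor being true is the evidence the slide's two bullets ask for.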

Page 18

New devices from Snom

Page 19

Snom new D300 series

• High-resolution screens

• Improved audio quality

• 2nd screen for fkey labelling

• Bluetooth built-in + USB

• Font-embedded icons

Features depending on model: D305/315, D345, D375

Page 20

New D745 model

• Dual high-resolution displays

• 8x4 configurable, self-labelling, multicolored LED keys

• Gigabit switch

• USB port

• Wideband audio

• 12 SIP identities

Page 21

Secure Calling in Askozia

Page 27

Questions? Time to wake up!

[email protected]