Thursday, August 02, 2007

Black Hat 2007 fits well on VoIP IP Telephony

There are many reports about happenings around Black Hat 2007. But as we go, it is what is happening with VoIP that makes us double-check our protocols, codecs and connectivity. Most security attention is concentrated on SIP, but when I started using VoIP it was H.323 that I got my hands wet with. There are many providers and businesses that still rely heavily on H.323 for VoIP communications. To be truthful, I still have two gateways (one commercial and one handmade!) that rely on H.323, and they are two of the most reliable devices. But the vulnerability is there!
Also, the popularity of Asterisk has increased the use of IAX, which is now in the upper levels of usage.
So we should not be surprised when we hear:
“H.323 and IAX are just as bad as SIP, if not worse,” Dwivedi said Wednesday at the Black Hat Briefings security conference.
It can be relatively simple for anyone with access to a network to compromise the call set-up protocols, and Dwivedi and iSEC partner Zayne Lackey proved it with a demonstration of attack tools.
Although SIP may be better known, H.323 is the most widely used protocol in enterprise VOIP environments because of its stability and scalability. IAX is gaining in popularity for use with the Asterisk open-source PBX.
But both H.323 and IAX authenticate to their gatekeepers using MD5 hashing to hide the password. But the elements used with the password to create the hash are transmitted in the clear, making it possible to run an offline dictionary attack against the hash to determine the password. This is an especially simple job for a VOIP telephone where the password will just be numeric, rather than alphanumeric.

“Nine times out of ten you will find that password” with a dictionary attack, Dwivedi said. IAX passwords can be cracked even more easily because the hash is created from only two elements. Attackers can make up rainbow tables requiring only a look-up of a corresponding password from the hash with no real computation involved.
Authorization to the network can be just as easy to attack by finding the authorization key. Phones also can be blocked from being authorized on the network by sending a spoofed rejection packet.
Once an attacker controls the authentication and authorization of a phone, he can control that phone, impersonate it or gain unauthorized access to the network. Denial-of-service attacks against the protocols are easier.

“Making the VOIP phone unavailable is not very hard,” Dwivedi added.
The protocols can support better security, but products examined by Dwivedi and Lackey did not implement it, they said.
Source
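
For anyone running Asterisk, here is one way to check IAX peers for the weakness described above (MD5 authentication protecting a short numeric secret). This is an added example, not code from the talk or the quoted article; `auth` and `secret` are Asterisk's iax.conf keys, while the sample config, the 60-bit threshold and the function names are assumptions.

```python
import math
import re

# Constructed sample in the style of an Asterisk iax.conf (not from the post).
SAMPLE_IAX_CONF = """\
[general]
bindport=4569
[phone-101]
auth=md5
secret=4821        ; typical phone PIN
[phone-102]
auth=md5
secret=Tr7-vq9LmZ2xKd0p
[trunk-a]
auth=rsa
inkeys=trunk-a-pub
"""

def parse_sections(text):
    """Return {section: {key: value}} for an iax.conf-style file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if line.startswith("[") and "]" in line:
            current = sections.setdefault(line[1:line.index("]")], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def keyspace_bits(secret):
    """Upper bound on the search space in bits, from the character classes used."""
    classes = [(r"[0-9]", 10), (r"[a-z]", 26), (r"[A-Z]", 26), (r"[^0-9a-zA-Z]", 32)]
    alphabet = sum(n for pattern, n in classes if re.search(pattern, secret))
    return len(secret) * math.log2(alphabet) if alphabet else 0.0

def audit(text, min_bits=60):
    """Flag peers whose md5/plaintext auth relies on a guessable secret.

    min_bits is an assumed policy threshold, not a value from the article.
    """
    findings = {}
    for name, opts in parse_sections(text).items():
        auth, secret = opts.get("auth", ""), opts.get("secret", "")
        if name == "general" or not ("md5" in auth or "plaintext" in auth):
            continue                                  # e.g. auth=rsa uses key pairs
        issues = ["numeric-only secret"] if secret.isdigit() else []
        bits = keyspace_bits(secret)
        if bits < min_bits:
            issues.append(f"~{bits:.0f}-bit search space")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_IAX_CONF))
```

A four-digit PIN gives about 13 bits of search space, which is why the hash offers little protection once the other inputs are visible on the wire.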
