VOIP WARS: ATTACK OF THE CISCO PHONES

Many hosted VoIP service providers use the Cisco hosted collaboration suite and Cisco VoIP solutions. These Cisco hosted VoIP implementations are very similar: they have Cisco Unified Communication services, the SIP protocol for tenants' IP Phones, common conference solutions, the Skinny protocol for compliance, a generic RTP implementation, and the VOSS Solutions product family for tenant management services. Tenants use desktop and mobile clients to connect to these services. Cisco hosted VoIP implementations and VoIP clients are vulnerable to many attacks, including:

  • VLAN attacks,
  • SIP trust hacking,
  • Skinny based signaling attacks,
  • Bypassing authentication and authorization,
  • Call spoofing,
  • Eavesdropping,
  • Desktop/mobile client compromise,
  • Attacks against IP Phone management services, and
  • Web-based vulnerabilities of the products.

The presentation covers Skinny and SIP signaling attacks, a 0-day bypass technique for call spoofing and billing bypass, LAN attacks against supporting services for IP Phones, desktop and mobile phones, and practical 0-day attacks against IP Phone management and tenant services. These attacks also apply to desktop and mobile clients, for example caller ID spoofing and fake messaging to compromise clients, fuzzing VoIP call signaling, MITM attacks and crashing mobile clients.

Today, attacking Cisco VoIP services requires only limited knowledge with the Viproy Penetration Testing Kit (written by the presenter). It has a dozen modules for testing trust hacking issues, signaling attacks against SIP and Skinny services, gaining unauthorized access, call spoofing, brute-forcing VoIP accounts, and debugging services as a MITM. Furthermore, Viproy provides these attack modules within a penetration testing environment with full integration. The presentation contains live demonstrations of practical VoIP attacks and the use of new Viproy modules.
