We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

VoIP Hopping the Hotel: Attacking the Crown Jewels through VoIP

54
 Zitieren
 Teilen
 Herunterladen
 Bestellen
Kein Logo verfügbarDEF CON
 Ostrom, Jason

Formale Metadaten

Titel
VoIP Hopping the Hotel: Attacking the Crown Jewels through VoIP
Serientitel
Anzahl der Teile
122
Autor
Lizenz
CC-Namensnennung 3.0 Unported:
Sie dürfen das Werk bzw. den Inhalt zu jedem legalen Zweck nutzen, verändern und in unveränderter oder veränderter Form vervielfältigen, verbreiten und öffentlich zugänglich machen, sofern Sie den Namen des Autors/Rechteinhabers in der von ihm festgelegten Weise nennen.
Identifikatoren
Herausgeber
Erscheinungsjahr
Sprache

Inhaltliche Metadaten

Fachgebiet
Genre
Abstract
Jason Ostrom - VoIP Hopping the Hotel: Attacking the Crown Jewels through VoIP This presentation is about the security of VoIP deployed in hotel guest rooms. What it is, why it benefits administrators and users, and how easily it can be broken. The hospitality industry is widely deploying VoIP. Since 2008, we've seen an increase of these rollouts along with Admin awareness of applying the required security controls in order to mitigate this potential backdoor into a company's mission critical data and systems - their Crown Jewels. The method is simple: through VoIP, a malicious hotel guest may gain access into corporate data resources such as a company's sensitive financial or HR systems. This talk will present updated research with a new case study: A Hotel VoIP infrastructure that had security applied. We will explore the missing pieces. How has this risk changed for permitting a hotel guest unauthorized network access, and who should be concerned? An old VLAN attack will be re-visited, with a new twist: how the VLAN attack applies to recent production VoIP infrastructure deployments, and how it can be combined with a new physical method. A new version of the free VoIP Hopper security tool will be demonstrated live, showcasing this new feature. In addition, we will investigate an alternative to CDP for device discovery and inventory control: LLDP-MED (Link Layer Device Discovery - Media Endpoint Discovery). A case study penetration test of a client infrastructure that used LLDP-MED follows , with a comparison to CDP. VoIP Hopper will demonstrate the first security assessment tool features for this advancing protocol. Mitigation recommendations will follow. Jason Ostrom is a security researcher working in the Sipera VIPER Lab, with an interest in VoIP and layer 2 security issues. He is a graduate of the University of Michigan, Ann Arbor, and has over 13 years of experience in the IT industry, including VoIP penetration testing. He is the author of the VoIP Hopper security tool and has contributed to other open source UC security tools.