VoIP Hopping the Hotel: Attacking the Crown Jewels through VoIP

Formal Metadata

Number of Parts: 122
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
Jason Ostrom - VoIP Hopping the Hotel: Attacking the Crown Jewels through VoIP. This presentation is about the security of VoIP deployed in hotel guest rooms: what it is, why it benefits administrators and users, and how easily it can be broken. The hospitality industry is widely deploying VoIP. Since 2008, we've seen an increase of these rollouts along with admin awareness of applying the required security controls in order to mitigate this potential backdoor into a company's mission-critical data and systems - their Crown Jewels. The method is simple: through VoIP, a malicious hotel guest may gain access into corporate data resources such as a company's sensitive financial or HR systems. This talk will present updated research with a new case study: a hotel VoIP infrastructure that had security applied. We will explore the missing pieces. How has this risk changed for permitting a hotel guest unauthorized network access, and who should be concerned? An old VLAN attack will be re-visited, with a new twist: how the VLAN attack applies to recent production VoIP infrastructure deployments, and how it can be combined with a new physical method. A new version of the free VoIP Hopper security tool will be demonstrated live, showcasing this new feature. In addition, we will investigate an alternative to CDP for device discovery and inventory control: LLDP-MED (Link Layer Device Discovery - Media Endpoint Discovery). A case study penetration test of a client infrastructure that used LLDP-MED follows, with a comparison to CDP. VoIP Hopper will demonstrate the first security assessment tool features for this advancing protocol. Mitigation recommendations will follow. Jason Ostrom is a security researcher working in the Sipera VIPER Lab, with an interest in VoIP and layer 2 security issues. He is a graduate of the University of Michigan, Ann Arbor, and has over 13 years of experience in the IT industry, including VoIP penetration testing. He is the author of the VoIP Hopper security tool and has contributed to other open source UC security tools.
Transcript: English (auto-generated)
I have to be honest, I'm super excited to be here. It's awesome to be back here in Las Vegas. The last time I was here, I spoke at DEFCON 17, and I was on a secret research mission, and I just want to show you a secret image of that. I was invited up on stage onto a drag-up stage under Cirque du Soleil's Zumanity, and I was a part of the orgy scene,
and they tried to take off my pants. I didn't let them take off their pants, but it's just, I love Las Vegas because it's always that type of stuff that happens when you're out here. But seriously, on a more serious note, why am I here right now? I want to make this really, really simple. I found a VoIP protocol. I found a protocol exploit method.
I found a vulnerability in a hotel, and it was a clever physical thing combined with a protocol exploit method, and I want to share that with you in detail today. I want to talk about that, and when I found the vulnerability on a real production network, I thought the right thing to do was to let the hotel know that, so I disclosed it to them anonymously, and I let them know about it.
But I want to share with you this information, and I also am really excited to show off my VoIP Hopper tool, which is my security assessment tool, which actually implements this exploit. So you're going to see the latest VoIP Hopper, which I'm going to release right now. So first of all, I want to thank all you guys for being in this room right now.
I want to thank my friends, my associates that are here, and let's talk about the agenda. I want to blow through this. I want to get to the actual vulnerability, but when I was researching this, it's something I'm so passionate about. What better place to talk about hacking hotels VoIP, but DEF CON, right?
You're probably in the best place in the world where you have myriad luxury resort hotels, which is actually what I'm researching and what I'm talking about. So we're going to blow through some actual business case examples, because before we get to the technical, I want you to understand the business context of what's going on here. First of all, what is VIPER?
VIPER stands for Voice over IP Exploit Research, and what we are is we're a highly specialized VoIP pen test team, and we do back-to-back VoIP pen testing, but we also have some other strategic missions. I'm the director of Sipera VIPER Lab, but we're also working on Lava, which is a vulnerability scanner for VoIP. We publish VAST, which is a Linux distro
that has all of our open-source tools on it, and that's basically what we're doing, is the commonality with us and VIPER is that we're all passionate about voice over IP security, and we love to learn. That's kind of a common thing in our lab. So let's talk market-wise, what's going on with VoIP and hotels. In 2008, worldwide revenue was 869 million.
By 2014, it's expected to explode to 2 billion. So the point here is that worldwide revenue is growing. It's a growing market, and the second point is it's only in the luxury resort, only in the most expensive hotels. It has not yet penetrated the mid-market yet, but it's expected to soon.
So what I want to talk next is I want to talk about the benefits to the hotel of having VoIP. I want to talk about the benefits to the guests from a business perspective, and then I want to talk about what the benefits of VoIP security are. Benefits to hotels, these are the well-known benefits of VoIP in general. Simplicity of network management, saving on cabling costs,
reduction of telecom expenses. You have ad and marketing revenue directly on the phones. You can do branding on the phones that are in the guest rooms, which is what we're talking about. You improve customer service by having increased revenue from customers coming back. New VoIP applications provide a technology differentiator over your competition,
and you can use VoIP as a QA tool to improve customer service. And then also, the obvious thing, rebuilding lost telephone service revenue from mobile phones, especially in international areas. An EU commission had found that the charges were inflated for international roaming.
So here's a couple of slide points on this. VoIP over Wi-Fi in hotels. Increasingly, hotels are having these handsets and giving them out to guests, where poolside, they can hit a button and order a product or a service. Benefits to the guests. We have the obvious improved service. You can order room service from your IP phone menu.
New products and services, like the VoIP over Wi-Fi handsets. You have new and advanced calling features. And then you have cheaper calls. I mean, who doesn't want cheaper calls in their guest room when you don't want to use your mobile phone, when you're international or otherwise? It's increasingly becoming the norm that hotels that are using VoIP are allowing free calling, free domestic calling.
So what are the VoIP security benefits for a hotel? Prevents unauthorized access into internal systems. Protects hotel guests from eavesdropping. For the guests, it prevents eavesdropping on your private communications, like RTP media reconstruction, eavesdropping.
And trapping sensitive data, if you look at SIP info method, where you can actually trap banking IVR applications if you're calling in your bank from your hotel guest room. Let's talk really quick about some case studies of VoIP in hotels. Peninsula Hotels, a five-star luxury hotel chain. Fourteen hotels globally linked. The basic thing was telecom cost savings.
They used their global customer service center to allow all the calls and had some cost savings there. So the Wynn, right here in Las Vegas. You guys have probably heard of the Wynn. It's improved customer service through VoIP, improved the guests' experience. Their strategy was to pamper and delight the guests.
Each guest room has an IP phone. Beautiful little phone here, I found this. Here's a great quote. As Wynn Resorts is showing, the entire organization can become a contact center. The phone is no longer just a communication channel. It's a form of customer service in its own right.
Hotel 1000, downtown Seattle, deployed Cisco VoIP technology. They used a vendor called Precipia, which specializes in hotel IP telephony applications. They had multiple custom applications developed by Precipia. They have a video valet system. They have a condominium security entry application that uses IP cameras and pops up a picture of the user on the screen of the phone.
And a VoIP application to detect guest preferences and set room preferences. So the video valet system is pretty cool. The guest sitting in the room basically hits a button on their Cisco phone. Everything is automatically routed. The valet guy has a Wi-Fi VoIP phone. He knows exactly where to go to get the car.
He takes a picture of the car once he's picked it up. And it goes directly up to the hotel guest's phone. And he knows that his car is ready. Here's a great quote, Hotel 1000. People are designing this network. It is never just about bricks and mortar, nor is it about technical bells and whistles. It is about the experience that matters to the individual traveler.
That is not the norm for most hotels. So if you're reading between the lines here, what you're seeing is that they're using VoIP to provide better guest customer service and to be a technology differentiator over their customers. Okay, now we're getting more into the heart of this issue. Now we're starting to get good here.
So the heart of the problem that I'm talking about today is a VLAN traversal vulnerability, which is trivial to exploit and leads to unauthorized IP network access. So the business risk is that hotels deploying VoIP have many benefits that they provide. But from all deployments I've seen are at risk of unauthorized internal IP network access to the rooms
through the guest's phone sitting in the rooms. Because these physical ports by default allow VLAN traversal. And I'm going to talk in detail about what that is. So let's go back to 1999. This is actually the vulnerability. And part of my research is, is I always give credit to people.
And I think that we're kind of just advancing, trying to advance forward here. But there's a lot of people that have already done a lot of good work here. In 1999, IEEE 802.1Q unauthorized VLAN traversal weakness. You see here, by spoofing various Ethernet frame fields, you can traverse from one VLAN to another.
So Steve Shoup, Dave Taylor, 12 years later, this is what we're looking at right now. When Cisco PSIRT responded to this in 1999, they acknowledged the vulnerability. I could pull it up for you right now. And they recommended best practices of disabling trunk ports that shouldn't be in use. Now remember this key line, disable trunk ports that should not be in use.
Because I'm going to come back to that in a second. Here's some other researchers. @stake, Mike Schiffman, Black Hat USA, Sean Convery, Cisco White Paper. So it's basically 1999 to 2002. Some great SANS resources. So VoIP hopping, you've seen the title of this talk. What are we talking about here?
I coined this term in 2007. I call it unauthorized VLAN access within a VoIP infrastructure that was not intended by the system design. And this business risk increases in areas with the inherent right to privacy, like hotel guest rooms, and poor physical security, like public access. Here's a little article that's on Symantec.com right now, VoIP Hopping, a method of testing VoIP security.
You can read a little bit more information about it. So back to what we said. All best practices recommend disabling trunk ports in user access networks. But the irony is, with VoIP to work, some form of a trunk port must be used.
That's a trunk port in the traditional sense, which is what I'm going to talk about with this hotel case study. And then there's also the multi-access VLANs with auxiliary ports, which is the Cisco Voice VLAN. So here's an overview of this benefit of having VoIP in your network. We have the blue cable that transmits.
We have benefits of VoIP. We're saving on cabling because we're transmitting two logical VLANs over the same physical port. It's always allowed. That traffic is always allowed by default. We have easy provisioning for the IP phones because we have protocol discovery mechanisms for the phones to automatically associate to the Voice VLAN.
And then we have easy quality of service. It's automatically and easily applied by the network administrator on this switch. So now I'm going to actually step you through. These are two steps to this attack. And it's the 802.1Q frame tagging attack. And this is what we do. We first have to learn the Voice VLAN ID.
So what we're doing is we're going to need to insert a 4-byte 802.1Q header into a standard Ethernet frame. And we have to have that 12-bit of the VLAN ID. We have to have that VLAN ID, that 12 bits, to put into the 4-byte header, to put it into the standard Ethernet frame. We have to do that because if we send the packet to the port, the switch is going to discard the traffic unless we have the correct VLAN ID.
So we need to have that VLAN ID. That's the important point here. There's multiple discovery mechanisms. CDP, LLDP-MED, which is a newer protocol, DHCP, and Nortel and Avaya. So here's the second part of this. Once we know the 12-bit VLAN ID, we're going to actually spoof the Ethernet tag frames, which is trivial to do using standard software.
VoIP Hopper especially does this. So what we do is we create a virtual interface. Like let's say the VLAN ID is 200. We create eth0.200. And then if you look on your Linux PC, then you have created a virtual interface. And then you send a DHCP request that's tagged with that voice interface.
You're basically becoming the phone. And so all subsequent Ethernet frames are tagged with that voice VLAN ID. So I'm going to show you an overview of what we're looking at here.
Let's say that this is a hotel infrastructure network. So the first thing we know is that the phones have, by default, access to the call control servers. Whether there's a firewall or whether there is not a firewall, they are always going to have access to the call control servers. Otherwise, they can't place calls. We unplug the phone from the wall. We plug in our VoIP Hacker Ninja.
So what is he going to do? He's just going to try and send packets out. He gets an IP address. He only has access to the guest VLAN. He only has access out to the Internet. Let's say he gets crafty. He's like, I'm going to sniff packets. I'm going to learn the voice VLAN ID. Or I'm going to spoof CDP. So now I know VLAN ID 200. I insert it into there.
I create a virtual interface. And now it's the same thing as I have access to the same access as a phone. So now I can tag my packets and I can send them. And I have full access to the call control network. So now I can sit all day long attacking the call control servers, which actually might allow me to penetrate further.
And if they don't have a firewall, which a lot of organizations don't, seeing to the talk before this, when he talked about separating the voice and the data, most customers that I see don't separate the voice and the data, right? So then you're going to have access to the entire internal network, just by VLAN hop.
So back to what we talked about with Cisco. The Cisco PSIRT advisory in 1999. How do we reconcile this problem? Current best practices recommend disabling trunk ports in user access networks. Yet the VoIP configuration requires 802.1Q trunking in these user access networks. That's the irony. In order for this to work,
in order for convergence to work, we have to allow the two VLANs. And in these physically separated areas, take a look at this quote from Cisco. Cisco is aware of VLAN spoofing attacks and recommends that customers apply best practices where possible to reduce the impact of such attacks on their networks. And then a little further down on the advisory, the recommended configuration is disable trunking everywhere it is not required
so that tag frames are discarded on ports not configured for trunking. Well, guess what? Like I said, in a hotel guest room, you do have to have trunking enabled in order for this to work. So that was 1999. That was 1999. This is 2012, 2011.
Okay. I swear I haven't had that much to drink yet. I always like it when I'm the only person in the room that finds something funny, don't you? Okay, so now we're jumping into the hotel vulnerability. I was talking with a friend and telling her about this story, and it's funny. She was like saying, this is like a scene out of Ocean's Eleven or something. I mean, could this not be like a future movie that they make
where instead of doing all this fancy physical security, they just check into the guest room. They just check into the guest room and have multiple colluders and they're able to get access into the internal network and pilfer out the electronic cache or whatever. It's a funny idea. I mean, you literally have like a doomsday type of scenario.
So my story of the hotel. Like I said before, I was sitting in a luxury hotel very recently that had IP phones configured in the guest rooms. So I want to go into detail about the security controls that were in place and a detailed description of the methods and how they were defeated.
So the first security control that we found is we tried to unplug the phone from the wall and have our laptop plugged in and we tried to do the normal stuff that you would do in order to gain access to the network and we had no access to the network. So it kind of became clear that the hotel administrators,
security operations or whomever, kind of knew what they were doing is that they were trying to apply security to prevent us to gain unauthorized access. You couldn't just unplug and plug in as if you were a curious user. So the first thing that we saw is they did MAC address hiding. So what they did is on the back of the VoIP phone, they peeled off the MAC address
because it's kind of a common knowledge in this type of scenario that we're talking about is that you can spoof the MAC address of a phone using standard software on your laptop and gain access to the network because they're doing port security or MAC address filtering. So the fact that they had peeled it off inferred that they knew about port security or MAC address filtering
and by hiding the MAC address, they were trying to prevent us from spoofing the MAC address. So the second thing we noticed is once we had escalated, once we had gone a little further, we noticed that we had spoofed the MAC address but we sent a DHCP request and the DHCP response timed out.
So a casual, unskilled person would think, well, I can't gain access to the network so some people could see that DHCP would kind of be a security control and that it would defeat the casual people and all the phones were configured with static IP addresses. So that's one of the things that we observed. So the next question becomes,
if you were going to gain access to the network and you're sitting in the guest room, how do you know the right IP address to use across the network where there's no IP address conflict? So this is kind of one of the major things about VoIP Hopper that I'm going to show you guys is when we just plugged in and had a sniffer running,
we noticed that the trunk ports were leaking the VLAN ID and what I mean by this is we were receiving 802.1Q tagged frames, ARP packets that were tagged. So all we had to do was open up a sniffer and we saw the VLAN ID that the phones were using by just using a sniffer. So this was news to me
because I thought maybe this is some kind of misconfiguration, maybe they had trunk ports configured and as you know, trunk ports, the broadcast domain, any broadcast type of traffic is going to forward out all the ports. So why were we receiving?
So I'm going to talk about what the methods are, okay? So this summarizes kind of what it is. Let's take a look at this, okay? This is what we're doing here. We unplugged phone number one, the VoIP Hacker Ninja comes in, he disconnects the phone, he puts a sniffer on laptop number one.
So he tells his friend, his colluder in the adjoining room, reboot that phone, man. So he reboots the phone. So when that phone boots up, it's always going to send a gratuitous ARP and it's going to send an ARP. It's like a little signature. It's going to send two ARPs, one gratuitous,
one looking for its default IP gateway. So the packet comes across the broadcast domain, across the same VLAN that's shared and he gets that. He gets the source IP and the source MAC of that phone. Now he statically configures his laptop with the IP address and the MAC address of that phone. So then what he does is he moves into the other room
because if they have port security, that phone is only going to be allowed on that port in the adjoining room number two. He attaches offline, IP and MAC, then he attaches to the port and so then we reattach phone number one and at that point, he has unauthorized access to the network and he can ping the default gateway
so that proves that he has access to the network. So now I want to, VoIP Hopper is like a passion of mine. It's a tool that I started writing like in 2006, 2007 and I'm really excited to show the new version of VoIP Hopper here. I wrote a new version of VoIP Hopper called, I wrote a new feature called Assessment Mode
and what I want to do with this is it's a CLI mode that you go into and you can pass individual commands so I can start building like new features. Some of the new features are, it has LLDP-MED dissector support, so it dissects LLDP-MED, it spoofs LLDP-MED, it has an ARP and 802.1Q dissector for a new way of learning the voice VLAN ID
and it does automatic VLAN hop based on the first learn mechanism. So you don't even have to know what you're doing. You launch VoIP Hopper assessment mode, it automatically VLAN hops for you based on the first protocol method that's configured on provision in the environment and then it actually automatically VLAN hops and then automatically passively records
the IP and MAC of every single phone on the VoIP VLAN. So you can use this as a pen test tool to store off and learn all the phones and it's not intrusive, it doesn't send any ARP packets to, it doesn't do any type of like ARP poisoning or anything like that. It just listens for the traffic. And I also fixed many issues with the integrated DHCP code.
So let's take a look at the screenshots of this really quick. This is showing kind of when you type the help menu, you've got many different options that you can do. Here's a screenshot showing LLDP-MED spoofed. So we hit one button, M, and we spoof it and we are able to dissect the packet. We're actually spoofing the phone. By default, LLDP-MED does not allow you to learn the VoIP VLAN ID.
See, it's a little different than CDP. CDP advertises the VoIP VLAN ID to anyone that attaches to the switch port. LLDP-MED will not. But if we spoof the TLV, network policy, we basically tell the switch that we're a phone and then we get the VoIP VLAN ID via LLDP-MED.
Okay, so this actually makes it like really, really easy to run. Like I said, I'm actually disabling the automatic VLAN hop, but the first method that's seen by VoIP Hopper, it will automatically VLAN hop and send a DHCP request. Like I said, there's a passive ARP sniffer after the VLAN hop that silently logs and records the phone and Mac and IP from the ARP traffic.
And it logs it to a file. Okay, another thing. If DHCP is disabled, one of the things we saw like on this hotel case study, when DHCP was disabled, you know, it would time out. Well, now we time out, and then VoIP Hopper automatically sets a fake static IP
and then automatically starts sniffing for the phones on the VoIP VLAN. And then, once we learn on these phones, we can select from an index, we can select from a menu which phone we want to spoof. And then another feature I saw, which was useful from a VoIP pen test,
is I was getting a flood of LLDP-MED traffic on the network, and I was getting all the phones, learning information about the phones. And so I wrote a feature that basically records all the LLDP-MED packets and puts them away in an inventory in a file, myassessment.txt.
Yeah. So I had a guy in Viper, like, help me out a lot on some real low-level stuff, and I thank Tom for this, but it's time to actually show the demo of VoIP Hopper. It's the best part here. So we're doing good. Can you see here? Yeah.
Okay. So I have the screen here for VoIP Hopper, and I'm just going to launch it, and let's just see what happens on the network. Let's just see what happens for the first method that's discovered.
What's that? Can you hear? Large the what? Oh, the font.
There we go.
Okay. Is that a little better? All right. So we automatically discovered the VoIP VLAN. We kind of missed that part, but you see here, CDP was the first mechanism that was seen, and it automatically VLAN hopped. We didn't have to do anything, and then it's capturing the ARP packets. So I wanted to also tell you, I have a real VoIP-powered network here.
I've got two of these cutting edge Cisco 9900 series phones, and this is just to simulate like a hotel network where we have four phones in the same VLAN. So I'm going to actually have VoIP Hopper now delete that interface,
and we're going to launch it again, and so, you know, right here I can spoof a CDP packet, and automatically VLAN hop there. Okay. Now let's spoof an LLDP-MED packet. Okay. So I automatically gain access to the network there,
and then let's show, this is just the basic features that I talked about. Let's disconnect and connect to, I have a monitor SPAN session set up, because when I did this internal VoIP pen test,
this is just happening like, it's just automatically doing it so fast here. Okay. So what I'm doing here is, I'm just listening for the LLDP-MED endpoints to send me traffic.
Okay. So there it was here.
When I did this internal VoIP pen test, I was suddenly just getting all these LLDP-MED packets, so I wrote this feature that, if I happen to receive the packets, which I shouldn't, because LLDP-MED should only be sent from endpoint to switch, I shouldn't be receiving that traffic as well. So I wrote this feature that anytime I got LLDP-MED, I could inventory all the phones. So you see here, it's a growing list of the phones.
So that kind of shows off the beginning part of this, but this is not the fun part, because I actually want to simulate what we saw in the hotel case study. So I'm going to reconnect to that port, and we're going to make this a little bit more difficult and fun now.
Okay. So we're going to get into the switch, and also for all you like, for all the Uber hackers out there that are trying to hack my switch, I just want to go ahead and just show you my passwords. Cisco, Cisco 123.
So anyone trying to get in, just go for it, man. Okay, let's turn off CDP, and let's turn off DHCP. We're going to make this fun.
And now let's reboot the laptop. So now we're going to do exactly what we saw in the hotel network. And now we're going to have, actually, we're going to have a clooter here,
so I'm actually going to need like a volunteer. We're going to need someone that's going to be another VoIP hacker ninja. Can I get some hands for someone that would like to come up on stage and like help out with... Sorry, man. You right there.
So can we get some audio? I don't hear the audio. We need the special effects here.
What's your name, man? Ryan. Let's do this, man. Are you ready to do this? Yeah, I think so. You're ready? Okay. This is going to be your phone over here, Ryan. Right? So we're in the room together.
I think we're ready to go. Okay, you don't touch anything right now. I'm going to give you the instructions on what to do. All right. Because this is something you just don't mess around with, right? So what happens in the hotel is that if you don't do things the right way,
the security comes knocking on the door, right? And I'm just going to run out. I'm going to say it was Ryan's fault. Okay. So you guys see this here. I don't have anything, especially when I don't type the right command. So I've got ifconfig.
I've got nothing, right? So what are we going to do, Ryan? What we're going to do is I'm going to control the laptop. And I got the sniffer attached already to this guy right here. So with static IPs, I see less ARP traffic. Okay. So let's go ahead and configure.
Okay. So we have VoIP Hopper running. So Ryan, what I want you to do is reach in the back of the phone and just unplug port 1 and plug it back in. You plugged port 1? Nice, Ryan. That's awesome, man. Give a hand for him.
That's right. You want a beer, man? I had some. So what's happening here is VoIP Hopper first needs to learn the VLAN ID before it VLAN hops. So when your phone boots up, we're probably going to get something here in a second. So let's just wait around. So we're just sitting in our hotel room drinking a beer.
So like I said, that broadcast, gratuitous ARP, and then the broadcast looking for its default gateway, VoIP Hopper picks that up. See? We got the 802.1Q VLAN header. We learned the VLAN ID. Now what's happening is, let's watch this. It's going to time out on the DHCP
because that also has to happen before the ARP sniffer starts listening for the new phones. So minimum time out, 20 seconds.
There we go. Okay, so now we're listening. Now the ARP sniffers. So I want you to reboot it one more time. Nice. Good job, man. You were like the most enthusiastic guy. That's why I had to pick you as my assistant.
Okay, so it's going to take a second here. What's happening is, like I said, the ARP sniffer is detecting all the phones on the network. So when we reboot, we use the phone as a reboot tool in order to learn all the IP phones,
the MAC and IP of the phones. The question was, why don't we use a hub? We could easily use a hub, and we could also use port 2 on the phone. We could connect directly to port 2 on the phone and learn the MAC address.
What's that? No, I'm not... You want to see this guy up here, though. You want to see this guy up here. No, I'll get to that in a second, but what do we see here? We learn the IP and the MAC of the phone, right? So we see here that it's probably... This is probably the phone,
and the other one's the gateway. So before we do anything here, let's take a look at this. Okay, so I got the... And my MAC address is this right here. And let's test... And let's try pinging something here.
We got nothing, right? So let's go ahead and spoof this, right? So, Ryan, what we're going to do is... I'm going to do this, but I want you to unplug the phone from the wall because now I'm swapped over. So go ahead and unplug the phone permanently. Okay, now I'm going to spoof this phone. Good job, man.
Now what do we see? We got the IP address of the phone set statically. We got the spoofed MAC address. And now we have access. Not only that, let's just scan the network.
This is what we do, right? There we go. Four devices on the network. Give a hand to this guy. Unauthorized access to the network.
So this innocent little VoIP Hopper versus the hotel. Who won? So in summary, I just want to summarize this. What happens when you physically control two or more ports on the phone? Are people really thinking about this?
We have a potential coordinated attack from trusted ports by virtue of just checking into the hotel guest room. Key assumptions are you have to be members of the same broadcast domain. That's why we get adjoining rooms. The point is that for VoIP QoS and convergence to work, you usually need both VLANs allowed. The risk of VLAN hop has been known for years.
That's not what this talk is about. I'm trying to advance forward the idea about this is the risk of VLAN hop in environments that require trunk ports and user access networks. The impact in the case study with the hotel that we're talking about, every time I talk about this I have to be just really careful.
The impact at this hotel is that it enables specific attacks against the VoIP network like eavesdropping, and it enables potential unauthorized access to internal core services and systems. It could represent critical business impact. An attacker sitting in the privacy of his room could spend all the time he or she wants penetrating further.
What I'm seeing is that hotels have very low awareness about this issue. It's not just some of them. It's all of the hotels I see that have this issue. That's why I'm here. Talking about VoIP Hopper, the way it was born in 2007, I did an authorized VoIP pen test
and then I wrote VoIP hopper and that was the result of this. The customer said you can't get access from the VoIP network to the data. We got in, we got into the servers and we showed that. Physical security is compromised here and it's a unique situation for the hotel rooms.
Security controls need to compensate for this. That's why you look at things like 802.1X. Everyone says when you have physical access to something, it's game over, right? But that's the irony there. Like I said, in the hotel guest rooms, guests have physical access to the phones because it's a business benefit to use the phones. Otherwise why even have the phones there?
I started kind of doing some fun little research on this because I wanted to say, who are these people putting in these networks? Who are these people recommending best practices? So a couple of vendors turned up. This is with Hotel 1000 in Seattle. Valkros was the trusted Cisco partner that put in the network. So I wanted to ask Valkros, hey,
what best practices did you recommend when you put in Hotel 1000? I was like a little investigative journalist, but I found that they no longer had a server. They no longer had a web server, so I didn't get too far on that one. With Percipia, though, they're the trusted, look here, Percipia Network is the most widely used and trusted name in hotel IP phone
applications. So I sent them an email. I'm not sure if you can see this, but I said I was wondering if, what is your best practices? Do you have a security solution that can help prevent unauthorized access from hackers breaking into internal networks of hotel guest rooms? I got no response from Percipia. A little disappointed in that.
Would have been kind of fun. Okay, so another little thing that I did, a little fun thing, is I decided to do a little survey of hotels. It was kind of like a social engineering little survey and just a survey to find out what was going on in the marketplace. So I had a research assistant call, basically find 100 of the most expensive luxurious resort hotels in the world
and call them up and find out, A, do they have VoIP in the hotel guest rooms and B, what was their price? So as a result of this, there was 20% international, it was like Paris, London, Tokyo, Monte Carlo, and then it was 80% domestic, mostly like Las Vegas
casino hotels. And the script went like this, my boss has a strong preference for hotels with VoIP as he really likes the service and convenience of these phones. Does that sound kind of like suspicious to you? Like, your boss has like a fetish for IP phones, he's gonna like curl up really close with his pillow, that's just disturbing.
So the result was kind of surprising to me: only 8 out of 100 hotels were confirmed to have VoIP in the guest rooms. And the average room price was $655. So you know, I got this nice list, it's really cool, nice spreadsheet. It'd be interesting a few years from now to research this and find out where the market
is on this because, you know, I started, this is a passion of mine, I started this in 2007, and now we are in 2011. It would've been interesting to do this back then. Oh, now here's the typical response. I actually took the audio from one of the conversations, I'm gonna play it to you. Can I make sure the audio works on this? I assume so.
So listen here. Okay, I just have one more question. My boss has a preference for hotels that have a voice over IP. He likes the convenience and special features of this type of phone, so do you provide those in your guest room?
It's VoIP, voice over IP phones. It's just like an internet phone. You can't hear anything. You can't hear the audio of the other person. Well anyway, she says, oh, not quite
sure if our phones do that. I don't know what's wrong with the clip right now, but I'm not hearing that. Okay, you can't hear, but she says, she comes back on the phone and she says she checked with her IT, she's real sweet too. She checked with her IT director and they do have IP phones.
I mean, they're straight from the IT director. We have IP phones in the guest rooms. Just thought it was interesting to see how they interpret the question of voice over IP, the hotel reservation specialist, and like I said, most of them had no idea about what voice over IP was. They always had to check with someone. That's the point of the exercise. So last little segment here, voice VLANs as trunk ports. When
I started building out this feature of VoIP Hopper because the issue was a non-Cisco environment, I had to build the feature for the 802.1Q ARP dissector, and I saw this tagging thing was happening even in Cisco networks on the Ethernet switches, so I went back through all the internal VoIP tests and looked at the PCAP traces that I had saved, and I found that they all indeed
did this and this is the Cisco Voice VLAN. So in summary, the Cisco Voice VLAN operates just like a trunk port when you're just doing a standard trunk port. So I sent this notification to Cisco PSIRT because I want to work together and I want to help improve the security and we're still working together on it, but the subject
is Cisco IOS advertises Voice VLAN ID by sending tagged frames to switch access ports. Cisco PSIRT, they look like they have real good awareness of this and they're working on it, so hopefully they'll come up with a solution that helps protect customers, and that's the whole point of why we're here. But the Voice VLAN as a trunk port, it's an interesting thing;
it's called a multi-VLAN access port with auxiliary VLANs, that's what the Voice VLAN is. And Cisco says it's not officially a trunk port. I'm going to skip over LLDP-MED because the stuff that really makes me passionate is to talk about this hotel VoIP security. So I want to just skip along to the end here because we only have a few more minutes left. So, mitigations:
don't do this, don't do port security, don't do MAC address filtering, I already talked about that, including hiding the MAC address. Hiding a MAC address isn't a security feature. Now this is something interesting that I'm starting to see in more deployments: using physical locks on the phones, locking the VoIP port to the wall and locking the voice port on the phone
itself, and this is a vendor, Panduit, that I've seen. I've done some internal VoIP pen tests where they knew I was coming, so they put these locks on. Seriously, I'm not kidding you, they had their physical security operations come do this, but, you know, we were able to defeat it because you just use one of these tools, and that's
what it looks like. But this is really interesting, let me tell you this: I'm staying in a hotel right now, I'm not staying here, I'm staying in another hotel, and just a couple of days ago I found out that they have VoIP in their phones, VoIP in their guest rooms. Now I'm not going to do anything with that, but it's a new vendor that I've never seen before, Teledex;
they're specialized for VoIP in the hospitality industry, and interesting, really, really fascinating, they did like a poor man's physical security: they stripped the top of the RJ45 instead of using these physical locks. They stripped it off, I don't know if you can see that, but you can't take the little bottom and pull it out. I just thought
it was interesting, I mean, do they really trust that that's going to prevent someone from getting access, but that does tell you, we don't want you unplugging the phones and plugging in your laptop that's what it tells me, and I tell you when someone does something physical like this that's like, that's where I draw the line I would never, you know, try and circumvent that unless it was, you know
an authorized pen test, so you can use tweezers on the side, I have these tweezer tools, I didn't mean to say that, I'm just saying if I was going to do something, but as luck would have it, check this out, I actually moved rooms in this hotel yesterday morning and guess what,
these ones didn't have the security in place they look at the little RJ45 sticking out there, so interestingly enough, it shows that the physical security solution wasn't consistently applied across these hotel rooms I mean, you have like hundreds or thousands of these luxury resort hotels
in Las Vegas, you have to actually make sure that every single room is configured the same way it's a human error, it's always the weakest link in a security system, and this just proves it again right here, interesting so just a couple more minutes here's a great idea that I got from Zach and Chris with Cisco
lock the phones to the wall using Panduit locks, like real locks, and then if someone breaks through the locks, err-disable the port, make the port automatically shut off, because if someone's breaking through those locks, that's really suspicious activity. So you can do one of two things: you can err-disable
the port, or you can keep the port up but send a high priority security alert that notifies your security admins, and they come breaking down the door when they're trying to VLAN hop and think that no one knows about it. That, I mean, that's like an awesome solution. I think all the hotels should be doing that, because the physical security combined with an operational procedure
is really good, the detection and the logging. 802.1X is another well-known thing: do multi-domain authentication, don't configure the single VLAN, because CDP can spoof when you use voice VLANs. There's a couple of limitations with 802.1X; I'm just going to gloss over that. In 2008
we published a tool called XTest, and it highlights the two issues where you can piggyback on the successful authentication of an 802.1X wired supplicant like a phone and you can gain access to the network. We talked about this at ToorCon. Looks like there's an awesome talk tomorrow where this guy is doing a transparent bridge through Linux, so you might want to check that out; looks like he's kind of
advancing that forward. MACsec is another mitigation recommendation; it provides hop-by-hop layer 2 encryption, it's like the next version of 802.1X. I'm wrapping up here. I just want to thank you guys for listening. I want to tell you why I did this: this is a talk of the culmination of my research
on something that I'm passionate about. I wrote this blog post, Attacking the Crown Jewels through VoIP, for a site I'm a blogger for, and it kind of inspired the name of the title of this talk, because I found this issue after I wrote that blog. I'm trying to create education awareness. I want to publish a new version of VoIP Hopper
because I know that seeing is believing showing is believing and sometimes people just have to see a vulnerability with their own eyes in order to understand the impact of that issue in order to actually start remediating the issue, they have to see it with their own eyes. It's my hope above all else that this information gets to the NetOps
and the security operations of these luxury hotels that is my one hope is that we can create education awareness and have them start fixing these issues because if I'm showing this to you today and the people that were in the room with me both know this too, that were in the room with me before how many people already know about this and were
silent about this issue how many hotels have already been breached because if I can do this I know a lot of other people can and I just hope that we publish some best practices around UC security for these unique scenarios where we have trunking allowed in user access networks that's what this talk is about and that's all I got
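The two ways the talk describes VoIP Hopper learning the voice VLAN ID (the 802.1Q tag on a booting phone's gratuitous ARP or gateway lookup, and the VLAN ID carried in an LLDP-MED Network Policy TLV), together with the passive ARP inventory of phone MAC/IP pairs, as an added Python example. This is not the speaker's code or VoIP Hopper's: it only dissects frames, using the standard 802.1Q, ARP and LLDP/ANSI-TIA-1057 encodings, and it does no VLAN hopping, DHCP or spoofing. The sample frames, MAC addresses and IPs are constructed for the example.

```python
# Added example, not from the talk or VoIP Hopper. Passively learns the voice VLAN ID from
# 802.1Q-tagged ARP or an LLDP-MED Network Policy TLV and inventories phones from ARP sender
# fields. Sample frames below are constructed; the MACs and IPs are hypothetical.
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ETH_P_8021Q, ETH_P_ARP, ETH_P_LLDP = 0x8100, 0x0806, 0x88CC
TIA_OUI = b"\x00\x12\xbb"        # OUI of the LLDP-MED (ANSI/TIA-1057) organizationally specific TLVs
MED_NETWORK_POLICY = 2           # LLDP-MED TLV subtype: Network Policy
APP_VOICE = 1                    # Network Policy application type: Voice

@dataclass
class Learned:
    voice_vlan: Optional[int] = None
    source: Optional[str] = None
    phones: Dict[str, str] = field(default_factory=dict)   # MAC -> IP from ARP sender fields

def mac_str(b: bytes) -> str: return ":".join(f"{x:02x}" for x in b)
def ip_str(b: bytes) -> str: return ".".join(str(x) for x in b)

def parse_lldp_network_policy(lldpdu: bytes) -> Optional[Tuple[int, bool]]:
    """Walk the LLDP TLV chain; return (vlan_id, tagged) from a Voice Network Policy TLV."""
    i = 0
    while i + 2 <= len(lldpdu):
        hdr = struct.unpack_from("!H", lldpdu, i)[0]
        tlv_type, tlv_len = hdr >> 9, hdr & 0x1FF     # 7-bit type, 9-bit length
        i += 2
        if tlv_type == 0:                             # End of LLDPDU
            break
        value = lldpdu[i:i + tlv_len]
        i += tlv_len
        if (tlv_type == 127 and len(value) >= 8
                and value[:3] == TIA_OUI and value[3] == MED_NETWORK_POLICY):
            word = struct.unpack_from("!I", value, 4)[0]
            app, unknown, tagged = word >> 24, (word >> 23) & 1, (word >> 22) & 1
            vlan_id = (word >> 9) & 0xFFF             # app(8) U(1) T(1) X(1) VLAN(12) prio(3) DSCP(6)
            if app == APP_VOICE and not unknown:
                return vlan_id, bool(tagged)
    return None

def dissect(frame: bytes, state: Learned) -> str:
    """Update `state` from one raw Ethernet frame; the first VLAN-learning mechanism seen wins."""
    if len(frame) < 14:
        return "runt"
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    off, vlan = 14, None
    if ethertype == ETH_P_8021Q:                      # 802.1Q tag: TPID, TCI, inner ethertype
        if len(frame) < 18:
            return "runt"
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan, off = tci & 0x0FFF, 18
    if ethertype == ETH_P_ARP:
        if len(frame) < off + 28:
            return "truncated arp"
        hrd, pro, hln, pln, _op = struct.unpack_from("!HHBBH", frame, off)
        if (hrd, pro, hln, pln) != (1, 0x0800, 6, 4):
            return "arp: not ethernet/ipv4"
        sha, spa = frame[off + 8:off + 14], frame[off + 14:off + 18]
        if vlan is not None and state.voice_vlan is None:
            state.voice_vlan, state.source = vlan, "802.1Q-tagged ARP"
        if ip_str(spa) != "0.0.0.0":                  # ARP probes carry no usable sender IP
            state.phones[mac_str(sha)] = ip_str(spa)
        return f"arp vlan={vlan} {mac_str(sha)} {ip_str(spa)}"
    if ethertype == ETH_P_LLDP:
        policy = parse_lldp_network_policy(frame[off:])
        if policy and state.voice_vlan is None:
            state.voice_vlan, state.source = policy[0], "LLDP-MED Network Policy"
        return f"lldp policy={policy}"
    return f"ethertype 0x{ethertype:04x} ignored"

# --- Constructed sample frames (hypothetical addresses, not captured traffic) ---
def tlv(t: int, v: bytes) -> bytes:
    return struct.pack("!H", (t << 9) | len(v)) + v

def build_tagged_arp(vlan: int, sha: bytes, spa: bytes, tpa: bytes) -> bytes:
    eth = b"\xff" * 6 + sha + struct.pack("!HHH", ETH_P_8021Q, vlan, ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sha + spa + b"\x00" * 6 + tpa
    return eth + arp

def build_lldp(src: bytes, vlan: int, tagged: bool) -> bytes:
    word = (APP_VOICE << 24) | (int(tagged) << 22) | (vlan << 9) | (5 << 6) | 46  # prio 5, DSCP EF
    policy = TIA_OUI + bytes([MED_NETWORK_POLICY]) + struct.pack("!I", word)
    lldpdu = (tlv(1, b"\x04" + src) + tlv(2, b"\x03" + src) + tlv(3, b"\x00\x78")
              + tlv(127, policy) + tlv(0, b""))
    return b"\x01\x80\xc2\x00\x00\x0e" + src + struct.pack("!H", ETH_P_LLDP) + lldpdu

PHONE_A, PHONE_B = bytes.fromhex("001b54aabb01"), bytes.fromhex("001b54aabb02")
SAMPLE_FRAMES = [
    build_tagged_arp(200, PHONE_A, bytes([0, 0, 0, 0]), bytes([10, 200, 0, 51])),      # ARP probe
    build_tagged_arp(200, PHONE_A, bytes([10, 200, 0, 51]), bytes([10, 200, 0, 51])),  # gratuitous ARP
    build_lldp(PHONE_B, 200, True),                                                    # LLDP-MED from a phone
    build_tagged_arp(200, PHONE_B, bytes([10, 200, 0, 52]), bytes([10, 200, 0, 1])),   # gateway lookup
]

def run(frames=SAMPLE_FRAMES) -> Learned:
    state = Learned()
    for f in frames:
        dissect(f, state)
    return state
```

Feed `dissect()` frames from a raw socket or a pcap reader in place of `SAMPLE_FRAMES`. The "first mechanism seen wins" rule and the skipping of 0.0.0.0 ARP probes mirror the behaviour the talk describes for the assessment mode; hopping onto the learned VLAN is the separate step the talk performs with a tagged subinterface and is deliberately not part of this example.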