| Subject: | [ISN] Intercept Threats of Cisco IP Phones |
|---|---|
| Date: | Tue, 16 Nov 2004 07:35:30 -0600 (CST) |

http://cryptome.org/cisco-holes.htm

Thanks to A.

14 November 2004

In the SIP images of Cisco 7960/7940 (and perhaps 7970/7980) phones, there is a "telnet" option which can be enabled. In the highest access mode of this interface, it is possible to activate a "test keys" mode, which would allow an external party to make calls to remote (external) destinations without the local user hearing any indication that the phone had been placed into "remote intercom" mode. The test key mode allows a telnet user to simulate the exact keystrokes of a local user.

Additionally, there is a feature called "auto-answer" which can be activated on a single line, meaning that whatever SIP username is associated with that line will also achieve an auto-answer (on speakerphone, if available) for that line. This also can be used as a remote area surveillance system. (Example: in our office, I have a special extension which calls all phones across the entire office and muxes them back into a single conference bridge, so that I can listen to the entire office at night to see if there is anything amiss (fan noises, UPS signalling, fire alarms, voices).)

Both variations cause a bright green LED to light up on the deskset, and also the LCD screen shows the status of the "call" in progress, so there is some external indication that something is happening.

Cisco has made some progress in ensuring that "pirate" versions of code for the phones are not easily developed and uploaded; updated versions need to be cryptographically signed before the phone will upload them (exact methods unknown), which to some degree mitigates the threat from versions which have no physical indications, though anything is possible with enough budget and brainpower.

Both of these "features" are available currently on the SIP images and present different threat situations for voice surveillance. I don't know if they're also available in the SCCP or H.323 versions of the code.

Both are exceedingly dangerous, and telnet mode should never be enabled in an insecure (or even secure) environment. The intercom feature is also an issue, since there is no reverse authentication from the Cisco phones (another major failing, in my opinion, of Cisco's SIP practical implementation strategy).

_________________________________________
Open Source Vulnerability Database (OSVDB)
Everything is Vulnerable - http://www.osvdb.org/
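
An added example, not part of the original post and not Cisco tooling: a defender's audit of the phone configuration files served to the handsets, flagging every phone whose effective telnet setting is not disabled. It assumes the SIP image's `key: value ; comment` file format, the key name `telnet_level` (0 disabled, 1 enabled, 2 privileged, disabled when absent) and the `SIPDefault.cnf` / per-phone file naming; none of these are stated in the post, and the sample files are constructed.

```python
# Assumptions (not from the post): key name `telnet_level`, values
# 0 = disabled, 1 = enabled, 2 = privileged, and a shared SIPDefault.cnf
# whose settings each per-phone file may override.

# Constructed sample files, keyed by file name.
SAMPLE_FILES = {
    "SIPDefault.cnf": "# site defaults\ntelnet_level: 1 ; 0-Disabled, 1-Enabled\n",
    "SIP000000000001.cnf": 'line1_name: "1001"\ntelnet_level: 0\n',
    "SIP000000000002.cnf": 'line1_name: "1002"\n',  # inherits the default
    "SIP000000000003.cnf": 'line1_name: "1003"\ntelnet_level: 2\n',
    "SIP000000000004.cnf": 'line1_name: "1004"\ntelnet_level: yes\n',
}


def parse_cnf(text):
    """Parse 'key: value ; comment' lines; lines starting with '#' are comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def audit_telnet(files, default_name="SIPDefault.cnf"):
    """Return {phone_file: effective_level} for phones where telnet is not off."""
    defaults = parse_cnf(files.get(default_name, ""))
    findings = {}
    for name, text in sorted(files.items()):
        if name == default_name:
            continue
        effective = {**defaults, **parse_cnf(text)}  # per-phone file wins
        raw = effective.get("telnet_level", "0")
        level = int(raw) if raw.isdigit() else -1  # -1: unparseable, flag it
        if level != 0:
            findings[name] = level
    return findings


if __name__ == "__main__":
    for phone, level in audit_telnet(SAMPLE_FILES).items():
        print(f"{phone}: telnet_level={level}")
```

A phone that inherits an enabled default is reported even though its own file never mentions telnet, which is the case a per-file grep misses.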