Friday, July 31, 2009

Hacking Telepresence for Fun and Profit...

Just sat through the VIPER Lab talk on Advanced Video Attacks. If you're not familiar with the Sipera guys, check out their blog for more on the cool (and free!) tools they offer, including the forthcoming UCSniff 3.0, simplifying attacks on VOIP, video, and unified communications.

Most enterprises believe that putting their IP phones on a separate VLAN is secure. Suuuuure it is. I remember seeing Jason Ostrom give a demo at Shmoocon 2008 where he intercepted (and played back) VOIP calls by crashing through a VLAN using VOIP Hopper, one of the early tools that he worked on. Today, he and his colleague Arjun demoed how to instantaneously jack not just an audio stream, but both sides of an actual videoconference. Freakin' COOL.

Not only are the Sipera guys rolling out UCSniff 3.0, but they're also rolling out version 1.1 of VideoJak, enabling pwnage of Cisco's HD surveillance cameras; Wired has a much more in-depth article on Sipera's efforts and demo here. The most important point in the entire article is in the final paragraph: Sipera has found that only five percent of enterprises have fully enabled the built-in security features in their unified communications systems. Brutal. Jason and I talked about this over beers last night...the stories he has on organizations not turning on security are mind-boggling.

The Sipera guys are also soon rolling out VideoSnarf, a third tool in the video hacking toolbox. They showed a couple of SWEET demos of manipulating video phones and IP video for fun and profit...for that, you should've been here.

In addition to showing an attack that was extremely LPD/LPI (low probability of detection/intercept) by using UCSniff in target mode, they also figured out a way to defeat GARP (gratuitous ARP) disablement on Cisco phones--meaning, if you can get physical access to the network, you can enable GARP and pick off phones one-by-one, jacking an entire enterprise--or just the key execs whose information you care about. Sipera has made the Cisco PSIRT aware of the problem; while Cisco may (or may not) patch this issue, there's a pretty easy fix to prevent being pwned--turn on the friggin' built-in security. Encrypted configuration files = no modification of phone settings. Sure, it's a ~25% performance hit...but that sure beats having your CFO's earnings release preparation calls attacked.

But, sadly, no...I certainly don't expect the 95% of orgs that haven't deployed the security already built into their UC systems to do so anytime soon. Meaning, still lots of opportunity for fun and profit by hacking voice and video.
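One defensive check for the GARP-based interception described above, as an added example that is not from the original post or from Sipera's tools: it scans constructed ARP observations from a voice VLAN and reports every IP whose MAC changes, marking whether the frame that changed it was unsolicited. The record layout, addresses and function names are assumptions made for illustration.

```python
from collections import namedtuple

# Hypothetical record layout for ARP frames captured on the voice VLAN.
Arp = namedtuple("Arp", "ts op sender_ip sender_mac target_ip")
Finding = namedtuple("Finding", "ts ip old_mac new_mac unsolicited")

# Constructed sample (private addresses, locally administered MACs).
SAMPLE = [
    Arp(0.0, "request", "10.20.0.11", "02:00:00:00:00:11", "10.20.0.1"),
    Arp(0.1, "reply",   "10.20.0.1",  "02:00:00:00:00:01", "10.20.0.11"),
    Arp(5.0, "request", "10.20.0.12", "02:00:00:00:00:12", "10.20.0.1"),
    Arp(5.1, "reply",   "10.20.0.1",  "02:00:00:00:00:01", "10.20.0.12"),
    # Nobody asked, yet the gateway IP is re-announced from a new MAC.
    Arp(9.0, "reply",   "10.20.0.1",  "02:00:00:00:0b:ad", "10.20.0.11"),
    # Gratuitous announcement (sender IP == target IP) moving a phone's IP.
    Arp(9.5, "reply",   "10.20.0.11", "02:00:00:00:0b:ad", "10.20.0.11"),
]

def find_rebinds(events, window=1.0):
    """Return a Finding for every IP whose MAC changes, noting whether the
    frame that changed it answered a recent request or arrived unsolicited."""
    bindings = {}   # ip -> last MAC seen claiming it
    asked = {}      # ip -> time of the most recent request for it
    findings = []
    for e in sorted(events, key=lambda e: e.ts):
        gratuitous = e.sender_ip == e.target_ip
        if e.op == "request" and not gratuitous:
            asked[e.target_ip] = e.ts
        # A reply counts as solicited only if someone asked for that IP
        # within `window` seconds; requests and gratuitous frames never do.
        solicited = (e.op == "reply" and not gratuitous
                     and e.ts - asked.get(e.sender_ip, float("-inf")) <= window)
        old = bindings.get(e.sender_ip)
        if old is not None and old != e.sender_mac:
            findings.append(Finding(e.ts, e.sender_ip, old, e.sender_mac,
                                    not solicited))
        bindings[e.sender_ip] = e.sender_mac
    return findings

if __name__ == "__main__":
    for f in find_rebinds(SAMPLE):
        kind = "unsolicited" if f.unsolicited else "solicited"
        print(f"{f.ts:>5.1f}s {f.ip} moved {f.old_mac} -> {f.new_mac} ({kind})")
```

A solicited rebind can be a legitimate hardware swap; an unsolicited one for the gateway or a phone is the pattern worth alerting on.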


1 comment:

  1. Check this one out. I recently acquired a Nextel BlackBerry 8350i from a friend of mine. I figured I would use it with a Boost SIM just like any other Nextel...not happening. So I found a way around it! I get almost full BlackBerry, just no BIS stuff (BB Messenger, etc.), but I can run all apps and since this thing has built in wifi it works about it at my forums at, if you feel like it, sign up for an account, I could use some new members!