Threats Targeting Endpoints
As shown in Figure 23-1, there are many attack paths against an IP phone, including a connection through the network or through the integrated switch port to which a PC is attached. Corrupt images and altered configuration files can sabotage the IP telephony environment. Further attacks can be started from an infiltrated IP phone, which is generally trusted and has access to the network. Physical access to the IP phone can be misused to violate the integrity of the IP phone and the privacy of the user. Information can also be gathered by browsing to the IP phone. In addition, IP phone conversations are vulnerable to various attacks when the network has been infiltrated, so the privacy of calls must be protected.
Figure 23-1. Attacks Against IP Phone Endpoints
Endpoints are a common target of attacks because they are usually less protected than strategic devices, such as servers or network infrastructure devices. If an attacker gets control of an endpoint, such as an IP phone, the attacker could use that device as a jumping-off point for further attacks. Because the endpoints are trusted devices and have certain permissions in the network, an attacker can use them to target devices that they would not be able to reach directly. To get control of an IP phone, an attacker could try to modify the image and configuration file (for example, by spoofing the TFTP server or by replacing the file on the TFTP server itself or while in transit).
Another major threat is eavesdropping on conversations. If an attacker has physical access to the IP phone, the attacker can "tap the wire," either by connecting between the IP phone and the switch or by connecting to the PC port of the IP phone. If the attacker does not have physical access to the IP phone or its network connection, the attacker could launch a man-in-the-middle attack from any network between two communicating endpoints. In a man-in-the-middle attack, the attacker pretends to be a neighboring system (such as the default gateway when the communication is between two IP networks or a peer on the same IP network) and, hence, receives all packets. A common type of man-in-the-middle attack is to use gratuitous Address Resolution Protocol (ARP) for redirection of packets at the MAC address layer.
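The gratuitous-ARP redirection just described is also what a defender should watch for on the voice VLAN. The following Python example is added here and is not from the chapter; it runs three checks over constructed ARP records, and the trusted gateway and CallManager addresses are assumed sample values.

```python
# Added example (not from the chapter): spot gratuitous-ARP poisoning that
# would redirect an IP phone's traffic at the MAC layer. All addresses below
# are constructed sample values.
from collections import defaultdict

# Trusted IP-to-MAC bindings a defender would seed from DHCP or inventory
# (assumed values).
TRUSTED = {
    "10.1.1.1": "00:11:22:33:44:01",   # default gateway
    "10.1.1.10": "00:11:22:33:44:10",  # Cisco CallManager / TFTP server
}

# Constructed ARP frames: (opcode, sender_ip, sender_mac, target_ip).
# Opcode 1 = request, 2 = reply.
SAMPLE_ARP = [
    (1, "10.1.1.50", "00:aa:bb:cc:dd:50", "10.1.1.1"),   # phone asks for gateway
    (2, "10.1.1.1", "00:11:22:33:44:01", "10.1.1.50"),   # legitimate gateway reply
    (2, "10.1.1.1", "de:ad:be:ef:00:01", "10.1.1.1"),    # gratuitous reply, wrong MAC
    (2, "10.1.1.1", "de:ad:be:ef:00:01", "10.1.1.1"),    # repeated poisoning frame
    (2, "10.1.1.10", "de:ad:be:ef:00:01", "10.1.1.10"),  # same MAC claims CallManager
]

def detect_arp_poisoning(frames, trusted=TRUSTED):
    """Return a list of alert strings describing suspicious ARP activity."""
    alerts = []
    seen = defaultdict(set)        # ip -> set of MACs that claimed it
    gratuitous = defaultdict(int)  # (ip, mac) -> count of unsolicited replies
    for opcode, sip, smac, tip in frames:
        seen[sip].add(smac)
        # Rule 1: a claim that contradicts a trusted binding.
        if sip in trusted and smac != trusted[sip]:
            alerts.append(f"binding conflict: {sip} claimed by {smac}, expected {trusted[sip]}")
        # Rule 2: gratuitous replies (sender == target) repeated from one MAC.
        if opcode == 2 and sip == tip:
            gratuitous[(sip, smac)] += 1
    for (ip, mac), n in gratuitous.items():
        if n > 1:
            alerts.append(f"{n} gratuitous replies for {ip} from {mac}")
    # Rule 3: one MAC claiming several trusted hosts, the classic MitM posture.
    mac_to_ips = defaultdict(set)
    for ip, macs in seen.items():
        for mac in macs:
            mac_to_ips[mac].add(ip)
    for mac, ips in mac_to_ips.items():
        claimed = sorted(ips & set(trusted))
        if len(claimed) > 1:
            alerts.append(f"{mac} claims multiple trusted hosts: {claimed}")
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP):
        print(alert)
```

In a real deployment the frames would come from a SPAN session or a packet capture on the voice VLAN, and the trusted table from DHCP leases or the switch's DHCP snooping database.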
A lot about the IP phone and the telephony infrastructure can be learned just by looking into the network settings or browsing to the built-in HTTP server of the IP phone. This information includes the Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), default router, TFTP, and Cisco CallManager addresses. With this information, a hacker can direct an attack at the TFTP or Cisco CallManager server, because Windows hosts are generally more vulnerable than network components.
Overall, attacks on the endpoints can be broken down into four major categories:
- Eavesdropping on VoIP conversations
- Modifying the IP phone image
- Attacking system and CallManager services
- Hacking network devices and services
The simplest way to eavesdrop on the conversations of a user is to tap the wire between the IP phone and the PC attached to it. A variety of tools exist to accomplish this feat:
- Ettercap: A suite for man-in-the-middle attacks that allows sniffing and on-the-fly manipulation of data
- Voice Over Misconfigured Internet Telephones (VOMIT): A tool that can create .wav files from captured G.711 conversations
- Ethereal: A sniffer and network protocol analyzer that allows both capturing conversations and converting them to playable files
An attacker could also try to get control of an IP phone by modifying the IP phone image or configuration file. This attack is carried out either at the TFTP server by manipulating the files themselves or by replacing the content while it is in transit. For the first method, the attacker needs access to the directory of the TFTP server; for the second, the attacker has to launch a successful man-in-the-middle attack.
The hacker might want to direct the attack at the most critical telephony components: the servers. An easy way to gather information about the IP addresses of critical components (such as the Cisco CallManager addresses, default gateway address, TFTP server address, DNS server address, and voice VLAN ID) is to retrieve them from the IP phone. This retrieval can be done locally at an IP phone by using the Settings button or by connecting to the IP address of the IP phone with a web browser. From the retrieved information, the hacker can build a topology map, associate it with services, and use the topology map to attack relevant devices.
If the attacker manages to get access to network devices, such as routers and switches, the attacker could redirect traffic to any destination using various kinds of tunnels. These include Generic Routing Encapsulation (GRE), IPsec, Layer 2 Tunneling Protocol (L2TP), or Switched Port Analyzer (SPAN).