How to hack IP voice and video in real-time
BOSTON -- Corporate video conferences can still be easily hacked by insiders using a freeware tool that allows attackers to monitor calls in real-time and record them in files suitable for posting on YouTube.
While the exploit was demonstrated a year ago at security conferences, most corporate networks are still vulnerable to it, says Jason Ostrom, director of VIPER Lab at VoIP vendor Sipera, where he performs penetration tests on clients' business VoIP networks.
He says he sees only 5% of these networks are properly configured to block this attack, which can yield audio and video files of entire conversations. "I almost never see encryption turned on," he says.
Ostrom demonstrated the attack at the Forrester Security Forum in Boston last week using a Cisco switch, two Polycom videophone and a laptop armed with a hacking tool called UCSniff that he pulled together from open source tools.
To eavesdrop on the calls, someone with access to a VoIP phone jack -- including the one in the lobby of the business -- plugs a laptop with the hacking tool on it into the jack. Using address-resolution protocol (ARP) spoofing, the device gathers the corporate VoIP directory, giving the hacker the ability to keep an eye on any phone and to intercept its calls. There's a tool within UCSniff called ACE that simplifies capturing the directory.
Once intercepted, the audio and video from the targeted call flow through the laptop, where it can be viewed as it streams by and also where it is recorded in separate files, one for each end of the conversation, Ostrom says.
Encryption is the answer
The best network defense is to turn on encryption for both signaling and media, he says. The problem isn't with the networking or VoIP and video gear itself, but rather with how they are configured in the network, he says.
One attendee suggested that Layer 2 monitoring tools could pick up on this attack, and Ostrom agrees. But he also says they're not often used in practice. "I don't see a lot of Layer 2 protections to defend against this," he says.
In addition, in his penetration testing he finds that 70% of the networks he tests are vulnerable to toll fraud attacks that use the corporate network as a proxy for make long distance calls.
Edward Amoroso, CSO of AT&T, who sat on a panel at the Forrester conference with Ostrom, says that AT&T plants public-facing vulnerabilities on purpose to lure attackers into honeypots that aren't connected to the network. AT&T then works with law enforcement agencies to identify and prosecute the hackers.
"It introduces a little uncertainty to the hacker," Amoroso says. "They wonder, 'Is it real or not?'" and may be reluctant to jump on every vulnerability they see.
Read more about wide area network in Network World's Wide Area Network section.