September 20, 2010, 1:00 PM — BOSTON -- Corporate video conferences can still be easily hacked by insiders using a freeware tool that allows attackers to monitor calls in real-time and record them in files suitable for posting on YouTube.
While the exploit was demonstrated a year ago at security conferences, most corporate networks are still vulnerable to it, says Jason Ostrom, director of VIPER Lab at VoIP vendor Sipera, where he performs penetration tests on clients' business VoIP networks.
He says he sees only 5% of these networks are properly configured to block this attack, which can yield audio and video files of entire conversations. "I almost never see encryption turned on," he says.
Ostrom demonstrated the attack at the Forrester Security Forum in Boston last week using a Cisco switch, two Polycom videophone and a laptop armed with a hacking tool called UCSniff that he pulled together from open source tools.
To eavesdrop on the calls, someone with access to a VoIP phone jack -- including the one in the lobby of the business -- plugs a laptop with the hacking tool on it into the jack. Using address-resolution protocol (ARP) spoofing, the device gathers the corporate VoIP directory, giving the hacker the ability to keep an eye on any phone and to intercept its calls. There's a tool within UCSniff called ACE that simplifies capturing the directory.
Once intercepted, the audio and video from the targeted call flow through the laptop, where it can be viewed as it streams by and also where it is recorded in separate files, one for each end of the conversation, Ostrom says.
Encryption is the answer
The best network defense is to turn on encryption for both signaling and media, he says. The problem isn't with the networking or VoIP and video gear itself, but rather with how they are configured in the network, he says.
One attendee suggested that Layer 2 monitoring tools could pick up on this attack, and Ostrom agrees. But he also says they're not often used in practice. "I don't see a lot of Layer 2 protections to defend against this," he says.
In addition, in his penetration testing he finds that 70% of the networks he tests are vulnerable to toll fraud attacks that use the corporate network as a proxy for make long distance calls.