Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Beta Programs
Two attacks against VoIP
Peter Thermos

"We are more secure than a regular phone line."

Comments Mode:
Two attacks against VoIP 2006-04-06
Tobias Glemser (3 replies)
As posted at pentest-mailing-list

1. Hijack a user's VoIP Subscription

As to be seen on beginning of page 2 the author describes an attack on a SIP Proxy without user authentication!

"This attack can be successful even if the remote SIP proxy server requires authentication of user registration,...

[ more ]  [ reply ]
Re: Two attacks against VoIP 2006-04-06
Author (2 replies)
The two fundamental messages of the article are the fact that there are VoIP Service providers who misconceive VoIP security and the fact that there is a gap between the standards and products when it comes to supporting certain security features.

The comment "This is also false if we discuss an...

[ more ]  [ reply ]
Re: Re: Two attacks against VoIP 2006-04-12
Tobias Glemser
"The comment "This is also false if we discuss an actual SIP-Proxy implementation." is based on ONE implementation which you have configured and tested in an isolated environment compared to testing 4 different commercial implementations in carrier and enterprise environments respectively."

Nope ...

[ more ]  [ reply ]
Re: Re: Two attacks against VoIP 2006-04-16
Anonymous
That you found some broken proxy that does not support digest authentication is sort of interesting, I'm not aware of any open source or comercial proxy that does not support it. More likely just configured wrong.

I would also like to point out that many proxies support doing all of this over TL...

[ more ]  [ reply ]
Re: Two attacks against VoIP 2006-04-06
Anonymous (1 replies)
" E. g. a standard asterisk SIP-Proxy will always reply with a "SIP/2.0 401 Unauthorized", also submitting a digest and a realm value. The client then has to authenticate using a response value which is normally a MD5 Hash consisting of Username, Password, nonce, HTTP Request Method and Request URI....

[ more ]  [ reply ]
Re: Re: Two attacks against VoIP 2006-04-12
Tobias Glemser
"None of this seems to have any entropy. Which means it's vulnerable to replay attacks, just as the article states."

No. Since the nonce value is unique for each request, if you just try to replay the PBX will reject your packet requesting a new authentication with a different nonce.

So replay w...

[ more ]  [ reply ]
Re: Two attacks against VoIP 2006-04-07
Roger (1 replies)
" using a response value which is normally a MD5 Hash consisting of Username, Password, nonce, HTTP Request Method and Request URI.

This prevents the describend attacks."

Since the hash does not bind to any of the registration information, this offers no protection at all against a MITM attack...

[ more ]  [ reply ]
Re: Re: Two attacks against VoIP 2006-09-25
VoIP_Hacker
You are exactly correct on all accounts ...... MITM is an easy hack. I do it daily in hacking and product demonstrations.

One other note on VLAN's, they are for anything but security. It is a broadcast domain. There are many hacks out there to traverse VLAN's. Yersinia (a hacking app) allows you...

[ more ]  [ reply ]
Two attacks against VoIP 2006-04-06
Greg (2 replies)


I have not examined your assertions so I will not comment on any of

the assertions made in terms of hacking VoiP.

HOWEVER... You state that, on 802.11x networks, that WPA is vulnerable

to attack. It is not. None of your references contain any evidence of

this, and I have yet to see any evide...

[ more ]  [ reply ]
Re: Two attacks against VoIP 2006-10-24
Wireless_VOIP
Here is a simple attack against WPA, WEP or whichever wireless security mechanism ...

Have an access point with same SSID with stroger signal strength, the user's laptop connects to the attacker's access point gives a pop up network is not secure do you really want to connect. (Some % of users wi...

[ more ]  [ reply ]
Re: Two attacks against VoIP 2009-01-19
Anonymous
WPA is not secure. If you dont believe me and you think your wpa or wpa II network is secure fly me out to your location and I will convince you otherwise. One thing that I can not stand is people who think they "know" about computer security. They "know" because they went to a class or seminar some...

[ more ]  [ reply ]
Two attacks against VoIP 2006-04-07
Peter Thermos
The underlying message of article wasn't really about the attacks. The desription of the attacks serve as an introductory reference for readers that don't share the same background as some of us do, especially in VoIP Security. There are many more issues associated with NGN/VoIP (and generaly Intern...

[ more ]  [ reply ]
Two attacks against VoIP 2006-04-10
Anonymous
Great article! I hope to read soon "deregistering a user".

http://www.tumujer.com

...

[ more ]  [ reply ]
Two attacks against VoIP 2006-04-11
MidNet
We have been working in the VoIP space for some time, especially with SIP and have found a solution to this. We recently completed integration of Uniloc netANCHOR into our product line. Read more here: http://wiki.unilocusa.com/index.php/MidNet_delivers_peace-of-mind_to_VoIP_customers

...

[ more ]  [ reply ]
Two attacks against VoIP 2006-11-09
Anonymous
What ever happened to Sivus?...

[ more ]  [ reply ]




 

Privacy Statement
Copyright 2009, SecurityFocus