Last year was my first DEF CON presentation, “VoIP Wars: Return of the SIP.” I really enjoyed being a part of this amazing security conference. I presented some next-generation VoIP attacks such as SIP trust hacking, SIP proxy bounce attacks and attacking mobile applications through the SIP protocol. I also announced my security assessment tool, the Viproy VoIP penetration testing kit, during the conference.
This year I had new research to present—“VoIP Wars: Attack of the Cisco Phones”—focusing on attacks on hosted VoIP services; it was a sequel to the previous year’s presentation. This new research targets Cisco-based hosted VoIP environments and communication infrastructure. VOSS Solutions is another part of this research; they are a Cisco partner and provide a hosted VoIP management software suite. I separated my research into four topics: hardware IP phones, Cisco-specific SIP analysis, the VOSS management suite and Cisco Skinny protocol analysis.
First, I modified a Cisco IP Phone 7940 for wiretapping and permanent network access. It has sufficient space inside to fit two devices such as a battery, an Arduino, or a Raspberry Pi. I placed a Raspberry Pi inside and created a cloned cable bridge for the voice VLAN cable. While the Cisco IP phone is connected to the voice VLAN, the Raspberry Pi inside can be connected to the same network. However, I needed a power source for the Raspberry Pi as well. I’m still working on alternatives such as using PoE over the same cable, a speakerphone power cable, or an external battery.
I also tested the SIP protocol behaviors of the Cisco Unified Communication Server (CUCM) for SIP attacks, which I presented as well. CUCM uses a custom header, Remote-Party-ID, for SIP trunk communication. I mentioned this header last year, and this year I demonstrated it using CUCM. I also noticed that Cisco Unified Presence Server (CUPS) has some SIP message content issues. However, I couldn’t complete the CUPS analysis before my speech; I’ll publish additional research based on it.
Cisco-based hosted VoIP services need a VOSS Solutions management suite because of the tenant services management and self-care services. I found 20-plus vulnerabilities in those management suite applications, such as the Self Care portal, the Management portal and the IP Phone XML services. Those vulnerabilities were stored cross-site scripting vulnerabilities, privilege escalation vulnerabilities, authorization issues, and information leakages. I contacted Cisco PSIRT to disclose the vulnerabilities and they patched many of them. Some of them will be patched this month as well.
The last research topic was Cisco Skinny protocol analysis. My first motivation was that there is no public security assessment tool to analyze Skinny-based VoIP networks. Skinny is a binary protocol, and its features also differ between versions. Wireshark can decode some of them, but not the latest ones. I developed a security-testing library for the Skinny protocol and three sample modules for it. Those modules can register themselves as an IP phone, initiate a call, or redirect all IP phones to a specific number.
I had live demonstrations of my research topics during my presentation at DEF CON 22. I explained all findings and new attack vectors for SIP, Skinny, and the hosted VoIP software suite. But the most important thing about my trip to Las Vegas was the amazing audience—thank you. My daughter also sent a video during my trip to the U.S. She missed me, which is why I wanted to record a video of myself on the stage. The entire audience screamed her name and said hello to her. It was amazing. If I remember one single thing from DEF CON 22, it will be the awesome audience.
Fatih Ozavci is a security researcher and senior consultant with Sense of Security. He is the author of the “Viproy VoIP Penetration and Exploitation Testing Kit” and the “MBFuzzer Mobile Application MITM Fuzzer” tool. He has also published a paper about Hacking SIP Trust Relationships. Ozavci has discovered many previously unknown security vulnerabilities and design and protocol flaws in VoIP environments. He analyses VoIP design and implementation flaws, which helps to improve VoIP infrastructures.