Hacking the lobby telephone

Hacking the lobby telephone
Hacking the lobby telephone 

By Robert Vamosi
Defense in Depth
February 17, 2008

WASHINGTON -- Two security researchers at ShmooCon demonstrated on 
Saturday how a laptop connected to a VoIP telephone could, in some 
cases, expose a business' internal network to outsiders.

John Kindervag, senior security architect for Vigilar, said that public 
waiting areas in hospitals, conference rooms, and hotel rooms are 
particularly vulnerable to this attack since often there is no IT staff 
around. Appearing on stage at the East Coast computer hacker conference 
with Kindervag was Jason Ostrom, manager of Vigilar's Vulnerability 
Assessment and Compliance Practice team, who used the ShmooCon 
conference to show off his latest version of VoIP Hopper, a tool he uses 
for penetration testing of companies that are running voice over IP 
phone systems.

Kindervag said that VoIP was gaining acceptance with large companies and 
organizations for many reasons: there are no toll calls over the 
Internet; there's less cabling involved; employees can move offices 
without having to rewire or change switching operations for their 
phones; and finally, voice mail notices can appear in one's Outlook 
inbox. "This is very popular among CIOs," Kindervag said.

But Ostrom's tool allows one to hook up a laptop computer to a public 
VoIP phone and connect to the company's or organization's internal 
network with full administrator access. VoIP Hopper can be used to 
intercept Cisco Discovery Protocol (CDP), which announces the device 
type and the SNMP agent address of neighboring devices, and 
automatically create a new ethernet device. This could allow someone to 
map or otherwise do damage to a company's network from a public waiting 
area. The tool also allows one to physically remove the phone and have a 
laptop spoof the phone's MAC address, so the network is unaware that a 
laptop has replaced the expected phone.

To prevent such attacks, the researchers recommend turning off CDP. They 
also recommend disabling port 2 on any public VoIP phone, and include 
the public phone within a firewall.

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2015 CodeGods