VoIP hijacking possibility

Posts: 1424 · Posted: Wed Aug 09, 2006 12:51 pm Post subject:

VonageTPA wrote:

No need to alter the MAC, far more useful (if not as immediate) to get the config file, decrypt it, take the SIP credentials & run with it.

Have you got time estimates on decrypting a config file?

VonageTPA wrote:

Ultimately, this type of attack is nearly useless to find a specific person's account and hijack it, but if you're looking for a free random Voip line, then it can be done.

While I think that the hackers were thinking about the prospect of free calls, the possibility of hijacking a known line is certainly the one that presents more risk.

I've mentioned one way of obtaining the MAC via access to the LAN (possibly through an open wireless access point) and one way to circumvent that (using a different MAC address on your LAN).

If your Vonage device is left out in the open it would be a simple matter to get the MAC from the unit. I wouldn't even need to look at it, I could just lift the unit and snap a picture with my camera phone.

Finally a little social engineering is the basis for a lot of these hacks, "Hi, I'm Ned from Vonage and we are calling to verify your router MAC address as part of our quality assessment program, are you near the router now?".

VonageTPA wrote:

You have to keep things in perspective 'though. It's FAR easier to go after analog phone lines. Just hop out of your car, hook on with 2 alligator clips, and you're in.

I don't think you can really compare this. It is far less risky to sit in a coffee shop somewhere and place calls than to physically connect to a line. Yes, if you want to eavesdrop alligator clips or a scanner might be the easiest method, but it doesn't do much for hijacking calls unless you get really fancy with a second line and a call diverter.

Posts: 1715 · Posted: Fri Aug 11, 2006 12:42 pm Post subject:

scerruti wrote:

Have you got time estimates on decrypting a config file?

Hmm..good question. With some of the top procs out there now & some good algorithms, you're probably looking in terms of many months. If Vonage's passwords AREN'T 100% random, then we're talking a much shorter time.

Quote:

Finally a little social engineering is the basis for a lot of these hacks, "Hi, I'm Ned from Vonage and we are calling to verify your router MAC address as part of our quality assessment program, are you near the router now?".

Social engineering has always been a huge security hole in any security system, and one I've used in the past for various reasons. I still think going to a Big Box store with a mobile phone cam is the safest/quickest way if you don't mind waiting a few weeks for those units to get purchased & activated.

Quote:

I don't think you can really compare this. It is far less risky to sit in a coffee shop somewhere and place calls than to physically connect to a line. Yes, if you want to eavesdrop alligator clips or a scanner might be the easiest method, but it doesn't do much for hijacking calls unless you get really fancy with a second line and a call diverter.

Agreed with that. The other problem is that phone calls are tracable, so whoever's trying to pull this off better not call friends/family/people they care about on the hijacked line.

Reading back over the DefCon description, they didn't even boast doing anything this intricate 'though:
"Discover how vendor provisioning works on these routers, in order to reclaim control of your hardware. Learn specifics as to the ar7 dual processor architecture that the hardware utilizes, and how to unlock its numerous built-in capabilities that have been crippled prior to release by the vendor. Watch a demonstration of how easy Voip and its companion protocol MGCP can be manipulated for illegal purposes such as call spoofing, number hijacking, and untraceable call routing."

They're just claiming that you can unlock the router. Seperately, they show the protocol vulnerabilities, not necessarily hacking Vonage for these purposes. I'd agree that SIP (never played with the older MGCP) appears to be written for a secure environment rather than the wild untamed internet. That said, it wouldn't take much to add additional authentication steps to prevent tampering. With Vonage able to get the device manufacturers to write custom firmware, they could easily add a couple of extra steps that'd thwart any reasonable hack attempts.