Sign up
 Vonage  

       
 
Vonage Forum Menu

Vonage Forums
Vonage VoIP Forum
Dwightkaw Posted:
kredyt bez
zaświadcze
24; kredyt bez
zaświadcze
24; o dochodach
...

In The Forum:
Vonage
Topic:
kredyt bez zaświadczeń
On Dec 03, 2016 at 03:27:10

Kevingrarl Posted:
Су
95;ас&
#1085;иl
1;
пі
76;пр&
#1080;&
...

In The Forum:
Vonage
Topic:
Сучас&
On Dec 02, 2016 at 12:51:38

IsaawUnace Posted:
does cialis work
as well as cialis
add.cgi buy
cialis cialis
the team <a
...

In The Forum:
Vonage
Topic:
Condition good pill instead of ed
On Dec 01, 2016 at 11:11:59

MatrickVop Posted:
buy cialis today
columbus oh
generic cialis
buy cialis online
registered users
...

In The Forum:
Vonage
Topic:
Classify miserly pills no means
On Nov 28, 2016 at 10:42:47

dracossumo Posted:
Ко
84;па&
#1085;иn
3; Tritel
пр
77;до
...

In The Forum:
Vonage
Topic:
&#1048;&#1085;&#1090;&#1077;&#1088;&
On Nov 27, 2016 at 23:00:39

DWSupport Posted:
After recent
Vonage update that
took place on the
4th and 5th of
Nov. E-mails with
...

In The Forum:
Vonage
Topic:
Voicemail Not Forwarding to Outlook Accounts
On Nov 10, 2016 at 12:23:26

peterlee Posted:
Had a call from a
Hospital in Ajax,
Ontario to my home
in
Scarborough, Onta
rio
...

In The Forum:
Vonage Canada
Topic:
Hospital Incoming call unable to connect
On Nov 08, 2016 at 11:59:50

TELLDOUG Posted:
I am looking for a
product that will
make my phone ring
louder so I can
hear using
...

In The Forum:
Vonage
Topic:
Looking for a ringer ameliorate
On Oct 26, 2016 at 09:21:30

HildBeft Posted:
You can recollect
password by
connecting the
router to your pc
and open the
browser
...

In The Forum:
Hard Wiring - Installation
Topic:
How to arrive at wifi password?
On Oct 20, 2016 at 05:05:49

HildBeft Posted:
Great tips..
Thanks for sharing
...

In The Forum:
Hard Wiring - Installation
Topic:
How to have Vonage and another land line?
On Oct 20, 2016 at 04:55:03


Vonage VoIP Forums

Vonage In The News
Vonage Holdings Corp. Reports Fourth Quarter and Full Year 2013 Results

Carolyn Katz Elected to Board of Directors of Vonage Holdings Corp.

Syndication

Vonage Customer Reviews
Vonage vs. Time Warner Cable SoCal
Vonage vs. Time Warner Cable SoCal



Vonage UK Review
Vonage UK Review



Vonage Pros and Cons for 2006
Vonage Pros and Cons for 2006



Vonage, a VT2142 and a RTP300, My Experiences - A Detailed Review
Vonage, a VT2142 and a RTP300, My Experiences - A Detailed Review



Salt Lake City: impressions after several months
Salt Lake City: impressions after several months




Vonage Reviews


Post new topic   Reply to topic  Vonage® VoIP Forum - Vonage News, Reviews And Discussion » Vonage Forum Archive
Author Message
xnewuser
Vonage Forum Master
Vonage Forum Master


Joined: Apr 30, 2006
Posts: 152
Location: Centennial, Colorado

PostPosted: Sat Aug 05, 2006 10:16 pm    Post subject: VoIP hijacking possibility Reply with quote Back to top

Partial excerpt from ABC news:

Quote:
Another security professional showed how people can have their phone numbers hijacked when using certain types of equipment that route calls over the Internet.

The research, from Arias Hung, a security professional with Media Access Guard in Seattle, showed how to control the inner workings of Internet phone routers made by Linksys, which is owned by Cisco Systems Inc. of San Jose, Calif.

Once the routers are accessed, a person can change the device's so-called media access control address, which acts as a serial number that Internet phone providers such as Vonage Holdings Corp. use to verify the identity of customers. A person exploiting the flaw could intercept calls made to a legitimate Vonage user and make calls that would appear to come from the user's phone number.

"The service providers should be very concerned," Hung said. "The general consumer should stay away from this router," he said, referring to two models that Linksys designates the WRTP54G and the RTP300.

Cisco spokeswoman Molly Ford said she could not immediately comment on Hung's research.
View user's profile Send private message
munyeca
Full Forum Member
Full Forum Member


Joined: May 09, 2006
Posts: 66

PostPosted: Sun Aug 06, 2006 3:01 am    Post subject: Reply with quote Back to top

ahmagad... so Scary... wat can a custOmer do on their part?

NADA? Sad

i wonder what else / what's the actual worst thing that would happen if a hacker gets in those devices... Eek

_________________
"Rage. Fury. Irritation. Humiliation"
View user's profile Send private message
scerruti
Vonage Forum MVM
Vonage Forum <b>MVM</b>


Joined: Feb 05, 2005
Posts: 1424
Location: Carlsbad, CA (finally)

PostPosted: Sun Aug 06, 2006 7:20 am    Post subject: Reply with quote Back to top

We've touched on the questionable choice Vonage/Linksys (actually Sipura/Motorola probably) made when deciding to use the MAC address to identify the customer configuration.

Chris073 wrote:
I think Linksys should inventigate why their products MAC addresses are being used other then their purpose.


Ultimately this is simply a form of identity theft. I would suspect that eventually you would not be held responsible for the cost of outgoing calls but would never recover any losses that resulted from not receiving any incoming calls.

Vonage's response to this, would be to investigate the IP address that was the source of the cloned MAC address and also replace your equipment.

If you were actually the culprit hijacking calls you would need to do it via a wireless bridge on an open access point. Otherwise it would be easy to track you down. (In theory it may be possible to route the calls through an anonymous network, but I suspect the latency and jitter would make the phone useless.) Therefore this exploit will be limited to someone with a specific need to hijack your phone line, someone who has enough access to your network to obtain your device's MAC address and at least $100 to spend on equipment to make this work.

In my opinion there are significantly easier ways to steal phone service. I will contact Arias Hung and ask him to comment further.

P.S. I sent an email to Arias Hung with a link to this thread in hope that he might provide additional details.

_________________
Stephen P. Cerruti (ISP: TWC)
View user's profile Send private message Visit poster's website Yahoo Messenger
scerruti
Vonage Forum MVM
Vonage Forum <b>MVM</b>


Joined: Feb 05, 2005
Posts: 1424
Location: Carlsbad, CA (finally)

PostPosted: Sun Aug 06, 2006 8:02 am    Post subject: Reply with quote Back to top

munyeca wrote:
ahmagad... so Scary... wat can a custOmer do on their part?

NADA? Sad

i wonder what else / what's the actual worst thing that would happen if a hacker gets in those devices... Eek


What is a customer's risk?

The highest risk comes to businesses who would be impacted by loss of incoming calls. An ordinary user on an unlimited plan may never notice that someone was placing outgoing calls unless they made international calls. Since calls to toll numbers (900, 976) aren't generally possible on Vonage systems the biggest threat is eliminated. 500 minute plan customers may be impacted if they and the hacker combined used more than 500 minutes.

So, in summation, the risk to the user is loss of incoming calls for the period the hacker's router is active, and the cost of toll calls (international calls) and the cost of calls above the 500 minute limit for limited plan users.

Phone impersonation

Another risk may come from someone who is attempting to impersonate you by using your phone. For example, if they stole a credit card from your mailbox but needed your phone to activate it, they could use this technique to place the call. This type of phone impersonation is more insidious than simple caller id spoofing because it would also provide the correct ANI information (used by toll free numbers to identify callers for example). However, the actual usefulness of this is limited. It is very simple to spoof calls to have your caller id through other mechanisms, so the need for this attack is extremely limited.

How could you be vulnerable?

A hacker could randomly attempt to spoof MAC addresses. It is likely that many of the Vonage addresses are in series so knowing a single MAC address would allow a hacker to simply add 1 to the number until he found an active line. Alternatively the hacker could go to the store and record numbers from packages and wait until the routers were activated. Finally, if the hacker knew your MAC address, which may be possible if he has access to your network, he could specifically target you.

Could this be fixed?

Linksys/Vonage could resolve this issue with a specific firmware upgrade. The could prevent the user from altering the MAC address sent by the router. A better solution would be to allow the user to specify a pass phrase (your Vonage account password perhaps) that was sent encrypted to the Vonage servers when your router attempted to download the configuration. This would prevent third parties without access to the pass phrase from cloning your device.

They could also allow you to lock your configuration file. Specifying that only updates could be received unless you permitted a one time download via the web site or a call to customer service. This would be required in the event of a factory reset for example.

What action can you take to protect yourself?

If you are a new user you could avoid this equipment. The news summary did not indicate the Motorola equipment was also vulnerable.

If you are an existing user with this equipment you could replace the equipment at your own cost. I seriously doubt either Vonage or Linksys would reimburse you. You could, I think, change the MAC address the device uses on your local network. I believe the Linksys devices allow you to spoof MAC addresses to fool cable modems. This spoofed MAC address is probably not used for your Vonage configuration. Therefore the MAC address visible on your LAN would be different than the one sent to Vonage. The one sent to Vonage could still be captured, but it would be harder. To make this effective you would want to use a real MAC address from a different Linksys router that was not on your network. This would still leave you open to a random attack, but less open to a targeted attack.

In my opinion this issue is not serious enough to warrant a consumer response in the majority of cases. It is a security flaw that Vonage should be concerned about. However, it is important to realize that credit card companies expect a certain level of identity theft, this is a detriment to credit card users who are affected by credit card theft. I would expect Vonage and Linksys to ignore this issue and simply expect a minimal level of fraud.

_________________
Stephen P. Cerruti (ISP: TWC)
View user's profile Send private message Visit poster's website Yahoo Messenger
scerruti
Vonage Forum MVM
Vonage Forum <b>MVM</b>


Joined: Feb 05, 2005
Posts: 1424
Location: Carlsbad, CA (finally)

PostPosted: Sun Aug 06, 2006 8:26 am    Post subject: Reply with quote Back to top

Here is the abstract of Arias Hung's talk:

http://www.defcon.org/html/defcon-14/dc-14-speakers.html#Hung

_________________
Stephen P. Cerruti (ISP: TWC)
View user's profile Send private message Visit poster's website Yahoo Messenger
VonageTPA
Vonage Forum MVM
Vonage Forum <b>MVM</b>


Joined: Jul 11, 2005
Posts: 1715
Location: Florida (usually)

PostPosted: Tue Aug 08, 2006 3:16 pm    Post subject: Reply with quote Back to top

Other than the fact that this was talked about at Defcon, this really isn't news. You can do all of this with freely available tools on the 'net. Ethereal & Cain would do everything described, with the exception of unlocking the adapter, but it's possible you could use these tools for that as well. Without getting into specifics, Cain can sniff out some of the Vonage credentials, but you're looking at letting it run for a LONG time doing some brute-force password cracking.

Don't get too caught up in the MAC stuff... The MAC is used by Vonage, but *NOT* like you're thinking. It gets used to send out configuration files. AND, you DON'T need to spoof the MAC in any way, shape, or form to get the config file.

Here's a real brief summary of how a legitimate Vonage device does its thing, from power-up to making calls:

Power on
Boot operating system (linux)
Load extensions to kernel (router functions, VoIP,etc)
Get configuration file from Vonage (encrypted .XML file)
Read configuration files
Get firmware update if available
Synchronize with Vonage's time servers
Log-in to Vonage via SIP (username is 11 digit phone #, password is random characters)
Ready for calls/standby for incoming.

As far as "unlocking" the router, I'm sure he just uploaded the non-Vonage-locked firmware floating around the 'net. I haven't played around with the .XML config file, but it is possible that the admin password is in there. Not sure 'though.

_________________
ISP: Varies depending where I'm at.
Vonage: Linksys RTP300
Router: IPCop 1.4.10
Phones: various
Total calls since Jul 24, 2005: 4,794 calls
Total Minutes since Jul 24, 2005: 25,552 minutes
View user's profile Send private message
scerruti
Vonage Forum MVM
Vonage Forum <b>MVM</b>


Joined: Feb 05, 2005
Posts: 1424
Location: Carlsbad, CA (finally)

PostPosted: Tue Aug 08, 2006 3:38 pm    Post subject: Reply with quote Back to top

VonageTPA wrote:
You can do all of this with freely available tools on the 'net. Ethereal & Cain would do everything described,

Ethereal and Cain require you to have access to the target's network.

Ethereal and Cain can not hijack incoming calls so that calls are diverted to you instead of the intended recipient.

This reminds me of a story.

VonageTPA wrote:
Don't get too caught up in the MAC stuff... The MAC is used by Vonage, but *NOT* like you're thinking. It gets used to send out configuration files. AND, you DON'T need to spoof the MAC in any way, shape, or form to get the config file.

I am uncertain why you think the MAC address is not critical here. According to this poorly documented claim, if I know the MAC address that Vonage has on file for your Linksys router I can enter it into my router and hijack your SIP registration.

There is open debate on whether you would need something besides simply the MAC address to do this. The configuration file, as you point out, is encrypted. The question I have is where does the encryption key originate? Does this attack depend on knowing the encryption key or breaking the encryption? Is the encryption key the same for all units, based on the MAC address or provided in a table by MAC address from the manufacturer? Does the encryption key change?

The Ethereal and Cain attacks would be effective on any Vonage device. Why does the DefCon presenter feel that these two particular devices should be avoided by consumers? What additional risk do they pose?

_________________
Stephen P. Cerruti (ISP: TWC)
View user's profile Send private message Visit poster's website Yahoo Messenger
VonageTPA
Vonage Forum MVM
Vonage Forum <b>MVM</b>


Joined: Jul 11, 2005
Posts: 1715
Location: Florida (usually)

PostPosted: Wed Aug 09, 2006 10:27 am    Post subject: Reply with quote Back to top

scerruti wrote:
[

Ethereal and Cain can not hijack incoming calls so that calls are diverted to you instead of the intended recipient.


I was hoping to discuss this matter without posting a virtual "how-to-guide" for Vonage, so I'll try to keep the details as minimal as necessary for the argument. In this case, you are partially correct. As long as you have absolutely NO access to the victim's network, you will have a difficult time using Ethereal. Cain can still prove useful for decoding/decrypting passwords 'though. Also, through router poisoning, you can snag some pretty interesting stuff. The chances of going after a specific user via the traditional packet sniffing techniques without being on the same subnet/network as them is probably remote. BUT, once you have some info, then Cain becomes useful.

Quote:
I am uncertain why you think the MAC address is not critical here. According to this poorly documented claim, if I know the MAC address that Vonage has on file for your Linksys router I can enter it into my router and hijack your SIP registration.


Yes & no... I can say with 100% confidence that having the correct MAC address is NOT required to use the Vonage service. The configuration (provisioning) filenames actually have the MAC address in them, which is the only way/reason that the MAC address is even part of the issue. The provisioning files are how Vonage controls the ATAs and how they make changes to them, from making sure it has the correct phone #, to changing ringtones & volume levels. Useful, but they actually don't do anything special. Think of it like using DHCP vs. static IPs. The config file is similar to DHCP, entering the SIP credentials manually is similar to how you configure static IPs. Once you've gotten a MAC address, you can download the config file from Vonage's server, and with some time & patience, break the encryption on the file and extract the full SIP credentials (username, password, proxy servers, ports, SIP-specific settings, dial-plans, and other things). Then you can use any SIP-compatible device you like with Vonage's service, without using the SoftPhone option. In fact, the real high-level Vonage techs will sometimes do troubleshooting on adapter-specific problems by taking the info from the decrypted config file and enter it into a standard non-Vonage-specific SIP device.

Where this is scary is that there's nothing stopping someone from going into a big box retailer with a camera phone, taking pictures of a few Vonage boxes (Linksys has a habit of putting the serial # & MAC address on the outside of the box) and I'll stop there so I'm not giving a how-to guide.

Quote:
There is open debate on whether you would need something besides simply the MAC address to do this. The configuration file, as you point out, is encrypted. The question I have is where does the encryption key originate? Does this attack depend on knowing the encryption key or breaking the encryption? Is the encryption key the same for all units, based on the MAC address or provided in a table by MAC address from the manufacturer? Does the encryption key change?


I've seen what you're asking about, but I'm not about to post it in a public forum. All that I will comment on is that the encryption key is different for each unit AND it can be changed remotely.

Quote:
The Ethereal and Cain attacks would be effective on any Vonage device. Why does the DefCon presenter feel that these two particular devices should be avoided by consumers? What additional risk do they pose?


The RTP300/WRTP54G both run on linux and people have pretty much picked apart entire firmware versions down to the core and learned many things about them. You can feed an RTP300 a bogus config file by faking the config file server and it'll happily accept it. As far as consumers avoiding these devices, I'm not 100% sure why they'd reccomend that action, but we already know the routing portion of these devices is barely functional to begin with.

_________________
ISP: Varies depending where I'm at.
Vonage: Linksys RTP300
Router: IPCop 1.4.10
Phones: various
Total calls since Jul 24, 2005: 4,794 calls
Total Minutes since Jul 24, 2005: 25,552 minutes
View user's profile Send private message
scerruti
Vonage Forum MVM
Vonage Forum <b>MVM</b>


Joined: Feb 05, 2005
Posts: 1424
Location: Carlsbad, CA (finally)

PostPosted: Wed Aug 09, 2006 10:39 am    Post subject: Reply with quote Back to top

Therefore, the basic questions remain.

If I have one of these Linksys devices and I alter only my MAC address to that of someone elses device can I convince Vonage to set my encryption key and load a configuration file for another user?

Without access to the victims network traffic is there any other way to hijack his configuration? We know you could download an encrypted configuration file, but could you decrypt it?

Using the method that spawned this thread can you hijack only a line from someone who is using one of these routers or can you hijack any Vonage line? If the latter why should a consumer specifically avoid this router?

Is my initial assessment of risk as provided in this thread accurate?

_________________
Stephen P. Cerruti (ISP: TWC)
View user's profile Send private message Visit poster's website Yahoo Messenger
VonageTPA
Vonage Forum MVM
Vonage Forum <b>MVM</b>


Joined: Jul 11, 2005
Posts: 1715
Location: Florida (usually)

PostPosted: Wed Aug 09, 2006 11:09 am    Post subject: Reply with quote Back to top

scerruti wrote:
Therefore, the basic questions remain.

If I have one of these Linksys devices and I alter only my MAC address to that of someone elses device can I convince Vonage to set my encryption key and load a configuration file for another user?

No need to alter the MAC, far more useful (if not as immediate) to get the config file, decrypt it, take the SIP credentials & run with it.

Quote:

Without access to the victims network traffic is there any other way to hijack his configuration? We know you could download an encrypted configuration file, but could you decrypt it?

Other than downloading the encrypted config file, I don't know of any way off the top of my head. If you have some access to the same subnet as the victim, you might be able to do some router table poisoning upstream of you and sniff out some SIP traffic from there. The traffic method would give you the phone#/userID and servers immediately, but you'd have to do some cracking (which takes time, it's a long password) to obtain the password.

Quote:
Using the method that spawned this thread can you hijack only a line from someone who is using one of these routers or can you hijack any Vonage line? If the latter why should a consumer specifically avoid this router?


All of the Vonage adapters use very similar config files with similar encryption. The steps to break the config files for the Sipura-based devices is only slightly different than for the TI-based devices.

Ultimately, this type of attack is nearly useless to find a specific person's account and hijack it, but if you're looking for a free random Voip line, then it can be done. I should note, that if someone obtains the SIP credentials for your account, they CAN get your incoming calls. If you have hit-or-miss incoming calls, then that may be a sign that something is amiss.

As far as why they singled out these routers specifically, maybe they've found a backdoor in the linux side of things. OR, since it's linux, maybe they've come up with a quick script that'd reprogram the adapter to give you a place to enter your MAC address rather than use the device's own. Then you might be able to get the decryption password directly rather than spending some serious time cracking it.

You have to keep things in perspective 'though. It's FAR easier to go after analog phone lines. Just hop out of your car, hook on with 2 alligator clips, and you're in.

_________________
ISP: Varies depending where I'm at.
Vonage: Linksys RTP300
Router: IPCop 1.4.10
Phones: various
Total calls since Jul 24, 2005: 4,794 calls
Total Minutes since Jul 24, 2005: 25,552 minutes
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


All times are GMT - 5 Hours

Vonage Service Plans


Vonage VoIP Members
Members List Members
New waltertg4
New Today 0
Yesterday 6
Total 99001

Who Is On Site
Visitors 92
Members 0
Total 92


Vonage VoIP Forum Members:
Login Here
Not a Member? You can Register Here
As a registered member you will have access to the VoIP Speed Test, Vonage Service Announcements and post comments in the
Vonage VoIP Forums

Vonage Stock Price
Value: 6.57
Change:   N/A
Up to 15 Minute Delay

Site Search
 






†AK and HI residents pay $29.95 shipping. ††Limited time offer. Valid for residents of the United States (&DC), 18 years or older, who open new accounts. Offer good while supplies last and only on new account activations. One kit per account/household. Offer cannot be combined with any other discounts, promotions or plans and is not applicable to past purchases. Good while supplies last. Allow up to 2 weeks for shipping. Other restrictions may apply.

1Unlimited calling and other services for all residential plans are based on normal residential, personal, non-commercial use. A combination of factors is used to determine abnormal use, including but not limited to: the number of unique numbers called, calls forwarded, minutes used and other factors. Subject to our Reasonable Use Policy and Terms of Service.

2Shipping and activation fees waived with 1-year agreement. An Early Termination Fee (with periodic pro-rated reductions) applies if service is terminated before the end of the first 12 months. Additional restrictions may apply. See Terms of Service for details.

HIGH SPEED INTERNET REQUIRED. †VALID FOR NEW LINES ONLY. RATES EXCLUDE INTERNET SERVICE, SURCHARGES, FEES AND TAXES. DEVICE MAY BE REFURBISHED. If you subscribe to plans with monthly minutes allotments, all call minutes placed from both from your home and registered ExtensionsTM phones will count toward your monthly minutes allotment. ExtensionsTM calls made from mobiles use airtime and may incur surcharges, depending on your mobile plan. Alarms, TTY and other systems may not be compatible. Vonage 911 service operates differently than traditional 911. See www.vonage.com/911 for details.

** Certain call types excluded.

www.vonage-forum.com is not an official Vonage support website & is independently operated.
All logos and trademarks are property of their respective owners. All comments are property of their posters.
All other www.vonage-forum.com content is © Copyright 2002 - 2013 by 4Sight Media LLC.

Thinking of signing up for Vonage but have questions?
Business and Residential customers can call Toll Free 24 hours a day at: 1-888-692-8074
No Vonage Promotion Code or Coupon Codes are required at www.vonage.com to receive any special,
best Vonage cheap deals, free sign up offers or discounts.

[ | | | | | ]

Vonage Forum Site Maps

Vonage | VoIP Forum | How VoIP Works | Wiring and Installation Page Two | International Rate Plans 2 | Internet Phone
Promotion | Vonage Review | VoIP | Broadband Phone | Free Month | Rebate | Vonnage | Vontage | VoIP | Phone Service
Phone | llamadas ilimitadas a Mexico | Latest News | VoIP Acronyms | Deal | Philippines Globe Phone | Site Maps

The Vonage Forum provides the Vonage sign up Best Offer Promotion Deal.
If you are considering signing up for Vonage and have found our Vonage News, Customer Reviews, Forums
& all other parts of this site useful, please use our Vonage Sign up page.


Vonage VoIP Phone Service is redefining communications by offering consumers
& small business VoIP Internet phones, an affordable alternative to traditional phone service.
The Vonage VoIP Forum Generated This Page In: 0.83 Seconds and 401 Pages In The Last 60 Seconds
The Vonage VoIP Forum