Showing posts with label VoIP. Show all posts

Friday, November 6, 2020

Security Director Alert – Hackers Exploiting VoIP to Compromise Business Accounts

A hacking campaign has compromised VoIP (Voice over Internet Protocol) phone systems at over 1,000 companies around the world over the past year in a campaign designed to make profit from selling compromised accounts.

While the main purpose appears to be dialing premium rate numbers owned by attackers or selling phone numbers and call plans that others can use for free, access to VoIP systems could provide cyber criminals with the ability to conduct other attacks, including listening to private calls, cryptomining, or even using compromised systems as a stepping stone towards much more intrusive campaigns...

It's recommended that organizations change default usernames and passwords on devices so they can't easily be exploited and, if possible, analyze call billings on a regular basis for potentially suspicious destinations, volumes of traffic or call patterns.

And most importantly, organizations should apply the required security patches to prevent known vulnerabilities from being exploited. more

Tuesday, November 19, 2019

Eavesdropping Vulnerability: Cisco SPA100 - Update Firmware

While setting up a VoIP service in their home, security researchers at Tenable Research discovered a total of 19 vulnerabilities in VoIP adapters from Cisco's SPA100 Series.

If exploited, these vulnerabilities could allow an attacker to eavesdrop on a user's conversations, initiate fraudulent phone calls and even pivot further into their internal network.

Tenable Research informed Cisco PSIRT of the 19 vulnerabilities they discovered across seven Cisco security advisories and the networking giant has since addressed these flaws with a new 1.4.1 SR5 firmware release for their SPA 100 series devices.

...if you're using a Cisco SPA 100 series VoIP adapter, it is highly recommended that you update to the latest firmware before these flaws are exploited in the wild. more

Friday, January 26, 2018

Better Secure Voice over Internet - Novel Solution

Researchers at the University of Alabama at Birmingham have developed a novel method to better protect Crypto Phones from eavesdropping and other forms of man-in-the-middle attacks.
Crypto Phones consist of smartphone apps, mobile devices, personal computer or web-based Voice over Internet Protocol applications that use end-to-end encryption to ensure that only the user and the person they are communicating with can read what is sent. In order to secure what is being communicated, Crypto Phones require users to perform authentication tasks.

Research has shown that these tasks are prone to human errors, making these VoIP applications and devices highly vulnerable to man-in-the-middle and eavesdropping attacks... more

A long, technical, interesting read.

Extra Credit... The 4 Best Phones for Privacy & Security


Tuesday, February 16, 2016

Slacker Hacker Hi-Jacker ...Poof! Your VoIP Phone is Pwned

Hackers could listen in on you via your VoIP phone, security researchers have warned.

By using a simple exploit taking advantage of weak default passwords, attackers can hack your VoIP phone to make and receive calls, transfer calls without your knowledge and even spy on your in-person conversations.

Security expert Paul Moore discovered the flaw after consulting on the installation of several VoIP phones...

Once infected, the hacker has complete control over the phone, allowing them to block incoming calls, silently call premium-rate numbers, and secretly listen in on a user's conversations. more

from Paul Moore...
Q. What can the attacker do?
A. Virtually anything. Make calls, receive calls, transfer calls (even before it rings), play recordings, upload new firmware and crucially... use the device for covert surveillance.

Need a security evaluation of your VoIP phones? Contact me. ~Kevin

Saturday, January 23, 2016

VoIP Software Used to Eavesdrop

The backdoor could allow agents, employers or third parties to listen in on conversations...

The GCHQ has developed VoIP encryption tools with a built-in backdoor, allowing both authorities and third parties to listen in on conversations.

The backdoor is embedded into the MIKEY-SAKKE encryption protocol and has a 'key escrow' built in, allowing those with authority - whether an employer or government agency - to access it if a warrant or request is made.

The backdoor was uncovered by Dr Steven Murdoch, a security researcher from the University of London, who wrote a blog about the potential snooping tool. more

Monday, March 23, 2015

Security Director Alert - Cisco VoIP Phone Eavesdropping Vulnerability

Cisco is warning customers about several vulnerabilities in some of its IP phones that can allow an attacker to listen in on users’ conversations. The bug affects the Cisco SPA 300 and 500 Series IP phones.

Cisco had confirmed the vulnerabilities, which were discovered by Chris Watts, a researcher at Tech Analysis in Australia, and is working on a new version of the firmware to fix the bugs.

“A vulnerability in the firmware of the Cisco Small Business SPA 300 and 500 series IP phones could allow an unauthenticated, remote attacker to listen to the audio stream of an IP phone,” Cisco said in its advisory.

“The vulnerability is due to improper authentication settings in the default configuration. An attacker could exploit this vulnerability by sending a crafted XML request to the affected device. An exploit could allow the attacker to listen to a remote audio stream or make phone calls remotely.”

...The fix for the bug is not yet available, but Cisco said it is preparing one. more

Monday, October 20, 2014

Business Phone VoIP Hack - Phreaking Expensive

Bob Foreman’s architecture firm ran up a $166,000 phone bill in a single weekend last March. But neither Mr. Foreman nor anyone else at his seven-person company was in the office at the time... (hackers) routed $166,000 worth of calls from the firm to premium-rate telephone numbers in Gambia, Somalia and the Maldives...

The scheme works this way, telecommunications fraud experts say: Hackers sign up to lease premium-rate phone numbers, often used for sexual-chat or psychic lines, from one of dozens of web-based services that charge dialers over $1 a minute and give the lessee a cut...

Hackers then break into a business’s phone system and make calls through it to their premium number, typically over a weekend, when nobody is there to notice.
With high-speed computers, they can make hundreds of calls simultaneously, forwarding as many as 220 minutes’ worth of phone calls a minute to the pay line...


...telecom experts advise people to turn off call forwarding and set up strong passwords for their voice mail systems and for placing international calls. (more)
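The call-billing review recommended in the November 2020 post above, applied to the weekend premium-rate pattern this article describes, can be automated against a PBX's call detail records. The following Python sketch is an added example, not part of the original post or the quoted article; the CSV column layout, the sample records, the business-hours window and the concurrency ceiling are all assumptions, and the watch list uses the country codes of the three destinations the article names.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample call detail records (CDRs). The column layout is an
# assumption; real PBX and carrier exports differ.
SAMPLE_CDR = """start,extension,dialed,duration_s
2014-03-14T10:02:00,101,+12125550100,180
2014-03-14T15:30:00,102,+442079460000,600
2014-03-15T02:00:00,105,+2205550001,3300
2014-03-15T02:00:05,105,+2525550002,3300
2014-03-15T02:00:10,105,+9605550003,3300
2014-03-15T02:00:15,105,+2205550004,3300
2014-03-16T03:10:00,105,+9605550005,1200
"""

# Assumed watch list: country codes of the destinations named in the article.
WATCHED_PREFIXES = {"+220": "Gambia", "+252": "Somalia", "+960": "Maldives"}
BUSINESS_HOURS = range(8, 19)  # assumed 08:00-18:59, Monday to Friday
MAX_CONCURRENT = 3             # assumed ceiling for a seven-person office


def load_cdrs(text):
    """Parse CSV text into call dicts with computed end times."""
    calls = []
    for row in csv.DictReader(io.StringIO(text)):
        start = datetime.fromisoformat(row["start"])
        calls.append({
            "start": start,
            "end": start + timedelta(seconds=int(row["duration_s"])),
            "extension": row["extension"],
            "dialed": row["dialed"],
        })
    return calls


def flag_call(call):
    """Return the list of reasons a single call deserves review (empty if none)."""
    reasons = []
    for prefix, country in WATCHED_PREFIXES.items():
        if call["dialed"].startswith(prefix):
            reasons.append(f"watched destination ({country})")
    start = call["start"]
    if start.weekday() >= 5 or start.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    return reasons


def peak_concurrency(calls):
    """Sweep start/end events to find the highest number of simultaneous calls."""
    events = []
    for c in calls:
        events.append((c["start"], 1))
        events.append((c["end"], -1))
    # At the same instant, process ends (-1) before starts (+1) so that
    # back-to-back calls are not counted as overlapping.
    events.sort(key=lambda e: (e[0], e[1]))
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def review(text):
    """Flag individual calls and test peak concurrency against the ceiling."""
    calls = load_cdrs(text)
    flagged = [(c, r) for c in calls if (r := flag_call(c))]
    peak = peak_concurrency(calls)
    return {"flagged": flagged, "peak_concurrent": peak,
            "concurrency_alert": peak > MAX_CONCURRENT}


if __name__ == "__main__":
    report = review(SAMPLE_CDR)
    for call, reasons in report["flagged"]:
        print(call["start"], call["extension"], call["dialed"], "; ".join(reasons))
    print("peak concurrent calls:", report["peak_concurrent"])
```

Run on a schedule against the PBX export, the concurrency check is the one most likely to catch this scheme early, since a small office rarely has more simultaneous outbound calls than it has people.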

Sunday, March 2, 2014

How the Avaya Phone on Your Desk Can Be Turned Into A Bug

Security researchers have designed a stealthy eavesdropping attack that sounds like it's straight out of a James Bond movie. It starts with a booby-trapped document that compromises an unpatched laser printer, which in turn converts a popular Internet phone into a covert bugging device.

The proof-of-concept attack exploits currently unpatched vulnerabilities in the Avaya one-X 9608, a popular model of phone that uses the Internet rather than a standard phone line to make and receive calls. Researcher Ang Cui, a Ph.D. candidate at Columbia University and chief scientist at Red Balloon Security, declined to provide many details on the vulnerabilities until users have had time to install a patch that Avaya is expected to release soon. He did say the weaknesses allow devices on the same local network to remotely execute code that causes the device to surreptitiously record all sounds within earshot and transmit them to a server controlled by attackers. He demonstrated a similar bugging vulnerability last year in competing Internet phones designed by Cisco Systems, which has since patched the underlying bugs...

The compromise begins with a booby-trapped document that when printed executes malicious code on certain models of HP LaserJet printers that have not been patched against a critical vulnerability. Once compromised, the printers connect to attack servers, creating a means for outside hackers to bypass corporate firewalls. The attackers then use the printers as a proxy to enumerate and connect to other devices in the corporate network.

Once an Avaya 9608 phone is discovered, the attackers can inject code into it that infects its firmware. The compromise, which survives reboots, activates the phone's microphone without turning on any lights or otherwise giving any indication that anything is amiss. The infected phones can be set up to record conversations only after attacker-chosen keywords are detected. Recorded conversations can be sent through a corporate network onto the open Internet, but the malware also has a secondary method for exfiltration that bypasses any devices that block suspicious network traffic. In the event that such devices are detected, the malware can turn a phone's circuit board into a radio transmitter that sends the recorded conversations to a receiver that's anywhere from several inches to 50 feet away, depending on environmental variables.
 

The larger point is that bugs in electronics firmware are notoriously easy to exploit, as a small sample of recent stories shows. Even if a target isn't using the phones or printers featured in the demonstration, chances are good that the target is using some constellation of devices that are susceptible to remote hijacking. And besides, many organizations fail to apply firmware updates, so even if a patch has been released, there's a good chance that it will never get installed on many vulnerable devices. (more)

Security Director Alert: Make sure software patching is a priority on the IT department's list. Start with this list for HP printers.

Thursday, February 21, 2013

Spykpe

A technology called Legal Intercept that Microsoft hopes to patent would allow the company to secretly intercept, monitor and record Skype calls. And it's stoking privacy concerns. (more)

We're shocked. q.v. - Yesterday's story.

Friday, January 4, 2013

Security Director Alert - VoIP Phone Eavesdropping

Murray Associates warns clients that VoIP phones are inherently less secure than the older style phones. It is one reason they advise disconnecting phones in meeting rooms until they are needed. 

Ang Cui, through his extensive research, has moved this threat from theoretical to very real. 

For in-depth information we recommend viewing his presentation. (video)

High-tech telephones common on many workplace desks in the U.S. can be hacked and turned into eavesdropping devices, researchers at Columbia University have discovered.

The hack, demonstrated for NBC News, allows the researchers to turn on a telephone's microphone and listen in on conversations from anywhere around the globe. The only requirement, they say, is an Internet connection.

Doctoral candidate Ang Cui and Columbia Professor Sal Stolfo, who discovered the flaw while working on a grant from the U.S. Defense Department, say they can remotely order a hacked telephone to do anything they want and use software to hide their tracks. For example, they said they could turn on a webcam on a phone equipped with one or instruct the phone's LED light to stay dark when the phone's microphone has been turned on, so an eavesdropping subject wouldn’t be alerted that their phone has been hacked. (more)

Sunday, November 25, 2012

Patent Wars - VoIP Wiretaps

After Microsoft acquired Skype, we looked at a Microsoft patent called "Legal Intercept" meant for monitoring and recording VoIP communications. At that time, there were questions about if Microsoft would ruin Skype by making a backdoor for easy spy and pry government and law enforcement access. But a California-based company called VoIP-Pal already had such a surveillance patent that is meant to "allow government agencies to 'silently record' VoIP communications."

The Microsoft patent was filed in December 2009, but a company called Digifonica (International) Limited had filed a similar wiretapping VoIP patent in 2007. Then, in May 2012, VoIP-Pal attained five VoIP patents from the acquisition of Digifonica Gibraltar. One of the five patents is called "Lawful Intercept" and is meant for "intercepting VoIP and other data communications." (more)

Sunday, October 21, 2012

$89.99 Wi-Fi Bug You Control With Your iPhone... from anywhere!

"WeMo Baby conveniently turns your iPad, iPhone, or iPod touch into a baby monitor so you don't have to carry an extra device to keep in touch with your baby. 

It works with your existing Wi-Fi router to wirelessly stream audio from your baby's room to your mobile device." (more)

Why is this scary?
• It will be repackaged into a covert listening device.
• Unlike previous baby-mon mods, this one is digital.
• Its signal hides among legitimate Wi-Fi signals.
• Listen in from anywhere via the Internet.
• Digitally clear audio.
• Pair with a voice activated recorder for "TiVO" spying.
• It can send text messages when it hears audio.

P.S. Although this product hasn't launched yet, Murray Associates has a detection solution ready. ~Kevin

Wednesday, July 25, 2012

Hey kids, we bought and fixed Skype just for you!

Skype has denied reports that recent changes to its architecture would make calls and messages easier to monitor by law enforcement.

Skype, a worldwide Internet-based voice and video calling service Microsoft acquired last year for $8.5 billion, said Tuesday the changes to its peer-to-peer infrastructure were done to improve the quality of service.

What it did was move "supernodes" into datacenters, Skype said. Supernodes act as directories that find the right recipient for calls. In the past, a user's computer that was capable of acting as a directory was upgraded from a node to a supernode. A node is the generic term for computers on a network. (more)

Monday, July 23, 2012

Bugging History - May 13, 1966

Photo Tag: The extent of the business in snooping devices is indicated by the growth in contrivances to detect wiretaps and "bugs". Some merely warn the intended victim, while others jam or scramble the snooping. This telephone de-bugging meter discovers any transmitter (bug) in the phone or in the lines leading to it. De-bugging devices are bought mostly by business executives who suspect espionage by competitors. (AP Photo/Robert Kradin) (more)

It was never unusual for news reporters to get the facts wrong when reporting on business espionage, bugging or general electronic snooping. It still isn't unusual. The photo actually shows how a carbon microphone from the common phone of the day could easily be replaced by one which also transmitted the voice via radio. 

Due to the simple installation, it was generally referred to as a "drop-in bug". To the untrained eye, both looked legitimate, but your ear could tell! The internal carbon granules inside the microphone sounded like sand when shaken. In order to build the bug inside the housing, the carbon had to be emptied out to allow space for the electronics and micro-mic. Those bugged mics were silent when shaken.

Another photo from the same era, shows two ways to tap a phone: the drop-in bug, and the big suction cup induction coil near the earpiece. Both seem crude by today's standards.

Most modern handsets are sealed units. Dropping anything in them is problematic. There are still a few, however, that are screwed together. 

Here are two examples of what you shouldn't see if you open one of these...

Inspecting today's telephones requires more than a trained eye, because there may not be anything to see. 

Conversations from VoIP phones travel as computer bits which may be collected far from the phone instrument. In fact, some VoIP phones transmit room audio even when they are supposedly hung up.

Other business telephone systems have many eavesdropper-friendly features built right into them, no extra hardware needed. Just program the features correctly and listen-in.

Think your phone system is bugged or tapped? Give me a call. ~Kevin

Saturday, March 3, 2012

NSA-Level Cell Phone Security (No, you can't have one.)

The US National Security Agency has modified Google’s Android operating system to create smart phones that use powerful encryption to protect every call. The “Fishbowl” devices were announced today at the RSA security conference in San Francisco by Margaret Salter, the agency’s Technical Director, who said she hoped to encourage companies to adopt some of the ideas used in the system.

Such was the interest in the NSA’s presentation that this reporter – and most others – weren't able to gain access to the room where the demo was held. Australian IT publication SC Magazine did, though, reporting that Salter said 100 Fishbowl phones are being used to test the new technology. The Fishbowl phones allow fully encrypted calls that can be used to discuss the most classified information. Commercially available phones would require NSA employees to “speak in code”, SC say.
 
The NSA has made rough specifications of the system available online. They show that Fishbowl phones make calls using a Skype-style VOIP app that routes connections through NSA servers. (more)

Monday, February 13, 2012

Video: Multi-Billion Dollar Industrial Espionage Explained



Real Life Example: Titanium dioxide is a commonly used substance. It is in paint, but also shows up in sunscreen and food coloring. Hundreds of thousands of tons are shipped around the world every year.

Decades ago, DuPont developed secret processes to make high-quality titanium dioxide in a manner that is less toxic than the traditional production method. The process, which made it the most efficient maker in the world, is a closely held trade secret. Global sales of the product, which is dominated by DuPont, are $12 billion annually.

Titanium oxide makers in China use an older, more toxic, less efficient manufacturing process. But in 2010, Jinzhou Titanium Industry announced that it had achieved high-quality status production like DuPont. That claim may be tied to the apparent theft of DuPont trade secrets. (more)

Monday, January 23, 2012

Security Director Alert: Eavesdropping via Video Teleconferencing

Covertly eavesdropping on boardroom chit chat using the teleconferencing system is not new. We've been demonstrating (and correcting) this problem for our clients for years. The vulnerability, however, has finally received some publicity. 
Result: Expect more attempts to access video teleconferencing systems.
Recommendations: Turn off the autoanswer feature on your teleconferencing system. Make sure your system is behind a firewall.

FREE offer: The full Murray Associates Video Teleconferencing Security Checklist is available to corporate security directors (only) at no charge. Contact me here, and get our Off-Site Meeting Checklist, too!

via The New York Times...
One afternoon this month, a hacker took a tour of a dozen conference rooms around the globe via equipment that most every company has in those rooms; videoconferencing equipment...the hacker was HD Moore, a chief security officer at Rapid7, a Boston based company that looks for security holes in computer systems...Mr. Moore has found it easy to get into several top venture capital and law firms, pharmaceutical and oil companies and courtrooms across the country...

“These are literally some of the world’s most important boardrooms — this is where their most critical meetings take place — and there could be silent attendees in all of them.” 

New systems are outfitted with a feature that automatically accepts inbound calls so users do not have to press an “accept” button every time someone dials into their videoconference. The effect is that anyone can dial in and look around a room, and the only sign of their presence is a tiny light on a console unit, or the silent swing of a video camera. 

Two months ago, Mr. Moore wrote a computer program that scanned the Internet for videoconference systems that were outside the firewall and configured to automatically answer calls. In less than two hours, he had scanned 3 percent of the Internet. 

In that sliver, he discovered 5,000 wide-open conference rooms at law firms, pharmaceutical companies, oil refineries, universities and medical centers. He stumbled into a lawyer-inmate meeting room at a prison, an operating room at a university medical center, and a venture capital pitch meeting where a company’s financials were being projected on a screen. 

Among the vendors that popped up in Mr. Moore’s scan were Polycom, Cisco, LifeSize, Sony and others. Of those, Polycom — which leads the videoconferencing market in units sold — was the only manufacturer that ships its equipment — from its low-end ViewStation models to its high-end HDX products — with the auto-answer feature enabled by default. (more)

Tuesday, December 27, 2011

VoIP Phone Eavesdropping Prevention Tips

via Mike Chapple, Network Security
Every organization considering a Voice over Internet Protocol (VoIP) telephone system deployment hears the same dire warnings: “Routing voice calls over a data network exposes calls to eavesdropping.” 

While it’s certainly true that any telephone call carries a certain degree of eavesdropping risk, is it true that VoIP calls have an inherently higher degree of risk? In this tip, we explore the ins and outs of VoIP eavesdropping.

VoIP eavesdropping is possible
First, it’s important to be clear about one thing: It is absolutely possible to eavesdrop on a VoIP telephone call. It’s also possible to eavesdrop on a telephone call placed using the traditional public switched telephone network (PSTN). The difference lies in the tools and skill set needed to conduct the eavesdropping. (more)

Monday, December 26, 2011

VoIP Phone Tap Taps

Tapping a VoIP phone line isn't difficult... via Janitha

Here's a quick background on what's going on. In 10/100 twisted pair ethernet networks, only two of the four pairs of wires are actually used for data transmission. From a computer's perspective, the orange pair is for RX and the green pair is for TX. The passive splice tap works by connecting a sniffer's RX to either the RX or TX of the wire being sniffed. By having two RX interfaces on the sniffer, you can capture full duplex traffic on the wire.

Recipe
Before starting, you will need the ingredients for a passive splice tap: two punch-down type 8P8C (aka RJ45) IDC connector jacks, a punch-down tool, two regular pass-through ethernet cables, a sharp knife, clear tape, and an alibi. You also need a laptop to log the data with two ethernet interfaces (two USB to ethernet adapters will do the job). Now for the instructions.

First take the cable you want to tap and cut the casing long ways a few inches to expose the 4 pairs of wires inside. Isolate the green and the orange pair of twisted wires.



Next, take one of the jacks and find the orange and orange-white connectors (they will look like two blades with a gap between). Put the jack perpendicular to the orange pair of wires. Now punch down the orange wire into the orange connector, and the orange-white wire into the orange-white connector. Take another jack and repeat the process, but this time punch the green wire into the orange connector, and the green-white into the orange-white connector.



At this point, the tap is physically done. Yes, it's that simple. Now connect each of the jacks to the ethernet interfaces on the laptop using the two regular ethernet cables. The sniffer laptop will be like 'wtf mate' and fail at auto-negotiating a link since only the RX wires are hooked up. So bring the two interfaces up manually in promiscuous mode (if in *nix, use ifconfig with the promisc switch).

Finally, fire up wireshark or your favorite packet sniffer. If you are using wireshark, select capturing on the 'Any' interface as we want to capture data on both ethernet adapters at the same time. If the sniffer app does not have an 'any' interface, simply start two instances and capture the two interfaces separately. Furthermore, you can bond the two interfaces so you can treat the full-duplex as a single interface if you have that much free time.

Or, you can make one of these.







Why do I mention it?
Because I too often hear, "Can they really tap a digital phone?"

Wednesday, November 16, 2011

Hiding Secret Data in VoIP Phone Calls

Researchers have devised a new scheme for hiding secret data within VoIP packets, making it possible to carry on legitimate voice conversations while stolen data piggybacks on the call undetected, making its way to thieves on the outside.

Called transcoding steganography or TranSteg, the method calls for setting a larger-than-necessary payload space in VoIP packets and using the extra room to carry covert messages. In their experiment the researchers could send 2.2MB of covert data in each direction during an average seven-minute phone call.

As with all steganography, the objective is to deliver covert data without raising suspicions that a secret message even exists. (more)