Full Disclosure mailing list archives
Re: Cisco IP Phone vulnerability
From: "Shawn Merdinger" <shawnmer () gmail com>
Date: Mon, 2 Apr 2007 09:42:18 -0600
On 3/31/07, J. Oquendo <sil () infiltrated net> wrote:
> -----BEGIN LSD SIGNED MESSAGE-----
> Infiltrated.net Security Advisory: Cisco IP Phone Denial of Service
> http://www.infiltrated.net/ciscoIPPhone7960.html
> Revision 6.9

Hi,

If I may suggest, there could be other "root causes" here. This report below is quite a read, both content and length, and is most certainly no joke. Though (in the waning spirit of April Fool's Day) I suppose a little fun can be had...for instance, the rationale for why maddox.xmission.com is not an acceptable home page for emergency relief worker laptops still eludes me. After all, it's "The Best Page in the Universe" is it not? Or, perhaps you've pondered what is the most "politically correct" manner for expeditiously dispatching crystal meth addicts coming down from their high in scenic Pearlington, Mississippi after hurricane Katrina? Read on intrepid souls...

http://www.nps.navy.mil/DisasterRelief/docs/NPS-Katrina_AAR_LL.pdf

HASTILY FORMED NETWORKS FOR COMPLEX HUMANITARIAN DISASTERS AFTER ACTION REPORT AND LESSONS LEARNED FROM THE NAVAL POSTGRADUATE SCHOOL'S RESPONSE TO HURRICANE KATRINA
1 - 30 September 2005

Authors
Brian Steckler (NPS Faculty)
Bryan L. Bradford, Maj, USAF (NPS Student)
Steve Urrea, Capt, USMC (NPS Student)

<begin opinionated drivel>

Typical Question: "Should we worry about VoIP phone security posture and resistance to real-world attack?"

Typical Answer: "VLANs. VoIP phones way inside the perimeter and untouchable. Nothing to see here. Move along. Last call. Thanks for stopping by."

Perhaps not...

Unfortunately, somehow essential security concepts, for example, "attackers will target your weakest points" and "attacker physical access can very well equal game over" seem largely absent from the dialog when it comes to the security posture of many VoIP phones (wifi, desktop, dual-mode). The evident issues thus far, from basic stability to über-l4m3 low-hanging fruit, are the proverbial canaries in the coal mine; a love-tap compared to the beating looming on the horizon unless lots more folks with skin in this game get "eyes on target" to past, present and emerging risks/threats/vectors/mitigation/security QA, etc.

Clearly the gloves are coming off, and it's not a stretch to imagine something, oh say, as obscure as the forthcoming Apple iPhone (or several) up for "PWN to OWN" right next to the Mac laptops (and who knows what else) at some security conference soon, perhaps this summer in that quaint and charming little desert town? Hrm, if Apple wanted to "reach out to the security community" I suppose DR might consider penciling in some time at Cansecwest for an iPhone lovefest [1]. After all, didn't Window Snyder recently mention something about who in the game these days seems to 0wn the little things that mean so much, like "power" and "control" and "time" [2] -- maybe the "lumps now better than lumps later" approach is a feasible tactic and <gasp> makes good business sense? Eh, what do I know? Were I really smart I would've learned how to play golf and gone into marketing.

Nevertheless, as with any gear, be it a hillbilly-armor Humvee or VxWorks Mars Lander, time will tell if VoIP phones, and recent/upcoming emergency communication offerings are up to the challenge and can truly "cut the fog" of chaos when the sh*t hits the fan. I really hope that when the rubber tires on all those fancy Jack Bauer wannabe suburbans [3] hit the road and get to where they need to go, that the packets also hit the wire the way they should, and the right people get the right information at the right time so they can make the right decisions...you know, like it happens on 24.

So as we chuckle away yet another April Fool's Day, with many of us sitting in comfy homes with full bellies, waiting for our $700 Playstation 3 to catch fire and burn the house down (just wait until they start getting dusty - "dude, is that smoke?"), I humbly suggest that we try to understand the true costs and implications of security/quality issues affecting VoIP phones, and of course all the other pieces of this shifting, opaque puzzle of madness and amusement.

Requisite bottom line: VoIP phones have emerged as a critical tool that's going into people's hands in demanding situations when communication matters most and circumstances are the least forgiving. There must be clear, tangible, and enforceable obligations in conjunction with truly independent and on-going security evaluation to ensure mission-critical VoIP phones are resistant to real-world attacks. Failure to take decisive action may very well end up costing more in human misery and property loss than the proactive investment to ensure reasonably secure posture in VoIP phones.

<end opinionated drivel>

Btw, thanks for sharing the new VoIP security tools at your site <www.infiltrated.net>, and we'll get them added asap to the VOIPSA VoIP Security Tool List <http://www.voipsa.org/Resources/tools.php> :-)

Kind regards,
--scm

Shawn Merdinger
Independent Security Researcher
voipninja.com

Notes:
[1] <shameless plug> Voipninja.com is accepting sponsorship of Voipninja research staff to attend select conferences – potential ROI/deliverables include trip report, out-brief, and respectable bar tabs </shameless plug>
[2] http://news.zdnet.com/2100-1009_22-6170219.html
[3] http://cms.firehouse.com/content/article/article.jsp?sectionId=46&id=54007