Fun with Phones. Phreaking, Fraud, Scams, and the Next Generation of Telephony Problems. Leigh Honeywell TASK.to 2006

Transcription

1 Fun with Phones Phreaking, Fraud, Scams, and the Next Generation of Telephony Problems Leigh Honeywell TASK.to 2006

2 Old School Phreaking Beige Boxing: the use of a butt set to make calls on another person's line Red Boxing: the sounds of coins dropping (played the system chimes, not the actual sound of the coins) Even exists for PalmOS - RedPalm Blue Boxing: more complex system tone generation Orange Boxing: generates the FSK tones to set the caller ID

3 Those were the days...* Blue and Red boxes tend to not work anymore You do still see the old Centurion payphones around from time to time Credits to: *not that I was around for the days

4 Other PSTN Stuff Breaking into Voic Wardialing TDD Relay Pranks Malware Dialers Other kinds of Toll Fraud Cloning: Cordless Phones and Cellular

5 The Sordid History of Premium Rate Numbers Used legitimately for dating lines, phone sex, and... weather Interesting scams such as enticing kids to call them on TV Then came the dialers: software surreptitously installed on a user's computer to dial when they weren't online A variation: high-cost Caribbean numbers

6 Local Premium Rate Scams NPA-900-XXXX and NPA-976-XXXX numbers are premium Many people don't know this The missed-call trick... Expect to see more of this in the future, targetting cell phone users.

7 And then there was VOIP Issues VOIP as Target Consumer VOIP: Voice over the Net Skype Gizmo zphone SIP and IAX Providers Enterprise VOIP: Voice on the LAN (and off too) If it's on the Internet you're in trouble... VOIP as Vector Next-Generation Phishing SPIT

8 911 and VOIP Many VOIP phones are independent of geography; this makes 911 problematic Many services rely on a call centre which redirects to the appropriate location Others tell you you're on your own

9 Skype Peer-to-peer IP-to-IP and IP-to-Landline by default Can also do inbound with US DID's for a fee Proprietary, unaudited encryption Uses timing verification to foil analysis with GDB No 911 No Lawful intercept

10 Gizmo Project Solves some of Skype's problems Can connect to SIP PBXs such as Asterisk at the same time as an IM-style buddy list

11 zphone Source code available DH Key exchange Firewalls your RTP stream and does the encryption before it sends it back out Doesn't prevent pattern analysis Similar in spirit to the Cryptophone project which does something similar over the PSTN

12 VOIP Termination Providers Many providers still working out bugs of selling VOIP termination Most well-known casualty, LiveVOIP, bankrupt over $300,000 in toll fraud Many providers limit calling to certain jurisdictions Termination providers are on the Internet, so vulnerabilities in the software they use (Asterisk, SER, commercial softswitches) can translate directly to financial losses

13 Enterprise VOIP: Voice on the LAN Andrew has most of this covered A quick look at some tools and methods for breaking stuff...

14 Hacking the Enterprise Some things can be accomplished by identifying the system based on the voic prompts, just like a POTS PBX Google Hacking VOIP: PBXs on the net Phones on the net Passwords are often default Some phones even have packet capture built into the web interface (SNOM)

15 Enumeration Several ways to collect users SIP UA TFTP fun there are many common config names SNMP sniffing Have a look at SiVuS and SIPSCAN Now that an attacker has the users... in comes the spam Countermeasures: Change default passwords! Keep your phones off the Net!

16 MITM and Eavesdropping Fun tools: Cain and Abel Ethereal / Vomit

17 DOS Several things can be spoofed to cause DOS Phone reboot MWI One could also change the ringtone...

18 VOIP Phishing Several variations on this idea, only a few seen in the wild Basic premise is that people trust phones more than the Net Several structures: asking a user to call a # Phone call asking a user to call a # back SMS requesting a phone call to a provided # At BlackHat this summer an even tricker attack was proposed...

19 BlackHat Phishing Demo Cook up the best Company you can Include a phone number for the user to call That number points to your PBX, which records the call and forwards it to the real Company IVR The user is probably familiar with that IVR, so they probably won't suspect a thing! The same thing could be done originating with SMS

20 Pretty Picture Shamelessly lifted from Jay Schulman's BH talk

21 Another Pretty Picture

22 SPIT Spam over IP Telephony Minimal cost of IP to landline termination in the North American market combined with cheap labour overseas means it's now cost-effective to spam people by calling them It's even cheaper to just play pre-recorded messages The only ways we're going to be able to combat this: Regulation Providers shutting down problem accounts

23 Resources Schulman and Endler VOIP talks from BH 2006 a quick search will turn these up in PDF form - SIP- SCAN - VOMIT - SiVuS VOIP Security Alliance useful mailing list and blog.