June 18, 2012

Bypass VoIP physical access controls

Lately I was performing a penetration test of a physical access control (a door intercom) based on VoIP. From a little research I did, I see some resemblances between physical access controls of this kind:
1. The functionality is pretty limited, e.g. no support for secure authentication.
2. No ability to use SRTP, which would protect the media stream against MiTM attacks.
3. Their security relies on the mechanisms of the PBX.
As you may already understand, these endpoints are not secure by design.

What is DTMF?
In telephony, the tones produced by pressing keys are called DTMF (Dual-Tone Multi-Frequency). In VoIP these tones are sent over the RTP (Real-time Transport Protocol) session that is established after the SIP negotiation, either in-band as audio samples or as RFC 4733 telephone-event packets (still widely referred to by the number of its predecessor, RFC 2833); some phones send them out of band in SIP INFO messages instead.

Privileged physical access scenario
When a visitor arrives at a door, he needs to call the reception in order to be let in. Behind the scenes, the physical access control calls the reception; if the reception picks up the phone, a SIP negotiation is performed and an RTP session is started. Over this session, the reception phone sends a DTMF tone (mostly the tone that represents the digit 0) to the physical access control, which opens the door when it receives that specific tone.

Attack scenario #1 - Forged call
If the PBX in the organization allows calls to the physical access control, then a malicious user can call the control from any phone and send the required DTMF tone in order to open the door. One precondition: in many cases the physical access control has an automatic answering mechanism, and the attack works only when it is enabled; if it is disabled, in most cases there is nothing to do. Hence, in this case I would suggest blocking calls to the physical access control in the PBX dial plan.
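As an added example (my configuration, not from the original post), here is how blocking calls to the door could look in an Asterisk dial plan. It assumes the PBX is Asterisk, the door device is the PJSIP endpoint `door` reachable on extension 200, and the reception phone is extension 100. The first context shows the weak setting (any internal phone can ring the door and send the opening tone); the second lets only the reception reach it, which is enough because the door itself initiates the calls to reception.

```ini
; extensions.conf, weak: any internal phone can ring the door and send DTMF 0
[internal-weak]
exten => 200,1,NoOp(door intercom)
 same => n,Dial(PJSIP/door,20)
 same => n,Hangup()

; extensions.conf, hardened: only the reception phone (extension 100) may call the door;
; everyone else is rejected before the call, and therefore the RTP session, is set up
[internal]
exten => 200,1,GotoIf($["${CALLERID(num)}" = "100"]?allowed)
 same => n,NoOp(Rejected call to door from ${CALLERID(num)})
 same => n,Hangup(21)
 same => n(allowed),Dial(PJSIP/door,20)
 same => n,Hangup()
```

This check is only as strong as CALLERID(num): configure `callerid=` on each PJSIP endpoint so the PBX assigns the number from the authenticated endpoint rather than taking it from the From header the phone sends. It does not help against attack scenario #2, where the attacker never asks the PBX for a call at all.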

Attack scenario #2 - MiTM
This scenario is possible when the VoIP network is not separated from the LAN, or when the malicious user can connect to the VoIP VLAN of the organization. In that case a man-in-the-middle position is useful once the RTP session has been established. Note that many physical access controls offer several stored numbers to dial; the attacker selects one of them at the door, and once the call is set up, injects the DTMF tone into the RTP session toward the door, which opens it even though the called party never agreed to open the door. This attack requires some resources, e.g. writing an Ettercap filter or a short C# program using TAPI (Telephony API).
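The DTMF signalling described above, and the injection step of this MiTM scenario, can be seen concretely in the following added example (my code, not from the original post). It builds the RTP packets an endpoint sends for one key press as an RFC 4733 telephone-event (event code, end bit, volume and duration inside a plain RFC 3550 RTP header) and decodes a stream of such packets back into digits; the same decoder can be pointed at a capture of the RTP stream toward the door to see who is sending the opening tone. Payload type 101, the SSRC, sequence numbers, timestamps and the 8 kHz / 20 ms packetisation are assumed values, as is the sample stream at the bottom.

```python
"""RFC 4733 telephone-event (DTMF) over RTP: build one key press, decode a stream."""
import struct

DTMF_EVENTS = "0123456789*#ABCD"  # RFC 4733 event codes 0..15
TELEPHONE_EVENT_PT = 101          # dynamic payload type; assumed to be what SDP negotiated


def build_rtp_packet(pt, seq, timestamp, ssrc, payload, marker=False):
    """RFC 3550 header (version 2, no padding, no extension, no CSRC) + payload."""
    b0 = 0x80
    b1 = (0x80 if marker else 0x00) | (pt & 0x7F)
    header = struct.pack("!BBHII", b0, b1, seq & 0xFFFF,
                         timestamp & 0xFFFFFFFF, ssrc & 0xFFFFFFFF)
    return header + payload


def build_dtmf_payload(digit, duration, end=False, volume=10):
    """RFC 4733 telephone-event: event(8) | E(1) R(1) volume(6) | duration(16)."""
    event = DTMF_EVENTS.index(digit)
    flags = (0x80 if end else 0x00) | (volume & 0x3F)
    return struct.pack("!BBH", event, flags, duration & 0xFFFF)


def dtmf_key_press(digit, seq, timestamp, ssrc, pt=TELEPHONE_EVENT_PT, step=160, steps=5):
    """Packets a sender emits for one key press (assumed 8 kHz audio, one packet per
    20 ms, i.e. 160 timestamp units): the first packet carries the marker bit, the
    duration grows with each update, the timestamp stays at the event start, and the
    final end packet is sent three times, as RFC 4733 recommends."""
    packets = []
    for i in range(1, steps + 1):
        payload = build_dtmf_payload(digit, i * step)
        packets.append(build_rtp_packet(pt, seq, timestamp, ssrc, payload, marker=(i == 1)))
        seq += 1
    end_payload = build_dtmf_payload(digit, steps * step, end=True)
    for _ in range(3):
        packets.append(build_rtp_packet(pt, seq, timestamp, ssrc, end_payload))
        seq += 1
    return packets


def parse_rtp(packet):
    """Decode an RTP header, skipping the CSRC list, header extension and padding."""
    if len(packet) < 12:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    offset = 12 + 4 * (b0 & 0x0F)
    if b0 & 0x10:  # header extension present: 16-bit profile, 16-bit length in words
        (ext_words,) = struct.unpack("!H", packet[offset + 2:offset + 4])
        offset += 4 + 4 * ext_words
    payload = packet[offset:]
    if b0 & 0x20 and payload:  # padding: last byte holds the padding length
        payload = payload[:max(len(payload) - payload[-1], 0)]
    return {"marker": bool(b1 & 0x80), "pt": b1 & 0x7F, "seq": seq,
            "timestamp": ts, "ssrc": ssrc, "payload": payload}


def extract_dtmf(packets, pt=TELEPHONE_EVENT_PT):
    """Digits signalled in a stream. A digit is counted once, on its first end packet;
    the retransmitted end packets share the event's timestamp and are ignored."""
    digits, ended = [], set()
    for raw in packets:
        p = parse_rtp(raw)
        if p["pt"] != pt or len(p["payload"]) < 4:
            continue  # audio or unrelated payload type
        event, flags, _duration = struct.unpack("!BBH", p["payload"][:4])
        key = (p["ssrc"], p["timestamp"])
        if flags & 0x80 and key not in ended:
            ended.add(key)
            digits.append(DTMF_EVENTS[event] if event < len(DTMF_EVENTS) else "?")
    return "".join(digits)


if __name__ == "__main__":
    # Constructed sample: the reception phone (assumed SSRC 0x12345678) sends the opening digit 0.
    stream = dtmf_key_press("0", seq=1000, timestamp=48000, ssrc=0x12345678)
    print("digits seen:", extract_dtmf(stream))
```

An attacker in the MiTM position injects exactly such a sequence into the stream the door is receiving, reusing the SSRC of that stream and a sequence number ahead of the legitimate sender's; a defender can run extract_dtmf over a capture and alert when the opening digit arrives from any source other than the reception phone. The decoder only covers telephone-event packets: in-band DTMF (tones carried as audio samples) needs tone detection on the audio, and SIP INFO needs signalling inspection.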

Attack scenario #3 - DoS
Most physical access controls run on weak computing resources. If the malicious user has a network connection to the device, he can perform a DoS pretty easily, e.g. by sending a lot of requests (I did this with approximately 500 requests to the administration interface in a few minutes). As a result, the physical access control won't open the door any more, and until it is reset, employees would have to keep the door open.

In conclusion, physical access controls should be security tested in order to minimize their attack surface.

June 13, 2012

Recursive bot herder attack

DDoS attacks are known as massive attacks that are controlled by a C&C (command & control) center, a.k.a. the bot herder. These bot herders control thousands of bots, hence I believe that they might be a good attack target for "smarter" attackers.

What is recursive DDoS?
The perspective of infecting endpoints is well known; however, I believe that the real targets that should be attacked are the bot herders. The main idea of this attack is illustrated in the following image:
The main idea behind the attack is that the "recursive bot herder" infects the "bot herders" on the internet, which leads to control of many bot networks. The infection scenarios will be explained later in this post.
Moreover, I call this attack "recursive" since not only can bot herders be controlled by the recursive bot herder, but recursive bot herders can also be controlled by other recursive bot herders; see the example below:

On one hand, C&C centers are mostly distributed across many IP addresses, which most of the time also change. In this case, the infection of the bot herders must be accomplished within a specific window of time. On the other hand, if the IP addresses of the bot herders do not change (too bad for them), the attack surface is bigger, since there is more time to attack the server.

Bot herders attack vectors
There are many ways to infect bot herders, ranging from the traditional ways in which bots themselves are spread to attacks on the administrative consoles (some of which are web-based).

In conclusion, this attack is theoretical, but not science fiction, since technically it is possible. In addition, I believe that this attack has already been executed partially (without recursive control) without anyone knowing it.