June 18, 2012

Bypass VoIP physical access controls

Lately I was performing penetration test to a physical access control, which based on VoIP. From a little research that I done, I see some resembles between physical access controls:
1. The functionality is pretty low, e.g. not supporting secure authentication.
2. No ability to use SRTP, which can protect against MiTM attacks.
3. Based on security mechanisms in the PBX.
As far as you may already understand, these endpoints are not secured by design.

What is DTMF?
In VoIP telephony systems, the tones that are dialed called DTMF (Dual-Tone Multi-Frequency). These tones are sent over the RTP (Real-Time Protocol) session, which is generated following SIP negotiation.

Privileged physical access scenario
When visitor arrives to a door, he needs to call the reception in order to allow him the access. The technical explanation behind the scenes is that the physical access control calls the reception, then if the reception picks up the phone, a SIP negotiation is performed and RTP session is started. In this session, the reception phone sends a DTMF (mostly the tone that represents the number 0) to the physical access control, which opens the door if it receives the specific DTMF.

Attack scenario #1 - Forged call
If the PBX in the organization allows calls to the physical access control, then a malicious user can call this control and send the required DTMF in order to open the door. It is not enough though, is many cases the physical access control allows automatic answering mechanism. If this mechanism is disabled, in most cases there is nothing to do. Hence, in this case I would suggest blocking calls to the physical access control using the PBX.

Attack scenario #2 - MiTM
This scenario can be accomplished in case that the VoIP network is not separated from the LAN or in case that the malicious user can connect to the VoIP VLAN on the organization. In this case, a man in the middle attack can be useful following RTP session is initiation. Note: Many physical access controls include multiple choices for dialing (stored numbers).  In this case, the call will be initiated and then the DTMF will be sent over this session, which will open the door, even though the recipient does not agree to open the door. This attack requires resources, e.g. develop filter for the EtterCap or write a short C# program using TAPI (Telephony API).

Attack scenario #3 - DoS
Most of the physical access controls are based on weak computing resources. If the malicious user has a network connection to this device, then he can perform DoS pretty easily, e.g. by sending a lot of requests (I did this with approximately 500 requests to the administration interface in few minutes). As a result, the door won't open by the physical access control, however until the reset of it, employees would have to keep the door open.

In conclusion, the physical access controls should be security tested in order to minimize the attack surface of them.

1 comment:

  1. Door access control systems are used to grant authorization to persons/vehicles, thereby providing restricted access in and out of a concerned place. These systems are
    highly advantageous compared to the conventional locking and monitoring systems.

    door access control system
    keyless entry door
    electronic door lock
    elevator access control
    elevator keyless entry
    door locks