Friday, October 24, 2008

Analysis of a VoIP Attack

Klaus Darilion published an interesting paper explaining what happened to German VoIP users and how to mitigate it. I suggest that you read it. It looks like attacks are becoming more and more widespread and mainstream.


Monday, January 21, 2008

Vishing alarming rise


As phishers keep searching for new ways to dupe their victims into submission, they will eye VoIP more and more. Check out this The Register article, in which the FBI issued a new warning. Nothing really new from a security (social engineering) perspective.

image stolen from blogantivirus


Tuesday, October 30, 2007

More on INVITEing phones to ring

This is a follow up on a previous post.

Apart from using a softphone, you can make use of svmap.py (part of SIPVicious tool suite) to reproduce the behavior:
./svmap.py -m INVITE 192.168.1.4 -p5061
Where 192.168.1.4 is the IP of the SIP phone and 5061 is the SIP port of the phone. For a ghost call effect, if you have a network with all SIP phones listening on port 5060, you can just run the following to get them to ring at the same time:
./svmap.py -m INVITE 192.168.1.1/24
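The behaviour above works because the phones accept an INVITE from any source, not just from the proxy they registered with. As an added example (not code from this post or from the SIPVicious suite), the following check flags INVITEs that did not arrive from the configured proxy, which is the signal a phone or a monitoring sensor would use to drop or log such ghost calls. It assumes a proxy at 192.168.1.10 and uses constructed SIP messages.

```python
"""Flag SIP INVITEs that did not come from the phone's configured proxy.

Constructed example; not from the original post or from SIPVicious.
Assumed: the phone registers to proxy 192.168.1.10, so legitimate INVITEs
arrive from that address only (plain-text SIP over UDP, no TLS).
"""
from dataclasses import dataclass

TRUSTED_PROXIES = {"192.168.1.10"}  # assumption: the phone's registrar/proxy
# RFC 3261 compact header names, so "v:" is recognised as "Via:" etc.
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "m": "contact"}

@dataclass
class SipRequest:
    method: str
    request_uri: str
    headers: dict  # lower-case header name -> first value seen

def parse_sip_request(raw: str) -> SipRequest:
    """Parse the request line and header section of a SIP request."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method, uri, version = lines[0].split(" ", 2)
    if version.strip() != "SIP/2.0":
        raise ValueError(f"not a SIP/2.0 request: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        if line == "":  # blank line ends the header section
            break
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers.setdefault(COMPACT.get(name, name), value.strip())
    return SipRequest(method.upper(), uri, headers)

def unsolicited_invites(events):
    """events: iterable of (source_ip, raw_sip_message). Returns one finding per
    INVITE whose source is not a trusted proxy, i.e. a call sent straight to the phone."""
    findings = []
    for src_ip, raw in events:
        req = parse_sip_request(raw)
        if req.method != "INVITE" or src_ip in TRUSTED_PROXIES:
            continue
        findings.append({"src": src_ip, "from": req.headers.get("from", "?"),
                         "via": req.headers.get("via", "?"),
                         "call_id": req.headers.get("call-id", "?")})
    return findings

# Constructed sample: one call relayed by the proxy, one sent directly to the phone.
SAMPLE = [
    ("192.168.1.10", "INVITE sip:201@192.168.1.4 SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.10;branch=z9hG4bK1\r\nFrom: <sip:202@example.com>;tag=a1\r\nTo: <sip:201@example.com>\r\nCall-ID: c1@192.168.1.10\r\nCSeq: 1 INVITE\r\n\r\n"),
    ("192.168.1.55", "INVITE sip:192.168.1.4 SIP/2.0\r\nv: SIP/2.0/UDP 192.168.1.55;branch=z9hG4bK2\r\nf: <sip:100@192.168.1.55>;tag=b2\r\nt: <sip:192.168.1.4>\r\ni: c2@192.168.1.55\r\nCSeq: 1 INVITE\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in unsolicited_invites(SAMPLE):
        print("unsolicited INVITE:", finding)
```

The same source check is what a phone configured to accept calls only from its proxy applies before ringing; the monitoring form simply logs instead of rejecting.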

Updated list of softphones tested and exhibiting this behavior:
  • WengoPhone **
  • X-lite release 1011b
  • SJPhone 1.65.377a
  • Ekiga 2.0.11 (beta)
  • Yate
  • SIP Communicator
Some VoIP phones (hardware) were also tested and exhibit this behavior as well:
  • GrandStream GXP 2000
  • Grandstream BT100
  • Aastra 480i
  • Aastra 9133i
  • Polycom IP330
  • Cisco CP7940G*
  • Lancom VP 100*
  • Linksys SPA 921*
* Requires a valid extension
** Requires valid extension or no extension


how (not) to get your ex back

Just uploaded a short story showing how an unsolicited user can phone up a victim by knowing (or finding out) the IP and port of the victim's VoIP phone. This story ties in with what we've been discussing in a previous blog post.

You may check out the story here.
