Recently, while researching the viability of wireless VoIP phones, I stumbled upon a security tool called VoIP Hopper. It is a very interesting tool that mimics the behavior of an IP Phone. The attack process begins with VoIP Hopper scanning for Cisco Discovery Protocol (CDP) packets. If CDP packets are found and the Voice VLAN (VVLAN) feature is enabled, VoIP Hopper can determine the ID of that VLAN. This allows VoIP Hopper to create a new Ethernet interface that will communicate with the previously found VVLAN. Next VoIP Hopper will instigate a DHCP handshake and if successful it's pretty much "game over and match."
The significance of this tool did not really register until I started reading articles from the just concluded ToorCon9 conference. This Wired article from October 21, 2007 describes the attack venue used to gain access to a hotel's data network via the Cisco VoIP network. In the Wired article, John Kindervag and his partner Jason Ostrom-security experts at ToorCon9-mentioned that:
"The whole catalyst behind VoIP Hopper is we were in a hotel room with a Cisco phone. We were (able to get) into the (hotel's) corporate network and got access to their financial and corporate network and recorded other phone calls."
Normally VoIP phones connect to separate switches or special VLANs on data network switches, both of which belong to the corporate internal network. Up until now, not much thought has been given to isolating VoIP VLANs from internal data VLANs. After news of this exploit, setting up a firewall between VoIP and data networks will become just as important as controlling the Internet perimeter and guest access.
One attack avenue that was not mentioned is using wireless VoIP phone systems. Being a wireless security junkie, I realized that not requiring a wired connection provides many more opportunities to gain network access, especially if the coverage area extends past the secured physical perimeter. VoIP Hopper is just one more reason why wireless data networks should be considered un-secure and fire-walled. Using strong encryption/authentication techniques are also obvious requirements. With these best practices in place, attack venues like VoIP Hopper should not be a concern.
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.