As shown in Figure 23-1, there are many attack paths against an IP phone, including a connection through the network or through the integrated switch port to which a PC is attached. Corrupted images and altered configuration files can sabotage the IP telephony environment. Further attacks can be launched from an infiltrated IP phone, which is generally trusted and has access to the network. Physical access to the IP phone can be misused to violate the integrity of the phone and the privacy of its user. Information can also be gathered by browsing to the IP phone's built-in web server. In addition, IP phone conversations are vulnerable to various attacks once the network has been infiltrated, so the privacy of calls must be protected.
Figure 23-1. Attacks Against IP Phone Endpoints
Endpoints are a common target of attacks because they are usually less protected than strategic devices, such as servers or network infrastructure devices. If an attacker gets control of an endpoint, such as an IP phone, the attacker could use that device as a jumping-off point for further attacks. Because the endpoints are trusted devices and have certain permissions in the network, an attacker can use them to target devices that they would not be able to reach directly. To get control of an IP phone, an attacker could try to modify the image and configuration file (for example, by spoofing the TFTP server or by replacing the file on the TFTP server itself or while in transit).
Another major threat is eavesdropping on conversations. If an attacker has physical access to the IP phone, the attacker can "tap the wire," either by connecting between the IP phone and the switch or by connecting to the PC port of the IP phone. If the attacker does not have physical access to the IP phone or its network connection, the attacker could launch a man-in-the-middle attack from any network between two communicating endpoints. In a man-in-the-middle attack, the attacker pretends to be a neighboring system (such as the default gateway when the communication is between two IP networks or a peer on the same IP network) and, hence, receives all packets. A common type of man-in-the-middle attack is to use gratuitous Address Resolution Protocol (ARP) for redirection of packets at the MAC address layer.
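The gratuitous ARP redirection described above leaves a trace a practitioner can check for: an IP address that was bound to one MAC address in earlier ARP replies is suddenly announced from another. The following is an added example, not code from the book or from Cisco, that parses raw Ethernet/ARP reply frames and flags such rebinding, giving higher severity when the rebound address is one the operator marked as critical (the default gateway here). All MAC and IP addresses are constructed for the sample; the frame builder exists only to fabricate that sample traffic offline.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


@dataclass(frozen=True)
class ArpReply:
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    @property
    def gratuitous(self) -> bool:
        # A gratuitous ARP announces the sender's own address: sender IP == target IP.
        return self.sender_ip == self.target_ip


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Build a raw Ethernet II + ARP reply frame (only used to construct sample traffic)."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    tmac = bytes.fromhex(target_mac.replace(":", ""))
    sip = bytes(int(o) for o in sender_ip.split("."))
    tip = bytes(int(o) for o in target_ip.split("."))
    eth = tmac + smac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY) + smac + sip + tmac + tip
    return eth + arp


def parse_arp_reply(frame: bytes) -> Optional[ArpReply]:
    """Return the ARP reply carried by an Ethernet II frame, or None if it is not one."""
    if len(frame) < 42:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    return ArpReply(_mac(frame[22:28]), _ip(frame[28:32]), _mac(frame[32:38]), _ip(frame[38:42]))


class ArpSpoofDetector:
    """Track IP->MAC bindings seen in ARP replies and flag rebinding of any address."""

    def __init__(self, protected_ips):
        self.protected = set(protected_ips)   # addresses whose hijack is critical (gateway, servers)
        self.bindings: Dict[str, str] = {}

    def observe(self, reply: ArpReply) -> Optional[str]:
        known = self.bindings.get(reply.sender_ip)
        if known is None:
            self.bindings[reply.sender_ip] = reply.sender_mac   # first sighting becomes the trusted binding
            return None
        if known == reply.sender_mac:
            return None
        kind = "gratuitous ARP" if reply.gratuitous else "ARP reply"
        severity = "HIGH" if reply.sender_ip in self.protected else "MEDIUM"
        # The conflicting claim is reported but deliberately not adopted into the table.
        return f"{severity}: {kind} rebinds {reply.sender_ip} from {known} to {reply.sender_mac}"


def scan(frames: List[bytes], protected_ips) -> List[str]:
    """Run the detector over a list of raw frames and return the alerts in order."""
    det = ArpSpoofDetector(protected_ips)
    alerts = []
    for f in frames:
        r = parse_arp_reply(f)
        if r is not None:
            a = det.observe(r)
            if a:
                alerts.append(a)
    return alerts


# Constructed sample traffic; all addresses are illustrative and not taken from the text.
GATEWAY_IP, GATEWAY_MAC = "10.1.1.1", "00:11:22:33:44:01"
PHONE_IP, PHONE_MAC = "10.1.1.50", "00:11:22:33:44:50"
ATTACKER_MAC = "de:ad:be:ef:00:01"

SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, PHONE_MAC, PHONE_IP),        # legitimate gateway reply
    build_arp_reply(PHONE_MAC, PHONE_IP, GATEWAY_MAC, GATEWAY_IP),        # legitimate phone reply
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, "ff:ff:ff:ff:ff:ff", GATEWAY_IP),  # attacker claims gateway (gratuitous)
    build_arp_reply(ATTACKER_MAC, PHONE_IP, GATEWAY_MAC, GATEWAY_IP),     # attacker claims phone towards gateway
    b"\x00" * 60,                                                         # non-ARP frame, ignored
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FRAMES, protected_ips={GATEWAY_IP}):
        print(alert)
```

Both directions of the man-in-the-middle are visible: the gratuitous announcement that captures the phone's outbound traffic, and the unicast reply that captures the return path from the gateway. A real deployment would feed this from a SPAN session or a host-based capture and would treat the first-seen binding as trusted only if it was learned during a known-clean window; switch features such as Dynamic ARP Inspection do the same check in hardware against the DHCP snooping table.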
A lot about the IP phone and the telephony infrastructure can be learned just by looking into the network settings or browsing to the built-in HTTP server of the IP phone. This information includes the Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), default router, TFTP, and Cisco CallManager addresses. With this information, an attacker can direct an attack at the TFTP or Cisco CallManager server; because these servers run on Windows hosts, they are generally more vulnerable than the network components.
Overall, attacks on the endpoints can be broken down into four major categories, each described in turn below: eavesdropping on conversations, manipulation of the IP phone image or configuration file, gathering of information from the IP phone, and redirection of traffic from compromised network devices.
The simplest way to eavesdrop on the conversations of a user is to tap the wire between the IP phone and the switch, or to listen on the PC port of the IP phone. A variety of packet-capture tools exist to accomplish this. Note that the PC port only exposes the voice traffic if the phone forwards voice VLAN frames to it, which is one of the settings addressed when the phone is hardened.
An attacker could also try to get control of an IP phone by modifying the IP phone image or configuration file. This attack is carried out either at the TFTP server by manipulating the files themselves or by replacing the content while it is in transit. For the first method, the attacker needs access to the directory of the TFTP server; for the second, the attacker has to launch a successful man-in-the-middle attack.
The hacker might want to direct the attack at the most critical telephony components: the servers. An easy way to gather information about the IP addresses of critical components (such as the Cisco CallManager addresses, default gateway address, TFTP server address, DNS server address, and voice VLAN ID) is to retrieve them from the IP phone. This retrieval can be done locally at an IP phone by using the Settings button or by connecting to the IP address of the IP phone with a web browser. From the retrieved information, the hacker can build a topology map, associate it with services, and use the topology map to attack relevant devices.
If the attacker manages to get access to network devices, such as routers and switches, the attacker could redirect or copy traffic to any destination using various tunneling and mirroring features. These include Generic Routing Encapsulation (GRE), IPsec, Layer 2 Tunneling Protocol (L2TP), and the Switched Port Analyzer (SPAN) port-mirroring feature.