Get a good night's sleep and don't bug anybody without asking me.
Richard M. Nixon
Throughout history, people have sought to safeguard the privacy of their communications. One of the better known examples comes from Julius Caesar, who invented a rudimentary shifting cipher (known as the Caesar Cipher) to encode military communications sent to his army via messenger. Since Julius Caesar's age, the field of cryptography has advanced substantially to support almost any form of communication, including VoIP.
As VoIP is simply another data application, there are a variety of ways to safeguard one's privacy along the various OSI layers. Unfortunately, there are also a variety of ways that an attacker can compromise the privacy of your VoIP conversations by targeting each of those layers. And with the appropriate access to the right point in your network, an attacker can perform a variety of attacks beyond simply listening to your conversations.
The four major network eavesdropping attacks that we will cover in this chapter are TFTP configuration file sniffing, number harvesting, call pattern tracking, and conversation eavesdropping. Each of these attacks requires that an attacker gain access to some part of your network where active VoIP traffic (bootup, signaling, media, and so on) is flowing. This access can be obtained anywhere from VoIP endpoints (a PC host with a softphone, or a phone) to switch access, to VoIP proxies/gateways, to the Session Border Controller. To gain this type of access, there are a variety of tools and techniques that attackers can leverage.
We have largely left physical layer attacks out of this chapter. Not to be dismissive, but if any of the components of your VoIP network fall into the wrong hands, there are many ways for an attacker to assume administrative control over it. For a great example of what is possible with a Cisco phone, check out Ofir Arkin's paper, "The Trivial Cisco IP Phones Compromise" at http://www.sys-security.com/archive/papers/The_Trivial_Cisco_IP_Phones_Compromise.pdf.
Let's first define the four attacks we just outlined before describing the different ways they can be performed.
As you learned in Chapters 2 and 3, most IP phones rely on a TFTP server to download their configuration file after powering on. The configuration file often contains passwords that can be used to connect back directly to the phone (for example, via telnet, the web interface, and so on) and administer it. An attacker who is sniffing the wire when the phone downloads this file can glean these passwords and potentially reconfigure and control the IP phone.
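Because TFTP offers no confidentiality, any credential in a served configuration file is readable by whoever can see the transfer. The following audit script, added here as an example and not taken from the book or from any phone vendor, scans a phone configuration file for credential-looking keys and reports which secrets would be exposed on the wire, together with settings that make that exposure worse (telnet management left on, SIP signaling not over TLS). The config format, key names, and values are constructed for the example; real phone configurations vary by vendor.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a phone configuration file in a generic key=value
# style. This is not any vendor's actual format; the values are invented.
SAMPLE_CONFIG = """\
# phone-config.cfg (constructed example)
phone_label=Lobby Phone
sip_proxy=10.0.0.5
sip_port=5060
sip_transport=udp
admin_password=letmein1
web_user=admin
web_password=Summer2006
telnet_enabled=1
telnet_password=cisco
line1_auth_name=2001
line1_auth_password=s3cret
ntp_server=10.0.0.9
"""

# Key names that usually carry a credential. Extend for your vendor's naming.
SECRET_KEY_RE = re.compile(r"(password|passwd|secret|community|(^|_)pin($|_))",
                           re.IGNORECASE)


def parse_config(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, key, value) for every key=value line, skipping
    blank lines and '#' comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries.append((lineno, key.strip(), value.strip()))
    return entries


def redact(value: str) -> str:
    """Keep the first character so a finding is recognisable without
    reprinting the secret in the report."""
    return value[:1] + "*" * (len(value) - 1) if value else ""


def find_exposed_secrets(text: str) -> List[Tuple[int, str, str]]:
    """Every credential-looking key that a cleartext TFTP download would
    reveal, with its value redacted."""
    return [(lineno, key, redact(value))
            for lineno, key, value in parse_config(text)
            if SECRET_KEY_RE.search(key)]


def audit(text: str) -> Dict[str, object]:
    """Combine the secret scan with the settings that turn a sniffed
    password into control of the phone."""
    settings = {key: value for _, key, value in parse_config(text)}
    findings = []
    if settings.get("telnet_enabled") == "1":
        findings.append("telnet management is enabled; a sniffed telnet "
                        "password gives interactive access to the phone")
    if settings.get("sip_transport", "").lower() != "tls":
        findings.append("SIP transport is not TLS; call setup (and any "
                        "digest credentials) is visible on the wire")
    return {"secrets": find_exposed_secrets(text), "findings": findings}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for lineno, key, shown in report["secrets"]:
        print(f"line {lineno}: {key} = {shown}")
    for finding in report["findings"]:
        print("finding:", finding)
```

Run it against the configuration files your own TFTP server actually serves; every line it reports is a credential that the boot-time download hands to anyone positioned on the path between the TFTP server and the phone, which is the reason to keep management passwords out of served configs (or to move the download to an authenticated, encrypted transport) rather than to rely on the phone's VLAN for protection.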
Number harvesting describes an attacker passively monitoring all incoming and outgoing calls in order to build a database of legitimate phone numbers or extensions within an organization. This type of database can be used in more advanced VoIP attacks such as signaling manipulation (covered in Chapter 13) or SPIT attacks (covered in Chapter 14).
Call pattern tracking goes one step further than number harvesting to determine who someone is talking to, even when their actual conversation is encrypted. This has obvious benefits to law enforcement if they can determine any potential accomplices or fellow criminal conspirators. There are also corporate espionage implications if an evil corporation is able to see which customers their competitors are calling. Basically, this attack is akin to stealing someone's monthly cell phone bill in order to see all incoming and outgoing phone numbers.
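Both number harvesting and call pattern tracking work from signaling alone, which is why encrypting only the media (SRTP) does not close them. The script below, added here as an illustration and not part of the book, parses a handful of constructed SIP messages the way a passive tap on a cleartext UDP segment would see them and shows exactly what is recoverable: the set of extensions in use (the harvested directory), who called whom and for how long (the call pattern), and whether the Via header shows a cleartext transport. The extensions, addresses, Call-IDs, and timestamps are invented for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Helper to build constructed SIP messages with realistic header layout.
def sip_text(start_line: str, frm: str, to: str, call_id: str, cseq: str,
             via: str = "SIP/2.0/UDP 10.0.0.21:5060;branch=z9hG4bK-x") -> str:
    return (f"{start_line}\r\nVia: {via}\r\nFrom: {frm}\r\nTo: {to}\r\n"
            f"Call-ID: {call_id}\r\nCSeq: {cseq}\r\n\r\n")

# Constructed capture: (timestamp in seconds, raw SIP message). Three calls,
# one of them to an external number and still in progress at capture end.
CAPTURE: List[Tuple[int, str]] = [
    (100, sip_text("INVITE sip:2002@10.0.0.5 SIP/2.0", '"Alice" <sip:2001@10.0.0.5>;tag=a1',
                   "<sip:2002@10.0.0.5>", "call-1@10.0.0.21", "1 INVITE")),
    (101, sip_text("SIP/2.0 200 OK", '"Alice" <sip:2001@10.0.0.5>;tag=a1',
                   "<sip:2002@10.0.0.5>;tag=b1", "call-1@10.0.0.21", "1 INVITE")),
    (195, sip_text("BYE sip:2001@10.0.0.21 SIP/2.0", "<sip:2002@10.0.0.5>;tag=b1",
                   '"Alice" <sip:2001@10.0.0.5>;tag=a1', "call-1@10.0.0.21", "2 BYE")),
    (300, sip_text("INVITE sip:2002@10.0.0.5 SIP/2.0", "<sip:2003@10.0.0.5>;tag=c1",
                   "<sip:2002@10.0.0.5>", "call-2@10.0.0.23", "1 INVITE")),
    (360, sip_text("BYE sip:2002@10.0.0.5 SIP/2.0", "<sip:2003@10.0.0.5>;tag=c1",
                   "<sip:2002@10.0.0.5>;tag=d1", "call-2@10.0.0.23", "2 BYE")),
    (400, sip_text("INVITE sip:9145551212@10.0.0.5 SIP/2.0", '"Alice" <sip:2001@10.0.0.5>;tag=e1',
                   "<sip:9145551212@10.0.0.5>", "call-3@10.0.0.21", "1 INVITE")),
]

USER_RE = re.compile(r"sip:([^@>;]+)@")


def parse_sip(raw: str) -> Dict[str, object]:
    """Split a SIP message into its method (None for responses) and a
    lower-cased header dictionary; the body, if any, is ignored."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    is_request = not lines[0].startswith("SIP/2.0")
    return {"method": lines[0].split(" ", 1)[0] if is_request else None,
            "headers": headers}


def user_part(header_value: str) -> Optional[str]:
    """Extension or number from a From/To header value."""
    m = USER_RE.search(header_value)
    return m.group(1) if m else None


def via_transport(headers: Dict[str, str]) -> Optional[str]:
    """'UDP', 'TCP' or 'TLS' from the top Via header."""
    parts = headers.get("via", "").split()
    return parts[0].split("/")[-1].upper() if parts else None


def build_call_records(capture: List[Tuple[int, str]]) -> Dict[str, dict]:
    """One record per Call-ID: caller and callee from the first INVITE,
    end time from the BYE. Responses and re-INVITEs are skipped."""
    calls: Dict[str, dict] = {}
    for ts, raw in capture:
        msg = parse_sip(raw)
        h = msg["headers"]
        cid = h.get("call-id")
        if msg["method"] == "INVITE" and cid not in calls:
            calls[cid] = {"caller": user_part(h["from"]), "callee": user_part(h["to"]),
                          "start": ts, "end": None,
                          "cleartext": via_transport(h) in ("UDP", "TCP")}
        elif msg["method"] == "BYE" and cid in calls:
            calls[cid]["end"] = ts
    return calls


def call_duration(call: dict) -> Optional[int]:
    return None if call["end"] is None else call["end"] - call["start"]


def harvested_directory(calls: Dict[str, dict]) -> List[str]:
    """Every extension or number seen in signaling: the number harvest."""
    return sorted({c["caller"] for c in calls.values()} | {c["callee"] for c in calls.values()})


def call_pattern(calls: Dict[str, dict]) -> Counter:
    """Who talks to whom, and how often: the call graph visible without
    decrypting a single RTP packet."""
    return Counter((c["caller"], c["callee"]) for c in calls.values())


def most_called(calls: Dict[str, dict]) -> Tuple[str, int]:
    return Counter(c["callee"] for c in calls.values()).most_common(1)[0]


if __name__ == "__main__":
    records = build_call_records(CAPTURE)
    print("directory:", harvested_directory(records))
    for cid, c in records.items():
        print(cid, c["caller"], "->", c["callee"], "duration", call_duration(c),
              "cleartext" if c["cleartext"] else "encrypted")
    print("most called:", most_called(records))
```

Pointing the same parser at a capture from your own network is a quick way to confirm whether signaling is really protected: if it yields a directory and a call graph, the SIP leg that was captured is running over UDP or TCP rather than TLS, and the cell-phone-bill analogy above applies to anyone who can reach that segment.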
The most hyped threat, and the one of most concern to many VoIP users, is conversation eavesdropping. Quite simply, this attack describes an attacker recording one or both sides of a phone conversation. Beyond learning the actual content of the conversation, an attacker can also use tools to translate any touch tones pressed during the call. Touch tones, also known as dual-tone multifrequency (DTMF) tones, are often used when callers enter PINs or other authoritative information when on the phone with their bank or credit card company. Being able to capture this information could result in an attacker being able to replay these numbers to gain access to the same account over the phone.