Other IP Phone Attacks

There are several additional attacks possible against IP phones. These are covered next.

Attack Poor Local Protections

Popularity: 8
Simplicity: 9
Impact: 7
Risk Rating: 8

By default, unplugging and plugging in the combined RJ-45 Ethernet/power cable from the back of the Avaya 4602SW IP phone provokes its boot cycle. During boot, a prompt appears temporarily to permit a user to enter the IP phone's setup by pressing the * key. There is no password required to change the IP phone's settings. These settings vary as a function of the IP phone's application load. According to Avaya's website, version 2.3 is the latest release of the Avaya 4602 IP phone. The H.323 load permits the user to change the following settings during boot:

  • Phone IP: The phone's IP address

  • CallSvc: The IP address of the IP phone's call processing server

  • CalSvcPort: TCP port of call processing server

  • Router: Router's IP address

  • Mask: Defines the class of the IP phone's IP address, for example, 255.255.255.0

  • FileSvc: Configuration server's IP address

  • 802.1Q on/off status: VLAN status

At best, changing any one of these settings prevents the IP phone from properly registering with the Communication Manager. At worst, the IP phone can be prevented from communicating successfully with any network infrastructure. It would not be surprising if other Avaya IP phone models are as easily reconfigured.

Attack Default Configuration TFTP Download Files

FTP, HTTP, and HTTPS can all be used to download firmware loads to IP phones (FTP is also used for backup and restore). If a customer uses TFTP to download firmware, several Avaya documents recommend that the administrator disable those services when he or she is not downloading firmware; for example, Configuring DHCP and TFTP Servers on Avaya G350 and G250 Media Gateways for Avaya IP 4600 Series Telephones suggests the following:

"The Avaya G350 and G250 Media Gateways can be configured as DHCP and FTP servers for IP phones. When an 4600 Series IP phone is powered up with defaults or is reset to the default values by pressing MUTE 73738# (RESET#), the telephone will function as a DHCP client and sends a DHCP request. After the IP phone gets its IP address and the IP address of a TFTP server from the DHCP server (or from the 46xxsettings.txt file), the IP phone will function as a TFTP client by requesting files from the TFTP server. If the TFTP server has a different version than the IP phone, the IP phone will be upgraded by requesting telephone firmware from the TFTP server. The related IP phone firmware must be placed on the TFTP server for upgrades. This behavior is controlled by the 46xxupgrade.scr file."

So, if an attacker has the ability to spoof the DHCP server and TFTP server, then the IP phones can be reprogrammed simply by going to the keypad and pressing <MUTE>73738#.

Local Access Countermeasures

There are several countermeasures you can employ to secure local access to Avaya IP phones.

Restrict Local Configuration of the IP Phone

Local configuration is controlled by two customizable system parameters, PROCSTAT and PROCPSWD. PROCSTAT controls whether local (dialpad) administrative options can be accessed (0 means all administrative options are allowed; 1 means only viewing is allowed). PROCPSWD can restrict administration to a required password.
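One way to check a settings file for these two parameters before it is served to phones, as an added example (not from the book or from Avaya). It assumes the `SET NAME value` line syntax of the 46xxsettings.txt file mentioned earlier, with `#` starting a comment; the sample file contents, the password value, and the function names are constructed.

```python
import re

# Constructed samples. Assumed syntax: "SET NAME value" per line, "#" starts a comment.
WEAK_SETTINGS = """\
## constructed excerpt: local procedures fully open
SET PROCSTAT 0
## SET PROCPSWD 482916
"""
HARDENED_SETTINGS = """\
## constructed excerpt: view-only dialpad, site password set
SET PROCSTAT 1
SET PROCPSWD 482916
"""

SET_LINE = re.compile(r"^\s*SET\s+(\w+)\s+(.*?)\s*$", re.IGNORECASE)


def parse_settings(text):
    """Return {NAME: value}; a later SET overrides an earlier one.
    Any line that is not an active SET line is ignored."""
    params = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # a commented-out SET line does not configure anything
        match = SET_LINE.match(line)
        if match:
            params[match.group(1).upper()] = match.group(2).strip('"')
    return params


def audit_local_admin(text):
    """Return (parameter, finding) pairs for PROCSTAT and PROCPSWD."""
    params = parse_settings(text)
    findings = []
    procstat = params.get("PROCSTAT")
    if procstat != "1":
        state = "unset" if procstat is None else procstat
        findings.append(("PROCSTAT", f"value {state}: dialpad administration "
                         "is not limited to view-only (1)"))
    if not params.get("PROCPSWD"):
        findings.append(("PROCPSWD", "unset: no site password restricts "
                         "local administration"))
    return findings


if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, audit_local_admin(sample) or "no findings")
```

The weak sample is reported twice because its only PROCPSWD line is commented out, which is easy to miss when reviewing the file by eye.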

LAN Switch Port Security

You can use 802.1x support within the LAN switch to detect the unplugging of an IP phone.

Static Addressing

Use of DHCP can be avoided by assigning static addresses to each IP phone.

Secure File Download

The Overview for Avaya Communication Manager says, "Security of IP phone config files: This feature supports the inclusion of a digital certificate and the use of TLS to allow an IP phone to authenticate the server for the download of configuration files. This enables IP phones to ensure that configuration parameters come only from an authenticated source. Configuration files that are delivered through this mechanism can deliver message digest values for the authentication of software code files delivered through a non-secure connection."



Hacking Exposed VoIP. Voice Over IP Security Secrets & Solutions
ISBN: 0072263644
EAN: 2147483647
Year: 2004
Pages: 158
