Part IV: VoIP Session and Application Hacking

Chapter List

Chapter 11: VoIP Fuzzing
Chapter 12: Flood-based Disruption of Service
Chapter 13: Signaling and Media Manipulation

Case Study: John Smith Gets Even

John Smith is a network administrator at MonsterSoft, the world's largest vendor of enterprise software. MonsterSoft sells operating systems, databases, application suites, security products, and so on. They pride themselves on offering excellent products along with stellar customer support. They have several thousand customer support personnel, who field millions of calls from customers using products critical to their business operations. MonsterSoft is a very aggressive user of VoIP. They have one of the largest VoIP deployments and use it for their entire customer support operation.

John, however, is not a happy camper. He keeps getting lousy raises and passed over for promotions. Worse yet, he is pretty sure he is about to get laid off, as a result of yet another acquisition and merger by MonsterSoft. He figures that MonsterSoft has treated him unfairly, and he is on the way out anyway, so he might as well stick it to them.

John is quite familiar with the network and understands how the new VoIP system is set up. He knows that despite support from the vendor for audio encryption, it is never used. He also knows that all of the customer support calls are aggregated on a core switch link connecting to the media gateway that converts the VoIP calls for the PSTN. John has connected a PC to the switch and uses Ethereal/Wireshark to monitor the traffic. The traffic is H.323 or MGCPhe isn't sure, but it doesn't matter because he knows that the audio is all carried with the Real-Time Protocol (RTP). He has played around before and captured calls, listening in on customers asking questions. Some of these calls are routine, but of course a fair number involve critical issues.

To get even, John thinks up a nasty attack. He downloads an interesting program called rtpmixsound from This program reads in a .wav audio file and " mixes " its contents with any RTP stream that it sees. For each packet in a targeted RTP stream, rtpmixsound merges the captured audio with that from the .wav file, resulting in new audio with noticeable background noise, sounds, or words. The .wav file can contain any audio, from dirty words to insulting phrases to moaning women (think of Meg Ryan from the restaurant scene in When Harry Met Sally ). The mixing occurs in one direction only, so one side won't be aware that the attack is even occurring.

John gets a buddy to record several phrases and save them as .wav files. The phrases include "God you're dumb," "Read the damn manual," "Is it that idiot again?" and so forth. You get the picture. John then set up a Linux PC with the rtpmixsound software and configured the network so that the PC is able to monitor and mix in new packets. He has Ethereal/Wireshark set up to monitor for RTP streams and uses this to target random calls. John unleashes the attack on a Monday, which is the busiest customer support day. Unbeknownst to the customer support personnel, several insulting phrases are being played back to their customers, as if they or someone in the background is insulting them. Customers keep asking, "What did you say?" and exclaiming, "How dare you say that!"

The customer support personnel, some of whom speak poor English, are used to customers who are irate or misunderstand them, so they don't think anything is wrong. Over the course of the day, hundreds of key customers are incensed and insist on speaking with a manager. Unfortunately, some of the same phrases are uttered in these conversations as well. The net result is that MonsterSoft upsets several of their key customers, resulting in irreparable damage to their reputation. MonsterSoft tries reviewing their recordings of the calls, but because they were recorded before the audio was mixed in, they have no idea what happened . They have no viable response and basically have to tell their customers that they have no explanation, but that they are terribly sorry. MonsterSoft decides that they will give affected customers a discount on next year's customer support, resulting in a significant loss of revenue.

John is clever enough to disable the program after using it that one morning, so it is never detected .

Hacking Exposed VoIP. Voice Over IP Security Secrets & Solutions
Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions
ISBN: 0072263644
EAN: 2147483647
Year: 2004
Pages: 158

Similar book on Amazon © 2008-2017.
If you may any questions please contact us: