How to Hack IP Voice and Video in Real-Time
While the exploit was demonstrated a year ago at security conferences, most corporate networks are still vulnerable to it, says Jason Ostrom, director of VIPER Lab at VoIP vendor Sipera, where he performs penetration tests on clients' business VoIP networks.
Ostrom demonstrated the attack at the Forrester Security Forum in Boston last week using a Cisco switch, two Polycom videophone and a laptop armed with a hacking tool called UCSniff that he pulled together from open source tools.
To eavesdrop on the calls, someone with access to a VoIP phone jack -- including the one in the lobby of the business -- plugs a laptop with the hacking tool on it into the jack. Using address-resolution protocol (ARP) spoofing, the device gathers the corporate VoIP directory, giving the hacker the ability to keep an eye on any phone and to intercept its calls. There's a tool within UCSniff called ACE that simplifies capturing the directory.
The best network defense is to turn on encryption for both signaling and media, he says. The problem isn't with the networking or VoIP and video gear itself, but rather with how they are configured in the network, he says.
- · Rackspace debuts OpenStack cloud servers
- · America's broadband adoption challenges
- · EPAM Systems Leverages the Cloud to Enhance Its Global Delivery Model With Nimbula Director
- · Telcom & Data intros emergency VOIP phones
- · Lorton Data Announces Partnership with Krengeltech Through A-Qua⢠Integration into DocuMailer