Video and VOIP Vulnerabilities

We have all seen the bad movies where bad guys intercept a video feed from security cameras and replace the live video stream with a false video stream. This was possible using simple CCTV networks, but not easy with video streaming over large IP networks. Now, it’s relatively trivial.

Most of these attacks can be mitigated by using VLANs to separate data. Unfortunately, tools exist for VLAN hopping. For VoIP-specific applications, voiphopper (http://voiphopper.sourceforge.net) can be used to gain access to the Voice VLAN ID (VVID) by emulating a Cisco, Avaya or Nortel IP phone. Most commonly, it is used to spoof an IP phone CDP packet and create a new Ethernet port based on the VVID. Once access is granted to the VLAN containing voice or video IP phones, VideoJak (http://videojak.sourceforge.net), UCSniff (http://ucsniff.sourceforge.net) or other applications can then be used for interception, man-in-the-middle attacks, replay, or any other desired usage. Increasingly, such tools are rolling VLAN hopping into their functionality for ease of use.

UCSniff

UCSniff has two modes. Monitoring mode is of only mild interest: unless the enterprise is using hubs or has SPAN turned on, it is not a serious threat. If an attacker gains access to the switches, however, usage of the tool could be more worrisome. Man-in-the-Middle (MitM) mode is the greater concern. UCSniff works by ARP poisoning the network and redirecting traffic to itself. Unless an enterprise is specifically monitoring for ARP poisoning, the effect is entirely transparent to the user. The most effective hostile deployment is to replace an IP phone with a laptop containing UCSniff. This usually guarantees being on the Voice VLAN and therefore bypasses any need for VLAN hopping. Once on the voice VLAN and in MitM mode, a malicious user can passively intercept, jam, alter, or otherwise manipulate the video streams as they see fit using the tool. One can target a specific user or a specific conversation. UCSniff incorporates automatic VLAN discovery via CDP as well as VLAN hopping capabilities.

Another interesting usage of the tool, in a Cisco Unified IP Phone environment, is to collect corporate directories. These directories are very helpful in mapping names to specific devices, and can offer a hostile party a more concise list of targets. This is done through an incorporated tool called ACE, Automated Corporate Enumerator, which mimics the behavior of a phone to acquire all of the necessary personnel information in a very short period of time.

One noticeable method of detection is the cessation of UCSniff without re-ARPing the targeted clients: they will all crash. If all IP phones crash at one time without any corresponding server or network issues, a hostile party using ARP poisoning may have disconnected without properly resolving clients back to their original information.

VideoJak

VideoJak is a lightweight tool specifically designed for IP video hijacking or denial of service. Its purpose is to intercept video from a feed, capture a stream, and then replay it on the network. It can also be used to intentionally degrade video IP traffic to varying levels. It is a very simple and straightforward application, but one with problematic implications for IP video surveillance and security systems.

Auxiliary Methods

A cruder but efficient method is to use Wireshark to intercept CDP packets, look for “VOIP VLAN Reply”, and use VLAN hop (http://www.candelatech.com/~greear/vlan/vlan.1.9.tar.gz) or voiphopper to alter one’s assigned VLAN to the corresponding VLAN ID found in the intercepted packets. If a switch is insecurely configured, flooding the CAM tables can make a switch perform like a hub, allowing an attacker to intercept additional communication.

Countermeasures for a Cisco environment:

• Turn off CDP if possible

• Do not use default VLANs under any circumstances

• Restrict VLAN trunking to strictly the VLANs used on that specific switch

• Turn on BPDUguard and rootguard

• Set switchport port-security to prevent CAM table attacks, which may be useful in alleviating ARP poisoning

• Apply a VTP domain password

• Monitor for ARP poisoning

• Isolate corporate phone networks from phones in public spaces

• Follow Cisco’s Phone Hardening guidelines (http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/4_0_1/secuphne.pdf)

• Follow NSA’s Switch Configuration Guide (http://www.nsa.gov/ia/_files/switches/switch-guide-version1_01.pdf)
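As an added example (not from the original article or from Cisco), the following Python sketch audits an IOS-style running configuration against several of the countermeasures listed above. The sample configuration is constructed, and applying every check to every access port is a simplifying assumption.

```python
import re

# Constructed IOS-style running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport voice vlan 110
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 110
 switchport port-security
 spanning-tree bpduguard enable
 spanning-tree guard root
 no cdp enable
!
interface GigabitEthernet0/24
 switchport mode trunk
!
"""

# Line an access port should carry -> finding reported when it is missing.
ACCESS_CHECKS = [
    ("switchport port-security", "no port-security (CAM table can be flooded)"),
    ("spanning-tree bpduguard enable", "BPDU guard off"),
    ("spanning-tree guard root", "root guard off"),
]

def parse_interfaces(config):
    """Return {interface name: [stanza lines]} from IOS-style config text."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current:
            stanzas[current].append(line.strip())
        else:
            current = None
    return stanzas

def audit(config):
    """Return sorted (interface, finding) tuples for the countermeasures above."""
    cdp_off = re.search(r"^no cdp run\s*$", config, re.M) is not None
    findings = []
    for name, lines in parse_interfaces(config).items():
        has = lambda prefix: any(l.startswith(prefix) for l in lines)
        if has("switchport mode trunk"):
            if not has("switchport trunk allowed vlan"):
                findings.append((name, "trunk not restricted to named VLANs"))
        elif has("switchport mode access"):
            if not has("switchport access vlan") or "switchport access vlan 1" in lines:
                findings.append((name, "data VLAN is the default VLAN 1"))
            findings += [(name, msg) for need, msg in ACCESS_CHECKS if not has(need)]
            if not (cdp_off or has("no cdp enable")):
                findings.append((name, "CDP enabled"))
    return sorted(findings)
```

The VTP domain password is left out of the audit because it is usually not stored in the running configuration.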

Weaknesses in Electronic Locks

The obvious attack vector for most locks is the authentication medium. RFIDs are notoriously easy to clone, generally up to 10 meters under practical conditions. Their entire functionality is based on modulated backscatter. A burst of radio frequency is generated, and a portion of it is reflected back at the reading device. This portion is modulated into useful information, usually in the form of a unique number. This unique number is most often tied into a central database for authentication. RFID by itself has absolutely no built-in security, which must be provided by an ancillary mechanism. The obvious and most common example of an ancillary authentication mechanism is a personal identification number (PIN) entered into a keypad connected to the RFID reader. Many RFID reader manufacturers offer this as an integrated component.

Unfortunately, ancillary mechanisms are likely not enough to provide adequate security. Most networked building access systems do not use encrypted network traffic, rely on persistent TCP sessions and employ predictable sequence numbering. Most push the applicable data sets down to individual readers, which can be compromised en route. Events are often transmitted back to the central control system, which can allow an intruder to intercept employee traffic. Additionally, in some cases, forged commands can be transmitted over the network to lock or unlock doors without the need to know any identification.

No publicly known building access system currently encrypts its traffic between the door readers and the control system. Doing so would significantly prevent tampering and would prevent interception of data. It would also prevent all TCP sequence prediction attacks.

Virtually all modern operating systems use means of avoiding TCP sequence prediction. Many embedded systems, especially building access systems, have not yet resolved this issue. This issue was first significantly documented in April 1989 and many solutions were codified into RFC 1948, published in May 1996. Transmission Control Protocol (TCP) is a protocol that attempts to be reliable and is connection oriented. If a number of TCP packets are received, the sequence number is used to reorder the packets into the correct order. If this sequence is easily guessed, a third party could intercept the traffic and quite easily manipulate both original parties into believing the induced traffic is legitimate. This is known as a “man in the middle” (MITM) attack.
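As an added example (not from the original article or the cited sources), the Python sketch below contrasts a constant-increment initial sequence number (ISN) generator with the RFC 1948 construction, ISN = M + F(localhost, localport, remotehost, remoteport, secret), and includes a check an auditor could run over ISNs recorded from a device under test. The increment, addresses, port and secret are constructed values, and SHA-256 is swapped in where RFC 1948 suggests MD5.

```python
import hashlib
import struct

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

def predictable_isn(previous, increment=64000):
    """Weak generator: every new connection adds a fixed constant (assumed value)."""
    return (previous + increment) % MOD

def rfc1948_isn(clock, src_ip, src_port, dst_ip, dst_port, secret):
    """RFC 1948 style ISN: timer value M plus a keyed hash of the connection tuple."""
    tuple_bytes = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}".encode()
    digest = hashlib.sha256(tuple_bytes + secret).digest()
    offset = struct.unpack("!I", digest[:4])[0]
    return (clock + offset) % MOD

def isn_deltas(isns):
    """Differences between successive ISNs, modulo 2**32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]

def looks_predictable(isns, tolerance=0):
    """True when successive ISNs differ by a (near-)constant step."""
    deltas = isn_deltas(isns)
    return len(deltas) >= 2 and max(deltas) - min(deltas) <= tolerance

def sample_isns(kind, count=6):
    """Constructed ISNs, as an auditor would record from `count` new connections."""
    secret = b"constructed-demo-secret"
    isns, legacy = [], 1000
    for i in range(count):
        if kind == "legacy":
            legacy = predictable_isn(legacy)
            isns.append(legacy)
        else:
            clock = 250000 * i  # 4-microsecond timer, one connection per second
            isns.append(rfc1948_isn(clock, "192.0.2.5", 40000 + i,
                                    "192.0.2.9", 4070, secret))
    return isns

if __name__ == "__main__":
    for kind in ("legacy", "rfc1948"):
        isns = sample_isns(kind)
        print(kind, isn_deltas(isns), "predictable:", looks_predictable(isns))
```

Each sample connection uses a different client port, because RFC 1948 deliberately keeps ISNs monotonic for a repeated connection tuple.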

The practical example of attacking a door controller is straightforward.

  1. All door controllers typically have the same first four octets of their MAC address, which can be generally located in vendor documentation or through an internet search.
  2. Once a controller with a matching MAC address is located, poison the ARP cache to redirect traffic through the attacking computer.
  3. Use Wireshark (or other utility) to monitor packets.
  4. Open a packet, observe hex stream payload (which is the open or deny command)
  5. Repeat until confident the payload is an open command. Open commands are significantly more common than deny commands. Statistical analysis should be able to differentiate between an open and deny command relatively quickly. Once this payload is known, this step never has to be repeated.
  6. When you wish to open the door, intercept any packet between the control server and door controller. This does not have to be an open or deny command. It can be a Keep Alive or status transmission sent on a regular basis to monitor for network connectivity.
  7. Use a packet forger, add constant to the sequence bits, and send with hex payload for open.

This command will not be logged by the administrative server, as it is sent directly to the door controller.

Additionally, there have been many other generalized developments in the RFID security field as of late, two of which are rather significant and worthy of attention. A useful device is scheduled for release at the end of August 2009. The ProxPick, developed by Chris Paget and H4RDW4RE, LLC., offers many useful features for 125-134 kHz RFID tags. It can selectively act as a reader, a passive sniffer, play back stored RFID data, or jam a reader. This is more advanced and user friendly than the previous preferred RFID reading tools (primarily ProxMark3 and OpenPCD). This tool was discussed by Chris Paget at the RSA and Defcon conferences. Another interesting development is faraday caged apparel. A company called DIFRwear has made a line of wallets, passport cases, and badge holders that block unwanted RF traffic while the apparel is closed. This was brought to significance by potential and/or alleged security vulnerabilities in RFID-enabled credit cards. The products are FIPS 201 certified. Other companies have started developing similar clothing or apparel with built-in RF blocking properties.

Countermeasures:

Migrate all building access devices onto a dedicated network isolated from all other traffic. A less secure solution is to migrate all building access devices to a separate VLAN. An attacker can only cause a “Man in The Middle” attack if they can get physical access to the network. Monitor for MITM attacks and related occurrences such as ARP poisoning, which can be accomplished by most intrusion detection systems.
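As an added example (not from the original article), the Python sketch below shows the ARP monitoring recommended here and in the “Monitor for ARP poisoning” item of the Cisco countermeasures: it parses ARP frames, pins known-good bindings, and alerts when an IP address moves to a new MAC or one MAC claims several IPs. The frames, addresses and the pinned gateway binding are constructed, and `make_arp` exists only to build that sample input.

```python
import struct
from collections import defaultdict

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) from an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    ip = ".".join(str(b) for b in frame[28:32])
    return op, mac, ip

class ArpMonitor:
    def __init__(self, pinned=None):
        self.ip_to_mac = dict(pinned or {})  # known-good bindings (gateway, servers)
        self.mac_to_ips = defaultdict(set)
        for ip, mac in self.ip_to_mac.items():
            self.mac_to_ips[mac].add(ip)

    def observe(self, frame):
        """Return a list of alert strings for one captured frame."""
        parsed = parse_arp(frame)
        if parsed is None or parsed[2] == "0.0.0.0":  # ignore non-ARP and ARP probes
            return []
        _, mac, ip = parsed
        alerts = []
        known = self.ip_to_mac.get(ip)
        if known and known != mac:
            alerts.append(f"{ip} moved from {known} to {mac}")
        else:
            self.ip_to_mac[ip] = mac  # learn on first sighting, never overwrite
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            alerts.append(f"{mac} claims {sorted(self.mac_to_ips[mac])}")
        return alerts

def make_arp(op, sender_mac, sender_ip, target_ip):
    """Build a constructed ARP frame for the demo (not captured traffic)."""
    mac = bytes.fromhex(sender_mac.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    header = b"\xff" * 6 + mac + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return header + mac + ip(sender_ip) + b"\x00" * 6 + ip(target_ip)

def demo():
    mon = ArpMonitor(pinned={"192.0.2.1": "00:00:5e:00:53:01"})  # constructed gateway
    frames = [
        make_arp(2, "00:00:5e:00:53:10", "192.0.2.10", "192.0.2.1"),  # phone, first seen
        make_arp(2, "00:00:5e:00:53:66", "192.0.2.1", "192.0.2.10"),  # gateway IP, new MAC
        make_arp(2, "00:00:5e:00:53:66", "192.0.2.10", "192.0.2.1"),  # phone IP, same MAC
    ]
    return [alert for frame in frames for alert in mon.observe(frame)]
```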

Sources:

Picking Electronic Locks using TCP Sequence Prediction – Ricky Lawshae, Defcon 17 presentation

“Security Problems in TCP/IP Protocol Suite” (http://portal.acm.org/citation.cfm?id=378444.378449) – ACM SIGCOMM Computer Communication Review, Vol 19, Issue 2, April 1989

“Defending Against Sequence Number Attacks” (http://tools.ietf.org/html/rfc1948) – RFC# 1948, S. Bellovin (AT&T Research), May 1996

H4RDW4RE (http://www.h4rdw4re.com) – Manufacturer of multifunctional ProxPick

OpenPCD (http://www.openpcd.org) – RFID development tool

Proxmark (http://www.proxmark.org) – RFID development tool

DIFRwear (http://www.difrwear.com) – Maker of faraday caged apparel, useful in securing RFID communication.

Guide to Picking Locks on the Cheap for Beginners

Disclaimer: Don’t do anything stupid or illegal. It’s bad. Besides, if you’re reading this, you’re just starting out. Locks are cheap, and I really prefer to practice on my locks while sitting around my place with beer, wine or a cigar. Only practice on your own locks. It’s a lot more convenient and locks aren’t that expensive. Ask people for old locks they lost the keys to, or ones that use combos they forgot. Snag misc keys the same way. Trust me, they’ll be happy to fork over the worthless junk cluttering up their storage space.

Like most geeks, back in high school I was always poking at stuff to learn about this whole new world thing. Three things caught my attention: computers, locks and books. I was probably one of the few kids to ever get in trouble on a regular basis for reading during class. I’d finish the textbook in a couple days (and generate solutions for all of the problems, early brute forcing skillz) and move onto whatever interested me. My parents were never quite sure if they should be happy or upset at that discipline issue. Anyways, something that caught my eye were the dinky cheap Master locks that everyone was mandated to buy. I noticed that if a student forgot a combination, the facilities folks never cut the padlock off but used a master key to open any lock. That interested and annoyed me. First off, I didn’t like the fact that anyone could open my locker without my knowing, and second, I wanted to know how to do that. I “lost” my padlock a couple times, forcing my parents to buy me new ones. (I was a sneaky devil of a child, if you can’t tell.) I disassembled a couple and the rest I experimented on.

Through my experiments, I was horrified to learn the secrets of the padlock. It was… bad. I learned that it’s called a “warded lock”. The lock employs obstructions to block a key. If you get by these obstructions, you open the lock. Snagging a ton of keys from students at the end of the year, I experimented in mutilating the keys to avoid these obstructions. I ended up making my own “master key” that had all bumps shaved down but one. And it opened any Master lock. Now, you can buy “warded key sets” or “warded picks” online for $10. It’s a set of five types of “master keys” that open nearly any warded lock. Horrible friggin security, but they’re cheap and keep honest people honest.

A master key wasn’t very exciting to the average 15 year old. It doesn’t have good presentation value to the ladies and only slightly more appreciation among the crowd of my peers. So I wanted to find other ways to pick a padlock that looked more difficult and impressive. Eventually I found a way to make a lock think it should be open. I cut up a soda can, forming an M the size of a nickel. I bent the two side pieces back to reinforce the ‘handle’ and would slip it into the crack between the shackle and the body of the lock. It’d touch the latch holding the shackle closed and spring it open. This is called “shimming”, with the devices called “shims”. Sweet, we’re lockpicking like the movies now!

Pretty impressive, but not good enough. I did some research and found a program for the TI-81 calculator. You’d clear the lock by spinning the dial a bunch of times. Pull on the shackle, it’d bind up on one of the digits. I don’t recall the reset, but I’d punch them into the calculator and it’d give me a list of ten combos. Could be the first, could be the last. So I practiced quite a bit at entering combos. I finally had an impressive (to 15 year olds) act to crack the locks that wasn’t too easy, but not too hard. I got pretty good at the most inefficient means of cracking a Master lock.

Next up, I wanted to learn how most doors worked. Again, easiest way to figure something out when you’re an impatient kid, bash it open with something heavy and figure out how the pieces go together. Come to think of it, that’s still my primary engineering strategy… So I got some door knobs, bashed them open and studied the components. Significantly, significantly different. Much better design. Much harder to crack but shimming still works. Folks think a credit card is handy, but you want something a bit more flexible. Blockbuster card works pretty well, and they’re generally nice about replacing them after you mutilated it. Or you can buy overly expensive flexible metal gizmos to do the same task. Whatever works.

Nearly all door locks are pin tumbler locks. You have a cylinder with an opening for the key that rotates to open the lock. Internally, there is a row of pin tumblers. These pins are on springs, and they prevent the cylinder from rotating. They’re usually of different lengths (hence why your keys have all those bumps). Push the pins up a specific amount, and the cylinder freely rotates. These locks can primarily be picked because the pins are of slightly different sizes and tolerances. The lockpicking is essentially turning the cylinder so the pins are jammed between the cylinder and the rest of the assembly. One pin is binding more than the rest. Push that one up, and now it can’t go back down. Find the next pin offering the most resistance, and so forth.

Enough with the boring exposition. Now, onto the exciting part. Let’s pick a lock.

First, what you need to pick a lock. Locate the following.

Tools

You need a lock, a multi-tool (buy a decent one), and two paper clips. That’s it. No, seriously.

Find or buy a doorknob. Any will do. Find nearly the cheapest door lock you can. Unlock it. Look for a hole between the door knob and the part normally touching the door. Move it around until the holes line up. Stick a small screwdriver in it. Wiggle around. The doorknob should come off. Now, there should be a notch in the back of the door knob. Stick your screwdriver in it, and wiggle off the ring on the back of the doorknob. Now wiggle the lock cylinder out of the doorknob. Ta’dah!

The lock assembly you are now holding in your hands is a pin tumbler lock, with between five and seven tumblers. That’s a lot for someone just starting out. There should be a block sticking out of the cylinder shaped thing. On top of that block should be a metal cover. We want to remove it. Break out your trusty multi-tool or pliers. Remove the cover. If there are indentations in the top (most likely), you need to pry perpendicular to the angle at which the key is inserted. Watch out, the springs may shoot out. Once you remove the cover plate, use your multi-tool to crush the indentations until they are level with the rest of the plate. Now, dump out the contents of the lock. You should get five or six springs, and twice that number of brass pins. One set will be virtually identical. The rest will be slightly longer or shorter. Take ONE of the brass pins from the set that are virtually identical and drop that one in the first hole closest to the key hole, then drop in one of the variable length brass pins and lastly drop in a spring. Now, slide the cover plate back on. Use your multi-tool to crimp it back into proper shape, while keeping it relatively easy to slide on and off.

We now have a one tumbler lock.

Take two paper clips. Nice mid-sized metal ones. Straighten one out into a line, then fold one end into a handle. For the other, take the middle loop of metal and bend it out until it is perpendicular to the larger loop, forming an L. Crush the inner loop slightly with your multi-tool. Insert the smaller loop end of the L into the bottom of the lock, away from the pins. Congratulations, you have just made your first lock-pick. It’s a torsion wrench (most often incorrectly called a tension wrench). Your straight line with a handle paper clip is now a “pick”.

Play around with your torsion wrench. You want to make it stick out at a comfy angle. Push on it just slightly with a finger, preferably the same one holding the cylinder. It should also be out of the way so you can freely move your pick.

Here is a way of holding the cylinder and torsion wrench.

[Image: Approach 1]

And another.

[Image: Approach 2]

Now, put your lock-pick in the keyhole and probe around inside the lock. Get a feel for the inner dimensions of the lock, without all the pins in it. After you get a feel for the dimensions of the lock, find the tumbler. Put a slight amount of torque/pressure on the torsion wrench and slowly push the pin up. You’ll have to play around a bit with how much torque you’re putting on the lock. You shouldn’t need a lot. You might have to work the pin a few times. When it gets to the right spot, the lock will freely turn. Congratulations, you picked your first lock.

Remove the cover plate from the top of the lock, move the tumbler to another hole. Repeat a bunch of times. It should be pretty easy after the first few tries. Now, let’s make things more complicated. Toss in TWO tumblers. After you apply torque and you start probing the tumblers, you should notice one of the tumblers offers noticeably more resistance. That’s the tumbler with the pin that is binding. Press that tumbler up first. Then press the looser tumbler up second. It may now offer more resistance than the previous time you pushed on it, as it’s now the pin that is binding.

Stick with the two tumblers for a while. Move them around between the different openings. After you’re really comfortable, you can start adding more tumblers.

If you’d like an unsolicited suggestion: don’t buy a “lock picking set”. They’re really overpriced and include lots of stuff you don’t need. Buy a torsion wrench (aka a tension wrench) and a half-diamond pick from any locksmith supply company on the internet. They should be a couple of bucks each. Don’t pay more than roughly $5 for either. You might want to consider buying a couple different variations of the tension wrench and half-diamond pick. You can buy nicer picks later if you really like lockpicking.