Re: Pentesting Telephone-Systems

From: Volker Tanger (vtlists@wyae.de)
Date: Tue Sep 06 2005 - 17:26:47 EDT


Greetings!

On 6 Sep 2005 07:51:37 -0000
sebastian.michel@ctl-loeper.de wrote:

> I spent much time trying to get technical information about pentesting
> telephone systems, but with no success.

Basically it is as with any other pentesting.

But the customer especially here is better off with a whitebox analysis,
as pentesting usually is bound to break something. A bad idea for
telephony systems that are expected to show five-9 and more of
reliability...

> Where are security-flaws,

Everywhere.
;-)

Okay, basically the risks are:
        - fee fraud
        - eavesdropping (live and box)
        - impersonation (live and box)
        - availability/reliability

The most common risks include
        - most users using default passwords
          (usually "0000" or extension number)
        - too many, too risky/"intelligent" features active
            (and changeable for the end user)
        - unprotected trunk access
        - weak protection of admin access (modem)
        - "hung" sessions eating away channels and money

> what methods are known to work

Be creative! Usually more attacks work than you might expect, even on
well-administered systems. TK systems are still thought of as cables
and relays, so even old-school attacks surprisingly often work on TK
systems. The more computer-based stuff the system has, the better for
the attacker - usually.

> which tools are already available

First and foremost: your brain, your imagination.

System/user documentation.

Wardialing, if necessary. Usually only finds few unknown systems, but
sometimes you hit it right on the spot. Best finds for me: INAX console
(phone+data line controller) or the "unused" video conference system of
the CEO that silently answered calls...

> I heard that manufacturers are obligated to build in a backdoor for
> secret services in their products. Is this right?

No. But most (enterprise) TK systems feature a "supervisor" mode where a
trainer/supervisor/agency can hook on to a running session. The law
requiring agency taps only affects telephony providers (at least in
Germany).

But I have encountered systems where there actually is a backdoor (e.g.
predefined password to gain admin access) built-in by the manufacturer.

Bye

Volker

-- 
Volker Tanger    http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists@wyae.de                    PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB
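As an added example (not part of Volker's mail or of any PBX vendor's tooling), a small Python audit over a constructed extension/PIN export that flags the default-password problem named above: PIN "0000", PIN equal to the extension number, and, generalizing a little, repeated-digit, sequential, empty and shared PINs. The "extension,pin" export format and the sample rows are assumptions.

```python
from typing import Dict, List

# Constructed sample of a PBX extension/PIN export (hypothetical format:
# one "extension,pin" row per line). Not taken from any real system.
SAMPLE_EXPORT = """\
extension,pin
2001,0000
2002,2002
2003,1234
2004,7391
2005,2002
2006,5555
2007,
"""


def parse_export(text: str) -> List[Dict[str, str]]:
    """Parse the export into a list of {"extension", "pin"} rows, skipping the header."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        ext, pin = line.split(",", 1)
        rows.append({"extension": ext.strip(), "pin": pin.strip()})
    return rows


def weak_pin_reasons(extension: str, pin: str) -> List[str]:
    """Return the reasons a single mailbox/extension PIN counts as weak."""
    if not pin:
        return ["empty PIN"]
    reasons = []
    if pin == "0000":
        reasons.append("factory default 0000")
    if pin == extension:
        reasons.append("equals extension")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    # ascending or descending digit runs such as 1234 or 4321
    if pin in "0123456789" or pin in "9876543210":
        reasons.append("sequential digits")
    return reasons


def audit_pins(export_text: str) -> Dict[str, List[str]]:
    """Map each extension with a weak PIN to its reasons; shared PINs are flagged too."""
    rows = parse_export(export_text)
    by_pin: Dict[str, List[str]] = {}
    for r in rows:
        by_pin.setdefault(r["pin"], []).append(r["extension"])
    findings: Dict[str, List[str]] = {}
    for r in rows:
        reasons = weak_pin_reasons(r["extension"], r["pin"])
        others = [e for e in by_pin[r["pin"]] if e != r["extension"]]
        if others:  # two mailboxes on one PIN usually means a default was never changed
            reasons.append("shared with extension " + ", ".join(others))
        if reasons:
            findings[r["extension"]] = reasons
    return findings
```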