
SOURCE BOSTON 2008 Copyright 2008, James M. Atkinson.

Date post: 14-Dec-2015

Telephone Defenses Against the Dark Arts

James M. Atkinson
Granite Island Group
www.tscm.com

Telephone Vulnerability Basics

1. Instrument
2. Local Distribution
3. Local Switch
4. Demarcation/Network Interface
5. Transmission
6. Switching

Instrument Vulnerabilities

1. Speaker or Microphone Exploit
2. Installation of Foreign Device
3. Hookswitch Manipulation
4. Software/Firmware Exploits
5. Normal Operation Exploits
6. Moderate Protection, Easy to Subvert

Local Distribution Vulnerabilities

1. Wall Plates
2. Raw Wiring
3. Cross Connection Points
4. Normally Not Protected or Supervised

Local Switch Vulnerabilities

1. Cross Connections Points
2. Switch Inputs/Outputs
3. Switch/PCM Backplane
4. Parallel Channels
5. Switch Software/Firmware Exploits
6. May or May Not Be Protected

Demarcation/Network Interface Vulnerabilities

1. Ripe for Exploitation
2. Poorly Protected
3. Generally Accessible
4. Target Specific
5. Significant Choke Point

Local Transmission Network Vulnerabilities

1. Post Demarcation/NID
2. Before Switch
3. Easy to Isolate Single Subscriber
4. Open Terminals and Boots
5. Not Protected, Wide Open

Switching Vulnerabilities

1. Central Office
2. Used to Be Huge Buildings
3. Modern Small Scale Switching
4. Post 9-11 Logo Removals
5. High Value OVERT Choke Point
   • CALEA and .gov targeting
6. Usually Highly Protected

Transmission Network Vulnerabilities

1. Mostly Single Mode Fiber Optics
2. Accessible Public Pathways
3. Usually Well Marked
4. High Value COVERT Choke Point
5. Cable Vaults on Alarms
6. “Supervised” Against Breakage

Telephonic Integration

Voice over IP
  • Cable Modems
  • Other Broadband Services
ISDN
Fiber Optic Internet Service
EVDO
Other Wireless Services

The Realistic Threat

RF Device
Hard Wired Recorder
Wireless Intercept
Software Manipulation
Other Methods

Essential Tasks

Conductor Inventory
Pathway Mapping
Known Electronic Metrics
  • Re-Testing Against Metric
  • Open Testing
Physical Inspection

Auditing Telephone Instruments

What Kind of Phones
“Soft Under-Belly”
What Should It Normally Do
  • Is It a Risk?
  • Is It a Threat?
  • Hostile Manipulation?
Feature, Hazard, or Risk?

Auditing Wiring

What Wire is in the Walls?
What Wire is in the Ceiling?
Wall Plates?
Termination Points
Junction Points/Punch Blocks

Auditing Wiring

Conductor Maps
  • Signal Pathways
  • Pair Combinations
  • Industry Standard Pin-Outs
  • Color Codes?
  • Conductor Length
      Fractions of an Inch Accuracy
  • Non Linear Junction Combinations

Auditing Transmission Paths

Map Out Every
  • Cable
  • Conductor
  • Wire
  • Fortuitous Pathway
  • Location Must Be Within Inches

Auditing Switching Systems

What is the Default Generic?
  • Actual Translation?
  • What is Different?
  • Is it Safe?
Always Reduce to Hardcopy Form

Auditing Secure Communications Systems

Tampering with Actual Instrument
Tampering with:
  • Uncontrolled Accessories
      Handsets, Cords Cables
      Power Supplies
Low Bandwidth (300 Hz) Filter Bypass
Proximity to RF Emitters

Prior Penetrations, Hacks, and Attacks.

Common Manipulations
Raw Hacking/Manipulations
Naked Attacks
Appropriate Counter Measures

VOIP Attacks

Extremely High Risk
  • Rarely Utilize Hook Switch
  • Open Microphone
  • Firmware Can Be Remotely Updated
  • Network Provides a Serious Choke Point

Mechanisms to Detect and Defeat VOIP Attacks and Exploits

Detection
  • Unregistered IP Address on VOIP NW
  • Non-VOIP Asset on VOIP Network
  • Hub, not Switch Being Used
  • Machine Being Used On Backbone
      Classic Man-in-the-Middle Exploit
  • Suspect Data Traffic on an Unused VOIP Phone Line
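
Added example (not part of the original slides): one way to turn the detection indicators above into an audit of what is seen on the voice network against the phone inventory. The inventory, addresses, port names, vendor prefix and idle-traffic threshold are all constructed or assumed for illustration.

```python
# Added example: audit voice-VLAN observations against the phone inventory.
# All addresses, ports, the OUI prefix and the idle threshold are constructed.
REGISTERED = {  # registered VoIP phones: IP -> MAC and whether the line is in use
    "10.20.0.11": {"mac": "00:11:22:aa:bb:01", "in_use": True},
    "10.20.0.12": {"mac": "00:11:22:aa:bb:02", "in_use": True},
    "10.20.0.13": {"mac": "00:11:22:aa:bb:03", "in_use": False},  # unused line
}
PHONE_OUIS = {"00:11:22"}   # hypothetical vendor prefix of the deployed handsets
IDLE_BYTES_MAX = 20_000     # assumed ceiling for keepalives on an unused line

# Constructed observations: (switch_port, src_ip, src_mac, bytes_seen)
OBSERVED = [
    ("gi1/0/1", "10.20.0.11", "00:11:22:aa:bb:01", 48_000),
    ("gi1/0/2", "10.20.0.12", "00:11:22:aa:bb:02", 51_000),
    ("gi1/0/2", "10.20.0.50", "de:ad:be:ef:00:01", 9_000),
    ("gi1/0/3", "10.20.0.13", "00:11:22:aa:bb:03", 120_000),
]

def audit(observed, registered=REGISTERED, phone_ouis=PHONE_OUIS):
    """Return (finding, subject, detail) tuples for the slide's indicators."""
    findings, macs_per_port = [], {}
    for port, ip, mac, nbytes in observed:
        mac = mac.lower()
        macs_per_port.setdefault(port, set()).add(mac)
        entry = registered.get(ip)
        if entry is None:
            findings.append(("unregistered_ip", ip, port))
        elif entry["mac"].lower() != mac:
            # Registered address answered by another machine: possible MITM.
            findings.append(("mac_mismatch", ip, port))
        elif not entry["in_use"] and nbytes > IDLE_BYTES_MAX:
            findings.append(("traffic_on_unused_line", ip, port))
        if mac[:8] not in phone_ouis:
            findings.append(("non_voip_asset", mac, port))
    # More than one MAC on an access port suggests a hub or inline device.
    for port, macs in sorted(macs_per_port.items()):
        if len(macs) > 1:
            findings.append(("multiple_macs_on_port", port, len(macs)))
    return findings

if __name__ == "__main__":
    for finding in audit(OBSERVED):
        print(finding)
```
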

Methods to Secure VOIP Systems

Utilize Smart Switches
Keep VOIP Terminals on Dedicated Networks and Gateways
Do Not Integrate in Data Networks
Lockdown Instrument Firmware
  • Disallow Firmware Updates

Cardinal Rule

Convenience and Privacy are Inversely Proportional™

Questions?

Thank You
