Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

HÄCKING CISCO PHONES! 2

Status
Not open for further replies.
hilarious, I watched all 54 minutes of it and seems that all manufacturers of IP phones have the same problem of vulnerability to deal with.
It also tells that a group of first class hackers took over a month to find this and needed unrestricted physical access to the phones to make it happen. They can do it from within the network as well but that also means access to the network.
I run IP phones and digital and I am not worried because if people come into my house then they might also just pick up the phone and dial.
I know that you are not for IP technology (seen in many posts) but I have to tell you that I took more Nortel systems out because people dialed into the mailboxes of people and used the DISA functionality to make $20,000 worth of phone calls than Cisco (nil so far) or any other manufacturer (also nil).
So the vulnerability they talk about in this video is real but having a default password of 1234 in Nortel is by far worse and can be exploited by people with far less technical know how and by just using a phone not thousands of $ worth of computer equipment and a half million dollar education in PC and networking.

Please do not see this as defending the arrogance of Cisco (or any other manufacturer) to say they fixed it and don't really do their job right but also that security problems are there for a lot longer than IP telephony and the worst is on old Nortel equipment as far as I am concerned.

Joe W.

FHandw, ACSS (SME), ACIS (SME)



Interrupt the silence only if you improve it by saying something, otherwise be quiet and everybody will be grateful.
 
That may be so but toll fraud is minor when it comes to compromising the internal security of a clients data network. I always educate my clients on the proper use of voice mail passwords, I set up Trivial password security and I set up two level of international toll restriction for the customer. One within the PBX and then with the local telco..

It will only be a matter of time if it has not already happened that access from outside the company happens. I hope you are responsible enough to advise your customers of the tremendous ricks they will encounter when installing such systems. I do which is why when my clients make a decision on a new phone system they are staying away from IP and VOIP based systems. I am going to show my high security accounts this video and let them make the decision for themselves.

I for one care to much about the welfare of my clients to risk their business just to make a sale. I never "Turn and Burn" a client.

"A phone is a phone and not a computer workstation".
 
We have over 300 clients, I would say close to 275 of them are now on ip systems and we have NEVER had an issue

Not once

Plus the cost savings of VoIP are so much that for you to steer them from it is almost like you taking money from their pockets.

I'm not a cisco fan one bit, even on our hosted platform we try not to sell the phones (unless they are demanded because I think the spa phones suck), but to tell a customer that they should continue to pay triple on their phone bill and not switch to sip trunks and to also lose out on all the great features like click to cll voicemail to email, being able to work remotely , linking offices together to shAre a phone bill to avoid a world renown hacker to hack their phone?

It would be easier for them to just monitor your pots lines at the pole

ddcommllc.com
Avaya/Toshiba/SyntelSolutions

ACIS

"Will work for stars
 
my friend, it's only a matter of time before this starts biting everybody in the butt. You're going to start seeing systems compromise like crazy once this really start getting out on the web.

"A phone is a phone and not a computer workstation".
 
have you ever even consider that this is so transparent that your customers current security issues with their data network may also be being caused by these phones and you're not even considering this app as a possible cause of their current problems. The responsible thing to do would be to send out a security alert to your clients but I suspect you're not going to because that would put you on the hot seat

"A phone is a phone and not a computer workstation".
 
you should then also tell them that they should stop using servers and computers alltogeher... I mean every laptop now has a mic so I guess that's a risk too?

we should just all go back to the 80's

honestly you just sound like someone who is unwilling to adapt.

I mean look at video rental stores

don't be the last one to try and board the ship



ddcommllc.com
Avaya/Toshiba/SyntelSolutions

ACIS

"Will work for stars
 
and like westi said I have heard much more incidents of people hacking into key systems to commit fraud then an ip system

hackers like the ones in a video are going to spend their time hacking into something that is going to translate into $$$

who is going to hack a phone for a month on the 1 in 1 million chance they are going to hear a conversation worth a penny?

it just doesn't make sense and I have never heard of a real life occurrence.



ddcommllc.com
Avaya/Toshiba/SyntelSolutions

ACIS

"Will work for stars
 
when told fraud several years ago became a serious issue in this town I immediately went to every single customer and made sure that their voicemail systems and toll platforms were up to date and honestly advise them of the security risk to their companies . Have you done the same thing for your customers?

"A phone is a phone and not a computer workstation".
 
of course, we only had one incident with toll fraud about 5 years ago and we had advised the customer plenty beforehand

don't get me wrong I was a big fan of the norstar and still think that Avaya should have continued the bcm, but the fact is that they didn't. we were a Nortel shop and we adapted to change.

change happens, the ones who adapt are the ones who survive.

if no one adapted in the Telco world we would all still be using these

Link

ddcommllc.com
Avaya/Toshiba/SyntelSolutions

ACIS

"Will work for stars
 
phoneguy610, I completely agree with you.

Our in-house system started as a Norstar, then a BCM. The systems were great, however when Avaya decided to abandon the product line, we jumped ship and moved to an in-house VoIP system.

VoIP can be reliable, secure and offer tons of new features and options that digital systems couldn't. The problem is there are so many people that feel that since they have a little bit of networking knowledge and can install these systems themselves. However because of this, they are completely unaware of the security requirements.

Just like Digital systems, VoIP systems have a set of requirements to make them secure:
[ul]
[li]VoIP systems should never be able to be accessed from the internet (via a public IP or port forwards). The exception is if you have SIP trunks. In that case, filters (both ACLs and SBC IP filters) should be in place.[/li]
[li]Passwords should be changed from default values (just like Digital systems).[/li]
[li]External Transfers should be restricted on AA scripts (just like Digital systems).[/li]
[li]Both the Call Server and Phone Firmware should be kept up to date (which BTW Cisco has corrected. The hacking method shown above has been corrected in the latest firmware)[/li]
[li]All external calls should be handled through a SBC[/li]
[li]Remote users should have their calls passed through a VPN (once again, no external traffic for the VoIP server).[/li]
[/ul]

As mentioned before, each system has their own security requirements whether its a digital or VoIP system. A digital system can be hacked just as bad as a VoIP system.
If installed correctly, a phone system can run great. The problem is unless people are aware of the security requirements, they shouldn't be involved with installing or maintaining them.

It's scary to see how many people have their system fully exposed their VoIP system to the internet because they are unaware. The same thing could be said if you had a poorly-installed Digital system. If you don't keep it up to date, and don't change the passwords, you could run into issues.

It is great to know there are so many types of systems out there and that people really have the option to choose the system that works best for them. VoIP offers a lot of flexibility and can offer a significant cost savings too if done correctly. We moved to a new system a few months ago and by moving to SIP trunks, it is saving us an average of $5200 a year. The system has also been running solid.
 
that's my point. Like you said most people don't know what they're doing. They think just because the equipment & Technology look similar to it. that is it.. They don't understand what you're doing and they don't have the experience or knowledge and they don't care. Then the company security systems get compromised. With the old systems the best you could do was told fraud. With these newer systems you can get into customers databases credit card numbers Social Security numbers confidential high-profile high security information and on and on.

with the legacy equipment the worst you could do was told fraud. this is precisely why I do not use patch panels I still use 60 61 10 blocks because I don't want to customers moving the cables around thinking they know what they're doing so they don't have to pay for a service call.

"A phone is a phone and not a computer workstation".
 
Well lets not jump ahead of ourselves here. I'm not aware of any phone system that holds that holds credit cards or SSI numbers, unless you are talking about a hosted VoIP system (which BTW all landline companies also have customer portals that has the same data available over the Internet). Exposed PCs are at a much greater risk of exposing data than a phone system.

All I am trying to say is VoIP is just as secure as Digital if installed properly. If not installed properly, ANY system can be at risk, whether it's digital or VoIP.

What customers have to do is really weigh what works best for them. For some, a standard POTS line is all they need, for others a full-fledged VoIP system can increase productivity and cost savings.

On a side note, Hybrid systems (such as the BCM) can be exposed if not properly installed. Want an example? take a look at the second page of this google search. Those are all BCM systems that are publically available over the internet.
 
I have yet to see a VoIP system that gives hackers access to ss numbers and credit card numbers lol



ddcommllc.com
Avaya/Toshiba/SyntelSolutions

ACIS

"Will work for stars
 
And if (as in the UK) PCI compliance is met, then credit card details aren't recorded and only stored in an encrypted database with no external access to the internet.

ACSS - SME
General Geek

 
IvNortel I think you need to do a little research into things instead of spreading these lies about to your customers. Phones sytems don't store Social security numbers, that's the back end DB and is no difference to a Option81 with a screen pop running.
How many people have a pc hooked up to a Legacy terminal? it's going to be far easier to compromise that and brute force a telnet session onto a old system than compromising a modern one?
Where are your email alerts telling you that a users account has had 3 password attempts and has no been locked out? Where are your text messages telling you that someone has attempted to log into your kit, or that the lines were breifly disconnected?
You get physiscal access to any part of the comms kit and you've already lowered your security, no matter what you use.
And if you that worried about VoIP, do a little reading on SIPS and TLS and see how that compares to ease dropping, with me just putting a splitter on an anlogue line.
As I said in another post, stop this bitterness and saying the whole world in wrong, as at some point, you'll end up on the scarp heap.

Robert Wilensky:
We've all heard that a million monkeys banging on a million typewriters will eventually reproduce the entire works of Shakespeare. Now, thanks to the Internet, we know this is not true.

 
I can;t believe that you all have missed the point. The CISCO phones are the avenues into the customers data bases. I am still wondering if any of you will even alert any of your clients to the potential hacking. After reading the posts I don't believe any of you will.

"A phone is a phone and not a computer workstation".
 
And he still doesn't get it **sigh**

ddcommllc.com
Avaya/Toshiba/SyntelSolutions

ACIS

"Will work for stars
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top