Presentation Material
Abstract
New video applications promise many exciting cost-saving benefits, but they also bring with them a host of security challenges and vulnerabilities. This session applies existing techniques for VoIP eavesdropping towards next generation attacks against Unified Communication technologies, such as intercepting and recording private video conferences, IP video surveillance systems, and other video collaboration technology. This presentation will focus primarily on informative and insightful live demos that show targeted video attacks and issues that put video application traffic at risk. We will focus on the following:
- First public demonstration of a new version of UCSniff - 3.0, a Windows port of the code, with enhanced video eavesdropping features. UCSniff 3.0 will be publicly released as a free assessment tool that will enable security professionals to more rapidly remediate video-based vulnerabilities.
- A new version of a second free assessment tool, “VideoJak,” with two new video exploits. We will demonstrate the ability to target a video session display with a user-selected video clip that is played against a targeted video phone. Next, a previously captured, “safe” video stream will be played against a targeted phone in a loop. This has exciting ramifications for IP video surveillance and security systems that monitor a room for activity and display to the user as a video application.
- A new free assessment tool, videosnarf, which takes an offline pcap as input, and outputs any detected video streams into separate avi video files. This is useful for capturing video sessions with other tools (ettercap, wireshark) and being able to play them at an attacker’s leisure.
- A surprise tip that we have learned through VoIP pentesting of production enterprise networks. This trick enhances one’s ability to target specific VoIP users clandestinely. Other VoIP goodness may follow this.
Note that all the tools to be demonstrated are open source and available to the security community at large, and that we do not distribute them in any commercial way.
AI Generated Summary (may contain errors)
The speaker discusses a security vulnerability in Cisco Unified Communications Manager (UCM) 7.1. Specifically, they found that with Gratuitous ARP (GARP) disabled, they couldn’t intercept Skinny messages and media from phones on the network. To defeat this, they developed a method called the “TFTP Man-in-the-Middle Modification Attack.”
Here’s how it works:
- Target an IP phone and create a target.txt file.
- Launch UCSniff with a new feature that modifies the TFTP configuration file downloaded by the phone during boot-up.
- Drop Keep Alive messages from the server to the phone, causing the phone to think it lost registration and re-register.
- Intercept the TFTP GET request for the configuration file and modify the GARP setting from “no” to “yes.”
- The phone downloads the modified configuration file, enabling GARP.
This attack takes less than 30 seconds and can be used to enable features on phones without being detected. The speaker emphasizes that this vulnerability can be remediated by following Cisco security best practices and turning on security features. They also demonstrate the attack in a video.
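A defender-side check for the in-transit modification described in the steps above, as an added example that is not part of the talk or of UCSniff: it compares the configuration file as stored on the TFTP server with the bytes captured at the phone's switch port and lists the settings that differ. The XML element names and both sample files are constructed for illustration and are not Cisco's actual schema.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample files; element names are illustrative, not Cisco's schema.
SERVED = b"<device><vendorConfig><garp>no</garp><webAccess>no</webAccess></vendorConfig></device>"
RECEIVED = b"<device><vendorConfig><garp>yes</garp><webAccess>no</webAccess></vendorConfig></device>"


def flatten(xml_bytes):
    """Map every leaf element path to its text so two configs can be diffed."""
    leaves = {}

    def walk(node, path):
        here = f"{path}/{node.tag}"
        children = list(node)
        if not children:
            leaves[here] = (node.text or "").strip()
        for child in children:
            walk(child, here)

    walk(ET.fromstring(xml_bytes), "")
    return leaves


def audit_delivery(served, received):
    """Return (setting, served_value, received_value) for each setting changed in transit.

    served:   bytes of the config as stored on the TFTP server
    received: bytes reassembled from a capture at the phone's switch port
    """
    if hashlib.sha256(served).digest() == hashlib.sha256(received).digest():
        return []  # byte-identical: nothing was rewritten on the wire
    try:
        before, after = flatten(served), flatten(received)
    except ET.ParseError:
        # Differing bytes that no longer parse are still evidence of tampering or corruption.
        return [("<unparseable>", None, None)]
    changed = [(k, before.get(k), after.get(k))
               for k in before.keys() | after.keys() if before.get(k) != after.get(k)]
    # Whitespace-only differences leave no changed leaf; report them rather than pass silently.
    return sorted(changed) or [("<non-semantic byte difference>", None, None)]


if __name__ == "__main__":
    for setting, old, new in audit_delivery(SERVED, RECEIVED):
        print(f"ALERT {setting}: server has {old!r}, phone received {new!r}")
```

Repeated sibling elements share one path in this sketch, so a version used against real configuration files would need to index them.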