
IP Communication: The Risks Involved

PCQ Bureau

In our earlier issues, we talked about several communication solutions that work over IP: VoIP, video conferencing, telepresence, and even video surveillance. As these applications have migrated to IP, they have also inherited the potential risks associated with IP. Some time back, we talked about how VoIP conversations can be tapped with a simple man-in-the-middle (MIM) attack.


This time, we tried the same kind of attack on video conferencing devices as well as on video surveillance devices. The result we got was mind-boggling. Here, we will talk about how these IP communication channels can be compromised and how you can protect yourself against such attacks.

In Wireshark you can see all VoIP streams. To capture and publish these streams, click on the Analyze button.

Eavesdropping VoIP



To begin with, you have to understand the protocols and data flow pattern of a standard VoIP network. When someone picks up a VoIP phone and dials a number, a Session Initiation Protocol (SIP) stream is sent to the IP PBX. From here, the phone recognizes, connects and authenticates the other phone it wants to talk to. After this session, both phones establish a direct IP link between each other. Voice communication between the two takes place in the form of two streams (backward and forward) of RTP (Real Time Protocol). Each stream contains the voice generated from one end. So, if there is a conference call happening with three people, there will be three RTP streams, each carrying the voice from one end. Now, the problem lies with the RTP protocol. This protocol is not encrypted, and anyone can initiate a 'Man in the Middle' attack and capture the stream easily.

Let's test it through a simple hands-on. Take any two VoIP phones from a vendor and an IP PBX, and connect them all to a hub. We are not using a switch because, to intercept data on a switched network, you have to run an ARP spoofing tool, which is essentially a hacking tool, and we are not instigating you to hack into a network.


After you have connected all the VoIP devices, take a laptop, hook it on to the same network, and run Ethereal. Whenever someone speaks on the IP phone, start capturing the data by going to the Capture menu and selecting the appropriate network adapter. Let Ethereal capture the data till the phones are free. After that, stop the capture process, go to the Statistics menu and select the RTP submenu.

This will show you an option, 'Show All Streams.' Click on it and a new window will open. Here, you will see two different RTP streams. Select the streams one by one and click on the 'Analyze' button. This will open another window. Here, click on 'Save Payload' and a third window will open. Give the file a name, select the '.au' and 'forward' radio buttons, and save the file. Now you can play this file on any media player and listen to the confidential talks that might have taken place on the VoIP phone.

Wasn't it easy? Now the question arises: how can you protect yourself against this kind of attack? The answer is not very complex. All you have to do is find the correct devices and medium for yourself.

A very interesting free utility which can take any pcap dump file and start replaying it back on the network. A must-have in a hacker's collection.

There are two ways to protect your VoIP communications from getting tapped. The first is to make the channel or the medium secure, and the second is to make the data secure. This means that if you are connecting two VoIP terminals over a public and unencrypted medium like the Internet, you have to make sure the devices you are using support Secure RTP, or SRTP. SRTP is the encrypted version of RTP, and most enterprise-class phones have this feature. But of course, the price of such devices is higher than that of standard RTP-based devices.



As the other option, if you don't want to invest in high-end secure VoIP endpoints, you can use a VPN as the medium, so that nobody can intercept the medium itself.
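A way to check which of the two protections a call is actually relying on, given as an added example that is not part of the original article: the SDP body carried in the SIP setup names the media profile of each stream, so plain `RTP/AVP` media can be flagged before the call runs over an untrusted network. The SDP samples, addresses and function names are constructed for illustration, and the check goes slightly beyond the text by also requiring a keying attribute.

```python
import re

# Media profiles that mean SRTP; plain "RTP/AVP" is unencrypted RTP.
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}
KEY_ATTRS = ("a=crypto:", "a=fingerprint:")   # SDES or DTLS-SRTP keying

# Constructed SDP bodies (as carried in a SIP INVITE), not captured traffic.
SDP_PLAIN = """v=0
o=alice 1 1 IN IP4 192.0.2.10
c=IN IP4 192.0.2.10
m=audio 49170 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
"""
SDP_MIXED = """v=0
o=bob 1 1 IN IP4 192.0.2.20
c=IN IP4 192.0.2.20
m=audio 49172 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:<constructed-key-placeholder>
m=video 49174 RTP/AVP 96
a=rtpmap:96 H264/90000
"""

def audit_sdp(sdp):
    """Return one dict per m= line: media, port, proto, keyed, protected."""
    streams, session_keyed = [], False
    for line in (l.strip() for l in sdp.splitlines()):
        m = re.match(r"m=(\w+) (\d+)(?:/\d+)? (\S+)", line)
        if m:
            streams.append({"media": m.group(1), "port": int(m.group(2)),
                            "proto": m.group(3), "keyed": session_keyed})
        elif line.startswith(KEY_ATTRS):
            if streams:
                streams[-1]["keyed"] = True    # attribute of the last m= line
            else:
                session_keyed = True           # session-level, covers all media
    for s in streams:
        s["protected"] = s["proto"] in SECURE_PROFILES and s["keyed"]
    return streams

def unprotected(sdp):
    """Media streams that would travel as plain RTP."""
    return [(s["media"], s["port"]) for s in audit_sdp(sdp) if not s["protected"]]

if __name__ == "__main__":
    for name, sdp in (("plain", SDP_PLAIN), ("mixed", SDP_MIXED)):
        print(name, unprotected(sdp))
```

Streams reported here need either SRTP-capable endpoints or a VPN underneath them, which are the two options described above.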

Intercepting Video Conferencing



This can be done in exactly the same way as intercepting VoIP traffic. The only difference is that Wireshark cannot directly save the payload in a playable format, so you additionally have to use a tool called rtpplay, which comes with the RTP Tools package. You can download it from http://www.cs.columbia.edu/irt/software/rtptools/. Once you have downloaded and unpacked it on a Windows machine, save the RTP payload of the video stream that you captured from a video conferencing session. Follow the same steps as before except the last one: this time, save the payload as raw instead of au. Once done, you can run rtpplay on the file you just saved, like this:


C:\rtpplay.exe -v -T -f c:\path_of_the_payload_file -s dest_ip_address/dest_port/TTL

You can find the source port, destination port and destination IP from the Wireshark data stream.

This will start streaming the data that you captured. You can use it in two ways. One, you can keep sending the same stream to the device at the other end, making it blind. Or you can just play it back using any network media player, such as VLC, to view and listen to the recording.



To protect against such attacks, the best approach is to run such important video conferences over VPN networks only. Just remember this rule of thumb: if the discussion that is going to happen over the video conference involves any secrecy, don't go over public networks.


IP Surveillance: the movie effect



I am sure you have seen movies such as National Treasure or Die Hard 4. A very common thing the hackers do in such movies is blind the surveillance cameras. From now on, whenever you see such tricks, believe them to be true; you will also be able to do some of it after going through this article.

There are different types of surveillance cameras. Some use RTP and some use RTSP for sending out the picture streams. Because it runs over UDP, RTP is very easy to capture and replay. You can follow exactly the same steps that you used for capturing video conferencing streams and throw the capture back at the receiving units. For example, when you run Wireshark, it will show you the IPs and ports of the machine receiving the video feed. Note down the port and the IP and use them as dest_port and dest_ip_address in the rtpplay command.

If the camera is using RTSP, it becomes a bit tricky, but you can still do it by using a TCP replay tool instead of an RTP replay tool. Colasoft Packet Reply is one such tool, which can replay captured data from Wireshark. Just capture data from any IP surveillance unit and throw it back in a loop, and you will blind the camera.

On the other hand, protecting yourself from such attacks is only possible if the camera monitoring software is smart enough to check MAC IDs and the camera feed also carries a time stamp. Most good high-end cameras have such features. One such camera is D-Link's Securicam, which is reviewed in this issue. So whenever you are going to buy IP surveillance cameras, make sure to ask about the software capabilities and the time-stamping feature. Enable it, and keep a regular eye on the time stamp on the feeds. If there is any anomaly in the time stamp, such as the time running in loops or showing the wrong time, it means someone is trying to blind your camera.
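The check described above can also be automated on the receiving side. The following is an added example, not code from the article or from any camera vendor: it applies the same idea to the RTP header's sequence number and timestamp fields (an assumption; the article refers to the time stamp shown on the feed) and to the sender's MAC address. The packets, MAC addresses and class name are constructed.

```python
import struct

def rtp_packet(seq, ts, ssrc=0x1234ABCD, pt=96):
    """Constructed RTP v2 packet (12-byte header plus dummy payload)."""
    return struct.pack("!BBHII", 0x80, pt, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + b"\x00" * 4

def parse_rtp(data):
    """Return (sequence number, timestamp) from an RTP v2 header."""
    if len(data) < 12 or data[0] >> 6 != 2:
        raise ValueError("not an RTP v2 packet")
    _, _, seq, ts, _ = struct.unpack("!BBHII", data[:12])
    return seq, ts

class FeedMonitor:
    def __init__(self, camera_mac, window=64):
        self.camera_mac = camera_mac.lower()   # MAC enrolled for this camera
        self.window = window                   # tolerated reordering depth
        self.highest = self.last_ts = None
        self.seen = set()

    def check(self, src_mac, data):
        """Return a list of alert strings for one received packet."""
        alerts = []
        if src_mac.lower() != self.camera_mac:
            alerts.append("unexpected source MAC")
        seq, ts = parse_rtp(data)
        if self.highest is None:               # first packet sets the baseline
            self.highest, self.last_ts, self.seen = seq, ts, {seq}
            return alerts
        ahead = (seq - self.highest) & 0xFFFF
        if 0 < ahead < 0x8000:                 # newer packet (handles 16-bit wrap)
            if (ts - self.last_ts) & 0xFFFFFFFF >= 0x80000000:
                alerts.append("timestamp moved backwards")
            self.highest, self.last_ts = seq, ts
            self.seen = {s for s in self.seen if (seq - s) & 0xFFFF < self.window}
            self.seen.add(seq)
        elif seq in self.seen or (self.highest - seq) & 0xFFFF >= self.window:
            alerts.append("replayed or stale sequence number")
        else:
            self.seen.add(seq)                 # late but legitimate reordering
        return alerts

def demo():
    """Live feed of 10 packets, then the first 5 again from another host."""
    mon = FeedMonitor("00:11:22:33:44:55")     # constructed addresses
    live = [mon.check("00:11:22:33:44:55", rtp_packet(100 + i, 90000 + 3000 * i)) for i in range(10)]
    replay = [mon.check("66:77:88:99:aa:bb", rtp_packet(100 + i, 90000 + 3000 * i)) for i in range(5)]
    return live, replay
```

Plain RTP header fields and MAC addresses are not authenticated, so this is a monitoring aid; SRTP's authenticated replay protection or a VPN is what actually prevents a replayed stream from being accepted.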
