In our earlier issues, we talked about several communication solutions that
work on IP: VoIP, video conferencing, telepresence, and even video
surveillance. As these applications have migrated to IP, they have also
inherited the potential risks associated with IP. Some time back, we talked
about how VoIP conversations can be tapped by a simple MITM (man-in-the-middle)
attack.
This time, we tried the same kind of attack on video conferencing devices as
well as on video surveillance devices. The result we got was mind-boggling.
Here, we will talk about how these IP communication channels can be
compromised and how you can protect yourself against such attacks.
Figure caption: In Wireshark you can see all VoIP streams. To analyze and save these streams, click on the Analyze button.
Eavesdropping VoIP
To begin with, you have to understand the protocols and data flow pattern of
a standard VoIP network. When someone picks up a VoIP phone and dials a number,
a Session Initiation Protocol (SIP) exchange is sent to the IP PBX. Through it,
the phone locates, connects to and authenticates with the other phone it wants
to talk to. Once the session is set up, the two phones establish a direct IP
link with each other. Voice communication between the two takes place in the
form of two streams (forward and backward) of RTP (Real-time Transport
Protocol). Each stream carries the voice generated at one end. So, if there is
a conference call happening with three people, there will be three RTP streams,
each carrying the voice from one end. Now, the problem lies with the RTP
protocol. This protocol is not encrypted, and anyone who can get in the middle
of the path can capture the stream easily. Let's test it through a simple
'hands on.' Take any two VoIP phones from a vendor and an IP PBX. Now connect
all of these to a hub. We are not using a switch, because to intercept data on
a switched network you have to run an ARP spoofing tool, which is essentially a
hacking tool, and here we are not instigating you to hack into a network.
Now, after you have connected all the VoIP devices, take a laptop, hook it
on to the same network, and run Ethereal (now known as Wireshark). Whenever
someone speaks on the IP phone, start capturing the data by going to the
Capture menu and selecting the appropriate network adapter. Let Ethereal
capture the data until the phones are free. After that, stop the capture
process, go to the Statistics menu and select the RTP submenu.
This will show you an option 'Show All Streams.' Click on it and a new window
will open. Here, you will see two different RTP streams. Select the streams one
by one and click on the 'Analyze' button. This will open another window. Here,
click on 'Save Payload' and a third window will open. Give a name to the file,
select the '.au' and 'forward' radio buttons, and save the file. Now you can
play this file on any media player and listen to the confidential conversation
that may have taken place on the VoIP phone.
Wasn't that easy? Now the question arises: how can you protect yourself
against such an attack? The answer is not very complex either. All you have to
do is choose the right devices and medium for yourself.
Figure caption: A very interesting free utility that can take any pcap dump file and start replaying it back onto the network. A must-have in any hacker's collection.
There are two ways by which you can protect your VoIP communications from
being tapped. The first is to make the channel or the medium secure, and the
second is to make the data itself secure. This means that if you are connecting
two VoIP terminals over a public, unencrypted medium like the Internet, you have
to make sure the devices you are using support Secure RTP (SRTP). SRTP is the
encrypted version of RTP, and most enterprise-class phones do have this
feature. But of course, the price of such devices is higher than that of
standard RTP-based devices.
If you don't want to invest in high-end secure VoIP endpoints, you can use a
VPN as the medium, so that nobody can intercept the medium itself.
Intercepting Video Conferencing
This can be done in exactly the same way as one intercepts VoIP traffic. The
only difference is that Wireshark cannot directly save the video payload in a
playable format, so you additionally have to use a tool called rtpplay, which
comes with the RTP Tools package. You can download it from
http://www.cs.columbia.edu/irt/software/rtptools/. Once you have downloaded and
unpacked it on a Windows machine, save the RTP payload of the video stream you
captured from any video conferencing session. Follow the same steps as before,
except the last one: this time save the payload as raw instead of .au. Once
done, you can run rtpplay on the file you have just saved, like this:
C:\rtpplay.exe -v -T -f c:\path_of_the_payload_file -s source_port dest_ip_address/dest_port/TTL
You can find the source port, destination port and destination IP from the
Wireshark data stream.
This will start streaming the data you have captured. You can now use it in
two ways. One, you can keep sending the same stream to the other end of the
link, making the device blind. Or you can just play it back using any network
media player such as VLC, and view and listen to the recording.
To protect against such attacks, the best approach is to hold important video
conferences over VPN networks only. So just remember the rule of thumb: if the
discussion that is going to take place over the video conferencing medium
involves any secrecy, then don't go over public networks.
IP Surveillance: the movie effect
I am sure you have seen movies such as National Treasure or Die Hard 4. A
very common thing the hackers do in such movies is blinding the surveillance
cameras. From now on, whenever you see such tricks, believe them to be true;
after going through this article you too will understand how some of it is
done.
There are different types of surveillance cameras. Some use RTP and some use
RTSP for sending out the picture streams. Because RTP runs over UDP, it is very
easy to capture and replay. You can follow exactly the same steps you used for
capturing video conferencing streams and throw the stream back at the receiving
unit. For example, when you run Wireshark, it will show you the IPs and ports
of the machine receiving the video feed. Note down the port and the IP and use
them as dest_port and dest_ip_address in the rtpplay command.
If the camera is using RTSP, then it becomes a bit tricky, but you can still do
it by using a TCP replay tool instead of an RTP replay tool. Colasoft Packet
Player is one such tool, which can replay data captured with Wireshark. Just
capture data from any IP surveillance unit and throw it back in a loop, and
you will blind the camera.
On the other hand, protecting yourself from such attacks is only possible if
the camera monitoring software is smart enough to check the MAC addresses of
the senders and the camera feed also carries a time stamp. Most good high-end
cameras do have such features. One such camera is D-Link's Securicam, which is
reviewed in this issue. So whenever you are going to buy IP surveillance
cameras, make sure to ask about the software's capabilities and the time
stamping feature. Enable it, and keep a regular eye on the time stamp on the
feeds. If there is any anomaly in the time stamp, such as the time running in
loops or showing the wrong time, it means someone is trying to blind your
camera.
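As an added example (not part of the original article or any vendor's software), the Python script below shows the kind of check the monitoring software described above can run on an incoming RTP feed: it parses the RTP fixed header introduced in the VoIP section, tracks sequence numbers and timestamps per SSRC, and flags a feed whose counters loop backwards (a replayed capture) or whose known SSRC suddenly arrives from a different source address. All packet bytes and source addresses are constructed inline, not captured from real devices.

```python
import struct

def build_rtp(seq, ts, ssrc=0x1234ABCD, pt=96, payload=b"\x00" * 160):
    """Construct a minimal RTP packet: V=2, no padding/extension/CSRC (RFC 3550)."""
    return struct.pack("!BBHII", 0x80, pt & 0x7F, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload

def parse_rtp_header(pkt):
    """Return the fields of the 12-byte fixed RTP header; reject non-RTP input."""
    if len(pkt) < 12:
        raise ValueError("shorter than the 12-byte RTP fixed header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    return {"pt": b1 & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc}

def detect_replay(packets, seq_slack=16):
    """Inspect (source, rtp_bytes) pairs in arrival order and return (index, reason)
    alerts. Per SSRC a high-water mark of seq/timestamp is kept: a replayed capture
    runs both backwards far beyond normal reordering (tolerated up to seq_slack),
    and a spoofed sender shows a known SSRC from a new source. Wraparound is modular."""
    state, alerts = {}, []
    for i, (src, pkt) in enumerate(packets):
        h = parse_rtp_header(pkt)
        prev = state.get(h["ssrc"])
        if prev is None:
            state[h["ssrc"]] = {"src": src, **h}
            continue
        if src != prev["src"]:
            alerts.append((i, f"SSRC {h['ssrc']:#x} now arriving from {src}, was {prev['src']}"))
            continue
        dseq = (h["seq"] - prev["seq"]) & 0xFFFF
        dts = (h["ts"] - prev["ts"]) & 0xFFFFFFFF
        seq_back = 0x10000 - dseq if dseq >= 0x8000 else 0
        ts_back = 0x100000000 - dts if dts >= 0x80000000 else 0
        if seq_back > seq_slack:
            alerts.append((i, f"seq went back {seq_back}: capture looped/replayed"))
        elif seq_back == 0 and ts_back:
            alerts.append((i, f"timestamp went back {ts_back} ticks while seq advanced"))
        elif seq_back == 0 and ts_back == 0:
            prev.update(h)  # genuine progress: advance the high-water mark
    return alerts

# Constructed traffic: a legitimate camera stream whose sequence number wraps at
# 65535 (must not alert), followed by the same packets thrown back in a loop.
LEGIT = [("10.0.0.7:5004", build_rtp(65520 + i, 3000 * i)) for i in range(40)]
REPLAYED = LEGIT + LEGIT

if __name__ == "__main__":
    print(detect_replay(LEGIT), detect_replay(REPLAYED)[:3])
```

With the constructed data the legitimate stream produces no alerts even across the 16-bit wrap, while the looped copy is flagged from its first packet onward until the replay catches up to within seq_slack of the high-water mark.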