
So, hello. Um, I'm very jet lagged. I only came in about a day and a half ago and I'm leaving again tomorrow night. So, yeah, I know. Woo. Woo. For really, really quick travels to America. Um, real quick, this isn't something I would normally do, but um, I wanted to say, I'm sure you're all aware that there's been a small bushfire issue down in Australia in the last couple of months. I know a lot of people in the states have um, like contributed and I know everyone sent their well wishes. Um, it has been really bad. I don't even live out in the communities where that's been really affected, but we've seen all the smoke.
It's been very scary and horrible. Um, so I would never normally do this. Um, if you go to that QR code, um, I'm sure lots of you have already been very kind and given your time and money. Um, and this isn't a thing you have to do, but if you go to that website that you can find behind the QR code, I realize I'm in a security conference and I promise this is not a malicious link before anyone thinks it. Um, that goes to a website that you may not have seen over here, which is um, it's called um, it's my shout and basically you can pay for products um, to uh, buy someone a
coffee, buy someone a beer, like buy someone a bed um, in a B&B because a lot of the communities that have been affected by bushfires are the rural communities which are dependent on tourism and of course nobody is going there at the moment. A lot of people have cancelled their holidays and now we have coronavirus. So, worth checking out if you want to buy someone a coffee cuz those guys and guys and girls are not doing so well. So, uh, yeah. I promise it's not a malicious link. I'm not I'm not phishing you. It's the first thing I would have thought. So, moving on to what I'm actually talking about today. I'm going to talk about a brief history
of phone hacking before VoIP was a thing because phone hacking is not new. Um, and depending on your generation and how long you've been in in tech for, it you you probably know some of this already, but I'm willing to bet at least a decent proportion of people in here are not aware of this. Um, I'm going to recap the basic tech principles of VoIP systems. Uh, you may know it, you may not and then we'll talk about some of the common attack vectors for VoIP. Now, this is the moment of truth to see if the sound started working. I'm going to show you a clip that you have probably almost definitely seen before, but we'll see if we get sound or not.
You're going to watch it anyway.
What city, please? Uh, Goose Island, Oregon, please. The number for Dr. Robert Hume, H U M E on Tall Cedar Road. Checking under Dr. Robert Hume, H U M E on Tall Cedar Road, I find no listing. What does that mean? He doesn't have a phone? I'm sorry, I have no listing. Oh, wait. Uh, uh, uh, Falken. Dr. Stephen Falken, F A L K E N at the same address. I find no listing for Dr. Stephen Falken, F A L K E N on Tall Cedar Road, Goose Island. Thank you.
No? Oh. Oh, there we go. Hello. Yeah. So, if you haven't seen that clip before, I'm sure a lot of people have seen WarGames. If you haven't, of course that's Matthew Broderick trying to um, do actually do some phone hacking. Now, in fact, you you may or may not know that is completely unrealistic unsurprisingly for a movie. Um, in fact, in um, that would not have been possible in the 1980s. Um, it would have been possible in the 60s. Uh, essentially um, payphones in the US anyway, um, the dial tone, uh, it was always dial tones first for emergency calling. So, you wouldn't have had to do that to get a dial tone. Um, there's a very big long write up of
that. There's so much critique of that clip online on YouTube. I'm not going to regurgitate it all, but suffice to say you could do that, but not in the 80s and definitely not now. But, you know, it's still a it's still a thing that we talk about is phone hacking and I like that clip. It's not going to start again, is it? Keep going. Thank you. So, let's talk about phone hacking and the history of phone hacking. The first phone hack, um, arguably what was the first hack ever, was actually in 1903, which was the telegram. It was done by this magician in the UK called Neville Maskelyne. Maskelyne. I've been practicing saying that name. Can't do
it. So, uh, Marconi, who of course is very very famous, made a lot of money from patenting telegram technology, actually managed to intercept signals when he was doing a demo and actually started joking around. He started putting the word rats into the signal and then started uh, actually doing like little ditties and was saying, "There was a young fellow of Italy who diddled the public quite prettily." And then was doing Shakespearean and things like that. Um, so Marconi unsurprisingly wasn't very happy. Um, and he didn't know where it was coming from. He was furious and it actually turns out that 4 days later um, this chap Neville, um, he actually uh, confessed in the Times cuz
of course this was 1900. So, um, um, this was the Reddit or the Twitter of that day and confessed that he had done it and his he justified his actions saying was for the public good. So, this may sound familiar, but 100 years ago. Um, uh, some people said he was a hooligan. Some um, and it was scientific hooliganism and it was an outrage. Um, but of course in fact, he was trying to disclose um, he was trying to disclose and prove that Marconi's invention wasn't 100% secure, which was some one of the claims he was making. It actually turned out that um, uh, Maskelyne was paid to do this by the Eastern Telegraph Company who weren't
very happy that Marconi's wireless uh, was basically going to ruin all the investment they'd made in uh, telegraph poles. So, there you go. We don't really change very much, do we? It's it's actually really cool. There's lots of other stories that are similar. Um, so that's kind of where the very, very, very early days of phone hacking. Then I think we skip a little bit. Of course, I could talk here about Enigma and decoding, but I'm not going to. I think that's very well known and it is intercepting signals, so we could argue it was phone hacking, but I want to go a little bit further than that and talk about phreaking. Now, phreaking really
started in the 50s. Um, phreak apparently comes from phone, free and freak. Um, I still feel like possibly it should be spelled F F F, P H R E E K. Just my take, but there we go. And it began when people realized that they could recreate the uh, the exact pitch of the phone routing signal. Now, the phone routing signal is different now, but at the time you could. I mean, typically phreakers were just using these things to make phone calls. Um, and some people use them for eavesdropping, but yeah. Um, I don't know why, but I just put like Barney and telephone. Sorry. Like some of these I I feel like um, my my GIF and meme game is
like not as strong as usual in these slides. I don't know. There's there's less phone related GIFs out there. Who knew? So, there you go. Um, I wanted to put some fun facts in about phreaking. Um, some people can whistle in a perfect uh, 2600 uh, MHz pitch. I have a video of it, which might work, hopefully. Um and uh, uh there was a whistle that they gave away in packets of Captain Crunch that you could actually it would actually emit the right pitch. So, um seriously. Um and so, people could do phreaking with a freebie out of Captain Crunch. There you go. Um a lot of if you're if you're familiar with phreaking and this was the
first thing I were aware of, some people actually made something called a blue box uh which was a really common way for people to manipulate things. Both Steve Jobs and and Woz uh they made blue box boxes at college. Um they're quite well known for having done that. Um it kind of um phreaking kind of dropped out of fashion uh well, you couldn't really do it when uh signaling became out of band as in it was actually separated from the main voice signal because you couldn't send signals down the phone line um that were part of the signaling. So, it kind of stopped in the '80s, but yeah, there's a nicer Captain Crunch whistle. So, if you do have some really old
phones, maybe you can uh play around with it. Interestingly, let's see if this works. I apologize for the bad quality of this clip. I like could not Is it going to go? I couldn't find anything better, but it's more about the sound.
If you had perfect pitch like blind phone phreak Joe Engressia, you could whistle calls through the network. I'll see if I make it this time. This is really hard to do. It sounded like all the tones were present, so it tone should be ringing about now. Okay, it hit the phone. It just takes a little while. He even showed off his skills for the local media. From his one phone to a town in Illinois and back to So, there you go. That's Joe Engressia who could actually whistle a perfect pitch. It's a cool party trick, I think. Um it doesn't work anymore, but it's cool, right? And yeah, sorry for the the sorry if that hurt people's ears, but
if anyone if anyone can do that, like please come show me afterwards. So, real quick. Um I don't know who here has worked with VoIP. As I said, I've spent a lot of time with VoIP. I'm pretty sure it's Stockholm Syndrome, but I'm still very fond of it. If you don't know how VoIP works, um moving on to more modern phones. Um a quick 101 is you have an IP phone. An IP phone will talk to um I've put call manager up here because I used to work with a lot of Cisco products, but any kind of other phone manager phone uh phone servers. Um it will signal uh when um it can't do anything.
These IP phones are really stupid. Like they can't do anything by themselves. So, an IP phone will talk to the call manager or whatever call server it is. It will say, "Hello, what do I do?" The call manager will tell it what to do. Um and then it will call another phone. So, it will say, "Someone's just dialed this number, what do I do with it?" The call manager will then give the IP of the other phone. It will basically resolve the phone number to an IP address, and then the uh voice stream will go in between. The voice stream never goes up to the server. The server just does signaling and tells the phones what to
do. So, it's actually very straightforward. Next, uh slightly different one we're going out to the ordinary phone network. Um an IP phone, if it wants to call a phone that is outside the VoIP system, it will talk to the call manager server again. It will say, "I don't know where this call this number goes to." Call manager says, "Ah, that's goes externally." It will go to your router or a voice gateway. Um and then it goes to your uh phone, and it flows. So, that's real real quick how this works. Oh, and the router, I realized like when I was doing this before, the router does also actually talk to the call manager, so yeah. Um some VoIP providers we've known
and loved, there's things like BroadSoft Cisco Avaya Mitel all kinds of things. Um so, I'm not going into those, but I'm sure you must have worked with some of those at some point. Um so, I just wanted to talk briefly cuz I realized my videos have taken too long and I just got the 5-minute signal. Damn. Um about some of the attacks. Um VLAN hopping, this is a classic VoIP attack. It requires physical access to the network. Um you're going and uh basically you just need to identify the voice VLAN number and then you start sending traffic into it. This allows you to eavesdrop on calls. Um I've done this one before. Um it basically requires you
to physically secure your network. You know, hard-coding MAC addresses, I know that's an awful thing to do, but in theory it does stop this attack. Um firewalling of phones in public areas, etc. Um again, struggling for phone-related GIFs here, so DDoS. Uh DDoS, of course, we can do with phones. It's actually known as TDoS, teleph- telephony denial of service. Um a guy who was um an iOS bug bounty hunter managed to TDoS the 911 in several cities a few years ago. Complete accident, but quite bad. Of course, you know, you don't want to TDoS 911. Not anywhere. Um Yeah, I mean it's um attacking DNS servers is always good for VoIP cuz VoIP needs to resolve to um
VoIP needs to resolve to DNS. Um and then of course, there's war dialing where you use machines um to just go through every single phone number. Um I mean, that's a little bit slow. It's not always considered DDoS, but um and I'm sure you've seen that in WarGames and other movies. Um again, I was struggling, so we're going to go for overflowing beer cuz why not? Um what was interesting was after 911 was DDoS, there were a lot which was by accident, there were actually a lot of copycat attacks of people doing it again and again on purpose, which is really really sick for night like for the emergency services. It's not cool, but um VoIP quick protocols, as you probably
know, if you've done any kind of uh um like uh eavesdropping or like Pcap on networks with this, VoIP protocols are often in the clear by default. SIP, RTP, H.323, MGCP, Skinny, most of these do have a secure version, but often it requires you to uh to at least have a certificate on every single phone, and people don't want to do it in general cuz it's difficult, so you will often find these things are in the clear. So, I mean like I mean, it's bad, but this is when they were developed, it wasn't a thing. Next thing we talk about is toll fraud. Toll fraud, and I'm really sorry if there was anybody in here from any of
these countries. I am not trying to have a pop at your country, but um the top five countries apparently at the moment to call using toll fraud are Cuba, Somalia, Bosnia and Herzegovina, Estonia, and Latvia. So, what people do is they will um change manipulate users or the configuration of a system to basically do long-distance calls for cheap. So, um I actually saw an example in a phone system I worked with where the um someone got into the phone system, uh did a call forward all to international numbers, which should have been blocked, but wasn't. And so, they would call the local number and then uh from their mobile, and then the actual company's call system uh phone system
would pick up the bill for the long-distance call. Um smart, but it should have been stopped with correct configuration. So, you know, bit of yeah, bit of fraud. Um this makes me sad because I was going to give out chocolate fish here. Um in New Zealand, where um I've spent a significant amount of my time living, uh we have chocolate marshmallow fish, and it's for phishing. Um they didn't turn up before I left Australia, so I do have koalas. I'm not going to be able to throw them cuz it's too dark. So, if you want chocolate and stickers, just come see me at the end. Um voice phishing, of course, is a thing. If there's anyone in here who hasn't been
called by a scammer from somewhere in the world, then I don't know what's wrong with you cuz that happens all the time. I felt like I needed to mention it for completeness. I'm not really going to talk about it cuz everyone knows about it. Um contact centers are interesting. Um contact centers use something called IVR. That that's the script, interactive voice response. Um I know it's not at all annoying, but in fact, those applications can handle really sensitive information. Um and so, you may have been transferred by a call center agent to put in your PIN or something like that. If those applications aren't configured properly, that information can be stolen and if it isn't cleared
away. So, if you're ever developing IVR applications, keep that in mind. Um SS7 hacking. SS7 is the signaling that's used throughout the PSTN network, the public network. Um Hacking Team in 2014, they uh they of course um came to prevalence uh when they were found out that they were using SS7 vulnerabilities to for their um for their products. Um and you know, we So, they were basically selling it to particularly brutal regimes. Not great. I know, this is just my favorite. I try and get it in everything. Um voicemail is super insecure. It's often one of the first things attackers will look for. Clippy is on this slide for no reason. Um and um the British celebrity voicemail hacking,
you might remember this. Um we called it hacking, it wasn't really hacking. It was it was basically journalists manipulating default PINs to get into uh celebrities' and other people's voicemails. The most uh sad thing about this was um you may or may not be aware that they actually broke into the voicemail of a teenager who was murdered. Um and because they accessed her voicemails, her parents thought she was still alive, which is obviously awful. So, but that's what that was about. They didn't really do hacking, they just well, arguably depends if you want to call it hacking or not. They were basically exploiting default pins in voicemail boxes. Um but very sad. Uh people went to jail and rightly so, I
think. So, I've gone through this at speed cuz I've completely messed up my timings, but why is VoIP still important? I'll put all of these up on the screen. VoIP technology still exists behind the scenes. We're all going to softphones, we're going to Teams, we're going to Slack. Um but VoIP is still behind there at least carrying your audio. So, you can find this in all your collaboration technology. So, have a look. It might be something you want to incorporate into your pen testing, risk assessment, etc. Um you might still be using SMS for MFA. Please stop that. Like it's broken. Um and um understanding how things work is always good. And I don't think we talk
about VoIP enough, and I'm very very fond of it. So, yeah. And this is my take a photo for link slide. Um there's a couple of um interesting articles up there that I was reading and using to create this presentation. Uh I will leave this up. Definitely watch the video there in the middle, which is how phone phreaking worked by The 8-Bit Guy. Super cool. Um and yeah, I think I'm about up for time. So, I'm going to leave it there. Thank you for listening. Um I hope that was just a little uh whistle-stop tour of VoIP stuff. And uh I think we have a bit of a gap, so I'll stay here, give out stickers, give you
chocolate. I have like 12 koalas, so you know, first come first served. And uh thank you very much, BSides. Um it's been lovely to be here.