SOURCE BOSTON 2008 Copyright 2008, James M. Atkinson

Telephone Defenses Against the Dark Arts James M. Atkinson Granite Island Group

Telephone Vulnerability Basics 1. Instrument 2. Local Distribution 3. Local Switch 4. Demarcation/Network Interface 5. Transmission 6. Switching

Instrument Vulnerabilities 1.Speaker of Microphone Exploit 2.Installation of Foreign Device 3.Hookswitch Manipulation 4.Software/Firmware Exploits 5.Normal Operation Exploits 6.Moderate Protection, Easy to Subvert

Local Distribution Vulnerabilities 1.Wall Plates 2.Raw Wiring 3.Cross Connection Points 4.Normally Not Protected or Supervised

Local Switch Vulnerabilities 1.Cross Connections Points 2.Switch Inputs/Outputs 3.Switch/PCM Backplane 4.Parallel Channels 5.Switch Software/Firmware Exploits 6.May or May Not Be Protected

Demarcation/Network Interface Vulnerabilities 1.Ripe for Exploitation 2.Poorly Protected 3.Generally Accessible 4.Target Specific 5.Significant Choke Point

Local Transmission Network Vulnerabilities 1.Post Demarcation/NID 2.Before Switch 3.Easy to Isolate Single Subscriber 4.Open Terminals and Boots 5.Not Protected, Wide Open

Switching Vulnerabilities 1.Central Office 2.Used to Be Huge Buildings 3.Modern Small Scale Switching 4.Post 9-11 Logo Removals 5.High Value OVERT Choke Point CALEA and.gov targeting CALEA and.gov targeting 6.Usually Highly Protected

Transmission Network Vulnerabilities 1.Mostly Single Mode Fiber Optics 2.Accessible Pubic Pathways 3.Usually Well Marked 4.High Value COVERT Choke Point 5.Cable Vaults on Alarms 6.“Supervised” Against Breakage

Telephonic Integration Voice over IP Voice over IP Cable ModemsCable Modems Other Broadband ServicesOther Broadband Services ISDN ISDN Fiber Optic Internet Service Fiber Optic Internet Service EVDO EVDO Other Wireless Services Other Wireless Services

The Realistic Threat RF Device RF Device Hard Wired Recorder Hard Wired Recorder Wireless Intercept Wireless Intercept Software Manipulation Software Manipulation Other Methods Other Methods

Essential Tasks Conductor Inventory Conductor Inventory Pathway Mapping Pathway Mapping Known Electronic Metrics Known Electronic Metrics Re-Testing Against MetricRe-Testing Against Metric Open TestingOpen Testing Physical Inspection Physical Inspection

Auditing Telephone Instruments What Kind of Phones What Kind of Phones “Soft Under-Belly” “Soft Under-Belly” What Should It Normally Do What Should It Normally Do Is It a Risk?Is It a Risk? Is It a Threat?Is It a Threat? Hostile Manipulation?Hostile Manipulation? Feature, Hazard, or Risk?

Auditing Wiring What Wire is in the Walls? What Wire is in the Walls? What Wire is in the Ceiling? What Wire is in the Ceiling? Wall Plates? Wall Plates? Termination Points Termination Points Junction Points/Punch Blocks Junction Points/Punch Blocks

Auditing Wiring Conductor Maps Conductor Maps Signal PathwaysSignal Pathways Pair CombinationsPair Combinations Industry Standard Pin-OutsIndustry Standard Pin-Outs Color Codes?Color Codes? Conductor LengthConductor Length Fractions of an Inch Accuracy Fractions of an Inch Accuracy Non Linear Junction CombinationsNon Linear Junction Combinations

Auditing Transmission Paths Map Out Every Map Out Every CableCable ConductorConductor WireWire Fortuitous PathwayFortuitous Pathway Location Must Be Within InchesLocation Must Be Within Inches

Auditing Switching Systems What is a the Default Generic? What is a the Default Generic? Actual Translation?Actual Translation? What is Different?What is Different? Is it Safe?Is it Safe? Always Reduce to Hardcopy Form Always Reduce to Hardcopy Form

Auditing Secure Communications Systems Tampering with Actual Instrument Tampering with Actual Instrument Tampering with: Tampering with: Uncontrolled AccessoriesUncontrolled Accessories Handsets, Cords Cables Handsets, Cords Cables Power Supplies Power Supplies Low Bandwidth (300 Hz) Filter Bypass Low Bandwidth (300 Hz) Filter Bypass Proximity to RF Emitters Proximity to RF Emitters

Prior Penetrations, Hacks, and Attacks. Common Manipulations Common Manipulations Raw Hacking/Manipulations Raw Hacking/Manipulations Naked Attacks Naked Attacks Appropriate Counter Measures Appropriate Counter Measures

VOIP Attacks Extremely High Risk Extremely High Risk Rarely Utilize Hook SwitchRarely Utilize Hook Switch Open MicrophoneOpen Microphone Firmware Can Be Remotely UpdatedFirmware Can Be Remotely Updated Network Provides a Serious Choke PointNetwork Provides a Serious Choke Point

Mechanisms to Detect and Defeat VOIP Attacks and Exploits Detection Detection Unregistered IP Address on VOIP NWUnregistered IP Address on VOIP NW Non-VOIP Asset on VOIP NetworkNon-VOIP Asset on VOIP Network Hub, not Switch Being UsedHub, not Switch Being Used Machine Being Used On BackboneMachine Being Used On Backbone Classic Man-in-the-Middle Exploit Classic Man-in-the-Middle Exploit Suspect Data Traffic on an Unused VOIP Phone LineSuspect Data Traffic on an Unused VOIP Phone Line

Methods to Secure VOIP Systems Utilize Smart Switches Utilize Smart Switches Keep VOIP Terminals on Dedicated Networks and Gateways Keep VOIP Terminals on Dedicated Networks and Gateways Do Not Integrate in Data Networks Do Not Integrate in Data Networks Lockdown Instrument Firmware Lockdown Instrument Firmware Disallow Firmware UpdatesDisallow Firmware Updates

Cardinal Rule Convenience and Privacy are Inversely Proportional™

Questions? Thank You

Telephone Defenses Against the Dark Arts James M. Atkinson Granite Island Group