I have to be honest, I'm super excited to be here. It's awesome to be back here in Las Vegas. The last time I was here, I spoke at DEF CON 17 and I was on a secret research mission and I just want to show you a secret image of that. I was invited up on stage, onto a dragged-up stage at Cirque du Soleil's Zumanity, and I was a part of the orgy scene and they tried to take off my pants. I didn't let them take off the pants, but it's just, I love Las Vegas because it's always that type of stuff that happens when you're out here. But seriously, on a more serious note, why am I here right now? I want to make this really, really simple. I found a VoIP protocol, I found a protocol exploit method. I found a vulnerability in a hotel and it was a clever physical thing combined with a protocol exploit method, and I want to share that with you in detail today. I want to talk about that, and when I found the vulnerability on a real production network, I thought the right thing to do was to let the hotel know, so I disclosed it to them anonymously and I let them know about it. But I want to share this information with you, and I'm also really excited to show off my VoIP Hopper tool, which is my security assessment tool that actually implements this exploit, so you're going to see the latest VoIP Hopper, which I'm going to release right now. So, first of all, I want to thank all you guys for being in this room right now. I want to thank my friends, my associates that are here, and let's talk about the agenda. I want to blow through this. I want to get to the actual vulnerability, but when I was researching this, it's something I'm so passionate about. What better place to talk about hacking hotel VoIP than DEF CON, right? You're probably in the best place in the world, where you have myriad luxury resort hotels, which is actually what I'm researching and what I'm talking about.
So, we're going to blow through some actual business case examples, because before we get to the technical part, I want you to understand the business context of what's going on here. First of all, what is VIPER? VIPER stands for Voice over IP Exploit Research, and what we are is a highly specialized VoIP pentest team. We do back-to-back VoIP pentesting, but we also have some other strategic missions. I'm the director of Sipera VIPER Lab, but we're also working on Lava, which is a vulnerability scanner for VoIP. We publish VAST, which is a Linux distro that has all of our open source tools on it, and that's basically what we're doing. The commonality with us in VIPER is that we're all passionate about voice over IP security and we love to learn. That's kind of a common thing in our lab. So, let's talk market-wise about what's going on with VoIP in hotels. In 2008, worldwide revenue was 869 million. By 2014, it's expected to explode to 2 billion. So the point here is that worldwide, revenue is growing, it's a growing market, and the second point is it's only in the luxury resorts, only in the most expensive hotels. It has not yet penetrated the mid-market, but it's expected to soon. So what I wanna talk about next is the benefits to the hotel of having VoIP. I wanna talk about the benefits to the guests from a business perspective, and then I wanna talk about what the benefits of VoIP security are. So, benefits to hotels: simplicity. These are the well-known benefits of VoIP in general. Simplicity of network management, saving on cabling costs, reduction of telecom expenses. You have ad and marketing revenue directly on the phones. You can do branding on the phones that are in the guest rooms, which is what we're talking about. You improve customer service, with increased revenue from customers coming back.
New VoIP applications provide a technology differentiator over your competition, and then you can use VoIP as a QA tool to improve customer service. And then also the obvious thing, rebuilding lost telephone service revenue from mobile phones, especially in international areas. An EU commission had found that the charges were inflated for international roaming. So here's a couple of slide points on this. VoIP over Wi-Fi in hotels. Increasingly, hotels are having these handsets and giving them out to guests, where poolside they can hit a button to order a product or service. Benefits to the guests. We have the obvious improved service. You can order room service from your IP phone menu, new products and services like the VoIP over Wi-Fi handsets. You have new and advanced calling features, and then you have cheaper calls. I mean, who doesn't want cheaper calls in their guest room when you don't want to use your mobile phone, when you're international or otherwise? It's increasingly becoming the norm that hotels that are using VoIP are allowing free calling, free domestic calling. So what are the VoIP security benefits for a hotel? It prevents unauthorized access into internal systems, protects hotel guests from things like eavesdropping. For the guests, it prevents eavesdropping on your private communications, like RTP media reconstruction, eavesdropping and trapping sensitive data. If you look at the SIP INFO method, you can actually trap banking IVR applications if you're calling your bank from your hotel guest room. Let's talk really quick about some case studies of VoIP in hotels. Peninsula Hotels, a five-star luxury hotel chain, 14 hotels globally linked. The basic thing was telecom cost savings. They used their global customer service center to route all the calls and had some cost savings there. So the Wynn, right here in Las Vegas, you guys have probably heard of the Wynn. It's improved customer service through VoIP, improving the guest experience.
Their strategy was to pamper and delight the guests. Each guest room has an IP phone, a beautiful little phone here, I found this. Here's a great quote: "As Wynn Resorts is showing, the entire organization can become a contact center. The phone is no longer just a communication channel, it's a form of customer service in its own right." Hotel 1000, downtown Seattle, deployed Cisco VoIP technology. They used a vendor called Percipia, which specializes in hotel IP telephony applications. They had multiple custom applications developed by Percipia. They have a video valet system. They have a condominium security entry application that uses IP cameras and pops up a picture of the user on the screen of the phone. And a VoIP application to detect guest preferences and set room preferences. So the video valet system is pretty cool. The guest sitting in the room basically hits a button on their Cisco phone. Everything is automatically routed. The valet guy has a Wi-Fi VoIP phone. He knows exactly where to go to get the car. He takes a picture of the car once he's picked it up and it goes directly up to the hotel guest's phone, and the guest knows that his car's ready. Here's a great quote from Hotel 1000, the people that are designing this network: "It is never just about bricks and mortar, nor is it about technical bells and whistles. It is about the experience that matters to the individual traveler. That is not the norm for most hotels." So if you're reading between the lines here, what you're seeing is that they're using VoIP to provide better guest customer service and to be a technology differentiator over their customers. Okay, now we're getting more into the heart of this issue. Now we're starting to get good here. So the heart of the problem that I'm talking about today is a VLAN traversal vulnerability, which is trivial to exploit and leads to unauthorized IP network access.
So the business risk is that hotels deploying VoIP have many benefits that they provide, but all deployments I've seen are at risk of unauthorized internal IP network access from the rooms through the guest phones sitting in the rooms, because these physical ports by default allow VLAN traversal, and I'm gonna talk in detail about what that is. So let's go back to 1999. This is actually the vulnerability, and part of my research is, I always give credit to people, and I think that we're kind of just trying to advance forward here, but there's a lot of people that have already done a lot of good work here. In 1999, IEEE 802.1Q unauthorized VLAN traversal weakness. You see here that by spoofing various Ethernet frame fields, you can gain unauthorized access, you can traverse from one VLAN to another. So Steve Shoup, Dave Taylor, 12 years later, this is what we're looking at right now. When Cisco PSIRT responded to this in 1999, they acknowledged the vulnerability. I could pull it up for you right now, and they recommended the best practice of disabling trunk ports that shouldn't be in use. Now remember this key line, disable trunk ports that should not be in use, because I'm gonna come back to that in a second. Here's some other researchers: @stake, Mike Schiffman, Black Hat USA, Sean Convery, Cisco white paper. So it's basically 1999 to 2002. Some great SANS resources. So VoIP Hopping, you've seen the title of this talk. What are we talking about here? I coined this term in 2007. I call it unauthorized VLAN access within a VoIP infrastructure that was not intended by the system design. And this business risk increases in areas with an inherent right to privacy, like hotel guest rooms, and poor physical security, like public access. Here's a little article that's on symantec.com right now, "VoIP Hopping, a Method of Testing VoIP Security." You can read a little bit more information about it. So back to what we said.
All best practices recommend disabling trunk ports for user access networks. But the irony is, for VoIP to work, some form of a trunk port must be used. That's a trunk port in the traditional sense, which is what I'm gonna talk about with this hotel case study. And then there's also the multi-access VLANs with auxiliary ports, which is the Cisco voice VLAN. So here's an overview of this benefit of having VoIP in your network. We have the blue cable that transmits. We have the benefit of VoIP that we're saving on cabling, because we're transmitting two logical VLANs over the same physical port. It's always allowed. That traffic is always allowed by default. We have easy provisioning for the IP phones, because we have protocol discovery mechanisms for the phones to automatically associate to the voice VLAN. And then we have easy quality of service. It's automatically and easily applied by the network administrator on the switch. So now I'm gonna actually step you through. There are two steps to this attack. It's the 802.1Q frame tagging attack, and this is what we do. We first have to learn the voice VLAN ID, okay? So what we're doing is we're gonna need to insert a 4-byte 802.1Q header into a standard Ethernet frame, and we have to have the 12-bit VLAN ID. We have to have that VLAN ID, those 12 bits, to put into the 4-byte header, to put into the standard Ethernet frame. We have to do that, because if we send the packet to the port, the switch is gonna discard the traffic unless we have the correct VLAN ID. So we need to have that VLAN ID. That's the important point here. There are multiple discovery mechanisms: CDP, LLDP-MED, which is a newer protocol, DHCP, and Nortel and Avaya. So here's the second part of this. Once we know the 12-bit VLAN ID, we're gonna actually spoof the tagged Ethernet frames, which is trivial to do using standard software. VoIP Hopper especially does this. So what we do is we create a virtual interface. Let's say the VLAN ID is 200.
We create eth0.200. And then if you look on your Linux PC, you have created a virtual interface, and then you send a DHCP request that's tagged with that voice interface. You're basically becoming the phone. And so all subsequent Ethernet frames are tagged with that voice VLAN ID. So I'm gonna show you an overview of what we're looking at here. Let's say that this is a hotel infrastructure network, okay? So the first thing we know is that the phones have, by default, access to the call control servers. Whether there's a firewall or whether there is not a firewall, they are always gonna have access to the call control servers, otherwise they can't place calls. We unplug the phone from the wall. We plug in our VoIP hacker ninja. So what is he gonna do? He's just gonna try and send packets out. He gets an IP address. He only has access to the guest VLAN. He only has access out to the internet. Let's say he gets crafty. He's like, I'm gonna sniff packets. I'm gonna learn the voice VLAN ID, or I'm gonna spoof CDP, okay? So now I know VLAN ID 200. I insert it into there. I create a virtual interface, and now it's the same thing as having the same access as a phone. So now I can tag my packets and I can send them and I have full access to the call control network, okay? So now I can sit all day long attacking the call control servers, which actually might allow me to penetrate further. And if they don't have a firewall, which a lot of organizations don't, going by the talk before this when he talked about separating the voice and the data, most customers that I see don't separate the voice and the data, right? So then you're gonna have access to the entire internal network, just by VLAN hopping. So back to what we talked about with Cisco. How do we, the Cisco PSIRT advisory in 1999, how do we reconcile this problem? Current best practices recommend disabling trunk ports in user access networks.
Yet the VoIP configuration requires 802.1Q trunking in these user access networks. That's the irony: in order for this to work, in order for convergence to work, we have to allow the two VLANs. And in these physically separated areas, take a look at this quote from Cisco: "Cisco is aware of VLAN spoofing attacks and recommends that customers apply best practices where possible to reduce the impact of such attacks on their networks." And then a little further down in the advisory: "The recommended configuration is to disable trunking everywhere it is not required so that tagged frames are discarded on ports not configured for trunking." Well, guess what? Like I said, in a hotel guest room, you do have to have trunking enabled in order for this to work. So that was 1999. That was 1999. This is 2012, 2011. Okay. I swear I haven't had that much to drink yet. I always like it when I'm the only person in the room that finds something funny, don't you? Okay, so now we're jumping into the hotel vulnerability. I was talking with a friend and telling her about the story, and it's funny, she was saying this is like a scene out of Ocean's Eleven or something. I mean, could this not be like a future movie that they make where, instead of doing all this fancy physical security, they just check into the guest room? They just check into the guest room, they have multiple colluders, and they're able to get access into the internal network and pilfer out the electronic cash or whatever. It's a funny idea. But I mean, you literally have like a doomsday type of scenario. So my story of the hotel: like I said before, I was sitting in a luxury hotel very recently that had IP phones configured in the guest rooms. So I wanna go into detail about the security controls that were in place, and a detailed description of the methods and how they were defeated.
So the first security control that we found: we tried to unplug the phone from the wall and plug our laptop in, and we tried to do the normal stuff that you would do in order to gain access to the network, and we had no access to the network. So it kind of became clear that the hotel administrators, security operations or whomever, kind of knew what they were doing, in that they were trying to apply security to prevent us from gaining unauthorized access. You couldn't just unplug and plug in as if you were a curious user. So the first thing that we saw is they did MAC address hiding. What they did is, on the back of the VoIP phone, they peeled off the MAC address, because it's kind of common knowledge in this type of scenario that we're talking about that you can spoof the MAC address of a phone, using standard software on your laptop, and gain access to the network when they're doing port security or MAC address filtering. So from the fact that they had peeled it off, we inferred that they knew about port security or MAC address filtering, and by hiding the MAC address they were trying to prevent us from spoofing the MAC address. So the second thing we noticed, once we had gone a little further, is that we had spoofed the MAC address, but we sent a DHCP request and the DHCP response timed out. So a casual, unskilled person would think, well, I can't gain access to the network. So some people could see that DHCP would kind of be a security control, in that it would defeat the casual people, and all the phones were configured with static IP addresses. So that's one of the things that we observed. So the next question becomes, if you were gonna gain access to the network and you're sitting in the guest room, how do you know the right IP address to use across the network where there's no IP address conflict?
So this is kind of one of the major things about VoIP Hopper that I'm gonna show you guys. When we just plugged in and had a sniffer running, we noticed that the trunk ports were leaking the VLAN ID, and what I mean by this is we were receiving 802.1Q tagged frames, Ethernet ARP packets that were tagged. So all we had to do was open up a sniffer, and we saw the VLAN ID that the phones were using, just by using a sniffer. So this was news to me, because I thought maybe this is some kind of misconfiguration, maybe they shouldn't do it. They had trunk ports configured, and as you know, with trunk ports, the broadcast domain, any broadcast type of traffic is gonna be forwarded out all the ports. So why were we receiving it? So I'm gonna talk about what the methods are, okay? So this summarizes kind of what it is. Let's take a look at this, okay? This is what we're doing here. We unplugged phone number one. The VoIP hacker ninja comes in, he disconnects the phone, he puts a sniffer on laptop number one. So he tells his friend, his colluder in the adjoining room, reboot that phone, man. So he reboots the phone. So when that phone boots up, it's always gonna send a gratuitous ARP, and it's gonna send an ARP, it's like a little signature. It's gonna send two ARPs, one gratuitous, one looking for its default IP gateway. So the packet comes across the broadcast domain, across the same VLAN that's shared, and he gets that. He gets the source IP and the source MAC of that phone. Now he statically configures his laptop with the IP address and the MAC address of that phone. So then what he does is he moves into the other room, because if they have port security, that phone is only gonna be allowed on that port in adjoining room number two. He configures offline, IP and MAC, then he attaches to the port. And so then we reattach phone number one, and at that point he has unauthorized access to the network. And he can ping the default gateway, so that proves that he has access to the network.
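The two pieces the speaker describes, the 4-byte 802.1Q header with its 12-bit VLAN ID and the tagged ARP frames a rebooting phone broadcasts, can be checked with a small decoder. The following is an added example written for this transcript; it is not VoIP Hopper code and not from the talk. It parses Ethernet II frames, pulls the VID out of the tag's TCI field, and reports every tagged ARP frame seen on a capture, marking the gratuitous one (sender IP equals target IP). The frames it runs on are constructed inline to mimic a phone reboot (phone MAC, IP addresses and VLAN 200 are assumptions); a defender can run the same function over frames read from a real capture on a guest-facing port to confirm whether the voice VLAN is leaking there.

```python
"""Decode 802.1Q tags and flag tagged ARP frames that leak a voice VLAN ID.

Added example for this transcript, not code from VoIP Hopper or the talk.
The sample frames at the bottom are constructed, not a real capture.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_8021Q, ETHERTYPE_ARP, ETHERTYPE_IPV4, ARP_REQUEST = 0x8100, 0x0806, 0x0800, 1


@dataclass
class Frame:
    dst: str
    src: str
    vlan_id: Optional[int]  # 12-bit VID from the tag, None when untagged
    ethertype: int
    payload: bytes


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_frame(raw: bytes) -> Frame:
    """Split an Ethernet II frame; if the EtherType is 0x8100, consume the 4-byte tag."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (etype,) = struct.unpack("!H", raw[12:14])
    vlan_id, offset = None, 14
    if etype == ETHERTYPE_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", raw[14:18])
        vlan_id = tci & 0x0FFF  # low 12 bits are the VID; PCP/DEI sit in the top 4
        offset = 18
    return Frame(mac_str(dst), mac_str(src), vlan_id, etype, raw[offset:])


def parse_arp(payload: bytes) -> dict:
    """Decode a 28-byte Ethernet/IPv4 ARP packet into its fields."""
    if len(payload) < 28:
        raise ValueError("truncated ARP packet")
    return {
        "op": struct.unpack("!H", payload[6:8])[0],
        "sender_mac": mac_str(payload[8:14]), "sender_ip": ip_str(payload[14:18]),
        "target_mac": mac_str(payload[18:24]), "target_ip": ip_str(payload[24:28]),
    }


def find_tagged_arp(frames: List[bytes]) -> List[dict]:
    """One record per 802.1Q-tagged ARP frame. Seeing these on a guest-facing
    access port means the port forwards the voice VLAN's broadcasts, so the VID
    and a live phone IP/MAC pair are being handed to whoever plugs in."""
    findings = []
    for raw in frames:
        frame = parse_frame(raw)
        if frame.vlan_id is None or frame.ethertype != ETHERTYPE_ARP:
            continue
        arp = parse_arp(frame.payload)
        findings.append({
            "vlan_id": frame.vlan_id,
            "sender_ip": arp["sender_ip"],
            "sender_mac": arp["sender_mac"],
            # gratuitous ARP: the sender announces its own address (sender IP == target IP)
            "gratuitous": arp["op"] == ARP_REQUEST and arp["sender_ip"] == arp["target_ip"],
        })
    return findings


# ---- constructed sample frames (assumed addresses, not a real capture) ----
def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    hdr = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, op)
    return hdr + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)


def build_frame(dst: str, src: str, etype: int, payload: bytes, vlan_id: Optional[int] = None) -> bytes:
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vlan_id is not None:  # PCP 5 (voice), DEI 0, then the VID
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, (5 << 13) | vlan_id)
    return hdr + struct.pack("!H", etype) + payload


PHONE_MAC, PHONE_IP, GW_IP = "00:11:22:33:44:01", "10.0.200.15", "10.0.200.1"
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
SAMPLE_CAPTURE = [
    # phone reboots: gratuitous ARP, tagged with voice VLAN 200
    build_frame(BCAST, PHONE_MAC, ETHERTYPE_ARP, build_arp(ARP_REQUEST, PHONE_MAC, PHONE_IP, ZERO, PHONE_IP), 200),
    # then it asks for its default gateway, still tagged
    build_frame(BCAST, PHONE_MAC, ETHERTYPE_ARP, build_arp(ARP_REQUEST, PHONE_MAC, PHONE_IP, ZERO, GW_IP), 200),
    # an untagged guest-VLAN IPv4 frame, which the detector ignores
    build_frame(BCAST, "aa:bb:cc:dd:ee:01", ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19),
]

if __name__ == "__main__":
    for finding in find_tagged_arp(SAMPLE_CAPTURE):
        print(finding)
```

If this function reports anything when fed frames captured on a port that a guest can reach, the switch is doing exactly what the talk describes: forwarding voice-VLAN broadcasts out an access port. That is the condition to fix on the switch side, independent of whether port security or MAC filtering is also in place.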
So now I wanna, VoIP Hopper is like a passion of mine. It's a tool that I started writing in 2006, 2007. And I'm really excited to show the new version of VoIP Hopper here. I wrote a new feature called assessment mode. And what I wanna do with this is, it's a CLI mode that you go into and you can pass individual commands, so I can start building new features. Some of the new features are: it has LLDP-MED dissector support, so it dissects LLDP-MED. It spoofs LLDP-MED. It has an ARP and 802.1Q dissector for a new way of learning the voice VLAN ID. And it does automatic VLAN hop based on the first learning mechanism. So you don't even have to know what you're doing. You launch VoIP Hopper assessment mode. It automatically VLAN hops for you based on the first protocol method that's provisioned in the environment. And then it actually automatically VLAN hops and then automatically, passively records the IP and MAC of every single phone on the VoIP VLAN. So you can use this as a pentest tool to store off and learn all the phones, and it's non-intrusive. It doesn't send any ARP packets, it doesn't do any type of ARP poisoning or anything like that. It just listens for the traffic. And I also fixed many issues with the integrated DHCP code. So let's take a look at the screenshots of this really quick. This is showing kind of what you get when you type the help menu; you've got many different options that you can do. Here's a screenshot showing LLDP-MED spoofed. So we hit one key, M, and we spoof it and we are able to dissect the packet. We're actually spoofing the phone. By default, LLDP-MED does not allow you to learn the VoIP VLAN ID. See, it's a little different than CDP. CDP advertises the VoIP VLAN ID to anyone that attaches to the switch port. LLDP-MED will not. But if we spoof the TLV network policy, we basically tell the switch that we're a phone, and then we get the VoIP VLAN ID via LLDP-MED.
Okay, so this actually makes it really, really easy to run. Like I said, I'm actually describing the automatic VLAN hop: on the first method that's seen by VoIP Hopper, it will automatically VLAN hop and send a DHCP request. Like I said, there's a passive ARP sniffer after the VLAN hop that silently logs and records the phone's MAC and IP from the ARP traffic, and it logs it to a file. Okay, another thing: if DHCP is disabled, one of the things we saw in this hotel case study, when DHCP was disabled, it would time out. Well now, we time out and then VoIP Hopper automatically sets a fake static IP, and then automatically starts sniffing for the phones on the VoIP VLAN. And then once we learn these phones, we can select from an index, we can select from a menu which phone we want to spoof. And then another feature I saw which was useful for a VoIP pentest: I was getting a flood of LLDP-MED traffic on the network, and I was getting all the phones, learning information about the phones. And so I wrote a feature that basically records all the LLDP-MED packets and puts them away in an inventory in a file, myassessment.txt. Yeah, so I had a guy in VIPER who was helping me out a lot on some real low-level stuff, and I think Tom did this, but it's time to actually show the demo of VoIP Hopper. It's the best part here, so we're doing good. Can you see here? Yeah, okay, so I have the screen here for VoIP Hopper and I'm just gonna launch it and let's just see what happens on the network. Let's just see what happens for the first method that's discovered. What's that? Can you hear? Enlarge the what? Oh, the font, there we go. Okay, is that a little better? All right, so we automatically discovered the VoIP VLAN, we kind of missed that part, but you see here, CDP was the first mechanism that was seen and it automatically VLAN hopped. We didn't have to do anything, and then it's capturing the ARP packet. So I wanted to also tell you, I have a real VoIP-powered network here.
I've got two of these cutting-edge Cisco 9900 series phones, and this is just to simulate a hotel network where we have four phones on the same VLAN. So I'm gonna actually have VoIP Hopper now delete that interface, and we're gonna launch it again. And so right here, I can spoof a CDP packet and automatically VLAN hop there. Now let's spoof an LLDP-MED packet. Okay, so I automatically gain access to the network there, and then let's show, these are just the basic features that I talked about. Let's disconnect and connect to, I have a monitor SPAN session set up, because when I did this internal VoIP pentest, this is just happening, it's just automatically doing it so fast here. Okay, so what I'm doing here is I'm just listening for the LLDP-MED endpoints to send me traffic. Okay, so there it was here. When I did this internal VoIP pentest, I was suddenly just getting all these LLDP-MED packets. So I wrote this feature because, if I happen to receive the packets, which I shouldn't, because LLDP-MED should only be sent from endpoint to switch, I shouldn't be receiving that traffic as well. So I wrote this feature that any time I got LLDP-MED, I could inventory all the phones. So you see here, it's a growing list of the phones. So that kind of shows off the beginning part of this, but this is not the fun part, because I actually wanna simulate what we saw in the hotel case study. So I'm gonna reconnect to that port and we're gonna make this a little bit more difficult and fun now. Okay, so we're gonna get into the switch, and also for all the uber hackers out there that are trying to hack my switch, I just wanna go ahead and show you my passwords: cisco, cisco123. So anyone trying to get in, just go for it, man. Okay, let's turn off CDP and let's turn off DHCP. We're gonna make this fun. And now let's reboot the laptop. So now we're gonna do exactly what we saw in the hotel network. And now we're gonna have, actually, we're gonna have a colluder here.
So I'm actually gonna need a volunteer. We're gonna need someone that's gonna be another VoIP hacker ninja. Can I get some hands for someone that would like to come up on stage and help out with, sorry, man. You right there? So can we get some audio? I don't hear the audio. We need the special effects here. What's your name, man? Ryan. Ryan. Let's do this, man. Are you ready to do this? Yeah, I think so. You're ready? Yeah. Okay. This is gonna be your phone over here, Ryan. Right? So we're in the room together. I think we're ready to go. Okay, you don't touch anything right now. I'm gonna give you the instructions on what to do. Yeah. All right. Because this is something you just don't mess around with, right? So what happens in the hotel is that if you don't do things the right way, security comes knocking on the door, right? And I'm just gonna write it out, I'm gonna say it was Ryan's fault. Okay, so you guys see this here. I don't have anything, especially when I don't type the great command. So I've got ifconfig, I've got nothing, right? So what are we gonna do, Ryan? What we're gonna do is I'm gonna control the laptop, and I've got the sniffer attached already to this guy right here. So with static IPs, I see less ARP traffic. It seems, okay. So let's go ahead and configure. Okay, so we've got VoIP Hopper running. So Ryan, what I want you to do is reach into the back of the phone and just unplug port one and plug it back in. You plugged in port one? Nice, Ryan, that's awesome, man. Give him a hand for it. But that's right. You want a beer, man? I had some. So what's happening here is VoIP Hopper first needs to learn the VLAN ID before it VLAN hops. So when your phone boots up, we're probably gonna get something here in a second. So let's just wait around. So we're just sitting in our hotel room drinking a beer. So like I said, that broadcast gratuitous ARP and then the broadcast looking for its default gateway, VoIP Hopper picks that up.
See, we got the 802.1Q VLAN header. We learned the VLAN ID. Now what's happening is, let's watch this. It's gonna time out on the DHCP, because that also has to happen before the ARP sniffer starts listening for the new phones. So, minimum timeout, 20 seconds. There we go. Okay, so now we're listening. Now the ARP sniffer. So I want you to reboot it one more time. Nice, good job, man. You were like the most enthusiastic guy. That's why I had to pick you as my assistant. Okay, so it's gonna take a second here. What's happening is, like I said, the ARP sniffer is detecting all the phones on the network. So when we reboot, we use the phone as a reboot tool in order to learn all the IP phones, the MAC address, the MAC and the IP of the phones. The question was, why don't we use a hub? We could easily use a hub. We could easily use a hub, and we could also use port two on the phone. We could connect directly to port two on the phone and learn the MAC address. What's that? No, I'm not. You want to see this guy up here, though. You want to see this guy up here. No, I'll get to that in a second, but what do we see here? We learn the IP and the MAC of the phone, right? So we see here that this is probably the phone and the other one's the gateway. So before we do anything here, let's take a look at this. Okay, so I've got the, and my MAC address is this right here. And let's test, let's try pinging something here. We got nothing, right? So let's go ahead and spoof this, right? So Ryan, what we're gonna do is, I'm gonna do this, but I want you to unplug the phone from the wall, because now I'm swapped over. So go ahead and unplug the phone permanently. Okay, now I'm gonna spoof this phone. Good job, man. Now what do we see? We've got the IP address of the phone set statically. We've got the spoofed MAC address. And now we have access. Not only that, let's just scan the network. This is what we do, right? There we go. Four devices on the network. Give a hand to this guy.
Unauthorized access to the network. So this innocent little VoIP Hopper versus the hotel, who won? So in summary, I just wanna summarize this. What happens when you physically control two or more phone ports? Are people really thinking about this? We have a potential coordinated attack from trusted ports by virtue of just checking into the hotel guest room. Key assumptions are that you have to be members of the same broadcast domain. That's why we get adjoining rooms. The point is that for VoIP QoS and convergence to work, you usually need both VLANs allowed. The risk of VLAN hopping has been known for years. That's not what this talk is about. I'm trying to advance the idea about the risk of VLAN hopping in environments that require trunk ports in user access networks. The impact in the case study with the hotel that we're talking about, every time I talk about this, I have to be really careful. The impact at this hotel is that it enables UC-specific attacks against the VoIP network, like eavesdropping, and it enables potential unauthorized access to internal core services and systems. It could represent critical business impact. An attacker sitting in the privacy of his room could spend all the time he or she wants penetrating further. What I'm seeing is that hotels have very low awareness about this issue. It's not just some of them, it's all of the hotels I see that have this issue. That's why I'm here. Talking about VoIP Hopper, the way it was born in 2007: I did an authorized VoIP pentest and then I wrote VoIP Hopper, and that was the result of this. The customer said you can't get access from the voice network to the data, and we got in, we got into the servers, and we showed that. So physical security is compromised here, and it's a unique situation for the hotel rooms. Security controls need to compensate for this, and that's why you look at things like 802.1X. Everyone says when you have physical access to something, it's game over, right?
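The summary above boils the hotel case down to one observable: a phone's MAC and IP end up on a second port in the voice VLAN while the real phone is unplugged or reattached elsewhere. A switch's MAC address table records that. The example below, added here and not part of the talk or of VoIP Hopper, diffs two snapshots of a MAC table and reports voice-VLAN entries that moved ports or vanished between them. The snapshots are constructed text laid out like Cisco IOS `show mac address-table` output (an assumption about the column layout; adjust the regular expression for other switches), with VLAN 200, the MACs and the port names all made up for the demonstration.

```python
"""Diff two MAC-table snapshots to spot a phone MAC re-learned on another port.

Added example for this transcript, not code from the talk or VoIP Hopper.
The snapshots are constructed in the layout of IOS 'show mac address-table'
output; the regex is an assumption about that layout.
"""
import re
from typing import Dict, Tuple

VOICE_VLAN = 200  # assumed voice VLAN, matching the talk's eth0.200 example

# columns: Vlan, Mac Address (xxxx.xxxx.xxxx), Type, Ports
ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I)


def parse_mac_table(text: str) -> Dict[Tuple[int, str], str]:
    """Map (vlan, mac) -> port for every table row; headers and rules are skipped."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            table[(int(m.group(1)), m.group(2).lower())] = m.group(3)
    return table


def diff_voice_vlan(baseline: str, current: str, vlan: int = VOICE_VLAN) -> dict:
    """Report voice-VLAN MACs that changed port or disappeared between snapshots.

    The attack in the talk ends with one phone's MAC learned on the adjoining
    room's port (a move) while the phone that was unplugged drops out (vanished).
    Either alone is ordinary churn; both together on the voice VLAN is worth a look.
    """
    before, after = parse_mac_table(baseline), parse_mac_table(current)
    moved, vanished = [], []
    for (v, mac), old_port in sorted(before.items()):
        if v != vlan:
            continue
        new_port = after.get((v, mac))
        if new_port is None:
            vanished.append(mac)
        elif new_port != old_port:
            moved.append((mac, old_port, new_port))
    return {"moved": moved, "vanished": vanished, "suspicious": bool(moved and vanished)}


# constructed snapshots: two guest-room ports, one phone each, plus a guest laptop
BASELINE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 200    0011.2233.4401    DYNAMIC     Gi1/0/1
 200    0011.2233.4402    DYNAMIC     Gi1/0/2
 300    aabb.ccdd.ee01    DYNAMIC     Gi1/0/1
"""

# after the scenario in the talk: phone 1's MAC now shows up on room 2's port,
# and room 2's own phone is gone because it was unplugged
AFTER_ATTACK = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 200    0011.2233.4401    DYNAMIC     Gi1/0/2
 300    aabb.ccdd.ee01    DYNAMIC     Gi1/0/1
"""

if __name__ == "__main__":
    print(diff_voice_vlan(BASELINE, AFTER_ATTACK))
```

Polling the table this way catches the static-IP, spoofed-MAC variant that defeats DHCP-based controls, because the switch still has to learn the MAC somewhere. It does not replace a port-level fix, but it gives operations a signal that port security and MAC hiding on their own never produce.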
But that's the irony there, like I said: in the hotel guest rooms, guests have physical access to the phones, because it's a business benefit to use the phones. Otherwise, why even have the phones there? Okay, I started doing some fun little research on this, because I wanted to know who these people putting in these networks are. Who are these people recommending best practices? So a couple of vendors turned up. This is with Hotel 1000 in Seattle. Valchros was the trusted Cisco partner that put in the network, so I wanted to ask Valchros, hey, what best practices did you recommend when you put in Hotel 1000? I was like a little investigative journalist, but I found that they no longer had a web server, so I didn't get too far on that one. With Percipia, though, they're the trusted, look here, "Percipia Networks is the most widely used and trusted name in hotel IP phone applications." So I sent them an email. I'm not sure if you can see this, but I said I was wondering what your best practices are, do you have a security solution that can help prevent unauthorized access from hackers breaking into the internal networks from hotel guest rooms? I got no response from Percipia, a little disappointed in that, it would have been kind of fun. Okay, so another little thing that I did, a little fun thing, is I decided to do a little survey of hotels. It was kind of like a social engineering survey, just a survey to find out what was going on in the marketplace. So I had a research assistant basically find 100 of the most expensive, luxurious resort hotels in the world, and call them up and find out, A, do they have VoIP in the hotel guest rooms, and B, what was their price? So as a result of this, there was 20% international, it was like Paris, London, Tokyo, Monte Carlo, and then 80% domestic, mostly like Las Vegas casino hotels.
And the script went like this: my boss has a strong preference for hotels with VoIP as he really likes the service and convenience of these phones. Does that sound kind of suspicious to you? Like your boss has a fetish for IP phones, he's going to curl up really close with his pillow; that's just disturbing. So the result was kind of surprising to me: only eight out of 100 hotels were confirmed to have VoIP in the guest rooms, and the average room price was $655. So I got this nice list, it's really cool, a nice spreadsheet. It'd be interesting a few years from now to research this again and find out where the market is on this, because this is a passion of mine; I started this in 2007 and now we are in 2011. It would have been interesting to do this back then.

Oh, now here's the typical response. I actually took the audio from one of the conversations, and I'm going to play it to you. Can I make sure the audio works on this? I assume so. So listen here. "Okay, I just have one more question. My boss has a preference for hotels that have voice over IP. He likes the convenience and special features of this type of phone, so do you provide those in your guest rooms? It's VoIP, voice over IP phones. It's just like an internet phone." You can't hear any of that; you can't hear the audio of the other person. Well anyway, she says, oh, not quite sure if our phones do that. I don't know what's wrong with the clip right now, but I'm not hearing that. Okay, you can't hear it, but she comes back on the phone and she says she checked with her... she's real sweet too. Okay, that's sweet, so there would be... She checked with her IT director and they do have IP phones. I mean, that's straight from the IT director: we have IP phones in the guest rooms.
I just thought it was interesting to see how the hotel reservation specialists interpret the question of voice over IP, and like I said, most of them had no idea what voice over IP was; they always had to check with someone. That's the point of the exercise.

So, last little segment here: voice VLANs as trunk ports. When I started building out this feature of VoIP Hopper, because the issue was a non-Cisco environment, I had to build the feature for the 802.1Q ARP dissector, and I saw this tagging thing was happening even in Cisco networks on their Ethernet switches. So I went back through all the internal VoIP pen tests and looked at the PCAP traces that I had saved, and I found that they all indeed did this, and this is the Cisco voice VLAN. So in summary, the Cisco voice VLAN operates just like a trunk port when you're doing a standard trunk port. So I sent this notification to Cisco PSIRT, because I want to work together and I want to help improve security, and we're still working together on it, but the subject is "Cisco IOS advertises voice VLAN ID by sending tagged frames to switch access ports." Cisco PSIRT looks like they have really good awareness of this and they're working on it. So hopefully they'll come up with a solution that helps protect customers, and that's the whole point of why we're here. But voice VLANs as trunk ports, it's an interesting thing. It's called a multi-VLAN access port with auxiliary VLANs. That's what the voice VLAN is, and Cisco says it's not officially a trunk port. I'm going to skip over LLDP-MED because the stuff that really makes me passionate is talking about this hotel VoIP security. So I want to just skip along to the end here, because we only have a few more minutes left.

So, mitigations. Don't do this: don't do port security, don't do MAC address filtering. I already talked about that, including hiding the MAC address. Hiding a MAC address isn't a security feature.
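As an added illustration of the tagged-frame observation above (this is example code written for this write-up, not VoIP Hopper's source and not anything from Cisco): the block below dissects 802.1Q tags on constructed sample frames to recover a VLAN ID that a switch is leaking to a supposedly untagged access port, and then builds the tagged ARP request a host would emit once it knows that VLAN ID. The MAC addresses, IP addresses and the voice VLAN number 100 are made up for the example; actually transmitting the frame would need a raw AF_PACKET socket and is deliberately left out.

```python
"""
Dissect 802.1Q-tagged Ethernet frames to learn a voice VLAN ID, then build a
tagged ARP request for that VLAN. All sample frames below are constructed.
"""
import struct
from collections import Counter

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def mac_bytes(mac):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    """'10.0.0.1' -> 4 raw bytes."""
    return bytes(int(octet) for octet in ip.split("."))


def build_tagged_frame(dst_mac, src_mac, vlan_id, priority, inner_type, payload):
    """Ethernet II frame with one 802.1Q tag: dst, src, 0x8100, TCI, inner EtherType, payload.
    TCI = 3-bit PCP | 1-bit DEI (left 0) | 12-bit VID."""
    tci = (priority & 0x7) << 13 | (vlan_id & 0x0FFF)
    header = mac_bytes(dst_mac) + mac_bytes(src_mac)
    header += struct.pack("!HHH", ETHERTYPE_8021Q, tci, inner_type)
    return header + payload


def parse_vlan_tag(frame):
    """Return (vlan_id, priority, inner_ethertype) for a tagged frame,
    or None if the frame is untagged or too short to hold a tag."""
    if len(frame) < 18:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_8021Q:
        return None
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, tci >> 13, inner


def observed_vlans(frames):
    """Count VLAN IDs carried in tagged frames. On a plain access port this should be
    empty; a non-empty result means the switch is sending tagged traffic to the port."""
    counts = Counter()
    for frame in frames:
        tag = parse_vlan_tag(frame)
        if tag is not None:
            counts[tag[0]] += 1
    return counts


def guess_voice_vlan(frames):
    """Most frequently seen tagged VLAN ID, or None if every frame was untagged."""
    counts = observed_vlans(frames)
    if not counts:
        return None
    return counts.most_common(1)[0][0]


def build_tagged_arp_request(src_mac, src_ip, target_ip, vlan_id, priority=5):
    """Broadcast ARP 'who-has target_ip' carried inside an 802.1Q tag for vlan_id.
    Sending it needs a raw socket bound to the interface; this only builds the bytes."""
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)  # htype, ptype, hlen, plen, op=request
    arp += mac_bytes(src_mac) + ip_bytes(src_ip)              # sender hardware/protocol address
    arp += b"\x00" * 6 + ip_bytes(target_ip)                  # target MAC unknown, target IP
    return build_tagged_frame("ff:ff:ff:ff:ff:ff", src_mac, vlan_id, priority, ETHERTYPE_ARP, arp)


# Constructed sample "capture" from a port that was supposed to be untagged access:
# two frames tagged VLAN 100 (the assumed voice VLAN) plus one untagged data frame.
# Every address here is made up for the example.
SWITCH_MAC = "00:1b:54:aa:bb:cc"
PHONE_MAC = "00:1e:4a:11:22:33"
CAPTURED_FRAMES = [
    build_tagged_frame(PHONE_MAC, SWITCH_MAC, 100, 5, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 27),
    build_tagged_frame("ff:ff:ff:ff:ff:ff", SWITCH_MAC, 100, 5, ETHERTYPE_ARP, b"\x00" * 28),
    mac_bytes(PHONE_MAC) + mac_bytes(SWITCH_MAC) + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 27,
]

if __name__ == "__main__":
    vid = guess_voice_vlan(CAPTURED_FRAMES)
    print("tagged VLANs seen:", dict(observed_vlans(CAPTURED_FRAMES)))
    print("voice VLAN guess:", vid)
    if vid is not None:
        probe = build_tagged_arp_request("00:11:22:33:44:55", "10.0.100.50", "10.0.100.1", vid)
        print("tagged ARP probe:", probe.hex())
```

The point of the check is the one the talk makes: an access port that never carries tagged frames gives an attacker nothing to key on, while a port that receives 0x8100 frames hands over the voice VLAN ID without any CDP or LLDP-MED exchange at all.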
Now this is something interesting that I'm starting to see in more deployments: using physical locks on the phones, locking the VoIP port to the wall and locking the voice port on the phone itself. This is from a vendor, Panduit, that I've seen. I've done some internal VoIP pen tests where they knew I was coming, so they put these locks on. Seriously, I'm not kidding you. They had their physical security operations come do this, but we were able to defeat it because you just use one of these tools. And that's what it looks like. But this is really interesting; let me tell you this. I'm staying in a hotel right now, not here, another hotel, and just a couple of days ago I found out that they have VoIP in their guest rooms. Now I'm not going to do anything with that, but it's a new vendor that I've never seen before. Teledex; they're specialized for VoIP in the hospitality industry. And interestingly, really fascinating, they did a poor man's physical security. They stripped the top of the RJ45: instead of using these physical locks, they stripped it off. I don't know if you can see that, but you can't take the little tab and pull it out. I just thought it was interesting. I mean, do they really trust that that's going to prevent someone from getting access? But it does tell you: we don't want you unplugging the phones and plugging in your laptop. That's what it tells me. And I tell you, when someone does something physical like this, that's where I draw the line. I would never try to circumvent that unless it was an authorized pen test. So you can use tweezers on the side; I have these tweezer tools. I didn't mean to say that. I'm just saying, if I was going to do something. But as luck would have it, check this out: I actually moved rooms in this hotel yesterday morning and guess what, these ones didn't have the security in place.
Look at the little RJ45 sticking out there. So interestingly enough, it shows that the physical security solution wasn't consistently applied across these hotel rooms. I mean, you have hundreds or thousands of rooms in these luxury resort hotels in Las Vegas. You have to actually make sure that every single room is configured the same way. Human error is always the weakest link in a security system, and this just proves it again right here. Interesting.

So, just a couple more minutes. Here's a great idea that I got from Zach and Chris with Cisco: lock the phones to the wall using Panduit locks, real locks, and then if someone breaks through the locks, err-disable the port. Make the port automatically shut off, because if someone's breaking through those locks, that's really suspicious activity. So you can do one of two things: you can err-disable the port, or you can keep the port up but send a high-priority security alert that notifies your security admins, and they come breaking down the door when the attacker is trying to VLAN hop and thinks that no one knows about it. That's an awesome solution. I think all the hotels should be doing that, because physical security combined with an operational procedure is really good: the detection and the logging. 802.1X is another well-known thing. Do multi-domain authentication. Don't configure the single VLAN, because CDP can be spoofed when you use voice VLANs. There are a couple of limitations with 802.1X; I'm just going to gloss over that. In 2008, we published a tool called XTest, and it highlights the two issues where you can piggyback on the successful authentication of an 802.1X wired supplicant like a phone and gain access to the network. We talked about this at ToorCon. It looks like there's an awesome talk tomorrow where this guy is doing a transparent bridge through Linux, so you might want to check that out. It looks like he's advancing that forward. MACsec is another mitigation recommendation.
It provides hop-by-hop layer two encryption. It's like the next version of 802.1X. I'm wrapping up here. I just want to thank you guys for listening. I want to tell you why I did this. This talk is the culmination of my research on something that I'm passionate about. I wrote this blog post, "Attacking the Crown Jewels Through VoIP," for VoIPSA, which I'm a blogger for, and it kind of inspired the title of this talk, because I found this issue after I wrote that blog. I'm trying to create educational awareness. I want to publish a new version of VoIP Hopper because I know that seeing is believing, showing is believing, and sometimes people just have to see a vulnerability with their own eyes in order to understand the impact of that issue and actually start remediating it. It's my hope above all else that this information gets to the net ops and the security operations of these luxury hotels. That is my one hope: that we can create educational awareness and have them start fixing these issues, because if I'm showing this to you today, and the people that were in the room with me before know this too, how many people already know about this and were silent about it? How many hotels have already been breached? Because if I can do this, I know a lot of other people can. And I just hope that we publish some best practices around UC security for these unique scenarios where we have trunking allowed in user access networks. That's what this talk is about. And that's all I've got.