BlackHat Briefings 2007 was a bit disappointing this year. This year, the first day of briefings had an entire track devoted to Voice Services. Being the sole VoIP researcher for TippingPoint’s DVLabs, I of course attended this entire track. In short, three words: waste of time. Out of 5 talks on VoIP security, I learned one single new piece of information. At best, the content was the same old attacks against new or attention-starved targets. At worst, it was the same old attacks against the same old targets. In all honesty, if the BlackHat CFP review board had accepted the updated version of my VoIP Attacks! talk that I had submitted, 80% of the attacks shown in the VoIP Services track would have been covered by about 50% of my slides. Maybe not in as much detail, or against the same targets, but that’s kinda the point of my VoIP Attacks! talk; almost all the attacks I speak about work against most protocols or multiple targets, just with slightly different implementations. But then I guess that would have removed the need for an entire VoIP track, which I’m guessing they wanted to have since it’s a hot topic. Also, my RTP Steganography talk that was accepted to DEFCON rather than BlackHat would have been much more appropriate for this track than some of the talks they accepted. I’m not bitter though (:
The second day I saw the talks by the other DVLabs researchers which of course were excellent.
One thing that struck me this year was the names of the people speaking. For a conference that’s actually named BlackHat, there was only a single person speaking under their handle or nym. To me that speaks volumes about the type of content being presented versus the image that the conference is purporting. Also, identifying the number of speakers associated with the conference sponsors versus those that aren’t is an interesting exercise for anyone that cares to look into it. I think this conference is becoming way to corporate and is beginning to do it’s attendees a disservice. This probably stems from the fact that the conference was sold recently and is now managed by a corporate entity.
Here are my summaries of the presentations that I attended:
Keynote: A Story About Digital Security in 2017
Richard Clarke, Chairman, Good Harbor Consulting
Richard provided some very thought provoking imagery of the near future and the effects of convergence in an insecure cyberspace. He wondered why many of the security solutions that are available today are not widely deployed, and also indicated that many failings of the White House in regards to cyber-security policy are just because they don’t “get it.” This was an excellent talk and made me want to go read his book.
Something Old (H.323), Something New (IAX), Something Hollow (Security), and something Blue (VoIP Administrators)
Himanshu Dwivedi & Zane Lackey
Probably the longest presentation title of the entire conference, this was also probably the best talk in the entire Voice Services track, however that’s really not saying much considering how low the other talks in the track set that bar. This talk was essentially presenting the same types of attacks that have been done to death against other protocols, except that they were targeting H.323 and IAX instead. Not really much new here, however the authors do get points for choosing targets that haven’t gotten much attention from other researchers and weaponizing their attacks by releasing attack tools. Their attacks included dictionary attacks against passwords, replay attacks of valid credentials, timestamp-based DoS attacks, spoofed message DoS’s like registration rejects, call rejects, and hangups, and authentication type downgrade attacks. As I said, essentially the same stuff we’ve been seeing against SIP, MGCP, etc. for a while now.
I don’t think Phil is even trying anymore… He showed up a few minutes late to his own talk and didn’t have the right video adapter for his laptop, having to borrow one from someone in the audience. He then proceeded to just demo his Z-Phone product and talk about some seemingly random points about it, whatever he could remember at the time… The entire thing seemed very “off-the-cuff” to me. He had no slides and he didn’t really go very deep into explaining much about Z-Phone or ZRTP until audience questions began probing him for it. I’m personally a big fan of ZRTP but I really think he did a disservice to his product and his protocol by not explaining it in-depth at the beginning with a slide deck to illustrate the points.
VoIP Security: Methodology and Results
This was basically a summary of what anyone working in VoIP Security already knows. Barrie stated that the focus is currently on protocols and encryption, but those aren’t the only major issues with VoIP. He also blames a lot of VoIP’s vulnerability on the underlying network and access to it, such as asking the question “why is someone sniffing the network?” rather than addressing why the protocols are still unencrypted. He also blamed a lot of insecurity on inheritance from the underlying OS, which seemed a lot like passing the buck to me. Most practitioners and researchers in VoIP security know and understand these concepts, and have shifted their focus to the actual problems with the VoIP technologies themselves, understanding that you need to lock down the user platform that the soft-phone is running on, and that you need to secure your network that the iPBX resides in, etc. I felt like it was 2002 all over again where the hot saying was “Telephony is now just data, secure your data network!”.
Transparent Weaknesses in VoIP
This talk primarily centered around manipulating the MGCP protocol’s functionality to do things like redirect or reroute the media stream through a proxy host or network segment where it could then be eavesdropped upon. There were also some various DoS attacks, again, all of this has been known and discussed for years. This talk did include the one piece of information that I learned from the entire track, and that was that many times DTMF tones will be transmitted as RTP events rather than in the audio itself, thus exposing them to observers when SRTP (more specifically ZRTP) is used to secure the media confidentiality. I was unaware that SRTP didn’t encrypt any included events. Thanks Peter for teaching me something new, my entire day wasn’t a total waste of time. However I have to almost immediately take those kudos away for then talking about Caller-ID spoofing. AGAIN. I swear if I see another talk about Caller-ID spoofing I’m going to shoot myself. This topic has an entire TWO slides dedicated to it in my VoIP Attacks! talk, and that’s about all it really deserves these days is a quick mention, because this attack has been around for nearly half a decade. He also talked about some various other spoofing attacks like spoofing registrations, and then went on to demo the SiVuS tool. I left at this point because I use SiVuS all the time, and it’s a great tool; I didn’t need to see an overview.
Vulnerabilities in Wi-Fi/Dual-Mode VoIP Phones
I attended this talk with interest because Sachin is essentially who replaced me when I left Sipera Systems and I really wanted to see how things were progressing with their VIPER Lab research. Sachin however couldn’t make it, and instead my previous boss, Krishna Kurapati took his place and began the presentation with a thinly veiled vendor pitch. He began by stating that VoIP and dual-mode phones were approaching the removable device risk model. I thought that was odd because almost all phones now include some form of externally accessible internal storage, usually linkable directly to the PC by a USB cable. My last couple of phones have had this feature and most everyone I know’s phone does as well. As such, most phones reached that risk model long ago… That observation seemed a little late to the game. Next was an extremely basic example of a buffer overflow and was labeled as a protocol vulnerability when it really had nothing to do with the protocol; it was an implementation vulnerability in a particular device. There were also some tutorials mentioned that the audience could download from Sachin’s original slide deck which Krishna had admittedly deviated from. Krishna then went on to talk about some Sipera discovered vulnerabilities which were pretty generic like buffer overflows, improperly handled delimiters, format string bugs, protocol syntax errors, resource exhaustion, etc. but didn’t really provide any details in regards to what these vulnerabilities affected. He then went on to some attack demos. Unfortunately it’s difficult to do demos involving multiple hard and soft phones in a conference setting and he had some difficulties with the camera he was using and it’s lighting to show the phones’ displays. He performed 2 DoS attacks which were pretty generic and then a standard buffer overflow to reverse shell exploit. I think anyone that is attending BlackHat understands the implications of a reverse shell, but he then wasted about 15 minutes talking about all of the random things that an attacker could do with a remote shell like reading all the files, creating new files, etc. Unfortunately I think that this presentation really demonstrated Sipera’s lack of information security vernacular and lack of understanding of some basic security concepts. It would have been much better had there been a lot more detail of the detailed vulnerabilities and demo attacks, such as what they targeted, what functionality they were exploiting, if the vendor had patched them yet or not, etc. Overall the talk was very disappointing.
PyEmu: A Multi-purpose Scriptable x86 Emulator
Cody’s presentation was excellent. He spoke about the different types of emulators in clear, understandable vocabulary, outlined what his emulator was meant to do, and spoke about how it accomplishes various tasks and it’s different modes of operation. He then gave examples of each mode of operation that were easy to understand. Being someone who doesn’t do a lot of reversing myself, I understood everything he spoke about and comprehended the entire presentation, which speaks to how well the concepts and information was conveyed. I could particularly see myself using this in the debugging mode of operation, being able to bring a process to a desired state, then use the emulator to manipulate it’s execution in the direction I want with the option to revert back to the point that emulation began, kinda like VMWare snapshots but for processes instead of OSs.
Fuzzing Sucks! (or Fuzz it Like you Mean it!)
Pedram Amini & Aaron Portnoy
This was easily the best talk on fuzzing that I’ve seen in years. Pedram and Aaron actually brought something new to the table and provided a tool that not only helps you fuzz things in a very intelligent manner, but also manages the work-flow in an efficient, intelligent manner, which is honestly something that’s been missing from other fuzzing tools. Sulley provides a couple of novel components such as being able to define your own complex data types and re-use those later from a stored database and the monitor agents that will trap a process’ exception and collect a ton of information on it for you and then revert the target virtual machine back to a known-good state. This fuzzer can essentially work all weekend for you, completely unattended, and when you come back it provides you with more information about a particular test case that caused a fault than you probably really need to know. I’ve not needed to fuzz anything lately myself so I hadn’t been playing with this while Pedram & co. were developing it, but I’m very excited to give it a try now.