How to Defeat a VoIP Hopper
VoIP Hopper and security threats
New threats to VoIP systems are being discovered every day. Hackers can be an industrious lot and as VoIP gains greater traction in the business world, new techniques for hacking into the VoIP network are being found. Today we take a look at a specific type of threat that ironically makes use of the very security measures that network administrators implement on their VoIP systems. Namely, attacks against VLANs.
As we've seen before, VLANs help us segment VoIP traffic and give it a virtual network of its own thus enabling us to implement Quality of Service (QoS) and implement security policies that would be messy to enable in any other way. Cisco, Avaya and Nortel hardware switches have built in policies that ease this sort of arrangement and in most cases it works exceptionally well.
However, security researchers have found ways to exploit the methods used by these switches and many software programs have been developed that demonstrate ways in which they can be attacked. Today we look at VoIP Hopper which is rapidy gaining a reputation for being an excellent tool to probe for weaknesses in VoIP systems.
Workings of the VoIP Hopper
Unlike phones and other hardware systems which are task specific, computers are general machines with enormous capabilities of customization. This flexibility allows us to use it for many different purposes. In the case of VoIP Hopper, the software uses this flexibility to make it look as if the computer is a VoIP phone.
It works by placing the computer on a network with has a Voice VLAN in operation. The system then detects which type of protocols are being used on the network. In the case of a Cisco setup, the Cisco Discovery Protocol (CDP) is looked for. The software then crafts a port that looks just like an IP phone to the switch and since it knows the type of protocols being used, it mimics the behavior appropriately including the completion of a DHCP handshake.
This allows the software to "hop" from one VLAN on which the regular network exists to the Voice VLAN thus gaining unfettered access the underlying VoIP system!
Defeating the VoIP Hop
This technique to gain access is surprisingly effective and can be countered only by implementing proper layer 2 access controls. For example, one can restrict access the VoIP network to only a given number of MAC addresses which correspond to the actual VoIP phones which exist. This effectively filters out any third party from crashing in.
Another method is to implement network access controls using the 802.1x protocol which forces connecting devices to undergo authentication processes.
Of course, if you're using hosted VoIP PBX systems, such details should be taken care of by the VoIP provider leaving you free to take care of your business. Make sure you go through lots of hosted PBX phone reviews before choosing which company you want to stick with.