DEFCON: Attack on audio and video conferencing made easy
At the DEFCON conference, which drew to a close yesterday, the developers behind UCSniff presented version 3.0 of the VoIP sniffer, which includes two major new features. Firstly, UCSniff, which is coded by Jason Ostrom and Arjun Sambamoorthy, now automatically detects video data transferred by VoIP telephones on the network, even when mixed with audio data. This allows the tool to record the audio and video components that occur in a typical 'unified communication environment'. Secondly, the software will in future also run on Windows – previously it was intended for use only in conjunction with the Linux-based BackTrack 3 penetration testing distribution. The developers plan to make the new version available for download shortly.
UCSniff relies on a standard man-in-the-middle attack on a company LAN, using ettercap for the attack. UCSniff 3.0 detects video streams (H.264) embedded in a voice data stream and converts them into a separate AVI file. An interesting feature when logging into a network is the integrated "VLAN hopper", a tool which detects whether the Ethernet switch establishes its own VLAN (Virtual LAN) for the audio and video components. To be able to eavesdrop on data separated from the remainder of the network and therefore from the attacker's own PC or laptop, UCSniff passes itself off as a VoIP telephone to obtain authorisation from the switch to access the voice VLAN. The sniffer is able to recognise VLAN IDs from a range of vendors and automatically send the appropriate Ethernet packet to the switch. The tool then launches standard ARP spoofing attacks.
The developers behind UCSniff also offer a further attack tool in the form of VideoJak. VideoJak can feed arbitrary video sequences into a network in order to, for example, fool video surveillance systems. In a live demonstration, the programmers simulated surveillance of a valuable trinket in a museum; in this case the trinket was played by a water bottle. The tool first recorded the untouched bottle for 20 seconds, then replayed the recorded sequence on a loop while the 'thief', unseen by the 'guards', grabbed the bottle.
In the experts' opinion, protection against attacks in unified communications systems requires encryption of audio and video data. According to Ostrom and Sambamoorthy, in practice only 1 in 20 companies makes use of the integrated security options which are generally built into UC infrastructure.
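Whether audio and video are actually encrypted can be checked in the call signalling. The following is an added example, not code from the article or from the UCSniff developers: it parses an SDP session description and lists the media streams negotiated without SRTP. The SDP sample, the addresses and the function names are constructed, and it assumes the deployment signals media in SDP and marks SRTP through the transport profile.

```python
# Added example: audit SDP media descriptions for unencrypted RTP.
# SAMPLE_SDP is constructed sample data, not captured traffic.
SAMPLE_SDP = """\
v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY
m=video 51372 RTP/AVP 96
a=rtpmap:96 H264/90000
"""

# Transport profiles that carry SRTP (SDES or DTLS-SRTP keyed).
# Assumption: a stream on plain RTP/AVP is treated as cleartext even if
# it carries an a=crypto line, since the profile does not require SRTP.
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF",
                   "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}


def audit_sdp(sdp):
    """Return one dict per well-formed m= line in the SDP body."""
    streams, current = [], None
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            fields = line[2:].split()
            current = None  # attributes of a malformed m= line are ignored
            if len(fields) >= 3:
                profile = fields[2].upper()
                current = {"media": fields[0], "port": fields[1],
                           "profile": profile, "codecs": [],
                           "encrypted": profile in SECURE_PROFILES}
                streams.append(current)
        elif line.startswith("a=rtpmap:") and current is not None:
            # a=rtpmap:<payload type> <encoding>/<clock rate>
            parts = line.split(None, 1)
            if len(parts) == 2:
                current["codecs"].append(parts[1].split("/")[0].upper())
    return streams


def unencrypted_streams(sdp):
    """Streams an on-path host could record: negotiated without SRTP."""
    return [s for s in audit_sdp(sdp) if not s["encrypted"]]


if __name__ == "__main__":
    for s in unencrypted_streams(SAMPLE_SDP):
        print(f"cleartext {s['media']} port {s['port']} {s['profile']} {s['codecs']}")
```

In the constructed sample the audio stream is protected while the H.264 video stream is not, the kind of partial configuration that leaves video recordable even where voice encryption has been enabled.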