Device Default Settings

IT Threats, Voice Threats

For a moment, imagine the following scenario. AAA Corp. is a large corporation with a state-of-the-art headquarters that receives many visitors daily. One day, one such visitor, Mr. X, pays a visit to the CTO of AAA Corp. (who happens to be his close friend) to invite him to an upcoming security conference. After calling the CTO, who will meet him in the lobby, he turns his attention to the shiny piece of hardware he used a moment ago to call his friend. Does it look too technical for him to sort out what it is? Maybe not! Mr. X is a seasoned White-Hat hacker, and today he is onto something. Mr. X starts playing around with the Cisco Unified IP Phone and reaches the Network Configuration menu. To his surprise, the settings are unlocked! He opens the IP address of the IP Phone in a web browser from his laptop, plugged into the PC port of the phone (yet another crucial security setting that should have been turned off). Surprise, surprise! He now has all the information an attacker would need to begin an attack!

Had Mr. X not been a friendly White-Hat hacker but someone with malicious intentions, AAA's network would already be on its way to being exploited. It does not matter whether the network has firewalls, IPS, or other state-of-the-art security mechanisms if someone on the inside can initiate an attack. As vital as it is to secure network equipment (physical security), the perimeter, links, applications, and conversation streams, end-to-end security is achieved only when user endpoints are also part of the overall security plan.

Mitigations

Cisco Unified IP Phones (endpoints) and Cisco Unified Communications Manager (CUCM) offer built-in features to secure the user-facing endpoints. These features can be enabled or disabled on a phone-by-phone basis to increase the security of an IP Telephony deployment. Because the end-user layer is where most attacks (internal or external) originate, it is sensible to carry out a few simple tasks to harden the endpoints so that otherwise impending attacks are counteracted. These tasks can be performed from CUCM.

PC Port

The PC port enables a daisy-chained PC to connect to the corporate network through the phone. Malicious users can exploit this feature as an access point into the IP Telephony network. It is strongly recommended to turn this feature off on phones placed in public-facing areas of an organization (for example, the lobby, elevators, break rooms, and so on) and wherever an employee does not need hardwired connectivity to the network.

It is important to understand that there is little point in disabling the phone's PC port if an end user can simply plug directly into the switch port behind the wall jack, gain data VLAN access, and attempt a VLAN hopping attack. Therefore, for end-to-end security, 802.1X should be deployed to control network access for endpoints.

Settings Access

Details about the network infrastructure could be compromised through the settings button of the IP Phone. Each IP Phone has a network settings page that lists many of the network elements and the detailed information the phone needs to operate. An attacker could use this information to begin reconnaissance on the network. Access to the settings button can be disabled completely, or only the network settings can be disabled, leaving the ring type and contrast options available to end users (restricted mode).

Gratuitous ARP (GARP)

Network devices use Gratuitous ARP (GARP) packets to announce their presence on the network. Although this may seem like useful functionality (and in some cases it is), it can be exploited by an attacker who claims to be the default router, thereby leading the network device to send all of its traffic to the attacker (a man-in-the-middle [MITM] attack). By default, Cisco Unified IP Phones accept GARP packets. By configuring the IP Phone to ignore GARP packets, you can prevent this MITM attack.

PC Voice VLAN Access

This functionality is a double-edged sword. On one hand, it enables network administrators to capture voice traffic, which aids in troubleshooting voice-related issues. On the other hand, it can be exploited by attackers to sniff the IP Phone's voice traffic. The sniffed streams can be reconstructed and replayed to hear conversations. Disabling this feature stops the IP Phone from forwarding voice traffic to the PC port. It should be disabled, and enabled only temporarily for troubleshooting.

Web Access

Just like settings access, if the web server on the phone is turned on, a potential attacker can point a web browser at the phone's IP address and mine much of the information from the web pages the phone serves. Disabling the phone's web server blocks access to the phone's internal web pages, which provide statistics and configuration information.

Span to PC Port

The span to PC port functionality is somewhat similar to PC Voice VLAN access. It mirrors traffic from one port to another (much like a SPAN session on a Cisco Catalyst switch), so that all traffic from one or more VLANs (such as the Voice VLAN) is sent out the PC port through the IP Phone's internal switch. This functionality should be enabled only when you need to troubleshoot voice-related issues.

Speakerphone

Insiders (malicious users) can eavesdrop on conversations held over the speakerphone. You can disable speakerphones, for example on a per-user or per-job-function basis, by selecting the check box that disables the speakerphone.
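The settings above (PC port, settings access, GARP, PC voice VLAN access, web access, span to PC port, speakerphone) form a hardening baseline that is easy to drift away from once phones are provisioned. The audit script below is an added example, not Cisco's or CUCM's own tooling: it reads a phone's product-specific configuration as XML and reports every setting that is not in its hardened state, ranking exposure higher for phones in public areas. The element names (pcPort, settingsAccess, garp, voiceVlanAccess, webAccess, spanToPCPort, disableSpeaker) and the wrapping `<device name="...">` element are assumptions modelled on the phone configuration file format and must be verified against your CUCM release; the two sample exports are constructed, not real devices.

```python
"""Audit Cisco IP Phone product-specific settings against a hardening baseline.

Added example, not Cisco/CUCM tooling. Element names and the <device> wrapper
are assumptions modelled on the phone configuration XML; check them against
the export format of your own CUCM release before using this for compliance.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

# Baseline derived from the recommendations in the article. "ok" lists the
# values that count as hardened; settingsAccess 2 (restricted mode) is acceptable.
BASELINE = {
    "pcPort":          {"ok": {"0"}, "label": "PC port disabled"},
    "settingsAccess":  {"ok": {"0", "2"}, "label": "settings access disabled/restricted"},
    "garp":            {"ok": {"0"}, "label": "gratuitous ARP ignored"},
    "voiceVlanAccess": {"ok": {"0"}, "label": "PC voice VLAN access disabled"},
    "webAccess":       {"ok": {"0"}, "label": "web access disabled"},
    "spanToPCPort":    {"ok": {"0"}, "label": "span to PC port disabled"},
    "disableSpeaker":  {"ok": {"1"}, "label": "speakerphone disabled"},
}

# Settings whose weak state lets an attacker intercept or replay voice traffic.
# These are rated high wherever the phone sits; the rest are high only in public areas.
INTERCEPTION = {"garp", "voiceVlanAccess", "spanToPCPort"}


@dataclass(frozen=True)
class Finding:
    device: str
    setting: str
    actual: str      # "<default>" when the element is absent from the export
    severity: str    # "high" or "medium"


def audit_phone(xml_text: str, public_area: bool = False) -> List[Finding]:
    """Return one Finding per baseline setting that is not hardened.

    An element missing from vendorConfig is reported as "<default>": the
    assumption here (consistent with the article's note that phones accept
    GARP by default) is that the device default leaves each feature enabled.
    """
    root = ET.fromstring(xml_text)
    device = root.get("name", "<unknown>")
    vendor = root.find("vendorConfig")
    findings: List[Finding] = []
    for setting, rule in BASELINE.items():
        node = vendor.find(setting) if vendor is not None else None
        actual = "<default>" if node is None or node.text is None else node.text.strip()
        if actual in rule["ok"]:
            continue
        severity = "high" if (setting in INTERCEPTION or public_area) else "medium"
        findings.append(Finding(device, setting, actual, severity))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by severity so a fleet-wide run can be triaged quickly."""
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample exports (not real devices): a lobby phone left at factory
# defaults apart from two explicitly enabled features, and an office phone
# that has been hardened except for the PC port and speakerphone the user needs.
LOBBY_PHONE = """<device name="SEP000000000001">
  <vendorConfig>
    <webAccess>1</webAccess>
    <settingsAccess>1</settingsAccess>
  </vendorConfig>
</device>"""

OFFICE_PHONE = """<device name="SEP000000000002">
  <vendorConfig>
    <pcPort>1</pcPort>
    <settingsAccess>2</settingsAccess>
    <garp>0</garp>
    <voiceVlanAccess>0</voiceVlanAccess>
    <webAccess>0</webAccess>
    <spanToPCPort>0</spanToPCPort>
    <disableSpeaker>0</disableSpeaker>
  </vendorConfig>
</device>"""


if __name__ == "__main__":
    for xml, public in ((LOBBY_PHONE, True), (OFFICE_PHONE, False)):
        findings = audit_phone(xml, public_area=public)
        for f in findings:
            print(f"[{f.severity.upper():6}] {f.device} {BASELINE[f.setting]['label']}: "
                  f"actual={f.actual}")
        print(f"  summary: {summarize(findings)}")
```

The lobby phone produces a finding for every baseline setting, all rated high because the phone is in a public area; the office phone produces only two medium findings (PC port and speakerphone left enabled), which is the intended result where a user genuinely needs them. In a real deployment the same function would run over every phone's exported configuration, with the public-area flag supplied from your asset inventory.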