Security Expert Exploits Hotel Network Vulnerabilities

By John Kindervag, CISSP, CCNA, ICE, senior security architect, Vigilar, Inc. | April 15, 2008

The Hacker Suite
To the desk clerk, he looked like any other weary traveler, his collar turned up to fight the bitter winds. As she looked up his reservation, he reached into his pocket and nonchalantly tossed a credit card on the desk. She picked it up, swiped it through the hotel's point of sale card reader and watched the authorization pop up. Soon he had his keycard. He wordlessly turned and walked toward the elevators.
The elevator door opened and he walked out, his head slowly turning to case the hallway. He memorized the floor plan, the exits and stairwells, and the location of each security camera. Instinctively he pulled his collar higher and turned his face to obscure his image. As he opened the door he immediately reached around to the inside handle and grabbed the "Do Not Disturb" sign and put it on the outside. He closed the door and turned the security lock. As he scanned the room his eyes fell on the IP Telephone sitting at the desk. A wry smile crossed his lips. This was the reason he was here. As he pulled his laptop out of his bag he created an escape plan. Hopefully he wouldn't need it. The credit card number was fresh and had never been used.

He unplugged the IP Phone and plugged the phone's Ethernet cable into his laptop. It booted up to his Backtrack Live CD. He loved Backtrack. If the heat came down, he could power down his computer and eliminate evidence of his attack. First, he fired up a sniffer to look for CDP, Cisco Discovery Protocol, which is used to find and communicate with the IP phones. He watched the packets fill his screen, waiting for a filter to fire. Soon he had it.

He looked through the capture and parsed the CDP packet. It told him that the Voice VLAN was 200. He created a Virtual Interface on his laptop and configured it to use VLAN 200. Just in case the Hotel was using MAC Address Filtering to help lock down the network, he picked up the IP Phone lying on the desk and flipped it over. There he saw the sticker with the phone's MAC Address printed on it. He manually configured the Virtual Interface to spoof the phone's MAC. Now he knew that the switch would think he was an IP phone and pass his traffic accordingly. Next, he had the new interface request a DHCP lease on the Voice VLAN. Soon he had a fully functioning network connection, and to every piece of network gear his PC looked exactly like an IP Phone.

He was inside. He hoped there was no firewall between the Voice VLAN and other VLANs on the network. Without a firewall, he knew that the network would allow him to route to other assets in the corporate network. It was late. The chances that anyone was in the data center looking at logs were less than minimal. He began to poke around the network. It took a while, but he eventually discovered what he was looking for: the credit card database.

He plugged in a USB hard drive and began downloading the data. Once the download was complete, he jumped on the free wireless provided by the hotel and uploaded the data onto a secure server located in a foreign country that had poor relations with US law enforcement. Once the data had been checked, he knew he would find a sizable sum had been wire transferred into his offshore account.
The last step in the process was to securely wipe the evidence off the USB drive. When completed, even an electron microscope couldn't pull up anything that could be used against him. It was late. He was tired and hadn't slept. It was a nice hotel with an enticing bed, but this was not the time to rest. He packed up and disappeared into the night.
Thinking Like a Hacker
It was precisely this scenario that Vigilar was asked to test by one of our hotel clients. Jason Ostrom, Vigilar senior security consultant, was given access to a hotel room and told to find out if he could break into their corporate network through the IP Telephone's network connection. By thinking like a malicious hacker, Jason was able to penetrate through to the data network by using a combination of techniques he calls VoIP Hopping. This type of VLAN hopping attack is just one of the attack vectors being used by attackers today. Attackers have also been known to attack the SIP protocol and commit Toll Bypass Fraud using VoIP networks.

In the past few years, many corporations have been lured into the world of Voice over IP by the promises it brings. One of the cornerstones is convergence: the concept that all types of traffic, such as voice, video and data, will use the same network. But with the benefits of convergence comes a price: security.

As traditional voice and data networks converge, more avenues of attack open up. The awareness of these threats within the enterprise is low. Jason Ostrom is concerned. "What I see professionally is that many customers are vulnerable to this threat. A regular PC should never have access to the Voice VLAN."

Strong Defense
Defense methodologies are in their infancy and are sure to improve in the near future. To help protect against VoIP attacks Ostrom recommends putting a firewall between the Voice and Data VLANs. By putting the Voice VLAN on a separate DMZ of a firewall, many current attacks can be thwarted. It is important to lock down the firewall so that only protocols used by IP Telephony are allowed to flow.
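As an added illustration (not code from the article, Vigilar or VoIP Hopper), the following sketch audits flow records from the firewall between the Voice VLAN and the rest of the network and reports any Voice VLAN source that talks to something other than IP telephony services. The subnets, the call server address and the sample flows are constructed, and the port allowlist is an assumed Cisco-style telephony profile that must be adapted to the deployment.

```python
import ipaddress

# Constructed addressing: Voice VLAN 200 subnet and the call/provisioning server.
VOICE_NET = ipaddress.ip_network("10.200.0.0/24")
CALL_SERVERS = {ipaddress.ip_address("10.10.0.5")}

# Assumed telephony allowlist: (protocol, low port, high port).
ALLOWED = [
    ("udp", 69, 69),        # TFTP, phone configuration download
    ("tcp", 2000, 2000),    # SCCP (Skinny) signalling
    ("udp", 5060, 5060),    # SIP
    ("tcp", 5060, 5061),    # SIP and SIP over TLS
    ("udp", 16384, 32767),  # RTP media
]

# Constructed flow records: source, destination, protocol, destination port.
SAMPLE_FLOWS = """\
10.200.0.21 10.10.0.5 udp 69
10.200.0.21 10.10.0.5 tcp 2000
10.200.0.21 10.200.0.34 udp 17020
10.200.0.77 10.20.5.12 tcp 1433
10.200.0.77 10.10.0.5 tcp 22
10.30.1.9 10.20.5.12 tcp 1433
"""

def is_telephony(dst, proto, port):
    """True if a flow leaving a Voice VLAN host matches the allowlist."""
    if dst in VOICE_NET:
        # Phone-to-phone traffic should be RTP media only.
        return proto == "udp" and 16384 <= port <= 32767
    service_ok = any(p == proto and lo <= port <= hi for p, lo, hi in ALLOWED)
    return dst in CALL_SERVERS and service_ok

def violations(flow_text):
    """Return Voice VLAN flows that are not IP telephony."""
    found = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, port = line.split()
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip in VOICE_NET and not is_telephony(dst_ip, proto, int(port)):
            found.append((src, dst, proto, int(port)))
    return found

if __name__ == "__main__":
    for flow in violations(SAMPLE_FLOWS):
        print("non-telephony flow from Voice VLAN:", flow)
```

The same allowlist doubles as the firewall policy: anything the audit would flag is traffic the firewall should already be dropping.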

Additionally, Ostrom advocates placing an Intrusion Prevention System (IPS) designed with VoIP in mind. Also, VoIP is typically unencrypted on internal LAN segments, so Ostrom advises that engineers use strong encryption and authentication of VoIP calls across the LAN so that confidential calls cannot be sniffed and recorded.

As Voice over IP deployments grow, they will entice more and more attackers to look for ways to access valuable data through VoIP networks. It is an open secret within the Hacker and InfoSec communities that VoIP is the next frontier of hacking. Jason Ostrom was so concerned by the lack of awareness of IP Telephony security issues that he created an open source tool, VoIP Hopper, that network administrators and engineers can freely download to assess the security of their VoIP network. VoIP Hopper is available at

John Kindervag, CISSP, CCNA, ICE is a Senior Security Architect at Vigilar, Inc and a 20 year veteran of the high-technology world.
