“This is the most dangerous piece of equipment ever invented. You connect everybody together, everybody can talk. And nobody can hear.” – Master Sgt. Dennis Goodman, Virginia National Guard ACU-1000 Operator

Welcome to the 7th installment of “Asking The Cisco Systems IPICS Expert” — Cisco IPICS security questions derived from publicly available information. From the focus and tone of my previous six blog posts I suppose some folks might have the perception that I’m “picking” on Cisco. That is not the case, and don’t worry: there are several other products in the interoperability space that I plan on asking security questions about, notably JPS Raytheon’s ACU-1000 and ACU-2000 devices, which I mentioned in my first post and will expand upon in this and future posts.

Before getting into this round of questions, I was thinking that it might be a good idea to take a step back and try to gain a better perspective of the big picture, or at least part of it. Over the past several years a few billion dollars has been put towards achieving interoperability. However, it is through the recent PSIC grants of 2007 that one billion, derived from the proceeds of FCC spectrum sales, was allocated directly towards individual state grants for interoperability. A few months back I suppose one billion might have seemed a good chunk of money, but after the past few weeks’ news of hundreds of billions in bailouts — “Country Wall Street First” — it strikes me as not much money at all for such an important objective. In other words, think of it this way: one billion is about what the US is spending every 2 to 3 days in Iraq. Still, for vendors, garnering a share of the PSIC grant money is definitely worth pursuing for a “win.” As an example, Cisco has put forth PSIC brochures and the like for states as guidelines for how its particular technology, such as the IPICS, meets states’ needs. Also, some IPICS rollouts, such as the one in Cisco CEO John Chambers’ home state of West Virginia, have more than 600 fire departments and 200 police departments connected.

You’ll notice that the title of this post includes JPS Raytheon. About a year ago, in October 2007, Cisco Systems and JPS Raytheon began to collaborate and integrate the JPS ACU-2000 into the Cisco Systems IPICS solution. Below is an example of where the JPS ACU-2000 fits into the IPICS solution.

Figure: Cisco Systems IPICS and JPS ACU-2000

Question 31: Over the past few years a number of vulnerabilities have been discovered in Tomcat. A NIST NVD search shows 71. As the IPICS Server utilizes Tomcat, is the IPICS Server affected by these vulnerabilities? Should users be at all concerned?

Question 32: Default credentials and poor passwords are a serious problem. They have been so for many years and will continue to provide an attack vector for years to come. Convicted VoIP “hacker” Robert Moore is quoted stating to Informationweek:

Moore said what made the hacking job so easy was that 70% of all the companies he scanned were insecure, and 45% to 50% of VoIP providers were insecure. The biggest insecurity? Default passwords. “I’d say 85% of them were misconfigured routers. They had the default passwords on them,” said Moore. “You would not believe the number of routers that had ‘admin’ or ‘Cisco0’ as passwords on them.

While resources such as Phenoelit’s DPL and Nessus plugins can facilitate attackers (and legitimate pentesting, auditing, etc.), I believe poor configuration documentation is also to blame. For example, the Cisco IPICS Server supports SNMPv3 in read-only mode “for security enhancement” — however, if one looks at the SNMP portion of the configuration documentation you’ll see the following:

Figure: Cisco Systems IPICS SNMP Configuration

While we can hope that folks configuring the IPICS Server would not take these instructions literally, has any consideration been given to “hardening” the Cisco IPICS documentation? What about IPICS course materials for those seeking IPICS certification?

Question 33: The JPS ACU-2000 has an HTTP server for administration and configuration of the SIP Control Module (SCM-2). According to the administrator manual, page 2-104, a screenshot of the admin.cgi page appears to allow two actions to take place without requiring authentication: 1. reboot of the SCM-2, and 2. upload of new firmware to the SCM-2. Is this in fact the case? Please see the screenshot below.

Figure: JPS ACU-2000 HTTP interface

Question 34: Concerning the JPS ACU-2000, are there any plans to improve the security of the SCM-2 administration HTTP server by adding encryption such as SSL/TLS?

Question 35: According to the JPS ACU-2000 data sheet, the SIP interface supports the following RFCs: 3261, 2976, 3515, 2327, 3264, 1889. However, there seems to be no ACU-2000 support for encrypted media, such as SRTP. Is this indeed the case? If so, are there any plans to add more secure protocols for the ACU-2000 VoIP capabilities? Also, are there any JPS and Cisco “best practices” or “security recommendations” to mitigate the risks of unencrypted VoIP traffic in the Cisco IPICS and JPS ACU-2000 solutions?

As with my previous questions, I thank you for your time and look forward to your answers.

Shawn Merdinger
Security Researcher
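Question 35 turns on whether a SIP offer carries media as plain RTP or as SRTP, and whether the signaling that carries the SDP is itself protected. The following Python check is an added example written for this post; it is not code from the post, from Cisco or from JPS. It splits a SIP INVITE into headers and body (RFC 3261), reads the transport from the top Via header, parses each m= line of the SDP (RFC 2327), and treats a stream as encrypted only when its profile is RTP/SAVP or RTP/SAVPF and an a=crypto line (RFC 4568 SDES) is present. The two INVITE messages, their addresses, tags and key material are constructed samples, not captures from any device.

```python
"""Report SIP offers whose media would travel as plaintext RTP.

Added example for this post: checks a SIP INVITE's SDP body for the RTP
transport profile on each m= line and for SDES key material, and checks
whether the signaling itself is carried over TLS.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Transport profiles that mean SRTP; RTP/AVP (and RTP/AVPF) mean plain RTP.
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}


@dataclass
class MediaStream:
    kind: str                                   # "audio", "video", ...
    port: int                                   # 0 means the stream is rejected
    profile: str                                # third field of the m= line
    crypto_suites: List[str] = field(default_factory=list)  # from a=crypto lines

    @property
    def encrypted(self) -> bool:
        """True only when the profile is SRTP and keying material is offered."""
        return self.profile in SECURE_PROFILES and bool(self.crypto_suites)


def split_sip(message: str) -> Tuple[List[str], str]:
    """Return (header lines, body); SIP separates them with an empty line."""
    head, sep, body = message.partition("\r\n\r\n")
    return head.split("\r\n"), (body if sep else "")


def signaling_transport(message: str) -> Optional[str]:
    """Transport named in the topmost Via header: 'UDP', 'TCP', 'TLS', ..."""
    headers, _ = split_sip(message)
    for line in headers:
        m = re.match(r"(?i)(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", line)
        if m:
            return m.group(1).upper()
    return None


def parse_sdp(sdp: str) -> List[MediaStream]:
    """Collect one MediaStream per m= line, attaching the a=crypto lines below it."""
    streams: List[MediaStream] = []
    current: Optional[MediaStream] = None
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            fields = line[2:].split()            # media port[/count] proto fmt...
            if len(fields) < 4:
                raise ValueError(f"malformed media line: {line!r}")
            port = int(fields[1].split("/")[0])
            current = MediaStream(kind=fields[0], port=port, profile=fields[2])
            streams.append(current)
        elif line.startswith("a=crypto:") and current is not None:
            # a=crypto:<tag> <crypto-suite> <key-params> [<session-params>]
            parts = line[len("a=crypto:"):].split()
            if len(parts) >= 3:
                current.crypto_suites.append(parts[1])
    return streams


def assess(message: str) -> List[str]:
    """Human-readable findings; an empty list means nothing to flag."""
    findings: List[str] = []
    transport = signaling_transport(message)
    if transport != "TLS":
        findings.append(f"signaling over {transport or 'unknown transport'}: the SDP, "
                        f"and any a=crypto keys in it, are readable on the wire")
    _, body = split_sip(message)
    for s in parse_sdp(body):
        if s.port == 0:
            continue                             # rejected stream carries no media
        if s.profile not in SECURE_PROFILES:
            findings.append(f"{s.kind} on port {s.port} uses {s.profile}: media is plaintext RTP")
        elif not s.crypto_suites:
            findings.append(f"{s.kind} on port {s.port} declares {s.profile} but offers no a=crypto keys")
    return findings


# Constructed sample 1: plain RTP offer over UDP signaling (Content-Length omitted).
PLAIN_INVITE = (
    "INVITE sip:dispatch@example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
    "From: <sip:gateway@example.invalid>;tag=1928\r\n"
    "To: <sip:dispatch@example.invalid>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\no=gw 2890844526 2890844526 IN IP4 192.0.2.10\r\ns=radio patch\r\n"
    "c=IN IP4 192.0.2.10\r\nt=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8 101\r\na=rtpmap:0 PCMU/8000\r\n"
)

# Constructed sample 2: SRTP offer over TLS signaling; the key is made up.
SRTP_INVITE = PLAIN_INVITE.replace("SIP/2.0/UDP", "SIP/2.0/TLS").replace(
    "m=audio 49170 RTP/AVP 0 8 101\r\n",
    "m=audio 49172 RTP/SAVP 0 8\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:Q0VOU1RSVUNURURTQU1QTEVLRVlNQVRFUklBTA==\r\n",
)

if __name__ == "__main__":
    for name, msg in (("plain", PLAIN_INVITE), ("srtp", SRTP_INVITE)):
        print(name, assess(msg) or ["no findings"])
```

The signaling check matters as much as the media profile: with SDES the SRTP keys are sent in the a=crypto line, so an RTP/SAVP offer carried over UDP or TCP still exposes its keys, and only SIP over TLS closes that gap. Run on real traffic, the findings are the list of calls whose audio a passive observer on the network could replay, which is what a “best practices” document for an unencrypted VoIP deployment would need to address.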
Asking The Cisco Systems IPICS and JPS Raytheon ACU-2000 Experts: Questions 31-35 [Voice of VOIPSA]
Tags: security, VoIP Security, Best Practices, Miscellaneous, Platform Security, SIP, VoIP Security Companies, VoIP Security Research, VoIP Vulnerabilities
September 27 2008, 1:59pm