Cisco IP Phones – The next easiest venue into your NACed network?

VoIP, IP Phones, and the gear from Cisco always fascinated me. In the past I have published several advisories and papers regarding vulnerabilities and security issues I have found with the Cisco IP Phone gear.

Looking into how Cisco handles IP Phones with their NAC solutions caused me to raise some interesting questions regarding it.

The IP phones identify/authenticate to Cisco NAC solutions using CDP packets. These packets can be easily spoofed. Usually a computer will be hooked to the IP Phone. The IP phone would assign a different VLAN tag for traffic from the IP phone, and a different VLAN tag for the computer date. What if a hub is connected to the wall, the computer is disconnected from the IP phone and now is connected to the hub and uses the VLAN tag of the Voice VLAN? What if the computer spoof an “authenticating” CDP packet?

Not even mentioning the fact the IP phone can be disconnected and the computer may completely abused its MAC address and the special authentication way of it.

You get the picture.


Tags: , ,

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: