Security Installer Community

IP Signalling And Network Configuration



I'm just looking at changing some theoretical vulnerabilities into actual exploits on some IP signalling boards.

Some of these would rely on the signalling board being accessible on the network from a PC (specifically, can the PC send broadcast traffic and the signalling board receive it).

So when these boards are installed, how is the network connection normally provided? Is it just plugged into any available network port? Is a specific VLAN created (or any other segregation from the rest of the network)?

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

So, if a PC on the same subnet could reconfigure the IP address/gateway, perform a denial-of-service attack, or even act as a man-in-the-middle, would that be considered a problem?

It's far easier to compromise one of many PCs than a single embedded board, you see.

Edited by cybergibbons


Be a major problem, but no one on the whole sees it. When we have IP devices on corporate networks, they tend to VLAN our gear inc DVRs off but the average commercial/residential alarm we just sit on the network as does everything else.

www.securitywarehouse.co.uk/catalog/


If you just take out the LAN interface, then a dual path device is going to cause an alarm, yes.

But if you can change the gateway, you can act as a man-in-the-middle. If the protocol has no message authentication, sequencing etc. then you can just act as if everything is OK.

It's just a nasty hole to leave open.


If the protocol has no message authentication, sequencing etc. then you can just act as if everything is OK.

Are there any signalling products that have no message authentication?

MITM attack is possible but unlikely IMO.

Signalling devices are sold on how simples they are for monkeys to fit, I doubt the average installer would be able to set up VLANs or separate subnets.

Wouldn't it also depend which path is first priority?


Are there any signalling products that have no message authentication?

MITM attack is possible but unlikely IMO.

Signalling devices are sold on how simples they are for monkeys to fit, I doubt the average installer would be able to set up VLANs or separate subnets.

Wouldn't it also depend which path is first priority?

Yes, some signalling products appear to have no message authentication - it appears to be trivial to spoof responses.

MITM is unlikely currently. But then if one product can be MITMed and another can't, which one is better?

With respect to path priority, if you can act as MITM on the secondary LAN interface and then respond with a message saying "Reconfigure all inputs to not trigger on changes", then it doesn't matter that the other path is untouched.

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/
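
As an added illustration of the message authentication and sequencing the thread refers to (not code from any post or from any signalling product): a receiver that checks an HMAC tag and a strictly increasing sequence number drops spoofed, altered and replayed frames. The frame layout, the `POLL_OK` payload and the key handling are assumptions made up for this example.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes

def make_message(key: bytes, seq: int, payload: bytes) -> bytes:
    """Frame (assumed layout): 8-byte big-endian sequence || payload || HMAC tag."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

class Receiver:
    """Accepts a frame only if its tag verifies and its sequence number advances."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, frame: bytes):
        if len(frame) < 8 + TAG_LEN:
            return None                      # too short to hold header and tag
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                      # forged, or modified in transit
        seq = struct.unpack(">Q", body[:8])[0]
        if seq <= self.last_seq:
            return None                      # replayed or reordered
        self.last_seq = seq
        return body[8:]

def demo():
    key = os.urandom(32)  # constructed per-device key; provisioning is out of scope
    rx = Receiver(key)
    genuine = make_message(key, 1, b"POLL_OK")
    return {
        "genuine": rx.accept(genuine),
        "replayed": rx.accept(genuine),
        "forged": rx.accept(make_message(b"\x00" * 32, 2, b"POLL_OK")),
        "tampered": rx.accept(genuine[:8] + b"CONFIG!" + genuine[15:]),
        "next": rx.accept(make_message(key, 2, b"POLL_OK")),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {result!r}")
```

The same check applies in both directions: configuration commands sent to the board need the tag and sequence test just as much as status messages sent from it.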

 

 

 
