Dial V for Vulnerable - Attacking VoIP Phones
Offered By: 44CON Information Security Conference via YouTube
Course Description
Overview
Explore the world of VoIP phone vulnerabilities in this 41-minute conference talk from the 44CON Information Security Conference. Dive into past projects and future prospects before examining the architecture and attack targets of VoIP systems. Learn about firmware access techniques, including SPI, UART, and bootloader examples. Discover various emulation approaches and firmware vulnerabilities, such as null pointer dereference and web-based findings. Investigate command injection techniques, password bypass methods, and stack-based buffer overflows in ARM devices. Gain insights into exploit development challenges, device overviews, and vulnerability assessments. Conclude with valuable recommendations for users, administrators, and developers, as well as key lessons learned in VoIP security.
Syllabus
Intro
Past Projects
What's next?
Perfect World
Real World
Architecture and Attack Targets
Abstract Methodology
Firmware Access for Software People
Examples: SPI
Examples: UART
Examples: Bootloader
Use Vulnerability
Emulation Approaches
Firmware Emulation
DoS - NullPointer Dereference
Web Based Findings - CSRF
Web Based Findings - Gigaset Maxwell Basic
Command Injection
Injection Example (Shell Script)
How to Bypass Password?
Exploit to Delete Password
Problem!
Stack Based Buffer Overflow (ARM)
Control SPC
Exploit Development, Challenges
Device Overview
Vulnerability Overview
Recommendations for Users/Admins
Recommendations for Developers
Lessons Learned?
Taught by
44CON Information Security Conference
Related Courses
Supply Chain Unchained - How To Be A Bad SaaS
44CON Information Security Conference via YouTube
Aviation Security 101
44CON Information Security Conference via YouTube
The Anti-Checklist Manifesto
44CON Information Security Conference via YouTube
Why Are We Still Doing Authentication Wrong?
44CON Information Security Conference via YouTube
What Do Hackers See When They Look at the Clouds
44CON Information Security Conference via YouTube