Hackers have thousands of different ways to access or exploit computing environments. In this article, we focus on one of these many avenues of trespass: remote access via dial-up, better known in the hacking community as wardialing.
Wardialing is like a port scanner for telephones. Numbers are dialed systematically and the answering tones are assessed. Just as with a port scanner, available wardialing products only look for resources that they have been programmed to recognize. These products are useful for generating a coarse-level understanding of your telephony-based resources. They cannot be used, however, for fine-grained analysis (i.e., a high degree of accuracy) because there are literally hundreds, if not thousands, of different resources that a modem can be connected to, and these automated products only look for a small set of them. Automated products can suffer from both false positives (they categorize a resource incorrectly) and false negatives (they categorize a number as having no exploitable resource when, in fact, they were just unable to negotiate correctly in the time allotted).
Understanding the numbers behind the numbers
While dial-based exposures were the original hackers' entry points, in recent years IT managers have focused assessment monies on internet-based vulnerabilities, largely ignoring those associated with their telephone systems. But these phone-based vulnerabilities represent the easy way in to many network environments. The best firewall cannot protect against rogue modems operating on critical servers or user desktops.
Based on performing dial assessments over many years, we usually find some type of carrier tone on 3 percent to 5 percent of the numbers dialed. We are usually able to obtain an interactive session on at least 10 percent of those targets. In large organizations, that can mean a significant number of easily exploitable vulnerabilities. For example, in a sample size of 100,000 phone numbers (just 10 local exchange ranges) that would mean about 3,000 to 5,000 numbers have carrier tone and at least 300 to 500 resources can be exploited in some way.
In the grand scheme of things, false negatives are the real problem. If the software does not detect a carrier signal on the other end when some type of tone-activated device is present, you may incorrectly assume that there is no exploitable resource on the other end. The negotiation may have failed for a number of reasons: the dialing program may not have waited long enough for the negotiation (i.e., the training sequence) to succeed, its negotiation protocol may be close to but not exactly what the dialed device is expecting, the dialed device may be temporarily off-line, the dialed device may be temporarily in use (a busy signal), or there may be problems with the telephone network that you are currently using.
Failed device training sequences are not uncommon for all of the above reasons and because there are many standards that a typical dialing product may not support. For example, you may have ISDN dial-up to remote branch offices, K56flex, or asynchronous X.25 serial connections that a wardialing setup will not detect.
Telephone infrastructure out of control
Perhaps more surprisingly, we often find that organizations do not have an accurate understanding of their telephone infrastructure. It is not uncommon for organizations not to know how many direct inward dial (DID) numbers they have or the ranges of telephone numbers they control. We regularly find that organizations mistakenly believe they control phone numbers that belong to others, and conversely, we find many telephone numbers thought to be active that are not.
In many cases, establishing a modem connection to an inside computer bypasses most (if not all) of the security measures that have been put in place to protect the organization. Only in rare instances do we find intrusion detection coverage of dial-in access ports. Compounding the problem, we often find that the authentication and authorization barriers that might have prevented access are ineffective because defaults have been left in place.
The combination of loosely controlled telephone infrastructures (compared to a typical internet perimeter) and the ubiquity of modems means that it is prudent to understand and manage your telephone-based vulnerabilities. The place to start is with a careful inventory of your DID lines. This will enable you to focus your efforts on the small percentage of telephone numbers that connect to vulnerable resources.
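The false-negative problem described earlier and the DID inventory just recommended both come down to how scan results are triaged afterwards. The following is an added example (not from the original article or from SystemExperts) that sorts a constructed, hypothetical wardialer result log into numbers with a confirmed carrier, carriers whose training failed (for an attended follow-up session), inconclusive dials that must be re-dialed rather than written off, and carriers answering outside the DID ranges the organization believes it owns. The log format, the outcome names and the 555 range are assumptions for illustration.

```python
# Constructed sample of an unattended wardialer result log, one dial per line:
# "<number> <outcome> [free-text detail]". Not the output of any real product.
SAMPLE_LOG = """\
555-0100 CARRIER  connected 9600 V.32
555-0101 NOCARRIER
555-0102 BUSY
555-0103 TIMEOUT  no answer within 45s
555-0104 VOICE
555-0105 CARRIER  training failed after 3 retrains
555-0106 FAX
555-0199 CARRIER  connected 2400 V.22bis
"""

# Inconclusive outcomes: a tone-activated device may be present but was never
# negotiated, so the number must be re-dialed, not recorded as "no resource".
RETRY_OUTCOMES = {"BUSY", "TIMEOUT"}

def parse_log(text):
    """Return (number, outcome, detail) tuples; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue
        detail = parts[2] if len(parts) == 3 else ""
        rows.append((parts[0], parts[1].upper(), detail))
    return rows

def in_claimed(number, claimed):
    """claimed: list of (prefix, low, high) DID ranges, e.g. ("555", 100, 150)."""
    prefix, suffix = number.split("-")
    return any(p == prefix and lo <= int(suffix) <= hi for p, lo, hi in claimed)

def triage(rows, claimed):
    """Bucket scan results the way a follow-up session would work through them."""
    buckets = {"carrier": [], "manual": [], "retry": [], "closed": [], "unclaimed": []}
    for number, outcome, detail in rows:
        if outcome == "CARRIER" and "fail" in detail.lower():
            buckets["manual"].append(number)     # tone heard, negotiation failed
        elif outcome == "CARRIER":
            buckets["carrier"].append(number)
        elif outcome in RETRY_OUTCOMES:
            buckets["retry"].append(number)      # false-negative candidates
        else:
            buckets["closed"].append(number)     # VOICE, FAX, NOCARRIER: conclusive
        if outcome == "CARRIER" and not in_claimed(number, claimed):
            buckets["unclaimed"].append(number)  # live modem outside the DID inventory
    return buckets

if __name__ == "__main__":
    print(triage(parse_log(SAMPLE_LOG), [("555", 100, 150)]))
```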
You may find the following tools useful in generating a coarse-level assessment of your telephony-based resources. As mentioned earlier, all of the tools suffer from a number of problems that reduce the accuracy of their results. The best remedy for this is to complement tools with technical skill. We have found that attended wardialing sessions (with experts trained in understanding common carrier-based applications and devices) eliminate most of the false reporting problems of automated unattended wardialing products.
Tool Name              Comment
ToneLoc                The original DOS-based wardialer.
THC-Scan               DOS-based but better featured than
ModemScan, Phonesweep  Commercial wardialer products.
ShokDial               Linux wardialer with source code available to modify and fix problems.
TBA                    Fully featured Palm-based wardialer useful for field testing short ranges of
Armed with that inventory and the best practices listed below, perhaps you can win a few battles in the war of wardialing.
Try these best procedural practices:
- Provide secure (and auditable) means for your system administrators and employees to work remotely.
- Eliminate unrestricted vendor dial-in access to equipment.
- Use a call-back mechanism or caller-ID system for modem access to resources on important networks.
- Monitor critical dial-in systems.
- Establish a secure baseline configuration for corporate computing resources in home offices.
Establish best policy practices:
- Establish and enforce a policy preventing the use of fax machine lines for modem access.
- Require the use of short-lived user IDs and passwords for emergency and vendor access to systems.
- Require secure passwords.
- Use banners to ward off the casual interloper.
Telephone exploitable vulnerabilities are a latent and ongoing problem for most organizations. Forward-looking entities recognize the problem and have integrated telephone infrastructure testing in their overall security programs. Conducting a dial inventory takes some time and a degree of skill, but it often offers a substantial benefit by dramatically and inexpensively eliminating major (unmonitored) vulnerabilities.
Jonathan Gossels is President, Brad C. Johnson is Vice President, and Cheng Tang is a consultant with SystemExperts Corporation (www.systemexperts.com).