28C3 - Version 2.3.5

28th Chaos Communication Congress
Behind Enemy Lines

Referenten
pt
Programm
Tag Day 3 - 2011-12-29
Raum Saal 2
Beginn 16:00
Dauer 00:30
Info
ID 4656
Veranstaltungstyp Vortrag
Track Hacking
Sprache der Veranstaltung englisch
Feedback

Ooops I hacked my PBX

Why auditing proprietary protocols matters

This talk is cautionary tale about developers forgetting to remove debug interfaces from finished products and the need of repetitive system reviews. A midrange PBX systems (non web) configuration interface is used as an example of what flaws you can actually find in commercial systems.

The Idea behind this talk is to give you an idea what can happen when developers do not audit their code on regular basis. It is not meant to make anybody laugh at another ones stupidity but as a reminder what could happen to YOU if you're a developer.
As an example of what could possibly go wrong, a problem in the way the configuration interface is authenticating its administrators on a PBX is used. It is about dissecting a proprietary TCP/IP based protocol used to configure telephones with system integration through the PBX and unexpectedly finding a flaw which not only allows to modify configuration of phones but also manipulate the PBX. The even bigger oversight was that all communication is possible without using any authentication. It is also a little bit about protocol design and some (false) assumptions still made when when preparing an impending product launch.

But for the sake of honesty: No names and no brands will be given, the talk is based upon a true example but because of responsible disclosure procedures not all information will be released to the public.

Anhängte Dateien

Archived page - Impressum/Datenschutz