Learn, hack!

URL

http://ftp.ccc.de/congress/28C3/mp4-h264-HQ/28c3-4656-en-ooops_i_hacked_my_pbx_h264.mp4

File name

28c3-4656-en-ooops_i_hacked_my_pbx_h264.mp4

File size

220.1 MB

MD5

b243824e0fdce72c2dcc0b0862cf91f7

SHA1

61d177100871e09e1837f392e992afc616f5ad71

This talk is cautionary tale about developers forgetting to remove debug interfaces from finished products and the need of repetitive system reviews. A midrange PBX systems (non web) configuration interface is used as an example of what flaws you can actually find in commercial systems. The Idea behind this talk is to give you an idea what can happen when developers do not audit their code on regular basis. It is not meant to make anybody laugh at another ones stupidity but as a reminder what could happen to YOU if you're a developer. As an example of what could possibly go wrong, a problem in the way the configuration interface is authenticating its administrators on a PBX is used. It is about dissecting a proprietary TCP/IP based protocol used to configure telephones with system integration through the PBX and unexpectedly finding a flaw which not only allows to modify configuration of phones but also manipulate the PBX. The even bigger oversight was that all communication is possible without using any authentication. It is also a little bit about protocol design and some (false) assumptions still made when when preparing an impending product launch. But for the sake of honesty: No names and no brands will be given, the talk is based upon a true example but because of responsible disclosure procedures not all information will be released to the public.