War Dialling – a Thing of the Past or the Return of Forgotten Evil?
Are you part of an organisation that performs war dialling as part of its regular external security audits? I can almost guarantee that most readers of this article will answer ‘no’ to that question. By not conducting war dialling as part of their regular external security audits, organisations leave themselves open to potential network security breaches because they have no knowledge of rogue or poorly configured modems attached to their network infrastructure. Rogue modems are known to have been installed by disgruntled employees or by an attacker who has breached the physical perimeter of the organisation.
For those new to the subject, war dialling is a technique used by attackers, traditionally using a modem, to scan a list of telephone numbers in search of modems, faxes, voice mail, PBXs, loops, dial tones, forwarders etc. War dialling was made well known by the ever so popular 1983 film ‘War Games’, starring Matthew Broderick as a teenage hacker who unwittingly hacks a United States military supercomputer programmed to predict the potential effects of a nuclear war. Attackers will often use war dialling to gain access to the protected network without having to compromise the organisation’s firewall between the public and private networks. Sometimes these systems won’t even require valid authentication credentials (e.g. username and password) to gain access to systems within the organisation’s network perimeter.
As a security consultant I rarely get asked about war dialling assessments by clients, and there seems to be a general opinion that war dialling is a 1980s to mid-1990s attack vector. Until recently there has been a lack of development of war dialling tools/utilities by the public community. However, last year new, free and readily available war dialling software was released by the community (e.g. WarVOX by Metasploit) that allows an attacker to scan over 1,000 numbers per hour. Has this attack vector vanished from the face of the Earth, or are there really attackers out there still using this dinosaur of war dialling as a method to attack public and private organisations? Go figure…
In my extensive experience in security testing and auditing, most organisations do not commission war dialling as part of their regular security audits. However, some security experts may argue that unauthorised or insecure modems are one of the most overlooked security issues today. As with most successful attacks, this could prove fatal to the security posture of the organisation and would most likely prove very embarrassing and costly, both in terms of remedial action and in regard to the organisation’s reputation.
So what do you come across in a war dialling audit for an organisation as a security consultant? I think this all depends on the size and nature of the business, but some real examples from the most recent tests include the following systems, which have been found to be, most of the time, insecure or misconfigured: Private Branch Exchange (PBX) telephone exchange systems, Cisco-based telecommunications network systems (MPLS), data storage systems, various monitoring systems for the water and environmental protection industries, fire and alarm systems, elevator control systems, secure dial-in services normally used to provide secure remote or occasional access to Local Area Networks (LAN) via the public telephone network, and various fax-compatible systems. Some of these systems are generally classified as important or critical systems by the organisation. Most of the time the client never knew these systems were remotely accessible, and it turns out that the service provider installed it for remote troubleshooting, or that it is the default installation configured with default login credentials!
Now consider this: what if some of these remote access systems were Supervisory Control and Data Acquisition (SCADA) systems controlling valves, motors or other forms of equipment? This is obviously relevant for the power transmission, oil and gas and water treatment industries, but not limited to those. For example, what if an attacker were able, through access gained via an insecure remote access dial-up service, to shut down the power in that local area, or to remotely open a valve at a sewage plant, causing a sewage discharge? More disastrous examples could be illustrated, but I think you should be able to think of a few yourself… how about sewage plants, chemical plants, embedded systems, crane control systems, water purification systems, petroleum wellhead pump controls or even nuclear power generation systems. I am not saying all of these types of systems have modems directly connected to them, but associated infrastructure might.
Throughout my career as a security consultant I have been a firm believer that war dialling should form part of an organisation’s regular security audit. War dialling will bring assurance to the organisation that it does not have rogue, poorly configured or unauthorised modems exposed to the general Internet, and that it is resilient and secure against potential attacks. To date, not one war dialling audit I have been involved with has been conducted without a vulnerability being uncovered for the organisation commissioning it. With new, improved war dialling techniques and software readily available, perhaps you should consider conducting a war dialling audit to explore/enumerate, classify and audit your exposed systems? Just remember, if you don’t find your vulnerabilities, the evil attackers surely will.
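The classify-and-audit step described above, as an added example that is not part of the original article: a triage of war dialling audit results against the organisation's approved modem register, flagging carriers that nobody registered and approved modems still recorded as carrying default credentials. The scan results, the register and the line-type labels (MODEM, FAX, VOICE, TIMEOUT) are constructed sample data in an assumed format, not the output of any particular tool.

```python
"""Triage war dialling audit results against an approved modem register."""
import csv
import io

# Constructed sample scan results: number, detected line type, banner seen.
SCAN_RESULTS = """\
number,line_type,banner
+15555550101,MODEM,PBX maintenance port
+15555550102,FAX,
+15555550103,MODEM,Elevator controller v2 login:
+15555550104,VOICE,
+15555550105,MODEM,Water telemetry RTU
+15555550106,TIMEOUT,
"""

# Constructed approved register: number -> owner and whether the vendor's
# default login credentials have been changed.
APPROVED = {
    "+15555550101": {"owner": "Telecoms", "default_creds_changed": True},
    "+15555550105": {"owner": "Facilities", "default_creds_changed": False},
}


def classify(scan_csv: str, approved: dict) -> dict:
    """Group findings by the action they require.

    rogue         - carrier answered but the number is not in the register
    default_creds - registered modem still recorded with default credentials
    approved      - registered modem with no issue recorded
    non_modem     - fax, voice or no answer; kept for the inventory only
    """
    findings = {"rogue": [], "default_creds": [], "approved": [], "non_modem": []}
    for row in csv.DictReader(io.StringIO(scan_csv)):
        num, kind = row["number"], row["line_type"].upper()
        if kind != "MODEM":
            findings["non_modem"].append((num, kind))
            continue
        entry = approved.get(num)
        if entry is None:
            findings["rogue"].append((num, row["banner"]))
        elif not entry["default_creds_changed"]:
            findings["default_creds"].append((num, entry["owner"]))
        else:
            findings["approved"].append((num, entry["owner"]))
    return findings


if __name__ == "__main__":
    for action, items in classify(SCAN_RESULTS, APPROVED).items():
        print(action, items)
```

Each number that answers with a carrier ends up either in the register (with its owner accountable for the credentials) or on the rogue list for removal; the non-modem lines remain in the inventory so the next audit can spot new carriers.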
Robert P. S. Jansson (CISSP, CISA, LPT, ECSA, CEH)