VOIP: With functionality comes risk
- By William Jackson
- Aug 03, 2006
LAS VEGAS'Voice is one of the hot trends in the convergence of communications onto IP networks, which means it could be the hot new security headache.
As with many applications, adoption comes first and security often is an afterthought, said David Endler, director of security research for TippingPoint, a 3Com company.
'VOIP isn't that different,' said Endler, who spoke at the Black Hat Briefings security conference yesterday. 'It's on the same adoption curve.'
It still is early in that curve, and VOIP-specific attacks still are rare. But they are also unnecessary, said Endler. VOIP is vulnerable to attacks on the underlying platforms in the IP infrastructure on which it rides. Devices can be scanned, breached and spoofed, just like any other piece of hardware or software.
'These phones are minicomputers,' he said. 'A lot of them run Web servers, which is scary. They have no business being exposed on the Internet, but because of misconfiguration, they are.'
Endler, together with Mark Collier, chief technology officer of SecureLogix, is co-author of Hacking VOIP Exposed
, due out in December. Their presentation at Black Hat summarized some of their research findings.
Session Initiation Protocol is emerging as the dominant standard for VOIP, and Endler and Collier demonstrated some basic attacks against VOIP phones and SIP servers. They can be footprinted and scanned for data, and a man-in-the-middle attack can let an attacker sniff VOIP traffic. SIP signaling also is subject to manipulation.
'SIP acts like H
TTP in its challenge-and-response mechanism,' Endler said. 'This is all Web-based stuff, with sniffers,' he said of the attacks.
They also demonstrated SIPSCAN, a tool they created to scan for files on SIP servers, which can be a rich source of data on VOIP applications.
'If you can get a password for somebody's voice mail from these files, you don't need to attack the phone directly,' Endler said.
The good news about VOIP security is that VOIP-specific attacks, although possible, still are rare. Most of the exploits against VOIP systems today can be defended against with proper enterprise security procedures.
'There are mitigation techniques for all of these things,' Endler said.
Techniques include disabling unnecessary services, such as Web servers; changing default passwords and configurations; and hardening the entire system.
'You have to harden not only the phones and servers, but the network itself,' he said.
William Jackson is a Maryland-based freelance writer.