- By William Jackson
- Aug 02, 2007
LAS VEGAS ' VOIP means voice over IP, and IP means vulnerabilities. Weaknesses with Session Initiation Protocol for VOIP are well-known, but other widely used protocols such as H.323 and IAX get less attention, according to Himanshu Dwivedi, founding partner at iSec Partners.
'H.323 and IAX are just as bad as SIP, if not worse,' Dwivedi said Wednesday at the Black Hat Briefings security conference.
It can be relatively simple for anyone with access to a network to compromise the call set-up protocols, and Dwivedi and iSEC partner Zayne Lackey proved it with a demonstration of attack tools.
Although SIP may be better known, H.323 is the most widely used protocol in enterprise VOIP environments because of its stability and scalability. IAX is gaining in popularity for use with the Asterisk open-source PBX.
But both H.323 and IAX authenticate to their gatekeepers using MD5 hashing to hide the password. But the elements used with the password to create the hash are transmitted in the clear, making it possible to run an offline dictionary attack against the hash to determine the password. This is an especially simple job for a VOIP telephone where the password will just be numeric, rather than alphanumeric.
'Nine times out of ten you will find that password' with a dictionary attack, Dwivedi said.
IAX passwords can be cracked even more easily because the hash is created from only two elements. Attackers can make up rainbow tables requiring only a look-up of a corresponding password from the hash with no real computation involved.
Authorization to the network can be just as easy to attack by finding the authorization key. Phones also can be blocked from being authorized on the network by sending a spoofed rejection packet.
Once an attacker controls the authentication and authorization of a phone, he can control that phone, impersonate it or gain unauthorized access to the network. Denial-of-service attacks against the protocols are easier.
'Making the VOIP phone unavailable is not very hard,' Dwivedi added.
The protocols can support better security, but products examined by Dwivedi and Lackey did not implement it, they said.
William Jackson is a Maryland-based freelance writer.