SANS Includes VoIP in Top 20 Security Issues For 2008
Once again, SANS included VoIP among its top 20 issues for 2008:
Recent Posts
Search Blog
- Search Blog
Conferences
General Articles
- Calibre Macro*World, 3/2008
- The biggest VoIP security threats - and how to stop them - Research - Breaking Business and Technology News at silicon.com, 3/2008
- Enterprise security in 2008: Addressing emerging threats like VoIP and virtualization, 1/2008
- VoIP Security Still Falling Short - Network Sentry, 1/2008
- 2008 - the year VoIP gets hacked? | The Register, 1/2008
- PC World - Hackers Claim Flaw in British DSL Service, 1/2008
- Call Jacking: Phreaking the BT Home Hub | GNUCITIZEN, 1/2008
- Blueprint: Network Architecture, 1/2008
- The Top 5 VoIP Security Threats of 2008 - VoIP News, 1/2008
- IT managers complacent about VoIP infrastructure security threats - Security Park news, 1/2008
- Security dominates 2008 IT agenda, 1/2008
- Total surveillance made easy with VoIP phones | GNUCITIZEN, 1/2008
- SIP and Security: Just do it Right, 12/2007
- Top 9 VoIP Threats, 1/2008
- VoIP vulnerabilities increasing, but not exploits, 12/2007
- Techworld.com - VoIP is the next big hack, 12/2007
- Not Waiting for the Big One - VoIP News, 12/2007
- VoIP Security Lessons Microsoft OCS Can Learn From Vonage and Others | NetworkWorld.com Community, 12/2007
- Why Nobody’s VoIP Is Secure - VoIP News, 11/2007
- Techworld.com - Expert scares world with VoIP hacking proof, 11/2007
- Unified communications security vulnerabilities : VoIP Topics, 10/2007
- Vonage Security Problems May Be Just the Start - VoIP News, 11/2007
- VoIP security industry: Guilty as charged - Network World, 11/2007
- � New hack mimics VoIP phone allowing access to data networks | Mobile and Wireless | TechRepublic.com, 11/2007
- VoIP security notices show security remains a multi-vendor issue - Network World, 11/2007
- The Forum for Business IP Telephony - VoiceCon Conference & Events 2008- Enews, 10/30
- SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc
- Hackers gain access to private hotel network using Cisco VoIP | NetworkWorld.com Community
- Phones Aren't Safe Either, Hackers Say | Threat Level from Wired.com
- » VoIP Security firm: we informed Vonage of hackability a month ago and haven’t heard back | IP Telephony, VoIP, Broadband | ZDNet.com
Advisories
- Cisco Security Advisory:�Cisco Unified Communications Manager Denial of Service Vulnerabilities, 10/2007
- Cisco Security Advisory:�Cisco Unified IP Phone Overflow and Denial of Service Vulnerabilities, 2/2008
- Cisco Security Advisory: Cisco Unified Communications Manager CTL Provider Heap Overflow� [Products & Services] - Cisco Systems
- AST-2008-001, 1/2008
- Voice of VOIPSA » Blog Archive » Trixbox contains “phone home” code to retrieve arbitrary commands to execute?, 12/2007
- AST-2007-027, 12/2007
- [VOIPSEC] Nokia N95 cellphone remote DoS using the SIP Stack, 12/2007
- [VOIPSEC] Cisco Phone 7940 remote DOS, 12/2007
- AST-2007-026
- AST-2007-025
Skype Articles
- Improper handling of URI arguments, 1/2008
- Voice of VOIPSA » Blog Archive » Oops… Skype failed to mention this wee minor security update…, 12/2007
- URI problem also affects Acrobat Reader and Netscape - heise Security, 10/2007
- How dangerous is Skype?, 3/2007
- Voice of VOIPSA » Blog Archive » And why exactly would I want to install “Ringjacker” and let other people hijack my inbound ringtone?, 2/2007
- Voice of VOIPSA � Blog Archive � How to avoid Skype 3.0 reading the BIOS of your system, 2/2007
- What threats does Skype face? | Tech News on ZDNet, 1/2007
- Confusion over Skype security threat clears up | CNET News.com, 12/2006
- Dangerously Irrelevant: Advising, webcams, and Skype
- iTWire - Skype bugging your network? Here's how to squash it
« October 2007 | Main | December 2007 »
Cisco VoIP Security Podcasts
I got this from Dan Yorks Bluebox Podcast. Cisco has several VoIP security podcasts on their Techwise page.
http://www.cisco.com/en/US/netsol/ns752/networking_solutions_packages_list.html
I Think We Have Enough SIP Attack Tools
This post may seem a little ironic, considering that I just posted info on some new SIP-based tools we built, but I wanted to rant a little about all the SIP attack tools that are out there. My team conducts VoIP security assessments for enterprises, and they have a huge collection of wicked SIP-based attack tools. If we are lucky enough to find some box listening on port 5060, its pretty much toast, considering all the DoS, fuzzing, hijacking, and so on tools that we and the community have access to.
That said, the proliferation of SIP-based attack tools has raised awareness of issues and made a lot of implementations more secure, at least to well known attacks like protocol fuzzing suites.
The reality is that most enterprises have very little, if any SIP. Of course there are some little-known SIP interfaces, like that between CME and CUE, some internal SIP trunking, and in some very rare cases, SIP to the service provider, but very little handset SIP. The vast majority of the protocols you run into include H.323 (inlcuding proprietary mutations), SCCP, Unistim, MGCP, etc. What the community needs are more tools that can be used to test for vulnerabilities on the protocols that are actually being used by enterprises. I am sure some of these exist, but I am not aware of many that are public. This is too bad, because I don't think customers understand how fragile some of these systems are. For example we have a tool that perform a "call flood" attack on one of these protocols and forces a reboot of a key VoIP system component. I suspect other folks, including the bad guys, have similar tools. I hope the VoIP security community can spend more time on these sorts of tools, to show enterprises where the vulnerabilities are, and in general, improve the security of these systems.
Of course there are many vectors of attack into a VoIP system, but the signaling (and media to some degree) are always lucrative, because they have to be exposed to the network.
Another Tool For RTP Injection
The folks at iSecPartners recently (at Blackhat actually) released information and a tool that injects audio into a VoIP (RTP) session. As they correctly point out, some earlier tools like ours are command-line and can be a chore to use. They have built a slick GUI, that appears to just key off of RTP (which makes it independent of the signaling) and inject audio. I don't think they have the ability to mix audio.
Here are links to the software and a presentation:
http://www.isecpartners.com/tools.html
http://www.isecpartners.com/files/iSEC_Garbutt_Lackey_Point,%20Click,%20RTPInject%20_bh07.pdf
I am hoping to build a version of the Call Monitor that I described on the previous post, that doesn't require SIP. It will either work with common signaling protocols like SCCP, H323 mutations, Unistim, or if possible, just key off of RTP.
New Generation of SIP Attack/Testing Tools
We (Mark O'Brien and I) recently upgraded the SIP tool set we released along with the Hacking Exposed Book, on a contract with the US government. A summary of the new features is:
o Additional support for TCP and authentication where appropriate.
o A new passive directory scanner.
o A new tool to query registrations.
o Several new DoS tools, using different requests.
o A state-full fuzzing tool, based on SIPp.
o Multiple enhancements to the sip_rogue application-level MITM platform.
o A new Call Monitor tool
The call monitor tool is probably the most interesting - it graphically displays all active SIP calls. It allows the user to run other attack tools, including the teardown and RTPinsertsound and RTPmixsound tools. This is nice, because these tools require a lot of command line parameters, so the Call Monitor makes the tools a lot easier to run. It addition, the Call Monitor allows the user to define up to 10 pre-defined audio files, which can be inserted or mixed into a call on command. The Call Monitor also streams the audio for a selected call to an audio player, so the user can listen to a conversation and properly "time" insertion of a word, phrase, or sound. This makes attacks like replacing "buy"/"sell", "1000"/"1,000,000" in a trading scenario possible. Here is a screen shot of the Call Monitor:
I am not sure we will be able to release these tools, but I am working on that.
SIPVicious
I updated the link to the SIPVicious tool set in my "Tools" typelist. Also, here is a link to the authors blog. I haven't had a chance to play with the tools, its on my list like a zillion other things, but they look pretty cool and useful.
RTP Stenography
Here is an interesting presentation by Dustin Trammell on RTP stenography. Dustin presented this material at the most recent Blackhat/Defcon. Dustin includes links to tools that allow you to tunnel data through an RTP session:
http://www.dustintrammell.com/presentations/Real-time-Steganography-with-RTP.pdf
McAfee Predicts 50% Rise in VoIP Attacks for 2008
Dustin Trammell posted on the VoIPSA blog, that McAfee predicts that VoIP attacks will rise 50% in 2008. When we conduct assessments for enterprises, we always find vulnerabilities, but rarely if ever find evidence of attacks. Interestingly, we ALWAYS find ongoing attacks/misuse of the legacy systems. I have no idea for how many VoIP attacks will occur in 2007, but whatever the number is, McAfee, a major security technology vendor, believes these attacks will go up 50%. We will see.
Here is a link to the VoIPSA blog entry:
http://voipsa.org/blog/2007/11/16/mcafee-predicts-50-rise-in-voip-attacks-for-2008/
Sipera Viper Link
Sipera's Viper lab has a web page with general information, vulnerabilities, attacks, and a blog. They have had this for a while, but seem to be updating it a bit more lately. Here is a link (it is also in my links list for VoIP security blogs):
Madynes Project
The folks working on the Madynes project have been releasing a number of VoIP vulnerabilities and tools. Here is a link to their site in case you want to check it out:
My Articles/Quotes
- VOIP-Specific Attacks Not an Issue Yet, 3/2008
- Hacking VoIP Exposed - VoIP News, 8/2007
- Seven Tips For VoIP Security Success - BSM, 2/2007
- VOIP: What? Me Worry?, 2/2007
- VoIP Security on Parade: Collier Predictions; ITEXPO Education, 2/2007
- VoIP Security: Cisco Unified CallManager Quiz & Chapter, 2/2007
- RSA '07: VoIP security threatened by default settings, warn experts - Network World, 2/2007
- Residential VoIP Security Tips from voip.com, 2/2007
- SAP INFO, 2/2007
- The Forum for Business IP Telephony - VoiceCon Enews -, 1/2007
- VoIP, IP Telephony - VoIP Risks Take Center Stage in 2007 - CRN, 1/2007
- McGraw-Hill Publishes `Hacking Exposed: VoIP' Book Co-Authored by TippingPoint and SecureLogix Experts, 1/2007
- Dark Reading - Desktop Security - VOIP More Vulnerable - Security News Analysis, 12/2006
- VoIP Loop Book Review, 1/2007
- VoIP Soon to Be a Target for ..., 1/2007
- Book Review: Hacking Exposed VoIP - VARBusiness, 1/2007
- Security Threats Come A-Callin', 8/2006
- Enterprise View: Voice over IP Security, TMCNet, 10/2005
- Skype Security, VoIP Magazine, 2/2006
- The Value of VoIP Security, Recent Repost, Communications Convergence, 2/2006
- VOIPSA Threat Taxonomy Summary, VoIP Magazine, 1/2006
VoIP Security Blogs/Links
- Voice Over Packet Security Forum :: Your single (open) source for NGN/VoIP security issues and solutions (News)
- Dustin D. Trammell
- MADYNES research team Portal
- VoIP security - Network World
- Sipera - VoIP Vulnerabilities: Resources
- VoIP security Special Report at silicon.com
- IP Telephony (VOIP) Security: Threats, Defenses and Countermeasures
- VoIP Security - Voxilla Forum
- Blue Box: The VoIP Security Podcast
- Voice Over IP Security Alliance (VoIPSA)
Tools
- Tools | iSEC Partners
- Software — MADYNES research team Portal
- SIPVicious
- Primeobsession :: For number / security geeks!! - VOIP Sound Board
- xenion HQ - RTP Break
- TacVoIP: Hardcore VoIP Security
- VOIPSA : Resources : VoIP Security Tools
- Hacking Exposed VoIP: Voice over IP Security Secrets and Solutions by David Endler and Mark Collier
Podcasts
Books
Interesting Documents
- Paper on General VoIP Security, x/2007
- VoIP Security Research Paper, x/2007
- SANS Institute - VoIP Security Vulnerabilities, 12/2007
- Draft RFC Defining Session Border Controllers, 12/2007
- Draft RFC For SIP Identity Using Media Path
- Draft RFC for Asserted Identity in SIP
- Draft RFC for Handling Session Keys for SRTP
- eBook from ShoreTel With Chapter on VoIP Security
- SIP Threats
- McAfee's Sage Issue on the Future of Security
Interesting Presentations
- Another Presentation on Nortel Unistim Vulnerabilities, xx/2007
- Presentation on Nortel Unistim Vulnerabilities, xx/2007
- Remote Eavesdropping Using Cisco Phones, xx/2007
- Peer-to-peer SIP Security Presentation, 2/2008
- Voice of VOIPSA » Blog Archive » “Hacking and Attacking VoIP Systems” - Slides from my Astricon 2007 presentation about Asterisk and VoIP security, 1/2008
- 3rd ETSI Security Workshop Agenda, 1/2008
- Voice of VOIPSA » Blog Archive » “Hacking and Attacking VoIP Systems” - Slides from my Astricon 2007 presentation about Asterisk and VoIP security, 1/2008
- Hannes Tschofenig � My Slides from the 3rd ETSI Security Workshop, 1/2008
- Independent Research | iSEC Partners
- RTP Stenography
SPIT/Voice SPAM
- SIP Usage Scenarios Similar to SPIT, 1/2008
- RFC 5039 - The Session Initiation Protocol (SIP) and Spam, 1/2008
- Does UC present new opportunities for spammers? | IT Security | TechRepublic.com, 1/2008
- SPAM and SPIT: what are the dangers? | IT Security | TechRepublic.com, 1/2008
- Draft RFC For SPIT Mitigation (SPIT Score), 12/2007
- Why VoIP is the next target for spammers | Technology | The Guardian, 11/2007
- Voice of VOIPSA » Blog Archive » Now I’ve CAPTCHA’d Your Attention, 7/2007
- Voice of VOIPSA � Blog Archive � IETF group puts forward framework to combat SPIT (VoIP spam) for discussion, 6/2007
- Getting Smart About SPIT - Voxilla, 3/2007
- Voice of VOIPSA � Blog Archive � Combatting Voice SPAM with VoIP SEAL, 3/2007
Phishing
- Your phone may be under attack - MSN Money, 4/2007
- Voice of VOIPSA � Blog Archive � New VoIP Phishing Scheme, 3/2007
- Phishers' Latest Platforms: VoIP, SMS - Technology News by TechWeb, 1/2007
- Phishing attacks now using phone calls - USATODAY.com, 12/2006
- New Bait for Phishing Scams, 11/2006
- Phishing attacks now using phone calls - USATODAY.com, 11/2006
- Phishing Scams – Don't Get Hooked!, 7/2006
- Phishers Hit The Phone Bank With Asterisk, 8/2006
- Something's phishy - Security - Technology - smh.com.au, 10/2006
