Cisco disclosed that the Cisco Unified Communications Manager (CUCM), formerly CallManager, contains a heap overflow vulnerability in the Certificate Trust List (CTL) Provider service that could allow a remote, unauthenticated user to cause a denial of service (DoS) condition or execute arbitrary code. Here is a link to the vulnerability:
Before I make any bold predictions for VoIP security in 2008, I thought I should review my predictions from last year. After reviewing my predictions, its clear that I should get out of the prediction business. Of course I didn't do as badly as some vendors, who simply list a bunch of bogus issues that they hope become a reality so they can sell their product. Actually my predictions weren't that terrible - its more that they just haven't occurred yet, but will likely do so at some point in the future.
Here are the predictions for 2007 and my opinion as to whether or not I was right, wrong, or half-right:
1) There is no doubt that VoIP security attacks have taken place, but very few have been widely publicized. I predict that in 2007, we will see enterprise VoIP systems attacked and the results publicized.
Half-right. While I am sure (and have seen) enterprise VoIP systems have been attacked, these attacks are not widespread. We conduct enterprise VoIP security assessments and we have been brought in to perform forensic analysis after an attack. The primary motive of these attacks is to use VoIP to enable toll fraud. However, I have not seen any public discussion of attacks.
2) VoIP is an application running on the data network and will continue to be affected by attacks such as worms, virus, Denial of Service (DoS), etc. While these attacks may not directly target VoIP systems, they will disrupt operations because the underlying platforms are vulnerable to the attack.
Wrong. The primary voice vendors, such as Nortel, Cisco, and Avaya, have hardened their IP PBX systems and they have become more resilient to the types of attacks that target the underlying operating system. I am not aware of any work that had a serious negative impact on any major IP PBX in 2007.
3) We will also start to see more VoIP specific attacks, particularly aimed at the enterprise. There is more scrutiny of VoIP systems and attackers will find more issues that are unique to VoIP and the systems that enable it.
Half-right. Some issues have been found and the frequency of security advisories is increasing. However, many of the issues are in smaller, more obscure, and/or SIP platforms, which aren’t commonly used yet in enterprises. Platforms such as Asterisk, other SIP-based proxies, and SIP phones have received a lot of scrutiny, because they are inexpensive and easy to set up and experiment with. Conversely, the security industry really hasn’t done a lot of analysis of the larger IP PBX platforms, such as those available from Nortel, Avaya, and Cisco.
4) Attackers will also be developing more tools to exploit these issues. Even now, there are plenty of tools out there, but you can expect to see more tools and extensions to the tools currently available.
Half-right. We have seen a lot of new tools developed. We personally have developed quite a few new tools, but have not released them yet. The VoIP Security Alliance, www.voipsa.org maintains an extensive list of VoIP security/attack tools. However, most of the available tools are designed for SIP, because it is fairly easy to get a SIP system set up. Very few tools used to attack proprietary signaling protocols were released.
5) Denial of Service (DoS) will continue to be the most significant threat to VoIP systems. Many VoIP systems are very vulnerable to fuzzing and flood based attacks, including simple transport and application layer attacks.
Right. DoS remains the most significant vulnerability in enterprise VoIP deployments. During our assessments, we have always been able to disrupt IP PBX systems, through DoS floods, malformed packets, saturation of limited bandwidth links, etc.
6) You can expect enterprises to start deploying the Session Initiation Protocol (SIP) for handsets as well as connectivity to the public network. The move to SIP will affect security, because there is a long list of SIP attack tools available for use.
Wrong. The adoption rate of SIP in 2007 was slower than expected. Use of SIP for handsets and public trunking did not pick up significantly. Some large enterprises are evaluating use of public SIP trunking, but actual deployments are still uncommon.
7) Even with the move to SIP, proprietary protocols will continue to dominate VoIP for several years. You will start to see new attack tools that target these protocols as well, especially for vendors with wide deployment (Cisco, Avaya, Nortel, Siemens, etc.).
Half-right. Handset protocols using proprietary protocols dominated those using standards-based protocols. However, very few tools were released that could be used to attack these protocols.
8) Social threats such as voice phishing and voice SPAM will start to emerge. They will not be common, but their threat level will grow with the increasing adoption of VoIP. Social engineering attacks could start to become disruptive in late 2007.
Wrong. Neither social threat significantly increased in 2007. There were some additional voice phishing attacks, but not as many as expected. Voice SPAM or SPAM over Internet Telephony (SPIT) did not emerge as an issue.
9) Although vendors will increase their offerings for conversation encryption, it will not be widely employed by enterprises.
Right. Encryption of calls is still very uncommon. During our enterprise VoIP security assessments, we encountered audio encryption in approximately in approximately 10 percent of the deployments.
10) VoIP deployment has the potential to affect traditional networks. Attacks like DoS, SPIT, and toll fraud may “spill” over and affect legacy systems.”
Right. During our assessments, the primary “VoIP” attack we encountered was where the attacker used a non-secure media gateway for toll fraud over traditional networks. VoIP architectures made this attack possible and easier than with traditional, closed networks. Also, while we always find vulnerabilities with VoIP deployments, we rarely encountered actual attacks (other than the one above). However, we always found actual attacks/mis-use of traditional networks, in the areas of poorly secured authorized modems and use of unauthorized modems for dialup ISP access. While VoIP systems are more vulnerable, traditional issues are being exploited more often and the move to VoIP isn’t changing this.
Here is an article summarizing vulnerabilities with the Snom 320 SIP phone. A lot of the vulnerabilities have already been disclosed, but this article summarizes them. Note that when we wrote the Hacking Exposed: VoIP book, we also discovered that you could enable a packet capture on the Snom 190 SIP phone and then save/download the resulting packet capture file. I don't know if you can do this on a Snom 320 SIP phone.