Reducing Unwanted Communications using SIP (RUCUS)
The Reducing Unwanted Communcations Using SIP (RUCUS) group has been formed to look at ways of dealing with issues such as voice SPAM/SPIT. Here is a link:
Recent Posts
Search Blog
- Search Blog
Conferences
General Articles
- Calibre Macro*World, 3/2008
- The biggest VoIP security threats - and how to stop them - Research - Breaking Business and Technology News at silicon.com, 3/2008
- Enterprise security in 2008: Addressing emerging threats like VoIP and virtualization, 1/2008
- VoIP Security Still Falling Short - Network Sentry, 1/2008
- 2008 - the year VoIP gets hacked? | The Register, 1/2008
- PC World - Hackers Claim Flaw in British DSL Service, 1/2008
- Call Jacking: Phreaking the BT Home Hub | GNUCITIZEN, 1/2008
- Blueprint: Network Architecture, 1/2008
- The Top 5 VoIP Security Threats of 2008 - VoIP News, 1/2008
- IT managers complacent about VoIP infrastructure security threats - Security Park news, 1/2008
- Security dominates 2008 IT agenda, 1/2008
- Total surveillance made easy with VoIP phones | GNUCITIZEN, 1/2008
- SIP and Security: Just do it Right, 12/2007
- Top 9 VoIP Threats, 1/2008
- VoIP vulnerabilities increasing, but not exploits, 12/2007
- Techworld.com - VoIP is the next big hack, 12/2007
- Not Waiting for the Big One - VoIP News, 12/2007
- VoIP Security Lessons Microsoft OCS Can Learn From Vonage and Others | NetworkWorld.com Community, 12/2007
- Why Nobody’s VoIP Is Secure - VoIP News, 11/2007
- Techworld.com - Expert scares world with VoIP hacking proof, 11/2007
- Unified communications security vulnerabilities : VoIP Topics, 10/2007
- Vonage Security Problems May Be Just the Start - VoIP News, 11/2007
- VoIP security industry: Guilty as charged - Network World, 11/2007
- � New hack mimics VoIP phone allowing access to data networks | Mobile and Wireless | TechRepublic.com, 11/2007
- VoIP security notices show security remains a multi-vendor issue - Network World, 11/2007
- The Forum for Business IP Telephony - VoiceCon Conference & Events 2008- Enews, 10/30
- SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc
- Hackers gain access to private hotel network using Cisco VoIP | NetworkWorld.com Community
- Phones Aren't Safe Either, Hackers Say | Threat Level from Wired.com
- » VoIP Security firm: we informed Vonage of hackability a month ago and haven’t heard back | IP Telephony, VoIP, Broadband | ZDNet.com
Advisories
- Cisco Security Advisory:�Cisco Unified Communications Manager Denial of Service Vulnerabilities, 10/2007
- Cisco Security Advisory:�Cisco Unified IP Phone Overflow and Denial of Service Vulnerabilities, 2/2008
- Cisco Security Advisory: Cisco Unified Communications Manager CTL Provider Heap Overflow� [Products & Services] - Cisco Systems
- AST-2008-001, 1/2008
- Voice of VOIPSA » Blog Archive » Trixbox contains “phone home” code to retrieve arbitrary commands to execute?, 12/2007
- AST-2007-027, 12/2007
- [VOIPSEC] Nokia N95 cellphone remote DoS using the SIP Stack, 12/2007
- [VOIPSEC] Cisco Phone 7940 remote DOS, 12/2007
- AST-2007-026
- AST-2007-025
Skype Articles
- Improper handling of URI arguments, 1/2008
- Voice of VOIPSA » Blog Archive » Oops… Skype failed to mention this wee minor security update…, 12/2007
- URI problem also affects Acrobat Reader and Netscape - heise Security, 10/2007
- How dangerous is Skype?, 3/2007
- Voice of VOIPSA » Blog Archive » And why exactly would I want to install “Ringjacker” and let other people hijack my inbound ringtone?, 2/2007
- Voice of VOIPSA � Blog Archive � How to avoid Skype 3.0 reading the BIOS of your system, 2/2007
- What threats does Skype face? | Tech News on ZDNet, 1/2007
- Confusion over Skype security threat clears up | CNET News.com, 12/2006
- Dangerously Irrelevant: Advising, webcams, and Skype
- iTWire - Skype bugging your network? Here's how to squash it
« January 2008 | Main | March 2008 »
Cisco IP Phone Vulnerabilities
Cisco released an advisory describing several issues with several of their IP phones.
http://www.cisco.com/warp/public/707/cisco-sa-20080213-phone.shtml
Presentation on SIP Security
Here is a presentation from the 3rd ETSI Security Workshop on SIP security:
http://www.tschofenig.com/wp/wp-content/uploads/2008/01/tschofenig-ietf-security.ppt
Cisco Vulnerability Disclosed
Cisco disclosed that the Cisco Unified Communications Manager (CUCM), formerly CallManager, contains a heap overflow vulnerability in the Certificate Trust List (CTL) Provider service that could allow a remote, unauthenticated user to cause a denial of service (DoS) condition or execute arbitrary code. Here is a link to the vulnerability:
http://www.cisco.com/en/US/products/products_security_advisory09186a0080932c61.shtml
Research Paper on VoIP Security Issues
Here is a research paper on VoIP Security vulnerabilities. I am not sure of the exact date that it was published, but some time in 2007:
http://www.hillside.net/plop/2007/papers/PLoP2007_PelaezEtAl.pdf
Top 5 VoIP Security Threats for 2008
Here is an article with the top 5 predictions for 2008.
http://www.voip-news.com/feature/top-security-threats-2008-012408/
Review of My Top 10 Predictions for Last Year
Before I make any bold predictions for VoIP security in 2008, I thought I should review my predictions from last year. After reviewing my predictions, its clear that I should get out of the prediction business. Of course I didn't do as badly as some vendors, who simply list a bunch of bogus issues that they hope become a reality so they can sell their product. Actually my predictions weren't that terrible - its more that they just haven't occurred yet, but will likely do so at some point in the future.
Here are the predictions for 2007 and my opinion as to whether or not I was right, wrong, or half-right:
1) There is no doubt that VoIP security attacks have taken place, but very few have been widely publicized. I predict that in 2007, we will see enterprise VoIP systems attacked and the results publicized.
Half-right. While I am sure (and have seen) enterprise VoIP systems have been attacked, these attacks are not widespread. We conduct enterprise VoIP security assessments and we have been brought in to perform forensic analysis after an attack. The primary motive of these attacks is to use VoIP to enable toll fraud. However, I have not seen any public discussion of attacks.
2) VoIP is an application running on the data network and will continue to be affected by attacks such as worms, virus, Denial of Service (DoS), etc. While these attacks may not directly target VoIP systems, they will disrupt operations because the underlying platforms are vulnerable to the attack.
Wrong. The primary voice vendors, such as Nortel, Cisco, and Avaya, have hardened their IP PBX systems and they have become more resilient to the types of attacks that target the underlying operating system. I am not aware of any work that had a serious negative impact on any major IP PBX in 2007.
3) We will also start to see more VoIP specific attacks, particularly aimed at the enterprise. There is more scrutiny of VoIP systems and attackers will find more issues that are unique to VoIP and the systems that enable it.
Half-right. Some issues have been found and the frequency of security advisories is increasing. However, many of the issues are in smaller, more obscure, and/or SIP platforms, which aren’t commonly used yet in enterprises. Platforms such as Asterisk, other SIP-based proxies, and SIP phones have received a lot of scrutiny, because they are inexpensive and easy to set up and experiment with. Conversely, the security industry really hasn’t done a lot of analysis of the larger IP PBX platforms, such as those available from Nortel, Avaya, and Cisco.
4) Attackers will also be developing more tools to exploit these issues. Even now, there are plenty of tools out there, but you can expect to see more tools and extensions to the tools currently available.
Half-right. We have seen a lot of new tools developed. We personally have developed quite a few new tools, but have not released them yet. The VoIP Security Alliance, www.voipsa.org maintains an extensive list of VoIP security/attack tools. However, most of the available tools are designed for SIP, because it is fairly easy to get a SIP system set up. Very few tools used to attack proprietary signaling protocols were released.
5) Denial of Service (DoS) will continue to be the most significant threat to VoIP systems. Many VoIP systems are very vulnerable to fuzzing and flood based attacks, including simple transport and application layer attacks.
Right. DoS remains the most significant vulnerability in enterprise VoIP deployments. During our assessments, we have always been able to disrupt IP PBX systems, through DoS floods, malformed packets, saturation of limited bandwidth links, etc.
6) You can expect enterprises to start deploying the Session Initiation Protocol (SIP) for handsets as well as connectivity to the public network. The move to SIP will affect security, because there is a long list of SIP attack tools available for use.
Wrong. The adoption rate of SIP in 2007 was slower than expected. Use of SIP for handsets and public trunking did not pick up significantly. Some large enterprises are evaluating use of public SIP trunking, but actual deployments are still uncommon.
7) Even with the move to SIP, proprietary protocols will continue to dominate VoIP for several years. You will start to see new attack tools that target these protocols as well, especially for vendors with wide deployment (Cisco, Avaya, Nortel, Siemens, etc.).
Half-right. Handset protocols using proprietary protocols dominated those using standards-based protocols. However, very few tools were released that could be used to attack these protocols.
8) Social threats such as voice phishing and voice SPAM will start to emerge. They will not be common, but their threat level will grow with the increasing adoption of VoIP. Social engineering attacks could start to become disruptive in late 2007.
Wrong. Neither social threat significantly increased in 2007. There were some additional voice phishing attacks, but not as many as expected. Voice SPAM or SPAM over Internet Telephony (SPIT) did not emerge as an issue.
9) Although vendors will increase their offerings for conversation encryption, it will not be widely employed by enterprises.
Right. Encryption of calls is still very uncommon. During our enterprise VoIP security assessments, we encountered audio encryption in approximately in approximately 10 percent of the deployments.
10) VoIP deployment has the potential to affect traditional networks. Attacks like DoS, SPIT, and toll fraud may “spill” over and affect legacy systems.”
Right. During our assessments, the primary “VoIP” attack we encountered was where the attacker used a non-secure media gateway for toll fraud over traditional networks. VoIP architectures made this attack possible and easier than with traditional, closed networks. Also, while we always find vulnerabilities with VoIP deployments, we rarely encountered actual attacks (other than the one above). However, we always found actual attacks/mis-use of traditional networks, in the areas of poorly secured authorized modems and use of unauthorized modems for dialup ISP access. While VoIP systems are more vulnerable, traditional issues are being exploited more often and the move to VoIP isn’t changing this.
Article About Vulnerabilities on the Snom 320 SIP Phone
Here is an article summarizing vulnerabilities with the Snom 320 SIP phone. A lot of the vulnerabilities have already been disclosed, but this article summarizes them. Note that when we wrote the Hacking Exposed: VoIP book, we also discovered that you could enable a packet capture on the Snom 190 SIP phone and then save/download the resulting packet capture file. I don't know if you can do this on a Snom 320 SIP phone.
http://www.gnucitizen.org/projects/total-surveillance-made-easy-with-voip-phones/
Draft RFC Describing SPIT/Voice SPAM
Here is a draft RFC describing the SPIT/Voice SPAM issue, along with some proposed solutions:
Reflection on 2007/Predictions for 2008 on BlueBoxPodcast
Dan York and Jonathon Zar, of BlueboxPodcast offered up a brief reflection on 2007 and predictions for 2008. Like all their episodes, it is worth a listen:
My Articles/Quotes
- VOIP-Specific Attacks Not an Issue Yet, 3/2008
- Hacking VoIP Exposed - VoIP News, 8/2007
- Seven Tips For VoIP Security Success - BSM, 2/2007
- VOIP: What? Me Worry?, 2/2007
- VoIP Security on Parade: Collier Predictions; ITEXPO Education, 2/2007
- VoIP Security: Cisco Unified CallManager Quiz & Chapter, 2/2007
- RSA '07: VoIP security threatened by default settings, warn experts - Network World, 2/2007
- Residential VoIP Security Tips from voip.com, 2/2007
- SAP INFO, 2/2007
- The Forum for Business IP Telephony - VoiceCon Enews -, 1/2007
- VoIP, IP Telephony - VoIP Risks Take Center Stage in 2007 - CRN, 1/2007
- McGraw-Hill Publishes `Hacking Exposed: VoIP' Book Co-Authored by TippingPoint and SecureLogix Experts, 1/2007
- Dark Reading - Desktop Security - VOIP More Vulnerable - Security News Analysis, 12/2006
- VoIP Loop Book Review, 1/2007
- VoIP Soon to Be a Target for ..., 1/2007
- Book Review: Hacking Exposed VoIP - VARBusiness, 1/2007
- Security Threats Come A-Callin', 8/2006
- Enterprise View: Voice over IP Security, TMCNet, 10/2005
- Skype Security, VoIP Magazine, 2/2006
- The Value of VoIP Security, Recent Repost, Communications Convergence, 2/2006
- VOIPSA Threat Taxonomy Summary, VoIP Magazine, 1/2006
VoIP Security Blogs/Links
- Voice Over Packet Security Forum :: Your single (open) source for NGN/VoIP security issues and solutions (News)
- Dustin D. Trammell
- MADYNES research team Portal
- VoIP security - Network World
- Sipera - VoIP Vulnerabilities: Resources
- VoIP security Special Report at silicon.com
- IP Telephony (VOIP) Security: Threats, Defenses and Countermeasures
- VoIP Security - Voxilla Forum
- Blue Box: The VoIP Security Podcast
- Voice Over IP Security Alliance (VoIPSA)
Tools
- Tools | iSEC Partners
- Software — MADYNES research team Portal
- SIPVicious
- Primeobsession :: For number / security geeks!! - VOIP Sound Board
- xenion HQ - RTP Break
- TacVoIP: Hardcore VoIP Security
- VOIPSA : Resources : VoIP Security Tools
- Hacking Exposed VoIP: Voice over IP Security Secrets and Solutions by David Endler and Mark Collier
Podcasts
Books
Interesting Documents
- Paper on General VoIP Security, x/2007
- VoIP Security Research Paper, x/2007
- SANS Institute - VoIP Security Vulnerabilities, 12/2007
- Draft RFC Defining Session Border Controllers, 12/2007
- Draft RFC For SIP Identity Using Media Path
- Draft RFC for Asserted Identity in SIP
- Draft RFC for Handling Session Keys for SRTP
- eBook from ShoreTel With Chapter on VoIP Security
- SIP Threats
- McAfee's Sage Issue on the Future of Security
Interesting Presentations
- Another Presentation on Nortel Unistim Vulnerabilities, xx/2007
- Presentation on Nortel Unistim Vulnerabilities, xx/2007
- Remote Eavesdropping Using Cisco Phones, xx/2007
- Peer-to-peer SIP Security Presentation, 2/2008
- Voice of VOIPSA » Blog Archive » “Hacking and Attacking VoIP Systems” - Slides from my Astricon 2007 presentation about Asterisk and VoIP security, 1/2008
- 3rd ETSI Security Workshop Agenda, 1/2008
- Voice of VOIPSA » Blog Archive » “Hacking and Attacking VoIP Systems” - Slides from my Astricon 2007 presentation about Asterisk and VoIP security, 1/2008
- Hannes Tschofenig � My Slides from the 3rd ETSI Security Workshop, 1/2008
- Independent Research | iSEC Partners
- RTP Stenography
SPIT/Voice SPAM
- SIP Usage Scenarios Similar to SPIT, 1/2008
- RFC 5039 - The Session Initiation Protocol (SIP) and Spam, 1/2008
- Does UC present new opportunities for spammers? | IT Security | TechRepublic.com, 1/2008
- SPAM and SPIT: what are the dangers? | IT Security | TechRepublic.com, 1/2008
- Draft RFC For SPIT Mitigation (SPIT Score), 12/2007
- Why VoIP is the next target for spammers | Technology | The Guardian, 11/2007
- Voice of VOIPSA » Blog Archive » Now I’ve CAPTCHA’d Your Attention, 7/2007
- Voice of VOIPSA � Blog Archive � IETF group puts forward framework to combat SPIT (VoIP spam) for discussion, 6/2007
- Getting Smart About SPIT - Voxilla, 3/2007
- Voice of VOIPSA � Blog Archive � Combatting Voice SPAM with VoIP SEAL, 3/2007
Phishing
- Your phone may be under attack - MSN Money, 4/2007
- Voice of VOIPSA � Blog Archive � New VoIP Phishing Scheme, 3/2007
- Phishers' Latest Platforms: VoIP, SMS - Technology News by TechWeb, 1/2007
- Phishing attacks now using phone calls - USATODAY.com, 12/2006
- New Bait for Phishing Scams, 11/2006
- Phishing attacks now using phone calls - USATODAY.com, 11/2006
- Phishing Scams – Don't Get Hooked!, 7/2006
- Phishers Hit The Phone Bank With Asterisk, 8/2006
- Something's phishy - Security - Technology - smh.com.au, 10/2006
