Nortel has announced a new voice security blog. Since we are a Nortel voice security partner, we will be contributing quite a bit. There are just a couple of entries now, but you will want to save this link:
Here is a "theoretical" attack in which, by exploiting a softphone vulnerability, an attacker can create a DoS condition or gain access to the PC running the softphone. I don't believe an exploit has been released or used in the real world.
"Spot me if you can: Uncovering spoken phrases in encrypted VoIP" was given by Charles Wright of Johns Hopkins. Charles began by stating that VoIP offers comparable quality and better security than typical land lines, although it may be possible to deduce some information from encrypted traffic by sampling certain characteristics. If the attacker's goal is to recover information about the word content of a VoIP stream, then there are considerable challenges that must be surmounted; most notable are the large potential vocabulary and the natural variability of human speech. Charles proceeded with the claim that despite these challenges, such information can be deduced because the efficient variable bitrate encoding used by VoIP encodes different phonemes at distinct bitrates, and encryption does not hide packet sizes. He then showed how a hidden Markov model can be used to recover spoken word content at recall rates of approximately 50% for reasonable precision rates. He concluded by pointing out that VoIP packets can be padded with null content to thwart such an attack.
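To make the leak and the padding defence concrete, here is a small added example (my own illustration, not code from the talk or the paper). It uses a constructed toy codec whose frame size depends on the phoneme class, measures how much the per-packet size sequence reveals about that class using mutual information, and then applies the padding countermeasure from the talk. The frame sizes and phoneme sequence are made up; the RTP header and SRTP authentication tag sizes are the standard ones and are only there to show that encryption overhead is constant and so preserves the size differences.

```python
import math
from collections import Counter

# Constructed toy VBR codec: one payload size (bytes) per phoneme class.
# Real VBR codecs behave this way in spirit; these numbers are invented.
FRAME_SIZE = {"silence": 6, "unvoiced": 20, "voiced": 38}
MAX_FRAME = max(FRAME_SIZE.values())

RTP_HEADER = 12   # fixed RTP header, bytes
SRTP_TAG = 10     # default 80-bit SRTP authentication tag, bytes


def encode_vbr(phonemes):
    """Encode a phoneme-class sequence as a list of payload sizes."""
    return [FRAME_SIZE[p] for p in phonemes]


def pad_to_cbr(sizes, target=MAX_FRAME):
    """The defence from the talk: pad every payload up to one fixed size."""
    return [max(s, target) for s in sizes]


def on_the_wire(payload_sizes):
    """SRTP encrypts the payload in place and adds a constant-size tag, so the
    observable packet length is payload + constant overhead."""
    return [s + RTP_HEADER + SRTP_TAG for s in payload_sizes]


def mutual_information(xs, ys):
    """I(X;Y) in bits estimated from paired samples.
    0 means the observed lengths (Y) reveal nothing about the classes (X)."""
    n = len(xs)
    px, py, pxy = Counter(xs), Counter(ys), Counter(zip(xs, ys))
    return sum(
        (c / n) * math.log2((c / n) / ((px[x] / n) * (py[y] / n)))
        for (x, y), c in pxy.items()
    )


# Constructed phoneme-class sequence standing in for a short utterance.
SAMPLE_PHONEMES = (
    ["silence"] * 4 + ["unvoiced"] * 3 + ["voiced"] * 5
)


def leakage_before_and_after(phonemes=SAMPLE_PHONEMES):
    """Return (bits leaked by the raw VBR stream, bits leaked after padding)."""
    raw = on_the_wire(encode_vbr(phonemes))
    padded = on_the_wire(pad_to_cbr(encode_vbr(phonemes)))
    return mutual_information(phonemes, raw), mutual_information(phonemes, padded)


if __name__ == "__main__":
    before, after = leakage_before_and_after()
    print(f"leak with VBR sizes: {before:.3f} bits/packet")
    print(f"leak after padding: {after:.3f} bits/packet")
```

With the toy codec every class maps to a distinct size, so the raw stream leaks the full entropy of the class distribution; after padding every packet is the same length and the mutual information drops to zero, which is exactly why constant-size padding (at the cost of bandwidth) defeats this class of attack.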
Over the past 10 years, SecureLogix has conducted many voice security assessments for enterprise customers. Our products also continuously monitor enterprise customers' voice networks for attack. Our voice security assessments include two parts. First, we instrument the TDM or VoIP trunks connecting one or more enterprise sites to the public network. We monitor all the voice traffic into and out of the site(s) and identify any security issues. For customers with VoIP, we can include a VoIP security vulnerability assessment/penetration test, in which we access the internal network and test the IP PBX, network, and VoIP phones for vulnerabilities.
Interestingly, while we always find vulnerabilities on VoIP systems, we have only seen one real world attack, and that attack involved good-old-fashioned toll fraud. However, we always find voice application security issues. These security issues are present whether the enterprise is using VoIP or not. Some of the issues we find include:
-Unauthorized modems used to access the Internet – most users know that if they access inappropriate sites on the Internet through the primary connection, the access will be detected, logged, and possibly blocked. Some users bypass this security by connecting an analog phone line to a modem in their PC/laptop and dialing their Internet Service Provider (ISP). While this isn't a fast connection, it is fine for checking personal mail, checking stocks, looking at sports sites, etc. We have seen as many as 100 simultaneous unauthorized modem connections at large sites. These connections are unmonitored and can allow the user to accidentally download malware or leak confidential information. Plus, the connection is not protected by a network firewall, so an attacker who finds the user's IP address can hack in, attack the PC/laptop, and/or jump off onto other systems.
-Poorly secured authorized modems – many critical infrastructure systems, including PBXs and other equipment, use modems for remote access. These modems can be easily found by simple “war dialing” of numbers at an enterprise site. Many of these modems are poorly protected and once found, can be exploited. These attacks can be very serious, because the systems connected to the modems are often critical.
-Toll fraud – while VoIP has made some long distance calling a lot cheaper, some long distance calls, especially international calls, can still be expensive. Toll fraud is still a serious issue for the enterprise. It can range from a few international calls made over fax lines to a hacked Direct Inward System Access (DISA) or VoIP interface, where the attacker sells numbers/access and can rack up $100,000s of charges in a short amount of time.
-Harassing calls – this includes a variety of irritating and even dangerous calls and call patterns, including fax SPAM, harassment of executives, bomb threats, and other attacks.
-Social engineering – includes calling into enterprises and call centers looking for inexperienced users who give out confidential information.
So while VoIP vulnerabilities get a lot of the hype, don't forget about basic voice application security issues. They are virtually always present at enterprise sites, whether VoIP is used or not. For more information on these and other issues, see SecureLogix's web page at www.securelogix.com.
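Several of the issues above (unauthorized modems, war dialing against authorized modems, and toll fraud) show up in ordinary call detail records if someone looks. The following is an added example of the kind of detection logic a defender can run over CDR exports; it is my own illustration, not SecureLogix code or any product's format. It assumes a CSV export with a per-call media classification (voice/fax/modem) supplied by some upstream call-type detector, an inventory of authorized modem extensions, and a home-country dialing prefix; the sample records are constructed.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample CDR export. Assumed columns: ISO timestamp, direction,
# local extension, remote number (E.164), media type from an assumed
# call-type classifier, and duration in seconds.
SAMPLE_CDR = """\
ts,direction,ext,remote,media,duration
2009-05-04T09:02:11,out,4411,+14105551212,voice,312
2009-05-04T09:15:40,out,4418,+18005550199,modem,5400
2009-05-04T10:01:03,in,4490,+12025550123,modem,45
2009-05-04T10:01:20,in,4491,+12025550123,modem,38
2009-05-04T10:01:39,in,4492,+12025550123,modem,41
2009-05-04T10:01:58,in,4493,+12025550123,modem,44
2009-05-04T10:02:17,in,4494,+12025550123,modem,40
2009-05-04T10:02:36,in,4495,+12025550123,modem,39
2009-05-04T10:02:55,in,4496,+12025550123,modem,42
2009-05-04T10:03:14,in,4497,+12025550123,modem,37
2009-05-04T10:03:33,in,4498,+12025550123,modem,40
2009-05-04T10:03:52,in,4499,+12025550123,modem,43
2009-05-05T02:10:05,out,4450,+2348050000001,voice,1800
2009-05-05T02:45:22,out,4450,+2348050000002,voice,2100
2009-05-05T03:20:41,out,4450,+2348050000003,voice,1950
2009-05-05T03:58:10,out,4450,+2348050000004,voice,2000
2009-05-05T11:30:00,out,4460,+442075550100,voice,600
"""

AUTHORIZED_MODEM_EXTS = {"4490"}   # assumed inventory of approved modems
HOME_COUNTRY_PREFIX = "+1"         # assumed: calls not starting with this are international


def parse_cdr(text):
    """Parse the CSV export into dicts with typed timestamp and duration."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        r["ts"] = datetime.fromisoformat(r["ts"])
        r["duration"] = int(r["duration"])
        rows.append(r)
    return rows


def find_unauthorized_modems(rows):
    """Outbound modem calls from extensions not in the approved inventory."""
    return sorted({
        r["ext"] for r in rows
        if r["direction"] == "out" and r["media"] == "modem"
        and r["ext"] not in AUTHORIZED_MODEM_EXTS
    })


def find_war_dialing(rows, min_targets=8, window_min=10, max_dur=120):
    """One inbound caller reaching many distinct extensions with short
    calls inside a sliding time window: the signature of a number sweep."""
    by_caller = defaultdict(list)
    for r in rows:
        if r["direction"] == "in" and r["duration"] <= max_dur:
            by_caller[r["remote"]].append(r)
    hits = []
    for caller, calls in by_caller.items():
        calls.sort(key=lambda c: c["ts"])
        for i, first in enumerate(calls):
            window = [c for c in calls[i:]
                      if (c["ts"] - first["ts"]).total_seconds() <= window_min * 60]
            if len({c["ext"] for c in window}) >= min_targets:
                hits.append(caller)
                break
    return sorted(hits)


def find_toll_fraud(rows, max_after_hours_sec=3600):
    """Extensions whose after-hours (outside 07:00-19:00) outbound
    international talk time exceeds a threshold."""
    total = defaultdict(int)
    for r in rows:
        international = not r["remote"].startswith(HOME_COUNTRY_PREFIX)
        after_hours = not (7 <= r["ts"].hour < 19)
        if r["direction"] == "out" and international and after_hours:
            total[r["ext"]] += r["duration"]
    return sorted(ext for ext, secs in total.items() if secs > max_after_hours_sec)


def report(text=SAMPLE_CDR):
    rows = parse_cdr(text)
    return {
        "unauthorized_modems": find_unauthorized_modems(rows),
        "war_dialing_sources": find_war_dialing(rows),
        "toll_fraud_extensions": find_toll_fraud(rows),
    }


if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k}: {v}")
```

The thresholds are deliberately simple and would be tuned per site; the point is that each of the three findings above corresponds to a pattern that is visible in trunk-level call records regardless of whether the PBX is TDM or VoIP.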
Version 2.3 of SIPVicious is now available. The new version includes enhanced fingerprinting support for svmap, the ability to add signatures and share them with others in the VoIP hacking community, and, last but not least, the ability to use the svmap tool to perform DNS SRV checks, which looks like it will be fun.
I attended the annual International Nortel Networks Users Association Global Connect conference last week in Dallas, Texas. The conference seemed very well attended, and I overheard a couple of times that this was the largest Global Connect conference ever. I was there to network, attend some sessions, speak in some sessions, and of course, spend time in the dreaded booth...
Nortel led several presentations on security. I attended all of them and participated in two. Nortel has some very general data security technology/solutions and continues to enhance the security of their voice systems. The Nortel folks did a great job of presenting current voice security issues and covering various solutions that they have available.
One of the sessions I participated in was "Confessions of VoIP Hackers". I provided an introduction to the current threat landscape and the Nortel folks followed up with various solutions they have to address the issues. They also did a slick demo of a MITM attack used to listen in on a call. I would put the presentation up here, but it is too big for the site.
I also participated in a "Meet the Experts" panel on VoIP security. We didn't use presentations, but rather just answered questions. I didn't detect any real "thread" through the questions. There was a lot of discussion about signaling/audio encryption. No one there said they were currently using encryption. Issues like key management and impact to third party management systems were cited as the key issues hindering deployment.
The article below has an interesting take on VoIP security. The article refers to a survey conducted by ACUTA, which is an organization consisting of colleges and universities. Last year, this survey cited VoIP security as its "biggest worry". This year, VoIP security was cited as a much smaller issue. The survey states that this is because economic worries now far outpace security issues. Why worry about security if you can't even pay for the VoIP system? This is a pretty alarming trend. While VoIP systems are in some cases becoming more secure, as more deployments occur, the threat of attack will increase. It will be unfortunate if enterprises can't afford to address security.
I will also be attending the Nortel Users Conference (INNUA) in Dallas, Texas. I am participating in a couple of the sessions involving voice and VoIP security. Here is a link to the conference if anyone would like more information.
I just attended the Hacker Halted USA conference held in Myrtle Beach, SC. As you could guess, I spoke on VoIP security. About 100 folks attended. I used the same presentation as Interop. I am including a copy here in case anyone wants to check it out: