Jericho Forum voices concerns over VoIP security

Jericho Forum voices concerns over VoIP security

Summary: Following the disclosure of an eavesdropping vulnerability, the security group says VoIP tech is not ready for business deployment

SHARE:
TOPICS: Security
1

A leading member of the Jericho Forum has criticised the security of voice-over-IP technology after security researchers revealed that it was possible to eavesdrop on VoIP conversations.

An eavesdropping vulnerability was revealed on the popular Full Disclosure mailing list on Wednesday. Vulnerability researchers Humberto Abdelnur, Radu State and Olivier Festor claimed the exploit could allow a remote attacker to turn a VoIP phone into an eavesdropping device, citing a Grandstream SIP phone as an example.

The Jericho Forum is an international group of leading corporate security professionals, academics and vendors, and promotes the development of secure software architectures, among other IT security interests.

Paul Simmonds, a member of Jericho Forum's board of management, said that VoIP is not yet ready for use in businesses. "We don't consider VoIP to be enterprise-ready," Simmonds told ZDNet.co.uk. "You can't run VoIP on a corporate network because you can't trust every single device on that network. VoIP as it stands certainly isn't secure. Going forward, everybody should be using inherently secure protocols."

Simmonds said it was not part of Jericho Forum's mission to promote any particular protocol as being more secure. Instead he insisted that best practices for secure software development should be adhered to. "From a Jericho standpoint, it's not for us to say you must use these protocols or these protocols. You simply shouldn't be sending data over a network insecurely, relying on network security — because it isn't secure," he said.

Simmonds recommended that all data packets in a business network, including VoIP packets, be encrypted.

The researchers who found the Grandstream flaw claim that some SIP stack engines have "serious bugs" which allow an attacker to automatically make a remote phone accept a call without it ringing or without the handset being taken off the hook. "The attacker might be able to listen to all conversations that take place in the remote room, without being noticed," wrote the researchers on the Full Disclosure mailing list.

The vulnerability in Grandstream's SIP phone could allow an attacker to send a sequence of two messages, both syntactically correct, which together force the device into an inconsistent state. Once the device is in this state, RTP packets, which are used by most VoIP endpoints, are sent to the attacker. After the messages are sent, the device is not able to hang up, offering attackers the possibility of executing a remote denial-of-service attack, according to the researchers.

Read this

Feature

Tutorial: Creating a secure and reliable VoIP solution

Increasingly widespread, it is important to be aware of measures which can increase VoIP's security and reliability...

Read more

Grandstream is aware of the vulnerability in its software, and it will release firmware in late September to address the issue, according to Marianne Rocco, the company's director of marketing. Rocco said that customers who are concerned about the vulnerability should contact Grandstream's support department for a copy of the beta firmware version, which has been tested against the vulnerability. Rocco said there are still ways to detect the vulnerability if the customer does not download the beta firmware. She argued that the phone will ring when the attack starts, and that the call information window will indicate that a call is going on. Grandstream customers are at risk of attack if they don't follow these steps, Rocco said.

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

1 comment
Log in or register to join the discussion
  • VoIP security is a problem, but can be guarded against

    Whilst I fully commend the comments of the Jericho forum, VoIP security and issues such as the Grandstream one can be guarded against. Right now the majority of VoIP implementions are within the Corporate boundaries.

    Where communications exit the boundary towards the service providers networks, we can use conventional security technologies such as IPSec VPNs or SSL/TLS connections and sRTP to ensure communications and devices are secured.

    Even where hosted PBXs [for example] are used, existing mechanism hightlighted above provide the same levels of security to VoIP traffic as any other traffic. Further more technologies such as IPSec VPNs are available in SOHO/SME priced devices such as the Draytek Vigor Routers. Its even available for free with Open Source SIP proxies such as OpenSER support TLS for carrying the SIP messages securely.

    There is no excuse for not using existing techniques to secure your VoIP implemenation.

    Neill Wilkinson
    AeonVista Ltd
    neill.wilkinson@...