An eavesdropping vulnerability was revealed on the Full Disclosure mailing list on Wednesday. Vulnerability researchers Humberto Abdelnur, Radu State and Olivier Festor claimed the exploit could allow a remote attacker to turn a VoIP phone into an eavesdropping device, citing a Grandstream SIP phone as an example.
The Jericho Forum is an international group of leading corporate security professionals, academics and vendors, and promotes the development of secure software architectures, among other IT security interests.
Paul Simmonds, a member of Jericho Forum's board of management, said that VoIP is not yet ready for use in businesses. "We don't consider VoIP to be enterprise-ready," Simmonds said. "You can't run VoIP on a corporate network because you can't trust every single device on that network. VoIP as it stands certainly isn't secure. Going forward, everybody should be using inherently secure protocols."
Simmonds said it was not part of Jericho Forum's mission to promote any particular protocol as being more secure. Instead, he insisted that best practices for secure software development should be adhered to. "From a Jericho standpoint, it's not for us to say you must use these protocols or these protocols. You simply shouldn't be sending data over a network insecurely, relying on network security--because it isn't secure," he said.
Simmonds recommended that all data packets in a business network, including VoIP packets, be encrypted.
The researchers who found the Grandstream flaw claim that some SIP stack engines have "serious bugs" which allow an attacker to automatically make a remote phone accept a call without it ringing or without the handset being taken off the hook. "The attacker might be able to listen to all conversations that take place in the remote room without being noticed," the researchers wrote on the Full Disclosure mailing list.
The vulnerability in Grandstream's SIP phone could allow an attacker to send a sequence of two messages, both syntactically correct, which together force the device into an inconsistent state. Once the device is in this state, RTP packets, which are used by most VoIP endpoints, are sent to the attacker. After the messages are sent, the device is not able to hang up, offering attackers the possibility of executing a remote denial-of-service attack, according to the researchers.
Grandstream is aware of the vulnerability in its software, and it will release in late September to address the issue, according to Marianne Rocco, the company's director of marketing. Rocco said that customers who are concerned about the vulnerability should contact Grandstream's support department for a copy of the beta firmware version, which has been tested against the vulnerability. Rocco said there are still ways to detect the vulnerability if the customer does not download the beta firmware. She argued that the phone will ring when the attack starts, and that the call information window will indicate that a call is going on. Grandstream customers are at risk of attack if they don't follow these steps, Rocco said.
Tom Espiner reported for ZDNet UK in London.