[ISN] VoIP phones officially buggable

From: InfoSec News (alerts@private)
Date: Tue Aug 28 2007 - 22:12:48 PDT


http://www.theinquirer.net/default.aspx?article=41964

By Egan Orion
28 August 2007

IT'S REPORTED that Session Initiation Protocol (SIP) devices can be 
vulnerable to eavesdropping.

SIP is used by Voice over IP (VoIP) software and hardware to provide 
digital phone service directly over the Internet, thus bypassing the 
telcos' analog switched networks and related long-distance charges. 
Skype is a VoIP service that uses SIP, for one example, and many ISPs 
and third parties offer VoIP.

Telephones have long been used for eavesdropping, likely since the time 
of Alexander Graham Bell. There were very few secrets in most small 
towns, back when the telephone exchanges used wired plug-boards to 
connect parties and telephone operators could listen in to phone 
conversations at will. As telephone infrastructures were slowly built 
out, many subscribers had "party lines" that were shared among several 
households and let the nosey people listen in to their neighbors' phone 
calls.

While eavesdropping is quite impolite, when it's done for adversarial 
purposes, it's called covert listening or, more simply, bugging. (A page 
about bugging techniques is here.)

Late last year it surfaced that the FBI has used cellphones as "roving 
bugs", listening to conversations even when the targeted cellphones were 
turned off.

Now a post on the "full-disclosure" list has revealed that SIP devices 
can be similarly vulnerable to covert listening. The Australian IT 
security firm Snnet Beskerming has written a commentary about the 
implications. It writes:

"The research that was published indicates that, for at least one 
vendor, it is possible to automatically call a SIP device from that 
vendor and have it silently accept the call, even if it is still on the 
hook - instantly turning it into a classic bugged phone. Whereas 
historic telephony bugs needed physical targeting of the line running to 
a property or place of business, the presence of VoIP in the equation 
allows bugging from anywhere in the world with equal ability. Now anyone 
can do from their armchair what only spies and law enforcement used to 
be able to do from inside the telephone switch / pit / distribution 
board, though it's still illegal to do so."

It notes that the act of bugging a SIP device also operates as a Denial 
of Service attack.

Although an exploit has been publicly reported against only one vendor's 
SIP implementation, other vendors' software stacks might also be 
vulnerable. Separate similar exploits that targeted Cisco SIP handsets 
with a Denial of Service attack and a buffer overflow attack against 
software from eCentrex have recently been publicly released, too.

So if you happen to use SIP-enabled VoIP services, beware.

L'INQ Snnet Beskerming 
http://www.beskerming.com/commentary/2007/08/24/259/Listen_to_SIP_Phones_Even_When_They_are_on_the_Hook

