[ISN] Jericho Forum voices concerns over VoIP security

From: InfoSec News (alerts@private)
Date: Wed Aug 29 2007 - 23:19:11 PDT


http://news.zdnet.co.uk/security/0,1000000189,39288928,00.htm

By Tom Espiner 
ZDNet UK
29 Aug 2007

A leading member of the Jericho Forum has criticised the security of 
voice-over-IP technology after security researchers revealed that it was 
possible to eavesdrop on VoIP conversations.

An eavesdropping vulnerability was revealed on the popular Full 
Disclosure mailing list on Wednesday. Vulnerability researchers Humberto 
Abdelnur, Radu State and Olivier Festor claimed the exploit could allow 
a remote attacker to turn a VoIP phone into an eavesdropping device, 
citing a Grandstream SIP phone as an example.

The Jericho Forum is an international group of leading corporate 
security professionals, academics and vendors, and promotes the 
development of secure software architectures, among other IT security 
interests.

Paul Simmonds, a member of Jericho Forum's board of management, said 
that VoIP is not yet ready for use in businesses. "We don't consider 
VoIP to be enterprise-ready," Simmonds told ZDNet.co.uk. "You can't run 
VoIP on a corporate network because you can't trust every single device 
on that network. VoIP as it stands certainly isn't secure. Going 
forward, everybody should be using inherently secure protocols."

Simmonds said it was not part of Jericho Forum's mission to promote any 
particular protocol as being more secure. Instead he insisted that best 
practices for secure software development should be adhered to. "From a 
Jericho standpoint, it's not for us to say you must use these protocols 
or these protocols. You simply shouldn't be sending data over a network 
insecurely, relying on network security — because it isn't secure," he 
said.

Simmonds recommended that all data packets in a business network, 
including VoIP packets, be encrypted.

The researchers who found the Grandstream flaw claim that some SIP stack 
engines have "serious bugs" which allow an attacker to automatically 
make a remote phone accept a call without it ringing or without the 
handset being taken off the hook. "The attacker might be able to listen 
to all conversations that take place in the remote room, without being 
noticed," wrote the researchers on the Full Disclosure mailing list.

The vulnerability in Grandstream's SIP phone could allow an attacker to 
send a sequence of two messages, both syntactically correct, which 
together force the device into an inconsistent state. Once the device is 
in this state, RTP packets, which are used by most VoIP endpoints, are 
sent to the attacker. After the messages are sent, the device is not 
able to hang up, offering attackers the possibility of executing a 
remote denial-of-service attack, according to the researchers.

Grandstream is aware of the vulnerability in its software, and it will 
release firmware in late September to address the issue, according to 
Marianne Rocco, the company's director of marketing. Rocco said that 
customers who are concerned about the vulnerability should contact 
Grandstream's support department for a copy of the beta firmware 
version, which has been tested against the vulnerability. Rocco said 
there are still ways to detect the vulnerability if the customer does 
not download the beta firmware. She argued that the phone will ring when 
the attack starts, and that the call information window will indicate 
that a call is going on. Grandstream customers are at risk of attack if 
they don't follow these steps, Rocco said.


