IT security group concerned over VoIP safety

Published 30 August 2007

Leading member of Jericho Forum criticizes the security of VoIP technology after researchers reveal that it was possible to eavesdrop on VoIP conversations

More and more companies and individuals have moved from traditional telephony to VoIP-based communication. They may be saving money, but at the same time they are increasing their vulnerability to hacking. In evidence: An eavesdropping vulnerability was revealed on the Full Disclosure mailing list on Wednesday. Vulnerability researchers Humberto Abdelnur, Radu State, and Olivier Festor reported that the exploit could allow a remote attacker to turn a VoIP phone into an eavesdropping device, citing a Grandstream SIP phone as an example.

VoIP’s vulnerabilitydoes not come as a surprise to insiders. We wrote last week about the Jericho Forum, an international group of leading corporate security professionals, academics, and vendors aiming to promote the development of secure software architectures, among other IT security interests. Paul Simmonds, a member of Jericho Forum’s board of management, said that VoIP is not yet ready for use in businesses. “We don’t consider VoIP to be enterprise-ready,” Simmonds said. “You can’t run VoIP on a corporate network because you can’t trust every single device on that network. VoIP as it stands certainly isn’t secure. Going forward, everybody should be using inherently secure protocols.”

C|Net News’s Tom Espiner quotes Simmonds to say that it was not part of Jericho Forum’s mission to promote any particular protocol as being more secure. Instead, he insisted that best practices for secure software development should be adhered to. “From a Jericho standpoint, it’s not for us to say you must use these protocols or these protocols. You simply shouldn’t be sending data over a network insecurely, relying on network security — because it isn’t secure,” he said. Simmonds recommended that all data packets in a business network, including VoIP packets, be encrypted.

The researchers who found the Grandstream flaw said that some SIP stack engines have “serious bugs” which allow an attacker automatically to make a remote phone accept a call without it ringing or without the handset being taken off the hook. “The attacker might be able to listen to all conversations that take place in the remote room without being noticed,” the researchers wrote on the Full Disclosure mailing list. The vulnerability in Grandstream’s SIP phone could allow an attacker to send a sequence of two messages, both syntactically correct, which together force the device into an inconsistent state. Once the device is in this state, RTP packets, which are used by most VoIP endpoints, are sent to the attacker. After the messages are sent, the device is not able to hang up, offering attackers the possibility of executing a remote denial-of-service attack, according to the researchers.

Brookline, Massachusetts-based Grandstream said it was aware of the vulnerability in its software, and it will release a patch in late September to address the issue, according to Marianne Rocco, the company’s director of marketing. Rocco said that customers who are concerned about the vulnerability should contact Grandstream’s support department for a copy of the beta firmware version, which has been tested against the vulnerability. Rocco said there are still ways to detect the vulnerability if the customer does not download the beta firmware. She argued that the phone will ring when the attack starts, and that the call information window will indicate that a call is going on. Grandstream customers are at risk of attack if they don’t follow these steps, Rocco said.