Information Security News: VoIP vulnerabilities increasing, but not exploits

[InfoSec News <alerts () infosecnews org>]

http://www.networkworld.com/news/2007/121707-crystal-ball-voip-vulnerabilities.html

By Tim Greene
Network World
12/17/07

The threats against VoIP are numerous and seem to be growing, but in 
2008 the technology probably won't suffer crippling attacks.

The potential danger is very real. VoIP is susceptible to the many 
exploits that networks generally are heir to -- denial of service, 
buffer overflows and more. VoIP PBXs are servers on corporate networks 
and are only as secure as the networks themselves.

In addition, there are many voice-specific attacks and threats. These 
have been chronicled by researchers and vendors intending to alert users 
and suggest ways to guard against them.

For instance, two protocols widely used in VoIP -- H.323 and Inter 
Asterisk eXchange -- have been shown to be vulnerable to sniffing during 
authentication, which can reveal passwords that later can be used to 
compromise the voice network. Implementations of Session Initiation 
Protocol (SIP), an alternative VoIP protocol, can leave VoIP networks 
open to unauthorized transport of data.

In addition, tools that can help find vulnerable deployments have been 
published online by a VoIPSA, an industry group dedicated to securing 
VoIP. The VoIPSA tools are intended to help businesses test and secure 
their networks, but these and other online tools can be used to probe 
for weaknesses as well.

Still, there have been few exploits so far and none that have been 
widespread or crippling to businesses. "We are not hearing about 
attacks. We dont think they are happening," says Lawrence Orans, an 
analyst with Gartner.

Part of the reason may be that the largest VoIP vendors use proprietary 
protocols, such as Cisco's Skinny, Nortel's Unistim and Avaya's variant 
of H.323, Orans says. That makes them difficult to obtain and study for 
potential security cracks. "These systems are not readily available to 
the bad guys," he says.

SIP, which is gaining popularity, is a mixed bag, Orans says, because it 
is readily available to those who might want to exploit it. "I would say 
that SIP is a good-news, bad-news story. It's easy to get your hands on, 
and that includes the bad guys. The good news is there are more options 
to protect SIP," he says. These options include firewalls and 
intrusion-prevention systems that support SIP (compare products).

Another reason for the lack of broad exploits is that there isnt enough 
ROI for attackers' development time. Attackers' motivation may improve, 
however, as VoIP increases in popularity, something it is doing 
relentlessly.

Hybrid PBX systems -- which handle both VoIP and TDM voice -- account 
for 64% of all PBX lines sold, according to a December 2007 Infonetics 
report. Pure IP systems (compare products) account for another 18%.

Meanwhile, not everybody agrees with the assessment that VoIP will not 
suffer a major hit in 2008. "VoIP is, in essence, a time bomb, poised 
for a massive exploit," says Paul Simmonds, a member of the management 
board of the Jericho Forum, a user group promoting new principles for 
secure networking.

All contents copyright 1995-2007 Network World, Inc.


__________________________________________________________________      
Visit InfoSec News
http://www.infosecnews.org/