August 2, 2006 9:22 PM PDT
New tools test VoIP security
- Related Stories
Black Hat: Privacy risk in e-PassportsAugust 8, 2006
Study: Net telephony quality worseningJuly 24, 2006
Microsoft takes on Cisco with Nortel allianceJuly 18, 2006
Skype protocol cracked?July 14, 2006
Phishers come calling on VoIPJuly 10, 2006
Cisco adopts IP telephony standardMarch 6, 2006
Commentary: Checking in on VoIPAugust 25, 2003
Researchers at the Black Hat security conference here released the tools on Wednesday. The programs are meant to test the security of increasingly popular voice over Internet Protocol telephony systems, Dave Endler, director of security research at TippingPoint, said in an interview. TippingPoint is part of 3Com, which sells VoIP products.
Each of the tools can be used to launch VoIP system attacks, such as overloading phones or VoIP exchanges with ambiguous traffic, flooding phones with calls, forcing hang-ups, rebooting phones, and reassigning the devices to other users or nobody at all, Endler said.
"If you want all the CEO's calls to show up at your desk, that's what you would use," he said. Enterprises look at VoIP systems because of their rich features, promise of lower costs, and use of the same infrastructure as computer networks.
The tools were designed to help administrators determine the vulnerability of their telephony systems, Endler said.
"Obviously, releasing any security tools is a double-edged sword in that you can't restrict who has access," he said.
All of the tools target systems that use the Session Initiation Protocol, or SIP. While SIP is increasingly used in VoIP systems, it isn't widely used yet, Endler said. Instead, products from vendors such as Cisco Systems, Avaya and Nortel Networks all use proprietary protocols.
"The majority of VoIP systems out there are not SIP enabled," Endler said. "Most of them are pushing forward with SIP adoption." Endler and co-presenter Mark Collier of SecureLogix hope their work will help VoIP systems be more secure when SIP makes it into the major leagues, Endler said.
"VoIP security is still in its infancy," he said.
The release of the tools will have little effect on VoIP users today, agreed Dan York, director of IP technology at VoIP vendor Mitel. "But we're all moving to SIP," he said. The new protocol is in demand because industrywide adoption would mean phones from one vendor would work with a VoIP exchange from another, which isn't true today.
York said the tools serve a purpose. "SIP is coming into play and they give us the tools to test the systems and make them more secure," he said.
2 commentsJoin the conversation! Add your comment