August 29, 2007 12:13 PM PDT

Security group voices concerns over VoIP

Security group voices concerns over VoIP
Related Stories

Enterasys aims to secure enterprise VoIP

August 22, 2007

Skype's 'unprecedented' outage

August 20, 2007

Confusion over Skype security threat clears up

December 20, 2006

Cisco squashes VoIP, router bugs

January 18, 2006
Related Blogs

Skype outage linked to 'massive restart'

August 20, 2007

Cisco issues 10 security updates

August 9, 2007
A leading member of the Jericho Forum security group has criticized the security of voice over IP technology after researchers revealed that it was possible to eavesdrop on VoIP conversations.

An eavesdropping vulnerability was revealed on the Full Disclosure mailing list on Wednesday. Vulnerability researchers Humberto Abdelnur, Radu State and Olivier Festor claimed the exploit could allow a remote attacker to turn a VoIP phone into an eavesdropping device, citing a Grandstream SIP phone as an example.

The Jericho Forum is an international group of leading corporate security professionals, academics and vendors, and promotes the development of secure software architectures, among other IT security interests.

Paul Simmonds, a member of Jericho Forum's board of management, said that VoIP is not yet ready for use in businesses. "We don't consider VoIP to be enterprise-ready," Simmonds said. "You can't run VoIP on a corporate network because you can't trust every single device on that network. VoIP as it stands certainly isn't secure. Going forward, everybody should be using inherently secure protocols."

Simmonds said it was not part of Jericho Forum's mission to promote any particular protocol as being more secure. Instead, he insisted that best practices for secure software development should be adhered to. "From a Jericho standpoint, it's not for us to say you must use these protocols or these protocols. You simply shouldn't be sending data over a network insecurely, relying on network security--because it isn't secure," he said.

Simmonds recommended that all data packets in a business network, including VoIP packets, be encrypted.

The researchers who found the Grandstream flaw claim that some SIP stack engines have "serious bugs" which allow an attacker to automatically make a remote phone accept a call without it ringing or without the handset being taken off the hook. "The attacker might be able to listen to all conversations that take place in the remote room without being noticed," the researchers wrote on the Full Disclosure mailing list.

The vulnerability in Grandstream's SIP phone could allow an attacker to send a sequence of two messages, both syntactically correct, which together force the device into an inconsistent state. Once the device is in this state, RTP packets, which are used by most VoIP endpoints, are sent to the attacker. After the messages are sent, the device is not able to hang up, offering attackers the possibility of executing a remote denial-of-service attack, according to the researchers.

Grandstream is aware of the vulnerability in its software, and it will release in late September to address the issue, according to Marianne Rocco, the company's director of marketing. Rocco said that customers who are concerned about the vulnerability should contact Grandstream's support department for a copy of the beta firmware version, which has been tested against the vulnerability. Rocco said there are still ways to detect the vulnerability if the customer does not download the beta firmware. She argued that the phone will ring when the attack starts, and that the call information window will indicate that a call is going on. Grandstream customers are at risk of attack if they don't follow these steps, Rocco said.

Tom Espiner reported for ZDNet UK in London.

See more CNET content tagged:
VoIP, attacker, corporate security, vulnerability, researcher


Join the conversation!
Add your comment
I think its a security Issues not a VoIp Issue.
I understand networks can be hacked. In that case VOIP is as vulnerable as banks and Investment firms, even Social Security administration..

However, Most VoIP devices like Grandstream are behind a NAT...and not on Public IP..

In a Enterprise environment, unless someone from inside is paying foul, you should never see this problem. If someone from public internet has hacked into your Grandstream that is a Security breach not a VoIP problem
Posted by ujjvalkoul (1 comment )
Reply Link Flag
VoIP Security? How about your old phone system?
It is rather entertaining to hear all of the discussion related to VoIP security over the past decade. Indeed, there are security risks, but the traditional phone network is also vulnerable. When VoIP first started to become widely known, people talked about how easy it was to listen to others' conversations using software to collect packets from the network. Indeed, it is possible. I can also listen to the conversation at your house using a $2 phone and a pair of alligator clips.

Historically, people thought that caller ID was definite proof of identity, but people are now learning that anybody with access to the telephone network can forge that information very easily-- there are no checks anywhere. Perhaps the biggest surprise to many is that fax is insecure. Some people actually believe that a signature on a fax page is positive proof that a person signed the document. Even a child can cut the signature from one page, paste it on another, and fax it to make it appear like the person signed the document.

There are truly very few "secure" systems, VoIP or otherwise.
Posted by paulej (1261 comments )
Reply Link Flag
Up to now, with the company's famous commitment to customer
privacy, I had assumed that my AT&T VoIP service was
impenetrably secure.
Posted by nicmart (1829 comments )
Reply Link Flag
What stupidity!
This is ridiculous! In fact, it's absurd.

They start from the presumption that your traditional phone lines/PBX are secure...when they're not. That's how the current administration got the whole warrantless wiretapping business rolling. Complicity from Telcos.

If voip on your network is insecure then your entire network is likely insecure. It's not a voip issue at all.

There are ample means of securing voip. Zphone & SRTP come to mind just for starters. VPN technology is also a good approach. VOIP can be dramatically more secure than your old PBX, if you make the effort.

Posted by mjgraves (2 comments )
Reply Link Flag
It's not a new concern
It's always been an old concern and this only goes to prove it.

Regardless of how much potential many claim VoIP to hold... it also holds the potential for malacious use!

That said... until VoIP can be proven MORE reliable than our current telephony system... it should not be considered as a possible replacement!

It's new technology... new technology usually experiences the majority of security weaknesses.

That said, even attempting to replace a vital communications medium such as our current telephony system with a digital system is bizzare to say the least.

When power goes out... digital phones CANNOT be used... conventional Alexender Graham Bell invented phones however do seem to work.

Thus until such time as a BETTER replacement comes out... investors shouldn't be dubbed by false advertisement!

Bottom line: Digital telephony is before it's time! It's still in Alpha stage... not ready to replace the current Bell Telephone system by a long run. As such, those purporting otherwise should be held accountable for their false claims!!!

Posted by wbenton (522 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.