A leading member of the Jericho Forum security group has criticized the security of voice over IP technology after researchers revealed that it was possible to eavesdrop on VoIP conversations.
An eavesdropping vulnerability was revealed on the Full Disclosure mailing list on Wednesday. Vulnerability researchers Humberto Abdelnur, Radu State and Olivier Festor claimed the exploit could allow a remote attacker to turn a VoIP phone into an eavesdropping device, citing a Grandstream SIP phone as an example.
The Jericho Forum is an international group of leading corporate security professionals, academics and vendors, and promotes the development of secure software architectures, among other IT security interests.
Paul Simmonds, a member of Jericho Forum's board of management, said that VoIP is not yet ready for use in businesses. "We don't consider VoIP to be enterprise-ready," Simmonds said. "You can't run VoIP on a corporate network because you can't trust every single device on that network. VoIP as it stands certainly isn't secure. Going forward, everybody should be using inherently secure protocols."
Simmonds said it was not part of Jericho Forum's mission to promote any particular protocol as being more secure. Instead, he insisted that best practices for secure software development should be adhered to. "From a Jericho standpoint, it's not for us to say you must use these protocols or these protocols. You simply shouldn't be sending data over a network insecurely, relying on network security--because it isn't secure," he said.
Simmonds recommended that all data packets in a business network, including VoIP packets, be encrypted.
The researchers who found the Grandstream flaw claim that some SIP stack engines have "serious bugs" which allow an attacker to automatically make a remote phone accept a call without it ringing or without the handset being taken off the hook. "The attacker might be able to listen to all conversations that take place in the remote room without being noticed," the researchers wrote on the Full Disclosure mailing list.
The vulnerability in Grandstream's SIP phone could allow an attacker to send a sequence of two messages, both syntactically correct, which together force the device into an inconsistent state. Once the device is in this state, RTP packets, which are used by most VoIP endpoints, are sent to the attacker. After the messages are sent, the device is not able to hang up, offering attackers the possibility of executing a remote denial-of-service attack, according to the researchers.
Grandstream is aware of the vulnerability in its software, and it will release in late September to address the issue, according to Marianne Rocco, the company's director of marketing. Rocco said that customers who are concerned about the vulnerability should contact Grandstream's support department for a copy of the beta firmware version, which has been tested against the vulnerability. Rocco said there are still ways to detect the vulnerability if the customer does not download the beta firmware. She argued that the phone will ring when the attack starts, and that the call information window will indicate that a call is going on. Grandstream customers are at risk of attack if they don't follow these steps, Rocco said.
I understand networks can be hacked. In that case VOIP is as vulnerable as banks and Investment firms, even Social Security administration..
However, Most VoIP devices like Grandstream are behind a NAT...and not on Public IP..
In a Enterprise environment, unless someone from inside is paying foul, you should never see this problem. If someone from public internet has hacked into your Grandstream that is a Security breach not a VoIP problem
It is rather entertaining to hear all of the discussion related to VoIP security over the past decade. Indeed, there are security risks, but the traditional phone network is also vulnerable. When VoIP first started to become widely known, people talked about how easy it was to listen to others' conversations using software to collect packets from the network. Indeed, it is possible. I can also listen to the conversation at your house using a $2 phone and a pair of alligator clips.
Historically, people thought that caller ID was definite proof of identity, but people are now learning that anybody with access to the telephone network can forge that information very easily-- there are no checks anywhere. Perhaps the biggest surprise to many is that fax is insecure. Some people actually believe that a signature on a fax page is positive proof that a person signed the document. Even a child can cut the signature from one page, paste it on another, and fax it to make it appear like the person signed the document.
There are truly very few "secure" systems, VoIP or otherwise.
They start from the presumption that your traditional phone lines/PBX are secure...when they're not. That's how the current administration got the whole warrantless wiretapping business rolling. Complicity from Telcos.
If voip on your network is insecure then your entire network is likely insecure. It's not a voip issue at all.
There are ample means of securing voip. Zphone & SRTP come to mind just for starters. VPN technology is also a good approach. VOIP can be dramatically more secure than your old PBX, if you make the effort.
It's always been an old concern and this only goes to prove it.
Regardless of how much potential many claim VoIP to hold... it also holds the potential for malacious use!
That said... until VoIP can be proven MORE reliable than our current telephony system... it should not be considered as a possible replacement!
It's new technology... new technology usually experiences the majority of security weaknesses.
That said, even attempting to replace a vital communications medium such as our current telephony system with a digital system is bizzare to say the least.
When power goes out... digital phones CANNOT be used... conventional Alexender Graham Bell invented phones however do seem to work.
Thus until such time as a BETTER replacement comes out... investors shouldn't be dubbed by false advertisement!
Bottom line: Digital telephony is before it's time! It's still in Alpha stage... not ready to replace the current Bell Telephone system by a long run. As such, those purporting otherwise should be held accountable for their false claims!!!
Chinese authorities have reportedly taken iPads from a third-party retailer, a move apparently brought on by Apple's continued refusal to honor a trademark for the iPad name owned by a Chinese manufacturer.
NY professor believes that a word-based algorithm can help bring together those who believe, with one glimpse, that they have found and lost the love of their lives.
After a higher-than-expected fourth quarter, the video subscription service unburdens itself of a pending yearlong class action suit and settles for $9 million.
Along with green-lighting Google's buy of Motorola, the Justice Department today OKs an Apple-Microsoft-RIM partnership deal to buy Nortel patents, and Apple's plan to acquire Novell patents.
Chamtech's spray-on antenna uses a nano material to provide a low-power boost to antenna range. The wireless-in-a-can product may some day bring an end to unsightly cell towers.
This week, we pass around Sony's new PlayStation Vita for some hands-on testing, check out HP's newest Beats Audio laptop, and debate the best and worst Valentine's Day gadget gifts.
EnerG2 opens a plant to make an engineered carbon that will improve performance of energy storage devices and make storage for start-stop hybrid cars less expensive.
However, Most VoIP devices like Grandstream are behind a NAT...and not on Public IP..
In a Enterprise environment, unless someone from inside is paying foul, you should never see this problem. If someone from public internet has hacked into your Grandstream that is a Security breach not a VoIP problem
Historically, people thought that caller ID was definite proof of identity, but people are now learning that anybody with access to the telephone network can forge that information very easily-- there are no checks anywhere. Perhaps the biggest surprise to many is that fax is insecure. Some people actually believe that a signature on a fax page is positive proof that a person signed the document. Even a child can cut the signature from one page, paste it on another, and fax it to make it appear like the person signed the document.
There are truly very few "secure" systems, VoIP or otherwise.
privacy, I had assumed that my AT&T VoIP service was
impenetrably secure.
They start from the presumption that your traditional phone lines/PBX are secure...when they're not. That's how the current administration got the whole warrantless wiretapping business rolling. Complicity from Telcos.
If voip on your network is insecure then your entire network is likely insecure. It's not a voip issue at all.
There are ample means of securing voip. Zphone & SRTP come to mind just for starters. VPN technology is also a good approach. VOIP can be dramatically more secure than your old PBX, if you make the effort.
mgraves
Regardless of how much potential many claim VoIP to hold... it also holds the potential for malacious use!
That said... until VoIP can be proven MORE reliable than our current telephony system... it should not be considered as a possible replacement!
It's new technology... new technology usually experiences the majority of security weaknesses.
That said, even attempting to replace a vital communications medium such as our current telephony system with a digital system is bizzare to say the least.
When power goes out... digital phones CANNOT be used... conventional Alexender Graham Bell invented phones however do seem to work.
Thus until such time as a BETTER replacement comes out... investors shouldn't be dubbed by false advertisement!
Bottom line: Digital telephony is before it's time! It's still in Alpha stage... not ready to replace the current Bell Telephone system by a long run. As such, those purporting otherwise should be held accountable for their false claims!!!
Walt