Vulnerabilities

VoIPShield says Microsoft OCS vulnerable to attacks

Doug Mohney — Fri, 14 Nov 2008 15:56:05 -0500

Media stream attacks could affect Micrsofot Office Communications Server (OCS) as well as Office Communicator and Windows Messenger, says VoIPshield Systems. Microsoft is looking into the report.

VoIPshield says the vulnerabilities affect applications using protocols like RTP and, if exploited, could cause a denial of service (DOS) attack against not only the stated applications, but against the whole desktop. The company is not publicly disclosing details of the vulnerabilities, but says it confidentially discloses full details to affected vendors.

A spokesperson for VoIPshield Labs said the company is currently validating new research that shows an attacker can gain unauthorized access to an unsuspecting user's laptop by manipulating the packets of a VoIP phone call - an attack that might even be able to traverse a PSTN gateway. If possible, this attack would be a far more subtle and serious threat than a DoS attack since there would be no warning.

Microsoft is investigating the finding and recommends both managing patches and keeping all software up to date.

For more:
- Read the details of the alleged vulnerability. Article.

UCSniff targets VoIP, UC, and the inside job

Doug Mohney — Sun, 28 Sep 2008 22:16:27 -0400

Over the weekend, the Toorcon security conference in San Diego showcased a next-generation VoIP sniffer. Trust no one, and that goes double if they are on your side of the firewall.

The UCSniff tool, created by VoIP Hopper author and director of Sipera's VIPER VoIP vulnerabilities lab Jason Ostrom, has two settings for mischief. One is a learning mode that sniffs IP traffic and maps phone extensions to specific IP addresses. By default, it captures all the calls and saves them to .WAV files, says CNET news.

Once you have a map of phones to IP addresses, an attacker could use UCSniff to listen to all the VoIP conversations made by a specific mode. If that's not exciting enough, a second model allows for monitoring calls made exclusively between two extensions.

Readers should note that Ostrom's presentation outlines scenarios for the "trusted insider" within the corporation that has access to an organization's VoIP infrastructure and calls for consideration of internal controls and best practices to prevent VoIP eavesdropping.

For more:
- CNet blogs about Toorcon VoIP security session. Posting.

The Ease of Hacking VoIP

Doug Mohney — Sun, 03 Aug 2008 21:54:14 -0400

Most of the 300,000 privately owned IP PBX systems throughout the U.S. are "wide open" to anyone that wants to hack them, says ChannelWeb. Compounding matters are a lack of regulatory interest and failure of vendors to disclose vulnerabilities.

With VoIP systems being implemented on data LANs and blended with other software for unified communications solutions, the potential for mischief can get very large very quickly. VoIPshield has been posting and demonstrating publicly documented (i.e. available through The Google) hacks. While Cisco Call Manager gets a workout on how easy it is to exploit, the real problem lies in companies not updating their VoIP and IP PBX software with the latest security patches and fixes like they do all with all their other software.

If you're not worried yet, there's a free utility called VoIPhopper to jump between voice and data VLANs so one can easily bypass firewalls and nearly all the IDS software for sale today.

For more:
- Hacking VoIP is easy, reports ChannelWeb

Related articles:
Last HOPE Launches Security Season
SPOTLIGHT: Survey: U.S. firms lax about VoIP security

Last Hope Launches Security Season

Doug Mohney — Sun, 20 Jul 2008 16:26:58 -0400

Over the weekend, 2600's The Last HOPE (Hackers On Planet Earth) conference launched what this reporter dubs "Security Season." Be prepared for an onslaught of computer security stories featuring oh-so-clever hackers between now and the wrap-up of DEFCON 16 in mid-August.

At the conference, hacker celebrity Kevin Mitnick appeared to plug his coming tell-all book and demonstrated a script for Digium's Asterisk IP PBX to show Caller ID information for someone calling even if the phone's Caller ID is set to "private."

Other presentations at the conference went much deeper into VoIP security. Blake Cornell and Jeremy McNamara discussed how a number of foreign governments and ISPs are blocking VoIP services in attempt to protect a telephone monopoly and/or to censor information. The duo will release a pair of tools to determine if an ISP is blocking SIP and to scan entire netblocks to determine if any Asterisk IAX2 services are available. Details were also provided as to how Asterisk and VoIP providers who support IAX2 can provide virtually un-blockable VoIP services in a country that is actively blocking SIP-based VoIP services.

Sessions also touched upon the ability to use VoIP as a low cost method to probe phone networks around the world and incidents last year where a group of Italian VoIP hackers exploited VoIP vulnerabilities.

For more:
- Silicon Valley Insider spots Mitnick hacking Asterisk
- The Last Hope website
- Jeremy McNamara's VoIP/Asterisk blog

Related articles:
Newport Networks Riles Up VoIP Security Fears
VoIP Security and the Circle of Trust