Monthly Archives: May 2006

Conferences Coming Up

I can see that the VoIP Developer conference in August has a couple of sessions led by VOIPSA members, namely Andrew Graydon and Bogdan Materna. I’m looking forward to this conference; it should have some excellent material.

On the subject of conferences: as Dan York mentioned, the Berlin VoIP Security Workshop starts tomorrow; I’ll be attending, so I hope I bump into a few fellow VOIPSA people over the next couple of days. Stay tuned for a brief conference report here, and also an audio report on Dan’s Bluebox podcast.

Third Annual VoIP Security Workshop in Berlin starts tomorrow…

If you are not aware of it, the Third Annual VoIP Security Workshop starts tomorrow, June 1, in Berlin, Germany. The program looks to be quite an interesting one and I personally would have loved to attend. Unfortunately, it did not work with my travel schedule but I look forward to seeing about attending the Fourth workshop, wherever that will be held. If any of you are attending and want to post some reports on what went on at the workshop, we would certainly love to have them. (Just leave a comment here or email me directly.)

Shall we play a game?

My coworker Dustin forwarded me this article that speculates the yet-to-be released Nintendo Wii game console will support VoIP:

The Nintendo controller will feature a microphone and will store a user phonebook/address book while it will be used as a VoIP phone and will help gamers communicate while online without the need for a headset.

Sony is also getting in on VoIP integration with their PlayStation Portable (PSP) handheld gaming device. Sony announced that VoIP will be added to the handheld via a firmware upgrade sometime in October. Microsoft’s Xbox 360 already supports VoIP through its Xbox Live game network service.

I don’t know of anyone that’s done a thorough analysis yet on these VoIP services; however, the same threats will likely apply. If you know of a good writeup, please leave a comment.

In the same way that web services have been built in to a variety of devices and applications, so too are similar integrations blurring the lines of VoIP. A couple of other examples besides gaming consoles that come to mind include Instant Messaging clients and Click-to-Call web applications. As you would expect, these hybrid VoIP applications inherit all of the additional security threats of the technologies that they are built on (web, IM, etc.).

Obviously, VoIP security these days is becoming much more than simply protecting IP phones and PBXs.

Blue Box Podcast #27 – Eavesdropping Tutorial

Yesterday I uploaded Blue Box Podcast #27, which marks the first of several tutorials that Jonathan and I intend to do over the next few months. In this show we spent about 20 minutes discussing issues around VoIP eavesdropping, why it is different from the PSTN, what solutions are out there to help protect against it and more. We hope you enjoy that segment, as well as all our usual VoIP security news and commentary. Comments are definitely welcome if you have a different viewpoint or other information to add.

What’s all the Fuzz about?

I’m guessing there’s going to be a resurgence soon in protocol fuzzing against different VoIP phones, PBXs, and especially VoIP softphones. The practice of fuzzing, otherwise known as robustness testing or functional protocol testing, has been around for a while in the security community. The practice has proven itself to be pretty effective at automating vulnerability discovery in applications and devices that support a target protocol.

The prize for the most prolific university fuzzing results to date belongs to the PROTOS project of Oulu University’s Secure Programming Group. Through various incarnations of student projects, the PROTOS group has been faithfully discovering vulnerabilities in a variety of protocol implementations, including SIP and H.323. Ari Takanen of that group eventually graduated and went on to cofound a commercial fuzzing tool company called Codenomicon, along with others from Oulu. In just the last year alone, the market has seen several other new commercial fuzzing entrants including:

Today, VoIP is starting to become a more interesting target for security researchers as the technology becomes more affordable and popular among enterprise customers. While it would be ideal if all VoIP vendors tested their own products internally for security bugs, the reality is that not all of them have the time, resources, or even the security DNA to find them all ahead of time.

For a great list of other fuzzing tools and presentations, check out Matthew Franz’s wiki.

Suggestions for VoIP security topics for podcast episodes

As noted earlier, we’ve been running a survey of members of the VOIPSA Technical Advisory Board asking about a number of VOIPSA-related topics. We’ll be posting more information here as we continue the analysis, but in the meantime, I did post a list of suggested podcast topics over on the Blue Box web site. If you have any additional suggestions please feel free to post them either here or in response to the Blue Box posting. Thanks to everyone in VOIPSA who participated – and Jonathan and I look forward to bringing you some of these topics in future Blue Box podcasts.

Skype patches medium-risk security hole

Given the hype around Skype, I will not at all be surprised to see media attention paid over the next few days to Skype’s new security bulletin about a vulnerability in the way files are transferred in IM by the Windows Skype client. From the bulletin, it appears that an attacker could craft a URL in such a way that it could initiate a file transfer to a Skype user. But, the attacker has to be on the recipient’s approved sender list or trick the recipient into following the URL. Given that, it makes sense that they only rate it as a medium. As this has nothing to do with voice, why am I writing about it here? Well, simply because it is Skype and I expect to see people talking about it. The fix is of course to simply upgrade to the newest versions.

More information is available at the Skype security blog and in a Network World article.

Reliable VoIP

Since communities first established storehouses of grain to provision against future famine, people have organized government to prevent shortages of life’s essentials.

Electronic communication, in all its forms, has become essential to our continued prosperity, liberty and social advancement.

Fundamentally, this society is in transition from a robust, redundant and managed telephone system optimized for universal voice service to a faster and more diversified collection of unmanaged communications designed for any kind of data.

While the benefits of this transition are numerous, the trade-offs have received less attention.  The key issues in reliability flow from two fundamentals:

First, the physical architecture of much of the internet is optimized for cost and not reliability. For technical reasons given the art of the time, the original phone system was deployed in a highly parallel manner with separated wire pairs for each line running back to a local central office. Even in an extreme disaster, such as a tornado, service was often available or quickly restored across a wide area. This is no longer true in all modern deployments of internet and VoIP today.

Second, the software and protocol architecture of the internet favors in-band signaling, i.e. combining data and signal (control) together. So for example if you compare and contrast the history of the H.323 protocol (having its roots in ISDN) with the more recent SIP protocol, there is evident a modern architectural movement toward greater convergence of data and control.

Technical choices are being made in favor of convergence, cost and features.

To a modern designer, avoiding convergence violates the ideal view of all bits as equal, as converging data is highly attractive if you assume reliable delivery.

The social issue of who is responsible for assuring reliability is not captured in today’s economy. The complexity and costs of high reliability are disfavored for events beyond the ordinary recapture of revenue.

At issue is the social deferral of the costs of emergency. The commercial market with current policy tends to disfavor adding costs which evade recovery.

The issues above are not confined to wired telephony. They extend to wireless as well.

When answering the question “how are radio towers provisioned?”, consider whether the answer takes the data on a path through a vulnerability. When it does, the tower is no longer an independent reliable backup.

Thus, it may be prudent to ask and consider the following questions:

  • Is there a consensus of knowledge about the physical reliability of the internet in handling emergencies?

  • If not, what projects might be proposed to bring the value chain to a common point of understanding?

  • Is there a consensus of knowledge about the actual redundancy of converged communications?

  • If not, what projects might be proposed to create a common view?

  • Is there an agreed sense among all constituencies on the best practices for overflow and capacity planning of the internet and VOIP?

  • What might be done to encourage industry and the public to prepare for communication in the event people are stranded and unable to get to their customary and approved means of communication?

From A Statement Offered In Support Of Testimony in Washington, D.C.
In The Matter of Planning For Social/Governmental Emergencies

Jonathan Zar is Secretary & Outreach Chair for VOIPSA, the VoIP Security Alliance. VOIPSA represents 100 organizations and over three thousand of the world’s experts in converged media security. Mr. Zar would like to acknowledge the valuable contributions informing his statement from Mr. Robert Simkavitz and Mr. Philip Walenta of VOIPSA. Mr. Zar’s words are his own and he has offered his statement as a private citizen and not in his official capacity as a spokesman for VOIPSA.

Copyright (c) 2006 All Rights Reserved
Permission Granted To Reproduce Intact Citing This Posting