Author Archive

New versions of Asterisk fix denial of service flaw

Tuesday, June 6th, 2006 by David Endler

New versions of Asterisk were released today that fix a security vulnerability in the IAX2 channel driver:

The Asterisk Development Team today released Asterisk 1.2.9.1 and Asterisk 1.0.11.1 to address a security vulnerability in the IAX2 channel driver (chan_iax2). The vulnerability affects all users with IAX2 clients that might be compromised or used by a malicious user, and can lead to denial of service attacks and random Asterisk server crashes via a relatively trivial exploit.

All users are urged to upgrade as soon as they can practically do so, or ensure that they don’t expose IAX2 services to the public if it is not necessary.

Slightly more detail about the flaw is available in the Changelog:

* channels/chan_iax2.c: ensure that the received number of bytes is
included in all IAX2 incoming frame analysis checks (fixes a
known vulnerability)

Shall we play a game?

Tuesday, May 30th, 2006 by David Endler

My coworker Dustin forwarded me this article that speculates the yet-to-be released Nintendo Wii game console will support VoIP:

The Nintendo controller will feature a microphone and will store a user phonebook/address book while it will be used as a VoIP phone and will help gamers communicate while online without the need for a headset.

Sony is also getting in on VoIP integration with their PlayStation Portable (PSP) handheld gaming device. Sony announced that VoIP will be added to the handheld via a firmware upgrade sometime in October. Microsoft’s Xbox 360 already supports VoIP through its Xbox Live game network service.

I don’t know of anyone that’s done a thorough analysis yet on these VoIP services; however, the same threats will likely apply. If you know of a good writeup, please leave a comment.

In the same way that web services have been built in to a variety of devices and applications, so too are similar integrations blurring the lines of VoIP. A couple of other examples besides gaming consoles that come to mind include Instant Messaging clients and Click-to-Call web applications. As you would expect, these hybrid VoIP applications inherit all of the additional security threats of the technologies that they are built on (web, IM, etc.).

Obviously, VoIP security these days is becoming much more than simply protecting IP phones and PBXs.

What’s all the Fuzz about?

Tuesday, May 23rd, 2006 by David Endler

I’m guessing there’s going to be a resurgence soon in protocol fuzzing against different VoIP phones, PBXs, and especially VoIP softphones. The practice of fuzzing, otherwise known as robustness testing or functional protocol testing, has been around for a while in the security community. The practice has proven itself to be pretty effective at automating vulnerability discovery in applications and devices that support a target protocol.

The prize for the most prolific university fuzzing results to date belongs to the PROTOS project of Oulu University’s Secure Programming Group. Through various incarnations of student projects, the PROTOS group has been faithfully discovering vulnerabilities in a variety of protocol implementations, including SIP and H.323. Ari Takanen of that group eventually graduated and went on to cofound a commercial fuzzing tool company called Codenomicon, along with others from Oulu. In just the last year alone, the market has seen several other new commercial fuzzing entrants including:

Today, VoIP is starting to become a more interesting target for security researchers as the technology becomes more affordable and popular among enterprise customers. While it would be ideal if all VoIP vendors tested their own products internally for security bugs, the reality is that not all of them have the time, resources, or even the security DNA to find them all ahead of time.

For a great list of other fuzzing tools and presentations, check out Matthew Franz’s wiki.

Researchers seek to save VoIP from security threats

Saturday, April 15th, 2006 by David Endler

An article from ComputerWorld discusses a grant that the NSF has earmarked for the research of VoIP security threats:

The National Science Foundation says it has issued US$600,000 to the University of North Texas to spearhead development of a multi-university test bed to study VoIP security. Other participants are Columbia University, Purdue University and the University of California-Davis. VoIP spam, denials of service, emergency services and quality of service will be among the areas targeted for research during the three-year project. The research will also look at vulnerabilities that emerge from the integration of VoIP and legacy networks.

The group of schools plans to disseminate its findings widely to technology developers, academia and others involved in network convergence.

Ram Dantu from the University of North Texas is leading the charge and is also a member of VOIPSA’s Technical Advisory Board, as are several of the other researchers involved in this grant. Ram has been instrumental in driving the state of VoIP security not only through his own research and professional career, but by organizing industry workshops on VoIP security.

I expect the results from their efforts to be sobering, hopefully helping vendors and providers to enhance the security of their solutions and offerings.