Author Archives: David Endler

Internet pioneers speak out on VoIP wiretapping

As a follow-up to Dustin Trammell’s posting about CALEA compliance, the Information Technology Association of America released a report today entitled Security Implications of Applying the Communications Assistance to Law Enforcement Act to Voice over IP. To quote from an InfoWorld article covering the report:

The study, co-authored by several people including TCP/IP co-creator Vinton Cerf and former U.S. National Security Agency encryption scientist Clinton Brooks, comes days after a U.S. appeals court upheld the FCC’s VOIP wiretapping rules. On Friday, the U.S. Court of Appeals for the District of Columbia upheld the ruling, requiring that VOIP providers offering a substitute for traditional telephone service comply with a 1994 telephone wiretapping law called the Communications Assistance for Law Enforcement Act (CALEA).

The FCC did not immediately respond to a request for comments about the ITAA study. But on Friday, FCC Chairman Kevin Martin said allowing law enforcement wiretapping of VOIP calls is of “paramount importance” to U.S. security.

Tracking VOIP calls would be more difficult than tracking calls on the traditional telephone network, because VOIP providers have little control over how their calls are routed across the Internet, said Whitfield Diffie, chief security officer at Sun Microsystems Inc. VOIP providers “have no special Internet privileges” to control traffic, said Diffie, one of the study’s authors.

Hacker cracks Net phone providers for gain

The New York Times is reporting a story about Edwin Andres Pena, a 23-year-old Miami resident who was arrested today by the Federal government. The Feds allege that Pena was involved in a scheme to sell discounted Internet phone service by breaking into other Internet phone providers and piggybacking connections through their networks unbeknownst to them. According to the story:

To evade detection, Pena is said to have hacked into computers run by an unsuspecting investment company in Rye Brook, N.Y., commandeered its unprotected servers and re-routed his phone traffic through them. These steps made it appear as if that company was sending calls to more than 15 Internet phone companies.

In one three-week period, for instance, prosecutors say that one of the victimized Internet phone providers, based in Newark, received about 500,000 calls that were made to look as if they came from the company in Rye Brook. The Newark company was left having to pay $300,000 in connection fees for routing the phone traffic to other carriers, without receiving any revenue for the calls, prosecutors said.

You can read the entire story here.

New versions of Asterisk fix denial of service flaw

New versions of Asterisk were released today that fix a security vulnerability in the IAX2 channel driver:

The Asterisk Development Team today released Asterisk 1.2.9.1 and Asterisk 1.0.11.1 to address a security vulnerability in the IAX2 channel driver (chan_iax2). The vulnerability affects all users with IAX2 clients that might be compromised or used by a malicious user, and can lead to denial of service attacks and random Asterisk server crashes via a relatively trivial exploit.

All users are urged to upgrade as soon as they can practically do so, or ensure that they don’t expose IAX2 services to the public if it is not necessary.

Slightly more detail about the flaw is available in the Changelog:

* channels/chan_iax2.c: ensure that the received number of bytes is
included in all IAX2 incoming frame analysis checks (fixes a
known vulnerability)
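
The Changelog entry describes a class of check: every access to an incoming frame must be bounded by the number of bytes actually received. The sketch below is an added example, not Asterisk's code and not the actual patch; it applies that check to the mini-frame and full-frame header layouts from RFC 5456. The names parse_iax2 and frame_info are hypothetical, the sample bytes are constructed, and meta frames are not handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MINI_HDR 4    /* mini frame header length (RFC 5456) */
#define FULL_HDR 12   /* full frame header length (RFC 5456) */

enum { FRAME_FULL = 1, FRAME_MINI = 2, FRAME_TRUNCATED = -1 };

struct frame_info {                 /* hypothetical, for this example only */
    uint16_t src_call, dst_call;
    uint32_t timestamp;
    uint8_t frametype, subclass;
    size_t payload_len;
};

/* `received` is the byte count returned by the socket read. Every header
 * field is read only after checking that `received` covers it. */
int parse_iax2(const uint8_t *buf, size_t received, struct frame_info *out)
{
    if (received < MINI_HDR)
        return FRAME_TRUNCATED;             /* too short for any header */
    out->src_call = (uint16_t)(((buf[0] & 0x7f) << 8) | buf[1]);
    if (!(buf[0] & 0x80)) {                 /* F bit clear: mini frame */
        out->dst_call = 0;
        out->timestamp = (uint32_t)((buf[2] << 8) | buf[3]);
        out->frametype = out->subclass = 0;
        out->payload_len = received - MINI_HDR;
        return FRAME_MINI;
    }
    if (received < FULL_HDR)
        return FRAME_TRUNCATED;             /* full header cut short */
    out->dst_call = (uint16_t)(((buf[2] & 0x7f) << 8) | buf[3]);
    out->timestamp = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                     ((uint32_t)buf[6] << 8) | buf[7];
    out->frametype = buf[10];               /* buf[8], buf[9]: sequence numbers */
    out->subclass = buf[11];
    out->payload_len = received - FULL_HDR;
    return FRAME_FULL;
}

int main(void)
{
    /* Constructed sample: a full-frame header truncated to 6 bytes. */
    const uint8_t cut[6] = { 0x80, 0x01, 0x00, 0x00, 0x00, 0x00 };
    struct frame_info fi;
    printf("truncated full frame -> %d\n", parse_iax2(cut, sizeof cut, &fi));
    return 0;
}
```

A parser that trusted the F bit alone would read header bytes 6 through 11 from whatever followed the datagram in memory; here the short read is rejected before any of those bytes are touched.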

Shall we play a game?

My coworker Dustin forwarded me this article that speculates the yet-to-be-released Nintendo Wii game console will support VoIP:

The Nintendo controller will feature a microphone and will store a user phonebook/address book while it will be used as a VoIP phone and will help gamers communicate while online without the need for a headset.

Sony is also getting in on VoIP integration with their PlayStation Portable (PSP) handheld gaming device. Sony announced that VoIP will be added to the handheld via a firmware upgrade sometime in October. Microsoft’s Xbox 360 already supports VoIP through its Xbox Live game network service.

I don’t know of anyone that’s done a thorough analysis yet on these VoIP services; however, the same threats will likely apply. If you know of a good writeup, please leave a comment.

In the same way that web services have been built in to a variety of devices and applications, so too are similar integrations blurring the lines of VoIP. A couple of other examples besides gaming consoles that come to mind include Instant Messaging clients and Click-to-Call web applications. As you would expect, these hybrid VoIP applications inherit all of the additional security threats of the technologies that they are built on (web, IM, etc.).

Obviously, VoIP security these days is becoming much more than simply protecting IP phones and PBXs.

What’s all the Fuzz about?

I’m guessing there’s going to be a resurgence soon in protocol fuzzing against different VoIP phones, PBXs, and especially VoIP softphones. The practice of fuzzing, otherwise known as robustness testing or functional protocol testing, has been around for a while in the security community. The practice has proven itself to be pretty effective at automating vulnerability discovery in applications and devices that support a target protocol.

The prize for the most prolific university fuzzing results to date belongs to the PROTOS project of Oulu University’s Secure Programming Group. Through various incarnations of student projects, the PROTOS group has been faithfully discovering vulnerabilities in a variety of protocol implementations, including SIP and H.323. Ari Takanen of that group eventually graduated and went on to cofound a commercial fuzzing tool company called Codenomicon, along with others from Oulu. In just the last year alone, the market has seen several other new commercial fuzzing entrants including:

Today, VoIP is starting to become a more interesting target for security researchers as the technology becomes more affordable and popular among enterprise customers. While it would be ideal if all VoIP vendors tested their own products internally for security bugs, the reality is that not all of them have the time, resources, or even the security DNA to find them all ahead of time.

For a great list of other fuzzing tools and presentations, check out Matthew Franz’s wiki.

Researchers seek to save VoIP from security threats

An article from ComputerWorld discusses a grant that the NSF has earmarked for the research of VoIP security threats:

The National Science Foundation says it has issued US$600,000 to the University of North Texas to spearhead development of a multi-university test bed to study VoIP security. Other participants are Columbia University, Purdue University and the University of California-Davis. VoIP spam, denials of service, emergency services and quality of service will be among the areas targeted for research during the three-year project. The research will also look at vulnerabilities that emerge from the integration of VoIP and legacy networks.

The group of schools plans to disseminate its findings widely to technology developers, academia and others involved in network convergence.

Ram Dantu from the University of North Texas is leading the charge and is also a member of VOIPSA’s Technical Advisory Board, as are several of the other researchers involved in this grant. Ram has been instrumental in driving the state of VoIP security not only through his own research and professional career, but by organizing industry workshops on VoIP security.

I expect the results from their efforts to be sobering, hopefully helping vendors and providers to enhance the security of their solutions and offerings.