Archive for the 'VoIP Security Tools' Category

Blue Box Podcast #36 – Black Hat super-sized edition focusing on voice security talks

Monday, August 7th, 2006 by Dan York

Blue Box Podcast #36 is now available for download. In this super-sized show, we discuss the voice security talks given at Black Hat 2006 last week in Las Vegas. There is an interview with David Endler and Mark Collier about the VoIP security tools they released, an interview with Ofir Arkin about his talk on NAC and involvement with VOIPSA, and many other news items coming out of the conference.

VoIP hacking tools released today…

Wednesday, August 2nd, 2006 by Dan York

Today here at Black Hat, Dave Endler and Mark Collier released a set of VoIP hacking tools that allow you to initiate – and automate – a whole range of attacks against SIP devices. Definitely interesting tools to check out.

Beyond the Bitpipe

Thursday, July 20th, 2006 by Martyn Davies

I recently installed BT Communicator, which is British Telecom’s answer to Skype.  Like Skype it allows free calls (PC to PC) and offers the capability to break out onto the PSTN to call anyone anywhere, for a fee.  Being naturally curious, I fired up Wireshark and captured some of the activity on the line, and I was delighted to discover that it’s using our old friends SIP and RTP to signal and carry the calls.  In contrast, if you capture Skype traffic, you can’t figure out what’s happening unless you put an awful lot of research into it.

Are BT offering unique value with their service?  I think so: firstly the billing backs into the same BT billing system, and ends up on my phone bill, where Skype operate a pay-as-you-go system that needs charging via card etc.  One less thing to worry about with BT.  Secondly, unlike Skype, BT are embracing open standards, but still with an eye on security (the service uses Proxy Authentication to secure the calls, but no crypto yet).  Skype consider their softphone to be an important part of their service offering, and won’t open up the protocol to other clients.  As I see it, most of the Skype value is in the sheer number of customers that use the service, and I imagine eBay also saw it this way, but this is a topic for another day.  BT, on the other hand, are looking further out to the open standards world, where it will be an advantage to be SIP-compatible.  Perhaps this is already architected to slot right in to their IMS backbone, 21CN.  One final advantage is that there are actually people out there that don’t use the Internet much, and don’t know about Skype.  So BT are actually using their marketing money to tell these people that they can call their friends for free using Communicator.  Of course they are cannibalizing their own call revenue, but perhaps they see the bigger picture, that like Skype, this can be used to pull through all kinds of other revenue generating services.

I like this approach to business better than that of companies like Shanghai Telecom and China Telecom, who reportedly have bought software technology to detect and block Skype traffic.  Presumably, they will also be blocking SIP, since this is technically much less difficult.  The thinking behind this is that if people aren’t calling with Skype, then they have to pick up the legacy phone.  This kind of thinking, “I don’t make any money out of this; can I block it?” is just the kind of blinkered approach that leads to telco lobbying in the net neutrality debate in the US.  Companies like AT&T would like to get paid twice, once by the Skypes and Googles, and then again by their telco customers.  Of course we’d all like to get paid twice, but most of us don’t have the political clout to make it happen. 

BT have not always been the most dynamic company, but I imagine that if they can learn something about business from Skype, then all large telcos stand a chance.  So come on guys, stop wringing your hands and worrying about becoming the bitpipe, and get out there and innovate.

Homosapien Too

Tuesday, July 4th, 2006 by Martyn Davies

I sent a message the other day on eBay, and came across a new feature: to submit a message you now have to prove you are not a spammer but human (these being opposites) with a Turing test or CAPTCHA.  OK, these things are common on web systems these days, but the new slant here was that if you could not read the graphic, you could click on a link and download an audio version to listen to instead.  This is also one of the proposed strategies for dealing with SPIT (SPAM over Internet Telephony) in our VoIP systems of the future, i.e. interact with the bona fide caller or spammer and present them with some kind of test or quiz before they get put through.  This could be as simple as “Press 8 to speak to Martyn or 0 for voicemail.”

But there is also an arms race aspect to this, for the smart spammer might also employ automatic speech recognition (ASR) technology, which is increasingly cheap and effective due to increasing CPU performance and falling hardware prices.  Their ASR server could be programmed to understand digits, and so have a fair stab at giving the correct answer to the CAPTCHA. 

It interested me that on eBay, the audio file downloaded did not have a pristine recording of the digits being read out, but instead had a variety of noises in the background: white noise; some fragments of speech.  Naturally it’s quite easy for a human to extract the digits from the background noise, but this is just the kind of chaff that might confuse the enemy radar, so to speak, of the spammer’s ASR system.

Happy July 4th to those of you in the USA, and welcome back all our friends that just celebrated Canada Day.

What’s all the Fuzz about?

Tuesday, May 23rd, 2006 by David Endler

I’m guessing there’s going to be a resurgence soon in protocol fuzzing against different VoIP phones, PBXs, and especially VoIP softphones. The practice of fuzzing, otherwise known as robustness testing or functional protocol testing, has been around for a while in the security community. The practice has proven itself to be pretty effective at automating vulnerability discovery in applications and devices that support a target protocol.

The prize for the most prolific university fuzzing results to date belongs to the PROTOS project of Oulu University’s Secure Programming Group. Through various incarnations of student projects, the PROTOS group has been faithfully discovering vulnerabilities in a variety of protocol implementations, including SIP and H.323. Ari Takanen of that group eventually graduated and went on to cofound a commercial fuzzing tool company called Codenomicon, along with others from Oulu. In just the last year alone, the market has seen several other new commercial fuzzing entrants including:

Today, VoIP is starting to become a more interesting target for security researchers as the technology becomes more affordable and popular among enterprise customers. While it would be ideal if all VoIP vendors tested their own products internally for security bugs, the reality is that not all of them have the time, resources, or even the security DNA to find them all ahead of time.

For a great list of other fuzzing tools and presentations, check out Matthew Franz’s wiki.