Voice of VOIPSA

Foreign-based criminals are reportedly ripping off Australian companies by hacking into their telephone systems and racking up massive bills.  Last week a Melbourne retailer and university were hit with collective phone bills for more than 100-thousand dollars of overseas calls.  And both parties are angry with Telstra which they say is insisting they pay the bills.  The Camberwell Electrics Superstore says it was contacted by Telstra to ask why it had made 20 thousand dollars worth of overseas calls in less than two weeks.  And Swinburne University says it knew nothing about the scam until it was hit with an 80-thousand dollar bill.

The goal of Xplico is extract from an internet traffic capture the applications data contained.  For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), and so on. Xplico isn’t a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT).  Xplico is released under the GNU General Public License.

While most VoIP-related vulnerabilities are posted to the VOIPSA mailing list or blog, I thought it might be useful to have a informal quarterly summary of sorts among VoIP devices per searches from NIST.  I hope folks find it helpful, and of course post comments if I’ve overlooked anything from 1 January 2008 through 31 March 2008.

VoIP Firewalls

• CVE-2008-0263 Ingate Firewall & SIParator 1/15/2008

Cisco Phones

• CVE-2008-0531 Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G 2/14/2008
• CVE-2008-0530 Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G 2/14/2008
• CVE-2008-0529 Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G 2/14/2008
• CVE-2008-0528 Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G 2/14/2008
• CVE-2008-0527 Cisco Unified IP Phone 7935 and 7936 2/14/2008
• CVE-2008-0526 Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G 2/14/2008
• CVE-2008-1113 Cisco Unified Wireless IP Phone 7921 3/3/2008

Snom Phones

• CVE-2008-1251 Snom 320 SIP Phone 3/10/2008
• CVE-2008-1250 Snom 320 SIP Phone 3/10/2008
• CVE-2008-1249 Snom 320 SIP Phone 3/10/2008
• CVE-2008-1248 Snom 320 SIP Phone 3/10/2008

Vocera Phones

• CVE-2008-1114 Vocera Communications wireless handsets 3/3/2008

Routers & Gateways

• CVE-2008-1334 BT Home Hub router 3/13/2008

Asterisk PBX

• CVE-2008-1289 Asterisk Open Source 3/24/2008
• CVE-2008-1390 Asterisk Open Source 3/24/2008
• CVE-2008-1332 Asterisk Open Source 3/19/2008
• CVE-2008-1333 Asterisk Open Source 3/19/2008

Cisco Call Manager

• CVE-2008-0026 Cisco Unified CallManager/Communications Manager 2/14/2008
• CVE-2008-0027 Cisco Unified Communications Manager 1/16/2008

UPDATE 4/15/08

Want to learn about voice biometrics? I recently learned of the “VoiceBiometrics” conference happening May 14-15, 2008, in New York City. While the agenda does not seem to have anything about VoIP, per se, it’s obviously all about voice and looks quite interesting.

I won’t be there, but if anyone does go and wants to write up some information for this blog (or record information for the Blue Box podcast) we’d be glad to post that info.

[P.S. In full disclosure, one of the event sponsors, VoiceVerified, is a customer of my employer, Voxeo.]

Technorati Tags:
voice, voice security, voice biometrics, biometrics

As I mentioned last week, I’ll be participating in an Ingate-sponsored webinar on “Secure SIP Trunking” in about 2 hours at 2:00pm Eastern US time. If you’d like to learn about VoIP security in general (as well as obviously Ingate’s products), you can participate in the free webinar. Sign up here.

Technorati Tags:
sip, security, sip security, voip, ingate, voip security, voipsa, sip trunking

On April 1st VuNet reported that hackers had taken down the International Space Station’s email capabilities.

So, this was a good April Fool’s joke, right?

Three astronauts onboard the Space Station reported last night that email was no longer working.
Hackers are thought to have planted a Trojan in the computer systems at Houston and used the infection to ride the satellite uplink to the Space Station.

What is especially troubling is the email system’s reliance upon older Microsoft operating systems that are no longer supported by Microsoft.

“I am sorry but there is nothing we can do. It is past its deadline, said Professor Brian Offin, Microsoft’s head of obsolete operating systems.

Again, a good April Fool’s joke, right?

However, this false article brings to light the fact that as newer technologies replace legacy systems, we must bear in mind that the new technology changes will, over time, themselves become legacy systems and subject to the same outdated, unsupported and insecurities that plagued the very legacy systems they replaced.

So what’s this have to do with VoIP and the International Space Station? Well, details are thin, but way back in 2000 VoIP Group Inc. was awarded a contract to provide a VoIP replacement for the ISS to “bring about significant cost reductions as it supplements and then replaces an existing legacy system.”

Initially deployed at NASA’s Marshall Space Flight Center in Huntsville, Alabama, and later at other International Space Station operations centers, the solution will consist of VoIP Group’s gateways connected to the Internet and to Raytheon voice switches and CUseeMe conference servers to support voice conferencing. The system is designed to link together researchers, NASA operations personnel, and potentially ISS crew, to support collaboration during Space Station experiment planning and operations. Because users can access the system using a standard Internet browser on an inexpensive multimedia PC, they can be located at NASA centers, universities, and companies throughout the world, and still connect in real-time, 24 x 7.

I hope that the sharp folks at NASA and VoIPgroup are taking the proactive steps to avoid security problems with critical communications with the ISS.

I do have to hand it to the VoIPshield Systems folks… they really did go all out for their product launch. As I noted yesterday, they released a slew of vulnerability notices… but I didn’t notice that they also released a YouTube video “dramatizing” a potential DoS attack by someone connecting to a lobby phone. It was a Network World article that pointed me to it:

I have to say that this is the first time that I can personally remember a “VoIP security video” being uploaded to YouTube by a company doing a product launch (although Peter Cox did upload one as he was launching his consultancy). It’s also the first “dramatization” I recall seeing. (Peter’s and others (including mine) have been more documentary/interview style.)

So kudos to VoIPshield for doing something a little bit different. Nice to see.

I’m also a huge fan of telling stories as a way to talk about issues in general, so it’s good to see.

As to the video itself, I had the following comments:

• I didn’t quite get the first 45 seconds or so that seemed to be mostly someone (the attacker, presumably) turning on computers. I guess “scene setting” or something like that.
• When the attacker opened his laptop, connected the Ethernet cable, ran some script, and disconnected the cable and re-connected it to the phone, all I could think was “He must be running Linux” because my previous Windows laptop would never resume as quickly as his did! (My new Mac does, though, but the attacker is not using one.)
• It is a good illustration of the danger of having open Ethernet access in a lobby area (or a conference room that a guest is left alone in). Note that the danger exists with an open Ethernet jack, but of course with an IP phone you also have ready access to a cable.
• I am imagining that the attacker’s script: 1) hops to the voice VLAN (if a VLAN is used); and 2) sends some kind of signaling attack to the IP-PBX that crashes the system. All of which is possible depending upon the system.
• While a VoIP-aware Intrusion Prevention System certainly could help protect against this type of attack, it seems to me a stronger solution might be to look at requiring 802.1X authentication on all Ethernet devices. With 802.1X required, the attacker’s laptop would not have been able to get an IP address without the proper credentials. Of course, this would have required IP phones that support 802.1X (and some out there do).

While the video is more on the alarmist side of the security continuum than I am (but, gee, what does VoIPshield sell?), it’s nice to see someone doing something a bit offbeat and different in trying to talk about VoIP security issues.

I look forward to seeing VoIPshield’s next video…

Technorati Tags:
voip, voip security, security, voipshield, videos

How can you make SIP trunking secure? Is there such a thing as “secure SIP trunking”? Can SIP trunks and VoIP actually be more secure than the PSTN?

All those questions and more will be the subject of a webinar next week sponsored by Ingate Systems (and announced today) in which I will be a participant called “Secure SIP Trunking: What You Need to Know“. The webinar will cover:

• Security misconceptions, challenges and requirements

• VoIP vs. PSTN: How SIP Trunks and VoIP can be more secure than traditional telephony
• The security measures you need; and those you don’t
• The basics of enterprise security and VoIP: SRTP, TLS and NAT traversal
• New security technologies
• Future-proofing your network for new security threats

Now, obviously this webinar is sponsored by Ingate so the solutions offered will involve their products. My role will be to talk about VoIP security in general and issues around securing SIP trunks. It should be an interesting session and you can easily register if you would like to attend. There is no charge.

The webinar will be on Thursday, April 10th, at 2:00pm US Eastern time, 11:00am US Pacific time.

NOTE: VOIPSA does not directly endorse, recommend, or promote products from any vendors. Our mission is to raise the level of discussion around VoIP security issues and so we are glad to participate in any relevant educational efforts such as webinars, conferences or other events. We are participating in this and other events sponsored by Ingate simply because they asked us and the events seemed in line with our overall mission. If you would like VOIPSA participation in an event you are sponsoring, please contact a VOIPSA Board Member about the possibility.

Technorati Tags:
voip security, voip, sip, sip security, sip trunking, sip trunking security, ingate, voipsa

So today VoIPshield Laboratories announced the discovery of over 100 security vulnerabilities in systems from Avaya, Cisco and Nortel and, somewhat predictably, this has already resulted in coverage from the Wall Street Journal BizTech blog and InfoWorld’s Security Watch blog. I will expect to see more coverage in the days ahead as it works its way out into the mainstream media. The news release is a good one and includes great quotes from Gartner’s Lawrence Orans and our (VOIPSA) own Jonathan Zar.

VoIPshield has disclosed all the vulnerabilities to the vendors and has made 44 of the vulnerabilities available at www.voipshield.com/research (That is the number I currently see on the page.)

I should note that VoIPshield Systems, under whom VoIPshield Laboratories falls, is a member of the VOIPSA Technical Board of Advisors. I also have met the VoIPshield folks several times and Jonathan and I interviewed CTO Bogdan Materna eons ago back on Blue Box podcast #12. We’ve been on panels together and I have a high degree of respect for what they are doing and how they are doing it.

This familiarity, though, does not prevent me from feeling a bit uneasy about two aspects of this announcement today. First, if you look down the list of vulnerabilities in almost all cases (41 of 44) the vendor response state is “Attempting to address the issue“.

In other words, these are current, open vulnerabilities. No patches. No fixes. (Outside of the stated recommendation to follow network security best practices and potentially to purchase a VoIP security product such as the one VoIPshield makes.)

Now in many cases the vulnerability announcements are sufficiently vague that an attacker is not going to be able to do a whole lot with them. However, in other cases, there’s enough information there to point the way for an attacker. For instance, this one for Cisco for “UCM Multiple Hardcoded Passwords” indicates:

Description

By knowing and using the hardcoded account names and passwords (a total of three have been identified) on the UCM platform, an attacker can connect to the system and issue database commands which can result in code execution, denial of service, license exhaustion or theft, etc.

So now we know there are three account names (at least) with default passwords that can be used to administer a Cisco UCM system. How long will it be now before someone sitting there with a brute-force password script will figure out those names and post them to one of the various default password lists out there?

Now, this particular vulnerability announcement does state:

Cisco acknowledges the presence of these hardcoded passwords and is working to have the values set to an administrator definined setting during installation.

This will undoubtedly involve a new release of the software (since it refers to the installation process). That will take some time, obviously, and in the meantime any Cisco Unified Communications Manager installations out there are potentially vulnerable to abuse through these hardcoded usernames and passwords.

I understand that VoIPshield did contact these vendors and at least per the WSJ article gave them at least 30 days notice. I also realize that vendors may not always be able to create quick solutions and also may not assign the same priority to issues (or may in fact dispute/dismiss the issue). Having been on the vendor side, I well understand the dynamics of working with security research firms. I know there can be challenges on both sides. Still, I personally would have been a lot more comfortable with seeing this information out there if they had waited a bit until more than just 3 of the 44 listed vulnerabilities have vendor patches available.

Which brings me to my second concern. The vulnerability notices posted do not include any “mitigating circumstances”. They state the description of the problem and offer the recommendation to use network security best practices and VoIP security products such as those sold by VoIPshield, but they do not provide a sense of how to evaluate the risk involved. For instance, with the hardcoded passwords, I am assuming the attacker needs to be on the internal network, but is that correct to assume? With the DFR Cancel Backup Command Injection vulnerability, does the attacker need to be on the internal network? Or could they be on the public Internet? (if systems traversed the Internet)

Now perhaps VoIPshield is waiting to provide this type of information until there is a fix out there. This is also their first time issuing public vulnerability notices in this form. Perhaps with feedback such as this they will provide that added information. But without that kind of information, it’s not clear to me that I have enough information to understand the potential risk to my systems. (And perhaps we’ll have to have them on a podcast to talk about all of this.)

Regardless of these two concerns, the fact remains that VoIPshield Laboratories has entered the space as a new research entity and has already brought out a wealth of research. Per their news release, this is just the first step and more information will be coming soon. That all is good to hear as having such research groups focusing on the VoIP security space is a definite good thing. We need more research in the field and so it’s great to see VoIPshield entering the space publicly. (They’ve obviously been doing this research privately for their products for some time.)

And, if you are the administrator of a system from Avaya, Cisco or Nortel, I would strongly encourage you to review the vulnerabilities and try to understand which of them may or may not affect your installations.

Technorati Tags:
voip, voip security, security, cisco, avaya, nortel, voipshield

It’s refreshing to see a vendor in the IP phone space respond to reported security problems with their products.  During the GNUcitizen Router Hacking Challenge several issues were reported with the Snom 320.  The vulnerabilities posted were also picked up by Tom Keating’s blog.  Gnucitizen posted a webpage detailing the vulnerabilities as well, and the vendor response has been very good, with the following actions taken by Snom (note: typos left in):

• We will publish an article on “how to make your snom phone saver” on our website (including a link to it on the start page)
• We will send out a newsletter to all our registred VARS and distributers with this information
• We will work on the FW to improve security (just checked, on FW Ver. 7 the Flash applet is disabled by default)
• We will publish a new email adress, for security matters (mostlikly security@snom.com), which goes to a bunch of people.

So, this is a good start, but I do have a few humble suggestions for Snom:

1. Have a dedicated security page, e.g. www.snom.com/security/ that has their product security policy spelled out.
2. Setup PGP for the security@snom.com email alias and post the public key so that communications can be encrypted.
3. Formalize the product vulnerability advisory process, including sending out the advisory to various mailing lists, etc.  Following Cisco PSIRT and Asterisk advisory format is a fine start.
4. Tidy up the English translations for better flow and understanding.

Overall, this is encouraging to see a VoIP phone vendor stepping up and taking ownership of product vulnerabilities - Kudos to Snom!