Tag Archives: VoIP Security

Is The “VoIP” in “VoIP Security” Still The Right Term?

VoipqShould we still be talking about “VoIP security”? Or should we be using some other language?

Back when we started VOIPSA in 2005, “voice over IP (VoIP)” was the term we all were using, but as we look at what kind of activities come next, we’re starting to wonder if we should be talking about “communications security” a bit differently.

For starters, in the past 8 years we’ve moved far beyond simply “voice” into video over IP, text messaging over IP, data sharing over IP… all within a single communications session. Is that still “VoIP”?

Beyond that, we’ve seen a range of other terms coming into usage, including:

  • unified communications (UC)
  • real-time communications (RTC)
  • cloud communications
  • IP communications

and many more. Plus new technologies are out that have pushed “VoIP” beyond its traditional proprietary protocols and the open standard of the Session Initiation Protocol (SIP). We’ve seen the strong emergence of XMPP (Jabber) and its related “Jingle” protocol. We’ve seen the explosion of interest in the WebRTC / RTCWEB protocols and tools.

Are all of those “VoIP”? Or are they something more?

Should we be talking about…

  • UC security?
  • real-time communications security?
  • IP communications security?

Or perhaps just plain old “communications security”? (or is that too generic?) I’ve seen some people talking about “SIP security”, but now that is specific to a single protocol.

Or is “VoIP security” still an okay term to use?

What do you think? What do you use? What do you hear vendors and others using? How should we be talking about securing all these many ways we have to communicate now over IP networks?

Please do let us know either as comments here or out on social networks. (Thanks!)

Microsoft Researching Skype Password Reset Security Hole

This morning The Next Web reported on an exploit where Skype’s password reset web page could be used to hijack a user’s Skype account using only the password associated with the account. So… if you could guess someone’s email address (which can often be found through a Google search), you could effectively take over their Skype account.

Microsoft/Skype has DISABLED this feature while they investigate further so it appears that for the moment the security risk is limited.

However, it may be wise to watch closely the email account associated with your Skype ID for the next bit to see if any random password reset messages are sent to your account. Odds are that attackers will be sniffing around trying to see if there is any other way to exploit the apparent vulnerability.

The Next Web team reports that they were able to reproduce the attack on two Skype accounts of willing victims, confirming that the vulnerability was indeed real. They also reported the issue to Skype and worked with folks there.

The vulnerability is interesting in that it shows the complexity of modern communication applications. Skype is for the most part a desktop/mobile application, but yet it does rely on a centralized cloud-based service for authentication/passwords, etc. A vulnerability in the web interface for that central service then weakens the security of the overall system.

The “good” news for Microsoft/Skype is that because this appears to be a vulnerability in the web interface of the centralized system, this is probably something relatively easy for them to fix – and without requiring any client updates.

Kudos to Microsoft/Skype for reacting quickly to minimize the risk and we look forward to the issue being addressed.


UPDATE #1: Skype has issued a brief statement on their “heartbeat” web site with the same text that has been quoted in several articles.

UPDATE #2: The Verge has an article out now where many people in the comments are suggesting you change the email address associated with your Skype account to something less likely to be guessed. While Microsoft seems to have removed the immediate attack vector and this change is no longer critical to do, it may be something some of you may want to consider.

UPDATE #3: There’s a long Hacker News thread on this issue that also includes a link to an article walking through the exploit step-by-step as well as walking through links to protect your account. Note that because of the steps Microsoft has taken the exploit steps no longer work.


Asterisk Remote Crash Vulnerability in SIP Channel Driver

Asterisk

The folks over at the Digium security team today released security bulletin AST-2011-012 for a remote crash vulnerability in the SIP channel drive. For info about the attack, they state only:

A remote authenticated user can cause a crash with a malformed request due to an uninitialized variable.

An assumption from this statement would be that an UNauthenticated user could not carry out this attack… but I admit to not personally knowing the SIP channel driver of Asterisk enough to be able to stand behind this conclusion.

Regardless, updates have been released in the form of new versions 1.8.7.1 and 10.0.0-rc1.

Avaya Acquires UC Security Firm and SBC Vendor Sipera Systems

Fascinating news today that Avaya has acquired Sipera Systems for an undisclosed sum. We’ve covered Sipera here on this blog any number of times over the past years as they have been one of the few firms very specifically focused on “VoIP security”, or, to be more appropriately buzzword-compliant in 2011, “Unified Communications security.” In fact, the first video podcast I did for the Blue Box Podcast (when I was doing that) way back in August 2007 was with Sipera.

Over the years Sipera has hired some truly excellent people in the field, released some useful tools, originated great research and done a great bit in general to help keep the dialog going on publicly about VoIP/UC security.

The Avaya purchase is fascinating because, as Eric Krapf noted in a NoJitter post this morning, Avaya has been OEMing a Session Border Controller (SBC) solution from market leader Acme Packet for quite some time. As Eric notes:

The deal therefore could represent a shift in the enterprise SBC market, at a moment when E-SBCs are emerging as a key component of enterprise real-time communications deployments, especially in SIP trunking deployments. Acme Packet has been far and away the market share leader in SBCs, with over 50%, and its SBC works with all the leading enterprise communications platforms.

However, enterprise vendors including Cisco and Siemens (and now, it seems, Avaya) have released their own SBCs, and in the case of Siemens, the SBC only talks to Siemens platforms on the enterprise side of the device. It remains to be seen whether the Sipera SBC will work only with Avaya Aura–but it seems unlikely that anyone other than an Avaya customer would buy an Avaya SBC.

Now, the news release of course plays up how Sipera’s solutions work with both Avaya and non-Avaya systems but to Eric’s point there may in the future be little incentive for non-Avaya customers to purchase a solution, given that there are other “independent” players out there in the SBC market like Acme Packet, Ingate Systems, Sonus Networks and others.

Regardless of how it all shakes out, it is an interesting move and one that bears watching.

Congrats to our friends at Sipera and Avaya on the acquisition, and we look forward to seeing how it evolves.

Voipscanner.com – a hosted service for scanning IP-PBXs

VoipscannerThis week at the SIPNOC event near DC, an attendee asked if I knew of any hosted services that would scan the external interface of a network to see if the VoIP services were secure. He sells SIP connectivity to small businesses, many of whom typically have purchased an IP-PBX from somewhere like a retail store and have minimal IT expertise. He wondered if there was a service he could refer these small businesses to so that they could check the security of their system. Basically something for VoIP along the lines of hosted services like “Shields Up” that will check the security of your firewall.

I didn’t know of such a service, but posted the question to the VOIPSEC mailing list. A couple of people contacted me privately about some services in the works, but then someone did pass along a link to a public service available now:

https://voipscanner.com/voipscanner/

Now, I’ve not used this service but I’m certainly aware of Sandro Gauci and a number of the different tools he has been working on, including SIPVicious and VOIPPACK. After watching his short video and seeing the sample report, this definitely looks like an interesting service.

Of course, with any hosted service my security paranoia is heightened and I want to know what will be done with my data. Will the scan of my IP-PBX be recorded on the Voipscanner.com servers? Will a copy of my report be saved there? Basically… can I trust the site? In looking through the terms of service after you click the graphic to “apply” for access I didn’t see any wording around this… but it’s also Friday and I’m tired… I could have missed it.

Anyway, this service is out there and for those of you comfortable with using such a service it may be useful for you. If you know of other similar services I’d also love to hear about them.

Speaking at SIPNOC on SIP Security – What Would You Like Me to Say To Service Providers?

Sipnoc2011 1Tomorrow I will be in Herndon, Virginia, outside of Washington, DC, at “SIPNOC: The SIP Network Operators Conference“. I will be speaking in two sessions (details here), one of which is a panel about “SIP Adoption and Network Security” and will include two other panelists from Acme Packet and Sipera Systems.

The panel discussion is planned to be about what are the primary security issues related to wider deployment of SIP at the network operator / service provider level, and what can we do about them. The discussion will be in a room full of people from various large operators / service providers.

I have my list of topics I intend to raise, but I’m curious about what you all might say… if you were to stand up in front of a room of network operators to talk about how they could improve the security of their SIP networks… or what the major issues are that you see… what would you say?

If you have thoughts, please do leave them as comments here. As I am on the panel representing VOIPSA, I’m certainly glad to incorporate comments from the wider community.

P.S. If you are at SIPNOC this week, please do say hello!

State of Communications Security Report is Live

Here is a link to the SecureLogix State of Communications Security Report. It is currently at the NoJitter site. We will post it to our website and here in a couple of weeks.

http://www.nojitter.com/sponsoredcontent/view/cid/3900003

This is the first time ever that anyone has released a security report that is focused on voice/VoIP/communications. The report describes voice security trends and includes a ton of data from 100’s of assessments, that backs up the trends we present.

Webinar Tomorrow: Securing Next Generation IP Communications Systems

International Legal Technology AssociationTomorrow (Friday, December 17, 2010) I will be participating in a webinar entitled “Deployment of Next Generation IP Security” for the International Legal Technology Association, an industry organization looking to “maximize the value of technology in support of the legal profession“. It should be fun and I’m expecting that the questions I’ll receive may indeed be a bit different from doing a webinar to security professionals or enterprise IT staff.

The abstract is as follows:

Deployment of next generation IP-PBXs and Session Initiation Protocol (SIP) are the new standard. AT&T has gone on record stating POTS is dead. So are these new technologies safe? How can you insure a safe and secure environment? Recently in one such sophisticated attack the attacker hacked into the SIP provider and bounced off the IP-PBX which re-directed the calls to a Michigan number which then re-directed the calls to International Countries of known terrorist activity thus racking up over $12,000 in toll-fraud charges. Could this happen to you? This Webinar will look into the following:

  • How to properly choose a SIP provider
  • Voice encryption with emphasis on soft phone deployment on laptops, wireless and Wi-Fi devices.
  • User Authentication via third party certification (Today anyone can download an app or purchase a calling-card which allows them to display any Caller ID Number)
  • Remote User and Voice RTP Stream protection (This is a known VOIP Vulnerability)

Securing your IP-PBX can be simple once you understand the issues. It is then up to you as to what level of protection you which to deploy.

If you are interested in offering a similar webinar to your organization, be it a company, nonprofit or industry group, please feel free to drop me a note, as I’m always open to participating in such sessions (and have done so many times in the past).

And if you are a ILTA member, I look forward to answering your questions tomorrow!


If you found this post interesting or helpful, please consider either subscribing via RSS or following VOIPSA on Twitter.


VoIP Honeypot GeoIP data

Hey, Jason Ostrom here.  In the spirit of some of the valuable information being shared on the rising trend of SIP scanning activity and toll fraud, I’ve created a Perl script that does GeoIP lookups of potential attackers, sorting them based on scanning activity and country origination.  The script is free to anyone, and currently only works with Asterisk logging for an Asterisk based VoIP Honeypot.  Feel free to re-use this script as you see fit.  The idea behind it is to quickly view hit counts and percentages of failure activity based on country codes using geolocation technology.  You can roll this script into your cron and see the number of hits and where they are coming from on a daily basis.  Details on how to install and use the script are here, and the script itself can be downloaded from the UCSniff downloads section.

Note that you can run the script in debug mode to lookup IP addresses based on city origination.  Hope this script helps you and let us know how it goes.

 

Revisiting Shodan Computer Search Engine: Oh Noes, the places you’ll go!

I’m sorry to say so
But, sadly it’s true
That bang-ups and hang-ups
Can happen to you

— Dr. Seuss, "Oh, the places you’ll go!" (1990)

Back in January 2010, I wrote a short blog post about Shodan and VoIP devices and mentioned that it’s a site well worth revisiting.  Well, that time has come, and there’s plenty more to talk about when it comes to Shodan.

What is Shodan?

It is a publicly available, searchable database of pre-scanned networked devices.  The scanning includes banner results from common services like telnet and http, and is akin to fingerprinting.  One way to look at it is like Rainbow Tables for networked devices.

What’s the risk?

When a new vulnerability is discovered, Shodan makes it easy for attackers to search for vulnerable devices without actively scanning.  For example, say a vulnerability is published about Apache Mod_Security — an attacker can easily search Shodan for vulnerable version and then launch an attack to pwn the box.

Attackers can also use Shodan search filters and really narrow down search results, by country code or CIDR netblock for example.  You do have to register for more specific search functionality if you’re interested in say, the 24 Cisco boxes in Iran with no authentication.

Pssst….wanna Pwn 7000 Cisco routers/switches?

Yes you can.  And only because some network admin didn’t know how to configure HTTP authentication.  It’s easy peasy with Shodan’s most popular search.  Click on the resulting IP addresses from that search and you’ll get the HTTP interface of a Cisco router/switch with no authentication.  Add "/level/15/exec/-/sh/run/CR" to the IP address and you’ll get the "show running configuration" output of the device.  Understand what’s going on here.  An attacker can easily add an admin-level account, change the configuration, crack the listed Cisco passwords in the configuration to target other devices on that network, etc. 

Why should I care?

Shodan creates risk by making poor configurations and other adminstrator mistakes much more visible to potential attackers.  It also creates risk by providing a pre-scanned inventory of potential targets.  I’ve seen some amazingly frightning devices discovered through Shodan that are wide open and have no authentication — for a few examples:

  • An Eastern European country’s SCADA water treatment network
  • A switch controlling the Neurosurgery VLANs of a hospital
  • Physical security door access controller systems
  • Routers with VoIP configurations
  • and plenty more….

These are just a few examples of the micro-risks.  I think from a macro-risk perspective, specifically concerning the Cisco routers with no authentication, is the very possible and easy mass takeover of routers and potential for BGP attacks.  Not possible?  Well, think back to early 2008 when Pakistan modified BGP routes to block YouTube and because of a misconfiguration, large swaths of the Internet outside of Pakistan could not access the site. This was the result of a error from a few routers broadcasting bad BGP routes — now imagine if an attacker does this with a few thousand routers distributed globally?  I think it’s really only a matter of time…

What should I do?

There are tangible steps you can take.  First and foremost if to register fora free Shodan account and search for devices on your organization’s CIDR netblock.  If you are working with buisness partners that are connected to you, check their CIDR netblocks in Shodan as well.  Make a stink and inform the right network and security people of the risks of Shodan exposure.

Or

You can do nothing, and let Shodan determine your fate.  Your choice.