[VOIPSEC] Jericho Forum voices concerns over VoIP security
Raul Siles
raul.siles at gmail.com
Wed Sep 5 10:26:42 CDT 2007
Hi Brian,
I knew about the Jericho Forum when I wrote a "Deperimetrization"
article [1], a term coined by them. However, I think there is a bit of
hype in the ZDNET article. This is just another vulnerability of a
VoIP device discovered through fuzzing techniques. Fuzzing is
extensively used nowadays, not only in VoIP security, but to test the
security of wireless drivers, web applications, etc.
In my opinion, VoIP can be more secure than the legacy telephony
networks, if implemented and deployed properly. On the one hand, we
have security capabilities in VoIP not available in the PSTN for
end-users, like strong authentication and encryption, just to mention
a couple of examples to mitigate caller ID spoofing and eavesdropping
attacks. On the other hand, the endpoints, that is, the VoIP phones,
are more like computers versus the dumb and simple analog devices used
in the PSTN. In this regard, we need to protect them as we do with
workstations and laptops: hardening, patching, etc. The discovery of
all these vulnerabilities should improve the QA of current and new
VoIP products.
VoIP is much more similar to the modern cell infrastructures, with
more network intelligence and smart and complex devices: PDAs, smart
phones, etc. We do not consider them insecure, although multiple
vulnerabilities are found monthly, especially when endpoints support
Bluetooth, WiFi, Java virtual machines, etc.
For this specific example, the vulnerability allows turning the end
device into a remote microphone. Although it seems scarier than other
remote DoS vulnerabilities also discovered through fuzzing, as
security professionals our main concern should be that if VoIP
endpoints have vulnerabilities, in the worst case scenario an attacker
is going to be able to fully control the device and remotely execute
code. This is the same situation we suffer nowadays with all the
threats against computers, which we live with and fight against.
Obviously, complexity and security are not good friends, but this
doesn't mean VoIP is not secure enough for deploying into enterprise
networks. It must be deployed wisely, as any IT environment should be.
Cheers,
--
Raul Siles
GSE
www.raulsiles.com
[1] "Deperimeterization - what, why, how?". BCS-ISSG.
http://www.bcs.org/upload/pdf/isNOW_autumn2006.pdf
On 9/3/07, Brian Honan <brian.honan at bhconsulting.ie> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi all
>
> Interesting article in ZDNET
>
> Jericho Forum voices concerns over VoIP security
> http://news.zdnet.co.uk/security/0,1000000189,39288928,00.htm
>
> Interesting comments from the Jericho Forum regarding the security of
> VOIP after the disclosure during the week of how to turn a VOIP phone
> into a room bugging device. For those of you not familiar with the
> Jericho forum, "The Jericho Forum is an international IT security
> thought-leadership group dedicated to defining ways to deliver
> effective IT security solutions that will match the increasing
> business demands for secure IT operations in our open,
> Internet-driven, globally networked world"
> http://www.opengroup.org/jericho/.
>
> According to the article the Jericho Forum do not see VOIP as being
> secure enough for deploying into enterprise networks.
>
> I would be interested in the thoughts of those on this list on this
> topic.
>
> Regards
>
> Brian
>
> Brian Honan
> BH Consulting
> Helping You Piece IT Together
> T: +353-1-4404065
> M: +353-868114066
> E: brian.honan at bhconsulting.ie
> W: http://www.bhconsulting.ie
> B: http://www.bhconsulting.ie/blog
>
> Supporting Global Security Week http://www.globalsecurityweek.com
>
> This message is for the named person's use only. If you received this
> message in error, please immediately delete it and all copies and
> notify the sender. You must not, directly or indirectly, use,
> disclose, distribute, print, or copy any part of this message if you
> are not the intended recipient. Any views expressed in this message
> are those of the individual sender and not of BH Consulting.
> BH Consulting is a registered trade name for BH IT Consulting
> Limited, Company Registration Number: 393479 with registered offices
> at 49 Luttrelstown Drive, Castleknock, Dublin 15.
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.1
>
> iQA/AwUBRtvJ4Iu28IDxtc99EQL6QQCgnArlD2T6PeY5L1B0M75OXIVF3fkAniMh
> 5NDARH8FYh1ay9z9YK4Hp8fp
> =WomV
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
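Raul's point that VoIP offers end-users "strong authentication" the PSTN lacks, and that it mitigates caller ID spoofing, deserves a concrete illustration. The following is an added example, not code from either message on this thread or from any VoIP product: a minimal SIP registrar check that verifies Digest credentials (RFC 3261 section 22, which reuses the RFC 2617 MD5 scheme) and then derives the caller's identity from the authenticated username rather than from the freely settable From header. The user database, realm, nonce, and SIP messages are constructed sample data; nonce issuance, expiry and the qop=auth variant are simplified, and a production registrar would also have to challenge with 401 before any of this runs.

```python
"""SIP Digest authentication as a registrar sees it (added example).

Shows why strong authentication in SIP matters for caller ID: the Digest
response binds the password to the method and Request-URI, not to the From
header, so a verified identity must come from the authenticated username.
All credentials, nonces and messages below are constructed sample data.
"""
import hashlib
import hmac
import re

REALM = "example.com"                                   # constructed realm
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"           # constructed server nonce
USERS = {"alice": "correct-horse", "bob": "battery-staple"}  # constructed password DB


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 'response' value; only the MD5 algorithm SIP phones use."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    if qop == "auth":
        return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def parse_sip(raw: str):
    """Split a SIP request into (method, request-uri, lowercase header dict)."""
    lines = raw.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:                      # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def parse_digest(value: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' into a dict (quoted or bare values)."""
    if not value.lower().startswith("digest "):
        raise ValueError("not a Digest credential")
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', value[7:]):
        params[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def authenticate(raw, users=USERS, realm=REALM, valid_nonces=frozenset({NONCE})):
    """Return the authenticated username, or None if credentials do not verify."""
    method, req_uri, headers = parse_sip(raw)
    auth = headers.get("authorization")
    if auth is None:
        return None
    p = parse_digest(auth)
    username = p.get("username")
    if (p.get("realm") != realm or p.get("nonce") not in valid_nonces
            or username not in users or p.get("uri") != req_uri):
        return None
    expected = digest_response(username, realm, users[username], method, req_uri,
                               p["nonce"], p.get("qop"), p.get("nc"), p.get("cnonce"))
    # constant-time compare so a registrar does not leak partial matches
    return username if hmac.compare_digest(expected, p.get("response", "")) else None


def from_user(raw) -> str:
    """User part of the From URI: what a naive system would show as caller ID."""
    _, _, headers = parse_sip(raw)
    return re.search(r"sip:([^@>;]+)@", headers["from"]).group(1)


def verify_identity(raw):
    """(authenticated user, claimed From user, whether they agree)."""
    who = authenticate(raw)
    claimed = from_user(raw)
    return who, claimed, who is not None and who == claimed


def build_register(from_user_name, cred_user=None, password=None, nonce=NONCE,
                   realm=REALM, domain="example.com"):
    """Construct a sample REGISTER; credentials omitted when password is None."""
    method, uri = "REGISTER", f"sip:{domain}"
    msg = (f"{method} {uri} SIP/2.0\r\n"
           f"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
           f'From: "{from_user_name}" <sip:{from_user_name}@{domain}>;tag=1928301774\r\n'
           f"To: <sip:{from_user_name}@{domain}>\r\n"
           f"Call-ID: a84b4c76e66710@192.0.2.10\r\nCSeq: 2 {method}\r\n"
           f"Contact: <sip:{from_user_name}@192.0.2.10>\r\n")
    if password is not None:
        resp = digest_response(cred_user, realm, password, method, uri, nonce)
        msg += (f'Authorization: Digest username="{cred_user}", realm="{realm}", '
                f'nonce="{nonce}", uri="{uri}", response="{resp}"\r\n')
    return msg + "Content-Length: 0\r\n\r\n"


if __name__ == "__main__":
    print(verify_identity(build_register("alice", "alice", "correct-horse")))
    print(verify_identity(build_register("alice", "bob", "battery-staple")))  # spoofed From
    print(verify_identity(build_register("alice", "alice", "wrong")))
```

The second case is the one that matters for caller ID: Bob's credentials verify, but the From header claims to be Alice, and nothing in the digest covers From. A registrar or proxy that trusts From for display or routing would be spoofed even with authentication switched on; one that keys identity to the authenticated username (and only then populates something like P-Asserted-Identity downstream) is not. Eavesdropping, the other attack Raul mentions, is addressed separately by SRTP/TLS and is not shown here.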