Monthly Archives: March 2007

Question for readers – what do you think of the new order of the sidebar?

Question for folks reading this weblog: what do you think of the way I just re-ordered the sidebar of this blog? The “Recent Posts” section was up at the top before and while that was useful, I thought it might be more helpful to have the list of categories and contributors up near the top on the first screen of information people see. What do you think? Did you use the “Recent Posts” to quickly see what was here? Or did you just scan down the page? (or read this site in an RSS reader?) Any comments or opinions would be appreciated. I can re-order it in whatever fashion we wish.

Blue Box #54 – new VoIP security tools list, teleworker FUD, Phil Zimmermann, ETel feedback, SPIT, IETF

Blue Box Podcast #54 was posted about a week ago but with travel I didn’t cross-post it here… in this show, Jonathan and I talked a good bit about the new VoIP security tools list released by VOIPSA, the IETF meeting in Prague, Phil Zimmermann and ZRTP, SPIT, the ETel conference and also talked a good bit about some articles circulating around about “how VoIP shouldn’t be used for teleworkers because of security”. Detailed show notes and links are available over on the Blue Box website.

SRTP key exchange – minutes of the IETF RTPSEC meeting now posted

As noted earlier, there was an “RTPSEC BOF” session at the IETF 68 meeting last week in Prague. Minutes of the RTPSEC meeting have now been posted, which give a sense of how the discussion went. I’ll provide my own commentary in a separate post (and probably this week’s Blue Box podcast)… for now, I’ll point you to the minutes.

Please note, too, that we welcome guest bloggers here, so if someone who was there is interested in providing their own view on the meeting, drop me a note. We’re always glad to provide a forum for folks to post about VoIP security.

VOIPSA Releases its VoIP Security Tools List

I’m pleased to announce the public release of VOIPSA’s VoIP Security Tool List. The list was developed to address the current void of VoIP security testing resources and sites, for vendors and VoIP users alike. The list is separated into the following seven broad categories:

  • VoIP Sniffing Tools
  • VoIP Scanning and Enumeration Tools
  • VoIP Packet Creation and Flooding Tools
  • VoIP Fuzzing Tools
  • VoIP Signaling Manipulation Tools
  • VoIP Media Manipulation Tools
  • Miscellaneous Tools

Special thanks to VOIPSA members Shawn Merdinger and Dustin Trammell who created the list and have graciously agreed to maintain it. For more information about the tools list, you can listen to Dan York and Jonathan Zar discuss it in Blue Box Podcast #54 and also with Shawn Merdinger in Blue Box Special Edition #16 available at

Next week – perhaps the most important IETF meeting about VoIP security in a long time – how will we do SRTP key exchange?

Next week in Prague, at the 68th IETF meeting, there will be a great many meetings of importance to people concerned about VoIP security, but perhaps none more important than the RTPSEC BOF about SRTP key exchange on Monday, March 19th. As readers and listeners know, one of the key missing standards right now is how vendors can exchange encryption keys for SRTP.

It sounds (and is) geeky, but here’s the impact to the market. Right now, if you buy an IP-PBX system and IP phones from Vendor A, but you want to also buy some SIP phones from Vendor B, there is currently no agreed-upon way for Vendor A and Vendor B’s phones to send secure voice from one phone to the other. Within Vendor A’s IP-PBX and phones, SRTP can be used – and if you were to buy a full system from Vendor B, SRTP could be used entirely there… but there is no agreed-upon way to let Vendor B’s phones work with Vendor A’s phones for SRTP.

Back at IETF 66 in July 2006 there were 11 or 13 proposals (which we covered in Blue Box Podcast #22) but the field’s been narrowed now to basically three: DTLS, ZRTP (Phil Zimmermann’s proposal) and a new version of MIKEY. Dan Wing is leading another face-to-face session next week in Prague where the intent is to try to narrow this even further and see if we can’t all agree on a common standard for how to do SRTP key exchange.

IF YOU HAVE COMMENTS OR OPINIONS, NOW is the time to make them! If you can’t get to Prague, you can still join the RTPSEC mailing list or read the Internet Drafts and send comments in to the authors. Please read the drafts and do provide comments… if we are to see secure voice interoperability between SIP phones, this meeting and the discussion therein is extremely important. Please make your opinion heard.

Blue Box podcast #53 – Skype security, OpenID vs OSP, Cisco IP phone advisories, EU privacy legislation… and smokers a threat to VoIP security?

Blue Box podcast #53 is now available covering a range of topics, including a listener’s suggestion for the Skype multiple login issue, Cisco’s IP phone security advisories, network neutrality, EU privacy legislation and, yes, we covered that wacky story about smokers being a threat to VoIP because we just had to… plus the usual listener comments, VOIPSEC review and other VoIP security news. Detailed show notes, links and more over at the Blue Box site.

ETel VoIP security session – “The Story of SysAdmin Steve” – now available as a podcast

At O’Reilly’s 2007 Emerging Telephony conference last week in San Francisco, I had the opportunity to give a 15-minute presentation to all attendees about VoIP security. Rather than doing the traditional slideware outlining the threats, tools, best practices, etc., I tried to do something very different and simply tell a story of what could happen if a VoIP system were installed in an insecure manner – and how to go about securing that system. I tried to make it interesting and humorous (something not often tied to VoIP security) and the feedback at the show was quite positive. The audio and slides are now available over at Blue Box and I’d definitely be interested in any feedback you all have about the presentation, either in content or style.

Phone “Phreakers” Steal Minutes

The March 19th edition of Newsweek has an article about cyber thieves stealing VoIP minutes by hacking into VoIP providers’ gateways. It’s the first time I’ve actually seen real numbers applied to VoIP theft:

‘These thieves steal 200 million minutes a month, worth $26 million, says New York telecom Stealth Communications. With more than 5,000 wholesale-minutes markets worldwide, located mainly on Internet forums, fraud is hard to track. Emmanuel Gadaix, head of TSTF, a Hong Kong firm that investigates VoIP thefts, says it’s “very easy to set up a temporary link” through a hacked gateway. His company was recently hired by a Panamanian telecom that lost $110,000 to phreakers. TSTF followed tracks, in vain, that snaked through Bulgaria, Canada, Costa Rica, Hong Kong and the United States. Phreaker trails are “way too complicated” to track successfully, says Gadaix.’

This brings up memories of the Edwin Pena case, in which he was able to rake in over $1 million USD in profits from stealing and reselling VoIP minutes from several providers.

Does anyone know for sure how these VoIP provider gateways are being broken into? Default passwords? Well known vulnerabilities in the operating system? Stolen access codes?

New VoIP Phishing Scheme

Brian Krebs from the Washington Post reports on a new VoIP Phishing (Vishing) scheme targeting Bank of America customers. The scam appears as an official-looking Bank of America email and tries to convince the victim to dial a toll-free number to sort out some account problems. Once the victim dials that number, they’re prompted to enter their account number and secret PIN. The evildoers are then able to easily access the bogus system and reconstruct all of the numbers you entered. Much like how traditional email phishing attacks flourished in the last couple of years, I absolutely believe that VoIP Phishing scams will skyrocket this year.

For some background, there was a compelling presentation at last year’s BlackHat security conference by Jay Schulman, entitled Phishing with Asterisk (PDF). In his presentation, Jay showed how easy it was for attackers to use Asterisk PBX to set up a spoofed banking automated attendant and route all calls to a toll free number through to that PBX. Additionally, Mark Collier and I devoted an entire chapter to VoIP Phishing in our book, Hacking Exposed: VoIP.

I’ve included a snapshot below of one of the first VoIP Phishing emails targeting PayPal that emerged last year that we showcased in our book.

Lenovo and Avaya partner to link ThinkPad fingerprint reader to softphone access

Interesting announcement out of Lenovo and Avaya down at VoiceCon this week – the two companies will collaborate to enable Avaya’s softphone to make use of certain aspects of Lenovo’s ThinkPad line. Specifically:

As part of the alliance, the integrated fingerprint reader in Lenovo’s ThinkPads and Password Manager technologies will support Avaya’s IP Softphone solution. This will bar unauthorized people from using a Softphone or accessing their phonebook if the laptop is lost.

We’ve written and talked in the past about the use of biometric devices to control access, but unless I’m wrong this is one of the first times I’ve heard it mentioned specifically with a VoIP product from one of the major VoIP vendors. Cool to see.