Author Archives: Mark Collier

About Mark Collier

I am the CTO/VP Engineering at SecureLogix. I am responsible for our product and technology offerings. I am actively researching voice and VoIP security. I have developed quite a few tools, written the book Hacking Exposed: VoIP, and maintain a blog at www.voipsecurityblog.com.

State of Communications Security Report is Live

Here is a link to the SecureLogix State of Communications Security Report. It is currently at the NoJitter site. We will post it to our website and here in a couple of weeks.

http://www.nojitter.com/sponsoredcontent/view/cid/3900003

This is the first time ever that anyone has released a security report that is focused on voice/VoIP/communications. The report describes voice security trends and includes a ton of data from 100’s of assessments, that backs up the trends we present.

More on Telephony Denial of Service (TDoS) Attacks

I assume most everyone has seen the FBI press release on Telephony Denial of Service (TDoS). For those who have not, see:

http://newark.fbi.gov/pressrel/pressrel10/nk051110.htm

I am also seeing the term used to describe enterprise-directed DoS, where an attacker typically floods a contact center with calls. I have recently worked with both enterprises, service providers, and hosted IVR companies that have seen these attacks. The current motive seems to be traffic pumping/revenue generation, not DoS per se, but the side impact is that operation at the target sites is degraded or seriously disrupted, depending on call volume and trunk capacity. Interestingly, the targets I have talked to are primarily using TDM trunks, while the attackers (according to the service providers I have talked to) are using VoIP. I have a post on my blog with more information:

http://voipsecurityblog.typepad.com/marks_voip_security_blog/2010/06/more-on-telephony-dos-tdos.html

Is anyone else seeing these attacks?

Additional VoIP Attack Tools

David Endler and I posted several new tools on our “Hacking Exposed” website, www.hackingvoip.com. We also provided updates and better README files for some of the existing tools. Here is a quick summary of the new tools:

  • rtpinsertsound/rtpmixsound – these tools take the contents of a .wav or tcpdump format file and insert or mix in the sound. These tools require access (sniffing of the VoIP traffic but not necessarily MITM) to the RTP stream, so they can properly craft sequence numbers, timestamps, etc. rtpinsertsound, with the right timing, can be used to add words or phrases to a conversation. rtpmixsound can be used to merge in background audio, like noise, sounds from a “gentlemans club”, curse words, etc., etc. These tools have been tested in a variety of vendor environments and work in pretty much any environment, where encryption isn’t used.
  • redirectpoison – this tool works in a SIP signaling environment, to monitor for an INVITE request and respond with a SIP redirect response, causing the issuing system to direct a new INVITE to another location. This tool requires access to the SIP signaling, but does not require a MITM (Man-in-the-middle attack). We tested this tool with the Asterisk and SER SIP proxies, along with a variety of SIP phones.
  • spitter – this tool works in conjunction with Asterisk, to set up a voice SPAM/SPIT generation platform. Once Asterisk is set up, spitter is used to schedule any number of calls, using your choice of audio files.

The tools come with README files, so they should be pretty easy to use. Please let us know what you think. We are particularly interested in results for the rtpxxxsound tools. A number of us “security experts” have been warning of these attacks, but this is the first set of tools I have seen that actually accomplish them.