From: InfoSec News (alertsinfosecnews.org)
Date: Thu Aug 30 2007 - 01:19:11 CDT
By Tom Espiner
29 Aug 2007

A leading member of the Jericho Forum has criticised the security of
voice-over-IP technology after security researchers revealed that it was
possible to eavesdrop on VoIP conversations.

An eavesdropping vulnerability was revealed on the popular Full
Disclosure mailing list on Wednesday. Vulnerability researchers Humberto
Abdelnur, Radu State and Olivier Festor claimed the exploit could allow
a remote attacker to turn a VoIP phone into an eavesdropping device,
citing a Grandstream SIP phone as an example.

The Jericho Forum is an international group of leading corporate
security professionals, academics and vendors, and promotes the
development of secure software architectures, among other IT security

Paul Simmonds, a member of Jericho Forum's board of management, said
that VoIP is not yet ready for use in businesses. "We don't consider
VoIP to be enterprise-ready," Simmonds told ZDNet.co.uk. "You can't run
VoIP on a corporate network because you can't trust every single device
on that network. VoIP as it stands certainly isn't secure. Going
forward, everybody should be using inherently secure protocols."

Simmonds said it was not part of Jericho Forum's mission to promote any
particular protocol as being more secure. Instead he insisted that best
practices for secure software development should be adhered to. "From a
Jericho standpoint, it's not for us to say you must use these protocols
or these protocols. You simply shouldn't be sending data over a network
insecurely, relying on network security — because it isn't secure," he

Simmonds recommended that all data packets in a business network,
including VoIP packets, be encrypted.

The researchers who found the Grandstream flaw claim that some SIP stack
engines have "serious bugs" which allow an attacker to automatically
make a remote phone accept a call without it ringing or without the
handset being taken off the hook. "The attacker might be able to listen
to all conversations that take place in the remote room, without being
noticed," wrote the researchers on the Full Disclosure mailing list.

The vulnerability in Grandstream's SIP phone could allow an attacker to
send a sequence of two messages, both syntactically correct, which
together force the device into an inconsistent state. Once the device is
in this state, RTP packets, which are used by most VoIP endpoints, are
sent to the attacker. After the messages are sent, the device is not
able to hang up, offering attackers the possibility of executing a
remote denial-of-service attack, according to the researchers.

Grandstream is aware of the vulnerability in its software, and it will
release firmware in late September to address the issue, according to
Marianne Rocco, the company's director of marketing. Rocco said that
customers who are concerned about the vulnerability should contact
Grandstream's support department for a copy of the beta firmware
version, which has been tested against the vulnerability. Rocco said
there are still ways to detect the vulnerability if the customer does
not download the beta firmware. She argued that the phone will ring when
the attack starts, and that the call information window will indicate
that a call is going on. Grandstream customers are at risk of attack if
they don't follow these steps, Rocco said.