Hackers’ note sparks VoIP security worries. Could it have a big effect on business VoIP?
Paul D. Kretkowski on September 13, 2007
Sometimes, earthshaking news comes in bland packages.Consider the plain-looking Full-Disclosure mailing list. On August 22, it ran a message with the headline, “Remote eavesdropping with SIP Phone GXV-3000.” The accompanying note is three computer scientists’ dry, technical explanation of how an attacker might switch on a VoIP phone — in this case, one from Grandstream — without the owner’s knowledge, and listen in on the phone’s surroundings.
By itself, this message doesn’t carry the historic weight of "Three shots were fired at President Kennedy's motorcade." But some observers worry that it could have a big effect on business VoIP.
In the wake of the announcement, at least one security expert declared that VoIP is not ready for business use because it is inherently insecure. Paul Simmonds, a board member at the security-focused Jericho Forum and global information security director at materials-science company Imperial Chemical Industries PLC, told CNET News.com that "You can't run VoIP on a corporate network because you can't trust every single device on that network. VoIP as it stands certainly isn't secure. Going forward, everybody should be using inherently secure protocols."
They’re Listening
And indeed, Humberto Abdelnur, Radu State and Olivier Festor’s note doesn’t paint a pretty picture: “An attacker [can] automatically make a remote phone accept the call without ringing and without asking the user to take the phone from the hook, such that the attacker might be able to listen to all conversations that take place in the remote room without being noticed.”
So despite all the money you poured into securing email, HTML and your physical premises, a teenager in Belarus can use the VoIP phone on your desk to overhear the new secret formula for Pepsi.
The Grandstream hackers and Simmonds certainly are not the first to warn about VoIP’s insecurity, including the need for encryption, weaknesses such as the DoS (denial of service) attacks detailed on Full-Disclosure and inadequate hardware.
But there is good news here too, mainly that the Full-Disclosure note is part of a long tradition of white-hat hacking, where programmers attack systems in order to quickly expose their vulnerabilities. This pressures system administrators to improve security before the bad guys can exploit it.
To take another example, white hats have also been busy at VoIPSA (VoIP Security Alliance), which recently published a set of tools that lets you do nifty things like insert background noise or even curse words into someone else’s VoIP conversation. One author of these tools, Mark Collier, regularly screens some of the latest VoIP attack/testing tools at his VoIP Security Blog.
It appears that, in classic white-hat style, the Full-Disclosure hackers quietly alerted Grandstream in May so it could create a fix before any damaging waves of publicity or attacks. Abdelnur, State and Festor look good; Grandstream looks proactive; users get an improved VoIP phone; and corporate security experts elsewhere check their own systems for flaws.
Regardless of the reliability of any single device, VoIP security experts recommend a ground-up approach to securing a business VoIP system: firewalls, encryption, trusted devices and separate vLANs (virtual LANs) for voice and data to allow you to monitor each separately for intrusion or tampering. (For more information, see the VoIP-News Security Resource Center.) You should also keep anti-virus software up-to-date in light of a recently discovered virus that piggybacks on Skype chat messages.
Taking this comprehensive approach from the outset should make a weak link — like an unpatched Grandstream phone — much less likely to turn your desk into an attacker’s listening post.
No comments:
Post a Comment