Slashdot Mirror

← Back to Stories (view on slashdot.org)

Overlooked VoIP Security Issues?

Posted by ryuzaki0 on from the missed-vulnerabilities dept.

penciling_in asks: "Voiponder is running an informative article identifying VoIP attacks, which are applicable to current systems but lack public awareness and are, for the most part, misunderstood. The author's primary purpose is to 'discuss two of the most well known attacks that can be carried out in current VoIP deployments. The first attack demonstrates the ability to hijack a user's VoIP Subscription and subsequent communications. The second attack looks at the ability to eavesdrop in to VoIP communications.' This leaves me begging the question: What other not-so-publicized VoIP security issues should companies be watching out for?"

5 of 42 comments (clear)

  1. Gasp! by Loonacy · · Score: 4, Insightful

    An unencrypted protocol is susceptible to man-in-the-middle attacks? Who'da thunk?

  2. This leaves me begging the question by Holi · · Score: 1, Insightful

    No it doesn't, it leaves you asking the question.

    go ahead mod me down.

    --
    Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
  3. Uhh... by isometrick · · Score: 2, Insightful

    On the first one (registration hijacking) we have 401 unauthorized and WWW-Authenticate (similar to HTTP digest authentication). So unless you know the peer's shared secret with the registrar, you're out of luck. As well as CSeq to prevent message replay.

    On the second one ... really? You can listen to completely unencrypted trivially compressed audio packets if you can sniff them? Duh. So you either rely on nobody being in the middle on a switched network, or you encrypt it.

    Is anyone in the biz really unaware of this?

    1. Re:Uhh... by isometrick · · Score: 1, Insightful

      Sorry to reply to myself.

      Further, if someone is directly in the middle of the link for your SIP conversation, use SIP over TLS and don't trust any unauthorized certs. Just like you would do with any other protocol.

  4. There's an unspoken assumption here. by techno-vampire · · Score: 2, Insightful

    The article assumes that VOIP software is going to be sending/receiving VOIP and nothing else. Imagine a trojan that looks for and infects VOIP software, then uses it to phone home and send any confidential info to the server using the VOIP ports. All your user names, passwords, credit card info. Next, it sends home a list of all files. The server checks for certain obvious possibilities (e.g., customer.db, address.db, etc.) and replies with instructions to have them sent as well. Identity theft, wholesale and automated.

    --
    Good, inexpensive web hosting