
August 2nd, 2007

VoIP security vulnerabilities demonstrated at Black Hat conference

Posted by Russell Shaw @ 2:50 am

Categories: Asterisk, Security

Tags: Black Hat, VoIP, Credit Card, Vulnerability, VoIP Security, Russell Shaw

Several presentations at the Black Hat security conference in Las Vegas yesterday illustrated some of VoIP’s security vulnerabilities.

According to Forbes.com’s Andy Greenberg, who was in attendance, the presentations documented ways “in which cybercriminals can eavesdrop on VoIP calls, steal data from Internet telephony devices, intercept credit card numbers from VoIP connections and shut connections down altogether.”

“VoIP is about convergence. The idea is that you save money and resources and time,” Andy quoted Barrie Dempster, a senior security consultant at Next Generation Security Software as saying. “But convergent systems give you more avenues of attack, more ways in. It’s not a secure environment.”

Because VoIP connects telephone calls via the Internet, it shares the Internet’s weaknesses, Dempster argued, according to Andy. Those include vulnerability to denial of service attacks, which overload servers with thousands of simultaneous requests for data, as well as basic hacking tactics like guessing the password of users who fail to change default settings.

Specifics were provided by Palindrome Technologies CTO Peter Thermos.

He illustrated VoIP security vulnerabilities with Media Gateway Control Protocol, which can allow for rerouting, disrupting and eavesdropping.

Ratcheting security matters up further, Thermos then turned his attention to exploits in a real-time VoIP secure authentication and transfer protocol called ZRTP.

ZRTP encrypts all transmitted sounds, but not the numbers translated from tones. As a result, hackers can pick up credit card information sent from touchtone phones.

And that wasn’t all. Dempster described “buffer overflow” vulnerabilities in open-source VoIP application Asterisk. Krishna Kurapati, CTO of Sipera Systems, simulated private data theft via VoIP communication over a laptop.

As to the big picture, Eric Winsborrow of Sipera Systems is quoted by Greenberg as saying “there’s a perfect storm of more openness and mobility, more mainstream adoption, and new entrants into the industry. The table stakes are getting much bigger.”

Russell Shaw is an enterprise computing journalist, analyst and author based in Portland, Oregon. See his full profile and disclosure of his industry affiliations.
