Security threats to voice over IP (VoIP) are
one of the major factors that deter numerous IT departments from
implementing a
VoIP system. But in the fight against denial of service (DoS)
attacks, buffer overflow attacks, and hackers there are companies
that are prepared to find those hidden
vulnerabilities.
For one such company, the fight has been going on for nearly
three and a half years. In a recent announcement, Sipera VIPER Lab
disclosed seven new threat advisories for
SIP-based softphones and Web-based instant messaging services,
specifically those from AOL, Avaya, MSN and Nortel. An additional
four advisories were released for Avaya's SIP-based hard
phones.
In 2003, Sipera Systems was created, along with affiliated
research firm Sipera VIPER Lab, to find and document the
vulnerabilities that threaten the successful use of VoIP at the
enterprise level. By focusing its efforts strictly on voice over IP
and IP-based communications, Sipera says it is better prepared to
inform both manufacturers and users of VoIP phones and softphones
of vulnerabilities that could interfere with their use of the
equipment and applications.
"VIPER Lab looks only at VoIP and unified communications," said
Brendan Ziolo, marketing director. "By proactively seeking out
vulnerabilities, we are protecting VoIP systems against attacks
before they can even happen."
The alerts raised by VIPER Lab state that these VoIP softphones
could be vulnerable to such issues as resource exhaustion, buffer
overflow, DoS attacks, and SIP parsing errors. In issuing these
alerts, VIPER Lab contacts the manufacturers first, informing them
of potential vulnerabilities in their hardware and software.
Once the manufacturers have had time to be alerted to the
vulnerabilities, customers of Sipera are informed of any issues
that could give rise to potential problems in their systems that
included these products.
In the latest alerts, VIPER found a number of vulnerabilities
that were specific to softphones.
"Softphones provide great flexibility for communications but are
very vulnerable to attacks. These not only pose threats to the VoIP
system but also to the computing and network environments," said
Krishna Kurapati, Sipera founder/CTO and head of Sipera VIPER Lab.
"Left unaddressed, these vulnerabilities can disrupt critical
business and personal voice communications, negating the many
advantages to VoIP. Sipera works with its customers and vendors to
address these threats before they become a major issue."
The advisories for hard phones were specifically for Avaya's
4602SW SIP phones, which have been found to be vulnerable to server
impersonation, accepting SIP requests from random source IP
addresses, open UDP port flooding, and RTP port flooding. These
vulnerabilities can expose the phones to call hijacking, malicious
messaging, denial of service, and voice quality degradation.
VIPER said that it also included in its alerts to vendors and
their research reports best practices that could help alleviate the
severity of the discovered vulnerabilities. VIPER feels that by
alerting vendors, manufacturers and users to these vulnerabilities,
existing VoIP systems can be better protected from hackers than if
vendors or manufacturers alone were made aware of the
vulnerabilities.
"It's important to understand that VoIP is now an application on
the Internet and has its own security needs," Ziolo stressed when
asked why these alerts are so important. "Enterprises should also
realise that it is challenging and requires lots of time and work
to have a secure VoIP network -- but it's not impossible."
"VoIP threats aren't stopping companies from implementing VoIP,"
Ziolo said, "but they are keeping companies from fully realising
the advantages of voice over IP."