VoIP vulnerabilities, for a time, were a
nuisance that threatened to make VoIP and VoIP devices unusable or
plague them with poor call quality, but a recent discovery found
that certain types of VoIP attacks can be used to get into the data
network and steal information.
According to Sipera VIPER Lab, laptops running
VoIP softphones are most susceptible to the attacks, meaning
that a laptop running an enterprise VoIP softphone can be
compromised, and hackers can take control and delete or steal data
off that laptop.
Sachin Joglekar, vulnerability research lead for Sipera VIPER
Lab, said the discovery is "huge," and the implications could be
even bigger. Sipera VIPER Lab sniffs out and publishes VoIP
vulnerabilities and exploits to educate users about potential
security holes.
"VoIP phones and unified communications products in general are
a backdoor for attackers and hackers to get into the network and
steal your data," Joglekar said.
In the past, softphones running on Windows XP machines with
Service Pack 2 were vulnerable to buffer overflow attacks that
would crash the phone. Now, however, a similar type of attack uses
SIP to exploit the buffer overflow. The attack,
encoded into SIP, gets onto the machine and opens a connection from
the exploited machine to the hacker's, allowing him to view, copy,
delete or steal files.
Joglekar said the vulnerability was tested in certain types of
softphones, but "softphones across the board" could be
attacked.
"The vulnerability is nothing specific to a certain softphone or
product in any way," he said.
"The data is reachable from the VoIP side," he added, "and
typical data security tools cannot protect against it."
Brendan Ziolo, director of marketing for Sipera Systems, said
the vulnerability is a new threat on the VoIP landscape, which was
once considered a closed-off portion of the network.
"VoIP networks have been closed," he said. "If you brought it
down, you brought down the phones and that's it."
But the extension of VoIP networks with SIP trunks and the
growing use of Wi-Fi dual-mode phones and other tools increase the
risk because VoIP and data are converged.
To protect against such attacks, Joglekar said, companies need
to ensure that their OS patches are up to date, and they should be
sure to employ strong encryption and authentication on the VoIP
side. One common misconception, he said, is that VoIP devices come
with security built in, which in many cases is true; but this level
of security is typically not turned on in default settings.
In addition, Ziolo said, firewalls and intrusion-protection
systems fall short of protecting against certain VoIP
vulnerabilities because they focus solely on data without wrapping
in enhanced VoIP protection. And since such attacks can run in the
background and go unnoticed for a long time, this can create a
false sense of security.
Joglekar said companies figure that firewalls provide adequate
protection, but considering that laptops now act more like servers
for making and receiving calls, it is not enough to treat VoIP and
unified communications traffic as typical IP traffic.
"Firewalls don't get the real-time aspect of voice and unified
communications," he said, adding that deep packet inspection and
behavioral analysis become imperatives for ensuring the safety of
VoIP traffic.
There are tools out there that offer VoIP-specific encryption,
authentication and other protection, but many companies fail to
realize that similar tools they use on the data side aren't up to
snuff in the VoIP world.
Similar vulnerabilities have been identified in the Wi-Fi
dual-mode arena, as well as on other unified communications tools
like instant messenger.
Eric Winsborrow, Sipera's CMO and the former vice president of
product marketing at McAfee, said VoIP-related vulnerabilities that
can threaten data should serve as a wake-up call that more
protection is needed.
"Enterprises spend billions of dollars on traditional data
security and closely monitor OS vulnerability announcements on the
first Tuesday of the month," Winsborrow said. "Meanwhile, Sipera
VIPER Lab has identified an exhaustive list of VoIP vulnerabilities
that can be exploited to disrupt critical business communications
and, in this case, steal confidential data through a security hole
that data security vendors are fundamentally unable to address. The
regulatory impact of this exploit alone, should it happen in the
wild, would be severe."