VoIP security vulnerabilities tackled by researchers

VoIP vulnerabilities can present a serious security threat, but one company makes its living by doing research and alerting manufacturers, vendors and users to potential problems.

Security threats to voice over IP (VoIP) are one of the major factors that deter numerous IT departments from implementing a VoIP system. But in the fight against denial of service (DoS) attacks, buffer overflow attacks, and hackers there are companies that are prepared to find those hidden vulnerabilities.

For one such company, the fight has been going on for nearly three and a half years. In a recent announcement, Sipera VIPER Lab disclosed seven new threat advisories for SIP-based softphones and Web-based instant messaging services, specifically those from AOL, Avaya, MSN and Nortel. An additional four advisories were released for Avaya's SIP-based hard phones.

In 2003, Sipera Systems was created, along with affiliated research firm Sipera VIPER Lab, to find and document the vulnerabilities that threaten the successful use of VoIP at the enterprise level. By focusing its efforts strictly on voice over IP and IP-based communications, Sipera says it is better prepared to inform both manufacturers and users of VoIP phones and softphones of vulnerabilities that could interfere with their use of the equipment and applications.

"VIPER Lab looks only at VoIP and unified communications," said Brendan Ziolo, marketing director. "By proactively seeking out vulnerabilities, we are protecting VoIP systems against attacks before they can even happen."

The alerts raised by VIPER Lab state that these VoIP softphones could be vulnerable to such issues as resource exhaustion, buffer overflow, DoS attacks, and SIP parsing errors. In issuing these alerts, VIPER Lab contacts the manufacturers first, informing them of potential vulnerabilities in their hardware and software.

Once the manufacturers have had time to be alerted to the vulnerabilities, customers of Sipera are informed of any issues that could give rise to potential problems in their systems that included these products.

In the latest alerts, VIPER found a number of vulnerabilities that were specific to softphones.

"Softphones provide great flexibility for communications but are very vulnerable to attacks. These not only pose threats to the VoIP system but also to the computing and network environments," said Krishna Kurapati, Sipera founder/CTO and head of Sipera VIPER Lab. "Left unaddressed, these vulnerabilities can disrupt critical business and personal voice communications, negating the many advantages to VoIP. Sipera works with its customers and vendors to address these threats before they become a major issue."

The advisories for hard phones were specifically for Avaya's 4602SW SIP phones, which have been found to be vulnerable to server impersonation, accepting SIP requests from random source IP addresses, open UDP port flooding, and RTP port flooding. These vulnerabilities can expose the phones to call hijacking, malicious messaging, denial of service, and voice quality degradation.

VIPER said that it also included in its alerts to vendors and their research reports best practices that could help alleviate the severity of the discovered vulnerabilities. VIPER feels that by alerting vendors, manufacturers and users to these vulnerabilities, existing VoIP systems can be better protected from hackers than if vendors or manufacturers alone were made aware of the vulnerabilities.

"It's important to understand that VoIP is now an application on the Internet and has its own security needs," Ziolo stressed when asked why these alerts are so important. "Enterprises should also realise that it is challenging and requires lots of time and work to have a secure VoIP network -- but it's not impossible."

"VoIP threats aren't stopping companies from implementing VoIP," Ziolo said, "but they are keeping companies from fully realising the advantages of voice over IP."

Read more on Voice networking and VoIP