VoIP vulnerability threatens data

VoIP vulnerabilities, for a time, were a nuisance that threatened to make VoIP and VoIP devices unusable or plague them with poor call quality, but a recent discovery found that certain types of VoIP attacks can be used to get into the data network and steal information.

According to Sipera VIPER Lab, laptops running VoIP softphones are most susceptible to the attacks, meaning that a laptop running an enterprise VoIP softphone can be compromised, and hackers can take control and delete or steal data off that laptop.

Sachin Joglekar, vulnerability research lead for Sipera VIPER Lab, said the discovery is "huge," and the implications could be even bigger. Sipera VIPER Lab sniffs out and publishes VoIP vulnerabilities and exploits to educate users about potential security holes.

"VoIP phones and unified communications products in general are a backdoor for attackers and hackers to get into the network and steal your data," Joglekar said.

In the past, softphones running on Windows XP machines with Service Pack 2 were vulnerable to buffer overflow attacks that would crash the phone. Now, however, a similar type of attack uses the SIP protocol to exploit the overflow attack. The attack, encoded into SIP, gets onto the machine and opens a connection from the exploited machine to the hacker's, allowing him to view, copy, delete or steal files.

Joglekar said the vulnerability was tested in certain types of softphones, but "softphones across the board" could be attacked.

"The vulnerability is nothing specific to a certain softphone or product in any way," he said.

"The data is reachable from the VoIP side," he added, "and typical data security tools cannot protect against it."

Brendan Ziolo, director of marketing for Sipera Systems, said the vulnerability is a new threat on the VoIP landscape, which was once considered a closed-off portion of the network.

"VoIP networks have been closed," he said. "If you brought it down, you brought down the phones and that's it."

But the extension of VoIP networks with SIP trunks and the growing use of Wi-Fi dual-mode phones and other tools increase the risk because VoIP and data are converged.

To protect against such attacks, Joglekar said, companies need to ensure that their OS patches are up to date, and they should be sure to employ strong encryption and authentication on the VoIP side. One common misconception, he said, is that VoIP devices come with security built in, which in many cases is true; but this level of security is typically not turned on in default settings.

In addition, Ziolo said, firewalls and intrusion-protection systems fall short of protecting against certain VoIP vulnerabilities because they focus solely on data without wrapping in enhanced VoIP protection. And since such attacks can run in the background and go unnoticed for a long time, this can create a false sense of security.

Joglekar said companies figure that firewalls provide adequate protection, but considering that laptops now act more like servers for making and receiving calls, it is not enough to treat VoIP and unified communications traffic as typical IP traffic.

"Firewalls don't get the real-time aspect of voice and unified communications," he said, adding that deep packet inspection and behavioural analysis become imperatives for ensuring the safety of VoIP traffic.

There are tools out there that offer VoIP-specific encryption, authentication and other protection, but many companies fail to realise that similar tools they use on the data side aren't up to snuff in the VoIP world.

Similar vulnerabilities have been identified in the Wi-Fi dual-mode arena, as well as on other unified communications tools like instant messenger.

Eric Winsborrow, Sipera's CMO and the former vice president of product marketing at McAfee, said VoIP-related vulnerabilities that can threaten data should serve as a wake-up call that more protection is needed.

"Enterprises spend billions of dollars on traditional data security and closely monitor OS vulnerability announcements on the first Tuesday of the month," Winsborrow said. "Meanwhile, Sipera VIPER Lab has identified an exhaustive list of VoIP vulnerabilities that can be exploited to disrupt critical business communications and, in this case, steal confidential data through a security hole that data security vendors are fundamentally unable to address. The regulatory impact of this exploit alone, should it happen in the wild, would be severe."