Black Hat 2007: VoIP security reaches tipping point
VoIP security is as bad today as it was a couple years ago, industry experts say. But PGP creator Phil Zimmermann thinks his new Zfone software will help turn the tide.
Industry experts have warned for years that companies are ignoring security when deploying VoIP. Researchers at this year's Black Hat conference say the state of VoIP security is as bad today as it was two years ago, with many adopters relying on protocols that are easy to attack. But PGP creator Phil Zimmermann has unveiled new software he believes will help turn the tide.
Zimmermann calls his new creation Zfone, a VoIP phone software product that lets users encrypt their calls over the Internet. Zfone uses a new cryptographic protocol called ZRTP, which has a better architecture than other VoIP security protocols such as SIP (Session Initiation Protocol), H.323 and IAX. Users can download a free beta of Zfone from the Zfone Project Web site.
"Zfone sits in the IP protocol stack and runs as a filter, and it works with multiple programs such as Windows Mobile, Apple iChat, Symbian and Nokia," he said before running a demonstration of how the technology works.
To show how Zfone can protect VoIP sessions from man-in-the-middle attacks without the need for a PKI or a certificate authority, Zimmermann initiated two VoIP calls with someone in the audience, first using iChat and then Gismo, a free Internet phone application.
"To prevent a man-in-the-middle attack, we have to use the same session key," he said, pointing out how his software allows for that to happen. "When you have the same session key at both ends, there can be no man in the middle."
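As an added illustration (not Zfone's or ZRTP's own code), the following simplified Python sketch shows the idea behind the "same session key at both ends" remark: the two endpoints agree on a key with Diffie-Hellman and derive a short authentication string (SAS) from it, as ZRTP does, and an interceptor who relays the exchange leaves the two callers holding different keys, so the SAS they read aloud to each other no longer matches. The group parameters, helper names and the key derivation are constructed for this example and are far simpler than real ZRTP.

```python
import hashlib
import secrets

# Toy group parameters, constructed for this illustration only. Real ZRTP
# negotiates a standard finite-field or elliptic-curve group of proper size.
P = 2**127 - 1  # a Mersenne prime; far too small for real use
G = 5

def dh_keypair(priv=None):
    """Return (private, public) for one endpoint; priv may be fixed for tests."""
    priv = priv if priv is not None else secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def shared_secret(priv, peer_pub):
    """Classic Diffie-Hellman: peer_pub ** priv mod P."""
    return pow(peer_pub, priv, P)

def session_key(secret):
    """Derive a session key from the DH result (simplified stand-in for a KDF)."""
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def sas(key):
    """Short Authentication String: a few characters both callers read aloud.
    No PKI is needed; a human voice comparison detects a key mismatch."""
    return hashlib.sha256(b"SAS" + key).hexdigest()[:4].upper()

def direct_call(alice_priv, bob_priv):
    """Honest exchange: both ends compute the same key, hence the same SAS."""
    a_priv, a_pub = dh_keypair(alice_priv)
    b_priv, b_pub = dh_keypair(bob_priv)
    return (session_key(shared_secret(a_priv, b_pub)),
            session_key(shared_secret(b_priv, a_pub)))

def intercepted_call(alice_priv, bob_priv, mallory_priv):
    """Relay attack: the interceptor runs a separate DH with each end, so the
    callers hold different keys and their spoken SAS values disagree."""
    a_priv, _ = dh_keypair(alice_priv)
    b_priv, _ = dh_keypair(bob_priv)
    _, m_pub = dh_keypair(mallory_priv)
    return (session_key(shared_secret(a_priv, m_pub)),   # Alice <-> Mallory
            session_key(shared_secret(b_priv, m_pub)))   # Mallory <-> Bob

def sas_matches(keys):
    """What the callers check: do the two ends display the same SAS?"""
    return sas(keys[0]) == sas(keys[1])

if __name__ == "__main__":
    print("direct call SAS match:", sas_matches(direct_call(7, 11)))
    print("intercepted call SAS match:", sas_matches(intercepted_call(7, 11, 13)))
```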
Throughout his presentation, Zimmermann stressed the importance of encrypting VoIP transmissions, even though, as he noted, some in the government believe that would hobble law enforcement's ability to tap VoIP conversations as part of criminal investigations. The problem, he said, is that organised criminal outfits are quickly figuring out how to turn the tables by tapping VoIP calls made by the authorities attempting to bring them to justice.
"We have to encrypt our phone calls because the VoIP environment just isn't safe," he said. "It's getting easier for the bad guys to use something like spyware to tap the VoIP conversations of judges, prosecutors and the police."
Zimmermann's demonstration received a positive response from the audience, and other experts backed his claim that it's no longer difficult for digital miscreants to exploit VoIP insecurity.
Himanshu Dwivedi and Zane Lackey of digital security firm iSEC Partners gave a presentation on the various ways attackers can exploit SIP, IAX and H.323. The latter, they say, is particularly vulnerable to attack, yet most users assume H.323 is secure because little evidence to the contrary has been presented. They urged the audience to build a layered defence, noting that the state of VoIP security is as bad now as it was a couple of years ago.
"Four to five years ago, we started hearing about the security problems of VoIP, and it's really no better today," Dwivedi said. "The security vendors are not on top of the problem and users are relying on protocols they think are safe, when in fact they are not."
The two then ran through a series of examples showing how attackers could exploit the protocols to listen in on VoIP conversations and extract sensitive information, as well as to create havoc through denial-of-service attacks and by impersonating certain people on the call. IDs, time stamps and certain hashing functions can easily be sniffed, they warned.
Several Black Hat attendees said their organisations aren't using a lot of VoIP yet, but that they know it's something they'll soon have to deal with.
Andrew Fried, an IT security specialist with the U.S. Treasury Department, said his agency wants to increase its VoIP capabilities and hopes the Black Hat sessions will bring him up to speed on the security risks he'll have to be worrying about.
"The government is trying to push more and more work at home and VoIP will be used as part of that ... but fraudulent use of VoIP is something we're more concerned about, with [attackers] making calls in the name of the IRS using VoIP services that are nearly untraceable," Fried said. "Welcome to the world of fraud."