Doug
2007-Aug-03 17:38 UTC
[asterisk-users] "Asterisk can be attacked using buffer overflow."
Forbes.com - Magazine Article <http://www.forbes.com/technology/2007/08/02/voip-security-flaws-tech-internet-cx_ag_0802techvoip.html> LAS VEGAS - Internet Security VoIP Vandals Andy Greenberg, 08.02.07, 12:32 AM ET Internet telephone services like Skype and Vonage are starting to look less like digital gimmicks and more like the next generation of voice communication. They're cheaper than traditional phone services and increasingly fast and reliable. But they may also be far more hackable. Security professionals at the Black Hat conference in Las Vegas spent Wednesday outlining the exploitable vulnerabilities in voice over Internet protocol technology, or VoIP. In a series of presentations, they demonstrated ways in which cybercriminals can eavesdrop on VoIP calls, steal data from Internet telephony devices, intercept credit card numbers from VoIP connections and shut connections down altogether. "VoIP is about convergence. The idea is that you save money and resources and time," said Barrie Dempster, a senior security consultant at Next Generation Security Software who made a presentation at the conference. "But convergent systems give you more avenues of attack, more ways in. It's not a secure environment." Because VoIP connects telephone calls via the Internet, it shares the Internet's weaknesses, Dempster argued. Those include vulnerability to denial of service attacks, which overload servers with thousands of simultaneous requests for data, as well as basic hacking tactics like guessing the password of users who fail to change default settings. Peter Thermos, chief technology officer of Palindrome Technologies, proved the point onstage: He played snippets of conversations recorded by snooping on VoIP calls, exploiting vulnerability in a common element in VoIP communications known as media gateway control protocol. "Using this weakness in MGCP, you can do anything like reroute or tear down connections," He said. "But eavesdropping is especially scary." Thermos also described an exploitable hole in ZRTP, one species of the VoIP language real-time transfer protocol: ZRTP encrypts all transmitted sounds, but not the numbers translated from tones. That means hackers can listen for credit card information communicated from touchtone phones. Though the attacks on display were new, VoIP isn't: Internet telephony has existed since the early '90s. But Dempster says its increasing adoption hasn't led to the patching of old bugs. In his presentation, he described how Asterisk, an open-source VoIP application, can be attacked using what he said was an "extremely basic" method known as a buffer overflow. "We point these problems out," he said, "But the lessons aren't being taken." New mobile devices are also drawing attention to VoIP problems. Krishna Kurapati, founder and chief technology officer of Sipera Systems, demonstrated vulnerabilities of several Wi-Fi devices at Wednesday's presentations, crashing a Blackberry and a D-Link phone onstage by hacking their wireless Internet connections. He also simulated the theft of private data via VoIP from a laptop. And VoIP attacks aren't just happening in onstage demonstrations; businesses are increasingly being hit. Several companies in the last year have been victims of "toll fraud," a scheme in which hackers break into a company's VoIP network and sell thousands of dollars worth of long-distance minutes. Eric Winsborrow of Sipera Systems says that the wave of threats has been brought on by VoIP's new popularity in the business world as well as the technology's growing connection to the Internet at large, instead of smaller networks. He also points to plans at Microsoft to introduce VoIP applications into upcoming software as a sign that the technology's security issues are reaching a tipping point. "There's a perfect storm of more openness and mobility, more mainstream adoption, and new entrants into the industry," he says. "The table stakes are getting much bigger."