asterisk users - Aug 2007 - "Asterisk can be attacked using buffer overflow."

Forbes.com - Magazine Article

<http://www.forbes.com/technology/2007/08/02/voip-security-flaws-tech-internet-cx_ag_0802techvoip.html>

LAS VEGAS - Internet Security VoIP Vandals

Andy Greenberg, 08.02.07, 12:32 AM ET

Internet telephone services like Skype and Vonage are
starting to look less like digital gimmicks and more
like the next generation of voice communication.
They're cheaper than traditional phone services and
increasingly fast and reliable. But they may also be
far more hackable.

Security professionals at the Black Hat conference in
Las Vegas spent Wednesday outlining the exploitable
vulnerabilities in voice over Internet protocol
technology, or VoIP. In a series of presentations,
they demonstrated ways in which cybercriminals can
eavesdrop on VoIP calls, steal data from Internet
telephony devices, intercept credit card numbers from
VoIP connections and shut connections down altogether.

"VoIP is about convergence. The idea is that you save
money and resources and time," said Barrie Dempster, a
senior security consultant at Next Generation Security
Software who made a presentation at the conference.
"But convergent systems give you more avenues of
attack, more ways in. It's not a secure environment."

Because VoIP connects telephone calls via the
Internet, it shares the Internet's weaknesses,
Dempster argued. Those include vulnerability to denial
of service attacks, which overload servers with
thousands of simultaneous requests for data, as well
as basic hacking tactics like guessing the password of
users who fail to change default settings.

Peter Thermos, chief technology officer of Palindrome
Technologies, proved the point onstage: He played
snippets of conversations recorded by snooping on VoIP
calls, exploiting vulnerability in a common element in
VoIP communications known as media gateway control
protocol. "Using this weakness in MGCP, you can do
anything like reroute or tear down connections," He
said. "But eavesdropping is especially scary."

Thermos also described an exploitable hole in ZRTP,
one species of the VoIP language real-time transfer
protocol: ZRTP encrypts all transmitted sounds, but
not the numbers translated from tones. That means
hackers can listen for credit card information
communicated from touchtone phones.

Though the attacks on display were new, VoIP isn't:
Internet telephony has existed since the early '90s.
But Dempster says its increasing adoption hasn't led
to the patching of old bugs. In his presentation, he
described how Asterisk, an open-source VoIP
application, can be attacked using what he said was an
"extremely basic" method known as a buffer overflow.
"We point these problems out," he said, "But the
lessons aren't being taken."

New mobile devices are also drawing attention to VoIP
problems. Krishna Kurapati, founder and chief
technology officer of Sipera Systems, demonstrated
vulnerabilities of several Wi-Fi devices at
Wednesday's presentations, crashing a Blackberry and a
D-Link phone onstage by hacking their wireless
Internet connections. He also simulated the theft of
private data via VoIP from a laptop.

And VoIP attacks aren't just happening in onstage
demonstrations; businesses are increasingly being hit.
Several companies in the last year have been victims
of "toll fraud," a scheme in which hackers break into
a company's VoIP network and sell thousands of dollars
worth of long-distance minutes.

Eric Winsborrow of Sipera Systems says that the wave
of threats has been brought on by VoIP's new
popularity in the business world as well as the
technology's growing connection to the Internet at
large, instead of smaller networks. He also points to
plans at Microsoft to introduce VoIP applications into
upcoming software as a sign that the technology's
security issues are reaching a tipping point.

"There's a perfect storm of more openness and
mobility, more mainstream adoption, and new entrants
into the industry," he says. "The table stakes are
getting much bigger."