Security tools probe VoIP flaws
Published: 03 Aug 2006 10:40 BST
If your VoIP phone starts ringing off the hook, it might not denote a surge in your popularity — just that someone is trying one of 13 newly released security tools.
Security researchers at the Black Hat security confab released the tools in Las Vegas on Wednesday. The programs are meant to test the security of increasingly popular Voice over Internet Protocol telephony systems, Dave Endler, director of security research at TippingPoint, said in an interview. TippingPoint is part of 3Com, which sells VoIP products.
Each of the tools can be used to launch VoIP system attacks such as overloading phones or VoIP exchanges with ambiguous traffic, flooding phones with calls, forcing hang-ups, rebooting phones, and reassigning the devices to other users or nobody at all, Endler said.
"If you want all the chief executive's calls to show up at your desk, that's what you would use," he said. Enterprises look at VoIP systems because of their rich features, promise of lower costs, and use of the same infrastructure as computer networks.
The tools were designed to help administrators determine the vulnerability of their telephony systems, Endler said. "Obviously, releasing any security tools is a double-edged sword in that you can't restrict who has access," he said.
All of the tools target systems that use the Session Initiation Protocol, or SIP. While SIP is increasingly used in VoIP systems, it isn't widely used yet, Endler said. Instead, products from vendors such as Cisco Systems, Avaya and Nortel Networks all use proprietary protocols.
"The majority of VoIP systems out there are not SIP enabled," Endler said. "Most of them are pushing forward with SIP adoption." Endler and co-presenter Mark Collier of SecureLogix hope their work will help VoIP systems be more secure when SIP makes it into the mainstream, Endler said. "VoIP security is still in its infancy," he said.
The release of the tools will have little impact on VoIP users today, agreed Dan York, director of IP technology at VoIP vendor Mitel. "But we're all moving to SIP," he said. The new protocol is in demand because industry-wide adoption would mean phones from one vendor would work with a VoIP exchange from another, which isn't true today.
York believes the tools serve a purpose. "SIP is coming into play and they give us the tools to test the systems and make them more secure."
Did you find this article useful?
263 out of 2400 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
