Article

VoIP vulnerabilities tackled by research company

Kate Dostart, Associate Editor

Security threats to voice over IP (VoIP) are one of the major factors that deter numerous IT departments from implementing a VoIP system. But in the fight against denial of service (DoS) attacks, buffer overflow attacks, and hackers there are companies that are prepared to find those hidden vulnerabilities.

For one such company, the fight has been going on for nearly three and a half years. In a recent announcement, Sipera VIPER Lab disclosed seven new threat advisories for SIP-based softphones and Web-based instant messaging services, specifically those from AOL, Avaya, MSN and Nortel. An additional four advisories were released for Avaya's SIP-based hard phones.

    Requires Free Membership to View

More information on VoIP vulnerabilities and security
VoIP security fundamentals

VoIP security -- problems inherited from data networking
In 2003, Sipera Systems Inc. was created, along with affiliated research firm Sipera VIPER Lab, to find and document the vulnerabilities that threaten the successful use of VoIP at the enterprise level. By focusing its efforts strictly on voice over IP and IP-based communications, Sipera says it is better prepared to inform both manufacturers and users of VoIP phones and softphones of vulnerabilities that could interfere with their use of the equipment and applications.

"VIPER Lab looks only at VoIP and unified communications," said Brendan Ziolo, marketing director. "By proactively seeking out vulnerabilities, we are protecting VoIP systems against attacks before they can even happen."

The alerts raised by VIPER Lab state that these VoIP softphones could be vulnerable to such issues as resource exhaustion, buffer overflow, DoS attacks, and SIP parsing errors. In issuing these alerts, VIPER Lab contacts the manufacturers first, informing them of potential vulnerabilities in their hardware and software.

Once the manufacturers have had time to be alerted to the vulnerabilities, customers of Sipera are informed of any issues that could give rise to potential problems in their systems that included these products.

In the latest alerts, VIPER found a number of vulnerabilities that were specific to softphones.

"Softphones provide great flexibility for communications but are very vulnerable to attacks. These not only pose threats to the VoIP system but also to the computing and network environments," said Krishna Kurapati, Sipera founder/CTO and head of Sipera VIPER Lab. "Left unaddressed, these vulnerabilities can disrupt critical business and personal voice communications, negating the many advantages to VoIP. Sipera works with its customers and vendors to address these threats before they become a major issue."

The advisories for hard phones were specifically for Avaya's 4602SW SIP phones, which have been found to be vulnerable to server impersonation, accepting SIP requests from random source IP addresses, open UDP port flooding, and RTP port flooding. These vulnerabilities can expose the phones to call hijacking, malicious messaging, denial of service, and voice quality degradation.

VIPER said that it also included in its alerts to vendors and their research reports best practices that could help alleviate the severity of the discovered vulnerabilities. VIPER feels that by alerting vendors, manufacturers and users to these vulnerabilities, existing VoIP systems can be better protected from hackers than if vendors or manufacturers alone were made aware of the vulnerabilities.

"It's important to understand that VoIP is now an application on the Internet and has its own security needs," Ziolo stressed when asked why these alerts are so important. "Enterprises should also realize that it is challenging and requires lots of time and work to have a secure VoIP network -- but it's not impossible."

"VoIP threats aren't stopping companies from implementing VoIP," Ziolo said, "but they are keeping companies from fully realizing the advantages of voice over IP."


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: