VoIP protocol insecurity

• Plaintext SIP messages are trivial to modify or inject, particularly over broadcast media. Although SIP is not encrypted, it can be protected using IPsec, SSL/TLS or S/MIME. However, even then, some header fields like "To" and "Via" must remain visible so SIP requests can be routed correctly. Attackers can thus send spoofed INITIATE requests containing phony IP addresses. Or an attacker who captures SIP setup messages can use spoofed "BYE" requests to disrupt calls in progress.

  More on this topic Five VoIP security recommendations VoIP Learning Guide More VoIP tips More on enterprise voice security

• ASN.1 makes H.323 messages slightly harder to fabricate, but not much. To make matters worse, in January 2004, the UK National Infrastructure Security Coordination Center reported a slew of ASN.1 vulnerabilities in many H.323 implementations. According to US CERT VU#749342 (http://www.kb.cert.org/vuls/id/749342), "Sending an exceptional ASN.1 element to a vulnerable telephony component that cannot handle it may cause the application or system behavior to become unpredictable... The impacts associated with these vulnerabilities include denial-of-service and potential execution of arbitrary code." Many of the affected implementations have since been patched, but this illustrates the potential for widespread vulnerabilities in complex new code that is not thoroughly error-tested.

• Researchers also discovered dozens of denial-of-service (DoS) vulnerabilities in the INVITE message processing of many SIP implementations. According to CERT Advisory CA-2003-06 (http://www.cert.org/advisories/CA-2003-06.html), "Exploitation of these vulnerabilities may result in denial-of-service conditions, service interruptions, and in some cases may allow an attacker to gain unauthorized access to the affected device."

• Even when a single vendor's implementation is involved, impact may be significant due to the volume of VoIP endpoints. In April 2004, the Microsoft Windows H.323 implementation (http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx) reportedly contained a request-handling buffer overflow condition. This vulnerability can be exploited to run arbitrary code on unpatched Windows 98, ME, NT, 2000, XP and Server 2003 systems, and with early versions of NetMeeting.

This tip originally appeared as part of SearchSecurity.com's VoIP protocols: A technical guide

ABOUT THE AUTHOR:

Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications.

Rate this Tip To rate tips, you must be a member of SearchUnifiedCommunications.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT VoIP Security SIP tutorial Unified communications security risks and countermeasures Can outsiders access my VoIP line and gather confidential data? Top VoIP Chapter Downloads of 2007 Best practices for instant messaging security Top rated VoIP security tips of 2007 Voice over IPv6: Architectures for Next Generation VoIP Networks VoIP vulnerability threatens data How to Cheat at VoIP Security VoIP vulnerabilities tackled by research company VoIP Protocols Microsoft's Real-Time Codec (RTC) for VoIP optimization Is there a difference between VoIP and IP telephony? VoIP for the globe-trotting frequent traveler SIP tutorial Springer Handbook of Speech Processing Top 10 VoIP tips for 2007 Push-to-talk implementation using SIP protocol IP PBX eases VoIP transition for gas company Open communications vs. closed communications? SIP phone quality and clarity solutions Unified Communications Tech Tip Demystifying unified communications deployment strategies Presence management and security Presence: SIMPLE versus XMPP Four factors driving videoconferencing Consider IBM Lotus SameTime for UC, not just Microsoft OCS An introduction to SIP, part 1 What's the value of unified communications? The benefits and challenges of presence within unified communications Will we get reliable unified communications? Top 10 VoIP tips for 2007 RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary vishing  (SearchUnifiedCommunications.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.