DEF CON, an "underground" information security conference (appropriately held in an upscale hotel in the entertainment capital of the US) is on, together with sister Black Hat Briefings, and the fresh crop of FUD is already making it to the business press worldwide. There's nothing like a catchy headline, and Forbes has got one of those: VoIP Vandals. Let's see what it's about:
Security professionals at the Black Hat conference in Las Vegas spent Wednesday outlining the exploitable vulnerabilities in voice over Internet protocol technology, or VoIP. In a series of presentations, they demonstrated ways in which cybercriminals can eavesdrop on VoIP calls, steal data from Internet telephony devices, intercept credit card numbers from VoIP connections and shut connections down altogether.
I wonder if there's something radically new. Some details:
"VoIP is about convergence. The idea is that you save money and resources and time," said Barrie Dempster, a senior security consultant at Next Generation Security Software who made a presentation at the conference. "But convergent systems give you more avenues of attack, more ways in. It's not a secure environment." Because VoIP connects telephone calls via the Internet, it shares the Internet's weaknesses, Dempster argued. Those include vulnerability to denial of service attacks, which overload servers with thousands of simultaneous requests for data, as well as basic hacking tactics like guessing the password of users who fail to change default settings.
Environments become secure if and when we chose to secure them. VoIP set of technologies gives countless ways to achieve integrity and privacy of communications. It's much better in that regard that POTS, the pretty old telephony service it's replacing. And by the way - many people who witnessed major disaster, or attended a sports event, or just tried to call relatives in a developing country on a public holiday, know of limitations of POTS is its susceptability to load-based denial of service. Plus, legacy telephones don't have passwords to speak of, so there's nothing even to guess.
Well Mr. Dempster may have said FUD without substance, but other guys conducted cool demonstrations. They have shown weaknesses resulted in insecure iplementation of MGCP, and lack of touch tone protection in ZRTP, o VoIP protocol invented by Phil Zimmermann of PGP fame. Nice hacks they may be. Pity no one's using the protocols. SIP and proprietary protocols like Skype have won the protocol race.
Of course, Microsoft's embrace of the realtime communications and VoIP is considered no less than upcoming doom:
Eric Winsborrow of Sipera Systems says that the wave of threats has been brought on by VoIP's new popularity in the business world as well as the technology's growing connection to the Internet at large, instead of smaller networks. He also points to plans at Microsoft to introduce VoIP applications into upcoming software as a sign that the technology's security issues are reaching a tipping point.
I don't know where Mr. Winsborrow has spent last several years, but conf.exe is a part of Windows for a long while, and we are long past the tipping poing. There will be no VoIP crash boom bang. It is secure. Mr. Winsborrow and his squad managed to crash a BlackBerry handheld and a D-Link phone by injecting packets into Wi-Fi network (as if you couldn't crash any of those networks entirely with a microwave), and simulated the theft of private data via VoIP from a laptop. I invite them to exploit a setup with Kerberos authentication and SIP signaling secured with TLS. That is common in Microsoft world and is used to interconnect organisations as well as internally.
VoIP scaremongering is pathetic.