VoIP Security | IridiaBlog - VoIP, GSM and much more

Our thoughts, opinions and ramblings on the VoIP and GSM markets

Category: VoIP Security

Yet Another new Acronym – VoIM

Our industry is renowned for producing lots of acronyms – it makes sure no one else knows what we are talking about!

VoIM, or Voice over Instant Messenger, is the ability to move from an instant messaging session to a voice call using VoIP. The question here is whether we are talking about an IM client with VoIP capability or a VoIP client with IM capability. By this we mean MSN Messenger, which most users will use for instant messaging and probably not think about the VoIP capabilities, or Skype, where most people will use the VoIP capability and not think too much about instant messages.

I guess this technology will grow and grow, as it seems logical to turn an IM conversation into voice if more clarification is needed (we can still talk faster than we can type – for now anyway!).

Currently this is very much a peer-to-peer type technology, but more solutions are being implemented in the enterprise space for group chat, which will then lead to the ability for group calls, conferencing, etc.

Does Skype Have a Backdoor ?

We all hear about government agencies that listen in to phone calls and how VoIP has presented some interesting challenges for them. In the past we have heard Skype say that their calls cannot be listened in to because of their proprietary encryption methods; well, we have now seen a story to the contrary.

The Austrian interior ministry has said that it is possible to listen in to Skype conversations, implying that there may be a back door built into the program.

We saw the story at Heise online, who had talked to a number of parties present at a recent meeting between ISP representatives and the Austrian regulator on lawful intercept of IP services; those parties confirm the report. Skype has declined to comment on whether the software has a back door or whether there is a specific key for decrypting data streams.

Rumors have been floating around for a while that Skype is selling a special listening device to interested governments. As Skype’s code and protocols are both proprietary and closed, security experts have long wondered what Skype is capable of and what risks may arise in deploying the software in an enterprise environment.

Austrian officials have demanded that ISPs allow the interior ministry to install network bridges and Linux servers in their network centers to copy and filter data traffic.

See the original story here.

Security Issue on Snom Phones

We talk a lot about VoIP Security not because we want to sell you products but because it is an important and interesting subject. We see that a public hacking warning group has found a large security flaw in the web interface of Snom VoIP phones. The Snom phone is very popular with IP telephony business users and has a web interface to enable users to make calls and manage their phone.

gnucitizen.org highlights some of the easy-to-do breaches. These include making arbitrary calls via the web interface, stealing the phone history from the logs, poisoning the address book and, the most serious flaw, monitoring the victim by making a phone call to the attacker’s number (at their expense).

The gnucitizen.org group are a responsible group and they are publishing methods of how to make your Snom phone more secure and contacting Snom and their distributors to explain the flaws.

While this article highlights Snom phones it is entirely possible that many other phones have similar problems so watch this space.

Read their post here

Is the SIP Protocol Too Open ?

We regularly talk about security issues on VoIP systems, and we have seen a report over on lightreading.com saying that because SIP is such an open protocol it is also open to security problems. With a loosely defined standard like SIP, interoperability issues occur, so whatever security measures might apply to one SIP implementation won’t necessarily work for another.

There appears to be an almost willing ignorance of SIP’s vulnerability issues on the part of VOIP network operators and users, say security vendors. Users of SIP applications either don’t understand or don’t care that their voice communications are prone to the same types of malicious viruses that affect email systems or other IP-based networks.

We always need to be careful with these statements and think about who is making them: security vendors would not say that VoIP vendors are protecting themselves, as that would mean they do not sell much product. For sure the real picture lies somewhere in the middle.

The following is a very concise table detailing the types of attacks that we should be aware of:

[Image: SIP Security Issues]

View the full report here

Is VoIP Next on the List for the Dreaded Spammers ???

So here we go: the dreaded spammers are looking for other ways to hit us with their unwanted content.

It has been reported that hackers have attacked Columbia University; ironically, this is the university where the co-author of the VoIP protocol resides. The hackers left marketing SPIT (spam over internet telephony) on multiple phone extensions at the University.

According to the Guardian newspaper, there already are examples of voice phishing or vishing in the U.S. where the penetration of VoIP is getting up to 15 percent. “The real problem with VoIP is that it’s very easy to take a name as your identity which appears with a call, or to put up a number on a screen that isn’t actually the number that the call’s being made from,” David Endler, director of security research at TippingPoint told the Guardian.

“This lends itself perfectly to vishing, which we’ve already started to see, and I’m genuinely surprised we haven’t seen more. People generally trust the phone, so if they get a voicemail from their bank saying they need to call in, they will, and they’re used to telling an agent some security details or tapping in a pass code on the phone to prove who they are. As soon as they’ve done that they’ve given a hacker their identity,” said Endler.
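The weakness Endler describes comes down to the SIP From header being whatever the caller chooses to send. The following is an added example, not part of the original post, of a check a SIP border element could run: it compares the caller-supplied From with the P-Asserted-Identity header (RFC 3325). It assumes the border proxy strips that header from untrusted peers and sets it only for authenticated ones; the messages and all names in them are constructed.

```python
import re

# RFC 3261 compact header form: "f" is shorthand for "From".
COMPACT = {"f": "from"}

def parse_headers(message):
    """Return {lowercased header name: value} for a raw SIP message."""
    headers = {}
    for line in message.split("\r\n")[1:]:      # skip the request line
        if not line:                            # blank line ends the headers
            break
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers.setdefault(COMPACT.get(name, name), value.strip())
    return headers

def sip_identity(value):
    """Extract (user, host) from a header carrying a sip:/sips: URI."""
    m = re.search(r"sips?:([^@;>\s]+)@([^;>\s:]+)", value)
    return (m.group(1), m.group(2).lower()) if m else None

def caller_id_findings(message):
    """Compare the caller-supplied From with the proxy-asserted identity."""
    h = parse_headers(message)
    claimed = sip_identity(h.get("from", ""))
    # Assumption: only our own border proxy can set this header.
    asserted = sip_identity(h.get("p-asserted-identity", ""))
    if claimed is None:
        return ["malformed-from"]
    if asserted is None:
        return ["no-asserted-identity"]         # nothing vouches for the From
    findings = []
    if claimed[0] != asserted[0]:
        findings.append("user-mismatch")
    if claimed[1] != asserted[1]:
        findings.append("domain-mismatch")
    return findings

# Constructed sample INVITE (not captured traffic); all names are made up.
SPOOFED = "\r\n".join([
    "INVITE sip:alice@example.org SIP/2.0",
    'f: "Your Bank" <sip:+15550100@bank.example>;tag=1928',
    "To: <sip:alice@example.org>",
    "P-Asserted-Identity: <sip:+15550199@carrier.example>",
    "", "",
])
HONEST = SPOOFED.replace("+15550100@bank.example", "+15550199@carrier.example")
UNVOUCHED = SPOOFED.replace("P-Asserted-Identity", "X-Ignored")

if __name__ == "__main__":
    for label, msg in [("spoofed", SPOOFED), ("honest", HONEST), ("unvouched", UNVOUCHED)]:
        print(label, caller_id_findings(msg))
```

A call with findings need not be dropped; marking it as unverified on the called party's display is often enough to blunt a vishing attempt.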

Phones Have Ears…….

We picked this one up on a few VoIP security websites. It seems that an exploit has been found on a Grandstream VoIP phone whereby it can be forced to go off hook even when the handset is down, so that the exploiter could be listening in. This also acts as a Denial of Service (DoS) attack, stopping regular callers from contacting you.

Many people are guessing that many other vendors may also be susceptible to this exploit, so be careful, as you never know who is listening.

For the record, the Grandstream model is the GXV-3000. We were unable to confirm whether new firmware has fixed this problem; let us know if you have more information.

Get more details here, here or here

Security Still Being Ignored.

Regular readers will know that VoIP security is a hot issue with us and we saw an interesting Press Release on the National Computing Centre website, the NCC is a very well respected organisation.

They have undertaken a survey that shows that only 15% of companies have any VoIP security on their networks.

The survey was more wide-ranging, looking also at WiFi networks and USB devices.

As usual, we all need to heed the warnings and secure our networks, as there are always people looking to exploit any loopholes you leave open.

Full article here

Now Skype Gets Worms !

We do not want to be seen as ‘Skype bashers’ but they have one of the highest profiles in the VoIP market place, and after their well publicised recent problems they have now suffered a Worm attack specifically designed to hit Skype users.

The worm arrives via a cleverly worded chat message, supposedly from an IM buddy. The message includes a link to what is apparently a JPEG file. In one example described elsewhere, the name and path make the file appear to be an erotic image. Clicking the link produces a pop-up window asking the user to run a screensaver (.scr) file. Clicking the OK button loads the worm onto the victim’s computer, which then sends the same message to that user’s buddies.

Currently the damage the worm has done to users’ computers remains unknown. One thing that is clear is that this could not have come at a worse time for Skype, as its reputation for reliability took a big knock with the recent outage that lasted for more than a day. That high-profile incident prompted much speculation about whether Internet VoIP is reliable enough for small businesses; the latest problem will make it all the harder for Skype to argue that it is.

On a positive note, most of the large virus checker companies have a fix for the worm, and Skype have published a manual fix, albeit one that users need to be pretty PC savvy to implement.

Be Safe and Secure

We take security very seriously and Voice over IP opens up all sorts of avenues for abuse of your systems.

We found a great article over on networksystemsdesignline.com that describes the security issues surrounding a VoIP implementation. In summary they are:

  1. Eavesdropping – An external party monitoring your RTP packet streams
  2. Spam over Internet Telephony (SPIT) – we have covered this before here, but it is essentially spam voicemail
  3. Spoofing – Someone who is pretending to be a remote IP address that you are communicating with
  4. Call Hijacking – A user can take over a call and this allows them to commit toll fraud
  5. Denial of Service – a DoS attack flooding out the available bandwidth so you are unable to make calls

The full article can be read here – you have been warned :-(
