We talk a lot about VoIP Security not because we want to sell you products but because it is an important and interesting subject. We see that a public hacking warning group has found a large security flaw in the web interface of Snom VoIP phones. The Snom phone is very popular with IP telephony business users and has a web interface to enable users to make calls and manage their phone.
gnucitizen.org highlights some of the breaches that are easy to carry out. These include making arbitrary calls via the web interface, stealing the phone history from the logs, poisoning the address book and, the most serious flaw, monitoring the victim by making a phone call to the attacker’s number (at their expense).
The gnucitizen.org group are a responsible group and they are publishing methods of how to make your Snom phone more secure and contacting Snom and their distributors to explain the flaws.
While this article highlights Snom phones, it is entirely possible that many other phones have similar problems, so watch this space.
Read their post here
We regularly talk about security issues on VoIP systems, and we have seen a report over on lightreading.com saying that because SIP is such an open protocol, it is also open to security problems. With a loosely defined standard like SIP, interoperability issues occur, so whatever security measures might apply to one SIP implementation won’t necessarily work for another.
There appears to be an almost willing ignorance of SIP’s vulnerability issues on the part of VOIP network operators and users, say security vendors. Users of SIP applications either don’t understand or don’t care that their voice communications are prone to the same types of malicious viruses that affect email systems or other IP-based networks.
We always need to be careful with these statements and think about who is making them: security vendors would not say that VoIP vendors are protecting themselves, as that would mean they do not sell much product. For sure, the real picture lies somewhere in the middle.
The following is a very concise table detailing the types of attacks that we should be aware of.
View the full report here
We take security very seriously, and Voice over IP opens up all sorts of avenues for abuse of your systems.
We found a great article over on networksystemsdesignline.com that describes the security issues surrounding a VoIP implementation. In summary, they are:
- Eavesdropping – An external party monitoring your RTP packet streams
- Spam over Internet Telephony (SPIT) – we have covered this before here, but it is essentially spam voicemail
- Spoofing – Someone who is pretending to be a remote IP address that you are communicating with
- Call Hijacking – A user can take over a call and this allows them to commit toll fraud
- Denial of Service – a DoS attack floods the available bandwidth so you are unable to make calls
The full article can be read here – you have been warned