I'm always a bit skeptical of VoIP security vulnerabilities discovered by firms which sell security products. Nevertheless, I thought it was worth sharing this bit of news.
Update: Microsoft responded that VoIPShield's test is "on a non-secure implementation of OCS, which you would have to disable as we are secure with a default installation."
See, that's why I was "a bit skeptical"!
VoIPshield Laboratories, the research division of VoIPshield Systems Inc., is making its first-ever announcement in a new category of research related to security vulnerabilities in VoIP and Unified Communications (UC) systems. These vulnerabilities affect applications that use media stream protocols like RTP (Real-time Transport Protocol), a popular standardized packet format for delivering audio and instant messaging over the Internet.
The Microsoft products affected are Office Communications Server 2007, Office Communicator and Windows Live Messenger. These products deliver software-powered VoIP, presence, instant messaging and audio/video/Web conferencing functionality to end users. Microsoft estimates that over 250 million computers worldwide run these applications. All use RTP to deliver the content of the message; therefore all are vulnerable to this class of attack.
"Most of the attention in enterprise VoIP/UC security has been paid to the control channel, where SIP and other signalling protocols are used," said Ken Kousky, CEO of security research and analysis firm IP3 and advisor to the VoIP Lab at Illinois Institute of Technology. "Until now, the media stream has been largely ignored by the security community as a source of malicious activity. But attacks from these vectors have the potential to be dangerously persistent and widespread."
The Microsoft vulnerabilities announced today, if exploited, cause a Denial of Service (DoS) condition against not only the stated applications but the entire desktop environment.
"Today's announcements are just the tip of the iceberg," said Andriy Markov, director of VoIPshield Labs. "Although they are specific to Microsoft's applications, similar flaws exist in other VoIP vendors' products. And many other media stream attacks exist that have more severe implications than service availability. We're presently validating new research that shows an attacker can gain unauthorized access to an unsuspecting user's laptop by manipulating the packets of a VoIP phone call. We believe that these attacks can even be made to traverse a PSTN gateway."
Under its Responsible Disclosure Policy, VoIPshield confidentially discloses full details of the vulnerabilities to the affected vendors, and works with them to facilitate the development of application fixes. Details of the vulnerabilities are not publicly disclosed.
Securing the media stream is particularly challenging because once the messaging session is established, the flow of voice packets is not always monitored and managed by the call server.
"Media traffic, whether it's voice or video, can travel peer-to-peer," Kousky added. "Security practitioners have historically considered blocking peer-to-peer traffic as the best protection practice. Unfortunately, for voice packets that strategy doesn't work and so careful consideration has to be given to the placement of the protection mechanisms within the network."
"VoIP and Unified Communications represent not only new technologies, but new paradigms in the way information is communicated and consumed," said Rick Dalmazzi, VoIPshield's president & CEO. "The result is brand new vectors of attack against the entire corporate IT infrastructure. Companies must start now to educate themselves in this new area of security. VoIPshield has been working exclusively in VoIP and UC security since 2004 and has compiled a number of assessment and protection techniques and products for enterprise networks."
Effective immediately, customers of VoIPshield's VoIPguard™ VoIP/UC Intrusion Prevention System can download the new signatures using the VoIPshield Update™ subscription service. VoIPguard contains over 500 VoIP/UC specific signatures to detect and prevent malicious signalling and media traffic.
In April, VoIPshield was named one of five "Cool Vendors in Infrastructure Protection for 2008" by Gartner. In October VoIPshield was named one of the "Top 50 Canadian Companies" by Red Herring.