I'm always a bit skeptical of VoIP security vulnerabilities discovered by firms which sell security products. Nevertheless, I thought it was worth sharing this bit of news.
Update: Microsoft responded that VoIPShield's test is "on a non-secure implementation of OCS, which you would have to disable as we are secure with a default installation." See, that's why I was "a bit skeptical"!
VoIPshield Laboratories, the research division of VoIPshield Systems Inc., is making its first-ever announcement in a new category of research related to security vulnerabilities in VoIP and Unified Communications (UC) systems. These vulnerabilities affect applications that use media stream protocols like RTP (Real-time Transport Protocol), a popular standardized packet format for delivering audio and instant messaging over the Internet.
The Microsoft products affected are Office Communications Server 2007, Office Communicator and Windows Live Messenger. These products deliver software-powered VoIP, presence, instant messaging and audio/video/Web conferencing functionality to end users. Microsoft estimates that over 250 million computers worldwide run these applications. All use RTP to deliver the content of the message; therefore all are vulnerable to this class of attack.
"Most of the attention in enterprise VoIP/UC security has been paid to the control channel, where SIP and other signalling protocols are used," said Ken Kousky, CEO of security research and analysis firm IP3 and advisor to the VoIP Lab at Illinois Institute of Technology. "Until now, the media stream has been largely ignored by the security community as a source of malicious activity. But attacks from these vectors have the potential to be dangerously persistent and widespread."
The Microsoft vulnerabilities announced today, if exploited, cause a Denial of Service (DoS) condition against not only the stated applications but the entire desktop environment.
"Today's announcements are just the tip of the iceberg," said Andriy Markov, director of VoIPshield Labs. "Although they are specific to Microsoft's applications, similar flaws exist in other VoIP vendors' products. And many other media stream attacks exist that have more severe implications than service availability. We're presently validating new research that shows an attacker can gain unauthorized access to an unsuspecting user's laptop by manipulating the packets of a VoIP phone call. We believe that these attacks can even be made to traverse a PSTN gateway."
Under its Responsible Disclosure Policy, VoIPshield confidentially discloses full details of the vulnerabilities to the affected vendors, and works with them to facilitate the development of application fixes. Details of the vulnerabilities are not publicly disclosed.
Securing the media stream is particularly challenging because once the messaging session is established, the flow of voice packets is not always monitored and managed by the call server.
"Media traffic, whether it's voice or video, can travel peer-to-peer," Kousky added. "Security practitioners have historically considered blocking peer-to-peer traffic as the best protection practice. Unfortunately, for voice packets that strategy doesn't work and so careful consideration has to be given to the placement of the protection mechanisms within the network."
"VoIP and Unified Communications represent not only new technologies, but new paradigms in the way information is communicated and consumed," said Rick Dalmazzi, VoIPshield's president & CEO. "The result is brand new vectors of attack against the entire corporate IT infrastructure. Companies must start now to educate themselves in this new area of security. VoIPshield has been working exclusively in VoIP and UC security since 2004 and has compiled a number of assessment and protection techniques and products for enterprise networks."
Effective immediately, customers of VoIPshield's VoIPguard™ VoIP/UC Intrusion Prevention System can download the new signatures using the VoIPshield Update™ subscription service. VoIPguard contains over 500 VoIP/UC specific signatures to detect and prevent malicious signalling and media traffic.
In April, VoIPshield was named one of five "Cool Vendors in Infrastructure Protection for 2008" by Gartner. In October VoIPshield was named one of the "Top 50 Canadian Companies" by Red Herring.