New VoIP security threats discovered
Voice-over-IP (VoIP) security specialist VoIPshield Laboratories has recently announced that it has discovered a number of new security vulnerabilities that affect VoIP and unified communications. For the first time, the company has focused on security problems with the Real-time Transport Protocol (RTP), which is used by the popular Microsoft products Office Communications Server 2007, Office Communicator and Windows Live Messenger. Although the vulnerabilities it has discovered are specific to Microsoft products, VoIPshield says that similar flaws exist in other vendors' products.
"Most of the attention in enterprise VoIP/UC security has been paid to the control channel, where SIP and other signalling protocols are used," said Ken Kousky, CEO of security research and analysis firm IP3 and advisor to the VoIP Lab at Illinois Institute of Technology. "Until now, the media stream has been largely ignored by the security community as a source of malicious activity. But attacks from these vectors have the potential to be dangerously persistent and widespread."
VoIPshield says that the Microsoft vulnerabilities it has identified have the potential to affect 250 million computers worldwide and that, if exploited, they will cause a denial of service (DoS) on the application and the entire desktop environment. However, there's no need for users of Microsoft products to panic: the flaws have not been published. Instead, VoIPshield is working with Microsoft to plug the security holes, and patches will no doubt be issued in due course.
But VoIPshield says that this is just the tip of the iceberg and warns that media stream attacks can have much more serious consequences than denying availability. For example, it is looking at the possibility that an attacker could gain unauthorized access to a user's computer by manipulating the packets of a VoIP call.
VoIP security has been a hot topic in telephony circles for some time, and I covered the main threats in Orange's Enterprise Briefing in October last year. A good source for ongoing information about VoIP security is the VoIP Security Alliance blog.